Windows Analysis Report
Player reports algnet 07-10-2024 .pdf www.skype.com.7z

Overview

General Information

Sample name: Player reports algnet 07-10-2024 .pdf www.skype.com.7z
Analysis ID: 1528232
MD5: 3ad813ff3a7dd9b8af0b7e712628df97
SHA1: 1f3ba2dc30aae0a30839e3ef62c498346b663a54
SHA256: aa77c2e53e6e0a9285fbc211bda6135c7599dab021e60971019b4f8d50f795af

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Checks if the current process is being debugged
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found dropped PE file which has not been started or loaded
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses reg.exe to modify the Windows registry

Classification

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: global traffic TCP traffic: 192.168.2.16:49706 -> 154.21.14.89:22455
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: gibbooc2.com
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 532
Source: unknown Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Source: classification engine Classification label: mal52.evad.win7Z@10/17@1/9
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6468
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File created: C:\Users\user\AppData\Local\Temp\AITMP0
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap7661:168:7zEvent14396
Source: unknown Process created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com "C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com"
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: version.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: slc.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: pcinfo.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: resprompt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File written: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Window found: window name: TComboBox
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.7z Static file information: File size 2124378 > 1048576

Persistence and Installation Behavior

Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File created: \player reports algnet 07-10-2024 .pdf www.skype.com
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe File created: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File created: C:\Users\user\AppData\Local\Temp\PCInfo.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com File created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Boot Survival

Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe NtCreateUserProcess: Indirect: 0x7FFF29BC68AB
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation