Edit tour

Windows Analysis Report
Player reports algnet 07-10-2024 .pdf www.skype.com.7z

Overview

General Information

Sample name:	Player reports algnet 07-10-2024 .pdf www.skype.com.7z
Analysis ID:	1528232
MD5:	3ad813ff3a7dd9b8af0b7e712628df97
SHA1:	1f3ba2dc30aae0a30839e3ef62c498346b663a54
SHA256:	aa77c2e53e6e0a9285fbc211bda6135c7599dab021e60971019b4f8d50f795af
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Checks if the current process is being debugged

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found dropped PE file which has not been started or loaded

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64_ra

OpenWith.exe (PID: 6620 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

7zG.exe (PID: 6328 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap7661:168:7zEvent14396 MD5: 50F289DF0C19484E970849AAC4E6F977)

Player reports algnet 07-10-2024 .pdf www.skype.com (PID: 6232 cmdline: "C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com" MD5: 005245FCBCA50A836235392C802198A8)

HitPawInfo.exe (PID: 6468 cmdline: "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe" MD5: 00CED89A573AD1E1F96C94C763222E1E)

regsvr32.exe (PID: 1836 cmdline: ResPrompt.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

WerFault.exe (PID: 6600 cmdline: C:\Windows\system32\WerFault.exe -u -p 6468 -s 532 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

reg.exe (PID: 3048 cmdline: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: schtasks /run /tn PMP, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 3048, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMP

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", CommandLine: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", CommandLine|base64offset|contains: 0, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1136, ProcessCommandLine: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", ProcessId: 3048, ProcessName: reg.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 154.21.14.89, DestinationIsIpv6: false, DestinationPort: 22455, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 1836, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49706

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", CommandLine: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", CommandLine|base64offset|contains: 0, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1136, ProcessCommandLine: C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP", ProcessId: 3048, ProcessName: reg.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: global traffic

TCP traffic: 192.168.2.16:49706 -> 154.21.14.89:22455

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: gibbooc2.com

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 532

Source: unknown

Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"

Source: classification engine

Classification label: mal52.evad.win7Z@10/17@1/9

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6468
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

File created: C:\Users\user\AppData\Local\Temp\AITMP0

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap7661:168:7zEvent14396
Source: unknown	Process created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com "C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com"
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 532
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: unknown	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: version.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: pcinfo.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resprompt.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

File written: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Window found: window name: TComboBox

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.7z

Static file information: File size 2124378 > 1048576

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Jump to dropped file

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	File created: \player reports algnet 07-10-2024 .pdf www.skype.com
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	File created: \player reports algnet 07-10-2024 .pdf www.skype.com

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	File created: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	File created: C:\Users\user\AppData\Local\Temp\PCInfo.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Jump to dropped file
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	File created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

NtCreateUserProcess: Indirect: 0x7FFF29BC68AB

Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user\AppData\Local\Temp\HitPawInfo.exe"

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Regsvr32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner
C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\HitPawInfo.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\PCInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gibbooc2.com	154.21.14.89	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.21.14.89	gibbooc2.com	United States		174	COGENT-174US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528232
Start date and time:	2024-10-07 17:10:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Player reports algnet 07-10-2024 .pdf www.skype.com.7z
Detection:	MAL
Classification:	mal52.evad.win7Z@10/17@1/9

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Player reports algnet 07-10-2024 .pdf www.skype.com.7z

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HitPawInfo.exe_4f927396ed7e1d24c97d8c6f3e8aee163dda5_092f0bdd_bf0ca793-66b3-435b-9b49-441b79f6b4c1\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8123049279137572
Encrypted:	false
SSDEEP:
MD5:	8DAC28D38DF7494A0A1472B8607606C0
SHA1:	AE9E2EDDF4D0E7F6EDD7657AD092D34DEBC11CDE
SHA-256:	DCB9991C659EB2FF14AC7FEF3F6440B9FC2B6B248410DC01E950E421AE87072F
SHA-512:	0EF8BA860CD1E7BE6F3A4F84742BB6A8CC0EB457E2C84F31743BEEAA487901366E051EE10EFD0CF7CDDE4EE6BAAD7855BEBC58F6898369A42D7E3C433C31C8F5
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.8.7.5.0.1.4.1.5.9.6.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.0.c.a.7.9.3.-.6.6.b.3.-.4.3.5.b.-.9.b.4.9.-.4.4.1.b.7.9.f.6.b.4.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.c.9.3.c.1.6.-.4.9.4.5.-.4.d.0.f.-.b.5.0.7.-.3.e.b.3.c.b.7.4.0.8.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.i.t.P.a.w.I.n.f.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.4.-.0.0.0.1.-.0.0.1.6.-.0.2.b.7.-.4.f.3.0.c.b.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.7.1.5.e.c.d.3.8.5.8.f.f.0.3.f.d.4.2.9.3.0.0.b.4.6.f.9.d.3.2.3.0.0.0.0.0.9.0.4.!.0.0.0.0.8.0.8.1.8.3.d.9.1.6.0.a.8.9.a.d.3.c.8.7.3.0.d.2.b.6.b.7.6.8.0.3.c.a.9.7.f.3.8.f.!.H.i.t.P.a.w.I.n.f.o...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.0.:.0.6.:.3.2.:.0.8.!.7.d.3.8.2.!.H.i.t.P.a.w.I.n.f.o...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER46FC.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 15:11:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	76916
Entropy (8bit):	1.6102805732455157
Encrypted:	false
SSDEEP:
MD5:	D389736B71AFEFE98644336CC14E09A0
SHA1:	0DFEFD1720E2F6BD81716EC0BEA233B2682189B5
SHA-256:	4F99B36BBC672E24A75409DDE174DF4AF4024581E6B08CA87D94C81F83A451E2
SHA-512:	B8EB74F493A5B426D237E61D1076A45D485FCE356DDE2D56F8EDA3903DF5DC94B66AE847E2FB47AB7BDF9F64A40A7E284BFACA76FD48C55D59085C4CF9E3A910
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......-..g....................................l...........T...p3..........`.......8...........T...........8...<.......................................................................................................eJ......t.......Lw......................T.......D..."..g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER476B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6532
Entropy (8bit):	3.727061512059172
Encrypted:	false
SSDEEP:
MD5:	9866E85DC7C5A689B88D0D90A303F3B8
SHA1:	1C4DB47499B0DC24E1E004D0D7C0B1998CB678CF
SHA-256:	D1D0138EC588173E10F86EFE81C23B87B4122CCD11F7153549D8366570461801
SHA-512:	E9D3EC0026117D9498E975A2D14A913D643EF3E5D43937B999BF8EE43A3FB02ED440A481531DC9357E62FB789423B3009041E6B7B8F72EC393F8EEA79CB75EFD
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER479B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4657
Entropy (8bit):	4.487286558208697
Encrypted:	false
SSDEEP:
MD5:	F88932558E2651516A55A0BEF08EA823
SHA1:	E2C36AE46CB59F52FC14615B6BD1BFC956B0C27A
SHA-256:	3041E467CF23A3A18DACB978D40A35E136B248C4E551B6F8D99394D7320593C8
SHA-512:	43851C04C68A9E1AB82A1CA070B6904FC15894CF3DCFC6055EB10A3C287282452085E8EC1FBAB7A134D9A0DAD3847FCDCFCDBF1A3C719EF21C06D8DBC51F2840
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533174" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\AITMP0\Dutchai.lng

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with CRLF line terminators
Category:	dropped
Size (bytes):	9854
Entropy (8bit):	4.955567924478758
Encrypted:	false
SSDEEP:
MD5:	95291CB96482A97215C2C2EE737619F4
SHA1:	A256C8E1A5D12EEA3FF5FB5A7A3891B0CFB6AC2E
SHA-256:	B58A44302AA11D1FA02732879F806B35E65E7C7C2FF6A6E7C48C66E327E66373
SHA-512:	D176A38B52E8DC8C33C08A405108541D576AA0AAD7FA8CA0AEFD55FBC811DC1A8EE2CC555FA29883B25397968575A12F97E1299FAD834F4EC3B4A4F397A09268
Malicious:	false
Reputation:	unknown
Preview:	.[Info]..id=1043..lng=nl..translator=Jacques Deseure (https://www.daproverb.be) 13/05/2020....[Buttons]..0=< &Terug..1=&Volgende >..2=&Annuleren..3=&Installeren..4=&Sluiten..5=&Ja..6=&Nee..7=&Bladeren.....8=&Voltooien..9=&Uitpakken..10=OK..11=A&kkoord..12=Afdrukken....[Title]..0=<AppNameVersion> Installatie....[Language]..0=<AppName> Installatie..1=Selecteer de installatietaal:....[Welcome]..0=<AppName> Installatie..1=Hiermee zal <AppNameVersion> worden ge.nstalleerd.<#><#>Klik op Volgende om verder te gaan, of op Annuleren om af te sluiten...2=Copyright . %s..3=Opties....[LicenseAgreement]..0=Gebruiksrechtovereenkomst..1=Lees de volgende belangrijke informatie voordat u verder gaat...2=Lees de volgende gebruiksrechtovereenkomst. U moet akkoord gaan met deze overeenkomst voordat u verder kunt gaan met de installatie...3=Indien u akkoord gaat met de gebruiksrechtovereenkomst, klik op Akkoord...4=Ik ga akkoord met de overeenkomst...5=Door het installeren van dit programma, gaat u akk

C:\Users\user\AppData\Local\Temp\AITMP0\Uninstall.ini

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1286
Entropy (8bit):	4.952812810545326
Encrypted:	false
SSDEEP:
MD5:	C965C2DCB929E6E5CE34587486EB079E
SHA1:	53E332D519AC8E66A718161F6989FBEF57C986C6
SHA-256:	AD4B0F8BEF218CEF01050D33699C54A2DFED1765EF597C92E7687379340FC7E3
SHA-512:	D976987D8E8753899761057FB13BE31842E079BAC35DADD1D3A109653BBDA327B382624F9395B137A6938E2B49455DA11A98486A6F14173724F7C70114C214C2
Malicious:	false
Reputation:	unknown
Preview:	.[General]..AppName=HitPaw FotorPea..AppEdition=..AppVersion=4.0.1..GUID={1E697A61-832E-478F-9EE0-909B3BDAB870}..AllUsers=0..Admin=0..x64=0..InstallDir=C:\Users\user\AppData\Local\Temp..MainExe=C:\Users\user\AppData\Local\Temp\HitPawInfo.exe....[Messages]..0=%s verwijderen..1=Weet u zeker dat u %s volledig wilt verwijderen?..2=%s is van de computer verwijderd...3=Wilt u met ons uw opinie over dit product delen?..4=%s moet worden afgesloten om door te gaan met verwijderen.%n%nOm door te gaan, sluit %s en klik op OK.%nOm de verwijdering af te sluiten, klik op Annuleren...5=Om de verwijdering van %s te voltooien, moet de computer opnieuw worden opgestart.%n%nWilt u nu opnieuw opstarten?..6=%s kan alleen worden verwijderd als de gebruiker administrator-rechten heeft...7=Wilt u de instellingenbestanden van %s verwijderen?..8=%s moet worden afgesloten om door te gaan met verwijderen.%n%nOm door te gaan, sluit %s en klik dan op Opnieuw.%nOm dit bestand over te slaan, klik op Negeren.%nOm ve

C:\Users\user\AppData\Local\Temp\AITMP0\aidatafile.zip

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1030414
Entropy (8bit):	7.995083770357619
Encrypted:	true
SSDEEP:
MD5:	76258CA71C5D5200C20FF1C5309AA8F2
SHA1:	CCB79681CA9CE13D5B60888564C5E9FE35059237
SHA-256:	2CEF521504F3C843B22C9F7B2EE203DE17493D9738FF4467D2967F85FAB61CA2
SHA-512:	BE2E5331B2F41130F6076E2AC1360EB2B677EAECFA3D87FCB2EDB22C128663BE71D93DE75EACC0D8EDAB6951099DA7DE1ACD72DAD18FB0802E5E60EA5790753A
Malicious:	false
Reputation:	unknown
Preview:	PK..........FY...aL...........0.}.XSW..IH ....G......E%A......+ DA.h.......mZ.Rmk[[..m..k[........h.Fi.j[q.?s..............uf.3s.,7DN($....<6.!........"B...u'.Ot.-........0.O7$.R&&.....S.JCV.2%M.>r.rVz.....E%....Q...N...&........C..M...c.,.x....X.\|.Px2....[...w..+z.d.Z..B9.;.)......'hztJb2.o...B.^s$....iU.#i"voK&A...m.._.&:...bB..:vH.:Qa/.....s....x. ...TG...i..[.I..q".Q...H...,B..E..@~..NB.!.......F./M...K.Q...gHJ0&..{g..t.'.~95...b..YK...k...e.....V.%..3d... .....\|..r..t(.2BYQ.QN...X...}..I.W....;N3.3............r.....<a...T-./v...w....w....Y...?.u.X.W..,Q...q......C.`..S...........\.-'.YrD[T!..p...A.4][.&.).s.6j..'..au.2...c6....6...Z6.. R9..u...+.:qfO.Wt................nN-.j.W:......k.EN.. (W......(.$.:..#....0.o}M.k..Tr........f.!ue...0.w.... G...g7A..pG.;.2..0.....B.g..PL{l...L.EY......3...v.P.N{..#.{.d.V...2D..Ft.^...1.0..u.I..-?.G.....?i..M)>^....P76>....a.$.96>8:>>.4......O.X.......\.....p,.w.q...r........R...n...q.......Q.....?Bq

C:\Users\user\AppData\Local\Temp\AITMP0\aiheader.bmp

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	PC bitmap, Windows 3.x format, 498 x 55 x 24, image size 82280, cbSize 82334, bits offset 54
Category:	dropped
Size (bytes):	82334
Entropy (8bit):	0.6686601662037086
Encrypted:	false
SSDEEP:
MD5:	A620C87E69889F459C022578F3F5E420
SHA1:	125AF2C1D2D822982109D79A56703063EADCB683
SHA-256:	AC34D2317F948C0D02E90C6F2473C4CC2A78D99D21C341FFA02FF4908B48DB2B
SHA-512:	8CBD9CEAA52204B9049618170579AE99C4425DE37DBD89787CF00A192C8A69A8390D692BF25A38C83A1D72BB05516EE6857B429EAAB995B92DEF12C68D6E3027
Malicious:	false
Reputation:	unknown
Preview:	BM.A......6...(.......7...........hA....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.3763216431025045
Encrypted:	false
SSDEEP:
MD5:	BAA63F11F9C2E4DDC827B0B36DA75C4F
SHA1:	A882761158CC5271EBC889642CD5BFC1EB957139
SHA-256:	C7F53E52BCAFB0F9975AC2EBA6F6B8DE434B30E88656EFF2B5721C24EE3213F4
SHA-512:	0D6B6819D5234FCB2C38174D68303F254CAFD94562601D6CD0A2DFD0C3FEDCC92A2B47A990F0BC2558AC1B89DF01D16EC9798C53EB9B4F9689D5FBC2415A87DC
Malicious:	false
Reputation:	unknown
Preview:	.[Setup]..AIVer=10.1..BDID=20241006..GUID={1E697A61-832E-478F-9EE0-909B3BDAB870}..AppName=HitPaw FotorPea..AppVersion=4.0.1..AppEdition=..AppDescription=HitPaw FotorPea..Publisher=HitPawSoftware..WebSite=..SupportLink=..Copyright=Copyright . 2024 <Publisher>..PackageType=0..InstallLevel=0..UpgradeMode=0..RunAsAdmin=0..IfInstalled=0..Windows Server 2003=1..Windows XP=1..Windows Vista=1..Windows 7=1..Windows 8=1..Windows 8.1=1..Windows 10=1..Windows 11=1..Windows Server 2008=1..Windows Server 2008 R2=1..Windows Server 2012=1..Windows Server 2012 R2=1..Windows Server 2016=1..Windows Server 2019=1..Windows Server 2022=1..Enab=1..SystemType=0..Internet=0..Archive=0..InstallDir=<TempDir>..MainExe=<InstallDir>\HitPawInfo.exe..ProgramGroup=<AppName>..Uninstall=0..Updater=0..LaunchOnStatup=0..RegisterAppPath=0..ActiveSetup=0..CacheSetup=0..SelectFolderMode=0..AltInstallDir=<AppData>\<AppName>..DataExtractParam=-o"<InstallDir>" -aoa..UninstallFile=Uninstall.exe..LangIDMethod=0..AllowInstallIf

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.zip

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	93930
Entropy (8bit):	7.979028337427802
Encrypted:	false
SSDEEP:
MD5:	493C36038828A5EF850DA2106AB956C3
SHA1:	8DDEEE9E5A5266982B41EB33F26676D7B0797E41
SHA-256:	F18F571A0826A626095C6D81E1F7063340436156569FAEC173474A2EEEC5B29B
SHA-512:	D422D8BBF7E5E121D7A63045E7BBD4FC81AB742157F05503748F089106102505DE2FDA6154456AD6709F5DB7B9007E5A1BF246A4F75749E408B412CC2D71953B
Malicious:	false
Reputation:	unknown
Preview:	PK.........FY..1sf...X.......aisetup.ini}U.n.8....;...l...+..[....f.v..4...I...d.>P....}.}....%!.........BPE.W..?..\..[.`.x}.?t.g.n..E..]..c..v'...;.OV..r.t..t>...\|2v...<.....@..;+....1.. )g.g. .......H.../..!.2...(.Gu&..;8.T....<.Bm(.G.....I.....{G..].].k....O9xN..fR.,...d... 1\..w....(3..R.b..(..YvB.. 0.3...s[G.)Z.q.L.....4PCV...Awv.W%.[.......t.8Y2r...I8U.\.`....QJ.....f{8.x.~].......g;.kv.=x....m;....Y9.h\|..........)X..P.\..hH.A .vKTjR..ffVF.......A.V<.A<....z.z."W.k.ib..........w...u...Z.+..wA...a.:.........t.>n...."......91C..\-...h.:..Qjb.`..(.xr.Y.OP.....5b.$.+.J..9...(#z..?.D~l.....M.O.\Q....D.+?..',.6.%.....JQ.P<..-.H.Bo.V.LJ;wG.(..9.\|A......y8../...K.&....A6....5..U..$..nXy....qm...lf.#...\..P..U]a.Bt.s...w../.!.7.P....WkIoP....qG.....O(......x...=....:.g...v...7. .8S&Y\|5b.p.6<.f.\{.9...24ZG.YW..e..0....6A.&I.......nSc.0.8....@.Q..<1.v.?PK.........R.X..,....~&......Dutchai.lng.Z.n...}....(.`.2-..X........${.M....p......

C:\Users\user\AppData\Local\Temp\AITMP0\aiwizard.bmp

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	PC bitmap, Windows 3.x format, 500 x 314 x 24, image size 471000, cbSize 471054, bits offset 54
Category:	dropped
Size (bytes):	471054
Entropy (8bit):	3.2443524520002636
Encrypted:	false
SSDEEP:
MD5:	5B5B3247038C1AF153DFCB567B11DAA8
SHA1:	F35F529797188E9ABA2F7C5BECBD70309BD14541
SHA-256:	48260B05BA47BF1CE3ECA2FC7899C65E95609CA3B6AB3A9F71F61C67493A3604
SHA-512:	9396A455BAD36896F33F5456B89E4B7D0AF401399A8603939F485061143EAEB90A9EF5418844A4117975E6850FE3C9EAD7E913D3979D44314D1EF70B2459DC8F
Malicious:	false
Reputation:	unknown
Preview:	BM.0......6...(.......:............/.......................................................................................................................................................................................................................{.{.z.........................................~..~..~..}..\|..}..\|..{..{..................................................~..\|..\|..{..z..y..x..x..v..v..u..t..s..s..r..q..p..o..o..n..n..m..l..l..k..k..j..j..i..i......................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	500488
Entropy (8bit):	7.912186742228876
Encrypted:	false
SSDEEP:
MD5:	00CED89A573AD1E1F96C94C763222E1E
SHA1:	808183D9160A89AD3C8730D2B6B76803CA97F38F
SHA-256:	5FC1BD27C679B1B5306996CFA518FA1A7B4FB60E0FE6EA92BB4BA3B82C471A85
SHA-512:	A527A55B7874E619379F18DF0EBF3BE17505D310B9AFD9E1FCCF21210EB4B93AA358F7A7BE1AA4616309D99810A0629389024738D36AEF867910419A410E0F55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........:...i...i...i..\i..i...h..i...h..i...h..i...h..i...h..i}..h...i}..h..iV..h..iW..h..i...i...i...h...i..0i...i..Xi...i...h...iRich...i................PE..d.....sf.........."......\...........W.........@..........................................`.................................................,...................h....T...Q......T...Xu...............................u..8............p..H............................text...7[.......\.................. ..`.rdata...%...p...&...`..............@..@.data...............................@....pdata..h...........................@..@.rsrc...............................@..@.reloc..T............P..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PCInfo.dll

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	358400
Entropy (8bit):	6.138682134890285
Encrypted:	false
SSDEEP:
MD5:	438909882796242739C542D4AA5E94DA
SHA1:	E2A82D09C76C6A59F909CB35D4BF4F4F862213E1
SHA-256:	B81A96A53AB20F43624CE4E8D25468AB8F65EF88441368CDA0C9C54525DB31F6
SHA-512:	2F972CE6901734E3217AA1982695DA589A52926C7C49C0A340C41E963B3CC03D2EFD3DE5A6AF6E61691CAE211D756710D722234457D01B4642BF463EFE641652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Zm.7...d...d...dUt.e...dUt.e...dUt.e...d...e...d...e...dUt.e...d...eQ..dUt.e...d...do..dV..e...dV..e...dV..d...dV..e...dRich...d................PE..d.....g.........." ...)............4.....................................................`.........................................@...H.......x............P.. C..............p......................................@...............(............................text............................... ..`.rdata..............................@..@.data...</... ......................@....pdata.. C...P...D...&..............@..@.rsrc................j..............@..@.reloc..p............l..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Respc.jpg

Download File

Process:	C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=4, manufacturer=Canon, model=Canon PowerShot SX20 IS, orientation=upper-left], baseline, precision 8, 640x480, components 3
Category:	dropped
Size (bytes):	770719
Entropy (8bit):	6.712677731362388
Encrypted:	false
SSDEEP:
MD5:	E9FC238F898B1F0763B4A2EA5BF6DA2B
SHA1:	090CC66E5C8CBA33C1B0F63F76B33C3190F6D789
SHA-256:	F7249877EA94D997512FD5CF67C64DE8E9302D164FED5F2C2F3B6180E0DFC293
SHA-512:	1FBAA8DA4D1A1F791133B126AE66E587215C73DCBE73B2F93687097C87A283F2BCD16D340CD8ED3A30506A47549156D6BF4575A8250BC0F96E4CD610894AFE6F
Malicious:	false
Reputation:	unknown
Preview:	......JFIF..............Exif..II...............>...........D...............i.......\.......Canon.Canon PowerShot SX20 IS...........................'...........................................................8.......2012:05:10 05:31:51.A..........C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...'.>..u+?.jH.s}.........u2`.<......h>.....5.CR...[..m&.... 6y=q.5..xw.VV6..Y\[...VA...O'...8...0......%X....N<....w...g.-4...7R.....[7.H.....U\|

C:\Users\user\AppData\Roaming\ResourceCommander\Promptdource.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\HitPawInfo.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	970
Entropy (8bit):	5.5220747862495365
Encrypted:	false
SSDEEP:
MD5:	923CCF347E169F5533DBFC41D829B9DA
SHA1:	0360807D4C2A4923A679FC6F1175BB87A8749841
SHA-256:	C57D35C439689668E10C53E86662E297DEDE3B96F1D37E4A9FAD20689DE646FB
SHA-512:	F5CA8F9F7206FFDE49CA4C3A106C68A7F076665042BD9E53FCD0FF01B0E71C847B157C493AB0C3202033ACB30A87BC50E9627B97DFC20AC62B81505C10346BFA
Malicious:	false
Reputation:	unknown
Preview:	. Windows Registry Editor Version 5.00..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}]..@="ResPrompt"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ImplementedCategories]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ImplementedCategories\{EDF4B444-2758-45C1-A25A-F9ED8B5E5145}]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\InprocServer32]..@="ResPrompt.dll".."ThreadingModel"="Apartment"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\ProgID]..@="ResPrompt"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\Programmable]..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}TypeLib]..@="{EDF4B444-2758-45C1-A25A-F9ED8B5E5145}"..[HKEY_CURRENT_USER\Software\Classes\CLSID\{C346C9EC-A908-4164-A9B7-CD00EA3A99E8}\VERSION]..@="1.0"

C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\HitPawInfo.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32843280
Entropy (8bit):	7.9672098266294284
Encrypted:	false
SSDEEP:
MD5:	E1BDFA7BC2EC8370102E69DE1FDC2800
SHA1:	1B26BCEC613EE069C0905055B40F0E858143562D
SHA-256:	15C4C03C0E4345A3FCC08E55164ED5CF004D8C2C40A46D7F7DB891F312226497
SHA-512:	333F62FB4ABBA81F09A5D12AFAAFD8ED716CA03E7EF251C49B4DCF75EEA7D6ADF790C1FA9EED346AC8D22831904B8729DC771F9D66CE94C8F23F23BD0643A6E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..L...L...L...O...L...I...L...H...L...K...L..cH...L..cO...L..cI...L...M...L...M.}.L..bI...L..bL...L..b....L......L..bN...L.Rich..L.........PE..d......g.........." ...)............$<....................................................`..........................................u..l...<v.......p..............................0...........................(......@...............`............................text...x........................... ..`.rdata.............................@..@.data....I...........~..............@....pdata..............................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................

C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4284934
Entropy (8bit):	7.211500858406131
Encrypted:	false
SSDEEP:
MD5:	005245FCBCA50A836235392C802198A8
SHA1:	E53C665ED01E497874627AC654D6F90832DBA1AF
SHA-256:	BE1D320F773A860897BE73DD16F805902EFFAEAD313873B0C622BC6EFF9DB715
SHA-512:	C4297732536440EEE0D666E1E52B4777D2444F4D91AB77C779E3FB0ACBBC20B61CCD3D6654D8AB7FF3AF71283109FB633F5D83B21BE00FD14E52720A8EAB0D26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......g.................n'..........}'.......'...@...........................1...........@......@....................).......(..:....,..u...................0)..]........................... ).......................(.......(......................text....L'......N'................. ..`.itext..<....`'.. ...R'............. ..`.data.........'......r'.............@....bss.....r...0(..........................idata...:....(..<....(.............@....didata.......(......T(.............@....edata........)......b(.............@..@.tls....T.....)..........................rdata..].... )......d(.............@..@.reloc...]...0)..^...f(.............@..B.rsrc....u....,..v....+.............@..@..............1......:0.............@..@................

Static File Info

General

File type:	7-zip archive data, version 0.4
Entropy (8bit):	7.999912534436202
TrID:	7-Zip compressed archive (6006/1) 100.00%
File name:	Player reports algnet 07-10-2024 .pdf www.skype.com.7z
File size:	2'124'378 bytes
MD5:	3ad813ff3a7dd9b8af0b7e712628df97
SHA1:	1f3ba2dc30aae0a30839e3ef62c498346b663a54
SHA256:	aa77c2e53e6e0a9285fbc211bda6135c7599dab021e60971019b4f8d50f795af
SHA512:	ce8486015cbb58458492a1996b3898ae61d4d106d17f271fc502934d13c034d604fd0662732268951dc511f06523c0bc1bddc35cf1967f4324f5399922bbe9b9
SSDEEP:	49152:RzItgbrYHoNGxnryiy/P6DfykFdOjcFt1qC3Ra4PlDi:RzItZHoN+nmnX6D3Fdd/RVPlu
TLSH:	ABA5335965931FEA1CCDC1DC7F4099022A6520A7223DD33F19A3AF31E44E0A595BFACD
File Content Preview:	7z..'....JB.pi .................E0F....mG.Z..]3u.B2.O}a.w..!V4r......QT..[...#...Q%/.$C.F......x..........A.ZI_..."!1..*..........Z..:....ap.c..B.x.vH0.A..F...Mx.q.]..fU....45.OO..I0a....J.R..:_.wm&k....it}....MO....Yc.....N......F..rw.....f\|}EU%...[vZ..X

File Icon


Icon Hash:	72e2a2a292a2a2b2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Player reports algnet 07-10-2024 .pdf www.skype.com.7z

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HitPawInfo.exe_4f927396ed7e1d24c97d8c6f3e8aee163dda5_092f0bdd_bf0ca793-66b3-435b-9b49-441b79f6b4c1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER46FC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER476B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER479B.tmp.xml

C:\Users\user\AppData\Local\Temp\AITMP0\Dutchai.lng

C:\Users\user\AppData\Local\Temp\AITMP0\Uninstall.ini

C:\Users\user\AppData\Local\Temp\AITMP0\aidatafile.zip

C:\Users\user\AppData\Local\Temp\AITMP0\aiheader.bmp

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini

C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.zip

C:\Users\user\AppData\Local\Temp\AITMP0\aiwizard.bmp

C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

C:\Users\user\AppData\Local\Temp\PCInfo.dll

C:\Users\user\AppData\Local\Temp\Respc.jpg

C:\Users\user\AppData\Roaming\ResourceCommander\Promptdource.xml

C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll

C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com

Static File Info

General

File Icon

Windows Analysis Report
Player reports algnet 07-10-2024 .pdf www.skype.com.7z