Windows Analysis Report
Player reports algnet 07-10-2024 .pdf www.skype.com.exe

Overview

General Information

Sample name: Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Analysis ID: 1528513
MD5: 005245fcbca50a836235392c802198a8
SHA1: e53c665ed01e497874627ac654d6f90832dba1af
SHA256: be1d320f773a860897be73dd16f805902effaead313873b0c622bc6eff9db715
Tags: exe, gibbooc2com, Remcos, user-PeterGabaldon

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Creates an autostart registry key pointing to binary in C:\Windows
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses reg.exe to modify the Windows registry

Classification

Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4EBC74 FindFirstFileExW, 8_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 8_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 8_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4EBC74 FindFirstFileExW, 12_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 12_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 12_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4EBC74 FindFirstFileExW, 20_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 20_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 20_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA, 8_2_00007FFB0C4B3830

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 154.21.14.89 22455
Source: global traffic TCP traffic: 192.168.2.7:49753 -> 154.21.14.89:22455
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C498340 LoadLibraryA,GetProcAddress,FreeLibrary,recv, 8_2_00007FFB0C498340
Source: global traffic DNS traffic detected: DNS query: gibbooc2.com
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0 String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://ocsp.digicert.com0
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://ocsp.digicert.com0A
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://ocsp.digicert.com0C
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe String found in binary or memory: http://www.actualinstaller.com
Source: HitPawInfo.exe.5.dr, 0 String found in binary or memory: http://www.digicert.com/CPS0
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe String found in binary or memory: https://www.actualinstaller.comU
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1370907201.00000000046E4000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028AD000.00000004.00001000.00020000.00000000.sdmp, Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1371083740.00000000028BC000.00000004.00001000.00020000.00000000.sdmp, Dutchai.lng.5.dr String found in binary or memory: https://www.daproverb.be)
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe String found in binary or memory: https://www.google.comU

System Summary

Source: initial sample Static PE information: Filename: Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: C:\Windows\System32\regsvr32.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DF694 8_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4EACC4 8_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E2DD8 8_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E4FE4 8_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4EE8F8 8_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DABD8 8_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4F2500 8_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DA840 8_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DA0E0 8_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E0310 8_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4F03E8 8_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D9CD8 8_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4F1E64 8_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D9EDC 8_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E1958 8_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DFA40 8_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E5AF8 8_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E9B1C 8_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4EBC74 8_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4ED680 8_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DB6A4 8_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4C16D0 8_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4DB26C 8_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4E5478 8_2_00007FFB0C4E5478
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4EACC4 12_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E2DD8 12_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E4FE4 12_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4EE8F8 12_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DABD8 12_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4F2500 12_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DA840 12_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DA0E0 12_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E0310 12_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4F03E8 12_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4D9CD8 12_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4F1E64 12_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4D9EDC 12_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E1958 12_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DFA40 12_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E5AF8 12_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E9B1C 12_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4EBC74 12_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DF694 12_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4ED680 12_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DB6A4 12_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4C16D0 12_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4DB26C 12_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4E5478 12_2_00007FFB0C4E5478
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4EACC4 20_2_00007FFB0C4EACC4
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E2DD8 20_2_00007FFB0C4E2DD8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E4FE4 20_2_00007FFB0C4E4FE4
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4EE8F8 20_2_00007FFB0C4EE8F8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DABD8 20_2_00007FFB0C4DABD8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4F2500 20_2_00007FFB0C4F2500
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DA840 20_2_00007FFB0C4DA840
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DA0E0 20_2_00007FFB0C4DA0E0
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E0310 20_2_00007FFB0C4E0310
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4F03E8 20_2_00007FFB0C4F03E8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4D9CD8 20_2_00007FFB0C4D9CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4F1E64 20_2_00007FFB0C4F1E64
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4D9EDC 20_2_00007FFB0C4D9EDC
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E1958 20_2_00007FFB0C4E1958
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DFA40 20_2_00007FFB0C4DFA40
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E5AF8 20_2_00007FFB0C4E5AF8
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E9B1C 20_2_00007FFB0C4E9B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4EBC74 20_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DF694 20_2_00007FFB0C4DF694
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4ED680 20_2_00007FFB0C4ED680
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DB6A4 20_2_00007FFB0C4DB6A4
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4C16D0 20_2_00007FFB0C4C16D0
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4DB26C 20_2_00007FFB0C4DB26C
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4E5478 20_2_00007FFB0C4E5478
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe 5FC1BD27C679B1B5306996CFA518FA1A7B4FB60E0FE6EA92BB4BA3B82C471A85
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFB0C4A2E50 appears 63 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFB0C495120 appears 36 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFB0C4E4154 appears 75 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFB0C4D598C appears 39 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFB0C497410 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6652 -s 524
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: Number of sections : 11 > 10
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1319569569.000000007F120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceCommander.exeD vs Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1370907201.00000000046E4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceCommander.exeD vs Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Source: classification engine Classification label: mal60.evad.winEXE@10/17@1/1
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe File created: C:\Users\user\AppData\Roaming\ResourceCommander
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6652
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File created: C:\Users\user~1\AppData\Local\Temp\AITMP0
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File read: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File read: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: unknown Process created: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe "C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe"
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6652 -s 524
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s ResPrompt.dll
Source: unknown Process created: C:\Windows\System32\reg.exe C:\Windows\system32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PMP" /t REG_SZ /F /D "schtasks /run /tn PMP"
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: pcinfo.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: resprompt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: resprompt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: resprompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File written: C:\Users\user\AppData\Local\Temp\AITMP0\aisetup.ini
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Window found: window name: TComboBox
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static file information: File size 4284934 > 1048576
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274e00
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW, 8_2_00007FFB0C4B9030
Source: PCInfo.dll.5.dr Static PE information: real checksum: 0x0 should be: 0x60c5c
Source: HitPawInfo.exe.5.dr Static PE information: real checksum: 0x7d382 should be: 0x7cdc6
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: real checksum: 0x0 should be: 0x41a78b
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process created: C:\Windows\System32\regsvr32.exe ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File created: \player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File created: \player reports algnet 07-10-2024 .pdf www.skype.com.exe
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe File created: C:\Users\user\AppData\Roaming\ResourceCommander\ResPrompt.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File created: C:\Users\user\AppData\Local\Temp\PCInfo.dll
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe File created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe

Boot Survival

Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PMP
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\regsvr32.exe API coverage: 2.9 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 2.9 %
Source: C:\Windows\System32\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4EBC74 FindFirstFileExW, 8_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 8_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 8_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4EBC74 FindFirstFileExW, 12_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 12_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 12_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4EBC74 FindFirstFileExW, 20_2_00007FFB0C4EBC74
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4B3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 20_2_00007FFB0C4B3530
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4B3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose, 20_2_00007FFB0C4B3250
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA, 8_2_00007FFB0C4B3830
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1372382822.0000000000E07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: Player reports algnet 07-10-2024 .pdf www.skype.com.exe, 00000005.00000003.1372382822.0000000000E07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW, 8_2_00007FFB0C4B9030
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4ED000 GetProcessHeap, 8_2_00007FFB0C4ED000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFB0C4D9238
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FFB0C4D9238
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4D40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FFB0C4D40A0
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4D4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FFB0C4D4354
Source: C:\Windows\System32\regsvr32.exe Code function: 20_2_00007FFB0C4D9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FFB0C4D9238

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 154.21.14.89 22455
Source: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe NtCreateUserProcess: Indirect: 0x7FFB0C5768AB
Source: C:\Users\user\Desktop\Player reports algnet 07-10-2024 .pdf www.skype.com.exe Process created: C:\Users\user\AppData\Local\Temp\HitPawInfo.exe "C:\Users\user~1\AppData\Local\Temp\HitPawInfo.exe"
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->o
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ClientInfo>>//>>367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->lication Error<-->H
Source: regsvr32.exe, 00000008.00000002.3179259080.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ClientInfo>>//>>367706/user<-->Windows 10 Pro=19045<-->C:\Windows\System32\regsvr32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/12/2019 4:9 a.m.<-->Program Manager<-->
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4F4F90 cpuid 8_2_00007FFB0C4F4F90
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 8_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 8_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 8_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 8_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 8_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 8_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00007FFB0C4EF34C
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 12_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 12_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 12_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 12_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 12_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 12_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 12_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00007FFB0C4EF34C
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 20_2_00007FFB0C4EEE88
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 20_2_00007FFB0C4E44C4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 20_2_00007FFB0C4E40D8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_00007FFB0C4EF8D0
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 20_2_00007FFB0C4EF594
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_00007FFB0C4EF6EC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 20_2_00007FFB0C4EF79C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 20_2_00007FFB0C4EF1E4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 20_2_00007FFB0C4EF2B4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_00007FFB0C4EF34C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4D2F8C GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 8_2_00007FFB0C4D2F8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFB0C4B9030 LoadLibraryA,GetProcAddress,GetUserNameW, 8_2_00007FFB0C4B9030
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe