9479c3a08a8e42844b7598467aa1fc39d689bf0034112098955fc572bc470bb9

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

📺Friends 2.mp4
Size

2.0MB
MD5

47af6e03191486e389f78e22de395ca0
SHA1

83fd3e45d63245cc6cb5175d2effe1aedb3bc997
SHA256

9479c3a08a8e42844b7598467aa1fc39d689bf0034112098955fc572bc470bb9
SHA512

3a302716d3bc6960a1b2fe4e4e40c588e92847eff8cea3cb0ccebde8da6dd97ab9a1ec57c65195a1467e6d12d61295cafc627781d40c1e9e13ed79126fb499cf
SSDEEP

49152:lerJ4VmEeWgnj6Xuu5a+u8atcegWvvA3UqtAIGjFI0glv:lCJLEbArXdvAEqt5GjFI0gV

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{3BA97698-17F3-46CA-85A9-AF1D6FD5A6E6}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4312	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4312	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	unregmp2.exe
Token: SeCreatePagefilePrivilege	1648	unregmp2.exe
Token: SeShutdownPrivilege	2008	wmplayer.exe
Token: SeCreatePagefilePrivilege	2008	wmplayer.exe
Token: 33	3172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3172	AUDIODG.EXE
Token: SeShutdownPrivilege	2008	wmplayer.exe
Token: SeCreatePagefilePrivilege	2008	wmplayer.exe
Token: 33	4312	vlc.exe
Token: SeIncBasePriorityPrivilege	4312	vlc.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2008	wmplayer.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe
4312	vlc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4188	4428	wmplayer.exe	82
PID 4428 wrote to memory of 4188	4428	wmplayer.exe	82
PID 4428 wrote to memory of 4188	4428	wmplayer.exe	82
PID 4428 wrote to memory of 2360	4428	wmplayer.exe	85
PID 4428 wrote to memory of 2360	4428	wmplayer.exe	85
PID 4428 wrote to memory of 2360	4428	wmplayer.exe	85
PID 2360 wrote to memory of 1648	2360	unregmp2.exe	86
PID 2360 wrote to memory of 1648	2360	unregmp2.exe	86
PID 4188 wrote to memory of 8	4188	setup_wm.exe	91
PID 4188 wrote to memory of 8	4188	setup_wm.exe	91
PID 4188 wrote to memory of 8	4188	setup_wm.exe	91
PID 8 wrote to memory of 5068	8	unregmp2.exe	92
PID 8 wrote to memory of 5068	8	unregmp2.exe	92
PID 4188 wrote to memory of 2008	4188	setup_wm.exe	94
PID 4188 wrote to memory of 2008	4188	setup_wm.exe	94
PID 4188 wrote to memory of 2008	4188	setup_wm.exe	94

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\📺Friends 2.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\📺Friends 2.mp4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Modifies registry class
      PID:5068
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\📺Friends 2.mp4"
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2008
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x32c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3060

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\AppData\Local\Temp\📺Friends 2.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
2936527c6171be1065c6012a3e8ffddd

SHA1
9273557d3cfc6987eac30802569e9d2579d7d4a4

SHA256
e341ab7fd265205d2477cb5234a6c3d35911d7ebb17139b585b55eb7def237e0

SHA512
a83203b4696232299c70ff0f7ae292964417b0636d278544fd252a41e6ab3b5c749e836d83d7b22bc52d56dc069bb8caa0ebf5634b32e3acae7afc87c1215e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
91facd669ee3e853fe0ef45cdbdeefac

SHA1
301538b6a5726ff391a2feb0e19f3f68385fa762

SHA256
d34be214b5750c6a3f3e3771446fe38d1240a59625850ced8c3597f82a6d7111

SHA512
95395eb8db70919e6fdd2c27a76d7a3a909f8122bf6e0a595f1ea2c9a893bfc87947a708b6d17743d7d6b9a3019f44e0b26ebbae90edbc652779c08fb3416c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
8f0d18feec13265e0893d4958abea93b

SHA1
3f63665e194464b87debe32b13e5a91b35fba403

SHA256
b9847590d2f9455cadfe7c3ecce0c0a02df3174e21df758ee1079e9adc9c74c0

SHA512
d17585b6ebfeeb02a7d24b0904a60c223fb4752dbac08333fc9891d8260c0e64c934d4ebd3d9972b47907db6d3acf5c1eeb1ad41f08297bdfff3127080d243fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\01_Music_auto_rated_at_5_stars.wpl

Filesize
1KB

MD5
159e63275630ec4c9747b664bd063938

SHA1
be4e32d7d022c3e3277e1ed65a21bebcf787ce3f

SHA256
d54745665432625a904636e7675612c85026da07e68f4e9d8dacbe98e5dee844

SHA512
1a128d4f59424bce6818c117f84dbfe16b7da1543d7b2682460da74839bfc6cfe805da00112e17cbaafdf4179e357b70fa0850fa722fb04f202e1d75e65edb60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\02_Music_added_in_the_last_month.wpl

Filesize
1KB

MD5
907bfc98ce854ae312127c952d8be0f2

SHA1
02defe8c5f9cc85742e45ba55e4fcfe326fd960c

SHA256
c475dc7423c2ad60f25adaac754cd8b68b57ff04f26ecef78f3e5961b986a324

SHA512
db4045f992bad6ad660769a22345c5e0d965ae521d6828d612b15f0163622c629992c313a41bc9e381f9b0f098117eef840d33100af4c6a3634eb0013a7fe1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\03_Music_rated_at_4_or_5_stars.wpl

Filesize
1KB

MD5
6d791b697af46d6777182af7f18c2955

SHA1
d73e8b5f4ee646c1c4ab6d23f3cb3394cb833ca8

SHA256
4825eb90140f6b2f4f7ed0df66b24e10ff5d0da70af53ea495fd30b3aa791870

SHA512
268cf327a9f471d547ad1dae47833cf6d722c08f9cbf5e7867a422282ce52dc320340ded93473a598903bfee9bf6a1a3393779468dbeb27d3390dbd59e6d20ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\04_Music_played_in_the_last_month.wpl

Filesize
1KB

MD5
f8d3a4cacf055f5ec5c62218ea50d290

SHA1
974474ce3fe345d8015863bd6ea7242ba118532b

SHA256
201f2170812cf8041964c4d3c5ef539d96adeba6a68b69ecaed0affe3ae8e25f

SHA512
ac32cbeb05fae672047705679043aecf9b56314baa09c2d3abb7eac655710d7cb2c967ea1772767e366bb502e8ad6de375302f51ca62a76d962ee539b45bfc21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\05_Pictures_taken_in_the_last_month.wpl

Filesize
797B

MD5
821d2be672f05514127c117cef460c6e

SHA1
1c75f314e7658a3dcdcad315e301f2bae6d47b31

SHA256
3abdb6cbd88ad1557054ece3f10dd1a8494ed32f423b3cf8321b18decc489474

SHA512
146d6293173b80ffe3721ae6e61293cc1d838e8a72713be8b859ce33c69ef753408057be9ce15a78d573e253548ee674ca3fea77efa3d330ce8c8a50f8a8a988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\06_Pictures_rated_4_or_5_stars.wpl

Filesize
785B

MD5
0a8a40ca87323dc16893194b00c7fe77

SHA1
b88a42a85053e0a7483e331b66ba5a40a6290e10

SHA256
9aa433bed2e090cc6904f1c24d5a7b5a1ed6d8f71a997e661b886c69383fd53e

SHA512
5932f09106d622054e6d624221d754ff471e3f37d9f585ed23db7f7327fe1e2f624b22a8f7f2827b607fdb9a30683b8f20c48a39cd35a57ad5cb78467af2c20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\07_TV_recorded_in_the_last_week.wpl

Filesize
1KB

MD5
b9987b1f9df6d0afc01558b907e62a16

SHA1
ef202d5d6f90b37c71cb757f3babb0857ce54d86

SHA256
0892efdb8459d81d4c5e1085239734d9910b9c6a1debd7189cf385141f0b19d1

SHA512
6bc86075632c3e56ffe1d371f4178299e93e014f5c5c83dfdca2dc9efd1155633409c79ec87cfe2afd4374b83771ae56a3eb7fac00f83921b433cb49216037f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\08_Video_rated_at_4_or_5_stars.wpl

Filesize
1020B

MD5
a3787a42b81fce0e448976ad158edd93

SHA1
45ff275c0c32eab1f0b56e8b61e8ead18cfd1675

SHA256
94bc17ac59bde92fbca00fcc69aed68fcbfe2c1754dd45f4810765f5fdf774ff

SHA512
b36ca10f580ec9d455fb57149bce1897fe48fda6023b2fb55b6b4b80a91f1754311b91edd72c13103e0da9ed90b696c28d6904ea91984ade69ed50791f4065ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\09_Music_played_the_most.wpl

Filesize
1KB

MD5
467e71aa2fd951eb0a1af3d6bb8378e8

SHA1
fb654c0b2663d4fa5fd0f1658097d936dd0429ed

SHA256
a54bc2cad63ced4fd9ff2a3a094a26e264e8a5ce8139193896d13236f494e2ee

SHA512
f9242a4925b910f4a114652967a6e2f49444a3f0d9f35402fef28cc8d39c58720930084112baf92eb6716af541fd76e3803ccc1e742cec07f1d4fb6abc13a42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\10_All_Music.wpl

Filesize
1KB

MD5
51aeed11707741118e0706c1259df22e

SHA1
6434e915b018c6d15898fe0a4d006bbe3e1edb60

SHA256
ec286113e5ad77ac34063589a137a6dc4b4cab8845cd9c5386519983fa3b48f0

SHA512
a674487f9cabe1fb2809cd98958dce696f7f066d3738bfb30317201ed804df3c72f2d24d6f9c0832cf446c8a965e21f3ea50aada1c69860a12340d6eca88e942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\11_All_Pictures.wpl

Filesize
585B

MD5
74294ef495559ed32731f19096d70312

SHA1
fdc6cc849270016d2a382d7d0daabf44a4556cd9

SHA256
db34d82f2cd23e6e55a64e12d2a0a9c27ac2ded156483238f22a336ca6825110

SHA512
b068d903b83945f146abd4cf384da99af608643c62b647ea65db33c3b0e0face4727a74be3210a9c6469bbc403d1f5c59d92cbd57722737e992b0e4f5e66662a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00019A85\12_All_Video.wpl

Filesize
1KB

MD5
372d0beebea5460409a6a1c53ac52a18

SHA1
1b5a925e00f9a4cc3a18feb8f74a2e39ef11eeb6

SHA256
5b8b62b35e5dd8a46ccccaf3fc3743be9e0965d24cbcd20da2681065eeb37ef3

SHA512
efb412e3a17f4eab84fb9f99b9e420d18e23610a9a66bcd7298c3ba68fd24abe0c1f2e58faa411e059788d34f4cede45f9e25c6578d13faefb8ee79acd50f2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
557a3f86c9c2f95c43d65cc186840a64

SHA1
efdaff1c41b5d23a75485f8c5426c6fc70d94b27

SHA256
f4d272053e08f065fe6b8461db978909cff0893cd85ecb5ec71a87e41ac22063

SHA512
9401af9f9fc2171904fbf044a6b44413d02587cab02f0c444898416b6236a54d693e44ac39955b58b865fefe840fc0faa2133dda5c9d0af1277d91330784c61d

Download Submit
memory/2008-46-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-59-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-56-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2008-54-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2008-55-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2008-53-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2008-52-0x0000000003D70000-0x0000000003D80000-memory.dmp

Filesize
64KB

Download
memory/2008-51-0x0000000003D70000-0x0000000003D80000-memory.dmp

Filesize
64KB

Download
memory/2008-50-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-49-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-47-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-45-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-43-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-60-0x0000000003A20000-0x0000000003A30000-memory.dmp

Filesize
64KB

Download
memory/2008-61-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2008-62-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/4312-151-0x00007FFDCDB80000-0x00007FFDCDE34000-memory.dmp

Filesize
2.7MB

Download
memory/4312-176-0x00007FFDD01E0000-0x00007FFDD01F1000-memory.dmp

Filesize
68KB

Download
memory/4312-154-0x00007FFDDE940000-0x00007FFDDE951000-memory.dmp

Filesize
68KB

Download
memory/4312-155-0x00007FFDDE920000-0x00007FFDDE937000-memory.dmp

Filesize
92KB

Download
memory/4312-157-0x00007FFDDE8E0000-0x00007FFDDE8FD000-memory.dmp

Filesize
116KB

Download
memory/4312-158-0x00007FFDDE8C0000-0x00007FFDDE8D1000-memory.dmp

Filesize
68KB

Download
memory/4312-156-0x00007FFDDE900000-0x00007FFDDE911000-memory.dmp

Filesize
68KB

Download
memory/4312-153-0x00007FFDDEA30000-0x00007FFDDEA47000-memory.dmp

Filesize
92KB

Download
memory/4312-163-0x00007FFDCD980000-0x00007FFDCDB80000-memory.dmp

Filesize
2.0MB

Download
memory/4312-152-0x00007FFDDEC90000-0x00007FFDDECA8000-memory.dmp

Filesize
96KB

Download
memory/4312-149-0x00007FF79B4C0000-0x00007FF79B5B8000-memory.dmp

Filesize
992KB

Download
memory/4312-164-0x00007FFDCC8D0000-0x00007FFDCD97B000-memory.dmp

Filesize
16.7MB

Download
memory/4312-179-0x00007FFDD0120000-0x00007FFDD0187000-memory.dmp

Filesize
412KB

Download
memory/4312-180-0x00007FFDCF000000-0x00007FFDCF06F000-memory.dmp

Filesize
444KB

Download
memory/4312-183-0x00007FFDCC750000-0x00007FFDCC8C8000-memory.dmp

Filesize
1.5MB

Download
memory/4312-184-0x00007FFDCEF80000-0x00007FFDCEF97000-memory.dmp

Filesize
92KB

Download
memory/4312-185-0x00007FFDCC5E0000-0x00007FFDCC750000-memory.dmp

Filesize
1.4MB

Download
memory/4312-190-0x00007FFDCEF60000-0x00007FFDCEF72000-memory.dmp

Filesize
72KB

Download
memory/4312-192-0x00007FFDCEEC0000-0x00007FFDCEF0C000-memory.dmp

Filesize
304KB

Download
memory/4312-193-0x00007FFDCC470000-0x00007FFDCC5DB000-memory.dmp

Filesize
1.4MB

Download
memory/4312-194-0x00007FFDCC410000-0x00007FFDCC467000-memory.dmp

Filesize
348KB

Download
memory/4312-191-0x00007FFDCEF10000-0x00007FFDCEF52000-memory.dmp

Filesize
264KB

Download
memory/4312-182-0x00007FFDCEFA0000-0x00007FFDCEFF6000-memory.dmp

Filesize
344KB

Download
memory/4312-181-0x00007FFDCFC40000-0x00007FFDCFC51000-memory.dmp

Filesize
68KB

Download
memory/4312-178-0x00007FFDD0190000-0x00007FFDD01C0000-memory.dmp

Filesize
192KB

Download
memory/4312-177-0x00007FFDD01C0000-0x00007FFDD01D8000-memory.dmp

Filesize
96KB

Download
memory/4312-195-0x00007FFDCC1C0000-0x00007FFDCC40B000-memory.dmp

Filesize
2.3MB

Download
memory/4312-150-0x00007FFDDEA50000-0x00007FFDDEA84000-memory.dmp

Filesize
208KB

Download
memory/4312-175-0x00007FFDD0200000-0x00007FFDD021B000-memory.dmp

Filesize
108KB

Download
memory/4312-174-0x00007FFDD0220000-0x00007FFDD0231000-memory.dmp

Filesize
68KB

Download
memory/4312-173-0x00007FFDD0240000-0x00007FFDD0251000-memory.dmp

Filesize
68KB

Download
memory/4312-172-0x00007FFDD0260000-0x00007FFDD0271000-memory.dmp

Filesize
68KB

Download
memory/4312-171-0x00007FFDD5290000-0x00007FFDD52A8000-memory.dmp

Filesize
96KB

Download
memory/4312-170-0x00007FFDD0280000-0x00007FFDD02A1000-memory.dmp

Filesize
132KB

Download
memory/4312-169-0x00007FFDD02B0000-0x00007FFDD02EF000-memory.dmp

Filesize
252KB

Download
memory/4312-196-0x00007FFDCAA10000-0x00007FFDCC1C0000-memory.dmp

Filesize
23.7MB

Download
memory/4312-213-0x00007FFDE7EA0000-0x00007FFDE7EB0000-memory.dmp

Filesize
64KB

Download
memory/4312-214-0x00007FFDCA9E0000-0x00007FFDCAA0F000-memory.dmp

Filesize
188KB

Download
memory/4312-215-0x00007FFDCA9C0000-0x00007FFDCA9D1000-memory.dmp

Filesize
68KB

Download
memory/4312-216-0x00007FFDCA9A0000-0x00007FFDCA9B6000-memory.dmp

Filesize
88KB

Download
memory/4312-217-0x00007FFDCA8D0000-0x00007FFDCA995000-memory.dmp

Filesize
788KB

Download
memory/4312-218-0x00007FFDCA850000-0x00007FFDCA8C5000-memory.dmp

Filesize
468KB

Download
memory/4312-223-0x00007FFDCA7E0000-0x00007FFDCA842000-memory.dmp

Filesize
392KB

Download
memory/4312-225-0x00007FFDCA750000-0x00007FFDCA763000-memory.dmp

Filesize
76KB

Download
memory/4312-227-0x0000029ACF1E0000-0x0000029ACF230000-memory.dmp

Filesize
320KB

Download
memory/4312-228-0x0000029ACF230000-0x0000029ACF245000-memory.dmp

Filesize
84KB

Download
memory/4312-231-0x00007FFDCA440000-0x00007FFDCA452000-memory.dmp

Filesize
72KB

Download
memory/4312-232-0x00007FFDCA2C0000-0x00007FFDCA43A000-memory.dmp

Filesize
1.5MB

Download
memory/4312-233-0x00007FFDCA2A0000-0x00007FFDCA2B5000-memory.dmp

Filesize
84KB

Download
memory/4312-234-0x00007FFDCA270000-0x00007FFDCA293000-memory.dmp

Filesize
140KB

Download
memory/4312-230-0x00007FFDCA460000-0x00007FFDCA471000-memory.dmp

Filesize
68KB

Download
memory/4312-229-0x00007FFDCA4A0000-0x00007FFDCA6BD000-memory.dmp

Filesize
2.1MB

Download
memory/4312-226-0x00007FFDCA730000-0x00007FFDCA744000-memory.dmp

Filesize
80KB

Download
memory/4312-224-0x00007FFDCA770000-0x00007FFDCA7DD000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads