Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
7Photoshop.exe
windows7-x64
7Photoshop.exe
windows10-2004-x64
7$PLUGINSDI...ol.dll
windows7-x64
7$PLUGINSDI...ol.dll
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
7$PLUGINSDI...em.dll
windows10-2004-x64
7$PLUGINSDI...te.dll
windows7-x64
8$PLUGINSDI...te.dll
windows10-2004-x64
3$PLUGINSDI...sh.dll
windows7-x64
7$PLUGINSDI...sh.dll
windows10-2004-x64
7$PLUGINSDI...ry.dll
windows7-x64
3$PLUGINSDI...ry.dll
windows10-2004-x64
3$PLUGINSDIR/xml.dll
windows7-x64
7$PLUGINSDIR/xml.dll
windows10-2004-x64
7Analysis
-
max time kernel
144s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/03/2024, 03:07
Behavioral task
behavioral1
Sample
Photoshop.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Photoshop.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/locate.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/locate.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/newadvsplash.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/newadvsplash.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/registry.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/registry.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/xml.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/xml.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
$PLUGINSDIR/locate.dll
-
Size
17KB
-
MD5
7d3317f57c1a368480ace3c0ca804eeb
-
SHA1
d4c7e185bc64aac82339f51ba6c21cf0713c9f1a
-
SHA256
d88a04c1e39db583eaad727fd390fe599ab10198ee040bfbdd22daefadbd2372
-
SHA512
5598c2e6caa2f66edd48f8c8305e054d4b0740b5f2b7ed92cf197a13ac66ba99a32013d34b3c2e28d007ab7979eb90a50681324eb736b1410e7df1902e4ec32a
-
SSDEEP
384:ev/vPBkA6dK8wiLe45naPji7hpx2kRV+qgm:evyvwiNnGji7Xxjc8
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" unregmp2.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} unregmp2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514" unregmp2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" unregmp2.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2104 2108 WerFault.exe 28 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1984 wmplayer.exe 1960 wmplayer.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2980 wrote to memory of 2108 2980 rundll32.exe 28 PID 2108 wrote to memory of 2104 2108 rundll32.exe 29 PID 2108 wrote to memory of 2104 2108 rundll32.exe 29 PID 2108 wrote to memory of 2104 2108 rundll32.exe 29 PID 2108 wrote to memory of 2104 2108 rundll32.exe 29 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1716 wrote to memory of 1996 1716 wmplayer.exe 33 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1996 wrote to memory of 1640 1996 setup_wm.exe 36 PID 1640 wrote to memory of 1112 1640 unregmp2.exe 37 PID 1640 wrote to memory of 1112 1640 unregmp2.exe 37 PID 1640 wrote to memory of 1112 1640 unregmp2.exe 37 PID 1640 wrote to memory of 1112 1640 unregmp2.exe 37 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1996 wrote to memory of 1412 1996 setup_wm.exe 38 PID 1412 wrote to memory of 1560 1412 unregmp2.exe 39 PID 1412 wrote to memory of 1560 1412 unregmp2.exe 39 PID 1412 wrote to memory of 1560 1412 unregmp2.exe 39 PID 1412 wrote to memory of 1560 1412 unregmp2.exe 39 PID 1996 wrote to memory of 1984 1996 setup_wm.exe 40 PID 1996 wrote to memory of 1984 1996 setup_wm.exe 40 PID 1996 wrote to memory of 1984 1996 setup_wm.exe 40 PID 1996 wrote to memory of 1984 1996 setup_wm.exe 40
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\locate.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\locate.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 2283⤵
- Program crash
PID:2104
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary3⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:1112
-
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded3⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT4⤵PID:1560
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CopyAdd.wmx3⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1984
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1960
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5401⤵PID:1004
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{F8E015D3-D125-4A18-8A06-C56CE56DB4C8}.jpg
Filesize22KB
MD535e787587cd3fa8ed360036c9fca3df2
SHA184c76a25c6fe336f6559c033917a4c327279886d
SHA25698c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
SHA512aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9
-
Filesize
1.0MB
MD5b9c163f92e8911d5da300a84cc91b892
SHA1c373bd8d4da344b0e406e20ef7a439e69de7ccd8
SHA2566b4a147e430dc12997d7be68484cff295b271c40ae5b8f8671bfb83765aa633a
SHA512250feb6585d21377498b62b50d253c8ba0b5e63c91a4682b945ea10d86eeb044c726128809ea72d1a37b2c46780e5f6f709a6d897e9ddfc2d9cb48c78eb19c6a
-
Filesize
1.0MB
MD56d480d21967ab1283c1c33263339ed1b
SHA11a94adab0f39f1a6b9d1cc7458694f0c75bdc5c9
SHA256ed923770ddfe7f2ef41802aaadf135e09293bb61f1c708b2a4937093ce9bd970
SHA5124d95fb5ddd9bf4b6d8221fb755dbda1b395be5fedf8c1c3498286ff5739e3629c4e91de315b892cf98c0de10a986cc4cbe8bc1f1f1ca73b5f20986b0ff3c619d
-
Filesize
356B
MD522a577b001455d04afd80b6734a41e32
SHA1d0b1cbaab07db71b4108ec2a12f99253bf22f5c7
SHA256e45ecab9a45410437cad5d8862e4716561a58e5f1a8e2d7aca5af318174381d6
SHA5128687dd030abc84fafbc83acab0d4a094bc86eabe13d9b72c5ee5c4d823355fd64ff010a3f184e29a3391f28606f01c71047aa7d7b822945f1c4f554e824328ab
-
Filesize
546B
MD5df03e65b8e082f24dab09c57bc9c6241
SHA16b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99
-
Filesize
523B
MD5d58da90d6dc51f97cb84dfbffe2b2300
SHA15f86b06b992a3146cb698a99932ead57a5ec4666
SHA25693acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA5127f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636
-
Filesize
3KB
MD5722463bb49d72be1d1d752ba5937896e
SHA15246827d15f4d8f7dedd74d8f809fc2c796a9792
SHA25673d255c8d6e0cb46c12a29610385ace4f04d71c9015a03699988dab3cce223e1
SHA512ca5eccf8c7a235db5e8305b3d76febf3dddc2510a33aacb7d3042adfcbe7d6b1deccb8f984d1673024ff8f186cd7695ca6b6b5b9083b3b2bcf53cb495bfd5bb4
-
Filesize
4KB
MD5a06f729346d93b03405b8d5bbb4911a1
SHA142d54ab20b84871d284ef6ada846a799d932be62
SHA2568d44b45d4596134ae036dd362242519abc9d15bce8354868c4f06968b0e8eaca
SHA5122a8ab45afa967c01a214b12189aa121a0f7bc0739169600f8b74628f8c0a5199068bb34b39725863c23cf0d9f232e5cc87cbd5ee1f83c5a2cca931793731d084
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD5f4f8466d92a47048f2df6a12b92615c7
SHA158c193100f0050d0a9a0e9fa71bde054794e6538
SHA2565d842e8627b47757ae061e613794ff28ca91443d2ce238d4d5614bad7ddebbbe
SHA512b657127e5a1120280e69a76e4acaf2eb3d9c0694dafdf479213d73c4f32fb69f82cc6186a0d8ee8a72c1466233989e4c72b302f325257b39bb3a4ec8c88aba5d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf782d28.TMP
Filesize1KB
MD54fa692bf07e310869b7e7d2d7dbc25bc
SHA131ed5c6fd48c624cf92960b9848f987e6d47f000
SHA256ec9fe5f8a8e58d417e1eeba08d89ad2618dae89f5a1ddfb30f3ce4e6a53f2497
SHA512fc70580d14f34d8fd2d66efff3651cb9c50746653a3ddd3b1a41ebd314ee2834c3ef291261874b64a18bd5d9c11a312c705b634a9187a79f9b6e47043972c5f2
