Analysis Overview
SHA256
fa82b45c4fac3e0c617fc474ac7a395f1a1606fb3e1ef84ff85018cdba9f23e5
Threat Level: Likely malicious
The file bpzbku.mp4 was found to be: Likely malicious.
Malicious Activity Summary
Modifies Installed Components in the registry
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 11:02
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:06
Platform
win11-20240508-en
Max time kernel
197s
Max time network
89s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | C:\Windows\system32\unregmp2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\system32\unregmp2.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | C:\Windows\system32\unregmp2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\SysWOW64\unregmp2.exe
C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000494 0x00000000000004D0
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | musicmatch-ssl.xboxlive.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 01cc92784952058cdef7f695c7c430fc |
| SHA1 | 58dab872f862e37bb8b3b7c439583bbed98453cf |
| SHA256 | 010ba5687c5e9143ade13270ab95323e460e14deb5538abc5857c3cedc9bef54 |
| SHA512 | 0ba233dcd8f05d714e8e2bc739393d16d0d178a5db517d899c84a3712738ccd736cd6d5f8872d9ff3fc5148fe10e6fac5b07edab09a9d9017f940834da2fb455 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 19d78b1eae63fd95e33c36ae0cad7aa8 |
| SHA1 | 52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b |
| SHA256 | 50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80 |
| SHA512 | 34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454 |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | cc58d3db045cde8bf74bd845cda472fd |
| SHA1 | 3070e2b3b7153fd2ec01a1862d7cae47b5a4ee35 |
| SHA256 | d2a4363eee030439f4c22a244f24cc88d1cdbc19d8f9cad47a94d6d9cef937f4 |
| SHA512 | 9ca5f2d38c538f4285fe0611a22bca6588601f90a7c9d1ca8f6a7c6aa7134de5a0ba65299e691d84745dac78dbfddbb132288d81fc501b37477cbdcd6f57bd8f |
memory/1504-46-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-47-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-48-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-45-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-49-0x0000000006240000-0x0000000006250000-memory.dmp
memory/1504-50-0x0000000006190000-0x00000000061A0000-memory.dmp
memory/1504-53-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-52-0x0000000004200000-0x0000000004210000-memory.dmp
memory/1504-51-0x0000000006190000-0x00000000061A0000-memory.dmp
memory/1504-54-0x0000000006190000-0x00000000061A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | e381d16eb6548e59db015fe16b178ccc |
| SHA1 | 2961251c9ef24feb56164068096d40b482d68a1d |
| SHA256 | 0408b786428fd2a2e69233fd919fdfd041b875e2e95f8c58d0bf403aef5c5749 |
| SHA512 | 85efb4d3ae6cab54c49cdaa5dfe75581a0798a4429b73c00ac80c03ad81db11660481e7ea89503cca780eaf487cb1cbb250b88d3e94112fa117cab721cea5637 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 68bba5a7e896eadc8968165c5b2177be |
| SHA1 | 54eab7358bd00672b2c496165c0a61c966d658da |
| SHA256 | d663b1f541b4c15ea3b52e1bf15481969d858fe662ba958f1f3012355f84009c |
| SHA512 | 44aa41f7016173206afcc2935aa27a8ccf3cf3b6132f46c815cb5a02694aa2bc437f485187c56a740ffea4ce0cd3e51560e93be4070020a950c797e2d5002474 |
memory/1504-70-0x0000000008C50000-0x0000000008C60000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
android-x64-arm64-20240603-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
debian12-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
ubuntu2004-amd64-20240508-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
/tmp/bpzbku.mp4
[/tmp/bpzbku.mp4]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
android-x64-20240603-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
android-33-x64-arm64-20240603-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 216.58.213.4:443 | | udp |
| GB | 216.58.213.4:443 | | tcp |
| GB | 216.58.213.4:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
android-x86-arm-20240603-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/bpzbku.mp4
[/tmp/bpzbku.mp4]
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
ubuntu2404-amd64-20240523-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:06
Platform
win10-20240404-en
Max time kernel
216s
Max time network
211s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | \??\c:\windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | redir.metaservices.microsoft.com | udp |
| SE | 23.201.43.97:80 | redir.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | info.music.metaservices.microsoft.com | udp |
| US | 8.8.8.8:53 | 97.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 6d97cd36a54b5a1ee58b7a934904cc59 |
| SHA1 | e15e845cac65034921538060448aa00eb4b82da2 |
| SHA256 | 691f1f47e6061d97995225a1c864f8227523bb2a365575216804b8e75dce52ed |
| SHA512 | 5304b8755dc00d8b5eefbf39dc6df39f030bb19df6c793d00c7ba53fead869f1c074889363c3b37be4882ad9bb908f1878c10ecbff07d2bcae90f16bb5e11902 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 0e807656bd86f2aef7ccf207f963973b |
| SHA1 | 27052af8d103d134369e356b793eb88ba873df55 |
| SHA256 | c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162 |
| SHA512 | e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3 |
memory/4360-40-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-41-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-43-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-42-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-46-0x00000000075C0000-0x00000000075D0000-memory.dmp
memory/4360-47-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-50-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-49-0x0000000007140000-0x0000000007150000-memory.dmp
memory/4360-48-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-53-0x0000000009930000-0x0000000009940000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 7144801f06338d8de4e1d840a22a9941 |
| SHA1 | db463da201edc0c64b6f47e80bd1258bf5bc0825 |
| SHA256 | f5b238d1763fc3333d4becccd788b750d825027a4ff60bc3f0d28265eb9c1183 |
| SHA512 | 8fa461f937e506c1c1d183111aca24756f37a1676bc1d7336b0efcfb04674e0ad18c6c7768ce5f55b9b0a6200d7a03267dd73e53e1370de7ecc2436411e875fa |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | c92e6b5113f7fda22ae0063e27f06c1d |
| SHA1 | 81c83846b87461bf16eadff80602d42069a18807 |
| SHA256 | 47fe784ae0719d63ca2d8e21c426423cf1c9ca3bcf9eeeb27d869f861b0203e6 |
| SHA512 | 3e9a0fbfa0b5573636e9d93783c9aa42246105f8b805fc1ca5d56fd69dfc434fd9569264fa949d615ec171a88158b643d81b78a1b408a9a7190cba41dbdf1374 |
memory/4360-61-0x0000000009FF0000-0x000000000A000000-memory.dmp
memory/4360-62-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-63-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-64-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-65-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-67-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-68-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-69-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-71-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-72-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-70-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-66-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-73-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-78-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-77-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-76-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-75-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-74-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-80-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-81-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-82-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-83-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-88-0x0000000009FF0000-0x000000000A000000-memory.dmp
memory/4360-86-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-85-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-84-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-89-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-91-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-90-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-92-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-97-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-99-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-98-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-96-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-95-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-94-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-93-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-102-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-107-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-106-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-105-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-104-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-103-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-110-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-111-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-113-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-112-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-117-0x0000000009FF0000-0x000000000A000000-memory.dmp
memory/4360-116-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-119-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-115-0x0000000009930000-0x0000000009940000-memory.dmp
memory/4360-114-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-120-0x000000000A0E0000-0x000000000A0F0000-memory.dmp
memory/4360-121-0x0000000009930000-0x0000000009940000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
macos-20240410-en
Max time kernel
43s
Max time network
35s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/bpzbku.mp4"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/bpzbku.mp4"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/bpzbku.mp4]
/bin/zsh
[/bin/zsh -c /Users/run/bpzbku.mp4]
/Users/run/bpzbku.mp4
[/Users/run/bpzbku.mp4]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.23:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
debian12-armhf-20240221-en
Max time network
36s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
debian9-mipsbe-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
ubuntu2204-amd64-20240522-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:04
Platform
win7-20240508-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
Network
Files
memory/2072-6-0x000007FEF8030000-0x000007FEF8064000-memory.dmp
memory/2072-5-0x000000013FEA0000-0x000000013FF98000-memory.dmp
memory/2072-8-0x000007FEFB530000-0x000007FEFB548000-memory.dmp
memory/2072-9-0x000007FEF8140000-0x000007FEF8157000-memory.dmp
memory/2072-14-0x000007FEF66B0000-0x000007FEF66C1000-memory.dmp
memory/2072-10-0x000007FEF8080000-0x000007FEF8091000-memory.dmp
memory/2072-13-0x000007FEF7250000-0x000007FEF726D000-memory.dmp
memory/2072-12-0x000007FEF7270000-0x000007FEF7281000-memory.dmp
memory/2072-11-0x000007FEF7290000-0x000007FEF72A7000-memory.dmp
memory/2072-7-0x000007FEF5F90000-0x000007FEF6246000-memory.dmp
memory/2072-16-0x000007FEF4CD0000-0x000007FEF4EDB000-memory.dmp
memory/2072-18-0x000007FEF6630000-0x000007FEF6651000-memory.dmp
memory/2072-19-0x000007FEF6610000-0x000007FEF6628000-memory.dmp
memory/2072-20-0x000007FEF65F0000-0x000007FEF6601000-memory.dmp
memory/2072-21-0x000007FEF65D0000-0x000007FEF65E1000-memory.dmp
memory/2072-22-0x000007FEF4CB0000-0x000007FEF4CC1000-memory.dmp
memory/2072-23-0x000007FEF4C90000-0x000007FEF4CAB000-memory.dmp
memory/2072-24-0x000007FEF4C70000-0x000007FEF4C81000-memory.dmp
memory/2072-25-0x000007FEF4C50000-0x000007FEF4C68000-memory.dmp
memory/2072-26-0x000007FEF4C20000-0x000007FEF4C50000-memory.dmp
memory/2072-17-0x000007FEF6660000-0x000007FEF66A1000-memory.dmp
memory/2072-32-0x000007FEF4910000-0x000007FEF4927000-memory.dmp
memory/2072-15-0x000007FEF4EE0000-0x000007FEF5F90000-memory.dmp
memory/2072-30-0x000007FEF4AB0000-0x000007FEF4B07000-memory.dmp
memory/2072-31-0x000007FEF4930000-0x000007FEF4AB0000-memory.dmp
memory/2072-29-0x000007FEF4B10000-0x000007FEF4B21000-memory.dmp
memory/2072-28-0x000007FEF4B30000-0x000007FEF4BAC000-memory.dmp
memory/2072-27-0x000007FEF4BB0000-0x000007FEF4C17000-memory.dmp
memory/2072-34-0x000007FEF2E90000-0x000007FEF3096000-memory.dmp
memory/2072-41-0x000007FEF2940000-0x000007FEF2956000-memory.dmp
memory/2072-40-0x000007FEF2960000-0x000007FEF2971000-memory.dmp
memory/2072-39-0x000007FEF2980000-0x000007FEF29AF000-memory.dmp
memory/2072-38-0x000007FEF80F0000-0x000007FEF8100000-memory.dmp
memory/2072-37-0x000007FEF2DD0000-0x000007FEF2E1D000-memory.dmp
memory/2072-36-0x000007FEF2E20000-0x000007FEF2E62000-memory.dmp
memory/2072-47-0x000007FEF2370000-0x000007FEF2393000-memory.dmp
memory/2072-56-0x000007FEEFC60000-0x000007FEEFC71000-memory.dmp
memory/2072-57-0x000007FEEFBF0000-0x000007FEEFC3E000-memory.dmp
memory/2072-59-0x000007FEEFB50000-0x000007FEEFB84000-memory.dmp
memory/2072-58-0x000007FEEFB90000-0x000007FEEFBE7000-memory.dmp
memory/2072-55-0x000007FEEFFF0000-0x000007FEF0064000-memory.dmp
memory/2072-54-0x000007FEF0120000-0x000007FEF0167000-memory.dmp
memory/2072-53-0x000007FEF0170000-0x000007FEF01D1000-memory.dmp
memory/2072-33-0x000007FEF30A0000-0x000007FEF490F000-memory.dmp
memory/2072-52-0x000007FEF01E0000-0x000007FEF01F1000-memory.dmp
memory/2072-51-0x000007FEF2200000-0x000007FEF2212000-memory.dmp
memory/2072-50-0x000007FEF2220000-0x000007FEF2231000-memory.dmp
memory/2072-49-0x000007FEF2240000-0x000007FEF2346000-memory.dmp
memory/2072-48-0x000007FEF2350000-0x000007FEF2363000-memory.dmp
memory/2072-45-0x000007FEF2740000-0x000007FEF27AD000-memory.dmp
memory/2072-46-0x000007FEF23C0000-0x000007FEF23D5000-memory.dmp
memory/2072-44-0x000007FEF27B0000-0x000007FEF2812000-memory.dmp
memory/2072-43-0x000007FEF2820000-0x000007FEF2862000-memory.dmp
memory/2072-42-0x000007FEF2870000-0x000007FEF2935000-memory.dmp
memory/2072-35-0x000007FEF2E70000-0x000007FEF2E82000-memory.dmp
memory/2072-62-0x000007FEF5F90000-0x000007FEF6246000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:06
Platform
win10v2004-20240508-en
Max time kernel
204s
Max time network
108s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" | C:\Windows\system32\unregmp2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\system32\unregmp2.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | C:\Windows\system32\unregmp2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{05BE7405-0B80-4E18-9AA9-8AF176765C35} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\system32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\SysWOW64\unregmp2.exe
C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x514
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | musicmatch-ssl.xboxlive.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 11fca311bd9eba5d15c773f2cfd93c58 |
| SHA1 | ff810438ae7fbd9abfbd239238378f140f376214 |
| SHA256 | 0a3792c1db6d579d5dab4f381d73d57690990b1100015ed676a4846a57465e17 |
| SHA512 | d28c7002d6194a33cd140c26d83f1e6761638c15493769a7bc2118c0bc21a7ec07d660e89e8806bd2b1470a5642807ebb6f82bbd5256b6e3005532b313d1c9db |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 063793e4ba784832026ec8bc3528f7f1 |
| SHA1 | 687d03823d7ab8954826f753a645426cff3c5db4 |
| SHA256 | cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd |
| SHA512 | 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6 |
memory/3656-43-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-46-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-45-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-44-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-47-0x00000000066E0000-0x00000000066F0000-memory.dmp
memory/3656-48-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-51-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-50-0x0000000004260000-0x0000000004270000-memory.dmp
memory/3656-49-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-52-0x00000000066C0000-0x00000000066D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 7fe6bfaeb801920c0894824695d37c51 |
| SHA1 | e34f327dfb13e5f88a0f733d590b2d0da82e635e |
| SHA256 | 9ccc03d26d29c12dd13b2dabf955ec6a8b4e98c97aa8d2246ec815778662e5e0 |
| SHA512 | 9a7f703b1e99866f421fc540aef049f49fa6f737b0c7f991501ae1c083f6c42b9d80381dc8337100220e8f298484bd58af2c90beb37f3519d447d4cb2942a60f |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 055b9418acb59294f3a848b3af61fe14 |
| SHA1 | 7b2c21ce214789e9980654e237c97dfbf41893e2 |
| SHA256 | ecfc5ff748cb86ff0c6f96c01bfbeadfecc5d3487886844c446d9535b86fe08e |
| SHA512 | b4cb646d139d7cd5861a0dbff820c5cf9ec7e2badb77536af9ef9612978fd4ee788f3ae3d923409ef3f13c32fe9f8436f07f63920c8e35be11596d8345333d84 |
memory/3656-56-0x0000000006880000-0x0000000006890000-memory.dmp
memory/3656-57-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-58-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-59-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-60-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-61-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-62-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-68-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-67-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-66-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-65-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-64-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-63-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-70-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-71-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-73-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-72-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-69-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-74-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-75-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-76-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-77-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-78-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-79-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-80-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-81-0x0000000006880000-0x0000000006890000-memory.dmp
memory/3656-85-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-86-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-88-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-87-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-90-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-93-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-92-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-91-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-89-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-84-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-83-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-94-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-99-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-98-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-97-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-96-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-95-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-100-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-101-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-102-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-103-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-104-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-105-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-106-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-107-0x0000000006880000-0x0000000006890000-memory.dmp
memory/3656-108-0x0000000008B00000-0x0000000008B10000-memory.dmp
memory/3656-110-0x00000000066C0000-0x00000000066D0000-memory.dmp
memory/3656-109-0x0000000008B00000-0x0000000008B10000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-11 11:02
Reported
2024-06-11 11:03
Platform
debian9-mipsel-20240418-en