Malware Analysis Report

2024-10-10 07:25

Sample ID 240611-m5gn3avenn
Target bpzbku.mp4
SHA256 fa82b45c4fac3e0c617fc474ac7a395f1a1606fb3e1ef84ff85018cdba9f23e5
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fa82b45c4fac3e0c617fc474ac7a395f1a1606fb3e1ef84ff85018cdba9f23e5

Threat Level: Likely malicious

The file bpzbku.mp4 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:02

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:06

Platform

win11-20240508-en

Max time kernel

197s

Max time network

89s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282" C:\Windows\system32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\unregmp2.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\system32\unregmp2.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\system32\unregmp2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 3176 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4748 wrote to memory of 3176 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4748 wrote to memory of 3176 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4748 wrote to memory of 1344 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 4748 wrote to memory of 1344 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 4748 wrote to memory of 1344 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 1344 wrote to memory of 5060 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 1344 wrote to memory of 5060 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 3176 wrote to memory of 3620 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3176 wrote to memory of 3620 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3176 wrote to memory of 3620 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3620 wrote to memory of 1216 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 3620 wrote to memory of 1216 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 3176 wrote to memory of 1504 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 3176 wrote to memory of 1504 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 3176 wrote to memory of 1504 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\SysWOW64\unregmp2.exe

C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x0000000000000494 0x00000000000004D0

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 01cc92784952058cdef7f695c7c430fc
SHA1 58dab872f862e37bb8b3b7c439583bbed98453cf
SHA256 010ba5687c5e9143ade13270ab95323e460e14deb5538abc5857c3cedc9bef54
SHA512 0ba233dcd8f05d714e8e2bc739393d16d0d178a5db517d899c84a3712738ccd736cd6d5f8872d9ff3fc5148fe10e6fac5b07edab09a9d9017f940834da2fb455

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 19d78b1eae63fd95e33c36ae0cad7aa8
SHA1 52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b
SHA256 50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80
SHA512 34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 cc58d3db045cde8bf74bd845cda472fd
SHA1 3070e2b3b7153fd2ec01a1862d7cae47b5a4ee35
SHA256 d2a4363eee030439f4c22a244f24cc88d1cdbc19d8f9cad47a94d6d9cef937f4
SHA512 9ca5f2d38c538f4285fe0611a22bca6588601f90a7c9d1ca8f6a7c6aa7134de5a0ba65299e691d84745dac78dbfddbb132288d81fc501b37477cbdcd6f57bd8f

memory/1504-46-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-47-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-48-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-45-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-49-0x0000000006240000-0x0000000006250000-memory.dmp

memory/1504-50-0x0000000006190000-0x00000000061A0000-memory.dmp

memory/1504-53-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-52-0x0000000004200000-0x0000000004210000-memory.dmp

memory/1504-51-0x0000000006190000-0x00000000061A0000-memory.dmp

memory/1504-54-0x0000000006190000-0x00000000061A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 e381d16eb6548e59db015fe16b178ccc
SHA1 2961251c9ef24feb56164068096d40b482d68a1d
SHA256 0408b786428fd2a2e69233fd919fdfd041b875e2e95f8c58d0bf403aef5c5749
SHA512 85efb4d3ae6cab54c49cdaa5dfe75581a0798a4429b73c00ac80c03ad81db11660481e7ea89503cca780eaf487cb1cbb250b88d3e94112fa117cab721cea5637

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 68bba5a7e896eadc8968165c5b2177be
SHA1 54eab7358bd00672b2c496165c0a61c966d658da
SHA256 d663b1f541b4c15ea3b52e1bf15481969d858fe662ba958f1f3012355f84009c
SHA512 44aa41f7016173206afcc2935aa27a8ccf3cf3b6132f46c815cb5a02694aa2bc437f485187c56a740ffea4ce0cd3e51560e93be4070020a950c797e2d5002474

memory/1504-70-0x0000000008C50000-0x0000000008C60000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

debian12-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

0s

Max time network

0s

Command Line

[/tmp/bpzbku.mp4]

Signatures

N/A

Processes

/tmp/bpzbku.mp4

[/tmp/bpzbku.mp4]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

android-33-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.213.4:443 udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

android-x86-arm-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Command Line

[/tmp/bpzbku.mp4]

Signatures

N/A

Processes

/tmp/bpzbku.mp4

[/tmp/bpzbku.mp4]

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

ubuntu2404-amd64-20240523-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:06

Platform

win10-20240404-en

Max time kernel

216s

Max time network

211s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll \??\c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll \??\c:\windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 3828 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4444 wrote to memory of 3828 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4444 wrote to memory of 3828 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4444 wrote to memory of 2880 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 4444 wrote to memory of 2880 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 4444 wrote to memory of 2880 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2880 wrote to memory of 3552 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
PID 2880 wrote to memory of 3552 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
PID 3828 wrote to memory of 4360 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 3828 wrote to memory of 4360 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 3828 wrote to memory of 4360 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\System32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3fc

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 redir.metaservices.microsoft.com udp
SE 23.201.43.97:80 redir.metaservices.microsoft.com tcp
US 8.8.8.8:53 info.music.metaservices.microsoft.com udp
US 8.8.8.8:53 97.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 6d97cd36a54b5a1ee58b7a934904cc59
SHA1 e15e845cac65034921538060448aa00eb4b82da2
SHA256 691f1f47e6061d97995225a1c864f8227523bb2a365575216804b8e75dce52ed
SHA512 5304b8755dc00d8b5eefbf39dc6df39f030bb19df6c793d00c7ba53fead869f1c074889363c3b37be4882ad9bb908f1878c10ecbff07d2bcae90f16bb5e11902

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 0e807656bd86f2aef7ccf207f963973b
SHA1 27052af8d103d134369e356b793eb88ba873df55
SHA256 c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162
SHA512 e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

memory/4360-40-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-41-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-43-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-42-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-46-0x00000000075C0000-0x00000000075D0000-memory.dmp

memory/4360-47-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-50-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-49-0x0000000007140000-0x0000000007150000-memory.dmp

memory/4360-48-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-53-0x0000000009930000-0x0000000009940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 7144801f06338d8de4e1d840a22a9941
SHA1 db463da201edc0c64b6f47e80bd1258bf5bc0825
SHA256 f5b238d1763fc3333d4becccd788b750d825027a4ff60bc3f0d28265eb9c1183
SHA512 8fa461f937e506c1c1d183111aca24756f37a1676bc1d7336b0efcfb04674e0ad18c6c7768ce5f55b9b0a6200d7a03267dd73e53e1370de7ecc2436411e875fa

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 c92e6b5113f7fda22ae0063e27f06c1d
SHA1 81c83846b87461bf16eadff80602d42069a18807
SHA256 47fe784ae0719d63ca2d8e21c426423cf1c9ca3bcf9eeeb27d869f861b0203e6
SHA512 3e9a0fbfa0b5573636e9d93783c9aa42246105f8b805fc1ca5d56fd69dfc434fd9569264fa949d615ec171a88158b643d81b78a1b408a9a7190cba41dbdf1374

memory/4360-61-0x0000000009FF0000-0x000000000A000000-memory.dmp

memory/4360-62-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-63-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-64-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-65-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-67-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-68-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-69-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-71-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-72-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-70-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-66-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-73-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-78-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-77-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-76-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-75-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-74-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-80-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-81-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-82-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-83-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-88-0x0000000009FF0000-0x000000000A000000-memory.dmp

memory/4360-86-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-85-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-84-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-89-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-91-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-90-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-92-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-97-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-99-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-98-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-96-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-95-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-94-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-93-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-102-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-107-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-106-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-105-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-104-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-103-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-110-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-111-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-113-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-112-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-117-0x0000000009FF0000-0x000000000A000000-memory.dmp

memory/4360-116-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-119-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-115-0x0000000009930000-0x0000000009940000-memory.dmp

memory/4360-114-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-120-0x000000000A0E0000-0x000000000A0F0000-memory.dmp

memory/4360-121-0x0000000009930000-0x0000000009940000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

macos-20240410-en

Max time kernel

43s

Max time network

35s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/bpzbku.mp4"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/bpzbku.mp4"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/bpzbku.mp4"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/bpzbku.mp4]

/bin/zsh

[/bin/zsh -c /Users/run/bpzbku.mp4]

/Users/run/bpzbku.mp4

[/Users/run/bpzbku.mp4]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

Network

Country Destination Domain Proto
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.23:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 apis.apple.map.fastly.net udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

debian12-armhf-20240221-en

Max time network

36s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

ubuntu2204-amd64-20240522-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:04

Platform

win7-20240508-en

Max time kernel

60s

Max time network

16s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

Network

N/A

Files

memory/2072-6-0x000007FEF8030000-0x000007FEF8064000-memory.dmp

memory/2072-5-0x000000013FEA0000-0x000000013FF98000-memory.dmp

memory/2072-8-0x000007FEFB530000-0x000007FEFB548000-memory.dmp

memory/2072-9-0x000007FEF8140000-0x000007FEF8157000-memory.dmp

memory/2072-14-0x000007FEF66B0000-0x000007FEF66C1000-memory.dmp

memory/2072-10-0x000007FEF8080000-0x000007FEF8091000-memory.dmp

memory/2072-13-0x000007FEF7250000-0x000007FEF726D000-memory.dmp

memory/2072-12-0x000007FEF7270000-0x000007FEF7281000-memory.dmp

memory/2072-11-0x000007FEF7290000-0x000007FEF72A7000-memory.dmp

memory/2072-7-0x000007FEF5F90000-0x000007FEF6246000-memory.dmp

memory/2072-16-0x000007FEF4CD0000-0x000007FEF4EDB000-memory.dmp

memory/2072-18-0x000007FEF6630000-0x000007FEF6651000-memory.dmp

memory/2072-19-0x000007FEF6610000-0x000007FEF6628000-memory.dmp

memory/2072-20-0x000007FEF65F0000-0x000007FEF6601000-memory.dmp

memory/2072-21-0x000007FEF65D0000-0x000007FEF65E1000-memory.dmp

memory/2072-22-0x000007FEF4CB0000-0x000007FEF4CC1000-memory.dmp

memory/2072-23-0x000007FEF4C90000-0x000007FEF4CAB000-memory.dmp

memory/2072-24-0x000007FEF4C70000-0x000007FEF4C81000-memory.dmp

memory/2072-25-0x000007FEF4C50000-0x000007FEF4C68000-memory.dmp

memory/2072-26-0x000007FEF4C20000-0x000007FEF4C50000-memory.dmp

memory/2072-17-0x000007FEF6660000-0x000007FEF66A1000-memory.dmp

memory/2072-32-0x000007FEF4910000-0x000007FEF4927000-memory.dmp

memory/2072-15-0x000007FEF4EE0000-0x000007FEF5F90000-memory.dmp

memory/2072-30-0x000007FEF4AB0000-0x000007FEF4B07000-memory.dmp

memory/2072-31-0x000007FEF4930000-0x000007FEF4AB0000-memory.dmp

memory/2072-29-0x000007FEF4B10000-0x000007FEF4B21000-memory.dmp

memory/2072-28-0x000007FEF4B30000-0x000007FEF4BAC000-memory.dmp

memory/2072-27-0x000007FEF4BB0000-0x000007FEF4C17000-memory.dmp

memory/2072-34-0x000007FEF2E90000-0x000007FEF3096000-memory.dmp

memory/2072-41-0x000007FEF2940000-0x000007FEF2956000-memory.dmp

memory/2072-40-0x000007FEF2960000-0x000007FEF2971000-memory.dmp

memory/2072-39-0x000007FEF2980000-0x000007FEF29AF000-memory.dmp

memory/2072-38-0x000007FEF80F0000-0x000007FEF8100000-memory.dmp

memory/2072-37-0x000007FEF2DD0000-0x000007FEF2E1D000-memory.dmp

memory/2072-36-0x000007FEF2E20000-0x000007FEF2E62000-memory.dmp

memory/2072-47-0x000007FEF2370000-0x000007FEF2393000-memory.dmp

memory/2072-56-0x000007FEEFC60000-0x000007FEEFC71000-memory.dmp

memory/2072-57-0x000007FEEFBF0000-0x000007FEEFC3E000-memory.dmp

memory/2072-59-0x000007FEEFB50000-0x000007FEEFB84000-memory.dmp

memory/2072-58-0x000007FEEFB90000-0x000007FEEFBE7000-memory.dmp

memory/2072-55-0x000007FEEFFF0000-0x000007FEF0064000-memory.dmp

memory/2072-54-0x000007FEF0120000-0x000007FEF0167000-memory.dmp

memory/2072-53-0x000007FEF0170000-0x000007FEF01D1000-memory.dmp

memory/2072-33-0x000007FEF30A0000-0x000007FEF490F000-memory.dmp

memory/2072-52-0x000007FEF01E0000-0x000007FEF01F1000-memory.dmp

memory/2072-51-0x000007FEF2200000-0x000007FEF2212000-memory.dmp

memory/2072-50-0x000007FEF2220000-0x000007FEF2231000-memory.dmp

memory/2072-49-0x000007FEF2240000-0x000007FEF2346000-memory.dmp

memory/2072-48-0x000007FEF2350000-0x000007FEF2363000-memory.dmp

memory/2072-45-0x000007FEF2740000-0x000007FEF27AD000-memory.dmp

memory/2072-46-0x000007FEF23C0000-0x000007FEF23D5000-memory.dmp

memory/2072-44-0x000007FEF27B0000-0x000007FEF2812000-memory.dmp

memory/2072-43-0x000007FEF2820000-0x000007FEF2862000-memory.dmp

memory/2072-42-0x000007FEF2870000-0x000007FEF2935000-memory.dmp

memory/2072-35-0x000007FEF2E70000-0x000007FEF2E82000-memory.dmp

memory/2072-62-0x000007FEF5F90000-0x000007FEF6246000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:06

Platform

win10v2004-20240508-en

Max time kernel

204s

Max time network

108s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266" C:\Windows\system32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" C:\Windows\system32\unregmp2.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\system32\unregmp2.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\system32\unregmp2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{05BE7405-0B80-4E18-9AA9-8AF176765C35} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 216 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 392 wrote to memory of 216 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 392 wrote to memory of 216 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 392 wrote to memory of 968 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 392 wrote to memory of 968 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 392 wrote to memory of 968 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 968 wrote to memory of 1420 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 968 wrote to memory of 1420 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 216 wrote to memory of 2904 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 216 wrote to memory of 2904 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 216 wrote to memory of 2904 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2904 wrote to memory of 1504 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 2904 wrote to memory of 1504 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 216 wrote to memory of 3656 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 216 wrote to memory of 3656 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 216 wrote to memory of 3656 N/A C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\SysWOW64\unregmp2.exe

C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bpzbku.mp4"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x52c 0x514

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 11fca311bd9eba5d15c773f2cfd93c58
SHA1 ff810438ae7fbd9abfbd239238378f140f376214
SHA256 0a3792c1db6d579d5dab4f381d73d57690990b1100015ed676a4846a57465e17
SHA512 d28c7002d6194a33cd140c26d83f1e6761638c15493769a7bc2118c0bc21a7ec07d660e89e8806bd2b1470a5642807ebb6f82bbd5256b6e3005532b313d1c9db

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 063793e4ba784832026ec8bc3528f7f1
SHA1 687d03823d7ab8954826f753a645426cff3c5db4
SHA256 cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd
SHA512 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

memory/3656-43-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-46-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-45-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-44-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-47-0x00000000066E0000-0x00000000066F0000-memory.dmp

memory/3656-48-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-51-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-50-0x0000000004260000-0x0000000004270000-memory.dmp

memory/3656-49-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-52-0x00000000066C0000-0x00000000066D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 7fe6bfaeb801920c0894824695d37c51
SHA1 e34f327dfb13e5f88a0f733d590b2d0da82e635e
SHA256 9ccc03d26d29c12dd13b2dabf955ec6a8b4e98c97aa8d2246ec815778662e5e0
SHA512 9a7f703b1e99866f421fc540aef049f49fa6f737b0c7f991501ae1c083f6c42b9d80381dc8337100220e8f298484bd58af2c90beb37f3519d447d4cb2942a60f

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 055b9418acb59294f3a848b3af61fe14
SHA1 7b2c21ce214789e9980654e237c97dfbf41893e2
SHA256 ecfc5ff748cb86ff0c6f96c01bfbeadfecc5d3487886844c446d9535b86fe08e
SHA512 b4cb646d139d7cd5861a0dbff820c5cf9ec7e2badb77536af9ef9612978fd4ee788f3ae3d923409ef3f13c32fe9f8436f07f63920c8e35be11596d8345333d84

memory/3656-56-0x0000000006880000-0x0000000006890000-memory.dmp

memory/3656-57-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-58-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-59-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-60-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-61-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-62-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-68-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-67-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-66-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-65-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-64-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-63-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-70-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-71-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-73-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-72-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-69-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-74-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-75-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-76-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-77-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-78-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-79-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-80-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-81-0x0000000006880000-0x0000000006890000-memory.dmp

memory/3656-85-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-86-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-88-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-87-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-90-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-93-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-92-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-91-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-89-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-84-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-83-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-94-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-99-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-98-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-97-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-96-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-95-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-100-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-101-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-102-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-103-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-104-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-105-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-106-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-107-0x0000000006880000-0x0000000006890000-memory.dmp

memory/3656-108-0x0000000008B00000-0x0000000008B10000-memory.dmp

memory/3656-110-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/3656-109-0x0000000008B00000-0x0000000008B10000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-11 11:02

Reported

2024-06-11 11:03

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A