Windows Analysis Report
camphoto_1144747756.mp4

Overview

General Information

Sample name:	camphoto_1144747756.mp4 (renamed file extension from heic to mp4)
Original sample name:	camphoto_1144747756.heic
Analysis ID:	1432153
MD5:	53adfb8e1b3128a99cccd508fb1832a6
SHA1:	c0b886b84e36c8e792d11283aa91cdce839077e4
SHA256:	0ea08cb0f8c2133f948a5633e30440ebe01039cf685f2a4d5aad9b33599c0f20
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Stores large binary data to the registry

Classification

Signatures

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: z:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: x:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: v:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: t:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: r:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: p:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: n:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: l:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: j:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: h:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: f:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: b:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: y:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: w:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: u:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: s:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: q:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: o:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: m:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: k:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: i:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: g:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: c:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: a:	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Directory queried: number of queries: 1001

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries	Jump to behavior

Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msdt.exe, 00000007.00000002.613272010.000000000024A000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wmplayer.exe, 00000000.00000002.614694076.0000000006010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-15564978&openImage=42-15564978:li
Source: wmplayer.exe, 00000000.00000002.614694076.0000000006010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17066732&openImage=42-17066732XRe
Source: wmplayer.exe, 00000000.00000002.613861620.0000000003D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msdt.exe, 00000007.00000002.613272010.000000000024A000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

PE file does not import any functions

Source: DiagPackage.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.7.dr	Static PE information: No import functions for PE file found

Source: DiagPackage.dll.mui.7.dr	Static PE information: Section .rsrc
Source: DiagPackage.dll.7.dr	Static PE information: Section .rsrc

Source: classification engine

Classification label: clean6.winMP4@15/29@0/0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Media Player\Transcoded Files Cache

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\Microsoft_WMP_70_CheckForOtherInstanceMutex

Source: C:\Windows\SysWOW64\msdt.exe

File created: C:\Users\user\AppData\Local\Temp\msdtadmin

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\user\Desktop\camphoto_1144747756.mp4"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dxva2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: d3d8thk.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rgb9rast.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmerror.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: shsvcs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: bcrypt.dll	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next

Source: C:\Windows\SysWOW64\msdt.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Drops PE files

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache 0

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 1010			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 558			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 1904

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Memory protected: page readonly | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Music\Sample Music\Kalimba.mp3 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Music\Sample Music\Sleep Away.mp3 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Videos\Sample Videos\Wildlife.wmv VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Queries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Directory queried: number of queries: 1001

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: z:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: x:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: v:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: t:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: r:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: p:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: n:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: l:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: j:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: h:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: f:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: b:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: y:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: w:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: u:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: s:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: q:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: o:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: m:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: k:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: i:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: g:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: c:	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: a:	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Directory queried: number of queries: 1001

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries	Jump to behavior

Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msdt.exe, 00000007.00000002.613272010.000000000024A000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wmplayer.exe, 00000000.00000002.614694076.0000000006010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-15564978&openImage=42-15564978:li
Source: wmplayer.exe, 00000000.00000002.614694076.0000000006010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17066732&openImage=42-17066732XRe
Source: wmplayer.exe, 00000000.00000002.613861620.0000000003D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msdt.exe, 00000007.00000002.613272010.000000000024A000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: msdt.exe, 00000007.00000002.613272010.0000000000277000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.613700952.0000000002660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

PE file does not import any functions

Source: DiagPackage.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.7.dr	Static PE information: No import functions for PE file found

Source: DiagPackage.dll.mui.7.dr	Static PE information: Section .rsrc
Source: DiagPackage.dll.7.dr	Static PE information: Section .rsrc

Source: classification engine

Classification label: clean6.winMP4@15/29@0/0

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Media Player\Transcoded Files Cache

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\Microsoft_WMP_70_CheckForOtherInstanceMutex

Source: C:\Windows\SysWOW64\msdt.exe

File created: C:\Users\user\AppData\Local\Temp\msdtadmin

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\user\Desktop\camphoto_1144747756.mp4"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dxva2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: d3d8thk.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rgb9rast.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmerror.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: shsvcs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: bcrypt.dll	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next

Source: C:\Windows\SysWOW64\msdt.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Drops PE files

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache 0

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 1010			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 558			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe TID: 1904

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries	Jump to behavior

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Memory protected: page readonly | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\System32\msdt.exe" -id WindowsMediaPlayerLibraryDiagnostic	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Program Files (x86)\Windows Media Player\wmplayer.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Music\Sample Music\Kalimba.mp3 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Music\Sample Music\Sleep Away.mp3 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\Users\Public\Videos\Sample Videos\Wildlife.wmv VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Queries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Directory queried: number of queries: 1001

ID:	1432153
Product:	CloudBasic
Start time:	15:48:20
Start date:	26.04.2024
Sample:	camphoto_1144747756.heic
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	53adfb8e1b3128a99cccd508fb1832a6
SHA1:	c0b886b84e36c8e792d11283aa91cdce839077e4
SHA256:	0ea08cb0f8c2133f948a5633e30440ebe01039cf685f2a4d5aad9b33599c0f20
Filetype:	Generic MP4 container (3007/2) 74.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{0879FDF1-3C18-4895-B405-9D2102018F3D}.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 200x200, components 3	35E787587CD3FA8ED360036C9FCA3DF2	84C76A25C6FE336F6559C033917A4C327279886D	98C49A68EE578E10947209EBC17C0AD188ED39C7D0C91A2B505F317259C0C9B2
C:\Users\user\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{24E563B7-38E3-45A3-91E3-C6DAE51EA1CD}.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 200x200, components 3	FD5FD28E41676618AAC733B243AD54DB	B2D69AD6A2E22C30EF1806AC4F990790C3B44763	A26544648EF8CEFFAD6C789A3677031BE3C515918627D7C8F8E0587D3033C431
C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb	data	3A7C2A950EC0D56853CFFDF047F7DB99	E19AD6C94F4A8275419E3FB5A04FDE29C7D21B4B	0A6CC1E3A4A8FB848AAB33EE311B64DDE0D2BA21678ADA54B566119A6D0C3478
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\01_Music_auto_rated_at_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	159E63275630EC4C9747B664BD063938	BE4E32D7D022C3E3277E1ED65A21BEBCF787CE3F	D54745665432625A904636E7675612C85026DA07E68F4E9D8DACBE98E5DEE844
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\02_Music_added_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	907BFC98CE854AE312127C952D8BE0F2	02DEFE8C5F9CC85742E45BA55E4FCFE326FD960C	C475DC7423C2AD60F25ADAAC754CD8B68B57FF04F26ECEF78F3E5961B986A324
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\03_Music_rated_at_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	6D791B697AF46D6777182AF7F18C2955	D73E8B5F4EE646C1C4AB6D23F3CB3394CB833CA8	4825EB90140F6B2F4F7ED0DF66B24E10FF5D0DA70AF53EA495FD30B3AA791870
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\04_Music_played_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	F8D3A4CACF055F5EC5C62218EA50D290	974474CE3FE345D8015863BD6EA7242BA118532B	201F2170812CF8041964C4D3C5EF539D96ADEBA6A68B69ECAED0AFFE3AE8E25F
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\05_Pictures_taken_in_the_last_month.wpl	HTML document, ASCII text, with CRLF line terminators	821D2BE672F05514127C117CEF460C6E	1C75F314E7658A3DCDCAD315E301F2BAE6D47B31	3ABDB6CBD88AD1557054ECE3F10DD1A8494ED32F423B3CF8321B18DECC489474
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\06_Pictures_rated_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	0A8A40CA87323DC16893194B00C7FE77	B88A42A85053E0A7483E331B66BA5A40A6290E10	9AA433BED2E090CC6904F1C24D5A7B5A1ED6D8F71A997E661B886C69383FD53E
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\07_TV_recorded_in_the_last_week.wpl	HTML document, ASCII text, with CRLF line terminators	B9987B1F9DF6D0AFC01558B907E62A16	EF202D5D6F90B37C71CB757F3BABB0857CE54D86	0892EFDB8459D81D4C5E1085239734D9910B9C6A1DEBD7189CF385141F0B19D1
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\08_Video_rated_at_4_or_5_stars.wpl	HTML document, ASCII text, with CRLF line terminators	A3787A42B81FCE0E448976AD158EDD93	45FF275C0C32EAB1F0B56E8B61E8EAD18CFD1675	94BC17AC59BDE92FBCA00FCC69AED68FCBFE2C1754DD45F4810765F5FDF774FF
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\09_Music_played_the_most.wpl	HTML document, ASCII text, with CRLF line terminators	467E71AA2FD951EB0A1AF3D6BB8378E8	FB654C0B2663D4FA5FD0F1658097D936DD0429ED	A54BC2CAD63CED4FD9FF2A3A094A26E264E8A5CE8139193896D13236F494E2EE
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\10_All_Music.wpl	HTML document, ASCII text, with CRLF line terminators	51AEED11707741118E0706C1259DF22E	6434E915B018C6D15898FE0A4D006BBE3E1EDB60	EC286113E5AD77AC34063589A137A6DC4B4CAB8845CD9C5386519983FA3B48F0
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\11_All_Pictures.wpl	HTML document, ASCII text, with CRLF line terminators	74294EF495559ED32731F19096D70312	FDC6CC849270016D2A382D7D0DAABF44A4556CD9	DB34D82F2CD23E6E55A64E12D2A0A9C27AC2DED156483238F22A336CA6825110
C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000064AB\12_All_Video.wpl	HTML document, ASCII text, with CRLF line terminators	372D0BEEBEA5460409A6A1C53AC52A18	1B5A925E00F9A4CC3A18FEB8F74A2E39EF11EEB6	5B8B62B35E5DD8A46CCCCAF3FC3743BE9E0965D24CBCD20DA2681065EEB37EF3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms (copy)	Matlab v4 mat-file (little endian) \253\373\277\272\002, sparse, rows 2, columns 0, imaginary	27061A1D3ED763264A0F8EB2CF853FB0	3CF4F319A438FE79767709225336755A7A572069	CA6329D303CD205DEA872C9A82B531EA4FA7AE0CD2B081CF5261024DE1C73962
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PC1JEWHXE4X3LXR54OYW.temp	Matlab v4 mat-file (little endian) \253\373\277\272\002, sparse, rows 2, columns 0, imaginary	27061A1D3ED763264A0F8EB2CF853FB0	3CF4F319A438FE79767709225336755A7A572069	CA6329D303CD205DEA872C9A82B531EA4FA7AE0CD2B081CF5261024DE1C73962
C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 75x75, components 3	911063B40C2A86275F58C856F1689B15	268BB30DC0790E3534B29ECA157B1547A01E956A	B81FC7D07B8008CE85FAB4947227A0115BFFFDB02F62366C36EA54551C0FEF35
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 200x200, components 3	84BBA83CFBC0233517407678BB842686	1C617DE788DE380D28C52DC733AD580C3745A1C1	6ECF98ADB3CD0931EC803F3A56A9563C7D60BB86EC1886B21E3D0F7EB25198D9
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 75x75, components 3	E29D6B28A6F50FFE9D93635457874773	D78303A13033528A467DBCA90581D5FA6FD9EBCD	2A9D62271A367C7E0FF582CF131007AC5B9F773077A53D48B4D782F6B23A9A4E
C:\Users\Public\Music\Sample Music\Folder.jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 200x200, components 3	FD5FD28E41676618AAC733B243AD54DB	B2D69AD6A2E22C30EF1806AC4F990790C3B44763	A26544648EF8CEFFAD6C789A3677031BE3C515918627D7C8F8E0587D3033C431
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.diagpkg	HTML document, ASCII text, with CRLF line terminators	0AB8039AFB5058F3F2158C1C97D79E10	E11FC9DBD2B88568B7E1A11BB997C532BF3877C8	47A57948609B63C2C608AF4F4DE11340EFAA83B189CE1E50DB36798F692B0DFC
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\DiagPackage.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	4EC402B80561606E4C6C7E2E2D755231	63ABFDE34AC4AC4F6E53E213FA89DB0F410F31B5	1CBBB7F24D26854CE57D773E864030C20E8C586E78B6DED8A45DC6D6CD124897
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\RS_MediaLibCorrupted.ps1	ISO-8859 text, with CRLF line terminators	96DA911A4ABF02D24973BF51A2E6E8E2	12FDE6151F78D3DA633B8B01D9A1667BA7F8E2F4	45DBCC2FDF8FBB9E0A534B57D88A8F6B876B711FF4D5D45CF887DD002251A7C4
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\TS_IsWMPUnavailable.ps1	ISO-8859 text, with CRLF line terminators	32476DD258E2B285F69619B098A35C29	481C9539574697E469872CF4C97E9753AA03CB46	CBB4796369459CE8F9C73D9B3B5CC90FE054A272B270DB9C596B9AA58980ECEA
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\TS_WindowsMediaPlayer.ps1	ISO-8859 text, with CRLF line terminators	EF4153F66CEC33C79C410E071630F34C	F0707F55DA1D7E4255D647814390809076D0630D	246F859EFE02CA3889F08C8BA9C8C0950D4841C036CD22019810391E58ACB584
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\CL_LocalizationData.psd1	Unicode text, UTF-16, little-endian text, with CRLF line terminators	716BC9226380E01F8C4AEF9B96914067	5CCC638E2B8EE8869589FEA3F313A9F3AA69E84B	BD4291A0956703ECC23FC0DFB7915251EF722F1370376DB8C382CAB7E357BB88
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\en-US\DiagPackage.dll.mui	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	2184A912F2813C0D568E6D06B61B270E	4012151066E9BC76511E99FB3974D58EAA713804	DB05416B2AE312469D562358748CC08D9E1ACD17B7822EC49FCC7CFB60895CCB
C:\Windows\Temp\SDIAG_57d12060-20b6-45ab-a73b-de5201e22bf7\result\results.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	310E1DA2344BA6CA96666FB639840EA9	E8694EDF9EE68782AA1DE05470B884CC1A0E1DED	67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C

Windows Analysis Report
camphoto_1144747756.mp4

Overview

General Information

Detection

Signatures

Classification

Signatures

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report camphoto_1144747756.mp4

Overview

General Information

Detection

Signatures

Classification

Signatures

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
camphoto_1144747756.mp4