File name: image001.wmz

Full analysis: https://app.any.run/tasks/cf2f01fb-336a-4168-b8d3-d145aa5fc4cb
Verdict: Malicious activity
Analysis date: May 13, 2024, 18:42:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/gzip
File info: gzip compressed data, max speed, from NTFS filesystem (NT), original size modulo 2^32 335620
MD5: 3AFC6DE1BEAF9BCA42795127C1A8E1E3
SHA1: 7936B9C10D67D4D3B26285B566EE6B23D396E02A
SHA256: 77D0A2EFE9E115941BCC00D491D5B65F8BE671E56406F9998BEFCCC58F78B964
SSDEEP: 3072:EI7yeP+EoGXQoTZmyQMe0wwaDI9LX9InIf1Z0Z9:97NOaQolwTVDIFX9IITI9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • wmplayer.exe (PID: 3996)
      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Reads security settings of Internet Explorer

      • wmplayer.exe (PID: 3996)
      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Reads Microsoft Outlook installation path

      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Reads Internet Explorer settings

      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
  • INFO

    • Reads the computer name

      • wmplayer.exe (PID: 3996)
      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmpnscfg.exe (PID: 1664)
      • wmplayer.exe (PID: 1988)
    • Checks supported languages

      • wmplayer.exe (PID: 3996)
      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmpnscfg.exe (PID: 1664)
      • wmplayer.exe (PID: 1988)
    • Create files in a temporary directory

      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Reads Environment values

      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Reads the machine GUID from the registry

      • setup_wm.exe (PID: 4016)
      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Process checks computer location settings

      • setup_wm.exe (PID: 4016)
    • Creates files or folders in the user directory

      • wmplayer.exe (PID: 1024)
      • wmplayer.exe (PID: 1988)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1664)
    • Checks proxy server information

      • wmplayer.exe (PID: 1988)
      • wmplayer.exe (PID: 1024)
No Malware configuration.

TRiD: .z/gz/gzip | GZipped data (100)

EXIF (ZIP)

Compression: Deflated
Flags: (none)
ModifyDate: 0000:00:00 00:00:00
ExtraFlags: Fastest Algorithm
OperatingSystem: NTFS filesystem (NT)
No data.
Total processes: 40
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order of appearance: winrar.exe, wmplayer.exe, setup_wm.exe, unregmp2.exe, unregmp2.exe, wmplayer.exe, wmpnscfg.exe, wmplayer.exe

Process information (fields per process: PID, CMD, Path, Indicators, Parent process)
PID: 1024
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /Relaunch /layout:"C:\Users\admin\AppData\Local\Temp\Rar$DIa3952.6284\image001.wmz"
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732)
Modules (images):
  • c:\program files\windows media player\wmplayer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 1664
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 1988
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /layout:"C:\Users\admin\AppData\Local\Temp\Rar$DIa3952.8032\image001.wmz"
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732)
Modules (images):
  • c:\program files\windows media player\wmplayer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 3952
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\image001.wmz.gz
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
PID: 3996
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /layout:"C:\Users\admin\AppData\Local\Temp\Rar$DIa3952.6284\image001.wmz"
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7601.23517 (win7sp1_ldr.160812-0732)
Modules (images):
  • c:\program files\windows media player\wmplayer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 4016
CMD: "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /layout:"C:\Users\admin\AppData\Local\Temp\Rar$DIa3952.6284\image001.wmz"
Path: C:\Program Files\Windows Media Player\setup_wm.exe
Parent process: wmplayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Configuration Utility
Exit code: 1
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\setup_wm.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 4056
CMD: C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
Path: C:\Windows\System32\unregmp2.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Player Setup Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\unregmp2.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 4088
CMD: "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded
Path: C:\Windows\System32\unregmp2.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Player Setup Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\unregmp2.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 15 300
Read events: 14 825
Write events: 392
Delete events: 83

Modification events (PID, process | registry key | operation | value name | value)

  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
  • (3952) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\image001.wmz.gz
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
  • (3952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 0
Suspicious files: 15
Text files: 21
Unknown types: 0

Dropped files (PID | process | filename | type | hashes; cells left empty in the report are marked as such)

  • 1024 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg | type, MD5 and SHA256 empty in report
  • 1024 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg | type, MD5 and SHA256 empty in report
  • 1024 | wmplayer.exe | C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg | type, MD5 and SHA256 empty in report
  • 3952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3952.6284\image001.wmz | binary | MD5: 9B6D8271D3F545FE0EE75B2D624AEB9C | SHA256: 9707641E590EDC3211085E7C9AF6C41271D2A46AAB70358EB6CEA9417E198EB7
  • 1024 | wmplayer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms | binary | MD5: 3DB3814B65589F1A0E304610C29970D0 | SHA256: 2BB4E260FBA17E0B319EA7263B2E99B31489E5B10283B2BDF0E30FAC326D8045
  • 4056 | unregmp2.exe | C:\Users\admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb | binary | MD5: 3B8E4FAD2454F5CF97B5B401A8369E91 | SHA256: A69C8FB196478BF95A1C0AF91E67F7CFA5E7828DB8D0FEC22F5F47E108A237D5
  • 4088 | unregmp2.exe | C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds | binary | MD5: F6809B11AE0C25DF6C357315DC28F940 | SHA256: 9A63717480D3DE648C9F393C48027385734C6B6790B4E1E8A947C7ECB269317B
  • 1024 | wmplayer.exe | C:\Users\admin\AppData\Local\Temp\wmplog00.sqm | binary | MD5: A9A18FF13701C007251720BD73966CA9 | SHA256: 83A10F115C097D68ED37E66F9B11E3B5D92C3EAE2949ED598C8CE595BF2E8270
  • 1024 | wmplayer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LWZS3HGF27JF4E5MHPXJ.temp | binary | MD5: 3DB3814B65589F1A0E304610C29970D0 | SHA256: 2BB4E260FBA17E0B319EA7263B2E99B31489E5B10283B2BDF0E30FAC326D8045
  • 4016 | setup_wm.exe | C:\Users\admin\AppData\Local\Temp\wmsetup.log | text | MD5: FE03342673E7E0A6C460705F5899C1C7 | SHA256: 7CDC1AD6801F26BF220933A8B468FCC9DADDE464018F3D4445E8C5D9A525505A
HTTP(S) requests: 2
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests (columns in order: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation; cells left empty in the report are omitted)

  • 1024 | wmplayer.exe | GET | 131.253.33.203:80 | http://www.msn.com/sqm/wmp/sqmserver.dll | unknown | unknown
  • 1024 | wmplayer.exe | POST | 301 | 131.253.33.203:80 | http://sqm.msn.com/sqm/wmp/sqmserver.dll | unknown | unknown

Connections (columns in order: PID, Process, IP, Domain, ASN, CN, Reputation; cells left empty in the report are omitted)

  • 4 | System | 192.168.100.255:137 | whitelisted
  • 4 | System | 192.168.100.255:138 | whitelisted
  • 112 | svchost.exe | 239.255.255.250:1900 | unknown
  • 1024 | wmplayer.exe | 131.253.33.203:80 | sqm.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests (domain | resolved IP | reputation)

  • sqm.msn.com | 131.253.33.203 | whitelisted
  • www.msn.com | 131.253.33.203 | whitelisted

Threats (PID | process | class | message)

  • 1024 | wmplayer.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Debug info: none