File name: 1.avi
Full analysis: https://app.any.run/tasks/4505376a-5d7e-4e04-a6bc-94e0b0eb36ac
Verdict: Suspicious activity
Analysis date: December 06, 2019, 22:44:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: video/x-msvideo
File info: RIFF (little-endian) data, AVI, 1280 x 720, 8.00 fps, video:
MD5: 22BF50194F19A4E03CDBC8A679BE81E6
SHA1: 9653F95D6EC29103FBFB9340F9E6E270BE6FD9EE
SHA256: BF6EB8122309A69DBF8ECC8001103FC041BC905499AD5B2466649FA3C701486F
SSDEEP: 12288:am2OVbCHYmDu3pyyyF9XR4bYsvKEaLgagaCgnm2YXJyoOPAwU1VrUlm8BbaMVumc:alOVlrkvF9h4bLi3L/gYnlYXsPA5dUl8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • wmplayer.exe (PID: 3936)
      • vlc.exe (PID: 532)
    • Creates files in the program directory

      • unregmp2.exe (PID: 4092)
    • Executed via COM

      • wmplayer.exe (PID: 836)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.avi | AVI Audio Video Interleaved (50.2)

EXIF

RIFF

FrameRate: 8
MaxDataRate: 71.15 kB/s
FrameCount: 552
StreamCount: 1
ImageWidth: 1280
ImageHeight: 720
StreamType: Video
VideoCodec: x264
VideoFrameRate: 8
VideoFrameCount: 552
Quality: Default
SampleSize: Variable

Composite

Duration: 0:01:09
ImageSize: 1280x720
Megapixels: 0.922
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Graph nodes: start, vlc.exe, wmplayer.exe (no specs), setup_wm.exe (no specs), unregmp2.exe (no specs), unregmp2.exe (no specs), wmplayer.exe (no specs)

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 532
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\Desktop\1.avi"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Parent process: explorer.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Exit code: 0
Version: 2.2.6
Modules (Images):
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 836
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /Play -Embedding
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3456
CMD: "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /Play -Embedding
Path: C:\Program Files\Windows Media Player\setup_wm.exe
Parent process: wmplayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Configuration Utility
Exit code: 1
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\setup_wm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3816
CMD: C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
Path: C:\Windows\system32\unregmp2.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Player Setup Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\unregmp2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3936
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\admin\Desktop\1.avi
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 4092
CMD: "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded
Path: C:\Windows\system32\unregmp2.exe
Parent process: setup_wm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Player Setup Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\unregmp2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 600
Read events: 407
Write events: 192
Delete events: 1

Modification events

(PID) Process: (532) vlc.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: vlc.exe

(PID) Process: (3456) setup_wm.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions
Operation: write
Name: DesktopShortcut
Value: no

(PID) Process: (836) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (836) wmplayer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: MigratedXML
Value: 1

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: Migrating
Value: 1

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: AutoMetadataCurrentDownloadCount
Value: 0

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: AutoMetadataCurrent500ServerErrorCount
Value: 0

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: AutoMetadataCurrent503ServerErrorCount
Value: 0

(PID) Process: (3816) unregmp2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
Operation: write
Name: AutoMetadataCurrentOtherServerErrorCount
Value: 0
Executable files: 0
Suspicious files: 5
Text files: 7
Unknown types: 1

Dropped files

PID | Process | Filename | Type
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCADBF.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE2D.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE2E.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE2F.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE30.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE31.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE32.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAE33.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAEFF.tmp |
532 | vlc.exe | C:\Users\admin\AppData\Local\Temp\VLCAF00.tmp |

The Type, MD5 and SHA256 fields are empty for every dropped-file entry in this report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
sqm.msn.com | | whitelisted

Threats

No threats detected
Process | Message
vlc.exe | core libvlc: one instance mode ENABLED
vlc.exe | core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
vlc.exe | direct3d vout display error: Could not read adapter capabilities. (hr=0x8876086A)
vlc.exe | direct3d vout display error: Direct3D could not be initialized