File name:

wmp11-windowsxp-x86-ru-ru.exe

Full analysis: https://app.any.run/tasks/3cc00489-b366-4aec-8df3-0e9489b64da7
Verdict: Malicious activity
Analysis date: September 08, 2024, 20:54:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MS CAB-Installer self-extracting archive
MD5:

9686D824005E5FB01ACE30D4F48ABA32

SHA1:

02F8AA3580DCB163B3E6E5ED7A6B019132AAF76A

SHA256:

E92E2927991B804585612B91D37E01A4167C461BE71DF85689E8C2C35566AF48

SSDEEP:

196608:ZfP8ZyRijc0xTFNKe0p9yJEws9QLQpgTpnP/cF5pSq9IHREA:ZP8fc0xJNDSU4WLIXPkquiA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)

    • Starts a Microsoft application from unusual location

      • setup_wm.exe (PID: 7152)

    • Executable content was dropped or overwritten

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)

  • INFO

    • Checks supported languages

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)

    • Create files in a temporary directory

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)

    • Reads the computer name

      • wmp11-windowsxp-x86-ru-ru.exe (PID: 4784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:06:06 20:43:56+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
PEType: PE32
LinkerVersion: 5.12
CodeSize: 34816
InitializedDataSize: 25730560
UninitializedDataSize: -
EntryPoint: 0x2891
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.50.4134.600
ProductVersionNumber: 5.50.4134.600
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Корпорация Майкрософт (Microsoft Corp.)
FileDescription: Windows Media Component Setup Application
FileVersion: 11.0.5721.5262
InternalName: Wextract
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE
ProductName: Windows Media Component Setup Application
ProductVersion: 11.0.5721.5262
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
114
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wmp11-windowsxp-x86-ru-ru.exe setup_wm.exe no specs wmp11-windowsxp-x86-ru-ru.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4784"C:\Users\admin\Desktop\wmp11-windowsxp-x86-ru-ru.exe" C:\Users\admin\Desktop\wmp11-windowsxp-x86-ru-ru.exe
explorer.exe
User:
admin
Company:
Корпорация Майкрософт (Microsoft Corp.)
Integrity Level:
HIGH
Description:
Windows Media Component Setup Application
Version:
11.0.5721.5262
Modules
Images
c:\users\admin\desktop\wmp11-windowsxp-x86-ru-ru.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6784"C:\Users\admin\Desktop\wmp11-windowsxp-x86-ru-ru.exe" C:\Users\admin\Desktop\wmp11-windowsxp-x86-ru-ru.exeexplorer.exe
User:
admin
Company:
Корпорация Майкрософт (Microsoft Corp.)
Integrity Level:
MEDIUM
Description:
Windows Media Component Setup Application
Exit code:
3221226540
Version:
11.0.5721.5262
Modules
Images
c:\users\admin\desktop\wmp11-windowsxp-x86-ru-ru.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7152C:\Users\admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe /P:C:\Users\admin\Desktop\wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exewmp11-windowsxp-x86-ru-ru.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Программа настройки Windows Media (Microsoft)
Version:
11.0.5721.5262 (WMP_11.090130-1421)
Total events
25
Read events
24
Write events
1
Delete events
0

Modification events

(PID) Process:(4784) wmp11-windowsxp-x86-ru-ru.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:wextract_cleanup0
Value:
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
Executable files
8
Suspicious files
4
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\eula.txttext
MD5:D8C189AD0667D6A075E535800DDFF563
SHA256:A387182417DA64045DB2F976F106F6A393834B0C6EDE3B4574395DCF91B99446
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Revert.wmzcompressed
MD5:817DF0E5533A31EED3804BA4D77B6025
SHA256:CA7F1428EBF4DB0E1DFCE209194FAA518A9617CD9872F4593D422F9ABE4F9C34
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\control.xmltext
MD5:23AEBAB6537B3A9F67167DFD1E3D202B
SHA256:33E95686F4C71C2475F9F96FDA8482AF5CA41E7C00153D4740745794AFD8B7EE
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exeexecutable
MD5:8AA27121F720C8FD50161EF309EEAECB
SHA256:3A4C05DB04AF591C9964155F4C1F5FD29E6CC66D033F8CD9277B12D8CC44AA73
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\KB925749.cabcompressed
MD5:C3FCB611528510EFD9D3BD36F1A08E9C
SHA256:945BA71E1E48ACC4930076C1BA27F8040646348A2747C214603456A8A72A8B1B
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\mymusic.infbinary
MD5:4F9899CAE873564A31B1A584D440DDF0
SHA256:26652F87F852C11E09D3DCC52257D5F406828F87AA00514D2B6794817C57880D
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\LegitLibM.dllexecutable
MD5:A7CA4A6D185815C9D7A1E510061DCF8E
SHA256:A559272E5DA242DD740B26DC7988B77E10930BEBD61C0FE17FF053A903011732
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\syncpl09.wplhtml
MD5:DB7257D79C254A68D68B90BD1CA5477E
SHA256:D9A26B71C23F0BC470062DB097EF1F29A23208E7FEF04068EF2C0FE8AB10CC43
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\syncpl06.wplhtml
MD5:8B2B2F1AC3CF1F822FCE5E4F8391F9E1
SHA256:4D6BBEB4311A84C37F644D29BABED5F07FC0A2D5CA1647D1999712628F945045
4784wmp11-windowsxp-x86-ru-ru.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\syncpl05.wplhtml
MD5:15E0917DC08763F2A0B57E132C39A1E9
SHA256:9CDA018770CE911B56A42EB5DF9DA27D7A41C0DB3BA0BA4BEBA235B8456EE381
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2400
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2400
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wmp11-windowsxp-x86-ru-ru.exe