PUA.Win32.CPInstall.A

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following folders:

• %Common Programs%\Media Player - Codec Pack
• %System%\Codecs
• %User Temp%\MPCP_FS_files
• %User Temp%\ns{Random Characters}.tmp

(Note: %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following component file(s):

• %Common Programs%\Media Player - Codec Pack\Codec Settings (Run as administrator).lnk
• %Common Programs%\Media Player - Codec Pack\Codec Settings.lnk
• %Common Programs%\Media Player - Codec Pack\Media Player Classic.lnk
• %Common Programs%\Media Player - Codec Pack\Package Homepage.url
• %Common Programs%\Media Player - Codec Pack\Uninstall.lnk
• %Common Startup%\CodecPackTrayMenu.lnk
• %System%\Codecs\AC3Lib.dll.new → renamed to AC3Lib.dll
• %System%\Codecs\AppDialog.exe.new → renamed to AppDialog.exe
• %System%\Codecs\AudioProfiler.exe.new → renamed to AudioProfiler.exe
• %System%\Codecs\CleanUp.exe.new → renamed to CleanUp.exe
• %System%\Codecs\CleanUp_x64.exe.new → renamed to CleanUp_x64.exe
• %System%\Codecs\CodecSettings.exe.new → renamed to CodecSettings.exe
• %System%\Codecs\CodecSettingsADMIN.exe.new → renamed to CodecSettingsADMIN.exe
• %System%\Codecs\CodecUACManager.exe.new → renamed to CodecUACManager.exe
• %System%\Codecs\Compressor.dll.new → renamed to Compressor.dll
• %System%\Codecs\Config.exe.new → renamed to Config.exe
• %System%\Codecs\D3DCompiler_47.dll
• %System%\Codecs\D3DX9_43.dll
• %System%\Codecs\DisableUpdateChecker.exe.new → renamed to DisableUpdateChecker.exe
• %System%\Codecs\LAVFilters\IntelQuickSyncDecoder.dll.new → renamed to IntelQuickSyncDecoder.dll
• %System%\Codecs\LAVFilters\LAVAudio.ax.new → renamed to LAVAudio.ax
• %System%\Codecs\LAVFilters\LAVFilters.Dependencies.manifest.new → renamed to LAVFilters.Dependencies.manifest
• %System%\Codecs\LAVFilters\LAVSplitter.ax.new → renamed to LAVSplitter.ax
• %System%\Codecs\LAVFilters\LAVVideo.ax.new → renamed to LAVVideo.ax
• %System%\Codecs\LAVFilters\avcodec-lav-58.dll.new → renamed to avcodec-lav-58.dll
• %System%\Codecs\LAVFilters\avfilter-lav-7.dll.new → renamed to avfilter-lav-7.dll
• %System%\Codecs\LAVFilters\avformat-lav-58.dll.new → renamed to avformat-lav-58.dll
• %System%\Codecs\LAVFilters\avresample-lav-4.dll.new → renamed to avresample-lav-4.dll
• %System%\Codecs\LAVFilters\avutil-lav-56.dll.new → renamed to avutil-lav-56.dll
• %System%\Codecs\LAVFilters\libbluray.dll.new → renamed to libbluray.dll
• %System%\Codecs\LAVFilters\swscale-lav-5.dll.new → renamed to swscale-lav-5.dll
• %System%\Codecs\Lang\mpcresources.ar.dll
• %System%\Codecs\Lang\mpcresources.be.dll
• %System%\Codecs\Lang\mpcresources.bn.dll
• %System%\Codecs\Lang\mpcresources.bs_BA.dll
• %System%\Codecs\Lang\mpcresources.ca.dll
• %System%\Codecs\Lang\mpcresources.cs.dll
• %System%\Codecs\Lang\mpcresources.da.dll
• %System%\Codecs\Lang\mpcresources.de.dll
• %System%\Codecs\Lang\mpcresources.el.dll
• %System%\Codecs\Lang\mpcresources.en_GB.dll
• %System%\Codecs\Lang\mpcresources.es.dll
• %System%\Codecs\Lang\mpcresources.eu.dll
• %System%\Codecs\Lang\mpcresources.fi.dll
• %System%\Codecs\Lang\mpcresources.fr.dll
• %System%\Codecs\Lang\mpcresources.gl.dll
• %System%\Codecs\Lang\mpcresources.he.dll
• %System%\Codecs\Lang\mpcresources.hr.dll
• %System%\Codecs\Lang\mpcresources.hu.dll
• %System%\Codecs\Lang\mpcresources.hy.dll
• %System%\Codecs\Lang\mpcresources.id.dll
• %System%\Codecs\Lang\mpcresources.it.dll
• %System%\Codecs\Lang\mpcresources.ja.dll
• %System%\Codecs\Lang\mpcresources.ko.dll
• %System%\Codecs\Lang\mpcresources.lt.dll
• %System%\Codecs\Lang\mpcresources.ms_MY.dll
• %System%\Codecs\Lang\mpcresources.nl.dll
• %System%\Codecs\Lang\mpcresources.pa.dll
• %System%\Codecs\Lang\mpcresources.pl.dll
• %System%\Codecs\Lang\mpcresources.pt_BR.dll
• %System%\Codecs\Lang\mpcresources.pt_PT.dll
• %System%\Codecs\Lang\mpcresources.ro.dll
• %System%\Codecs\Lang\mpcresources.ru.dll
• %System%\Codecs\Lang\mpcresources.sk.dll
• %System%\Codecs\Lang\mpcresources.sl.dll
• %System%\Codecs\Lang\mpcresources.sr.dll
• %System%\Codecs\Lang\mpcresources.sv.dll
• %System%\Codecs\Lang\mpcresources.th_TH.dll
• %System%\Codecs\Lang\mpcresources.tr.dll
• %System%\Codecs\Lang\mpcresources.tt.dll
• %System%\Codecs\Lang\mpcresources.uk.dll
• %System%\Codecs\Lang\mpcresources.vi.dll
• %System%\Codecs\Lang\mpcresources.zh_CN.dll
• %System%\Codecs\Lang\mpcresources.zh_TW.dll
• %System%\Codecs\MPCP.ico
• %System%\Codecs\NotifyDisplayChange.exe.new → renamed to NotifyDisplayChange.exe
• %System%\Codecs\ReClock.dll.new → renamed to ReClock.dll
• %System%\Codecs\ReClockDS.dll.new → renamed to ReClockDS.dll
• %System%\Codecs\ReClockHelper.dll.new → renamed to ReClockHelper.dll
• %System%\Codecs\Resampler.dll.new → renamed to Resampler.dll
• %System%\Codecs\RunEvent.SetDisplayFrequency.sample.vbs.new → renamed to RunEvent.SetDisplayFrequency.sample.vbs
• %System%\Codecs\RunEvent.sample.vbs.new → renamed to RunEvent.sample.vbs
• %System%\Codecs\SetACL.exe
• %System%\Codecs\Shaders\"0-255 to 16-235.hlsl"
• %System%\Codecs\Shaders\"16-235 to 0-255 [SD].hlsl"
• %System%\Codecs\Shaders\"16-235 to 0-255.hlsl"
• %System%\Codecs\Shaders\"Adaptive sharpen.hlsl"
• %System%\Codecs\Shaders\"BT.601 to BT.709 [HD].hlsl"
• %System%\Codecs\Shaders\"Deinterlace (blend).hlsl"
• %System%\Codecs\Shaders\"Edge sharpen.hlsl"
• %System%\Codecs\Shaders\"LCD angle correction.hlsl"
• %System%\Codecs\Shaders\"Sharpen complex 2.hlsl"
• %System%\Codecs\Shaders\"Sharpen complex.hlsl"
• %System%\Codecs\Shaders\"YV12 chroma upsampling.hlsl"
• %System%\Codecs\Shaders\Denoise.hlsl
• %System%\Codecs\Shaders\Grayscale.hlsl
• %System%\Codecs\Shaders\Invert.hlsl
• %System%\Codecs\Shaders\Letterbox.hlsl
• %System%\Codecs\Shaders\LumaSharpen.hlsl
• %System%\Codecs\Shaders\Nightvision.hlsl
• %System%\Codecs\Shaders\Procamp.hlsl
• %System%\Codecs\Shaders\Sepia.hlsl
• %System%\Codecs\Shaders\Sharpen.hlsl
• %System%\Codecs\Shaders\Threshold.hlsl
• %System%\Codecs\Timestretch.dll.new → renamed to Timestretch.dll
• %System%\Codecs\TrayMenu.exe.new → renamed to TrayMenu.exe
• %System%\Codecs\Uninst.exe
• %System%\Codecs\Uninst.exe.new → renamed to Uninst.exe
• %System%\Codecs\UpdateChecker.exe.new → renamed to UpdateChecker.exe
• %System%\Codecs\mpc-hc.exe
• %System%\Codecs\mpciconlib.dll
• %System%\DCBassSourceMod.ax.new → renamed to DCBassSourceMod.ax
• %System%\DSDOUT_VIDEO.bmp.new → renamed to DSDOUT_VIDEO.bmp
• %System%\DSDProcessUnit.dll.new → renamed to DSDProcessUnit.dll
• %System%\DSDSourceFilter.ax.new → renamed to DSDSourceFilter.ax
• %System%\DSDToPCMFilter.ax.new → renamed to DSDToPCMFilter.ax
• %System%\DSDVideoOutFilter.ax.new → renamed to DSDVideoOutFilter.ax
• %System%\DiscHandler.exe.new → renamed to DiscHandler.exe
• %System%\DivXa32.acm.new → renamed to DivXa32.acm
• %System%\FLWindowsVistaAPI.dll.new → renamed to FLWindowsVistaAPI.dll
• %System%\Formats.ini.new → renamed to Formats.ini
• %System%\IcarosCache.dll
• %System%\IcarosCache.dll.new → renamed to IcarosCache.dll
• %System%\IcarosConfig.exe.new → renamed to IcarosConfig.exe
• %System%\IcarosPropertyHandler.dll
• %System%\IcarosPropertyHandler.dll.new → renamed to IcarosPropertyHandler.dll
• %System%\IcarosThumbnailProvider.dll
• %System%\IcarosThumbnailProvider.dll.new → renamed to IcarosThumbnailProvider.dll
• %System%\IcarosUICore.dll.new → renamed to IcarosUICore.dll
• %System%\IntelQuickSyncDecoder.dll.new → renamed to IntelQuickSyncDecoder.dll
• %System%\LAVAudio.ax.new → renamed to LAVAudio.ax
• %System%\LAVFilters.Dependencies.manifest.new → renamed to LAVFilters.Dependencies.manifest.dll
• %System%\LAVSplitter.ax.new → renamed to LAVSplitter.ax
• %System%\LAVVideo.ax.new → renamed to LAVVideo.ax
• %System%\Lagarith.dll.new → renamed to Lagarith.dll
• %System%\OptimFROG.dll.new → renamed to OptimFROG.dll
• %System%\PCMOUT_VIDEO_1644.bmp.new → renamed to PCMOUT_VIDEO_1644.bmp
• %System%\PCMOUT_VIDEO_2496.bmp.new → renamed to PCMOUT_VIDEO_2496.bmp
• %System%\TomsMoComp_ff.dll.new → renamed to TomsMoComp_ff.dll
• %System%\VSFilter.dll.new → renamed to VSFilter.dll
• %System%\VzCs.dll.new → renamed to VzCs.dll
• %System%\VzCsDsAudioDevice.vzcs.classinfo.new → VzCsDsAudioDevice.vzcs.classinfo
• %System%\VzCsDsAudioDevice.vzcs.new → renamed to VzCsDsAudioDevice.vzcs
• %System%\avcodec-ics-58.dll
• %System%\avcodec-ics-58.dll.new → renamed to avcodec-ics-58.dll
• %System%\avcodec-lav-58.dll.new → renamed to avcodec-lav-58.dll
• %System%\avfilter-lav-7.dll.new → renamed to avfilter-lav-7.dll
• %System%\avformat-ics-58.dll
• %System%\avformat-ics-58.dll.new → renamed to avformat-ics-58.dll
• %System%\avformat-lav-58.dll.new → renamed to avformat-lav-58.dll
• %System%\avi.dll.new → renamed to avi.dll
• %System%\avi.x64.dll.new → renamed to avi.x64.dll
• %System%\avresample-lav-4.dll.new → renamed to avresample-lav-4.dll
• %System%\avs.dll.new → renamed to avs.dll
• %System%\avss.dll.new → renamed to avss.dll
• %System%\avutil-ics-56.dll
• %System%\avutil-ics-56.dll.new → renamed to avutil-ics-56.dll
• %System%\avutil-lav-56.dll.new → renamed to avutil-lav-56.dll
• %System%\bass.dll.new → renamed to bass.dll
• %System%\bass_aac.dll.new → renamed to bass_aac.dll
• %System%\bass_alac.dll.new → renamed to bass_alac.dll
• %System%\bass_ape.dll.new → renamed to bass_ape.dll
• %System%\bass_mpc.dll.new → renamed to bass_mpc.dll
• %System%\bass_ofr.dll.new → renamed to bass_ofr.dll
• %System%\bass_tak.dll.new → renamed to bass_tak.dll
• %System%\bass_tta.dll.new → renamed to bass_tta.dll
• %System%\basscd.dll.new → renamed to basscd.dll
• %System%\bassflac.dll.new → renamed to bassflac.dll
• %System%\bassopus.dll.new → renamed to bassopus.dll
• %System%\basswv.dll.new → renamed to basswv.dll
• %System%\cdxareader.ax.new → renamed to cdxareader.ax
• %System%\cue2xml.js.new → renamed to cue2xml.js
• %System%\dsmux.exe.new → renamed to dsmux.exe
• %System%\dsmux.x64.exe.new → renamed to dsmux.x64.exe
• %System%\dxr.dll.new → renamed to dxr.dll
• %System%\dxr.x64.dll.new → renamed to dxr.x64.dll
• %System%\ff_kernelDeint.dll.new → renamed to ff_kernelDeint.dll
• %System%\ff_liba52.dll.new → renamed to ff_liba52.dll
• %System%\ff_libdts.dll.new → renamed to ff_libdts.dll
• %System%\ff_libfaad2.dll.new → renamed to ff_libfaad2.dll
• %System%\ff_libmad.dll.new → renamed to ff_libmad.dll
• %System%\ff_samplerate.dll.new → renamed to ff_samplerate.dll
• %System%\ff_unrar.dll.new → renamed to ff_unrar.dll
• %System%\ff_wmv9.dll.new → renamed to ff_wmv9.dll
• %System%\ffdshow.ax.new → renamed to ffdshow.ax
• %System%\ffmpeg.dll.new → renamed to ffmpeg.dll
• %System%\gdsmux.exe.new → renamed to gdsmux.exe
• %System%\gdsmux.x64.exe.new → renamed to gdsmux.x64.exe
• %System%\libFLAC.dll.new → renamed to libFLAC.dll
• %System%\libbluray.dll.new → renamed to libbluray.dll
• %System%\libmmd.dll.new → renamed to libmmd.dll
• %System%\libmpeg2_ff.dll.new → renamed to libmpeg2_ff.dll
• %System%\madFlac.ax.new → renamed to madFlac.ax
• %System%\mkunicode.dll.new → renamed to mkunicode.dll
• %System%\mkunicode.x64.dll.new → renamed to mkunicode.x64.dll
• %System%\mkv2vfr.exe.new → renamed to mkv2vfr.exe
• %System%\mkv2vfr.x64.exe.new → renamed to mkv2vfr.x64.exe
• %System%\mkx.dll.new → renamed to mkx.dll
• %System%\mkx.x64.dll.new → renamed to mkx.x64.dll
• %System%\mkzlib.dll.new → renamed to mkzlib.dll
• %System%\mkzlib.x64.dll.new → renamed to mkzlib.x64.dll
• %System%\mp4.dll.new → renamed to mp4.dll
• %System%\mp4.x64.dll.new → renamed to mp4.x64.dll
• %System%\msvcp71.dll
• %System%\msvcp80.dll
• %System%\msvcr71.dll
• %System%\msvcr80.dll
• %System%\ogm.dll.new → renamed to ogm.dll
• %System%\ogm.x64.dll.new → renamed to ogm.x64.dll
• %System%\splitter.ax.new → renamed to splitter.ax
• %System%\splitter.x64.ax.new → renamed to splitter.x64.ax
• %System%\swscale-ics-5.dll
• %System%\swscale-ics-5.dll.new → renamed to swscale-ics-5.dll
• %System%\swscale-lav-5.dll.new → renamed to swscale-lav-5.dll
• %System%\tak_deco_lib.dll.new → renamed to tak_deco_lib.dll
• %System%\ts.dll.new → renamed to ts.dll
• %System%\ts.x64.dll.new → renamed to ts.x64.dll
• %System%\x264vfw.dll.new → renamed to x264vfw.dll
• %System%\xvidcore.dll.new → renamed to xvidcore.dll
• %System%\xvidvfw.dll.new → renamed to xvidvfw.dll
• %User Temp%\ns{random}.tmp
• %User Temp%\ns{random}.tmp\UserInfo.dll
• %User Temp%\ns{random}.tmp\System.dll
• %User Temp%\ns{random}.tmp\easy.ini
• %User Temp%\ns{random}.tmp\video.ini
• %User Temp%\ns{random}.tmp\video_hardware.ini
• %User Temp%\ns{random}.tmp\audio.ini
• %User Temp%\ns{random}.tmp\InstallOptions.dll
• %System Root%\unstart.ini → added after uninstallation process

(Note: %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following processes:

• %System%\Codecs\TrayMenu.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Potentially Unwanted Application creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Codec Pack Update Checker = %System%\Codecs\UpdateChecker.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Codec Settings UAC Manager = %System%\Codecs\CodecUACManager.exe

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Media Foundation\ByteStreamHandlers\.m4a
{271C3902-6095-4c45-A22F-20091816EE9E}_disabled = MPEG4 Byte Stream Handler

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31435641-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31435657-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31637661-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{34363248-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{34363268-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{44495658-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{5634504D-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{58564944-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{64697678-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{7634706D-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{78766964-0000-0010-8000-00AA00389B71} = {SID}

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
Description = "DivX Audio Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
Driver = DivXa32.acm

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
FriendlyName = "DivX Audio Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
Description = "Lagarith lossless codec [LAGS]"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
Driver = lagarith.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
FriendlyName = "Lagarith lossless codec [LAGS]"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
Description = "x264 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
Driver = x264vfw.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
FriendlyName = "x264 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
Description = "XviD 1.3.7 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
Driver = xvidvfw.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
FriendlyName = "XviD 1.3.7 Video Codec"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ogmfile\shellex\PropertySheetHandlers\
HaaliMediaSplitter

Propagation

This Potentially Unwanted Application does not have any propagation routine.

Backdoor Routine

This Potentially Unwanted Application does not have any backdoor routine.

Rootkit Capabilities

This Potentially Unwanted Application does not have rootkit capabilities.

Other Details

This Potentially Unwanted Application adds the following registry entries to add an uninstall option to the Control Panel:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayIcon = %System%\Codecs\.\MPCP.ico,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayName = Media Player Codec Pack 4.5.7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayVersion = 4.5.7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
UninstallString = %System%\Codecs\Uninst.exe

It adds the following registry keys:

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Gabest (Contains configuration for Gabest VSFilter used for processing subtitles)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow and ffdshow64} (Contains configuration for ffdshow used for encoding and decoding different video formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow_audio and ffdshow64_audio} (Contains configuration for ffdshow used for encoding and decoding audio formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow_dxva and ffdshow64_dxva} (Contains configuration for ffdshow_dxva used for encoding and decoding DXVA video formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\LAV (Contains configuration for LAV used for encoding and decoding different media formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
MediaPlayer (Contains configuration for Windows Media Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
Multimedia\WMPlayer (Contains configuration for Windows Media Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\3dtv.at\
Stereoscopic Player (Contains configuration for Stereoscopic Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\NVIDIA Corporation\
NVIDIA 3D Vision Video Player (Contains configuration for NVIDIA 3D Vision Video Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\MPC-HC\
MPC-HC (Contains configuration for MPC-HC Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Sony Corporation\
DSD Playback DirectShow Filters (Contains configuration for DSD Playback DirectShow Filters)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Sony Corporation\
DSD to PCM Playback DirectShow Filters (Contains configuration for DSD to PCM Playback DirectShow Filters)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Icaros (Contains configuration for Icaros video thumbnail software)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack (Contains uninstall information for the installed application)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Media Player - Codec Pack (Contains information for the installed application)

HKEY_LOCAL_MACHINE\SOFTWARE\Software\
CLASSES\MatroskaVideo (Contains configuration for Matroska video formats)

HKEY_LOCAL_MACHINE\SOFTWARE\{Haali and HaaliMkx} (Contains configuration for Haali and HaaliMkx Media Splitter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{Windows or Windows NT}\CurrentVersion\{drivers.desc and drivers32} (Contains configuration for Windows multimedia drivers)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2} (Contains additional configuration for Haali Media splitter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
AutoplayHandlers\Handlers\MSPlayBluRayOnArrival (Contains configuration for autoplay handlers)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
AutoplayHandlers\Handlers\MSPlayDVDMovieOnArrival (Contains configuration for autoplay handlers)

HKEY_CURRENT_USER\Software\ReClock (Contains configuration for the Reclock component of the installed application)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ogmfile\shellex\PropertySheetHandlers\
HaaliMediaSplitter (for Haali Media Splitter Usage)

{HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_CLASSES_ROOT}\
{.mka, .mkv and ogmfile} (for MatroskaVideo Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_CLASSES_ROOT\CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE\DSP-worx (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE\DSP-worx\
DC-Bass Source Mod (added if Uninstallation option is used)

It does the following:

• It may opt to shutdown the system after installation.
• It connects to the following URL to send information and receive ad configuration:
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/sec
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/assets/schema/1.0/schema.xsd
• It connects to the following URL to download and load resources in memory
  • https://d3j6hg32mwjrha.{BLOCKED}ront.net/ver/il/v9.24.527.231.6
• It connects to the following URL to send installation analytics:
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/report
• It may display different ads depending on the received configuration from its list of connected URLs.
• It sends the following information to its list of connected URLs:
  • Install status
  • Operating system version
  • Locale
  • Memory size
  • Flag if executed on x64 architecture
  • Execution mode
  • Generated ID and session ID
• It contains pre-checked checkboxes that toggle which components to install.

It does not exploit any vulnerability.