resume.exe is an advanced shellcode injector of which we had encountered only one sample as of the writing of this article. Before it gets down to business, this malware, like many other samples we have seen from Winnti, checks the current year. It also enumerates the running processes and will not run if any of the following are active: ollydbg.exe|ProcessHacker.exe|Fiddler.exe|windbg.exe|tcpview.exe|idaq.exe|idaq64.exe|tcpdump.exe|Wireshark.exe.
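The process-name list above is a useful static triage indicator: a binary that embeds several analysis-tool names is worth a closer look even before it is run. The following Python scanner is an added example written for this article, not code from the sample or from any vendor tooling. It searches a byte buffer for each of the names the article lists, in both ASCII and UTF-16LE (the two encodings such strings usually take in a PE), and returns the hits with their offsets. The `SAMPLE` buffer and the `threshold` of three distinct tools are constructed assumptions for demonstration.

```python
import re

# Process names the sample checks for before running (taken from the article).
ANALYSIS_TOOLS = [
    "ollydbg.exe", "ProcessHacker.exe", "Fiddler.exe", "windbg.exe",
    "tcpview.exe", "idaq.exe", "idaq64.exe", "tcpdump.exe", "Wireshark.exe",
]


def find_anti_analysis_strings(data: bytes):
    """Return a list of (tool, encoding, offset) tuples for every occurrence of an
    analysis-tool name in `data`, matched case-insensitively as ASCII and as UTF-16LE.
    The list is sorted by offset so hits can be related to sections of the file."""
    hits = []
    for tool in ANALYSIS_TOOLS:
        needles = (
            ("ascii", tool.encode("ascii")),
            ("utf16le", tool.encode("utf-16-le")),
        )
        for enc_name, needle in needles:
            # re.IGNORECASE on bytes folds ASCII letters only, which is exactly what we
            # want: the UTF-16LE form is ASCII letters interleaved with NUL bytes.
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for match in pattern.finditer(data):
                hits.append((tool, enc_name, match.start()))
    return sorted(hits, key=lambda h: h[2])


def triage_score(data: bytes, threshold: int = 3):
    """Count the distinct analysis tools referenced in `data` and flag the buffer
    when that count reaches `threshold` (a constructed cut-off, not from the article).
    One tool name can appear in benign software; a whole debugger/sniffer list rarely does."""
    tools = {tool for tool, _, _ in find_anti_analysis_strings(data)}
    return len(tools), len(tools) >= threshold


def scan_file(path: str, threshold: int = 3):
    """Convenience wrapper: read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return triage_score(fh.read(), threshold)


# Constructed test buffer (not bytes from the real sample): four names as one
# pipe-separated ASCII string, plus one name stored as UTF-16LE.
SAMPLE = (
    b"\x00junk\x00"
    + b"ollydbg.exe|ProcessHacker.exe|Fiddler.exe|windbg.exe"
    + b"\x00"
    + "Wireshark.exe".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for tool, enc, off in find_anti_analysis_strings(SAMPLE):
        print(f"{off:#08x} {enc:8s} {tool}")
    count, flagged = triage_score(SAMPLE)
    print(f"distinct tools: {count}, flagged: {flagged}")
```

Matching on strings alone is a heuristic: packed or string-obfuscated samples will not show these names until unpacked, and a legitimate debugging aid may list a tool or two. Use the distinct-tool count as a prioritisation signal for sandbox or manual analysis rather than as a verdict on its own.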
I started from the player crash; it reported that it crashed in igdumdim32.dll @0x59c4EA0C. igdumdim32.dll and igdumdim64.dll are the core files of Intel's user-space graphics drivers. Intel's graphics driver has a small kernel part called the miniport, which only opens the tunnel between user-space applications and the hardware; the real working part is in the DLL, like the 3D functions, video acceleration and DirectDraw. Using a debugger like OllyDbg to debug it, I found it's a function doing some setting work: 2b1af7f3a8