If you have a dvdplay.exe program on your system you can quickly do two things with it:

• use it to disturb the process tree
• leveraging the fact it is a signed binary – add it to any common startup place and achieve a nice, invisible persistence mechanism, possibly bypassing some security  solutions (they will just detect entries pointing to a signed binary and nothing else)

How?

The dvdplay.exe program is a simple wrapper that actually calls wmplayer.exe. But not the one you would expect.

In order to find a path to the wmplayer, it reads the following Registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
"Path"="c:\\malware\\"

So… changing that path to any path in your control, you can drop your wmplayer.exe there and voila!