File name:

winamp50.exe

Full analysis: https://app.any.run/tasks/da3eb091-b95d-4c26-85ab-b7c11d4b638b
Verdict: Malicious activity
Analysis date: February 04, 2025, 17:36:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

43ECD335D7E4CFA2D78AF90ADB1BD8FB

SHA1:

9FF4B59C7DF4E3A97050DD9D86D9226A5BAEC2E5

SHA256:

874050A70D7A4BA93E8B60F20E81F55C961960FC3A8C8B9A87B925CA6E725626

SSDEEP:

98304:JfAKjKDAviP/kLjTs8B1DQy+re9Cv1CDYbTZ7ITRSy3RYNOAcFify7ZMRcuDMoD/:FcjzbZ5dQe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • wmaudioredist.exe (PID: 5916)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • winamp50.exe (PID: 6520)
    • Process drops legitimate windows executable

      • winamp50.exe (PID: 6520)
    • Executable content was dropped or overwritten

      • winamp50.exe (PID: 6520)
      • pxsetup.exe (PID: 4188)
    • Starts a Microsoft application from unusual location

      • wmaudioredist.exe (PID: 5916)
    • Drops a system driver (possible attempt to evade defenses)

      • winamp50.exe (PID: 6520)
  • INFO

    • Creates files in the program directory

      • winamp50.exe (PID: 6520)
    • Checks supported languages

      • winamp50.exe (PID: 6520)
    • Reads the computer name

      • winamp50.exe (PID: 6520)
    • Create files in a temporary directory

      • winamp50.exe (PID: 6520)
    • The sample compiled with english language support

      • winamp50.exe (PID: 6520)
    • Creates files or folders in the user directory

      • winamp50.exe (PID: 6520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2003:11:18 22:21:29+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 88064
UninitializedDataSize: 37888
EntryPoint: 0x429b
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

start -> winamp50.exe -> wmaudioredist.exe (no specs), pxsetup.exe, winampa.exe (no specs), winamp.exe (no specs), winamp.exe (no specs), winamp50.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3524
CMD: "C:\Program Files (x86)\Winamp\Winamp.exe" /REG=DLCVAN
Path: C:\Program Files (x86)\Winamp\winamp.exe
Parent process: winamp50.exe
User:
admin
Company:
Nullsoft
Integrity Level:
HIGH
Description:
Winamp
Exit code:
0
Version:
5.0
Modules
Images
c:\program files (x86)\winamp\winamp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4164
CMD: "C:\Program Files (x86)\Winamp\Winamp.exe" "C:\Program Files (x86)\Winamp\winamp.m3u"
Path: C:\Program Files (x86)\Winamp\winamp.exe
Parent process: winamp50.exe
User:
admin
Company:
Nullsoft
Integrity Level:
HIGH
Description:
Winamp
Version:
5.0
Modules
Images
c:\program files (x86)\winamp\winamp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4188
CMD: "C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\pxsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\pxsetup.exe
Parent process: winamp50.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\nsi6b52.tmp\pxsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4444
CMD: "C:\Program Files (x86)\Winamp\winampa.exe"
Path: C:\Program Files (x86)\Winamp\winampa.exe
Parent process: winamp50.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files (x86)\winamp\winampa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 5916
CMD: "C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\wmaudioredist.exe" /Q /R:N
Path: C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\wmaudioredist.exe
Parent process: winamp50.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Media Component Setup Application
Exit code:
0
Version:
4.00.0.3845
Modules
Images
c:\users\admin\appdata\local\temp\nsi6b52.tmp\wmaudioredist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6356
CMD: "C:\Users\admin\AppData\Local\Temp\winamp50.exe"
Path: C:\Users\admin\AppData\Local\Temp\winamp50.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\winamp50.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6520
CMD: "C:\Users\admin\AppData\Local\Temp\winamp50.exe"
Path: C:\Users\admin\AppData\Local\Temp\winamp50.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\winamp50.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
1 654
Read events
1 526
Write events
123
Delete events
5

Modification events

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\px.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\pxmas.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\pxwave.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\vxblock.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\pxdrv.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\pxwma.dll
Value: 1

(PID) Process: (4188) pxsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\system32\pxhpinst.exe
Value: 1

(PID) Process: (6520) winamp50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fba38bcf-e23d-4979-811e-1326bbadb8c8}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (6520) winamp50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44b09a5f-5dee-4539-8001-d4b2d45c2876}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6520) winamp50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d4387178-98ca-4929-b8e3-a11cd2f333a6}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment
Executable files
59
Suspicious files
212
Text files
576
Unknown types
0

Dropped files

PID | Process | Filename | Type
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\winamp.m3u | text
MD5: A9FCF40B19E3F8CB024C56C5877E7455
SHA256: DFBCBDD41A68CB584FEC4810494577D9C17D1445D5883572B6770B257150701F
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\winampmb.htm | html
MD5: 601D39B04A3C48F7FE2D56274D425B41
SHA256: 7F553795C636392A5BE97370B871947732249A4BF46B7D1064B598D795C0FD05
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\winamp.exe | executable
MD5: C08EF0AFA6D941B39D43B3655681F6DF
SHA256: CF9B9BEF1C6EC66F8027A69DC197E7EA3463B81CB659C46701ACFD4E21B2400A
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\demo.mp3 | binary
MD5: 5B9FC63F9D440BC6078CBDD21AB2A9D9
SHA256: 235EF3F11F9D0D7E79C64C380F939B6B1C6C1EF7C34FCEAA31075114C7280C49
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\Plugins\in_mp3.dll | executable
MD5: F1A68351670F5F0FFB54702994CFE079
SHA256: C9C5CEE2E685CD447F350A6838F853D8DBE03D246D675325DC9D4354E4F6AD9D
6520 | winamp50.exe | C:\Program Files (x86)\Winamp\winampa.exe | executable
MD5: 11AA6662A1BE30375AFD1A8407811E7E
SHA256: 390FFA2B40EB3930AAA07268442AD22A6C4B117B48B4582EBCF5E2A8844E5B3A
6520 | winamp50.exe | C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\modern-header.bmp | image
MD5: 82AB02BEF065A5537A9D22922F5B0D6E
SHA256: B7514AC9A55F2BE663346775D45B12B07E84B469DFC96D6E69CB19759B3FA90E
6520 | winamp50.exe | C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\gaydata.ini | text
MD5: 243BF3F2E784FAD9ECCBE03B4E494C6F
SHA256: 20B0CFDA8005BA81AE7D425931AF73F73089A9F0D2CEA3A97C084D04A570F985
6520 | winamp50.exe | C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\opt2page.ini | text
MD5: 02F3078857596518B163EEB4D38C26B5
SHA256: 6A66E033C7C9D955CBCFE638BC3EA2E17067D3114E2A2FECFC82406A4FD0F6F5
6520 | winamp50.exe | C:\Users\admin\AppData\Local\Temp\nsi6B52.tmp\opt3page.ini | ini
MD5: 9F91302DAF6E8567A39DBAE217AE43DD
SHA256: A12EDBA48966D8D57FC8FECA43B11A69B805EFC5931BDE67494E4E83E55A21A3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
31
DNS requests
16
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 95.101.78.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
8 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
7104 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
7104 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 95.101.78.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3584 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 40.126.31.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 95.101.78.32
  • 95.101.78.42
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.31.128
  • 40.126.31.131
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.131
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

No threats detected
No debug info