File name: foobar2000-x64_v2.1.6.exe

Full analysis: https://app.any.run/tasks/7cf76640-8d36-48ca-b5b2-45ced51979ec
Verdict: Malicious activity
Analysis date: October 04, 2024, 11:39:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows, Nullsoft Installer self-extracting archive
MD5: ADAFCE58F2C863C795671A1DFC5A0A46
SHA1: B91C11C18C93CE3298730B120F5369D0853B0CA5
SHA256: B8C6EDE3B39057170C6252DC660CF5180B06321B64B9774089F205BD3E813F90
SSDEEP: 98304:eMdWJ6a6Vb+Q7nm8BW6i48RGW6R7UD1KkRjB/YxPOmL0HEv7Ol4aCXZK/7Ff7FYj:e4NVQFoqNIYIjaZ5Asni

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • foobar2000-x64_v2.1.6.exe (PID: 1008)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • Executable content was dropped or overwritten

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • Reads security settings of Internet Explorer

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
    • Reads the date of Windows installation

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
    • Application launched itself

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2132)
    • Creates a software uninstall entry

      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • Process drops legitimate windows executable

      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • The process drops C-runtime libraries

      • foobar2000-x64_v2.1.6.exe (PID: 1008)
  • INFO

    • Checks supported languages

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
      • foobar2000.exe (PID: 2448)
    • Create files in a temporary directory

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
      • foobar2000.exe (PID: 2448)
    • Reads the computer name

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
      • foobar2000-x64_v2.1.6.exe (PID: 1008)
    • Process checks computer location settings

      • foobar2000-x64_v2.1.6.exe (PID: 4108)
    • Creates files or folders in the user directory

      • foobar2000.exe (PID: 2448)
    • Creates files in the program directory

      • foobar2000-x64_v2.1.6.exe (PID: 1008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:04:01 07:50:18+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 33792
InitializedDataSize: 410624
UninitializedDataSize: 16384
EntryPoint: 0x425c
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.1.6.0
ProductVersionNumber: 2.1.6.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: foobar2000.org
FileDescription: foobar2000 Installer
FileVersion: 2.1.6
LegalCopyright: © Peter Pawlowski. All rights reserved.
OriginalFileName: foobar2000-x64_v2.1.6.exe
ProductName: foobar2000
ProductVersion: 2.1.6
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes as labelled in the graph: start, foobar2000-x64_v2.1.6.exe, foobar2000-x64_v2.1.6.exe, regsvr32.exe (no specs), foobar2000.exe (no specs), foobar2000 shell associations updater.exe (no specs), foobar2000.exe (no specs)

Process information

PID: 1008
CMD: "C:\Users\admin\Desktop\foobar2000-x64_v2.1.6.exe" /UAC:11031C /NCRC
Path: C:\Users\admin\Desktop\foobar2000-x64_v2.1.6.exe
Parent process: foobar2000-x64_v2.1.6.exe
User:
admin
Company:
foobar2000.org
Integrity Level:
HIGH
Description:
foobar2000 Installer
Exit code:
0
Version:
2.1.6
Modules
Images
c:\users\admin\desktop\foobar2000-x64_v2.1.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1404
CMD: "C:\Program Files\foobar2000\foobar2000 Shell Associations Updater.exe" "C:\Users\admin\AppData\Local\Temp\fb2kshelldata.tmp"
Path: C:\Program Files\foobar2000\foobar2000 Shell Associations Updater.exe
Parent process: foobar2000-x64_v2.1.6.exe
User:
admin
Company:
Peter Pawlowski
Integrity Level:
HIGH
Description:
foobar2000 Shell Associations Updater
Exit code:
0
Version:
1, 0, 0, 0
Modules
Images
c:\program files\foobar2000\foobar2000 shell associations updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 2132
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\foobar2000\Fb2kShellExt.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: foobar2000-x64_v2.1.6.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 2448
CMD: "C:\Program Files\foobar2000\foobar2000.exe" /install /quiet /exportshelldata "C:\Users\admin\AppData\Local\Temp\fb2kshelldata.tmp"
Path: C:\Program Files\foobar2000\foobar2000.exe
Parent process: foobar2000-x64_v2.1.6.exe
User:
admin
Company:
Piotr Pawlowski
Integrity Level:
MEDIUM
Description:
foobar2000
Exit code:
0
Version:
2.1.6.0
Modules
Images
c:\program files\foobar2000\foobar2000.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\win32u.dll

PID: 4108
CMD: "C:\Users\admin\Desktop\foobar2000-x64_v2.1.6.exe"
Path: C:\Users\admin\Desktop\foobar2000-x64_v2.1.6.exe
Parent process: explorer.exe
User:
admin
Company:
foobar2000.org
Integrity Level:
MEDIUM
Description:
foobar2000 Installer
Exit code:
0
Version:
2.1.6
Modules
Images
c:\users\admin\desktop\foobar2000-x64_v2.1.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6296
CMD: "C:\Program Files\foobar2000\foobar2000.exe"
Path: C:\Program Files\foobar2000\foobar2000.exe
Parent process: foobar2000-x64_v2.1.6.exe
User:
admin
Company:
Piotr Pawlowski
Integrity Level:
MEDIUM
Description:
foobar2000
Version:
2.1.6.0
Modules
Images
c:\program files\foobar2000\foobar2000.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 1 201
Read events: 907
Write events: 294
Delete events: 0

Modification events

(PID) Process: (2132) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Fb2kShellExt.DLL
Operation: write
Name: AppID
Value: {3B3052C5-E430-4A00-84C9-BFD43336940B}

(PID) Process: (2132) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}
Operation: write
Name: AppID
Value: {0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}

(PID) Process: (2132) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (2132) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}
Operation: write
Name: DllSurrogate
Value: (empty)

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\foobar2000
Operation: write
Name: InstallDir
Value: C:\Program Files\foobar2000

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\foobar2000.exe
Operation: write
Name: UseUrl
Value: 1

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\foobar2000
Operation: write
Name: DefaultIcon
Value: C:\Program Files\foobar2000\foobar2000.exe

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\foobar2000
Operation: write
Name: Action
Value: Play

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\foobar2000
Operation: write
Name: InvokeVerb
Value: open

(PID) Process: (1008) foobar2000-x64_v2.1.6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\foobar2000
Operation: write
Name: Provider
Value: foobar2000

Executable files: 93
Suspicious files: 48
Text files: 46
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4108 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nsp6DFB.tmp\UAC.dll | executable
MD5: A1662BD08B214585B88F3F7DDCFF473D
SHA256: 6975D25C8DF210EC5EF8CB446F395406388D1DA7B66DEAEF53DAA0828437C41C

1008 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nso8FCC.tmp\modern-header.bmp | image
MD5: D0A335B55AEA042DBA383CB9EB91C093
SHA256: 60F9E6030D4C75E5ED7E9300FB13FD46346D581E2039AE5E9A66DA72984C78F5

1008 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nso8FCC.tmp\System.dll | executable
MD5: 1E1757257C7528A1D975980AF12411DE
SHA256: 2A00FF9FF6C7FBFD91641C0FA8636157424F29AC557BE56C5F8F41726DBCA56D

4108 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nsp6DFB.tmp\modern-wizard.bmp | image
MD5: 4E50C5083442A80CCAD90B7249517327
SHA256: DCF6F31126374385B6B626C81262CDC29A1766E0AEB60AA830BCA2EF97684023

1008 | foobar2000-x64_v2.1.6.exe | C:\Program Files\foobar2000\concrt140.dll | executable
MD5: 23F1F4021410EC9AD0D1D384DB019B02
SHA256: 2556B827690E4598B5EB655982D996A4FD85B81BD182A56AA2145769B3FD4DA6

4108 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nsp6DFB.tmp\nsDialogs.dll | executable
MD5: DECEC43DCFB8505308D2E33A126ED4C3
SHA256: DBE443CBFB07446C74892A483156FEBFDC78AD4C6C94688F1D5E0A344E7958C2

1008 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nso8FCC.tmp\UAC.dll | executable
MD5: A1662BD08B214585B88F3F7DDCFF473D
SHA256: 6975D25C8DF210EC5EF8CB446F395406388D1DA7B66DEAEF53DAA0828437C41C

4108 | foobar2000-x64_v2.1.6.exe | C:\Users\admin\AppData\Local\Temp\nsp6DFB.tmp\modern-header.bmp | image
MD5: D0A335B55AEA042DBA383CB9EB91C093
SHA256: 60F9E6030D4C75E5ED7E9300FB13FD46346D581E2039AE5E9A66DA72984C78F5

1008 | foobar2000-x64_v2.1.6.exe | C:\Program Files\foobar2000\foobar2000.exe | executable
MD5: 6D7DA6ED41915A1F5725356B4454F095
SHA256: DF1DD0AC8C26EE66C6A3C9937BC505383AD0E949ADB9837EC8001A9432864693

1008 | foobar2000-x64_v2.1.6.exe | C:\Program Files\foobar2000\shared.dll | executable
MD5: CF937046FABC705C0191599D280BF8A7
SHA256: CBC0435E45A7615A62D2C0227F481469EA23FB19D14064E138843666B66B44EE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 28
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3324 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.50.80.210:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3324 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
browser.pipe.aria.microsoft.com
  • 51.104.15.252
whitelisted

Threats

No threats detected
No debug info