PotPlayerSetup64.exe
This report is generated from a file or URL submitted to this webservice on April 19th 2019 04:49:54 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware
  - The analysis extracted a known ransomware file
- Spyware
  - Contains ability to open the clipboard
- Persistence
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the system/video BIOS version
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain and 1 host
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (11)

Environment Awareness

Reads the system/video BIOS version
- details:
  - "PotPlayerMini64.exe" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM"; Key: "SYSTEMBIOSVERSION")
  - "PotPlayerMini64.exe" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM"; Key: "VIDEOBIOSVERSION")
- source: Registry Access
- relevance: 9/10
- ATT&CK ID: T1012

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/70 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details: 1/68 Antivirus vendors marked dropped file "QuickSync64.dll" as malicious (classified as "Trojan.Win64" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details:
  - "PotPlayerSetup64.exe" allocated memory in "%PROGRAMFILES%\DAUM\PotPlayer\Module\Bass64"
  - "PotPlayerSetup64.exe" allocated memory in "%PROGRAMFILES%\DAUM\PotPlayer\Extention\Subtitle"
  - "PotPlayerSetup64.exe" allocated memory in "%PROGRAMFILES%\DAUM\PotPlayer\uninstall.exe"
  - "PotPlayerMini64.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e47f4f44-d863-11e7-9d8f-806e6f6e6963}"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  - "PotPlayerSetup64.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\DAUM\PotPlayer\KillPot64.exe" (Handle: 520)
  - "PotPlayerSetup64.exe" wrote 52 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\KillPot64.exe" (Handle: 520)
  - "PotPlayerSetup64.exe" wrote 4 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\KillPot64.exe" (Handle: 520)
  - "PotPlayerSetup64.exe" wrote 8 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\KillPot64.exe" (Handle: 520)
  - "PotPlayerSetup64.exe" wrote 32 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 436)
  - "PotPlayerSetup64.exe" wrote 52 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 436)
  - "PotPlayerSetup64.exe" wrote 4 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 436)
  - "PotPlayerSetup64.exe" wrote 8 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 436)
  - "PotPlayerSetup64.exe" wrote 32 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 516)
  - "PotPlayerSetup64.exe" wrote 52 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 516)
  - "PotPlayerSetup64.exe" wrote 4 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 516)
  - "PotPlayerSetup64.exe" wrote 8 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" (Handle: 516)
  - "PotPlayerMini64.exe" wrote 32 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1172)
  - "PotPlayerMini64.exe" wrote 52 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1172)
  - "PotPlayerMini64.exe" wrote 8 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1172)
  - "PotPlayerMini64.exe" wrote 32 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1168)
  - "PotPlayerMini64.exe" wrote 52 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1168)
  - "PotPlayerMini64.exe" wrote 8 bytes to a remote process "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" (Handle: 1168)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
  - Found malicious artifacts related to "211.231.108.199": ...
    - URL: http://get.daum.net/PotPlayer/Codec/OpenCodecSetup64.exe?a (AV positives: 1/69 scanned on 04/18/2019 20:28:36)
    - URL: http://get.daum.net/myb/ (AV positives: 2/69 scanned on 04/18/2019 12:31:12)
    - URL: http://get.daum.net/cleaner/DaumCleaner.exe (AV positives: 3/69 scanned on 04/17/2019 18:03:02)
    - URL: http://get.daum.net/DaumScreenSaver/ (AV positives: 2/69 scanned on 04/17/2019 13:21:07)
    - URL: http://get.daum.net/PotPlayer/Version/Latest/PotPlayerSetup.exe (AV positives: 1/69 scanned on 04/17/2019 07:38:07)
- source: Network Traffic
- relevance: 10/10

Ransomware/Banking

The analysis extracted a known ransomware file
- details: Found dropped filename "FileList.txt" which has been seen in the context of ransomware (Indicator: filelist.txt)
- source: Binary File
- relevance: 5/10

Unusual Characteristics

Contains native function calls
- details:
  - NtdllDefWindowProc_W@NTDLL.DLL from PotPlayerSetup64.exe (PID: 3196)
  - NtdllDefWindowProc_A@NTDLL.DLL from OpenCodecSetup64.exe (PID: 3488)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  - Spawned process "PotPlayerSetup64.exe"
  - Spawned process "KillPot64.exe"
  - Spawned process "PotPlayerMini64.exe" with commandline "/SetLanguage /ENGLISH"
  - Spawned process "PotPlayerMini64.exe" with commandline "/RfPolicy"
  - Spawned process "DTDrop64.exe" with commandline "/regserver"
  - Spawned process "PotPlayerMini64.exe" with commandline "/RegisterAll"
  - Spawned process "DTDrop64.exe" with commandline "/regserver"
  - Spawned process "OpenCodecSetup64.exe"
- source: Monitored Target
- relevance: 8/10

Hiding 2 Malicious Indicators (all indicators are available only in the private webservice or standalone version)

Suspicious Indicators (33)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
  - "PotPlayerMini64.exe" at 00030409-00002840-00000033-206369997944
  - "PotPlayerMini64.exe" at 00030409-00002840-00000033-210477602477
  - "PotPlayerMini64.exe" at 00030843-00002204-00000033-218274180779
  - "PotPlayerMini64.exe" at 00030843-00002204-00000033-221162077712
  - "PotPlayerMini64.exe" at 00031275-00002684-00000033-232639197847
  - "PotPlayerMini64.exe" at 00031275-00002684-00000033-235705000091
- source: API Call
- relevance: 6/10

Queries process information
- details:
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-169572592179
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-173202989880
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-175793996143
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-179692115604
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-183713326002
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-186581755537
  - "KillPot64.exe" queried SystemProcessInformation at 00029460-00003592-00000033-189103411829
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057

Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details:
  - Found 33 calls to GetProcAddress@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2840)
  - Found 33 calls to GetProcAddress@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2204)
  - Found 33 calls to GetProcAddress@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - Found 33 calls to GetProcAddress@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2684)
  - Found 33 calls to GetProcAddress@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Contains ability to query CPU information
- details:
  - cpuid from KillPot64.exe (PID: 3592)
  - cpuid from PotPlayerMini64.exe (PID: 2840)
  - cpuid from PotPlayerMini64.exe (PID: 2204)
  - cpuid from PotPlayerMini64.exe (PID: 2684)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Reads the active computer name
- details:
  - "PotPlayerSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "PotPlayerMini64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "OpenCodecSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  - 1/66 reputation engines marked "http://get.daum.net" as malicious (1% detection rate)
  - 1/66 reputation engines marked "http://potplayer.daum.net" as malicious (1% detection rate)
  - 1/66 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  - FindResourceW@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - LoadResource@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - FindResourceExW@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - FindResourceW@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - FindResourceW@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - LoadResource@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - FindResourceExW@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - FindResourceW@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - FindResourceW@KERNEL32.dll
  - LoadResource@KERNEL32.dll
  - FindResourceW@KERNEL32.dll
  - FindResourceExW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  - "PotPlayerMini64.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  - "OpenCodecSetup64.exe" read file "%PROGRAMFILES%\desktop.ini"
  - "OpenCodecSetup64.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details:
  - "PotIcons64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "PotPlayerMini64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  - "UAC.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "KillPot64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  - "bass_flac.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "QuickSync64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "bass_wv.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "DesktopHook.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "d3dcompiler_47.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  - "MediaInfo64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "bass_ape.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "MediaDB64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "advsplash.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "inetc.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "ATextOut64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "bass_ofr.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  - "bass_tta.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Process binds to unusual ports
- details: Process "C:\PotPlayerSetup64.exe" binds to port 1025
- source: Network Traffic
- relevance: 10/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details: TCP traffic to 211.231.108.199 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details:
  - Module32FirstW@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - CreateToolhelp32Snapshot@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - Module32FirstW@KERNEL32.DLL from KillPot64.exe (PID: 3592)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1215

Contains ability to open the clipboard
- details:
  - OpenClipboard@USER32.DLL from PotPlayerSetup64.exe (PID: 3196)
  - OpenClipboard@USER32.DLL from OpenCodecSetup64.exe (PID: 3488)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115

System Destruction

Marks file for deletion
- details:
  - "C:\PotPlayerSetup64.exe" marked "%TEMP%\nszE66F.tmp" for deletion
  - "C:\PotPlayerSetup64.exe" marked "%TEMP%\nskE7E8.tmp" for deletion
  - "C:\PotPlayerSetup64.exe" marked "C:\spltmp.bmp" for deletion
  - "%TEMP%\nskE7E8.tmp\OpenCodecSetup64.exe" marked "%TEMP%\nsdEACB.tmp" for deletion
  - "%TEMP%\nskE7E8.tmp\OpenCodecSetup64.exe" marked "%TEMP%\nstEB79.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  - "PotPlayerSetup64.exe" opened "%TEMP%\nszE66F.tmp" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nskE7E8.tmp" with delete access
  - "PotPlayerSetup64.exe" opened "C:\spltmp.bmp" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Program Files\DAUM\PotPlayer\PotPlayer64.dll" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Program Files\DAUM\PotPlayer\PotNotify64.dll" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Program Files\DAUM\PotPlayer\PotScreenSaver64.dll" with delete access
  - "PotPlayerSetup64.exe" opened "C:\Program Files\DAUM\PotPlayer\ffcodec64.dll" with delete access
  - "PotPlayerMini64.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\PotPlayerMini64\PotPlayerMini64.ini" with delete access
  - "OpenCodecSetup64.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsdEACB.tmp" with delete access
  - "OpenCodecSetup64.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nstEB79.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies Software Policy Settings
- details:
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  - "PotPlayerMini64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Modifies proxy settings
- details:
  - "PotPlayerMini64.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "PotPlayerMini64.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details: "PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
  - "PotIcons64.dll" claimed CRC 2552994 while the actual is CRC 28051664
  - "PotPlayerMini64.exe" claimed CRC 306275 while the actual is CRC 2552994
  - "UAC.dll" claimed CRC 35035 while the actual is CRC 306275
  - "KillPot64.exe" claimed CRC 121515 while the actual is CRC 35035
  - "DesktopHook.exe" claimed CRC 138297 while the actual is CRC 101726
  - "d3dcompiler_47.dll" claimed CRC 4219283 while the actual is CRC 138297
  - "MediaInfo64.dll" claimed CRC 6238772 while the actual is CRC 4219283
  - "advsplash.dll" claimed CRC 100753 while the actual is CRC 1223970
  - "DesktopHook.dll" claimed CRC 117119 while the actual is CRC 37502
  - "OpenCodecSetup64.exe" claimed CRC 10906167 while the actual is CRC 117119
  - "OldIconPack.dll" claimed CRC 1596605 while the actual is CRC 243487
  - "D_Exec64.exe" claimed CRC 98320 while the actual is CRC 68734
  - "PotIconsNew.dll" claimed CRC 2655340 while the actual is CRC 98320
  - "DesktopHook64.dll" claimed CRC 142527 while the actual is CRC 2655340
  - "FFmpegMininum64.dll" claimed CRC 342814 while the actual is CRC 272501
  - "DaumCrashHandler64.dll" claimed CRC 166836 while the actual is CRC 39792
  - "PotPlayer64.dll" claimed CRC 31507845 while the actual is CRC 166836
  - "ffcodec64.dll" claimed CRC 24729064 while the actual is CRC 216156
  - "uninstall.exe" claimed CRC 28051664 while the actual is CRC 5264079
  - "DTDrop64.exe" claimed CRC 181794 while the actual is CRC 24944
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details: "PotPlayer64.dll" has an entrypoint in section ".taggant"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: RegCreateKeyExW, RegDeleteValueW, RegCloseKey, OpenProcessToken, RegEnumKeyW, RegOpenKeyExW, RegDeleteKeyW, CopyFileW, GetModuleFileNameW, GetFileAttributesW,
  GetFileSize, GetCommandLineW, LoadLibraryExW, CreateDirectoryW, DeleteFileW, GetProcAddress, GetTempFileNameW, GetModuleHandleA, CreateThread, FindNextFileW,
  GetTempPathW, FindFirstFileW, GetModuleHandleW, WriteFile, CreateFileW, CreateProcessW, Sleep, GetTickCount, ShellExecuteExW, FindWindowExW,
  GetModuleFileNameA, LoadLibraryA, UnhandledExceptionFilter, GetCommandLineA, GetStartupInfoA, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, LoadLibraryW, GetModuleHandleExW,
  OutputDebugStringW, GetVersionExW, OpenProcess, GetWindowThreadProcessId, GetLastActivePopup, SetWindowsHookExW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FindFirstFileExW,
  ShellExecuteW, RegEnumKeyExW, FindNextFileA, VirtualProtect, FindFirstFileExA, VirtualAlloc, GetUserNameW, RegOpenKeyExA, RegEnumKeyExA, DeviceIoControl,
  MapViewOfFileEx, CopyFileExW, CreateFileMappingW, GetFileSizeEx, MapViewOfFile, OutputDebugStringA, CreateFileA, GetFileAttributesA, GetTempPathA, FindResourceExW,
  ExitThread, DeleteFileA, CreateFileMappingA, FindResourceW, LockResource, GetFileAttributesExW, SleepEx, HttpQueryInfoW, InternetOpenW, InternetConnectW,
  InternetWriteFile, HttpSendRequestExW, InternetCloseHandle, InternetCrackUrlW, InternetQueryOptionW, HttpSendRequestW, InternetReadFile, FtpOpenFileW, RegDeleteValueA, GetThreadContext
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details: "PotPlayerSetup64.exe" wrote patch bytes into the loaded modules SYSTEM.DLL, WS2_32.DLL, SSPICLI.DLL, INSTALLOPTIONS.DLL, WSHIP6.DLL, WSHTCPIP.DLL, NSI.DLL, USER32.DLL and WININET.DLL
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "PotPlayerSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "PotPlayerMini64.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
  - "OpenCodecSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Timestamp in PE header is very old or in the future
- details: "ffcodec64.dll" claims program is from Thu Jan 1 00:00:00 1970
- source: Static Parser
- relevance: 10/10

Hiding 8 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)

Informative Indicators (36)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  - SetUnhandledExceptionFilter@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2840)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2204)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2684)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - SetUnhandledExceptionFilter@KERNEL32.dll
  - SetUnhandledExceptionFilter@KERNEL32.dll
  - SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

PE file contains zero-size sections
- details:
  - Raw size of ".ndata" is zero
  - Raw size of ".bss" is zero
- source: Static Parser
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details:
  - GetSystemTimeAsFileTime@KERNEL32.DLL from KillPot64.exe (PID: 3592)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2840)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2204)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2684)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - GetSystemTimeAsFileTime@KERNEL32.dll
  - GetSystemTimeAsFileTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details:
  - GetVersion@KERNEL32.DLL from PotPlayerSetup64.exe (PID: 3196)
  - GetVersion@KERNEL32.DLL from OpenCodecSetup64.exe (PID: 3488)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
  - GetUserDefaultLCID@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2840)
  - GetUserDefaultLCID@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2204)
  - GetUserDefaultLCID@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2684)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
  - GetDiskFreeSpaceW@KERNEL32.DLL from PotPlayerSetup64.exe (PID: 3196)
  - GetDiskFreeSpaceW@KERNEL32.DLL from PotPlayerSetup64.exe (PID: 3196)
  - GetDiskFreeSpaceW@KERNEL32.DLL from PotPlayerSetup64.exe (PID: 3196)
  - GetDiskFreeSpaceA@KERNEL32.DLL from OpenCodecSetup64.exe (PID: 3488)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 004034D9h" from PotPlayerSetup64.exe (PID: 3196)
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 0040335Fh" from OpenCodecSetup64.exe (PID: 3488)
  - Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 00000001800CF062h"
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
  - GetProcessHeap@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2840)
  - GetProcessHeap@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2204)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 564)
  - GetProcessHeap@KERNEL32.DLL from PotPlayerMini64.exe (PID: 2684)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - GetProcessHeap@KERNEL32.DLL from DTDrop64.exe (PID: 2156)
  - GetProcessHeap@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads the registry for installed applications
- details:
  - "PotPlayerSetup64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POTPLAYERMINI64.EXE")
  - "PotPlayerSetup64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\POTPLAYER64")
  - "PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\DTDROP64.EXE")
  - "PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\DTDROP64.EXE")
  - "PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POTPLAYERMINI64.EXE")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\POTPLAYERMINI64.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
General
-
Accesses Software Policy Settings
- details
-
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Accesses System Certificates Settings
- details
-
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PotPlayerMini64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Contacts domains
- details
- "get.daum.net"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "211.231.108.199:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"D:\MyProject\StreetPlayer\ExtraProgram\KillPot\x64\Release\KillPot64.pdb"
"D:\MyProject\StreetPlayer\ExtraProgram\PotPlayer\bin\lib\Release_Mini_x64\PotPlayerMini64.pdb"
"D:\MyProject\Street2008\ExtraProgram\DropTarget\x64\Release_EXE\DTDrop64.pdb" - source
- File/Memory
- relevance
- 1/10
-
Contains SQL queries
- details
-
"INSERT OR REPLACE INTO %s(fn, time, dur, fcc, width, height, fps, arx, ary, vbit, tag, srate, ch, bits, abit, sub, fsize, dib, dsize) Values(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);"
"INSERT OR REPLACE INTO %s(fn, time, dur, fcc, width, height, fps, arx, ary, vbit, tag, srate, ch, bits, abit, sub, fsize, dsize) Values(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);"
"UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;"
"UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');"
"UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;"
"INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);" - source
- File/Memory
- relevance
- 2/10
-
Creates a writable file in a temporary directory
- details
-
"PotPlayerSetup64.exe" created file "%TEMP%\nsqE7B9.tmp"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\UAC.dll"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\LangDLL.dll"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\advsplash.dll"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\System.dll"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\ioSpecial.ini"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\InstallOptions.dll"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\modern-wizard.bmp"
"PotPlayerSetup64.exe" created file "%TEMP%\nskE7E8.tmp\modern-header.bmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\LRIEElevationPolicyMutex"
"Local\ZonesCacheCounterMutex"
"Local\LRIEElevationPolicyMutex"
"Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "PotIcons64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "PotPlayerMini64.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "UAC.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "KillPot64.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "bass_flac.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "InstallOptions.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "UserInfo.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "bass_wv.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "DesktopHook.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "d3dcompiler_47.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
Antivirus vendors marked dropped file "bass_ape.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "MediaDB64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "advsplash.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "inetc.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ATextOut64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "bass_ofr.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "bass_tta.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "DesktopHook.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "bass.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /PotPlayer64/v4/Module/FFmpeg/FFmpegMininum64.dll HTTP/1.1
User-Agent: DaumPotPlayer
Host: get.daum.net
Connection: Keep-Alive
Cache-Control: no-cache"
"GET /PotPlayer/Codec/OpenCodecSetup64.exe HTTP/1.1
User-Agent: DaumPotPlayer
Host: get.daum.net
Connection: Keep-Alive
Cache-Control: no-cache" - source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
-
"PotPlayerSetup64.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73AD0000
"PotPlayerMini64.exe" loaded module "%WINDIR%\System32\riched32.dll" at FB480000
"PotPlayerMini64.exe" loaded module "%WINDIR%\System32\riched20.dll" at F54B0000
"PotPlayerMini64.exe" loaded module "%WINDIR%\System32\riched32.dll" at FB490000
"PotPlayerMini64.exe" loaded module "%WINDIR%\System32\riched20.dll" at F5370000
"PotPlayerMini64.exe" loaded module "%WINDIR%\System32\riched20.dll" at F5410000
"OpenCodecSetup64.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73AD0000 - source
- Loaded Module
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Overview of unique CLSIDs touched in registry
- details
-
"PotPlayerSetup64.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"PotPlayerSetup64.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"PotPlayerSetup64.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"PotPlayerSetup64.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"PotPlayerSetup64.exe" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"PotPlayerSetup64.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"PotPlayerMini64.exe" touched "Security Manager" (Path: "HKCU\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")
"PotPlayerMini64.exe" touched "Application Registration" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{591209C7-767B-42B2-9FBA-44EE4615F2C7}") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "KillPot64.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "DTDrop64.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "DTDrop64.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "PotPlayerMini64.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "PotPlayerMini64.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "DTDrop64.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "DTDrop64.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "OpenCodecSetup64.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "OpenCodecSetup64.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "PotPlayerMini64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Scanning for window names
- details
-
"PotPlayerSetup64.exe" searching for class "#32770"
"PotPlayerSetup64.exe" searching for class "PotNotify64"
"PotPlayerSetup64.exe" searching for class "PotPlayer64"
"OpenCodecSetup64.exe" searching for class "#32770" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "KillPot64.exe" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/SetLanguage /ENGLISH" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/RfPolicy" (Show Process)
Spawned process "DTDrop64.exe" with commandline "/regserver" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/RegisterAll" (Show Process)
Spawned process "DTDrop64.exe" with commandline "/regserver" (Show Process)
Spawned process "OpenCodecSetup64.exe" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "KillPot64.exe" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/SetLanguage /ENGLISH" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/RfPolicy" (Show Process)
Spawned process "DTDrop64.exe" with commandline "/regserver" (Show Process)
Spawned process "PotPlayerMini64.exe" with commandline "/RegisterAll" (Show Process)
Spawned process "DTDrop64.exe" with commandline "/regserver" (Show Process)
Spawned process "OpenCodecSetup64.exe" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US" (SHA1: D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC; see report for more information)
The input sample is signed with a certificate issued by "CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US" (SHA1: C4:C8:C8:E0:C9:D5:EE:87:AE:6C:2C:7D:3B:60:83:3A:D2:19:65:82; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"PotPlayerSetup64.exe" connecting to "\ThemeApiPort"
"PotPlayerMini64.exe" connecting to "\ThemeApiPort"
"OpenCodecSetup64.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"PotIcons64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"PotPlayerMini64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"UAC.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"KillPot64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"bass_flac.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"QuickSync64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"bass_wv.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"DesktopHook.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"d3dcompiler_47.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"MediaInfo64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"bass_ape.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"MediaDB64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"advsplash.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"inetc.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ATextOut64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"bass_ofr.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"bass_tta.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"PotPlayerSetup64.exe" touched file "C:\Windows\SysWOW64\oleaccrc.dll"
"PotPlayerSetup64.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"PotPlayerSetup64.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"PotPlayerSetup64.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"PotPlayerSetup64.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"PotPlayerSetup64.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"PotPlayerSetup64.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"PotPlayerSetup64.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"PotPlayerSetup64.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"PotPlayerSetup64.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"PotPlayerSetup64.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"PotPlayerSetup64.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"PotPlayerMini64.exe" touched file "C:\Windows\System32\rsaenh.dll"
"PotPlayerMini64.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"PotPlayerMini64.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"PotPlayerMini64.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "IWpy%zT.me"
Heuristic match: "3ut9']$.La"
Heuristic match: "3\q[j>.Pw"
Heuristic match: "`O3M-b.Ca"
Heuristic match: "[q_m?M4.vC"
Heuristic match: "-jpK.SY"
Heuristic match: "9Ie;X.gB"
Heuristic match: "JiSPA=.nU"
Pattern match: "http://t2.symcb.com0"
Pattern match: "http://t1.symcb.com/ThawtePCA.crl0"
Pattern match: "http://tl.symcb.com/tl.crl0"
Pattern match: "https://www.thawte.com/cps0/"
Pattern match: "https://www.thawte.com/repository0W"
Pattern match: "http://tl.symcd.com0&"
Pattern match: "http://tl.symcb.com/tl.crt0"
Pattern match: "http://potplayer.daum.net"
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "get.daum.net"
Heuristic match: "PotPlayerMini64.TP"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "PotPlayerMini64.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS"; Key: "MAXUSERPORT"; Value: "983A0000")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"PotPlayerSetup64.exe" opened "\Device\KsecDD"
"PotPlayerMini64.exe" opened "\Device\KsecDD"
"OpenCodecSetup64.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"DesktopHook.exe" was detected as "VC8 -> Microsoft Corporation"
"advsplash.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"DesktopHook.dll" was detected as "Borland Delphi 3.0 (???)"
"OldIconPack.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"PotIconsNew.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"GameCaptureHook.dll" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Show technique in the MITRE ATT&CK™ matrix)
File Details
PotPlayerSetup64.exe
- Filename
- PotPlayerSetup64.exe
- Size
- 27MiB (28010408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 6ef09d4a51c3b75b1ac9a616a99aacb656bea868bb1e6baa986448e9feac768b
- MD5
- 1fc641cdaece84c3028b60ff865ab179
- SHA1
- 74278600f591bc82aef7915d6cf289ce4da8c15c
- ssdeep
- 786432:Vd48aj5b6ZqR6t6g7dejUo8Gsbt1V7yP8S6L:VNw5b6oIdHZtysL
- imphash
- 1f23f452093b5c1ff091a2f9fb4fa3e9
- authentihash
- bd87a19eb0502dafed826dcc4fe5a2131490a37e51bd8c0e301456e86c4a560d
Version Info
- LegalCopyright
- Kakao Corp. All rights reserved.
- FileVersion
- v1.7.18344
- CompanyName
- Kakao
- Comments
- PotPlayer Setup File (2019-04-19 10:46:49)
- ProductName
- PotPlayer
- FileDescription
- PotPlayer Setup File
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 42.7% (.EXE) Win32 Executable (generic)
- 19.2% (.EXE) OS/2 Executable (generic)
- 18.9% (.EXE) Generic Win/DOS Executable
- 18.9% (.EXE) DOS Executable Generic
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 10 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 15 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US | CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US; Serial: 71a0b73695ddb1afc23b2b9a18ee54cb | 12/10/2013 00:00:00 - 12/09/2023 23:59:59 | 87:19:53:A9:8D:41:50:C3:3C:69:A0:C5:AE:9A:68:C6 / D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC
CN=Kakao corp., O=Kakao corp., L=Jeju-si, ST=Jeju-do, C=KR | CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US; Serial: 670dca655872a431ccc378ef09380189 | 07/09/2018 00:00:00 - 07/08/2020 23:59:59 | A3:38:4F:45:6F:D5:28:A3:B1:74:F9:9A:38:74:02:DB / C4:C8:C8:E0:C9:D5:EE:87:AE:6C:2C:7D:3B:60:83:3A:D2:19:65:82
Screenshots
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor).
- PotPlayerSetup64.exe (PID: 3196) 1/70
- KillPot64.exe (PID: 3592)
- PotPlayerMini64.exe /SetLanguage /ENGLISH (PID: 2840)
- PotPlayerMini64.exe /RfPolicy (PID: 2204)
- DTDrop64.exe /regserver (PID: 564)
- PotPlayerMini64.exe /RegisterAll (PID: 2684)
- DTDrop64.exe /regserver (PID: 2156)
- OpenCodecSetup64.exe (PID: 3488)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
get.daum.net | 211.231.108.199 (TTL: 490) | Netpia.com, Inc. | Korea, Republic of
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
211.231.108.199 | 80 TCP | potplayersetup64.exe PID: 3196 | Korea, Republic of
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
211.231.108.199:80 (get.daum.net) | GET | get.daum.net/PotPlayer64/v4/Module/FFmpeg/FFmpegMininum64.dll | GET /PotPlayer64/v4/Module/FFmpeg/FFmpegMininum64.dll HTTP/1.1
User-Agent: DaumPotPlayer
Host: get.daum.net
Connection: Keep-Alive
Cache-Control: no-cache |
211.231.108.199:80 (get.daum.net) | GET | get.daum.net/PotPlayer/Codec/OpenCodecSetup64.exe | GET /PotPlayer/Codec/OpenCodecSetup64.exe HTTP/1.1
User-Agent: DaumPotPlayer
Host: get.daum.net
Connection: Keep-Alive
Cache-Control: no-cache |
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00033069-00003488-44231-71-00402D98 |
Extracted Strings
Extracted Files
Displaying 57 extracted file(s). The remaining 122 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
QuickSync64.dll
- Size
- 514KiB (526336 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Win64" (1/68)
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 90b5755f67996ce2d08d42c64839a21e
- SHA1
- 3585ed97c0a8d3a5cc48591f67cd6513fbb63d4b
- SHA256
- b58ed592f2a740b8ecd20f0a10cfbde619316c740d3c6bbfbeef050154cdb60a
-
-
Clean 36
-
-
ATextOut64.dll
- Size
- 871KiB (891904 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/91
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 74ced07b0667f5916538b8cfe7d29b01
- SHA1
- f8331d509e52581fd34320a8aa55df4f7c2a8b70
- SHA256
- 9d3d2b21bdef42784839305700c9f545ffd8a3113f0dc71abad7dc12966a1b0c
-
DTDrop64.exe
- Size
- 162KiB (165824 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- PotPlayerMini64.exe (PID: 2684)
- MD5
- 66514d53ce681b3a6f01c7477f0de2ca
- SHA1
- 8dd134edf5aad57118feccd22554a51165892fbf
- SHA256
- 289b2158a072ebbba09b507d17eee79be2614c3f2ae5a29c69e31dcaf3e0a64e
-
D_Exec64.exe
- Size
- 47KiB (48576 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- c2357b7ffb8f273c1fa68168b1760a4d
- SHA1
- e57cdf9be0f177f5642276b65bd54ba511b07a03
- SHA256
- a1e48262d05af89d7d472aa7349316e544501bc63facf9d93c0c79c7fbe17639
-
DaumCrashHandler64.dll
- Size
- 129KiB (131584 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 693f4e69e8695734cdc7be83c03fcca4
- SHA1
- 0caa96179277a6791b788ac34ea569fee07669af
- SHA256
- ab4996634ad9d0fac5aa9c89d90937f7acddfefeab8263e060cc38909f75b3be
-
DesktopHook.dll
- Size
- 75KiB (77248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 5e5e1d2470601215e03788b050abef29
- SHA1
- 4241600108c2197d298f2890ab6272ba0068d3d9
- SHA256
- fa71310bd7b2e41737cc455a7fd27ee5d18ec48f86682a526a83f50f6b88c47b
-
DesktopHook.exe
- Size
- 80KiB (82368 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/91
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 25335c18824f30095f80a1ffe2ee13ab
- SHA1
- c8e7cdca5e9268a4c4d7ea466aa4612a82b5f141
- SHA256
- 57b9922cf1cb622c91dbe5e16ec9d170f437cc3d9e3c8541323c001d8312e366
-
DesktopHook64.dll
- Size
- 87KiB (89536 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- PotPlayerSetup64.exe (PID: 3196)
- MD5
- 0a9eb7c8c063d5f7147a3607022c1be1
- SHA1
- 6a08108840ed4d792cea99d66d0b09f8cc7fc6af
- SHA256
- 55b59671d63e9f1e8069d4d77d1b01a3ddcfbb0442c1c157d4a5483cff5c5488
DesktopHook64.exe
- Size: 95KiB (97216 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result: 0/68
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 4fac7fe11f042be0787a88bc4f44018f
- SHA1: 8d05d3774cb434628fec853c01c8253c693e231e
- SHA256: 2aad4fecf6bf67a6ba618d8bd2ae08b3150ea94581b198184a49c51b33503364
GameCaptureHook.dll
- Size: 266KiB (272384 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/65
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 6b3ffbd6752995b903e4d0e285c5c18d
- SHA1: 5db9cf028d88536c4a5ca82e4d8e1b7feb9d486a
- SHA256: 067a763efcf32debdf9f0959ad8a8eb7aa7374498ad23da1c1288a1dfb511d2a
GameCaptureHook64.dll
- Size: 331KiB (338944 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 72e9961e99691d6225da14e2c15cda00
- SHA1: 85b2894560b79216924213c349c6db748c07b65f
- SHA256: 6fbcbea2d0bb527c0ddb08e580db537e37706214d7bbbc70d0ec0d98533b2e3c
OldIconPack.dll
- Size: 1.5MiB (1543096 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: f93b44499ce92e571731af1e5a5ae23b
- SHA1: 9dffbbb60ed3a1f25553ae296e499fe8186b41f2
- SHA256: d1c5b9bf27f5702b58f9a8363792c7a931382ad76e9916af332241cb9d90869d
PotIconsNew.dll
- Size: 2.5MiB (2597816 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/66
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 7a5bdf1854f1dc280840d212e330c96b
- SHA1: 54ddc8b475d32e9dc789a4ad2e37644d94aa0663
- SHA256: 0fdc0ae3612eda90f09797a65dd1230b7557115a15ec1a5f8fca7c177859d416
KillPot64.exe
- Size: 90KiB (92088 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result: 0/94
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 67b4df7a6fb5e6b59012926177586732
- SHA1: fdb725af9ac8daddb8a718e541db6d6718b3b301
- SHA256: 00a1067fc96eb2c1d440bb5b44b32f43b9900fdd3a65c985d65a63b8f1535ef5
MediaDB64.dll
- Size: 1.2MiB (1218560 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/65
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 17676a601ca322ad9c17c84b6a8a1d45
- SHA1: faaccdd1ca60e7b256548d9eede076203d0e5620
- SHA256: 608bb69d3824a0534f849a7f36744fd2a1f1792f755faa84d09fd9a3d4132308
AcmVorbis64.dll
- Size: 737KiB (754176 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/66
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: d00fffb5aa5511f7f1e24a8ae5f66b44
- SHA1: d0f07f8c74603fb2f3aad13fcd5541f946defdb0
- SHA256: c55eec4cd341b27df7b1b27de69cd70a496038a4b2a0a7f4798fcacc72926e68
OptimFROG.dll
- Size: 204KiB (208896 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: f74ca7efe4969101e6dcec1def89d5ab
- SHA1: 3def163a3be60007a8ee7e57b4f76f79feacdc38
- SHA256: af27347767d7b9a5f24c1d0a7f3f74fbfe0fd74082463e8f74da27c231649a94
bass.dll
- Size: 226KiB (230912 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/66
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 636ab7c7f2a1736da9b6ed0c711ff865
- SHA1: bedbfb50d84f91b2650bf1030f5c723b2ee592bb
- SHA256: 93a913ca11a3466c73a0984f23fee570bcb29576a00fabe39e3ca1565588bef3
bass_ape.dll
- Size: 68KiB (69120 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/89
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: e2320ce4684bb0983f17db5f94554329
- SHA1: f5b271ea93cea0fd03fcdcc0a926e54e376d3a15
- SHA256: 55d44326d157e021e3e1bfd9d9454b556b017060a4aeaf2d98655815e0e28056
bass_flac.dll
- Size: 47KiB (47616 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/90
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: f3211ff69b27a313301801dafa9d0b2a
- SHA1: 848646cfde9a42853cd6544409609980fe59b61c
- SHA256: 5f0803d3dcc037670adb60bd53a466bc5c30bef7c2172b74df876441dad868d1
bass_mpc.dll
- Size: 50KiB (50688 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/65
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 28adddaea11a5de0857bcad2ac95fe4b
- SHA1: c02f89a7576911bddd2badea18179a87090cb04f
- SHA256: 1d967a699e0f3eff690ced938c04a4d3ed2d79e7b0fdf0567186a662bc0a3c46
bass_ofr.dll
- Size: 8.5KiB (8704 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/89
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 466ff711713f5aaa2a274eecc77b2794
- SHA1: 741e412672a7e1ae780fc9de8ecf7d03c57f4cca
- SHA256: 32aad81baef7468940c9ada6ecec96b4fc457959c67eacc1192ae530484aaf27
bass_tta.dll
- Size: 12KiB (12288 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/88
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: f59e44cf4cfdb65f66574596851759bf
- SHA1: 0fcf75ec6cb9493c98b06bb57b3fe0446e4d9062
- SHA256: 5e4dc960a39e9d85719e512850b0efeaa49d53e5f390a04f9075e228f8d5ba62
bass_wv.dll
- Size: 64KiB (65536 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/90
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: c35e677a9a1c63a96249cc2707cf4fa5
- SHA1: 84f5bce10e3ab35819b3bc3e1f93816202575ce9
- SHA256: 8f12cd50d718b7b4619cccc83a15d4c8f1c6a6128836b656a8cf5e8c239a366d
PotIcons64.dll
- Size: 2.4MiB (2518968 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/89
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: ca6748a29531248370363084849b954b
- SHA1: 6a3d8855694f902db14efcf46b335f34baaa264e
- SHA256: 6af27ae826e386bdfef67548ccacc00982b9b9d0b54f77b51c29bdaf4946f94a
PotPlayerMini64.exe
- Size: 247KiB (252864 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result: 0/90
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 4d930d63a53f691fbd2ea578e4fe93f6
- SHA1: 22710228c9c2d822e6b793b48bf6d46754372336
- SHA256: cb0622cd904b82c23d290b94714e5dfbf14a75b281b2817d10330f2727afcfe8
d3dcompiler_47.dll
- Size: 4MiB (4173928 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result: 0/93
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: b0ae3aa9dd1ebd60bdf51cb94834cd04
- SHA1: ee2f5726ac140fb42d17aba033d678afaf8c39c1
- SHA256: e994847e01a6f1e4cbdc5a864616ac262f67ee4f14db194984661a8d927ab7f4
InstallOptions.dll
- Size: 16KiB (15872 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/90
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: b06dfd343c2a80f584ec8968b942a839
- SHA1: 223b308f92cc53890993f6ac8caab49e0816ec90
- SHA256: e546bcfa8d4adf45cc0828f32c0607385688994e19b41e11e5ce9badf923c0c6
LangDLL.dll
- Size: 5.5KiB (5632 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 30b091668111ab1d6c19f16586a9eee5
- SHA1: aea49d81cf9972eaf1604793c04d13ddffe2c475
- SHA256: 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb
UAC.dll
- Size: 19KiB (18944 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/88
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 0bea21545b130f74ad40160ae8ac05ea
- SHA1: 3f969905c51d27a884c060a31d0d32b1024dab86
- SHA256: 3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b
UserInfo.dll
- Size: 4KiB (4096 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/90
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: a0efe0f3ef127dce9c59f407583061d9
- SHA1: 25ed3628daf08758870d0fe47f6997a9e97bedd3
- SHA256: 4506ff20ddc5eefb21d690e954f52df3da46fa47ec263ea965d86a683e74db40
advsplash.dll
- Size: 45KiB (45568 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/89
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: ec4e08a6ef93404b08a4a62cabfff0a9
- SHA1: dc54ea6ebd4efe0e8a9f66855c215536a17c9fbd
- SHA256: 4bee4c9d5ffe126a7daf7ee7dc6dc4c77fe4cf7334132d4d63352ec01a2a37fd
System.dll
- Size: 12KiB (11776 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/68
- Runtime Process: OpenCodecSetup64.exe (PID: 3488)
- MD5: 9625d5b1754bc4ff29281d415d27a0fd
- SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
- SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
inetc.dll
- Size: 25KiB (25088 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/88
- MD5: 1fc1fbb2c7a14b7901fc9abbd6dbef10
- SHA1: 4d9ed86f31075a3d3f674ff78f39c190a4098126
- SHA256: 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e
FFmpegMininum64.dll
- Size: 289KiB (295936 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
- AV Scan Result: 0/90
- MD5: 1b2c52235a5a6b4f5803d5433727ae22
- SHA1: a3c4daba128edec5f7803333053e9d7da982240a
- SHA256: a12fcaaa7b4b1478afbe1dd08e1527e64b70ac09ee8414542640344223ff2c67
nsDialogs.dll
- Size: 9.5KiB (9728 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- MD5: d2e45dd852a659e11897df573832f381
- SHA1: 19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
- SHA256: 86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
FFmpegMininum64_1_.dll
- Size: 289KiB (295936 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
- AV Scan Result: 0/90
- MD5: 1b2c52235a5a6b4f5803d5433727ae22
- SHA1: a3c4daba128edec5f7803333053e9d7da982240a
- SHA256: a12fcaaa7b4b1478afbe1dd08e1527e64b70ac09ee8414542640344223ff2c67
Informative 20
ColorBars.avs
- Size: 33B (33 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 59ada5ecb3f76949ef3888ee4beda8a4
- SHA1: 3542a296928a2133832a0fd4de169fb663ab3660
- SHA256: 54f30f35711b86fc8ba2f4215bab7c78fdbba94d48e270d5382403e104d1cb2b
FastTrueMotion.avs
- Size: 209B (209 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: ed80cab209588b8b40e7e3bac79cd98f
- SHA1: 31785f6c06cdc61523f9b307822952bbc4fe1fe5
- SHA256: f3f3b80c9bffc698f4b7d87e3542acd06c90f9af873e4d9586eae26c30be4157
FastTrueMotionNoGPU.avs
- Size: 210B (210 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 4e89e2732a79616f559a4e245398c036
- SHA1: 595d2f31f616825323f145c289c10fcc0b72d36d
- SHA256: 449cfdb44d22945ac46f4bf50bf7ad5c94b813ed625690d4a6874371b0b44655
FasterTrueMotion.avs
- Size: 759B (759 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 3da45c11b1c569464dda46b2654f1b75
- SHA1: 79e86673ee21683d8eebdff02dcaaddb155f5f06
- SHA256: c72e15dc6716f3f44ede35848b177c7e945a97ac5d6c953846231659287c5d1f
FastestTrueMotion.avs
- Size: 544B (544 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 81866f036af36e662c9ca5bc2025a6e2
- SHA1: f00c964c347a1ae5314c9bfffa036b0168292da8
- SHA256: 35c6fcecf45ecf2341ecc65b2b1bbb9a64febb2a4a754721d4beafed4742438e
OverlayText.avs
- Size: 1.2KiB (1226 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: a766d7f67b11a65bcace4a3881295526
- SHA1: c18a3f000012a8bd7c7e794d98816d0b05d86231
- SHA256: 71057c4bc793bd0974e1f147aa060e882c07e205ea2bdf6192d4da4cb4cd2779
TrueMotion.avs
- Size: 192B (192 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 3d24c3a614242d90df189b9ad1262efb
- SHA1: adc66aafefb1d7775623508a7b416b65b90eadf5
- SHA256: 9a5caf081522147738d2c05b0c2a6f2bf575bb060e8092414f91176813509944
TrueMotion2.avs
- Size: 452B (452 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 33d43512a8ff8d0379b41bb38529ab2b
- SHA1: c37272dd99fde906667a6c30e4806486a853fb98
- SHA256: 7946db2a7b394f792fdc7bd9bc760b5f406ba75bf14e4691fd28fb5f2fb3ec84
TrueMotion2NoGPU.avs
- Size: 453B (453 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 892dcb94a7705d4a3a91d517de22d0b5
- SHA1: f0e935076c45eb72a409391d5e2c93db3c1021ce
- SHA256: 21921a203c00676d23b59fba84d66d5718588a7ad027df80355ed5345aae932e
TrueMotionNoGPU.avs
- Size: 193B (193 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 6e0ccaaf2b7c20f86b97c750d517bd90
- SHA1: 3720b50038a7d27fe86b6288e1073f1d3d570110
- SHA256: 0d4e7e8b83254db3676db2cd06d09b812cf2b222f457900a8d422ef02dd3a11a
CmdLine64.txt
- Size: 30KiB (30642 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 5ac73075a5238006004de842f52e62ee
- SHA1: c3e806b2e8dbfef076a6ae62d46e55106472146e
- SHA256: 2466ab057f1a3a8bead8a8ddbbe09ffde9351e1c77e79859d62df252b8aaf1ae
MediaPlayParse - YouTube.as
- Size: 50KiB (51426 bytes)
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 299ef9577b73a24e58be4632e2eec367
- SHA1: a55c2485f85701f0d37eb51f0f403ab9e2827d48
- SHA256: 990be5700b131db751fa7cb3a207bf9b8670fa93bb23911726c4ed7c487e5a56
MediaInfo64.dll
- Size: 5MiB (5226496 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 0909e2b6254c2e66a71d6b48c934937a
- SHA1: 943cdc10a2852e17779006fcc4f5f6a0880841c8
- SHA256: 8c41ab33425c37efbcf943a43ce41d67efe9b5b548fc524f873c49b8ee1a3af3
PotPlayer64.dll
- Size: 5MiB (5226496 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- Runtime Process: PotPlayerMini64.exe (PID: 2840)
- MD5: 801d1f85dc4187bc0948b58076a50690
- SHA1: 8ddff3fc0af9365a436ec2fa445140dff0c91fad
- SHA256: 38b8e12592db61df05b5adce5a28117f7cea05e296c45ff99e80438a2224d386
ffcodec64.dll
- Size: 5MiB (5226496 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: f53fcac8ee49f19887d402a690da4ae0
- SHA1: faeba80c7cdd6ad0d7858d60fc0faa99931665a7
- SHA256: 4d28b1b999f158493530d8610bb2909f3ad83c36b034910883480f7537e6eb1b
uninstall.exe
- Size: 242KiB (248123 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process: PotPlayerSetup64.exe (PID: 3196)
- MD5: 13f328786f1cf4b0b33d3e3f4babaf16
- SHA1: 78b9f7979a7ac4a8e28ed8f3a7c9a7481c5253bf
- SHA256: a657c808e22c789a739bbf1ead810d4d46f8494e22255da323154bafea8911c9
OpenCodecSetup64.exe
- Size: 5MiB (5234688 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Runtime Process: OpenCodecSetup64.exe (PID: 3488)
- MD5: af5ad4606246b5ca924d472d4a3e36d7
- SHA1: a3bedd3958e56d7577246b5f6505f9e3d9ace406
- SHA256: 66f054a99ee665369d248480145b51d3803022ac9ac0f3db269fd64c805226be
Uninstall PotPlayer-64 bit.lnk
- Size: 967B (967 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 19 04:53:21 2019, mtime=Fri Apr 19 04:53:21 2019, atime=Fri Apr 19 04:53:21 2019, length=248123, window=hide
- MD5: c1f8eab86598270520fd7ac215abfec2
- SHA1: 42a6a33c575e5fae186e31eee5aff25970998b31
- SHA256: 5463e3a6856d5ea7e964d7029e7061e6659cccd037f16a416d108f6cfac876b9
PotPlayer 64 bit.lnk
- Size: 997B (997 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed Apr 17 02:34:08 2019, mtime=Fri Apr 19 04:53:12 2019, atime=Wed Apr 17 02:34:08 2019, length=252864, window=hide
- MD5: dd3e0af1b7eeb54a6d5c495217d2abed
- SHA1: cb074adf6d2802ede84253d05dfe086fa8025aab
- SHA256: 20755b7b829355d6c4e50e2cb2f4b2329a7646dfb3c3d7a5e85d74e5f11d65a7
OpenCodecSetup64_1_.exe
- Size: 5MiB (5234688 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- MD5: af5ad4606246b5ca924d472d4a3e36d7
- SHA1: a3bedd3958e56d7577246b5f6505f9e3d9ace406
- SHA256: 66f054a99ee665369d248480145b51d3803022ac9ac0f3db269fd64c805226be
Notifications
Runtime
- A process crash was detected during the runtime analysis
- Extracted file "uninstall.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a657c808e22c789a739bbf1ead810d4d46f8494e22255da323154bafea8911c9/analysis/1555649940/")
- Network whitenoise filtering (Process) was applied
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-58" are available in the report
- Not all sources for indicator ID "static-0" are available in the report
- Not all sources for indicator ID "static-1" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report