fa09d24d7481dbdfc1cff6aaa92d2aec908e037a22a02346f6feeee5d6ba688e

Analysis

max time kernel
136s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winamp_latest_full.exe
Size

12.4MB
MD5

39b72e2cbf2fb8da961538de3e892eba
SHA1

237ce8611cb8e2ede8a5d6b982597f7e93b2cd81
SHA256

fa09d24d7481dbdfc1cff6aaa92d2aec908e037a22a02346f6feeee5d6ba688e
SHA512

36e8b9d759d960390e8f1b4ac420d591204cb95a776be668db365c453cb702cadee9b34c03779044fdc04c2d2929ac542e01bba50094f8352e2724a082611b59
SSDEEP

393216:udNH1gz1+ZUUG9NWpHYV6ohIBfqHts7UU2wP3:udZk1vUG964V6ysUs7U/u3

Score

8^/10

discovery evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3820 netsh.exe
4404 netsh.exe
2800 netsh.exe
4796 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

elevator.exewinamp.exewinamp.exe

pid process

3156 elevator.exe
3712 winamp.exe
3224 winamp.exe

pid	process
3820	netsh.exe
4404	netsh.exe
2800	netsh.exe
4796	netsh.exe

pid	process
3156	elevator.exe
3712	winamp.exe
3224	winamp.exe

Loads dropped DLL 64 IoCs

Processes:

winamp_latest_full.exerundll32.exewinamp.exe

pid	process
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
4768	winamp_latest_full.exe
3776	rundll32.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe
3712	winamp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

winamp.exe

description ioc process

File opened (read-only) \??\D: winamp.exe

description	ioc	process
File opened (read-only)	\??\D:	winamp.exe

Drops file in Program Files directory 64 IoCs

Processes:

winamp_latest_full.exe

description	ioc	process
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\ORB - Acid Sunrise.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\affected\martin - night in the forest.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\AVS\Winamp 5 Picks\Tuggummi - Electro blobs.avs	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\AVS\Community Picks\NemoOrange - the Light of Speed.avs	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Geiss and Zylot - Reaction Diffusion 3 (Overload Mix 2).milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\System\adpcm.w5s	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Goody - Need - Transcendance remix.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rozzor - Learning Curve (Invert Tweak).milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\scripts\mainmenu.maki	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\AVS\Winamp 5 Picks\new taste.avs	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar - eclectic interface (despair mix).milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shreyas - Carnival.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\nil - Vortex of Vortices.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\winampFLV.swf	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\AVS\Winamp 5 Picks\Tuggummi - Pina Colada.avs	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Idiot - Tentacle Dreams.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Zylot & Rovastar - A Million Miles From Earth (Fog Of Time Mix (Vessel reMix) ).milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\stahlregen + flexi - what's on a moebius beasts mind.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\BrainStain-Blackwidow.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - glowsticks v2 05 and proton lights (+Krash's beat code) _Phat_remix07 recursive demons.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - predator-prey-spirals.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\garbage\text_bg.png	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Forum collaboration thread - second try #6c1.5 [Goody(2), Stahlregen (3.5), fed (1)].milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Big Bento\xml\window-overrides.xml	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. + Phat - chasers 19 Portal.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Unclaimed Wreckage 2 (Hemi-Sync).milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Unified Drag 2.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\textures\clouds2.jpg	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Bento\xml\player-elements.xml	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\freeform\xml\winamp\thinger\library-selected.png	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\shufflerepeat_bg.PNG	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Bento\window\menu_help.png	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - Julia fractal.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter - tumbling cubes (ripples) Phat_parallel_planes_mix.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\xml\color-presets.xml	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Phat_Eo.S. rainbow bubble_mid3.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - butterflies.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\DSP_SPS\justin - tremolo and pingpong.sps	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Big Bento\scripts\pledit.maki	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\AVS\Winamp 5 Picks\lone - Nuclear Blobs.avs	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\ORB - Pastel Primer.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar - Alpha Conflict.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Those Who Doubted.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\xml\xui\standardframe\standardframe.xml	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\window\menu\file.png	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. + Phat - chasers 14 sentinel 616.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\PieturP - triptrap_(ultimate-trip-mix).milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Stahlregen & baked + Geiss + Krash - Washing Machine (V2).milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\scripts\shadecontrol.maki	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\xml\notifier-elements.xml	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Aderrasi - Contortion (Escher's Tunnel Mix).milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Aderrasi - The Lurker (Twin Mix) - Bitcore Tweak.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Zylot - In death there is life (Geiss Layered Mix).milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Geiss - Skin Dots Multi-layer 3.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Goody - Lights in the Sky.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Making a Science of It 2.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\affected\Eo.S. + Phat - cubetrace - v2.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\freeform\xml\popupmenu\popupmenu.xml	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Skins\Winamp Modern\scripts\video.maki	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - predator-prey-spirals.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\affected\shifter - urchin mod.milk	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\ml_history.dll	winamp_latest_full.exe
File created	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shreyas - Carnival.milk	winamp_latest_full.exe
File opened for modification	C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Geiss - Myriad Spirals.milk	winamp_latest_full.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

winamp.exewinamp_latest_full.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WEBM\shell\ListBookmark\ = "Add to Winamp's &Bookmark list"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\ = "Play"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AVR\shell\ListBookmark	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MAT\shell\ListBookmark\ = "Add to Winamp's &Bookmark list"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSV\shell\ListBookmark\command	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.UMX\shell\Enqueue	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.S3Z\ = "Compressed Scream Tracker 3"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UNSV\shell\open\command	winamp_latest_full.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.CAF\shell\ListBookmark\command	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AMF\shell\ListBookmark	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MDL\shell\open\command	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WMV\shell\Play	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NST\shell\ListBookmark\ = "Add to Winamp's &Bookmark list"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PPM\shell\open\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MID\shell\Play\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\""	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OKT\shell\open\DropTarget	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WAV\shell\open	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.ICE\shell\Enqueue\ = "&Enqueue in Winamp"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MED\shell\Enqueue	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.RMI\shell\ListBookmark\ = "Add to Winamp's &Bookmark list"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MTM\shell\ListBookmark	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OKT\shell\open	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PVF\shell\Enqueue	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.SF\shell\Enqueue\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /ADD \"%1\""	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STP\shell\ListBookmark	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MKV\shell\Enqueue\ = "&Enqueue in Winamp"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PVF\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kar\ = "Winamp.File.KAR"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Play\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\open\DropTarget	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MT2\shell\Enqueue\command	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PSM	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MO3\shell\open\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AVI\ = "AVI Video"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MKV\shell\open\command	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.SDS\DefaultIcon	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XI\shell\Enqueue\DropTarget	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XI\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.RMI\shell\Play\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\ = "Composer 669 / UNIS 669"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP1\DefaultIcon	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.M4A\shell\open\DropTarget	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.FLV\shell\Enqueue\ = "&Enqueue in Winamp"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.M4V\shell\open	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PVF\shell\open	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Play\command	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MUS\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\""	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.UMX\shell\ = "Play"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AMS\shell\Enqueue\ = "&Enqueue in Winamp"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WMA\shell\Play\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.RF64\shell\open	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MIDI\shell\Enqueue\DropTarget	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AMS\DefaultIcon	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.M4A\shell\open\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WAV\shell\Play\DropTarget	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Enqueue\DropTarget	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STP\shell	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MDZ	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP3\ = "MPEG Layer 3 Audio File"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AAC\shell\Play\ = "&Play in Winamp"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.FLAC\DefaultIcon	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdl\ = "Winamp.File.MDL"	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mid\ = "Winamp.File.MID"	winamp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MOD\shell\Enqueue\DropTarget	winamp.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

winamp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	winamp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	winamp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	winamp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	winamp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	winamp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

3124 ping.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winamp.exe

pid process

3224 winamp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2668 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2668 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

winamp.exe

pid process

3224 winamp.exe
3224 winamp.exe
3224 winamp.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

winamp.exe

pid process

3224 winamp.exe
3224 winamp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winamp.exe

pid process

3224 winamp.exe

pid	process
3124	ping.exe

pid	process
3224	winamp.exe

description	pid	process
Token: 33	2668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2668	AUDIODG.EXE

pid	process
3224	winamp.exe
3224	winamp.exe
3224	winamp.exe

pid	process
3224	winamp.exe
3224	winamp.exe

pid	process
3224	winamp.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

winamp_latest_full.exewinamp.exe

description	pid	process	target process
PID 4768 wrote to memory of 3156	4768	winamp_latest_full.exe	elevator.exe
PID 4768 wrote to memory of 3156	4768	winamp_latest_full.exe	elevator.exe
PID 4768 wrote to memory of 3156	4768	winamp_latest_full.exe	elevator.exe
PID 4768 wrote to memory of 4796	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 4796	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 4796	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 3820	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 3820	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 3820	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 4404	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 4404	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 4404	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 2800	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 2800	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 2800	4768	winamp_latest_full.exe	netsh.exe
PID 4768 wrote to memory of 3124	4768	winamp_latest_full.exe	ping.exe
PID 4768 wrote to memory of 3124	4768	winamp_latest_full.exe	ping.exe
PID 4768 wrote to memory of 3124	4768	winamp_latest_full.exe	ping.exe
PID 4768 wrote to memory of 3776	4768	winamp_latest_full.exe	rundll32.exe
PID 4768 wrote to memory of 3776	4768	winamp_latest_full.exe	rundll32.exe
PID 4768 wrote to memory of 3776	4768	winamp_latest_full.exe	rundll32.exe
PID 3712 wrote to memory of 3224	3712	winamp.exe	winamp.exe
PID 3712 wrote to memory of 3224	3712	winamp.exe	winamp.exe
PID 3712 wrote to memory of 3224	3712	winamp.exe	winamp.exe

C:\Users\Admin\AppData\Local\Temp\winamp_latest_full.exe
"C:\Users\Admin\AppData\Local\Temp\winamp_latest_full.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768

C:\Program Files (x86)\Winamp\elevator.exe
"C:\Program Files (x86)\Winamp\elevator.exe" /RegServer
2⤵
- Executes dropped EXE
PID:3156

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=TCP new action=allow enable=yes
2⤵
- Modifies Windows Firewall
PID:4796

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=TCP
2⤵
- Modifies Windows Firewall
PID:3820

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=UDP new action=allow enable=yes
2⤵
- Modifies Windows Firewall
PID:4404

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=UDP
2⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\SysWOW64\ping.exe
ping -n 1 -w 400 www.google.com
2⤵
- Runs ping.exe
PID:3124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\SHELLD~1.DLL,RunDll_ShellExecute "open" "C:\Program Files (x86)\Winamp\winamp.exe" "/NEW /REG=S" "C:\Program Files (x86)\Winamp" 1
2⤵
- Loads dropped DLL
PID:3776

C:\Program Files (x86)\Winamp\winamp.exe
"C:\Program Files (x86)\Winamp\winamp.exe" /NEW /REG=S
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3712

C:\Program Files (x86)\Winamp\winamp.exe
"C:\Program Files (x86)\Winamp\winamp.exe" /NEW C:\Users\Admin\AppData\Roaming\Winamp\winamp.m3u8
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winamp\Components\ssdp.w6c

Filesize
31KB

MD5
80e53207d1f5f684b098bf70b66c34b1

SHA1
848367ff79a68319c9211abfae289a3802a809f6

SHA256
dd55372e906699c3e35f02313736f74a13d1e526d0b9620cadb70d57e530af63

SHA512
cd7e0b59a2eb0ccf164e958e758d53646dd6a229a67cb37e2d524fb36d19116117b7390a368bc47043faf407d788e839aee20f501b7c90d367515acdf65690ac

Download Submit
C:\Program Files (x86)\Winamp\Elevator.exe

Filesize
97KB

MD5
59803a5bb88b88a6d83342eeb3816ad9

SHA1
cafa43cacd584deb0d54ac31ae9030f90455c6b7

SHA256
a8e9655510906994fdef3993bebabf0a5e0b6604f02c0ccc28fd31be3aa684bf

SHA512
85038570bb2fb39e7ee8994ccb3f8f9203c0d8360fea889d238c13b3b49a7ab85488edd01d3ec7e37288ffbd0db7e84cfe0353e199289a854311d27990cb9eea

Download Submit
C:\Program Files (x86)\Winamp\Plugins\gen_crasher.dll

Filesize
57KB

MD5
e52a7ef27aa85d2d763a47a0e3d0ec49

SHA1
918c0487e0798e9f16a2c8cab659b113eca57f65

SHA256
7c2d2c9db724b7ac4fa17b871c741182be0dab51f89b75a8d114d9d6d95b09fc

SHA512
7fd1bb7e2edb029b2853d64e5443213d0d8abb1aa97bf5c92ebde1ee3a42248867b998a89da657cd140fa68e98a1b961647362b049bac494f0a4032fe9024cc8

Download Submit
C:\Program Files (x86)\Winamp\Shared\ElevatorPS.dll

Filesize
23KB

MD5
7606a37c850c2ce121e74f09a131b9dc

SHA1
0c30b33ec6af5f9a0c32bb09d21d9739614ca863

SHA256
f3726029b19b5eb9e4a6ff2128bcdb945bfcc81c783cbfb6a087a973d9e002bb

SHA512
ed984e39cffac82d9f919ebd5d0dc05fcd3c487244d6a54964892d1be9670e5d5531ab6c0cab74ccf8bb0a9b59e8775f0aaedacc877d24cb70e51e33def30ae7

Download Submit
C:\Program Files (x86)\Winamp\Shared\jnetlib.dll

Filesize
896KB

MD5
f1e11bac0e12c6dd8fa2a9a543f337e1

SHA1
5f365dd640710b1b94fca6d563bc94eed134b7b7

SHA256
f5d68563e24361505a9d39205b914ea5998898e18ed27bd6e2caec7c2fca4ab4

SHA512
59e556c79b1e7aa3f464799c5e46220f970127f66f8ad47a7765b3e8326e203a3b9b2648949fb1eb75af11b1f0167c3a4a9bd49d4b69d7e48e73ff45ad048e68

Download Submit
C:\Program Files (x86)\Winamp\Shared\jnetlib.dll

Filesize
2.4MB

MD5
0e1d9c1b1d067ca068a120258d56f10b

SHA1
3f2f1354261a9de037bd83021a6fe2be024f371c

SHA256
df0e962303ee3a276e342d2a8c022fa756db6b6c93f680171b165c22feb70521

SHA512
66be377de7eeeb09dd4197882aced2486d411082b428f91a074322bcaff61d10223e4d842367f9c42679c74e3601657e3d95b73d610d868c22b9272067e66c2b

Download Submit
C:\Program Files (x86)\Winamp\Shared\libmp4v2.dll

Filesize
196KB

MD5
94ac898b7a10067e78d714849b5742a5

SHA1
9f6a171c27f1bf34f6d005879891ebf67e6cb283

SHA256
0dd4c133afdfe6f2e6d5e00ef7fd5494da1eb7cf7e2c5d9832803e90af9d75e8

SHA512
87cc90a0144e534a601467c02865573fd537ecc05c9154a38eaf00d2b2e5ae605a420c08b41df8c8638041e2c364aeb7d566f3074717388d51d361e95911fb77

Download Submit
C:\Program Files (x86)\Winamp\Shared\nde.dll

Filesize
85KB

MD5
7ef49a648488189e84785031e5233980

SHA1
fcdb8d02a04a664afbc901aef516d4bde9cc48f3

SHA256
1f856e87de95f73f6e7848473c62cb9868ec70a0d01686f56a9bbedceb89170f

SHA512
98c379ec0e538e7d92c93d374b4b3f7da8c282a4b4865c82b1626abccadfb5d13b458d15af6260ec8d644e9d2a8ab596f270f274bfe61e289bd5a9e37e424b02

Download Submit
C:\Program Files (x86)\Winamp\Shared\nsutil.dll

Filesize
420KB

MD5
0e87445c382776b590b6898ec3e4e0f4

SHA1
5770be505b48c73bd5fabd108c21c6728efb570e

SHA256
cd614597bd78bcfdb3d9d5dd1f7462a85d5a1f4b01ac479666d9b1516bccf137

SHA512
c9da42f43c922406f06b90763ad6302053e9a4d8eb00fb1c74f652aacc5a43eb9b1c713c8130b6c009222db4fce3ba662408749928316f1fe65dea847cff092f

Download Submit
C:\Program Files (x86)\Winamp\Shared\nxlite.dll

Filesize
78KB

MD5
0eb8f691e53a5ecf93b14d8d6c72e6ce

SHA1
2b40b27c1668791a146978e861005bc9095a66a1

SHA256
7cd7679b154f7d40f22d37b02e8aed2a694a2c23c997ba1cd1e4ead21164939e

SHA512
9efc89c2512e4bac51142ad3e34e10755ded7b055d93eb44a44abb7f4ef0822e4eab039237d7238cce007f56a447e1986de13febb0623839b7c065a4b1377367

Download Submit
C:\Program Files (x86)\Winamp\System\aacdec.w5s

Filesize
37KB

MD5
3f22364b04bdd95b5bb6193c993049ca

SHA1
fdf195aeb9c9b624f766cb9a11bc0d8e1f20d5d9

SHA256
772373cbb9e6da051368248bb8a73e11ae7aa232860861933b92e97d15c305ec

SHA512
04aceef8ad8fc0823183e9e187ab65f69c7a435bb6d69542cbb7e1208ec11ff8f1fff09ddd6e3f0d0a9246c8b42faba4b2f009bc4368742ef0b8b042bd6c1382

Download Submit
C:\Program Files (x86)\Winamp\System\adpcm.w5s

Filesize
30KB

MD5
63fbcc000aa4d0d75c569e4279eb29bf

SHA1
4e5909b204e7b383981104bd2b2b4a68f392374c

SHA256
d454db3897b4b7e85110875999a6c4594e875b3b86644e71661884296cdc5217

SHA512
286a6c2a1566734ac9438656053b85bbfd1c4a842ff3fc70e58e2fe2a661de96c3ecdfc09908756125a24016c255ec97e821cfb77c029bb9379fc217d21c02c7

Download Submit
C:\Program Files (x86)\Winamp\System\alac.w5s

Filesize
36KB

MD5
9cd27176dfd77f682b074bf9dac1736a

SHA1
e82e2910c2b3451637a03d21ecb61f6f1de49559

SHA256
8df472ca07447a30326107dc21f5fd5448a62a71d5c53a6fc87cecf77fcc4e44

SHA512
c142e23739cc8797634072cd0912080a22c83ca0feddf7514ab2e031008c411de118ca8e1127601031b5ab8c5eb215f5a8fb5523a92498c727ed122601519372

Download Submit
C:\Program Files (x86)\Winamp\System\albumart.w5s

Filesize
38KB

MD5
d7af4c04092842e5b4994ebed8bd05ca

SHA1
391add7a9bb2fe52da52e436b8f9c3c4546ab9d3

SHA256
c68698231754f25e069ca761d497b3c683f8166a81da076d33fc6d7489ac3769

SHA512
d02ca853abf9006c5760fc9e447633201c1d3e00b997aa75eaece259b42ff2dfa3cd4e63a87e4ecce97ccf45e2d2c0dff90d3f310d4e53de9d4d1cf32fa8b4ff

Download Submit
C:\Program Files (x86)\Winamp\System\bmp.w5s

Filesize
56KB

MD5
076b8084cb144b8e395dea3d3191a414

SHA1
72015b308c80a5955e68d256748af263c5edeecd

SHA256
91a1c75cd2a4cdc4a19f15e8061084ddbd9cf0fb2b03cad6d85b568254f58585

SHA512
7b960d176780e558e152c33a0897dd4f3aa5e3fe8fbfcc64eaf73785f53edcb96ff2143b2ca58499c98ac20f6c4484e6110b1880f2cf84cc5902a4607d505eea

Download Submit
C:\Program Files (x86)\Winamp\System\devices.w5s

Filesize
51KB

MD5
86f1ec62db6e736f27d9a2732115f81e

SHA1
79a3e2f46db95b55e2c7afa5411dbdb9ba92285a

SHA256
a3df6c40e8cf6f2765cd1bc446bb16aae858407656c7239b920d0dedd135d049

SHA512
5f00a464e77da7dc731e41ab29215251355a71552de99c88e8e4b294890f2837f9008ee14be3fb1c2eade3ff3917172a8ced997852813c4c834ffb8fa758daf1

Download Submit
C:\Program Files (x86)\Winamp\System\f263.w5s

Filesize
45KB

MD5
56f562aa73a4c3bfc542c43f27e62275

SHA1
d5f4f448d58789b7140e06d7d401073931db9612

SHA256
1b18b6a3c03eb26eb89a2c5f0e552090a7073fe6db553622005081cc12b20bdc

SHA512
13da391b91d52197fd68c8a9f86db4a0ba0a60d3da7a95f7de0366d7e9309492c0a676482075aa561cde1baebfba1d8e32f390cfdbc9a456d55983207f10739d

Download Submit
C:\Program Files (x86)\Winamp\System\filereader.w5s

Filesize
30KB

MD5
05fe16de167a516089ef3e96ad03f77d

SHA1
c64357d9bfc7398110024cb13860d23d136b3a03

SHA256
47ae2faa3fd9a92df816e43fe36dee412a1a95adc9c547f2bf4b54a3d1fb024c

SHA512
ad038ec5006bd3b8abf6a81ec851096fcc6a480fdbbff6c1f5271b8dc734c047b746521ee2ddf66ae4f914c943ab1db225b05b84481917f5f5b5f8808614f491

Download Submit
C:\Program Files (x86)\Winamp\System\gif.w5s

Filesize
35KB

MD5
7f85166b45e3835e9fe933408795b1dd

SHA1
65c400fb3528c64f2e85d651f7dcad3acda0e95a

SHA256
43f9cb8257a7f482f9039e8c4b86b15b5d5d03061e647ce75e2a95cd7386aede

SHA512
d5009021d2a208eb51754a1ca77cb591b9618a7cd577bde5551d2a3133ad3a4271cf46cb8362109652c9ae10d3f2abcbc2029d9e9c35c0caff151095778dbcd3

Download Submit
C:\Program Files (x86)\Winamp\System\h264.w5s

Filesize
45KB

MD5
66f906268252787285b860f8dc0cd68b

SHA1
adbb65e3e28438896cb97fa1aa7a48e41eba44b4

SHA256
2141213600d7d2c9a12d98a324c8381ab7be8792ba57b7b6e68770adb1f40813

SHA512
0be66230cdb767d9c0b2e91503160a3be43b036e653da68ca748d103346cd121ca29890dd9fa986cdb61ffd7815633ec85a6dd4a322c31f9783ef0ab34f64f0f

Download Submit
C:\Program Files (x86)\Winamp\System\wasabi2.w5s

Filesize
51KB

MD5
e64e27195d6c298276d518c3bdbfdc9e

SHA1
ecb372039808d0d4aad7a5594e71ccc36291f124

SHA256
2fcefbca651857ec1eddbc3e582bc5aec40277dd4c00118290ac934a4a6eb09c

SHA512
9139052d756c1553196c3d00fb534fd33fcdddde3e4e6292af9a6acc9eb2dc6fb48b47db2e3f25a59852ce68d1dbda05ffcabed777471ba9c2de8964156e8346

Download Submit
C:\Program Files (x86)\Winamp\paths.ini

Filesize
30B

MD5
8ad85a252352aa655f18d1b9300667b1

SHA1
5d2939f3b6c29739303f2caa4560d1f5376309c6

SHA256
fb7293e289aa918d2cbc3c362cea48dd061b0e12616924460466f26df28ff05c

SHA512
aa3c14551846a2a89b7c4ecbb9ac63e3c83501de5e088634c77e92ffd068a0aa547ad5c0d06890b553469013ff0de0dfe2058de86677966ace9c4d0b8c7b5525

Download Submit
C:\Program Files (x86)\Winamp\winamp.exe

Filesize
2.3MB

MD5
ebebc6e8f41e6c04dd661a14761d75d9

SHA1
9762e726a682f54bd9606bf08867a6206a1a39f7

SHA256
addf561fcdc496c1318ddc3586352aa7f6c1feb684a9e8ffa285409beac5b446

SHA512
9493e6576fe94e4ee8aacbf10389acc21a0298eea07217c53fbfe6b87ba2dd010c9f0081c5574ac3e896720e7e9b4683adb2dcaba4231c6a9fbb738181081c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\Dialer.dll

Filesize
3KB

MD5
adea8024c99d7802fa3c9e5d34877aad

SHA1
4e015a5be3e668aa3e9758370413f2bb8ec5ad1a

SHA256
242b6aeb759e31b64e014e3df6b5c478fb309d56b4df8cdb59b2cd03bfa77db2

SHA512
717a9f08842e96e9395fe8fff19138d7e599e3dd4f44b7b55d9be86211f20cd89a1d315df1f241afc52456da738623401ee721b17e9fd5949fe1decfc1b2819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\ShellDispatch.dll

Filesize
4KB

MD5
9c266c2dc7eca5bcab2d8df4990e0c1f

SHA1
662da3d9ca18aacdbaef884065fbfffdfacfabfa

SHA256
ea7800b89e49e7d7214c1405b4906f366096dfadff28d0732acb90ab2e9a99bd

SHA512
e9318db79b02df6b3b72ed16c5d70e4b46bab71f31544ce0323cd6dae739be1948a9d3a468977d703576d7f33580e3be5d1d1ace1fb29cee9dfe325c6e828139

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\execDos.dll

Filesize
5KB

MD5
0deb397ca1e716bb7b15e1754e52b2ac

SHA1
fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

SHA256
720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

SHA512
507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\install.ini

Filesize
1KB

MD5
e0e42af72dbda299b52fc031deed659e

SHA1
5d687ff7360e3767c4b699d4f7adeea83394f9d1

SHA256
c5e349b9b55bf18144f9ce7a7f95a66aaaffb92be6e197176ffe5290bf0dc2c7

SHA512
d0c69798877974f8840f92a9508fbdeadf64fb09ce5fd247681fa4a1734a2a3234845d065b6f9cedf8ce671dfcedac4ea8cd29f04225828bf55850a35fdea924

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\install.ini

Filesize
26B

MD5
385081d5feee87a4ed1a6e5dcee85f36

SHA1
8517162855b477e5498e95ff2e82584ef06d5c6d

SHA256
bdc6fb93206c1e7a590f2d4e97d0dab7d3badaf8b4e1a7b8487e9cf59f05eddc

SHA512
52bcb1cdae8abbe4b14ff85b57e03426d61e5cb25b1535a827af526ec66c00ae0a327b187cd10279cf18c379c912d3e478ef9966bb497a8b626824fe32d1093f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\modern-wizard.bmp

Filesize
150KB

MD5
2d63e33fa1cf672338a22c88fa45e6a0

SHA1
86c510009d6c71d05eb2707fe6a10039df525192

SHA256
7ae875cfcb6e3b1f4a06460fbda99d8014dc4674ee256b0b79ec656777c7e292

SHA512
d42a7401c1d0d77d517d2f8086286bd6cf487cf5400cd8b8d720bcaf15149727751677f444fd9a8e340072deabad51347956894c1c034dd81df793b3b8087252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\nsis_winamp.dll

Filesize
4KB

MD5
1e1ded1cf1c69852f2074693459fb3b5

SHA1
81b165cae4d38a98760131989fdd8aed2c918679

SHA256
5946278545abbd0b0f5188752fe095e200c85abe0783632a00726d090c0753ec

SHA512
a6f9a43d4432658c3504629e9209ad350af69eff542d139e0ccfe0dbf8662f15034edd3cf8b56d606a740b66c8221cafad999088a4e64a4c9c9fb47793a19f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp\nsisdl.dll

Filesize
15KB

MD5
ee68463fed225c5c98d800bdbd205598

SHA1
306364af624de3028e2078c4d8c234fa497bd723

SHA256
419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04

SHA512
b14fb74cb76b8f4e80fdd75b44adac3605883e2dcdb06b870811759d82fa2ec732cd63301f20a2168d7ad74510f62572818f90038f5116fe19c899eba68a5107

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

Filesize
440B

MD5
fd70afa346b357e375494f07df32cb7c

SHA1
eea764cbb4dc409f95e6ae23ad5a07359c46665d

SHA256
8ae21f0c629fe72c432f0224e6c84461e35cd2fac58d7e435a6a95dd6abda317

SHA512
32090a61e13bcb2f035e15babb1a3ee0af75f46ab9efa2899d270d2f1f0f25ec2ead115a55619e03b9aff2e8fa339428c5f63290e053ec9734a8f81dbeb87bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

Filesize
1KB

MD5
c6f89259e22807646096b2afeb03cd1f

SHA1
0a1b9470a097e1db07010d7dd3ceb6e3026cff3e

SHA256
2fc96ab1bdcea049a8dbc123fa569369c5852c7a52c2def368b675c8fb5129e2

SHA512
8a970b86ea984713b83c8fc5a5644b4c1f5538c01fcfb0d78187bb768b5ce521b11e7addddf3d679fd0eb86ca378a3db90136a796283ddaf66a21831ae0a687a

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

Filesize
1KB

MD5
01b237aa106377d4bb7a258f89f7777f

SHA1
9d0f3eafd8b9e957e3a7788748c938cfc32a1a14

SHA256
3383aa9dd3a5d500cc7d1bc8bdb6f949f7b26505fb9ddcbd9340a7f845b8970e

SHA512
b4afe0c776f0d8f3ece1310d5823fe64f7bbab8068dbd63fe5ec92b3e10f0c3c325ba90e0621a2e8e32686544403db8e2fa917b0efca03c55614914905007aa2

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat.o1d00000C98

Filesize
8B

MD5
76a66845f666c52790c3442f7e1a491a

SHA1
e392a609d9dc81fab060d8aece449fe616a40053

SHA256
101f682d9c519400a4d36b6a09cf0dd39a9faab6353b3ce0eb2f071860b6d05a

SHA512
71a6ab36ebfb6ff89ec6fbedfd1982fe0fb7e8c76981d24467eb73a924dc96cc4a0483381beead6517f829fa8babead0176a8df229072040564e708d99b4c783

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat.o1d00000C98

Filesize
466B

MD5
ffa644a0d5809b1e5b7398df4c6da57a

SHA1
baa562ec0d20a5c770387b2584bb8d45580ec2b8

SHA256
e45a50fd2ced75792674dc9b70366b4bffacf274de5fc84f944199a90a016e23

SHA512
1f8936b368f243787bfc7aeb4cfa8a03f098647af58533f5e9458e2af3de022ebb62cb94758d6e0f14862538ebba123f2a1b6c59a533b29b92d12c97b3b476f3

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx

Filesize
68B

MD5
d39305c16a773b222871032c4148600e

SHA1
196b2a21dabfd3d001e2c79f3fdc7c411c4ca261

SHA256
01786514a6a5bb357099b7c11c23615c0e8e6e07aced1f3764f034b6a6be8d29

SHA512
bc16b755eb56da66ff8290d1498c9ebbe7a29e27c50a4326cf3cd9018d20c13bccb4d23e63429e07ac33e323ec19e11a69ad2e25c1b5a4a67341ea2019862093

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx.o1d00000C98

Filesize
32B

MD5
137faa0c3baa69f733eaadb966b64ade

SHA1
a55982685efc19bb0afffa2eb1f3750241480eb8

SHA256
9cc291dcb5847e7f0e6d4bf322164461c6607da934ce9d376c0e15f7ddd33181

SHA512
b6286a581aa3d1add62836804a1fc79a2399fd6fa7144945b47f2ff8c0ebe88af3f289bee95db0cae1aa7c532b487a4bb6a9e65710c581afa2b7f13989885d78

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met1DFE.vmd

Filesize
910B

MD5
fa6b6eaa81a2662b8c45b126727ea832

SHA1
6087f9505d21819ed2f656517a0a13664aeead2b

SHA256
370be262ff415bed2a40f450f69dfce660e3e635af0924dca0c1f118e489c046

SHA512
f26688d6236021172c0f2d001e5636f018fef9ba7c7fadf688bd78fb1f9633c766cdf9ff2581997bc7af8a5ffd92da19cba699a46a64a555ccc0e7e57bd7b3c1

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met1E0D.vmd

Filesize
126B

MD5
2cdaffaec77db6248825896e5c424893

SHA1
fc8df8ddc7811bfcf8f426dce0316c7eb6366b69

SHA256
6217223a02d019b85e566e2804ae6ae4dd3643c95578279a27909c9eedbdb961

SHA512
387e12cab715c8d9530b21725808c91bface84949f03d17312890464ec53ffbd79ce3a83685e0897e208a2e26e85c8296b848d91b0677df1bac446c229cfe05e

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met1E3C.vmd

Filesize
125B

MD5
d39c2a872b313f71c47f6bef8a44b425

SHA1
fb0b1e55ba114f0ec0856cec44934c692690e487

SHA256
84f5b0b1ecb3612db2d369b18c758cd0de8ad31b371943343fc5b776092fceae

SHA512
b21b234843480ade18abbfc1dcae5edd536def427bfbd39d0c384e439c2b0692d1654703e32b4648ffb6f719fc1236edbc588bffd242ea7792fbb41b82d65b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met2DDF.vmd

Filesize
116B

MD5
c386b2dab1e50ba2766d84fbff261563

SHA1
04689715512886016010a77f4cb1e6659e0df0b5

SHA256
ae6359b0c31c69599ebb789f3016908d680c7079d452c4648a3af0226b78a84b

SHA512
f67d207fad5f0a78d1c7e507257aa903704020f8339720c7e6e23e7d4699d084a57628703a0cd4f33b0460e5454a6d33b99c51f37e346a95504949ce30929723

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Winamp.ini

Filesize
237B

MD5
422639bbd97cac8a4d2a2c5d55bb1722

SHA1
f7d5ada78a83c462804aa6061ef2b19f7f549278

SHA256
d947679d0adf6b2416544b416002f217b7e6ccbdcd28245dd6b4b0cee06f233e

SHA512
c8ac6b9bae1ea10717a1f174ece8499d74db5bc0de309b3889507a93eb61389bacb4098cecf6bf43c89c8459d1f16c2d07f8ad6fa16a65aea615cd2976dc8e9e

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\Winamp.q1

Filesize
4KB

MD5
d24f1b829d1bd197e157b12d19c220e9

SHA1
555274f63e5b6ddbbd548179754fd0b2cbddf888

SHA256
58065811d8e881a5087af0c9a44d2baaa9628dc3cd1b1847533dad2c35a02cf8

SHA512
55c5c6bc1c466eebde84b98e024d774711bc1f1e32b28842d77eaea93dc030878e74012ea48179925313490b7c77d07383213ebb63d691228d2333e4217b33fc

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
68B

MD5
edd6ba51150158bf3a55658e7e648522

SHA1
8398eef1f876ce4caa0118eb2d7aa0328c7aa10c

SHA256
3dfe4b5ac3241b100c2e77275447df38a1ef08a5b608089223e8e7e64bd61b2b

SHA512
7e98798dfc97b7207453d299c4e4dde69262023d3dc5726e1c08135d124fa78ac7854bdfd58396b6885255d7b13fe000a5ddb6fa6a39f77cee88d888fe63e7f2

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
277B

MD5
026b6aba461ef2082c4115b50c53f13e

SHA1
a49435274569d14a1c37be40b33d2d66b42e9c3a

SHA256
b39d3f89ef5c4e7e7d9afdd005f8212f3a44ae27ae31d6069ce6e2fc203df5f2

SHA512
c588f31d7a4cb76f458b39b795103dd82fa992f9dcb30f36e43bf57bd8e2ac3904a5607777976b5cc77f5ee945875100897ab44440f01b1def3b1589cf76bae4

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
300B

MD5
0868f356d4739054bf70bf2976d0df10

SHA1
c06e565488cabd4a16a7f7f0d59ee8696dbca814

SHA256
93ef1b69e757cee1502a9010897b656db614bbe71f6d43272966ffdad3438532

SHA512
5c372dab2a99490055fbc55514cb8a36c0e9d60f34c830b7b7e4a244d914fcc20d35036b9ebf87636621d2b15a6ae357abb0e7e73664f7265dac55eaf21aaa6d

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
312B

MD5
93c46ee57c444c1692ff74906aef4f66

SHA1
d538c034f1a7f6ff27400a9affc245d8d7373363

SHA256
befb1458f9a226e2f593a05ddf5b90421446cb09b5135bd9ffda680f43fbeb73

SHA512
bb332f48b3c8b52a2e6ef10c7b6416dc5be0bbf70bee727daabb6151cd66cd8789232f73d2e0cc80769f868286a933381bf646b3aa38cff0cb57e2f0d8330876

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
1KB

MD5
c65b01ddd686715b3556a09a38390f4f

SHA1
f504e1d1db07baab21c36d20645bd6d23251caa2

SHA256
0c7e404f87444904e9322e6b3b09a44013093b770c1b8a488b4dbb2f1765bc23

SHA512
3a4dd2f119e0c1cee8bd8a562c3f0a5f65393454db429f65fc90717c7e275dfcdb035e76670b82275dfcccbf3dff15281ed0bc40574729c3bb19862840f52e8e

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
1KB

MD5
4445979a4efc281d95c027d189bdb835

SHA1
ce475f85c43784092aefa96b7c44aa53d436b5bd

SHA256
eb4e52f85b17e4cc48642b62379a99062fd8beb239ec43220ded142e71368c2a

SHA512
8eef656e9da5d783c4ea51e8bcc26e221aaca969c6855a6c8f522c60f004daa82ca40939c0bee6086df64a1ed2d49093d1152ee6aff242b2b4d67e18eb5448f2

Download Submit
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Filesize
1KB

MD5
45209e58cc848a65905b05bfda25b9d7

SHA1
7e3cac72886215f1417cc300fddde337c2086ca9

SHA256
631f5bd663396a1a86876130f11dd59d2943db7329e707816392f3129a5327fc

SHA512
9fcd8446225fb118980fe68aa9a7fe0826ad1b8d833e887f9d2bb15bfd3c7e2be8a3b891963e1ab6ae2f3f1a5174b7936cc14c656c699fc6ab02b3f4e3615fa9

Download Submit
memory/3712-2246-0x0000000004B90000-0x0000000004BE6000-memory.dmp

Filesize
344KB

Download
memory/3712-2225-0x0000000004A80000-0x0000000004A8F000-memory.dmp

Filesize
60KB

Download
memory/3712-2221-0x0000000004A60000-0x0000000004A6B000-memory.dmp

Filesize
44KB

Download
memory/3712-2230-0x0000000004AA0000-0x0000000004AAD000-memory.dmp

Filesize
52KB

Download
memory/3712-2234-0x0000000004AC0000-0x0000000004ACE000-memory.dmp

Filesize
56KB

Download
memory/3712-2242-0x0000000004B20000-0x0000000004B5F000-memory.dmp

Filesize
252KB

Download
memory/3712-2248-0x0000000005060000-0x0000000005081000-memory.dmp

Filesize
132KB

Download
memory/3712-2206-0x00000000049E0000-0x0000000004A12000-memory.dmp

Filesize
200KB

Download
memory/3712-2144-0x00000000040B0000-0x000000000411A000-memory.dmp

Filesize
424KB

Download
memory/3712-2364-0x0000000005620000-0x0000000005841000-memory.dmp

Filesize
2.1MB

Download
memory/3712-2439-0x00000000058D0000-0x00000000058E5000-memory.dmp

Filesize
84KB

Download
memory/3712-2251-0x00000000050A0000-0x00000000050CA000-memory.dmp

Filesize
168KB

Download
memory/3712-2707-0x00000000059A0000-0x00000000059CF000-memory.dmp

Filesize
188KB

Download
memory/3712-2709-0x00000000059A0000-0x00000000059B4000-memory.dmp

Filesize
80KB

Download
memory/3712-2712-0x00000000059A0000-0x00000000059CA000-memory.dmp

Filesize
168KB

Download
memory/3712-2710-0x0000000005A60000-0x0000000005AEA000-memory.dmp

Filesize
552KB

Download
memory/3712-2720-0x00000000059A0000-0x00000000059C8000-memory.dmp

Filesize
160KB

Download
memory/3712-2719-0x00000000059A0000-0x00000000059AD000-memory.dmp

Filesize
52KB

Download
memory/3712-2718-0x00000000059A0000-0x00000000059AC000-memory.dmp

Filesize
48KB

Download
memory/3712-2716-0x0000000005A60000-0x0000000005AB2000-memory.dmp

Filesize
328KB

Download
memory/3712-2714-0x0000000005A60000-0x0000000005AAE000-memory.dmp

Filesize
312KB

Download
memory/3712-2706-0x0000000005A60000-0x0000000005AA1000-memory.dmp

Filesize
260KB

Download
memory/3712-2705-0x00000000059A0000-0x00000000059AD000-memory.dmp

Filesize
52KB

Download
memory/3712-2704-0x00000000059E0000-0x0000000005A5F000-memory.dmp

Filesize
508KB

Download
memory/3712-2708-0x00000000059A0000-0x00000000059B3000-memory.dmp

Filesize
76KB

Download
memory/3712-2702-0x0000000005950000-0x000000000595D000-memory.dmp

Filesize
52KB

Download
memory/3712-2700-0x0000000005960000-0x000000000598B000-memory.dmp

Filesize
172KB

Download
memory/3712-2254-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/3712-2368-0x0000000005860000-0x000000000588F000-memory.dmp

Filesize
188KB

Download
memory/3712-2255-0x0000000005130000-0x000000000513F000-memory.dmp

Filesize
60KB

Download
memory/3712-2256-0x0000000005150000-0x000000000517F000-memory.dmp

Filesize
188KB

Download
memory/3712-2259-0x0000000005210000-0x0000000005235000-memory.dmp

Filesize
148KB

Download
memory/3712-2293-0x00000000053A0000-0x00000000053C6000-memory.dmp

Filesize
152KB

Download
memory/3712-2299-0x0000000005430000-0x000000000543F000-memory.dmp

Filesize
60KB

Download
memory/3712-2301-0x0000000005450000-0x000000000546A000-memory.dmp

Filesize
104KB

Download
memory/3712-2314-0x00000000054A0000-0x00000000054E8000-memory.dmp

Filesize
288KB

Download
memory/3712-2318-0x0000000005500000-0x0000000005512000-memory.dmp

Filesize
72KB

Download
memory/3712-2320-0x0000000005530000-0x000000000554F000-memory.dmp

Filesize
124KB

Download
memory/3712-2324-0x0000000005560000-0x0000000005584000-memory.dmp

Filesize
144KB

Download
memory/3712-2329-0x00000000055A0000-0x00000000055C0000-memory.dmp

Filesize
128KB

Download
memory/3712-2331-0x00000000055D0000-0x00000000055F0000-memory.dmp

Filesize
128KB

Download
memory/3712-2295-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/3712-2258-0x0000000005190000-0x00000000051BC000-memory.dmp

Filesize
176KB

Download
memory/3712-2115-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download