Analysis Overview
SHA256
fbdb54a8afac07ec058984aa8f693a1b8983faedde86ffafbcbcd22837cc6e24
Threat Level: Likely malicious
The file FluxTeam-Exploit-331600.zip was found to be: Likely malicious.
Malicious Activity Summary
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 15:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 15:11
Reported
2024-11-17 15:13
Platform
win7-20240729-en
Max time kernel
58s
Max time network
62s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\Elevator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\mig - Slyde - Tri.avs | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi + Martin - astral projection.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - stitchcraft.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\gen_crasher.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\System\ombrowser.w5s | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Big Bento\window\notifier.png | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Phat_Eo.S. - Just more trash.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\nxlite.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S.+Phat Cool Bug.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar - Mosaics Of Ages.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\Options_buttons.png | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - strangely dynamic world.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Krash - interwoven (nightmare weft)_Phats_Maybe_Ill_Go_To_A_Party.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - neon space ps2.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\yin - 100 - Through the ether - Bitcore Tweak.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\System\alac.wbm | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\S_KuPeRS - Spirit Realm (Degnic's Plasmoid RMX).avs | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar & Idiot24-7 - Balk Acid.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\freeform\xml\historyeditbox\historyeditbox.m | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\xml\xui\standardframe\standardframe.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - nematodes E daemon.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - witchcraft 2.0.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter - spincycle c.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\textures\prayerwheel.jpg | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Illusion & Unchained - New Strategy.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shreyas - Carnival.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - night cathedral.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - sparky caleidoscope.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\freeform\xml\menubutton\menubutton.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\xml\xui\editbox\editbox.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\avs\Community Picks\fUk - cube.avs | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar + Loadus + Geiss - FractalDrop (Spinning Mix).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\scripts\vis.maki | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Illusion - Dance Of The Planets.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Krash & Rovastar - Cerebral Demons - Phat + Eo.S. Moire Remix.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\textures\wrenches.jpg | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\in_dshow.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\freeform\xml\popupmenu\popupmenu.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar & Krash - Rainbow Deflection.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Fuzzy Sciences.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Zylot - Rush.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter - tumbling cubes.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\options_more.png | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\xml\player-normal-group.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - heater core C_Phat's_class + sparks_mix.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - witchcraft unleashed.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\visualization_background.png | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Reenen - phoenix.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - Geiss - Psychotic Roulette.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter + geiss - neon pulse (glow mix).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\videoavs_button_bg2.png | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Skins\Bento\xml\config.xml | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Mstress & Zylot - Acid UFO.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\yathosho - fabric (skupers remix).avs | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Fvese - Zoom Effects (Remix 3).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Hexcollie + Flexi - Faceless Frog [rmx].milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shifter & Eo.S+Phat - Fractical dancer (inside the neural net).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Hard Science.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\DSP_SPS\justin - resolution reduction.sps | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. + flexi - glowsticks v2 05 and proton lights (+Krash's beat code) _Phat_remix02b + illumination (Stahl's Mix).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - pointfield 04 arcs demon_phat edit_v3.milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - gold plated maelstrom of chaos [mirrorized].milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Stahlregen & fiSHbRaiN + flexi + Geiss + shifter - Stonecraft (Beetle Relief mix).milk | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Winamp\Plugins\avs\Community Picks\duo - warm freeform.avs | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Winamp\Elevator.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbcd6aca-39bc-47af-be8e-52bef2b9d0f7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4570CDDC-94F8-4B43-B1AC-796D68FAC7DF} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{719C744F-CDEF-49C2-9ADA-DF5BA8770F4B}\ = "ICddbLanguageList" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46AC5819-1FA8-44A1-9954-270EA2CF0DCA}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC0E5DD3-8BAB-4671-85A1-68BF93CB35E4} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OGA\shell\open\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\"" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP4\shell\open\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XI\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NST\shell\Enqueue\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /ADD \"%1\"" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PTM\DefaultIcon | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICY | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06C77E4D-FE13-4FA4-B52A-1CF2E047F55F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B2D9EB8-70AA-43D3-AA8E-E71CE53A83D8}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1754C0C9-24B5-4ED6-8EEA-52620ED16E58}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ogg\Winamp_Back = "VLC.ogg" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.ASF\shell\open\ | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STZ\DefaultIcon | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XMZ\shell\ListBookmark\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63C7D158-BCA0-4C29-96C4-06BDD744ECC2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39c806ec-eb0a-4f6e-b40d-c41d92281b5e} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.SkinZip\shell\ = "Install" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.IT\shell\open\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.ITZ\ = "Impulsetracker Compressed Module" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\Play\DropTarget | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OGA\shell\Play\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STM\shell\open | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Enqueue\ = "&Enqueue in Winamp" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c7538f11-8d14-439b-ad2d-30c2cd8d0e68}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCF3B306-AA51-455C-9B39-51F8CB8590AA} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AVI\shell\ListBookmark\ = "Add to Winamp's &Bookmark list" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MID\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OKT\shell | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlNSWinamp.CddbID3TagManager\CurVer | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{614D9D0A-C012-4863-AFBF-9C9DD01E04D1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1754C0C9-24B5-4ED6-8EEA-52620ED16E58}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AIFF\shell\open | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PAF\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WVE\shell\Enqueue\DropTarget | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.KAR\shell\Enqueue\ = "&Enqueue in Winamp" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XMZ\shell\Play\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPL2Timestamp\CLSID\ = "{fe4c8bff-961f-42c2-bad8-808f76edde15}" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP4\shell\Play\ = "&Play in Winamp" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WMA\shell\Enqueue\DropTarget | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9151953E-0621-4167-BCB6-36F8E65EC6C9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPLGenerator\ = "CddbPLGenerator Class" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File\shell\Enqueue\DropTarget | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MPEG\shell\open | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SHOUT\shell\open\command\ = "C:\\Program Files (x86)\\Winamp\\winamp.exe %1" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D951C2E-56FB-4E0B-903C-FE738DA573C1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1EEEE1-7227-4BAD-B955-B84BEA914A5A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WEBM\shell\open\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.FAR\shell\Enqueue\DropTarget\Clsid = "{77A366BA-2BE4-4a1e-9263-7734AA3E99A2}" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61bd27fe-604c-49f8-a979-7a260a51ea5f}\Programmable | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPLGenCriteriaList.1\ = "CddbPLGenCriteriaList Class" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBBC42AC-1409-4D95-98FC-7F6ACB33EC15} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\open | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AIFF\ = "Apple Audio Interchange File" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.SDS\shell\open\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Enqueue | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7DA05059-CFB4-46CE-A788-709A3AD3454D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA3218D8-A65C-4A29-8690-1E5B75DBF3B8}\TypeLib\ = "{65EBA1D4-45E2-4EC5-A7FF-CB7E14659C77}" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0281A5E7-BD75-4ED3-9872-3331157B923D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.M4A\shell\ListBookmark\command | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MIZ\shell\Play\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Winamp\winamp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Program Files (x86)\Winamp\Elevator.exe
"C:\Program Files (x86)\Winamp\Elevator.exe" /RegServer
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=TCP new action=allow enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program="C:\Program Files (x86)\Winamp\winamp.exe" name="Winamp" mode=ENABLE scope=ALL profile=ALL
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=UDP new action=allow enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=UDP
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe
"C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe"
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe
"C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe"
C:\Windows\SysWOW64\ping.exe
ping -n 1 -w 400 www.google.com
C:\Windows\SysWOW64\ping.exe
ping -n 1 -w 400 www.yahoo.com
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\SHELLD~1.DLL,RunDll_ShellExecute "open" "C:\Program Files (x86)\Winamp\winamp.exe" "/NEW /REG=S" "C:\Program Files (x86)\Winamp" 1
C:\Program Files (x86)\Winamp\winamp.exe
"C:\Program Files (x86)\Winamp\winamp.exe" /NEW /REG=S
C:\Program Files (x86)\Winamp\winamp.exe
"C:\Program Files (x86)\Winamp\winamp.exe" /NEW C:\Users\Admin\AppData\Roaming\Winamp\winamp.m3u8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | businesssetupapp.com | udp |
| US | 104.26.12.40:443 | businesssetupapp.com | tcp |
| N/A | 127.0.0.1:49198 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | download.nullsoft.com | udp |
| FR | 5.39.58.65:80 | download.nullsoft.com | tcp |
| US | 8.8.8.8:53 | client.winamp.com | udp |
| FR | 51.210.155.142:80 | client.winamp.com | tcp |
| US | 8.8.8.8:53 | client.winamp.com | udp |
| FR | 51.210.155.142:80 | client.winamp.com | tcp |
| FR | 51.210.155.142:80 | client.winamp.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 76954d7dbf005d6db5e38d64f25a8c20 |
| SHA1 | 054ad10803aa95f512a2c56293be7d1a287696f7 |
| SHA256 | e9e2eb114941f9f9157b4fb139e5588665fb89b709df82d4a8346ae66ccf03e1 |
| SHA512 | 49e77880255470096830059bda1baf1d955f7f33659118995495aa6a6e090e32c798a8568504f213a90c4d3c3c81db41c22c54359d0689adb7b233c96c4fff4a |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\LangDLL.dll
| MD5 | a1cd3f159ef78d9ace162f067b544fd9 |
| SHA1 | 72671fdf4bfeeb99b392685bf01081b4a0b3ae66 |
| SHA256 | 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6 |
| SHA512 | ccc70166c7d7746cd42cd0cec322b2adf4a478ff67c35d465f0f0f5b2b369c996a95557b678c09cb21b8311d8a91eed4196ddc218ea7d510f81464669b911362 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsis_winamp.dll
| MD5 | 1e1ded1cf1c69852f2074693459fb3b5 |
| SHA1 | 81b165cae4d38a98760131989fdd8aed2c918679 |
| SHA256 | 5946278545abbd0b0f5188752fe095e200c85abe0783632a00726d090c0753ec |
| SHA512 | a6f9a43d4432658c3504629e9209ad350af69eff542d139e0ccfe0dbf8662f15034edd3cf8b56d606a740b66c8221cafad999088a4e64a4c9c9fb47793a19f96 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\install.ini
| MD5 | 385081d5feee87a4ed1a6e5dcee85f36 |
| SHA1 | 8517162855b477e5498e95ff2e82584ef06d5c6d |
| SHA256 | bdc6fb93206c1e7a590f2d4e97d0dab7d3badaf8b4e1a7b8487e9cf59f05eddc |
| SHA512 | 52bcb1cdae8abbe4b14ff85b57e03426d61e5cb25b1535a827af526ec66c00ae0a327b187cd10279cf18c379c912d3e478ef9966bb497a8b626824fe32d1093f |
\Program Files (x86)\Winamp\Elevator.exe
| MD5 | 5e90e4e003ff75b207d956227c8db1fc |
| SHA1 | e05c30b4e1dd22afae5fe0a117e62ee69af878fc |
| SHA256 | 35f2265273b38d3f81d6ef07f57bc20fca07f62687445aab6651c141157cb519 |
| SHA512 | 7dc765ebbdc8c707da12e4a321f80545def74cb93ee73c6545893a7366173ead0108292603856dcc6136bbc46550f73ecaf36553c12eff5ed32a391d1efe63ab |
\Program Files (x86)\Winamp\elevatorps.dll
| MD5 | c990acb402c04bd44319183198c748f3 |
| SHA1 | d20358545f8148394a1205f63d6bfa3bcb950f28 |
| SHA256 | fde86abbc080ce9dc48975100ad908b05a53e5c1026e34d064f3245a01770fbb |
| SHA512 | 86c5c5027e9e4571888d5edef060eb71fe1a2a365c5f2933ae95f263a188f2256d9f9e7182616e53146455f81892f1a923da2c2e10937de06f888d6d2bc8dd70 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\execDos.dll
| MD5 | 0deb397ca1e716bb7b15e1754e52b2ac |
| SHA1 | fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5 |
| SHA256 | 720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f |
| SHA512 | 507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7 |
C:\Program Files (x86)\Winamp\System\h264.wbm
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe
| MD5 | 4ee24c7fd67b098431c951db7686bd19 |
| SHA1 | 5b14bed150ea0bf619b938ce94b9f32b02a6aadc |
| SHA256 | 0f445c4b76bc309a940d5f4ba615bef1dcefbc0d160f3a8d06e0038160d9b4af |
| SHA512 | 7853bcd7482b85ab362935060506a1b44779946e9428838a1c95cc54fcbf94058ed9c2101b5c4e3114ed125b88692ed694b394ff94ecc8d88c39b57bb21f08f8 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxhelp20.sys
| MD5 | e42e3433dbb4cffe8fdd91eab29aea8e |
| SHA1 | 6f764c5e20eecd6f3d4154d9d89d2420dd783470 |
| SHA256 | 20abd8372b242fd356ac143e7eb56f93cfea4988ed1b0c4434cb64c387d7f66c |
| SHA512 | 260a2104aef64fd5a276e289e1cbe37502583e94039af41a3803f1c464d78c72def4e911f14312b94c63b28b1f6792a7bd10f23db837daf5a1a9ffd478c40810 |
memory/2588-248-0x0000000000820000-0x000000000082A000-memory.dmp
memory/2588-251-0x0000000000820000-0x000000000082A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\PxHlpa64.sys
| MD5 | 87b04878a6d59d6c79251dc960c674c1 |
| SHA1 | cc34993ed2b375bbab87058f79097eeacf381aa5 |
| SHA256 | 3eb8db0624e646f0a65d0381408d35cf9fdc5abfc30df6431f4070a8eb68447c |
| SHA512 | 5c034f27ffd5d26faa2b6db9a6e97b261a0997400901e846880fc2eadda4ffc3aaf9885b90997ebeac8902b10f2e0f3e38b41e6f476b7c45f57ac5f9e59312b8 |
memory/2588-258-0x0000000000820000-0x000000000082D000-memory.dmp
memory/2588-257-0x0000000000820000-0x000000000082D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxmas.dll
| MD5 | 746833260d2123ebb46ff44afcb8103c |
| SHA1 | 54275329dbc8caafb8a4a61198cdaa0986756ee3 |
| SHA256 | 6cc2fc325653f7fc8725808270792921423c7dffba4f4e5bfdf5d396f89c2d97 |
| SHA512 | a2a577a39ece8b3b1407b528b17a3088179bc5eec3e1a9b14270529f82f6175d9c950da957bf6d707c968e4395eb55464e08778bb887b2871351f5655507252b |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxwave.dll
| MD5 | 24fa4bccc5ac82f5471abd0e3c9cb878 |
| SHA1 | 9d9caf552519395fc76c7b756532032686827586 |
| SHA256 | a90d09923443c749266f65797176d70235854b9157a023362701c0d8477b78f3 |
| SHA512 | 5e05daf7eb1de0baad166758304a5450750a876d4f7a521215aad279a00dfbc34a96299389dc2f523b54a73894433ce35480f559ed04d10ccbb14b1c75111914 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\px.dll
| MD5 | dbb66b386c194a58e29e49d7ebbebe65 |
| SHA1 | 78dced6be8870938a2c8fefb1b5b884159e5fb21 |
| SHA256 | 309a40e28271eee4e41cdb5cd1f83c0087702d42f9fc3a87d62f9f30dd53d68d |
| SHA512 | 6a49783c86f2bdb6cb522f0e53a6e653eccb89b1a2d0d800bfae499d304cad173f621d9dad7765a13848a1e8bc4da355d94fc1a4bbf2beb5c4d999ea79257764 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\vxblock.dll
| MD5 | ba8559b1de9e06e1ebc5b41138839fff |
| SHA1 | b2eb5557c01a3731adc3e0539b9c9ba32329f35a |
| SHA256 | ffa5a535493c11595b1edea75e67ddd6e26e587a27d36e06a499acfa0e0a002b |
| SHA512 | 3314838685b476cdde9f9eb5be4881b29494b04b3f93a544736a2cbe0716c03cdf7f38fa14cf3e68844495a5452dd00ac1ea335fdd030556dde4715826d50fd8 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxdrv.dll
| MD5 | 8f6f3aa814143099b431744b16845664 |
| SHA1 | 67f518591a1cbb954a031cc7421faa1aeb25651a |
| SHA256 | 7c9449c2e774087305a28117e47fa48bbf33638144e9694f20d20fb15065ac9f |
| SHA512 | 5fdd908862dcabc37a794d0f7fe134e6df9f34d0e52cc69a535c37872a4f2edb44e2448654b3832a11f41fd57be36f1ad0f863603d1f268f99c6180a3a48bcb5 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxwma.dll
| MD5 | cbaa54ae75a0b8430e6bb65c72c7683d |
| SHA1 | 5fdead1d32a164426c623f5b871bea3d547801f5 |
| SHA256 | 4f69dbbad8775b22d328968461c0c7ae11fe902bb949e178bf1878009705d0ed |
| SHA512 | 18b51a143af0d7d279c961143c4e3b5a42d439f59d7cd495dda174e062f3b9981363c021e474fe7901ff4651a174883f748ca98766a12f08606378cca3c4f504 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxafs.dll
| MD5 | e66569100ada3821d49be51109fa111c |
| SHA1 | da0d6e0d9073b7d384e410916ae0306e16eee23a |
| SHA256 | b7c5e5cdb6bf6fc01d1823b6aa1b0fef62f1e594886e2797a00a03809589c0f4 |
| SHA512 | 981128e378ff2c286ad0aa9ca0012fc72cace283b0bbe4bb21ec7429735ef0b4438a6c6ff8dd3ac11438e25af33162f320a085223d6fcc41f5a7b060d88efb8e |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxinsa64.exe
| MD5 | 6d3630b7f27b3643fde05d1088f84f2f |
| SHA1 | be742991eac9c6c8b0674c4be1fbddd10f7b9d37 |
| SHA256 | 573d87feddc84eba6b3450bf00ad7ddf498ca99cc8809359fa9bb60c7ac76f68 |
| SHA512 | 48a218a270357d3513596d92410bc865ef51c3bda6bfe5f53251e2ca3a5ff6edb31d722ee50d6b85d4e3bc7094b956180bed88575eac226236b55d81e0528ec1 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxinsi64.exe
| MD5 | 94f95be2a44c8291132d314582f141f8 |
| SHA1 | d5bb1a7519221964497560b579bb5c1f1ab30aef |
| SHA256 | df83d7cb34c59e1406fb5bf1edd083f8bca649db97979c6debc3d3ab0e36b980 |
| SHA512 | 4a726c8431d9722f1213659e3cf150cda5a0850bb874f0f7c4c280f6805a122d14882531e06b11cbcd36d8a9a741a67f12b46dd02933d00c65ad1e255e1ca1dc |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\PxCpyA64.exe
| MD5 | 08d51e037f487f9ca9fd0b0388f4c15a |
| SHA1 | 67188d670673a5e9185616923d1b1a8aa22ad8bc |
| SHA256 | fbaa0fd8dae9bde80bfe497dca28c6fc9174c14b12ab93e3942fffa04e3db3cf |
| SHA512 | a40bb551fa8a705a5ac2bdc02a17ebba1c6c70f9ffce38c668b07bc538dc4461658b0bf220e26aa1833f624009f417f05c44aa0ff81af59a5ada4f97dd99013d |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyi64.exe
| MD5 | 50a76d2d5e4be94556326c4bf748c758 |
| SHA1 | dd2188e2fde11b75fa73003bf7502515182d4c88 |
| SHA256 | 1c0e698d620f3703f940baccbfecd883b5f5e46d2436f0c17cb0c6c99155a4ec |
| SHA512 | f60decd858d2dce3d7d57f53e7a2f7f1090d2d5fffbb1abcfd37c67718ecc2c92bfd45a208a2ec93efa5e8fa9c33f29e84bc52891998195dda237d6f1ea971a0 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxhpinst.exe
| MD5 | d2728a10ccd2a675638b016d47b1c254 |
| SHA1 | 9311a83a94d7b5694109e0e9694eada76765caa1 |
| SHA256 | 8ca37574a79fffe781375955362eca8ba4511593dce6672590be8c42a775f146 |
| SHA512 | a6a31019f560b69935f5873fabe192b5899785544b9cf3841c1a846740edc56b3ba5f396d43d104f51acfd59faa97121f104abf7e4ac4a3fef5539cbd85a9759 |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsfs.dll
| MD5 | e5ae8bd7d28eb4bf87f9c56daa6d3e3a |
| SHA1 | 61b841bdc9006953d504c137d5d7d8e8602fb31b |
| SHA256 | 780e084efbe74ac28d8d91dfff1e3bef97ebda3c54c7bd5c8fbbed128f21ea7b |
| SHA512 | 4930e9e128f9e8b55657752b5a8b1aa82c252dbae6ed0fc5d3112e5be85f30e6381e514e668ce5eb5dba8177583151d89707410b102d4c6466424682bcbbf0ad |
C:\Program Files (x86)\Winamp\jnetlib.dll
| MD5 | 792104d32753ab1011a7dc41c80cb504 |
| SHA1 | 48314163f4815452b61c7069531a6faa02775bc9 |
| SHA256 | 8d52761d0e9f753f05bb0dfb37d9fd14eba0af4023608012710ca0c3db79e444 |
| SHA512 | bb3ddc7eedf30e4776c06a667b0ff9aee2605cd32d8e0fee1f93839ff29075fe37713a2b74e5f6ec51c0bc7a6d44dd5f022e196f068f969cd75f14482c5be587 |
C:\Program Files (x86)\Winamp\nde.dll
| MD5 | d1b7c43550af02cf4e9712b1c1a63cc3 |
| SHA1 | 0f0d82a6b341dfce6fa4d2b93252faf46a211e19 |
| SHA256 | 202e7e7e30965d970cb37462f0bd763551d757bdf35e04cdc78721559118a469 |
| SHA512 | 22d45cfa22343d5b74101e91cacdeaa73d6520588a365b0667c61e8e82451e78c0624b021e7ce5421d449e5d33f7df15355e272defb9d70c1cdbb89f611760e7 |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | 69c56e3d98acc64fd35ec6b2916db596 |
| SHA1 | cc9d47c9fed45c892578c04e080696ffc2ac0eab |
| SHA256 | 85b420b1faf6d7e70567eaf2b01eac6dcb78e02e2375956c317c8e98d6cbbad1 |
| SHA512 | 234f0db4c217469ec585903915758c890b0040a97735574caa1d73cde68c0fe239b58ce60720a16ee136c14ef0977af894167d12488af5993cd7514d9d79ce8f |
\Program Files (x86)\Winamp\Plugins\Gracenote\CDDBControlWinamp.dll
| MD5 | 72ab7ff3886957602a68b3d89bde44fa |
| SHA1 | 91365edba7dc4aae61edf0c5a16705552e668b6f |
| SHA256 | 025ee64129129e7e6bff4c0769cf93e00e095b752299e7d633de5d9c261e173b |
| SHA512 | ac1b58c308bcebe6c4b4672b5a4aa14cd1d3a923c80ac495f4d42aab45db0d085ddbf51111f3045bbdc74d1456f642f62775362cf3d132c1b6aaae0c47663c35 |
memory/2588-2155-0x00000000050C0000-0x000000000524D000-memory.dmp
\Program Files (x86)\Winamp\Plugins\Gracenote\CDDBUIWinamp.dll
| MD5 | ac5430ae266925bb85d2d5800d03c262 |
| SHA1 | b9a86664a0fac9b79c162587a203674bc6ae9191 |
| SHA256 | fb4211686c2ddba152cbc239ef8b630c5d2a8c05e9056d4c797cd0ddb200e9e4 |
| SHA512 | 3992049fe87785c6827fa35b271c37696733b362bf276d5098b0e1befe6c217ee7847d1256dedc1fbbb2d608e7cc195e9229dbde7519615127b7f361edd8a15b |
memory/2588-2161-0x00000000050C0000-0x00000000051BF000-memory.dmp
memory/2588-2173-0x00000000050C0000-0x00000000051A3000-memory.dmp
\Program Files (x86)\Winamp\Plugins\Gracenote\CddbMusicIDWinamp.dll
| MD5 | 37ffbcbc724d72a49248cd6df27cea84 |
| SHA1 | 7ee0fa08510f549d9ad7538416e0e19bdf911ad8 |
| SHA256 | 98a8b5ce8023885391bd4be08781deb141479eaae5c70e264eac2d6c2da54f7c |
| SHA512 | b6fc63a76321e241547061a876f50f5b99e68880f6ba4af3d66656354cf827d99f07d38ffab6764c83c5ab1f35748876077af04743d747df3a3a5f86314a69e1 |
memory/2588-2179-0x00000000050C0000-0x00000000051D5000-memory.dmp
\Program Files (x86)\Winamp\Plugins\Gracenote\CddbPlaylist2Winamp.dll
| MD5 | 7c7f404f3923a9346978be902e2257de |
| SHA1 | c1f41edfb4af754db2e2679a8ae40d3b1a9075b9 |
| SHA256 | 1239b23e01467f6fdc2a0dd109c5713588fe77a4d206d60dfb3712e08d1dc3d5 |
| SHA512 | c60806b31bcb314c4d6e3e4ddd394752a665d16ee223359677e6d08dbf288aef88967a4aea46efbe28600f35f7abc5b6267a6c69820a29ce3f9f2e805fbcc477 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\Dialer.dll
| MD5 | 61b40a89c8b94ad6355262e118c8420c |
| SHA1 | 6b8fcae8baf661e115763cec2d69db7a6b767030 |
| SHA256 | 4e63d7b877a7e8889b6cd7bebc1dec767bff0f5bd41d8936d4a5b29d934ea4c5 |
| SHA512 | 77f7e3cdd2f2ec3a2cf619afec6438e0966a2f0d43539d62e9cd8e2acce56322e2dfa2f747937c3d62346640fb64e1176b52a329027a5a0569e0f05ceeb7a126 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\NSISdl.dll
| MD5 | 7caaf58a526da33c24cbe122e7839693 |
| SHA1 | 7687112cb6593947226f8a8319d6e2d0cdef3b11 |
| SHA256 | 19debdc4c0b6f5dc9582bda7a2c1146516f683e8d741190e6d4b81ad10b33f61 |
| SHA512 | aafd0cb2abb3d2dee95c2d037a6a1a5bff0518e3210ced0c39e6d6696e4fab4734df01476fe9dcb208f02c529cd03346bc8b7f3319ae49701bbf2cb453d59bae |
\Program Files (x86)\Winamp\winamp.exe
| MD5 | e000683011d966dd6cccf2bc3b6027c6 |
| SHA1 | 7fea5c8039be8e5476c9322f14eadb9d855d1d72 |
| SHA256 | 6760afda7a59a7dee557680e48a957cf1367ed04194808af61f779b7fb668850 |
| SHA512 | 2dac85d626cb64b0ebc811b8d92d06503e06306df4830c562195a8116b25ae531bceedacb2b36487901454279cf4d9e328117f1133ea0fabff0a973ad7f4225f |
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\modern-wizard.bmp
| MD5 | 2d63e33fa1cf672338a22c88fa45e6a0 |
| SHA1 | 86c510009d6c71d05eb2707fe6a10039df525192 |
| SHA256 | 7ae875cfcb6e3b1f4a06460fbda99d8014dc4674ee256b0b79ec656777c7e292 |
| SHA512 | d42a7401c1d0d77d517d2f8086286bd6cf487cf5400cd8b8d720bcaf15149727751677f444fd9a8e340072deabad51347956894c1c034dd81df793b3b8087252 |
memory/2588-2241-0x0000000000820000-0x000000000082A000-memory.dmp
memory/2588-2242-0x0000000000820000-0x000000000082D000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\SHELLD~1.DLL
| MD5 | 9c266c2dc7eca5bcab2d8df4990e0c1f |
| SHA1 | 662da3d9ca18aacdbaef884065fbfffdfacfabfa |
| SHA256 | ea7800b89e49e7d7214c1405b4906f366096dfadff28d0732acb90ab2e9a99bd |
| SHA512 | e9318db79b02df6b3b72ed16c5d70e4b46bab71f31544ce0323cd6dae739be1948a9d3a468977d703576d7f33580e3be5d1d1ace1fb29cee9dfe325c6e828139 |
memory/2704-2253-0x0000000000160000-0x0000000000162000-memory.dmp
\Program Files (x86)\Winamp\nsutil.dll
| MD5 | cdc510af97cee27fe9b7f6e79321960d |
| SHA1 | 7a676c673e46a6bb33edd35bb8051dc8428a39e4 |
| SHA256 | 714149e044c0b1598d50b0de75f0e6c7b6b4b879a4d8fb195243e68758cf3f84 |
| SHA512 | 4bd33b051d8a0ea158ae665323383d4ad326a6f7693fcd02aa6b4a6f6dc6ea28b75c26f394710668bba50a46cf4896eb173b664183389a95ababb4aa0e68207b |
\Program Files (x86)\Winamp\tataki.dll
| MD5 | 54784a40c6e296df888635fafdc199c3 |
| SHA1 | 863c0ee77db87557f39762e82d305d5bdc36fc91 |
| SHA256 | 081220e46b00d9d1671f15658b6a9df7504223f514b03a593e5b9c56c68f135c |
| SHA512 | 5ae6bd6fce3d6f346409624a4229ec60fba113715d4ac17fc3f72c557a0b00b51de601bc44f214e39549e29d085e9acccc8aa5bc5acbe89638f1358fdc5d69c2 |
C:\Program Files (x86)\Winamp\paths.ini
| MD5 | 8ad85a252352aa655f18d1b9300667b1 |
| SHA1 | 5d2939f3b6c29739303f2caa4560d1f5376309c6 |
| SHA256 | fb7293e289aa918d2cbc3c362cea48dd061b0e12616924460466f26df28ff05c |
| SHA512 | aa3c14551846a2a89b7c4ecbb9ac63e3c83501de5e088634c77e92ffd068a0aa547ad5c0d06890b553469013ff0de0dfe2058de86677966ace9c4d0b8c7b5525 |
C:\Users\Admin\AppData\Roaming\Winamp\Winamp.ini
| MD5 | bc44647d4f52e067a3d61bcea14fe74e |
| SHA1 | 42e182ca102d903d987856141d523d336a0ebecb |
| SHA256 | ccba000bbc7f9152001d5e7217d7bd614d7322328a5a46b69e4a726295fe285f |
| SHA512 | e223f333632b3c883420474f687ed6a78a2fa54d8d7a66ea8febbed8465201fe0905cfb6db01880a048f5cf4d41c160f0374a7914cafe22c489c10fbf3ee74ce |
C:\Program Files (x86)\Winamp\Plugins\gen_crasher.dll
| MD5 | 41b366ede1fbc0934ab725b98028dd09 |
| SHA1 | ba6790ebb79145bc35af7f1a197cc1f2048457f7 |
| SHA256 | 4b561f368f71f524a1fd5b12f3b74d88e9baa89a9cf6e59128e6977fc47762c1 |
| SHA512 | 1bbd61391db3e2c96c9140bf3a62a1fa0d2b1dd91e8240c62bec9be62e1f74007e42d5274100280fefc0bd7127ec993edb62ecfd3b159a8ba13b4d451dbfdeb6 |
\Program Files (x86)\Winamp\nxlite.dll
| MD5 | f270d9dbf305256d0979841886f288a3 |
| SHA1 | 6e85e6d9e80c97e2d85b1754170b4ff9e50fe6bb |
| SHA256 | bdc9e1a1edf9d42ca846b67256fc30befdf63c69354dcb30046e594e347a39ac |
| SHA512 | b5b139870ac0ed729d6281a47ad002af2ac9102624846f0ca9ea198322fc20db9825261d4b3df26833df93d1dab3a2dbb8896eea100d06c7bcdbbd5ed08ea1f2 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\feedback.ini
| MD5 | 34596887db65b4d559bd92adbbd58eb3 |
| SHA1 | a610a496b41bc38bdb43e04b64c1e8ee2703fb8d |
| SHA256 | b481b979a63b97651e2231b684e8d98f7c8a8e77163beeea49710a90da03c566 |
| SHA512 | 115cee2deece2c0a5e83a68e14252272c9bdc2b8102fa33d21d56dd3db0bdf764b093fd4faca1afafcc3c92f8df065bd782c4d7b97c43a92b43b3761be3aa6dd |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | cdce0972140bdbb3a9dd317548149197 |
| SHA1 | dfbe1673d708ee75146eed957eca28a754ed5930 |
| SHA256 | 52ea725a9f81894fe6320986557d51b40687479a7b933bebb43a9c912095ffb8 |
| SHA512 | f78394b3ee5552b25d9a75fe2e22b7a25121bd4e5f09a0b96dff647d91ba0fbbbcb509f171e2b186b44a8725a6b37c243520c3f3692011ec90e4238fc92dcefa |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | f76efc12c9bcce9cc881575c96f052f9 |
| SHA1 | bc7390a7635b385b51456687558dc90bf032af37 |
| SHA256 | eed6c69c2b5c93c92d608e65bde3d0fb4f71bf701be9283072b88a5483d54ee6 |
| SHA512 | 6b94615007ca2ed308e31ecacd11f6042038019daecdf9fb49cc7bf60c78b9749bccb809f3d91d6bc7487139c616bab961334de080063828867416728212a7df |
C:\Users\Admin\AppData\Roaming\Winamp\Winamp.q1
| MD5 | d24f1b829d1bd197e157b12d19c220e9 |
| SHA1 | 555274f63e5b6ddbbd548179754fd0b2cbddf888 |
| SHA256 | 58065811d8e881a5087af0c9a44d2baaa9628dc3cd1b1847533dad2c35a02cf8 |
| SHA512 | 55c5c6bc1c466eebde84b98e024d774711bc1f1e32b28842d77eaea93dc030878e74012ea48179925313490b7c77d07383213ebb63d691228d2333e4217b33fc |
memory/2620-2754-0x0000000002E00000-0x0000000002E45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\install.ini
| MD5 | 129725b4e32e12724054f1d018a04e0c |
| SHA1 | ce2197507e97999c19cc29d3ba1628d518585246 |
| SHA256 | 090fcca9a97cccdc1bb7f592e993a1e03c5ae578fc8e22ed1eb514cbbdd1d21a |
| SHA512 | 0479a4fb2ce3c999f8d852ded96a7ae4485737aebb63a7b67fded04ff5712beb118484bf4c2a8de2fb9eab1260db28d4e1c8eb88bc255aa7267efdc1cafce1c2 |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | 80d68602177f04efc8c40dc8dd49263e |
| SHA1 | 2bab8d1aecd8c44a44a68c4a06876da1c9c9f96c |
| SHA256 | a4dcc67fc9264261c503aa541a744dc902f41f95b6b282c57e489a5954b9e7bc |
| SHA512 | 07e9f56d317868988047b58317619d035ae828141bfb347bddaad6f8ca0fd209b96c45cc7c2645c67868f6b631b3ccbe970e003c292d45100cecca3edbe72594 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met8955.vmd
| MD5 | 9936bebab9c4e0e2aac7dceffc42dbac |
| SHA1 | c1d2b8ceed49c904db7f174e06cc4e8ef851a87b |
| SHA256 | ee730918e759544d7d087fe0b2e0aee12145ec36ecd4f4aced4336d85503a124 |
| SHA512 | 16a5da57970c1d9b0e00bd8ac21ad53260b48db7b7b8bdb1953c625e8b6a9a132afa53fcb835163b73fe6a5dae40aa5ddffda9a11f42e8942c07b180363f2ff0 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met9927.vmd
| MD5 | 2cdaffaec77db6248825896e5c424893 |
| SHA1 | fc8df8ddc7811bfcf8f426dce0316c7eb6366b69 |
| SHA256 | 6217223a02d019b85e566e2804ae6ae4dd3643c95578279a27909c9eedbdb961 |
| SHA512 | 387e12cab715c8d9530b21725808c91bface84949f03d17312890464ec53ffbd79ce3a83685e0897e208a2e26e85c8296b848d91b0677df1bac446c229cfe05e |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met7993.vmd
| MD5 | 252e14c85c8b8288fda93614891308eb |
| SHA1 | 636d352077cab476c805fac2bc4ff58d83a14b99 |
| SHA256 | cd160e25ecd10aeada7cbe1b0913b8dc8098d009e43b9a549765e0250531c81b |
| SHA512 | 7c5654607006bd1300874257f9c452b7e5aeaf90e4815ccfa0f195988f7d51dfb8dce68c71d15649242f8d05f970d67101917c4ddeef12ea05d39fa8aa1f293b |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met8965.vmd
| MD5 | c83239613245411ebd5416fe69629720 |
| SHA1 | e0b7924b12a88958fb9e18d5d8bdf1ed9ab84337 |
| SHA256 | a1defd5d6eed464399dc2a0f2c07d1f3a10e45963899ff4b824f748b690362d1 |
| SHA512 | f3d264e25bbceb2c58d741bfa16c35213df9a629ac59ef9a275c2ec60320b6580c6f1468627e966e14bc27695d9e157ce264a6259a4f78995e7fbe304d5e4528 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\metA8F9.vmd
| MD5 | c386b2dab1e50ba2766d84fbff261563 |
| SHA1 | 04689715512886016010a77f4cb1e6659e0df0b5 |
| SHA256 | ae6359b0c31c69599ebb789f3016908d680c7079d452c4648a3af0226b78a84b |
| SHA512 | f67d207fad5f0a78d1c7e507257aa903704020f8339720c7e6e23e7d4699d084a57628703a0cd4f33b0460e5454a6d33b99c51f37e346a95504949ce30929723 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini
| MD5 | 661f2206ac253963428371f575ce29e2 |
| SHA1 | a3ae20abb92b0a39f5be0e48387ff36c878d8999 |
| SHA256 | 5eddd08dbbbb3f45bdbd18c5cb621e1d8b4f88961a51b25fb61c972887a20bae |
| SHA512 | 49a4ab478e326a5b820399c64169cf1a28bc1c7f00cc3a3c5b34b3e5f0553527087c4bd43eb2b4244202186f47e5ea969bf962290ce338f0e28b974d2af6d767 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met9937.vmd
| MD5 | eebb8da8e062bd685542bffe0bb94e74 |
| SHA1 | 75faddb50b83eae36988c1e3eab075fe8d5a3415 |
| SHA256 | ec58f79fffd619862667c1a7644ad34f76c4623f2b7857a5341640c893d4de18 |
| SHA512 | 8a23a32b28a558e9a5d3a615d4412b768af8948f132b09e97ca121471db46693a4d05ce4df64f1ad951749d65c4d19000e08f7870d99eef9b90b62d2864f1bfa |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini
| MD5 | ea88f208883a61145d61db8279eae5b3 |
| SHA1 | 9940e3b818695d517b267ce6bc3230f96ee35663 |
| SHA256 | 20b000356e443933ae9a2f38af6404227fa36f8186793d62d1078de1f942ca67 |
| SHA512 | 0372e7ff31cc98ab7c6017a43bfe3fe43b786dbe3f479ee3cdce2bbfba701c91d367b37fae5a463a25f9c2deb9f180989e6f28e8d62862731deb30b806e252a3 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\metA909.vmd
| MD5 | d39c2a872b313f71c47f6bef8a44b425 |
| SHA1 | fb0b1e55ba114f0ec0856cec44934c692690e487 |
| SHA256 | 84f5b0b1ecb3612db2d369b18c758cd0de8ad31b371943343fc5b776092fceae |
| SHA512 | b21b234843480ade18abbfc1dcae5edd536def427bfbd39d0c384e439c2b0692d1654703e32b4648ffb6f719fc1236edbc588bffd242ea7792fbb41b82d65b7a |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | d8212924840d3a3bccdfaf7f7b543ce6 |
| SHA1 | 92dd07aab414a88552799a71ea10f35b29584586 |
| SHA256 | 6a4b6c3c720a89f2b4e3d4abd4e93a234792be006a3ab6d95af1aa05cfdf9fd4 |
| SHA512 | 6662a837f600918ec82947b198845f38eb890191609f6fcdb9365b542752b1313b4419a5bc8d90f25ad2a2c70512249b2207d39aa59e4400690ad5ecb4aec1c1 |
memory/2184-3207-0x0000000005AD0000-0x0000000005B15000-memory.dmp
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | 91556002d2ad06a9eb072230af74f0b4 |
| SHA1 | 18a91faed752e330b631273eb31a7812186babcf |
| SHA256 | 385ccae65d6c67e66f8a514d227bd363d959a131e167e59969419f977c421f56 |
| SHA512 | f9cbd01f52724f38b864058400c3a292f833cb6046f5dc32d6a47da760e84c4ee7396f35da319b02f5465c932bc3f44fb921d996da2a64e8951c08103154838f |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini
| MD5 | 412475ef1907d32f51784154f6d0c8f1 |
| SHA1 | 38f5ebb35a037481b32f3d5ff5912d08d63ff2bb |
| SHA256 | e136890ebd7ee5e0df97329a5b1556b48b77b62e4b1a9f612c1acff6d77ba707 |
| SHA512 | f68af166b2dee91401e434164d045616777f1afb68d482295d6e64d0595b262bd4239e8a8a0118ae80adfd31647ecfa78e7cbdd7591e962c2b85ef2d2cdd044e |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | 438a956e27784499cf705a6a1b2aa1b1 |
| SHA1 | 2c97f4a7417c776b4d44f695107e49fc30ae008a |
| SHA256 | 5f3a68d5a7346d4036d08cbb1c520f872117e6524b358cca06d26dba7f0d5152 |
| SHA512 | 894653811700fece580372973418b2487887dd164a7b94d6a18a72bcb71c05563ca0bbc7827db118b2391c6dd2932e81b10a77bbb1801b4fc758d8a2c331b8d1 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat.o1d00000888
| MD5 | 76a66845f666c52790c3442f7e1a491a |
| SHA1 | e392a609d9dc81fab060d8aece449fe616a40053 |
| SHA256 | 101f682d9c519400a4d36b6a09cf0dd39a9faab6353b3ce0eb2f071860b6d05a |
| SHA512 | 71a6ab36ebfb6ff89ec6fbedfd1982fe0fb7e8c76981d24467eb73a924dc96cc4a0483381beead6517f829fa8babead0176a8df229072040564e708d99b4c783 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx
| MD5 | d39305c16a773b222871032c4148600e |
| SHA1 | 196b2a21dabfd3d001e2c79f3fdc7c411c4ca261 |
| SHA256 | 01786514a6a5bb357099b7c11c23615c0e8e6e07aced1f3764f034b6a6be8d29 |
| SHA512 | bc16b755eb56da66ff8290d1498c9ebbe7a29e27c50a4326cf3cd9018d20c13bccb4d23e63429e07ac33e323ec19e11a69ad2e25c1b5a4a67341ea2019862093 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx.o1d00000888
| MD5 | 137faa0c3baa69f733eaadb966b64ade |
| SHA1 | a55982685efc19bb0afffa2eb1f3750241480eb8 |
| SHA256 | 9cc291dcb5847e7f0e6d4bf322164461c6607da934ce9d376c0e15f7ddd33181 |
| SHA512 | b6286a581aa3d1add62836804a1fc79a2399fd6fa7144945b47f2ff8c0ebe88af3f289bee95db0cae1aa7c532b487a4bb6a9e65710c581afa2b7f13989885d78 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini
| MD5 | 6912e8fe99f846694bc8b592c13ec155 |
| SHA1 | d0c99287e7bc9d2da4541734dc55b37a4712b4d5 |
| SHA256 | 357d2b35be8d16b9b43c59ef1f2f2447a84614ba9c97379db14aeb4c0bb66721 |
| SHA512 | 339cd628c18c1ad3773cb78ebeef302b326aeacccab252e737029b2ed05b552f0900b2fa1d8dbb76cea30d07e9c2eed922f085437391692f4d3dba5c295b8368 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat
| MD5 | 11bfa874196e18174379f536a52372e4 |
| SHA1 | bcb5bea02fce56d0b97b0a6d815e6e73ce72dd5e |
| SHA256 | 60d2d9bf9ba4c9787f9cdb23d657809685f14f739866c4ab1c64ced47ebc7737 |
| SHA512 | 7cfd5ee948971e44af7c46338191c460a408f0e34212dca2be7ee3c937d06b14dbf656a9006410a00888bc82b34c76caa68adcb79b380a29b67190d19728e2f8 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\ml_online.ini
| MD5 | 869c023e6356f60322b9959002e199b0 |
| SHA1 | 11f9f69683019566bdc932b2cdd8cc69fc6ad926 |
| SHA256 | be56a246bd91885254c46cd2b13bb2b1298a7810df495d4b5ad9e12e857b6aab |
| SHA512 | 58b089e54eb3bc7b2de61e9cd726a370289f0e8737c8bf56fc4513b250991b542b1a1ad5cb57a27133b741ac54301c3c9981f968caabac4815fbc48dff12cff3 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\et7983.vmd
| MD5 | 4e9180a184a1198d9594c98d4e01919f |
| SHA1 | ddcb8d3490b1fa89abca6ff28e172fc9bd6a8fc7 |
| SHA256 | 6b4104b26ba3333b9baf2738993a14c4f51fbc8b1dac8560095e00aeb24ca7b6 |
| SHA512 | 43cc1bb4cd1d7c2615e8a259db6bbf915a1b9534f030d368d210ad2e866f24b31cfd17fae669e86a702faa16eac181bfc570a85d495686499b5ffe3559db682b |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini
| MD5 | ec6a2c2e5ded028cb262ba1016fac4fa |
| SHA1 | 8c095e0c56e0e64b83fe09fc60e67d56155a9d82 |
| SHA256 | a9f996a3bf5e70fa74605babee9cc802745021a606a2e6dc258eae681b1bf8be |
| SHA512 | 3eabbb812ab9d3c8436c41553c0697927c79bac9d56a8469d23834a2bfcff3369b4e31402cad3c9c069098cf7a9e959fc8fd58ee2b03ecefb65e2589edb7c251 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\et7983.vmd
| MD5 | fa6b6eaa81a2662b8c45b126727ea832 |
| SHA1 | 6087f9505d21819ed2f656517a0a13664aeead2b |
| SHA256 | 370be262ff415bed2a40f450f69dfce660e3e635af0924dca0c1f118e489c046 |
| SHA512 | f26688d6236021172c0f2d001e5636f018fef9ba7c7fadf688bd78fb1f9633c766cdf9ff2581997bc7af8a5ffd92da19cba699a46a64a555ccc0e7e57bd7b3c1 |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | 0b4e215ff523d3f164781ded7302acf6 |
| SHA1 | bd532714f24789afdd419b7431ab1b7ac0dfa2d6 |
| SHA256 | 5e1ad063a76723ed659a8920cb9be9d0a1f8b8cc4707daee1d9e7b4ac28fe1a0 |
| SHA512 | af9cd32bab5371c0c2d9ad500452d4fd58d82e214395bff410dd98f896d0a5e8d47d57f2b0bcde219b5e3a583d3dca76ce3bdbfd85cb74fd8b6188f758ed3716 |
C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx
| MD5 | 5dc97ea81161b0668f0e990df136a2ef |
| SHA1 | eeaa4074b0aa62296a702a827ca9eb97d1e2826b |
| SHA256 | 612dee1659afbf7d277a6e3283bcc75107610cc9c2b934288ea04b0bccd92405 |
| SHA512 | 659ec5e24c1950a1aaa8708f15ed0102e0afa87174b95e92201749ecf114b91b853c9c819c6501fcc319caa4c430eabeefe69e72950881dc94456bdaa629c5d1 |
C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini
| MD5 | dceddb6e6e8806d71947d60c820988bc |
| SHA1 | 63c6c72c4e7a9ece0fd7326bf8306b3132f5fbd7 |
| SHA256 | 7add9221bd0f55859d8c98d20c6fbdb5d59642d921f3ce190f1a848663c6947f |
| SHA512 | eb8a027972b19ae783b5e2411671122376eeda20d503425218eb4443283673048c068a96a3548aecebe48954293b5b19bf8fddf31e69428d82709a2c4edd00b9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 15:11
Reported
2024-11-17 15:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 60 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 60 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
| PID 60 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:62775 | N/A | tcp |
| US | 8.8.8.8:53 | businesssetupapp.com | udp |
| US | 104.26.13.40:443 | businesssetupapp.com | tcp |
| US | 8.8.8.8:53 | 40.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\LangDLL.dll
C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\nsDialogs.dll