Malware Analysis Report

2025-08-05 17:36

Sample ID 241117-skp3lasere
Target FluxTeam-Exploit-331600.zip
SHA256 fbdb54a8afac07ec058984aa8f693a1b8983faedde86ffafbcbcd22837cc6e24
Tags
discovery evasion persistence privilege_escalation
score
8/10

Analysis Overview

score
8/10

SHA256

fbdb54a8afac07ec058984aa8f693a1b8983faedde86ffafbcbcd22837cc6e24

Threat Level: Likely malicious

The file FluxTeam-Exploit-331600.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence privilege_escalation

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:11

Reported

2024-11-17 15:13

Platform

win7-20240729-en

Max time kernel

58s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Program Files (x86)\Winamp\winamp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\mig - Slyde - Tri.avs C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi + Martin - astral projection.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - stitchcraft.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\gen_crasher.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\System\ombrowser.w5s C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Big Bento\window\notifier.png C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Phat_Eo.S. - Just more trash.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\nxlite.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S.+Phat Cool Bug.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar - Mosaics Of Ages.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\Options_buttons.png C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - strangely dynamic world.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Krash - interwoven (nightmare weft)_Phats_Maybe_Ill_Go_To_A_Party.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - neon space ps2.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\yin - 100 - Through the ether - Bitcore Tweak.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\System\alac.wbm C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\S_KuPeRS - Spirit Realm (Degnic's Plasmoid RMX).avs C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar & Idiot24-7 - Balk Acid.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\freeform\xml\historyeditbox\historyeditbox.m C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\xml\xui\standardframe\standardframe.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - nematodes E daemon.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - witchcraft 2.0.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter - spincycle c.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\textures\prayerwheel.jpg C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Illusion & Unchained - New Strategy.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shreyas - Carnival.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - night cathedral.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - sparky caleidoscope.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\freeform\xml\menubutton\menubutton.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\freeform\xml\wasabi\xml\xui\editbox\editbox.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\avs\Community Picks\fUk - cube.avs C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar + Loadus + Geiss - FractalDrop (Spinning Mix).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\scripts\vis.maki C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Illusion - Dance Of The Planets.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Krash & Rovastar - Cerebral Demons - Phat + Eo.S. Moire Remix.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\textures\wrenches.jpg C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\in_dshow.dll C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\freeform\xml\popupmenu\popupmenu.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Rovastar & Krash - Rainbow Deflection.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Fuzzy Sciences.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Zylot - Rush.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter - tumbling cubes.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\options_more.png C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\xml\player-normal-group.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - heater core C_Phat's_class + sparks_mix.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\fiShbRaiN + Flexi - witchcraft unleashed.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\visualization_background.png C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Reenen - phoenix.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\martin - Geiss - Psychotic Roulette.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\shifter + geiss - neon pulse (glow mix).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Winamp Modern\player\videoavs_button_bg2.png C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Skins\Bento\xml\config.xml C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Mstress & Zylot - Acid UFO.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\avs\Winamp 5 Picks\yathosho - fabric (skupers remix).avs C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Fvese - Zoom Effects (Remix 3).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Hexcollie + Flexi - Faceless Frog [rmx].milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Shifter & Eo.S+Phat - Fractical dancer (inside the neural net).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Unchained - Hard Science.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\DSP_SPS\justin - resolution reduction.sps C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. + flexi - glowsticks v2 05 and proton lights (+Krash's beat code) _Phat_remix02b + illumination (Stahl's Mix).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Eo.S. - pointfield 04 arcs demon_phat edit_v3.milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Flexi - gold plated maelstrom of chaos [mirrorized].milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Winamp\Plugins\Milkdrop2\presets\Stahlregen & fiSHbRaiN + flexi + Geiss + shifter - Stonecraft (Beetle Relief mix).milk C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Winamp\Plugins\avs\Community Picks\duo - warm freeform.avs C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Winamp\winamp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Winamp\winamp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Winamp\Elevator.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbcd6aca-39bc-47af-be8e-52bef2b9d0f7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4570CDDC-94F8-4B43-B1AC-796D68FAC7DF} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{719C744F-CDEF-49C2-9ADA-DF5BA8770F4B}\ = "ICddbLanguageList" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46AC5819-1FA8-44A1-9954-270EA2CF0DCA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC0E5DD3-8BAB-4671-85A1-68BF93CB35E4} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OGA\shell\open\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" \"%1\"" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP4\shell\open\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XI\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NST\shell\Enqueue\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /ADD \"%1\"" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PTM\DefaultIcon C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICY C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06C77E4D-FE13-4FA4-B52A-1CF2E047F55F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B2D9EB8-70AA-43D3-AA8E-E71CE53A83D8}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1754C0C9-24B5-4ED6-8EEA-52620ED16E58}\TypeLib C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ogg\Winamp_Back = "VLC.ogg" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.ASF\shell\open\ C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STZ\DefaultIcon C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XMZ\shell\ListBookmark\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63C7D158-BCA0-4C29-96C4-06BDD744ECC2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39c806ec-eb0a-4f6e-b40d-c41d92281b5e} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.SkinZip\shell\ = "Install" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.IT\shell\open\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.ITZ\ = "Impulsetracker Compressed Module" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\Play\DropTarget C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OGA\shell\Play\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.STM\shell\open C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Enqueue\ = "&Enqueue in Winamp" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c7538f11-8d14-439b-ad2d-30c2cd8d0e68}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCF3B306-AA51-455C-9B39-51F8CB8590AA} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AVI\shell\ListBookmark\ = "Add to Winamp's &Bookmark list" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MID\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.OKT\shell C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlNSWinamp.CddbID3TagManager\CurVer C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{614D9D0A-C012-4863-AFBF-9C9DD01E04D1}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1754C0C9-24B5-4ED6-8EEA-52620ED16E58}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AIFF\shell\open C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.PAF\shell\ListBookmark\command\ = "\"C:\\Program Files (x86)\\Winamp\\winamp.exe\" /BOOKMARK \"%1\"" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WVE\shell\Enqueue\DropTarget C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.KAR\shell\Enqueue\ = "&Enqueue in Winamp" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.XMZ\shell\Play\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPL2Timestamp\CLSID\ = "{fe4c8bff-961f-42c2-bad8-808f76edde15}" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MP4\shell\Play\ = "&Play in Winamp" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WMA\shell\Enqueue\DropTarget C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9151953E-0621-4167-BCB6-36F8E65EC6C9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPLGenerator\ = "CddbPLGenerator Class" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File\shell\Enqueue\DropTarget C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MPEG\shell\open C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SHOUT\shell\open\command\ = "C:\\Program Files (x86)\\Winamp\\winamp.exe %1" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D951C2E-56FB-4E0B-903C-FE738DA573C1}\TypeLib C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1EEEE1-7227-4BAD-B955-B84BEA914A5A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.WEBM\shell\open\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.FAR\shell\Enqueue\DropTarget\Clsid = "{77A366BA-2BE4-4a1e-9263-7734AA3E99A2}" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61bd27fe-604c-49f8-a979-7a260a51ea5f}\Programmable C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CddbPlaylist2NSWinamp.CddbPLGenCriteriaList.1\ = "CddbPLGenCriteriaList Class" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBBC42AC-1409-4D95-98FC-7F6ACB33EC15} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.NSA\shell\open C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.AIFF\ = "Apple Audio Interchange File" C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.SDS\shell\open\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.669\shell\Enqueue C:\Program Files (x86)\Winamp\winamp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7DA05059-CFB4-46CE-A788-709A3AD3454D}\TypeLib C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA3218D8-A65C-4A29-8690-1E5B75DBF3B8}\TypeLib\ = "{65EBA1D4-45E2-4EC5-A7FF-CB7E14659C77}" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0281A5E7-BD75-4ED3-9872-3331157B923D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.M4A\shell\ListBookmark\command C:\Program Files (x86)\Winamp\winamp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Winamp.File.MIZ\shell\Play\DropTarget\Clsid = "{46986115-84D6-459c-8F95-52DD653E532E}" C:\Program Files (x86)\Winamp\winamp.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A
N/A N/A C:\Program Files (x86)\Winamp\winamp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2588 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Program Files (x86)\Winamp\Elevator.exe
PID 2588 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2588 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2588 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2588 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2588 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2588 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe
PID 872 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe
PID 2588 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\ping.exe
PID 2588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\ping.exe
PID 2588 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 2184 N/A C:\Program Files (x86)\Winamp\winamp.exe C:\Program Files (x86)\Winamp\winamp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe

"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Program Files (x86)\Winamp\Elevator.exe

"C:\Program Files (x86)\Winamp\Elevator.exe" /RegServer

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=TCP new action=allow enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram program="C:\Program Files (x86)\Winamp\winamp.exe" name="Winamp" mode=ENABLE scope=ALL profile=ALL

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule name="Winamp" dir=in program="C:\Program Files (x86)\Winamp\winamp.exe" profile=private,public protocol=UDP new action=allow enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Winamp" dir=in action=allow program="C:\Program Files (x86)\Winamp\winamp.exe" enable=yes profile=private,public protocol=UDP

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe

"C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe"

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe

"C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyA64.exe"

C:\Windows\SysWOW64\ping.exe

ping -n 1 -w 400 www.google.com

C:\Windows\SysWOW64\ping.exe

ping -n 1 -w 400 www.yahoo.com

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\SHELLD~1.DLL,RunDll_ShellExecute "open" "C:\Program Files (x86)\Winamp\winamp.exe" "/NEW /REG=S" "C:\Program Files (x86)\Winamp" 1

C:\Program Files (x86)\Winamp\winamp.exe

"C:\Program Files (x86)\Winamp\winamp.exe" /NEW /REG=S

C:\Program Files (x86)\Winamp\winamp.exe

"C:\Program Files (x86)\Winamp\winamp.exe" /NEW C:\Users\Admin\AppData\Roaming\Winamp\winamp.m3u8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x574

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 businesssetupapp.com udp
US 104.26.12.40:443 businesssetupapp.com tcp
N/A 127.0.0.1:49198 tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.yahoo.com udp
US 8.8.8.8:53 download.nullsoft.com udp
FR 5.39.58.65:80 download.nullsoft.com tcp
US 8.8.8.8:53 client.winamp.com udp
FR 51.210.155.142:80 client.winamp.com tcp
US 8.8.8.8:53 client.winamp.com udp
FR 51.210.155.142:80 client.winamp.com tcp
FR 51.210.155.142:80 client.winamp.com tcp

Files

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 76954d7dbf005d6db5e38d64f25a8c20
SHA1 054ad10803aa95f512a2c56293be7d1a287696f7
SHA256 e9e2eb114941f9f9157b4fb139e5588665fb89b709df82d4a8346ae66ccf03e1
SHA512 49e77880255470096830059bda1baf1d955f7f33659118995495aa6a6e090e32c798a8568504f213a90c4d3c3c81db41c22c54359d0689adb7b233c96c4fff4a

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\LangDLL.dll

MD5 a1cd3f159ef78d9ace162f067b544fd9
SHA1 72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
SHA512 ccc70166c7d7746cd42cd0cec322b2adf4a478ff67c35d465f0f0f5b2b369c996a95557b678c09cb21b8311d8a91eed4196ddc218ea7d510f81464669b911362

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsis_winamp.dll

MD5 1e1ded1cf1c69852f2074693459fb3b5
SHA1 81b165cae4d38a98760131989fdd8aed2c918679
SHA256 5946278545abbd0b0f5188752fe095e200c85abe0783632a00726d090c0753ec
SHA512 a6f9a43d4432658c3504629e9209ad350af69eff542d139e0ccfe0dbf8662f15034edd3cf8b56d606a740b66c8221cafad999088a4e64a4c9c9fb47793a19f96

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\install.ini

MD5 385081d5feee87a4ed1a6e5dcee85f36
SHA1 8517162855b477e5498e95ff2e82584ef06d5c6d
SHA256 bdc6fb93206c1e7a590f2d4e97d0dab7d3badaf8b4e1a7b8487e9cf59f05eddc
SHA512 52bcb1cdae8abbe4b14ff85b57e03426d61e5cb25b1535a827af526ec66c00ae0a327b187cd10279cf18c379c912d3e478ef9966bb497a8b626824fe32d1093f

\Program Files (x86)\Winamp\Elevator.exe

MD5 5e90e4e003ff75b207d956227c8db1fc
SHA1 e05c30b4e1dd22afae5fe0a117e62ee69af878fc
SHA256 35f2265273b38d3f81d6ef07f57bc20fca07f62687445aab6651c141157cb519
SHA512 7dc765ebbdc8c707da12e4a321f80545def74cb93ee73c6545893a7366173ead0108292603856dcc6136bbc46550f73ecaf36553c12eff5ed32a391d1efe63ab

\Program Files (x86)\Winamp\elevatorps.dll

MD5 c990acb402c04bd44319183198c748f3
SHA1 d20358545f8148394a1205f63d6bfa3bcb950f28
SHA256 fde86abbc080ce9dc48975100ad908b05a53e5c1026e34d064f3245a01770fbb
SHA512 86c5c5027e9e4571888d5edef060eb71fe1a2a365c5f2933ae95f263a188f2256d9f9e7182616e53146455f81892f1a923da2c2e10937de06f888d6d2bc8dd70

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\execDos.dll

MD5 0deb397ca1e716bb7b15e1754e52b2ac
SHA1 fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5
SHA256 720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f
SHA512 507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

C:\Program Files (x86)\Winamp\System\h264.wbm

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsetup.exe

MD5 4ee24c7fd67b098431c951db7686bd19
SHA1 5b14bed150ea0bf619b938ce94b9f32b02a6aadc
SHA256 0f445c4b76bc309a940d5f4ba615bef1dcefbc0d160f3a8d06e0038160d9b4af
SHA512 7853bcd7482b85ab362935060506a1b44779946e9428838a1c95cc54fcbf94058ed9c2101b5c4e3114ed125b88692ed694b394ff94ecc8d88c39b57bb21f08f8

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxhelp20.sys

MD5 e42e3433dbb4cffe8fdd91eab29aea8e
SHA1 6f764c5e20eecd6f3d4154d9d89d2420dd783470
SHA256 20abd8372b242fd356ac143e7eb56f93cfea4988ed1b0c4434cb64c387d7f66c
SHA512 260a2104aef64fd5a276e289e1cbe37502583e94039af41a3803f1c464d78c72def4e911f14312b94c63b28b1f6792a7bd10f23db837daf5a1a9ffd478c40810

memory/2588-248-0x0000000000820000-0x000000000082A000-memory.dmp

memory/2588-251-0x0000000000820000-0x000000000082A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\PxHlpa64.sys

MD5 87b04878a6d59d6c79251dc960c674c1
SHA1 cc34993ed2b375bbab87058f79097eeacf381aa5
SHA256 3eb8db0624e646f0a65d0381408d35cf9fdc5abfc30df6431f4070a8eb68447c
SHA512 5c034f27ffd5d26faa2b6db9a6e97b261a0997400901e846880fc2eadda4ffc3aaf9885b90997ebeac8902b10f2e0f3e38b41e6f476b7c45f57ac5f9e59312b8

memory/2588-258-0x0000000000820000-0x000000000082D000-memory.dmp

memory/2588-257-0x0000000000820000-0x000000000082D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxmas.dll

MD5 746833260d2123ebb46ff44afcb8103c
SHA1 54275329dbc8caafb8a4a61198cdaa0986756ee3
SHA256 6cc2fc325653f7fc8725808270792921423c7dffba4f4e5bfdf5d396f89c2d97
SHA512 a2a577a39ece8b3b1407b528b17a3088179bc5eec3e1a9b14270529f82f6175d9c950da957bf6d707c968e4395eb55464e08778bb887b2871351f5655507252b

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxwave.dll

MD5 24fa4bccc5ac82f5471abd0e3c9cb878
SHA1 9d9caf552519395fc76c7b756532032686827586
SHA256 a90d09923443c749266f65797176d70235854b9157a023362701c0d8477b78f3
SHA512 5e05daf7eb1de0baad166758304a5450750a876d4f7a521215aad279a00dfbc34a96299389dc2f523b54a73894433ce35480f559ed04d10ccbb14b1c75111914

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\px.dll

MD5 dbb66b386c194a58e29e49d7ebbebe65
SHA1 78dced6be8870938a2c8fefb1b5b884159e5fb21
SHA256 309a40e28271eee4e41cdb5cd1f83c0087702d42f9fc3a87d62f9f30dd53d68d
SHA512 6a49783c86f2bdb6cb522f0e53a6e653eccb89b1a2d0d800bfae499d304cad173f621d9dad7765a13848a1e8bc4da355d94fc1a4bbf2beb5c4d999ea79257764

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\vxblock.dll

MD5 ba8559b1de9e06e1ebc5b41138839fff
SHA1 b2eb5557c01a3731adc3e0539b9c9ba32329f35a
SHA256 ffa5a535493c11595b1edea75e67ddd6e26e587a27d36e06a499acfa0e0a002b
SHA512 3314838685b476cdde9f9eb5be4881b29494b04b3f93a544736a2cbe0716c03cdf7f38fa14cf3e68844495a5452dd00ac1ea335fdd030556dde4715826d50fd8

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxdrv.dll

MD5 8f6f3aa814143099b431744b16845664
SHA1 67f518591a1cbb954a031cc7421faa1aeb25651a
SHA256 7c9449c2e774087305a28117e47fa48bbf33638144e9694f20d20fb15065ac9f
SHA512 5fdd908862dcabc37a794d0f7fe134e6df9f34d0e52cc69a535c37872a4f2edb44e2448654b3832a11f41fd57be36f1ad0f863603d1f268f99c6180a3a48bcb5

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxwma.dll

MD5 cbaa54ae75a0b8430e6bb65c72c7683d
SHA1 5fdead1d32a164426c623f5b871bea3d547801f5
SHA256 4f69dbbad8775b22d328968461c0c7ae11fe902bb949e178bf1878009705d0ed
SHA512 18b51a143af0d7d279c961143c4e3b5a42d439f59d7cd495dda174e062f3b9981363c021e474fe7901ff4651a174883f748ca98766a12f08606378cca3c4f504

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxafs.dll

MD5 e66569100ada3821d49be51109fa111c
SHA1 da0d6e0d9073b7d384e410916ae0306e16eee23a
SHA256 b7c5e5cdb6bf6fc01d1823b6aa1b0fef62f1e594886e2797a00a03809589c0f4
SHA512 981128e378ff2c286ad0aa9ca0012fc72cace283b0bbe4bb21ec7429735ef0b4438a6c6ff8dd3ac11438e25af33162f320a085223d6fcc41f5a7b060d88efb8e

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxinsa64.exe

MD5 6d3630b7f27b3643fde05d1088f84f2f
SHA1 be742991eac9c6c8b0674c4be1fbddd10f7b9d37
SHA256 573d87feddc84eba6b3450bf00ad7ddf498ca99cc8809359fa9bb60c7ac76f68
SHA512 48a218a270357d3513596d92410bc865ef51c3bda6bfe5f53251e2ca3a5ff6edb31d722ee50d6b85d4e3bc7094b956180bed88575eac226236b55d81e0528ec1

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxinsi64.exe

MD5 94f95be2a44c8291132d314582f141f8
SHA1 d5bb1a7519221964497560b579bb5c1f1ab30aef
SHA256 df83d7cb34c59e1406fb5bf1edd083f8bca649db97979c6debc3d3ab0e36b980
SHA512 4a726c8431d9722f1213659e3cf150cda5a0850bb874f0f7c4c280f6805a122d14882531e06b11cbcd36d8a9a741a67f12b46dd02933d00c65ad1e255e1ca1dc

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\PxCpyA64.exe

MD5 08d51e037f487f9ca9fd0b0388f4c15a
SHA1 67188d670673a5e9185616923d1b1a8aa22ad8bc
SHA256 fbaa0fd8dae9bde80bfe497dca28c6fc9174c14b12ab93e3942fffa04e3db3cf
SHA512 a40bb551fa8a705a5ac2bdc02a17ebba1c6c70f9ffce38c668b07bc538dc4461658b0bf220e26aa1833f624009f417f05c44aa0ff81af59a5ada4f97dd99013d

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxcpyi64.exe

MD5 50a76d2d5e4be94556326c4bf748c758
SHA1 dd2188e2fde11b75fa73003bf7502515182d4c88
SHA256 1c0e698d620f3703f940baccbfecd883b5f5e46d2436f0c17cb0c6c99155a4ec
SHA512 f60decd858d2dce3d7d57f53e7a2f7f1090d2d5fffbb1abcfd37c67718ecc2c92bfd45a208a2ec93efa5e8fa9c33f29e84bc52891998195dda237d6f1ea971a0

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxhpinst.exe

MD5 d2728a10ccd2a675638b016d47b1c254
SHA1 9311a83a94d7b5694109e0e9694eada76765caa1
SHA256 8ca37574a79fffe781375955362eca8ba4511593dce6672590be8c42a775f146
SHA512 a6a31019f560b69935f5873fabe192b5899785544b9cf3841c1a846740edc56b3ba5f396d43d104f51acfd59faa97121f104abf7e4ac4a3fef5539cbd85a9759

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\PrimoRedist\pxsfs.dll

MD5 e5ae8bd7d28eb4bf87f9c56daa6d3e3a
SHA1 61b841bdc9006953d504c137d5d7d8e8602fb31b
SHA256 780e084efbe74ac28d8d91dfff1e3bef97ebda3c54c7bd5c8fbbed128f21ea7b
SHA512 4930e9e128f9e8b55657752b5a8b1aa82c252dbae6ed0fc5d3112e5be85f30e6381e514e668ce5eb5dba8177583151d89707410b102d4c6466424682bcbbf0ad

C:\Program Files (x86)\Winamp\jnetlib.dll

MD5 792104d32753ab1011a7dc41c80cb504
SHA1 48314163f4815452b61c7069531a6faa02775bc9
SHA256 8d52761d0e9f753f05bb0dfb37d9fd14eba0af4023608012710ca0c3db79e444
SHA512 bb3ddc7eedf30e4776c06a667b0ff9aee2605cd32d8e0fee1f93839ff29075fe37713a2b74e5f6ec51c0bc7a6d44dd5f022e196f068f969cd75f14482c5be587

C:\Program Files (x86)\Winamp\nde.dll

MD5 d1b7c43550af02cf4e9712b1c1a63cc3
SHA1 0f0d82a6b341dfce6fa4d2b93252faf46a211e19
SHA256 202e7e7e30965d970cb37462f0bd763551d757bdf35e04cdc78721559118a469
SHA512 22d45cfa22343d5b74101e91cacdeaa73d6520588a365b0667c61e8e82451e78c0624b021e7ce5421d449e5d33f7df15355e272defb9d70c1cdbb89f611760e7

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 69c56e3d98acc64fd35ec6b2916db596
SHA1 cc9d47c9fed45c892578c04e080696ffc2ac0eab
SHA256 85b420b1faf6d7e70567eaf2b01eac6dcb78e02e2375956c317c8e98d6cbbad1
SHA512 234f0db4c217469ec585903915758c890b0040a97735574caa1d73cde68c0fe239b58ce60720a16ee136c14ef0977af894167d12488af5993cd7514d9d79ce8f

\Program Files (x86)\Winamp\Plugins\Gracenote\CDDBControlWinamp.dll

MD5 72ab7ff3886957602a68b3d89bde44fa
SHA1 91365edba7dc4aae61edf0c5a16705552e668b6f
SHA256 025ee64129129e7e6bff4c0769cf93e00e095b752299e7d633de5d9c261e173b
SHA512 ac1b58c308bcebe6c4b4672b5a4aa14cd1d3a923c80ac495f4d42aab45db0d085ddbf51111f3045bbdc74d1456f642f62775362cf3d132c1b6aaae0c47663c35

memory/2588-2155-0x00000000050C0000-0x000000000524D000-memory.dmp

\Program Files (x86)\Winamp\Plugins\Gracenote\CDDBUIWinamp.dll

MD5 ac5430ae266925bb85d2d5800d03c262
SHA1 b9a86664a0fac9b79c162587a203674bc6ae9191
SHA256 fb4211686c2ddba152cbc239ef8b630c5d2a8c05e9056d4c797cd0ddb200e9e4
SHA512 3992049fe87785c6827fa35b271c37696733b362bf276d5098b0e1befe6c217ee7847d1256dedc1fbbb2d608e7cc195e9229dbde7519615127b7f361edd8a15b

memory/2588-2161-0x00000000050C0000-0x00000000051BF000-memory.dmp

memory/2588-2173-0x00000000050C0000-0x00000000051A3000-memory.dmp

\Program Files (x86)\Winamp\Plugins\Gracenote\CddbMusicIDWinamp.dll

MD5 37ffbcbc724d72a49248cd6df27cea84
SHA1 7ee0fa08510f549d9ad7538416e0e19bdf911ad8
SHA256 98a8b5ce8023885391bd4be08781deb141479eaae5c70e264eac2d6c2da54f7c
SHA512 b6fc63a76321e241547061a876f50f5b99e68880f6ba4af3d66656354cf827d99f07d38ffab6764c83c5ab1f35748876077af04743d747df3a3a5f86314a69e1

memory/2588-2179-0x00000000050C0000-0x00000000051D5000-memory.dmp

\Program Files (x86)\Winamp\Plugins\Gracenote\CddbPlaylist2Winamp.dll

MD5 7c7f404f3923a9346978be902e2257de
SHA1 c1f41edfb4af754db2e2679a8ae40d3b1a9075b9
SHA256 1239b23e01467f6fdc2a0dd109c5713588fe77a4d206d60dfb3712e08d1dc3d5
SHA512 c60806b31bcb314c4d6e3e4ddd394752a665d16ee223359677e6d08dbf288aef88967a4aea46efbe28600f35f7abc5b6267a6c69820a29ce3f9f2e805fbcc477

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\Dialer.dll

MD5 61b40a89c8b94ad6355262e118c8420c
SHA1 6b8fcae8baf661e115763cec2d69db7a6b767030
SHA256 4e63d7b877a7e8889b6cd7bebc1dec767bff0f5bd41d8936d4a5b29d934ea4c5
SHA512 77f7e3cdd2f2ec3a2cf619afec6438e0966a2f0d43539d62e9cd8e2acce56322e2dfa2f747937c3d62346640fb64e1176b52a329027a5a0569e0f05ceeb7a126

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\NSISdl.dll

MD5 7caaf58a526da33c24cbe122e7839693
SHA1 7687112cb6593947226f8a8319d6e2d0cdef3b11
SHA256 19debdc4c0b6f5dc9582bda7a2c1146516f683e8d741190e6d4b81ad10b33f61
SHA512 aafd0cb2abb3d2dee95c2d037a6a1a5bff0518e3210ced0c39e6d6696e4fab4734df01476fe9dcb208f02c529cd03346bc8b7f3319ae49701bbf2cb453d59bae

\Program Files (x86)\Winamp\winamp.exe

MD5 e000683011d966dd6cccf2bc3b6027c6
SHA1 7fea5c8039be8e5476c9322f14eadb9d855d1d72
SHA256 6760afda7a59a7dee557680e48a957cf1367ed04194808af61f779b7fb668850
SHA512 2dac85d626cb64b0ebc811b8d92d06503e06306df4830c562195a8116b25ae531bceedacb2b36487901454279cf4d9e328117f1133ea0fabff0a973ad7f4225f

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\modern-wizard.bmp

MD5 2d63e33fa1cf672338a22c88fa45e6a0
SHA1 86c510009d6c71d05eb2707fe6a10039df525192
SHA256 7ae875cfcb6e3b1f4a06460fbda99d8014dc4674ee256b0b79ec656777c7e292
SHA512 d42a7401c1d0d77d517d2f8086286bd6cf487cf5400cd8b8d720bcaf15149727751677f444fd9a8e340072deabad51347956894c1c034dd81df793b3b8087252

memory/2588-2241-0x0000000000820000-0x000000000082A000-memory.dmp

memory/2588-2242-0x0000000000820000-0x000000000082D000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\SHELLD~1.DLL

MD5 9c266c2dc7eca5bcab2d8df4990e0c1f
SHA1 662da3d9ca18aacdbaef884065fbfffdfacfabfa
SHA256 ea7800b89e49e7d7214c1405b4906f366096dfadff28d0732acb90ab2e9a99bd
SHA512 e9318db79b02df6b3b72ed16c5d70e4b46bab71f31544ce0323cd6dae739be1948a9d3a468977d703576d7f33580e3be5d1d1ace1fb29cee9dfe325c6e828139

memory/2704-2253-0x0000000000160000-0x0000000000162000-memory.dmp

\Program Files (x86)\Winamp\nsutil.dll

MD5 cdc510af97cee27fe9b7f6e79321960d
SHA1 7a676c673e46a6bb33edd35bb8051dc8428a39e4
SHA256 714149e044c0b1598d50b0de75f0e6c7b6b4b879a4d8fb195243e68758cf3f84
SHA512 4bd33b051d8a0ea158ae665323383d4ad326a6f7693fcd02aa6b4a6f6dc6ea28b75c26f394710668bba50a46cf4896eb173b664183389a95ababb4aa0e68207b

\Program Files (x86)\Winamp\tataki.dll

MD5 54784a40c6e296df888635fafdc199c3
SHA1 863c0ee77db87557f39762e82d305d5bdc36fc91
SHA256 081220e46b00d9d1671f15658b6a9df7504223f514b03a593e5b9c56c68f135c
SHA512 5ae6bd6fce3d6f346409624a4229ec60fba113715d4ac17fc3f72c557a0b00b51de601bc44f214e39549e29d085e9acccc8aa5bc5acbe89638f1358fdc5d69c2

C:\Program Files (x86)\Winamp\paths.ini

MD5 8ad85a252352aa655f18d1b9300667b1
SHA1 5d2939f3b6c29739303f2caa4560d1f5376309c6
SHA256 fb7293e289aa918d2cbc3c362cea48dd061b0e12616924460466f26df28ff05c
SHA512 aa3c14551846a2a89b7c4ecbb9ac63e3c83501de5e088634c77e92ffd068a0aa547ad5c0d06890b553469013ff0de0dfe2058de86677966ace9c4d0b8c7b5525

C:\Users\Admin\AppData\Roaming\Winamp\Winamp.ini

MD5 bc44647d4f52e067a3d61bcea14fe74e
SHA1 42e182ca102d903d987856141d523d336a0ebecb
SHA256 ccba000bbc7f9152001d5e7217d7bd614d7322328a5a46b69e4a726295fe285f
SHA512 e223f333632b3c883420474f687ed6a78a2fa54d8d7a66ea8febbed8465201fe0905cfb6db01880a048f5cf4d41c160f0374a7914cafe22c489c10fbf3ee74ce

C:\Program Files (x86)\Winamp\Plugins\gen_crasher.dll

MD5 41b366ede1fbc0934ab725b98028dd09
SHA1 ba6790ebb79145bc35af7f1a197cc1f2048457f7
SHA256 4b561f368f71f524a1fd5b12f3b74d88e9baa89a9cf6e59128e6977fc47762c1
SHA512 1bbd61391db3e2c96c9140bf3a62a1fa0d2b1dd91e8240c62bec9be62e1f74007e42d5274100280fefc0bd7127ec993edb62ecfd3b159a8ba13b4d451dbfdeb6

\Program Files (x86)\Winamp\nxlite.dll

MD5 f270d9dbf305256d0979841886f288a3
SHA1 6e85e6d9e80c97e2d85b1754170b4ff9e50fe6bb
SHA256 bdc9e1a1edf9d42ca846b67256fc30befdf63c69354dcb30046e594e347a39ac
SHA512 b5b139870ac0ed729d6281a47ad002af2ac9102624846f0ca9ea198322fc20db9825261d4b3df26833df93d1dab3a2dbb8896eea100d06c7bcdbbd5ed08ea1f2

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\feedback.ini

MD5 34596887db65b4d559bd92adbbd58eb3
SHA1 a610a496b41bc38bdb43e04b64c1e8ee2703fb8d
SHA256 b481b979a63b97651e2231b684e8d98f7c8a8e77163beeea49710a90da03c566
SHA512 115cee2deece2c0a5e83a68e14252272c9bdc2b8102fa33d21d56dd3db0bdf764b093fd4faca1afafcc3c92f8df065bd782c4d7b97c43a92b43b3761be3aa6dd

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 cdce0972140bdbb3a9dd317548149197
SHA1 dfbe1673d708ee75146eed957eca28a754ed5930
SHA256 52ea725a9f81894fe6320986557d51b40687479a7b933bebb43a9c912095ffb8
SHA512 f78394b3ee5552b25d9a75fe2e22b7a25121bd4e5f09a0b96dff647d91ba0fbbbcb509f171e2b186b44a8725a6b37c243520c3f3692011ec90e4238fc92dcefa

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 f76efc12c9bcce9cc881575c96f052f9
SHA1 bc7390a7635b385b51456687558dc90bf032af37
SHA256 eed6c69c2b5c93c92d608e65bde3d0fb4f71bf701be9283072b88a5483d54ee6
SHA512 6b94615007ca2ed308e31ecacd11f6042038019daecdf9fb49cc7bf60c78b9749bccb809f3d91d6bc7487139c616bab961334de080063828867416728212a7df

C:\Users\Admin\AppData\Roaming\Winamp\Winamp.q1

MD5 d24f1b829d1bd197e157b12d19c220e9
SHA1 555274f63e5b6ddbbd548179754fd0b2cbddf888
SHA256 58065811d8e881a5087af0c9a44d2baaa9628dc3cd1b1847533dad2c35a02cf8
SHA512 55c5c6bc1c466eebde84b98e024d774711bc1f1e32b28842d77eaea93dc030878e74012ea48179925313490b7c77d07383213ebb63d691228d2333e4217b33fc

memory/2620-2754-0x0000000002E00000-0x0000000002E45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsuF5E5.tmp\install.ini

MD5 129725b4e32e12724054f1d018a04e0c
SHA1 ce2197507e97999c19cc29d3ba1628d518585246
SHA256 090fcca9a97cccdc1bb7f592e993a1e03c5ae578fc8e22ed1eb514cbbdd1d21a
SHA512 0479a4fb2ce3c999f8d852ded96a7ae4485737aebb63a7b67fded04ff5712beb118484bf4c2a8de2fb9eab1260db28d4e1c8eb88bc255aa7267efdc1cafce1c2

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 80d68602177f04efc8c40dc8dd49263e
SHA1 2bab8d1aecd8c44a44a68c4a06876da1c9c9f96c
SHA256 a4dcc67fc9264261c503aa541a744dc902f41f95b6b282c57e489a5954b9e7bc
SHA512 07e9f56d317868988047b58317619d035ae828141bfb347bddaad6f8ca0fd209b96c45cc7c2645c67868f6b631b3ccbe970e003c292d45100cecca3edbe72594

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met8955.vmd

MD5 9936bebab9c4e0e2aac7dceffc42dbac
SHA1 c1d2b8ceed49c904db7f174e06cc4e8ef851a87b
SHA256 ee730918e759544d7d087fe0b2e0aee12145ec36ecd4f4aced4336d85503a124
SHA512 16a5da57970c1d9b0e00bd8ac21ad53260b48db7b7b8bdb1953c625e8b6a9a132afa53fcb835163b73fe6a5dae40aa5ddffda9a11f42e8942c07b180363f2ff0

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met9927.vmd

MD5 2cdaffaec77db6248825896e5c424893
SHA1 fc8df8ddc7811bfcf8f426dce0316c7eb6366b69
SHA256 6217223a02d019b85e566e2804ae6ae4dd3643c95578279a27909c9eedbdb961
SHA512 387e12cab715c8d9530b21725808c91bface84949f03d17312890464ec53ffbd79ce3a83685e0897e208a2e26e85c8296b848d91b0677df1bac446c229cfe05e

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met7993.vmd

MD5 252e14c85c8b8288fda93614891308eb
SHA1 636d352077cab476c805fac2bc4ff58d83a14b99
SHA256 cd160e25ecd10aeada7cbe1b0913b8dc8098d009e43b9a549765e0250531c81b
SHA512 7c5654607006bd1300874257f9c452b7e5aeaf90e4815ccfa0f195988f7d51dfb8dce68c71d15649242f8d05f970d67101917c4ddeef12ea05d39fa8aa1f293b

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met8965.vmd

MD5 c83239613245411ebd5416fe69629720
SHA1 e0b7924b12a88958fb9e18d5d8bdf1ed9ab84337
SHA256 a1defd5d6eed464399dc2a0f2c07d1f3a10e45963899ff4b824f748b690362d1
SHA512 f3d264e25bbceb2c58d741bfa16c35213df9a629ac59ef9a275c2ec60320b6580c6f1468627e966e14bc27695d9e157ce264a6259a4f78995e7fbe304d5e4528

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\metA8F9.vmd

MD5 c386b2dab1e50ba2766d84fbff261563
SHA1 04689715512886016010a77f4cb1e6659e0df0b5
SHA256 ae6359b0c31c69599ebb789f3016908d680c7079d452c4648a3af0226b78a84b
SHA512 f67d207fad5f0a78d1c7e507257aa903704020f8339720c7e6e23e7d4699d084a57628703a0cd4f33b0460e5454a6d33b99c51f37e346a95504949ce30929723

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

MD5 661f2206ac253963428371f575ce29e2
SHA1 a3ae20abb92b0a39f5be0e48387ff36c878d8999
SHA256 5eddd08dbbbb3f45bdbd18c5cb621e1d8b4f88961a51b25fb61c972887a20bae
SHA512 49a4ab478e326a5b820399c64169cf1a28bc1c7f00cc3a3c5b34b3e5f0553527087c4bd43eb2b4244202186f47e5ea969bf962290ce338f0e28b974d2af6d767

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\met9937.vmd

MD5 eebb8da8e062bd685542bffe0bb94e74
SHA1 75faddb50b83eae36988c1e3eab075fe8d5a3415
SHA256 ec58f79fffd619862667c1a7644ad34f76c4623f2b7857a5341640c893d4de18
SHA512 8a23a32b28a558e9a5d3a615d4412b768af8948f132b09e97ca121471db46693a4d05ce4df64f1ad951749d65c4d19000e08f7870d99eef9b90b62d2864f1bfa

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

MD5 ea88f208883a61145d61db8279eae5b3
SHA1 9940e3b818695d517b267ce6bc3230f96ee35663
SHA256 20b000356e443933ae9a2f38af6404227fa36f8186793d62d1078de1f942ca67
SHA512 0372e7ff31cc98ab7c6017a43bfe3fe43b786dbe3f479ee3cdce2bbfba701c91d367b37fae5a463a25f9c2deb9f180989e6f28e8d62862731deb30b806e252a3

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\metA909.vmd

MD5 d39c2a872b313f71c47f6bef8a44b425
SHA1 fb0b1e55ba114f0ec0856cec44934c692690e487
SHA256 84f5b0b1ecb3612db2d369b18c758cd0de8ad31b371943343fc5b776092fceae
SHA512 b21b234843480ade18abbfc1dcae5edd536def427bfbd39d0c384e439c2b0692d1654703e32b4648ffb6f719fc1236edbc588bffd242ea7792fbb41b82d65b7a

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 d8212924840d3a3bccdfaf7f7b543ce6
SHA1 92dd07aab414a88552799a71ea10f35b29584586
SHA256 6a4b6c3c720a89f2b4e3d4abd4e93a234792be006a3ab6d95af1aa05cfdf9fd4
SHA512 6662a837f600918ec82947b198845f38eb890191609f6fcdb9365b542752b1313b4419a5bc8d90f25ad2a2c70512249b2207d39aa59e4400690ad5ecb4aec1c1

memory/2184-3207-0x0000000005AD0000-0x0000000005B15000-memory.dmp

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

MD5 91556002d2ad06a9eb072230af74f0b4
SHA1 18a91faed752e330b631273eb31a7812186babcf
SHA256 385ccae65d6c67e66f8a514d227bd363d959a131e167e59969419f977c421f56
SHA512 f9cbd01f52724f38b864058400c3a292f833cb6046f5dc32d6a47da760e84c4ee7396f35da319b02f5465c932bc3f44fb921d996da2a64e8951c08103154838f

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

MD5 412475ef1907d32f51784154f6d0c8f1
SHA1 38f5ebb35a037481b32f3d5ff5912d08d63ff2bb
SHA256 e136890ebd7ee5e0df97329a5b1556b48b77b62e4b1a9f612c1acff6d77ba707
SHA512 f68af166b2dee91401e434164d045616777f1afb68d482295d6e64d0595b262bd4239e8a8a0118ae80adfd31647ecfa78e7cbdd7591e962c2b85ef2d2cdd044e

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat.o1d00000888

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx.o1d00000888

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.dat

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\ml_online.ini

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\et7983.vmd

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\gen_ml.ini

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\views\et7983.vmd

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

C:\Users\Admin\AppData\Roaming\Winamp\Plugins\ml\recent.idx

C:\Users\Admin\AppData\Roaming\Winamp\winamp.ini

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:11

Reported

2024-11-17 15:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe

"C:\Users\Admin\AppData\Local\Temp\Setup_10024.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\nsaAC8E.tmp\nsDialogs.dll
