babadeda | 4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3

Resubmissions

27-10-2022 02:22

221027-ctn9naachk 10

25-10-2022 20:31

221025-zap36sdger 10

Analysis

max time kernel
179s
max time network
227s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9fe45f68df07a631b9ffda604af62c5.exe
Size

38.1MB
MD5

a9fe45f68df07a631b9ffda604af62c5
SHA1

47baf9832d6812906af41b57bea1337b03969c19
SHA256

4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3
SHA512

f6e6857788492e1cd0ce4d6da4d5c11f04efc65b7895e0da084f3cea1c2b4ec0267d04bd54885eb191ed31ebf16db02f120048201ee176a6de62dc790f56e367
SSDEEP

786432:WHwiu9WaDmAq9AHhIbznxWBEZ2FACXPyXXaDPgG1pvUybb2d00aHMGae:WHwvWAmAq9yhIPEBAC/yHg9YybSd00Q/

Score

10^/10

babadeda netsupport crypter loader rat

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/memory/1080-136-0x0000000005130000-0x0000000009630000-memory.dmp	family_babadeda
behavioral1/memory/1080-143-0x0000000005130000-0x0000000009630000-memory.dmp	family_babadeda

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 3 IoCs

pid	Process
1080	Mp3tag.exe
564	client32.exe
752	uninstall.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url	Mp3tag.exe

Loads dropped DLL 50 IoCs

pid	Process
1824	a9fe45f68df07a631b9ffda604af62c5.exe
1824	a9fe45f68df07a631b9ffda604af62c5.exe
976	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1824	a9fe45f68df07a631b9ffda604af62c5.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
1080	Mp3tag.exe
564	client32.exe
564	client32.exe
564	client32.exe
564	client32.exe
564	client32.exe
1080	Mp3tag.exe
752	uninstall.exe
752	uninstall.exe
1660	MsiExec.exe
1660	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	uninstall.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\H:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\T:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\W:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	uninstall.exe
File opened (read-only)	\??\A:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\R:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\L:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\O:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	uninstall.exe
File opened (read-only)	\??\O:	uninstall.exe
File opened (read-only)	\??\N:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\P:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\Q:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	uninstall.exe
File opened (read-only)	\??\K:	uninstall.exe
File opened (read-only)	\??\P:	uninstall.exe
File opened (read-only)	\??\Q:	uninstall.exe
File opened (read-only)	\??\Y:	uninstall.exe
File opened (read-only)	\??\I:	uninstall.exe
File opened (read-only)	\??\E:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\G:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\I:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\K:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	uninstall.exe
File opened (read-only)	\??\L:	uninstall.exe
File opened (read-only)	\??\S:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\Z:	a9fe45f68df07a631b9ffda604af62c5.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Mp3tag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Mp3tag.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c0fcc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0fca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1603.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0fcc.ipi	msiexec.exe
File created	C:\Windows\Installer\6c0fca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI124B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16BF.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1924	msiexec.exe
1924	msiexec.exe
1660	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	uninstall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1924	msiexec.exe
Token: SeTakeOwnershipPrivilege	1924	msiexec.exe
Token: SeSecurityPrivilege	1924	msiexec.exe
Token: SeCreateTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeAssignPrimaryTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeLockMemoryPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeIncreaseQuotaPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeMachineAccountPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeTcbPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSecurityPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeTakeOwnershipPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeLoadDriverPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemProfilePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemtimePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeProfSingleProcessPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeIncBasePriorityPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreatePagefilePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreatePermanentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeBackupPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeRestorePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeShutdownPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeDebugPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeAuditPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemEnvironmentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeChangeNotifyPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeRemoteShutdownPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeUndockPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSyncAgentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeEnableDelegationPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeManageVolumePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeImpersonatePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreateGlobalPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreateTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeAssignPrimaryTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeLockMemoryPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeIncreaseQuotaPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeMachineAccountPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeTcbPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSecurityPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeTakeOwnershipPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeLoadDriverPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemProfilePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemtimePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeProfSingleProcessPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeIncBasePriorityPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreatePagefilePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreatePermanentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeBackupPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeRestorePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeShutdownPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeDebugPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeAuditPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSystemEnvironmentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeChangeNotifyPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeRemoteShutdownPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeUndockPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeSyncAgentPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeEnableDelegationPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeManageVolumePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeImpersonatePrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreateGlobalPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeCreateTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeAssignPrimaryTokenPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe
Token: SeLockMemoryPrivilege	1824	a9fe45f68df07a631b9ffda604af62c5.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1824	a9fe45f68df07a631b9ffda604af62c5.exe
780	msiexec.exe
780	msiexec.exe
564	client32.exe
752	uninstall.exe
752	uninstall.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1080	Mp3tag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1924 wrote to memory of 976	1924	msiexec.exe	28
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1824 wrote to memory of 780	1824	a9fe45f68df07a631b9ffda604af62c5.exe	29
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1948	1924	msiexec.exe	30
PID 1924 wrote to memory of 1080	1924	msiexec.exe	31
PID 1924 wrote to memory of 1080	1924	msiexec.exe	31
PID 1924 wrote to memory of 1080	1924	msiexec.exe	31
PID 1924 wrote to memory of 1080	1924	msiexec.exe	31
PID 1080 wrote to memory of 564	1080	Mp3tag.exe	32
PID 1080 wrote to memory of 564	1080	Mp3tag.exe	32
PID 1080 wrote to memory of 564	1080	Mp3tag.exe	32
PID 1080 wrote to memory of 564	1080	Mp3tag.exe	32
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1080 wrote to memory of 752	1080	Mp3tag.exe	33
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 1924 wrote to memory of 1660	1924	msiexec.exe	34
PID 752 wrote to memory of 1920	752	uninstall.exe	38
PID 752 wrote to memory of 1920	752	uninstall.exe	38
PID 752 wrote to memory of 1920	752	uninstall.exe	38
PID 752 wrote to memory of 1920	752	uninstall.exe	38
PID 1920 wrote to memory of 388	1920	cmd.exe	40
PID 1920 wrote to memory of 388	1920	cmd.exe	40
PID 1920 wrote to memory of 388	1920	cmd.exe	40
PID 1920 wrote to memory of 388	1920	cmd.exe	40
PID 1920 wrote to memory of 1172	1920	cmd.exe	41
PID 1920 wrote to memory of 1172	1920	cmd.exe	41
PID 1920 wrote to memory of 1172	1920	cmd.exe	41
PID 1920 wrote to memory of 1172	1920	cmd.exe	41
PID 752 wrote to memory of 2028	752	uninstall.exe	42
PID 752 wrote to memory of 2028	752	uninstall.exe	42
PID 752 wrote to memory of 2028	752	uninstall.exe	42
PID 752 wrote to memory of 2028	752	uninstall.exe	42
PID 2028 wrote to memory of 1868	2028	cmd.exe	44
PID 2028 wrote to memory of 1868	2028	cmd.exe	44
PID 2028 wrote to memory of 1868	2028	cmd.exe	44
PID 2028 wrote to memory of 1868	2028	cmd.exe	44
PID 2028 wrote to memory of 1760	2028	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\a9fe45f68df07a631b9ffda604af62c5.exe
"C:\Users\Admin\AppData\Local\Temp\a9fe45f68df07a631b9ffda604af62c5.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH-Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a9fe45f68df07a631b9ffda604af62c5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1666837612 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 343CB1A3CCF8F1467D32F515D7E02986 C
  2⤵
  - Loads dropped DLL
  PID:976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63C0A0946EB246A1AC995E3350C02BB6
  2⤵
  - Loads dropped DLL
  PID:1948
- C:\Users\Admin\AppData\Local\GMDH Streamline Manager\GMDH Streamline Manager\Mp3tag.exe
  "C:\Users\Admin\AppData\Local\GMDH Streamline Manager\GMDH Streamline Manager\Mp3tag.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Roaming\NetSupport_v_2.22685\client32.exe
    "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.22685\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:564
- - C:\Users\Admin\AppData\Roaming\NetSupport_v_2.22685\uninstall.exe
    "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.22685\uninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{E7AD46A7-6578-45D9-A690-BF58D33BA6B5}\check-KB2992611.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic qfe get hotfixid
        5⤵
        
        PID:388
    - - C:\Windows\SysWOW64\findstr.exe
        
        FindStr "KB2992611"
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{E7AD46A7-6578-45D9-A690-BF58D33BA6B5}\check-KB3033929.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic qfe get hotfixid
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\findstr.exe
        
        FindStr "KB3033929 KB4019264 KB4022719 KB4025341 KB4034664 KB4038777 KB4041681 KB4343900 KB4457144 KB4462923 KB4467107 KB4471318 KB4480970 KB4486563 KB4489878 KB4474419 KB4493472 KB4499164 KB4499175 KB4503292 KB4503269 KB4507449 KB4507456 KB4512506 KB4516065 KB4519976 KB4524157 KB4015549 KB3197868 KB3185330"
        5⤵
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{E7AD46A7-6578-45D9-A690-BF58D33BA6B5}\check-KB3063858.bat" "
      4⤵
      PID:1668
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic qfe get hotfixid
        5⤵
        
        PID:968
    - - C:\Windows\SysWOW64\findstr.exe
        
        FindStr "KB3063858 KB2533623 KB4457144 KB3126587 KB3126593 KB3146706 KB4014793"
        5⤵
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{E7AD46A7-6578-45D9-A690-BF58D33BA6B5}\check-KB2921916.bat" "
      4⤵
      PID:1352
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic qfe get hotfixid
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\findstr.exe
        
        FindStr "KB2921916"
        5⤵
        
        PID:1932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03F61D54BA71B24256B7C1DFD0DD2752 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC51.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\FastNoise.txt

Filesize
1KB

MD5
03d6a3dee63f32cd6e64a24e8215301c

SHA1
a2624070ad77e592691cedaf64ae272bf0c3b04e

SHA256
ad4bdae53bad35e6f0e1c7174225ac9fe6547f63507953010294217492e887d3

SHA512
2727f6e740be1be2ade3a6eb3ab27984f50e4f3bae9320aac89514b58edf5e1861bfde34e80a9c761fa40de716ccb338a35b002b4f4af9487efdc0a213ba309a

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\Mp3tag.exe

Filesize
8.6MB

MD5
92c1655770e49b1dc19359ea1f02e780

SHA1
16b459328f086dd988bfb2b45288d32652400301

SHA256
bf9a506f8c9409fe9609c9590477fdb5cbd185c7b76344260a2494ec064feb28

SHA512
b5e7d6eb435411449402840161d47ec17a6d7f24853e3536d0619dfec5b5fead9de9336560a434735c343e2d96f22d97b9be6c5a52e708c97ced6999808946f6

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\Mp3tagSetup.ini

Filesize
68B

MD5
193d596a9dfae1b99ec2d39a872f05b7

SHA1
7b8c32ce86f2aeb49aaad38f47f5c9864aab2eb8

SHA256
59d189b0d6b992eee46798b1bd6b8cd062114e0ab94f3ea05f85ab72b3e3f67b

SHA512
dd4f5f498261dd292db920342bc77d374d2f171b169483f15294b0229e4211dafbf4e56347c9e0cd66376df921c624c252f57d252881d71037a1386c711ae56c

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\Mp3tagUninstall.exe

Filesize
175KB

MD5
4871a9fe3e0e70600fd13a57fc8c3698

SHA1
35d16ea83fbfe6723656585476b3c89961250d1b

SHA256
7414ca5e3ef2096a2cb513ab4928f48bdb52eb5dbf386d70a4697aa5bcf18312

SHA512
1caf65fef5012eedaaffd29f2d8a8b20120ac3e9eeb1a26ab6394bebfee763d5779c27db173e27e9afb80941e96b943018b4d3138152fb8fd7ff11102cde62f8

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\Mp3tagVersion.txt

Filesize
146KB

MD5
fc1d9424d7d72d925ec6817385858554

SHA1
b0adbfdfdf02a162fcfd5d3b8a562cd972f466ba

SHA256
d648b4142108917d2e65877dfb41b5761ce1df83107b62a56374088a1ceee1c2

SHA512
dfa4a4f1b42daabbef3f9baed5dc879690b8440e5f1b521f1090a13c6ca76700fe0b0fbd860d8c09331d136677aab1a0d41260d09360b9eeab7a5aac6dd6701b

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
86279521328398e87699d248628eb13a

SHA1
e4d4c39bda90635f1f5c2fc58b1304e2daac9caf

SHA256
3c9b67616fd0ceb3dd92e605918b08556683ebab5537aa76dff300fbd54b0337

SHA512
2cc328955611ad8369ff9facf9c1aabe99a20c3ded2977ad86c69e0f54acd78fa6f572ed688625c8c63016826a10b3578e3c186ef2b39c4bf393ab5e399913a6

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
422adad24e8da100f85bf3de86b5f302

SHA1
7004b3ed8663b5890cd25e1a7899a766be912728

SHA256
e04642684dc7376839c570bc11e9b46cae14420f1a85f7562fd2c4d656a22956

SHA512
e689ecb1a1cb1e7735cb6a961fd054d87bcad01acf76950b14a3bf4e08ddb7a8d31805c203374ee081a4ec13c40b25b3dc83b3895b9bfbd9c135673e98e6ee63

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
c8d52cde743f4559e6eda1472ad44277

SHA1
09a19c5c5bc45dbf5391d882015b47cdad4b5631

SHA256
d2926dcb85ab577be75ecab1fc8dcd062318f147e0a9262a3b807bb5acb62beb

SHA512
3a031f282303cf664c6ab04c1561598595ef776799005d8ac7ae091ffd140e4d1d1e23b9f6783618c2bae4dc4d1cf741fdb3f83390d6854de97d85af4c940b23

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
6e306654a55454e40889407e9334da0c

SHA1
0612894d9fbd8f92299541535f78db05fba3a78e

SHA256
eb02fc995bb92b214dd684e24c1060735f61ad4884ccb4aafa86c7c1de66d621

SHA512
f5a6980824cbfa82c47b20581658eb9fa8eeb2dbcf6bf9b148fe09099a3b131c2a4cc2a129135e708fb72f1cc43f083f93fc85a0e03209b75dfcc09106b977ac

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
8dcf3111501ed0a01855ebb328537bf7

SHA1
2134bca1fa16133632a1b3f28fc38edc15e933ac

SHA256
76f092341fbef40d5f35f70bab55f2eeb3e70a9b60f46043b342ceab7f79cef1

SHA512
4cb596ca11b4941571f3b998c98707bdf45ad608c9f661e0f0ae528fdb797190c9bb22e58ff65a98e52e3e51396f4c8b22229eefe54f0a73eb49c79d07ce1604

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
b0537a9eccc0f909c0715fc93b473d8d

SHA1
79e9929c83f5f73314c52f26be4147a74aa80e23

SHA256
8784c4912a2f391d5f0c79b38f48baf88e98bf4fa61614ccb9232d9bd1e4ad54

SHA512
d68e50361566e8800afb5fae32c65c90d2ac7877f9a02f3e2e6af61ccd8f99b484c808a9ba62ec9e4727481798b3d3f4f74d19b16c6ed80536cf89351071bab6

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
602a35b140d9d68d7b3e488896158365

SHA1
f1ba615abb54ff786ddbc74dffffd56394bfc892

SHA256
43b98f74476c86107c8317749f54a107e2955696e4f79d3d02683dd7034d1d52

SHA512
4388947f90838cae8b5f8137c9ed2a099028b4341da8c574d536c6ad096bad0e217e105f0367750c70e3d3ca4857255b674955c71ecff0fda9c47a4b1951b8b6

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
98b1e6d052cee5ccbb7e5af795b9f48c

SHA1
357ef3f8011d7e7f1d4cb30beae58d24d6b05085

SHA256
5c950723ff3118801884df67b6a14543978263a2d2a0437d8c8b2fe8ef3925d4

SHA512
31d961ada87eedfc4c1bb8938b0c4b44842153f4450f48a0c1dc12208f5c1ba62b076ef91a0dbd1c3f98d1e96517904b95e072002c50d2873c8638ddb25417d7

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
a8f889870885c5784afd47f5e3d33eed

SHA1
494b86c51c8908d17e563c80da0d42350aaf1155

SHA256
8979fe86afe23035caedd5df135786da2b28c095b69ce0179b6484fd680c9b91

SHA512
bb18675a9b311e4c34806ec834886659a95207a4ec9b48b082f5fa0e05f016b9f946db29c7aa20662b4090c7f42a606f9f3a5df48d7ed20c5b404ccf91a1b7eb

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
56813b784a1f8cdabedcc10de6e84864

SHA1
b636ba140e1ba7de5e59932702e7b4e53025d651

SHA256
98ee724aa3f5a8ec4f3f8596be5aba5cd19b556f88ef9fbaff1569051a4d0dc1

SHA512
f11739be9ff624044035678cf39b91d28a53f1ac56342baf985a4328da4c64c81107d7e1787ee50efb382472e4d46bb21c520918b8831edc7f6b3db70befa068

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
2557484c75d4507688b68a64882e0022

SHA1
ff78c6d44f7474d98402f8e17cfce5d712c41b95

SHA256
50b3e4ffee430c1b45f0ca75959936608f756ae5eb0352e8f3f5f69c5adfaa20

SHA512
e1c502e889664a46acaf0d8cab5d5082f46ad3f6f1a24ec702ec5174d077fff51cce7f80b13c5c22704937ce380ec3b14c088955d94eef1050d293c078869870

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a07afa26ab56a8d3b8b16591a1962005

SHA1
2b6f3143487f747911ee20f039f1ffb1381858ac

SHA256
6be230837149dc2a8c7772142a674c3f90930a55da7f91d791942d8276d5440b

SHA512
b77b277d10cf6b8d209679684ead55b4347caef3213acdccdee35b5d4fe0e3fc136daf057830512c5473c4653a8d66357927c4b7d204c07d7508f792299d7fe9

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
258caf72fd7c60586b4bacfee6b37872

SHA1
4a473ff7cdf254336cf2ff3ddeb03bd047b35af5

SHA256
04c0a5392a18a7555635cde23f9111ea4da550c309827b725a74bb6fd4f0cc64

SHA512
121a366f79ca1c9212d109d1f72a53b31f0bf0394b947949e2a0191629ace8ed107118e512bc8f4e9b43a84b6c936422372be2ff497f2cf13276217b15d079c5

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
10KB

MD5
cec2f0ac232cd07d217299386118692b

SHA1
7cd8218afc5ccf528bb2807168e11e5820c8bddd

SHA256
a5f4f23b01cac69058b7ec0e30b470f90bfc6d40de20e618c3045bf06e4a2cfd

SHA512
e06fc36de71caec6732d2553b5afcd6daf0b8eb4f1aea7d6f6c2ae00b3e3f4172c932458ebb6644e41dd26a48b66dbe935a40bcee68aa7cad4af155befe7019f

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
01cbaa0aafba1275cc23c29f139d399e

SHA1
5ca1434545c02c3f34bc9facf9b2eecc89ec3a24

SHA256
dcb3fc36c43a402b4b35644f1e7f6d6db31ef8d0a731c3b882e2cf3201a6714c

SHA512
f5a3d05690bf409d2b8d7eb96ac4fde1e2d27add79945d6d9f2482ee61c6698ee0e167e9677a61a435d99175979e8651f34b92a6d057236254a0a2ba1a9cc79f

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
efbbbcef1514840d5ad9d8c084a0147e

SHA1
d046a440556ff7b9857963d86dd050ccd6b0533c

SHA256
9c1d190c85b9ccfb171d3db4ec363c97a3452bb365dd75dbda5ec9cad1a5d803

SHA512
fe78850b3acaa725f4a3f65fccc3c2644ef43eebe3c0083c0d4e9e967cfb230d966dee87dcd8a27f4dc452d7e72ea7efb24ab7b9dbcd58ab81f78d0d110829bc

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
ed215daa7493bf93c5eadef178a261e0

SHA1
b20c8dc7ba00f98a326f5f4fd55329b72f8e5699

SHA256
8b7c8fc657e0dab0f2506001ca4bb76e675ffd18a2b4d9c1e03b876e008a7a26

SHA512
3ed052eada11c3dc44f81f330bd2a2526170515bc6a90281872a93ee49f9add8c9ad36b9a9e9185e251d664c1694d06625e0148e113addc32e53d705d2655f03

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
aed0b2511a396bb258a7bc7bb646b951

SHA1
151b08d20538990b894afef34de451708b5f334e

SHA256
fb7ffa16bfdf7392535b8e78a86db89ed9032f67a16b127a105582fab118cf2b

SHA512
dd7cdb5f401dce1566e331a3184ebd2c71f6d2dc4eb59f384bfb2daea8ce8a146d7449d989da2193abf30cd568e67bc932e28c8b93c7d6beceac0c7cb9ae1f5c

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
a9c7db516186c8e367fed757e238c61a

SHA1
1318d6496e7146e773aca85be6d0e9b87a09e284

SHA256
ded52bac23633a03341969c5b98b0d94d24fa3284c1ddd0c489e453b39cec659

SHA512
6aad003287afe86abccf34f6b15338c0c7380f4837805d919064a26380d2f3f7698515f927c148e618c12f0943d3621184bebc70a8b07eed64ad88689fbcc5cb

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
7294cef433dd8afa73982ea96dbd6f6a

SHA1
c73b123197e6ad47b13febeafa912fdad566c8ee

SHA256
21c57c8ae9407cedb50bcebf7f844a5933d274676f3194a87997672c7177cadb

SHA512
24048bd06f0a3ce593eadab4fee4e26aa339faba52ae52dd36f0c66ee5d7c166f68fff8ff5dbfffde26588351ca4b6de033528dd4b0a15b0afe3ddcaf13b8661

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
6e044455d104db0a31983ba722394d00

SHA1
aec808b8c70326506b7a07241b6aac817ca8bfa6

SHA256
7b5d400a141f363f553f61fa11e94a6851d1eeb510cb7988012862ed13208c97

SHA512
eb092e48f9bc4edac67ba5cc11199ad06f313a37df1b29053e105843519a59ada48915a5448d74d464cd1b05e0750c0f4339e6aed6390b31acbeff2d84f9b166

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
c6385b316bb04ca36d76b077eeb9a61e

SHA1
fc376f68798fecd41fb1c936eed1bce3f2ee6bef

SHA256
060636cfc58587b4344a6d0ff4f44dd77266f2bbdb877cb50cb1b44a7e3969bc

SHA512
bddf0f34bedb17ecf1d270a0613f27d174ae04f920192d7d1af6c15245175318b29691e748c36e2ce0a3027495b2f5a0bb688ae16095fad9dcd8c283b6d1b1d4

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
311e582d5d3d8421e883c4a8248eacc8

SHA1
c99e61d1446fce0f883a2aad261af22d77953a59

SHA256
369cc4d3bb05f4160a0bc9683feb1df2e94d02f061e4b23d53c3a6e2230cd5e4

SHA512
050ed1310e667e6bb22bb7952794745df1eee0c78f18240cc2217e748a11213d094b48153964c3da0ad8141da1709ece637315633396c77c035bb0565fa981b4

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
10731d3320c12abb62d3866d7e728cce

SHA1
df4e131c825d1ca5cd14e00e5c04785d6ca508f7

SHA256
9f3eb90963916194f167e98e049707b14fa84a3f11cb8cc7b940d95956601700

SHA512
7eeef98682872fd95a38a03435546349c8488607e59870086b486b807e8b53893603175d9ad0f3b80c1924381daca8d14868a6079988a944b005783b4e2e358e

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
cf5f256e8cd76ba85e6c3047f078814a

SHA1
b7cde77313ceaae76a46c1111b33b3d8f47c4214

SHA256
9382fc8d5cbcc23c5d05e6f48f4188af3f96efbbdc5a7ec05b37e252440ecfc1

SHA512
856eff4fff1d11a725af9c3e5ceac6d02a89297a16e97edec171839aa12c468fc37d60ec5df06d507cee695f71b7fbd4bc0ba51b7934d886e66a43b249e62da5

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
60ffdc3ef20b127e3fd14a0719328c34

SHA1
b510833350328f79a79fa464ea9d5e9455643659

SHA256
43c9ea4ddecf2f34852559cf0b40b5261e6701d3743ab219f48d43a312707ad9

SHA512
caef6ee08c9f6fabecef1f0be37ab34e2d4dc22f15a775b2f0dcacda1f0fcdf2259399e6fbab85f0f00e8e4b03d77fe88b85b901a9ba2f775a50f2da724da26e

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
78dfcb76dc8b42411dbc682f78f5c6eb

SHA1
e50f6719fee44c70518cf8442737a688b5f45e62

SHA256
8673dd898f899de831fc3052c8b8254b7b85ee7f2b9b6c422736668689c9b14f

SHA512
968bb3bc952f4057f74c9c8825fcc2db34b9c56166ee39db3bab3d4ecf51fb65af250a8a65340274a1a0c0eed73b6c8962df5d2fce586c1ef4e19706edd5e6e1

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
a11597ab7e11d673c8f0b9082f16abb6

SHA1
09efc61cea01812db305cfa8b8ff95b4acad3b1d

SHA256
e2c9693500cc7ce5cba81f81a68abf2ca783e187cfbaa9b52dd6c157c940a854

SHA512
3fd3b0ebed8e97bf4c6dfa4ff2ce3c9b5e82905c2d8d674da64f4e3a9b0362c8b35f10895445d34b008b00c77b7d5ea079416d34b10ccce99fe6c7da6d17d72c

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-private-l1-1-0.dll

Filesize
64KB

MD5
8f2b23d0d913fca49fb5b9a715a73519

SHA1
6adde370204c8fde3979f707fa6306f831dea8ec

SHA256
722edc4fcf0cedc233f56227848b25318e2c211d5b3a4944fc294551f80d2652

SHA512
bc8e7b572fbb9a5cc5110617b1bb525fb41f0f435dfff7a332571785d50dfd43449fbacdd3c2ffe64539a26fbd33147f1b219f167b55eb7825249eb3237188da

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
48e6bb6df76fc8f009b066f588b13c1f

SHA1
1db7352875992737effbc487252ccfa09ac3dc53

SHA256
253caf243f9fd21f45c052384ed08f4c10ed0da0dc3ac55aa1c9e4249e1103d9

SHA512
0c4ad3cfd90515c27efdb7e9fac2082e5a33a006f38c5be526e7a85d3046b28424c10d59ad88bda72ec07445231dffda47326de2451df65a2cddec791bf83623

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
8bd7a27e6ca969d3eb46086d411ce05d

SHA1
3bbf6f55853b1487debca58d7cb5c877d0abd517

SHA256
8edc95578b8c9ca93a65907e428fa2b57fef8370b902912689332bc61094904c

SHA512
fee8359398efe6a995a214d4e47de43aba12d33bb9cb1de18659d332d94ef83a4a77618b6caa9f455b0c6da4c10ab459209d483b9e778d9b522771ca692ca454

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
f681a45c47ebb2c56c1465677ec33ff3

SHA1
06bf7798c51325cf1806e14dea56ff98b05b7846

SHA256
3a03d727d291be57057587227273af410eda935438d8a0a165ec63ae772809af

SHA512
eeb05f1af7e1c714c658e9aa06e8c6dbeeb5f2e8dcf3fdb7b9b408018e41402d83893472114e0cf6d3a9a3bf54ec45c4f7a4840a09570d190277aa3514681ab8

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
00446e48d60abf044acc72b46d5c3afb

SHA1
0ccc0c5034ac063e1d4af851b0de1f4ea99aff97

SHA256
82d26998b4b3c26dbc1c1fff9d6106109a081205081d3c0669e59d20d918bc5a

SHA512
69114f0efb3c853bffb55c15e5ad1b7919057a676056d57634a6a39916e232cde2dcdc49ea0f9751ddea6550ffa58f84b1f8918b3c9fd7e88c8b8f7eb4afeaf2

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
376b4a7a02f20ed3aede05039ec3daf0

SHA1
c9149b37f85cfc724bedc0ecd543d95280055de1

SHA256
b0b8fc7de3641c3f23d30a4792c8584db33db6133ee29135c70bb504e80e4a2c

SHA512
ff7fba7cd8c9b55c1c87104d7d9074ef0eed524b02480ecf2c80e5cd489c568e1ed63bc62699a03272cab3dcbf20e6437e1f47ce112bcb3336d27ed2790430c5

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6376bf5bac3f0208f0a5d11415ccd444

SHA1
c3fe96e51c3f3e622dcedd2ddf8d23f9442361b8

SHA256
e36763df57cd26ec2b4d52e27de51a4ca6f18caf86cbac8307bf4817705f9a0e

SHA512
9614e423c850bdb584f18555825214d42106966b1ee71e75ba7407591aa5de407b43909ce972e1923df82e9a0e953597fe19646296962194ebeb1579493d91c2

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\cpuid.dll

Filesize
65KB

MD5
66cc9189d93b34fbc90d199c9b90f9d7

SHA1
bc7128ce3af3ec90b695feb63976f90e6c94010e

SHA256
bcfaf8b17923b18091b47dae3db34967ff773c970cb116e00782acf5bb1b33ec

SHA512
17b70865c7c17beefd77da2acbaf16f45537f6b74dd0881858444cc868eb47cb6390e48ae650de00828a392a78f1a2547d5c189e49460ba749586b6e58161b9d

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\gumbo.txt

Filesize
11KB

MD5
4e6e3a246bc1ccf52fa84868df1d1b0a

SHA1
cbc61fce2fd732b6ebb98642bca199ace8652d26

SHA256
17fa39b5f12225602d967c908f39d3598be207d652bda3ca9deb6a426e2b909d

SHA512
81a070239cb0a6ee7d22f2611886411a6d9fc98ea09ca417e303043e955d97b881c80735b07924c42292e6c35d142fadb454db94d5bf3f871d7dcfc3620ef396

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\lame.txt

Filesize
605B

MD5
bc5b9d872fe40e70045dfc9b09186b97

SHA1
a672ac7498f5980d97fe97602f845cdb0d6bdd0c

SHA256
326de616457909152879072ac3cd3f811445a82fef19b6141b50b36cb2f8f40b

SHA512
f3da5a6e2d68e5f121235d3ef34bb6dbd4f67ff3cc4d021b185261455628ac4705cf2b8ced659328aea091cb6e1a8cec4bc2e86c2e5e0a1e831ea8b6f8228c47

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\libogg.dll

Filesize
17KB

MD5
b05f5447cd2457ede470a822c4f5bfe9

SHA1
56e68959d483174e841844a1d1b3f6f7fc0ebc51

SHA256
b5ee1821c351a38494f69ff5408762fada4ad103b82c1ba4a87e67ddfba1d62a

SHA512
3d690bfe2d380541b24e695966bd1b16afb2e1b0d77d3610f3c1d080e98ccdef17674b0f51a8f3f55515bec885fcdc7ae2e7ae6b4bcc8cf3df7301becab31953

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\libresample.dll

Filesize
79KB

MD5
4f29a41a2cbda9f77865932b899c2121

SHA1
7aeecaddb0568dd526378becbf4f783192238da4

SHA256
3d742f33f681c4eacc3f011170bf597e9d6ae5c41dda0070df61fcf23181f611

SHA512
fc7abec42e52bc5f7775cf71b8447c2a0c586f7d4c5d84c2c9433c99552892d53f37a1c78d2b15153671f6a6a8b15c164e7793015d21fd9c112acb071a3b9428

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\libresample.txt

Filesize
2KB

MD5
e9da4d1a73ab0aca4d0139d73944b6a7

SHA1
8e13d85dd589f84a12caf61e860f8ab063f99747

SHA256
bd65e3af3b1e6266b97bd458260e1573e8abdf3d4bb0718626f6b93d949269f1

SHA512
5581d8940e46902b7e354e9172e13f51a4072bc7ec6e090d1eabeb841564ac2dab43a247c92a78bbdc1e77a9448bff0ebd61a09b7725fa6353856503960b52ea

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\mpg123.txt

Filesize
25KB

MD5
17aa40ae4eed636dab627e286e4695b3

SHA1
0d7791d148674d4ef2139ea75460cf14138252cf

SHA256
48e27fa4fea30b20d7ed02fc2321f9bdc5b479bc3c19a5224bc0269dce0dbd74

SHA512
cfc19d823c2cfbd23e90b51f3afa7614ec3eb3209f82ac94e0a303f2ffe6f370115cc2c3f2fea93108b1bde8c65b22dff6ad365cfed5a0e4ed2bdeaf0553a7c6

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\oggvorbis.txt

Filesize
2KB

MD5
30b29f32974206e317404805ef05c58a

SHA1
4629fea096ba0db41d65f5cd6b92757e581e79cc

SHA256
2cba6d23f7c45935cb9fb68589b6b622bfc5df4d7ddebfff3e6e0a87a15e0d0f

SHA512
4c5b8686b378db4576a917e10997262e2bc55d6faae11422e6135be20f1612298253d43e7570d56c4c584638723f75990f2bd05670f48b577acdc8f0a2914caa

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\uriparser.txt

Filesize
1KB

MD5
addf299d53664aef098ff6b168efd390

SHA1
0676c571934c44efd23f3f9fcde00f7486b6d93f

SHA256
23f2cd0c81dc56b88f1a048928775830b6f322257bd7a009f2fe7d74ec37ba85

SHA512
defdde3359f201a689740cfaef4858b7a90f96bba8be6c560062cdfd6021e1bfd3b4a337fd32d5d464690f21e7e1a7ede6449d5ba06bd4abeedd7b007db9af87

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH Streamline Manager\webp.txt

Filesize
1KB

MD5
19f0b6b4a88473e1eed9ca57e11045f4

SHA1
00a7d2da8ecfab54b7859887e65ff57c71774f84

SHA256
17c029a902ad45a199dfe8e3a1c39305ab28d302b0703360c4a27351a4673dcb

SHA512
1c0c3284eaaaa2282faea552cf9346330ea8e2db9c2e3793114fae1593db5941ddebb0d1ee3f47f97de651be4fd394b076543c7da17f6b052d6c9844f4b1a454

Download Submit
C:\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\33119ED\GMDH-Setup.msi

Filesize
1.6MB

MD5
70f26425d8321b9f8c7dd762d39f77bc

SHA1
acc0c11ac06bb8806914330154c274b561c0abfb

SHA256
ab8deac18c092699c537070756d3473ce50460d54369f8f01407962a573b2244

SHA512
8133a69c504a1fb35ba6eb841f9332e3a089dbfa78c9d521c3792f8ae6ac4a7311e96316ee70909dbd99b39a8b9cebe3a9d1cd1b30cb2f891a49645174fd1cad

Download Submit
C:\Windows\Installer\MSI10C4.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI124B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI1603.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Windows\Installer\MSI16BF.tmp

Filesize
630KB

MD5
8ecff5e8777908818edd94721ddc349d

SHA1
a3ffcfcffae1b44261c1b1a64917ac898c40b9e2

SHA256
1c450659c7681df9df21b20412c9647e7e8e5bf0f2945c48b1ab51f330f2516b

SHA512
8418049fe52dcf6e294cf58d200b7a7d8e704ba592b3f59243c4c5a4d661c60f8db97540badd9a1718547a0047b39316ec7917c43ddcb8a71bebad49e7baaf08

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC51.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Roaming\GMDH LLC\GMDH Streamline Manager 5.30.13.1\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Windows\Installer\MSI10C4.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Windows\Installer\MSI124B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Windows\Installer\MSI1603.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Windows\Installer\MSI16BF.tmp

Filesize
630KB

MD5
8ecff5e8777908818edd94721ddc349d

SHA1
a3ffcfcffae1b44261c1b1a64917ac898c40b9e2

SHA256
1c450659c7681df9df21b20412c9647e7e8e5bf0f2945c48b1ab51f330f2516b

SHA512
8418049fe52dcf6e294cf58d200b7a7d8e704ba592b3f59243c4c5a4d661c60f8db97540badd9a1718547a0047b39316ec7917c43ddcb8a71bebad49e7baaf08

Download Submit
memory/752-142-0x00000000727C1000-0x00000000727C3000-memory.dmp

Filesize
8KB

Download
memory/1080-143-0x0000000005130000-0x0000000009630000-memory.dmp

Filesize
69.0MB

Download
memory/1080-136-0x0000000005130000-0x0000000009630000-memory.dmp

Filesize
69.0MB

Download
memory/1080-129-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/1080-139-0x0000000011B20000-0x00000000135E8000-memory.dmp

Filesize
26.8MB

Download
memory/1080-130-0x0000000009630000-0x00000000096EC000-memory.dmp

Filesize
752KB

Download
memory/1080-144-0x0000000011B20000-0x00000000135E8000-memory.dmp

Filesize
26.8MB

Download
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1824-55-0x0000000073921000-0x0000000073923000-memory.dmp

Filesize
8KB

Download
memory/1924-58-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download