babadeda | 4265da988658800f37c41dfdefe6469133e43203b45e47751588600f779d3afa

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a30d48a3a024646fcce9c8625f7d343.bin.exe
Size

20.4MB
MD5

3a30d48a3a024646fcce9c8625f7d343
SHA1

17f696c1c51cf5e7ad1a6280d80571849f2b971b
SHA256

4265da988658800f37c41dfdefe6469133e43203b45e47751588600f779d3afa
SHA512

5e95d69ea4effe083f5729fc63d025ac46bb3a4d0a87a9a8119d5dee82c49cdcba37741d677e6e835b297cbd77f8073405f34c694ef47209868f4c5162b994b4
SSDEEP

393216:WUuAZ1IwUF3NnsQ6W9eZB7/sMmkNw02St4yQJUuFe2HiuYpIsjPq4NJVeq/:WUrZ1IP/nsWejVNVF255dCRp/j1yw

Score

10^/10

babadeda crypter discovery loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e8a-157.dat	family_babadeda
behavioral2/memory/3728-173-0x00000000078F0000-0x0000000007D9D000-memory.dmp	family_babadeda
behavioral2/memory/3728-183-0x00000000078F0000-0x0000000007D9D000-memory.dmp	family_babadeda

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winamp.exe

Executes dropped EXE 3 IoCs

pid	Process
2256	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
3728	winamp.exe

Loads dropped DLL 12 IoCs

pid	Process
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe
3728	winamp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	winamp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winamp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\info107	winamp.exe
File opened for modification	C:\Windows\info108	winamp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3592	3728	WerFault.exe	83
3836	3728	WerFault.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winamp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winamp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winamp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2740	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp
3728	winamp.exe
3728	winamp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2256	4808	3a30d48a3a024646fcce9c8625f7d343.bin.exe	80
PID 4808 wrote to memory of 2256	4808	3a30d48a3a024646fcce9c8625f7d343.bin.exe	80
PID 4808 wrote to memory of 2256	4808	3a30d48a3a024646fcce9c8625f7d343.bin.exe	80
PID 2256 wrote to memory of 3664	2256	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	81
PID 2256 wrote to memory of 3664	2256	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	81
PID 2256 wrote to memory of 3664	2256	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	81
PID 3664 wrote to memory of 4120	3664	3a30d48a3a024646fcce9c8625f7d343.bin.exe	82
PID 3664 wrote to memory of 4120	3664	3a30d48a3a024646fcce9c8625f7d343.bin.exe	82
PID 3664 wrote to memory of 4120	3664	3a30d48a3a024646fcce9c8625f7d343.bin.exe	82
PID 4120 wrote to memory of 3728	4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	83
PID 4120 wrote to memory of 3728	4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	83
PID 4120 wrote to memory of 3728	4120	3a30d48a3a024646fcce9c8625f7d343.bin.tmp	83
PID 3728 wrote to memory of 3116	3728	winamp.exe	84
PID 3728 wrote to memory of 3116	3728	winamp.exe	84
PID 3728 wrote to memory of 3116	3728	winamp.exe	84
PID 3116 wrote to memory of 2740	3116	cmd.exe	87
PID 3116 wrote to memory of 2740	3116	cmd.exe	87
PID 3116 wrote to memory of 2740	3116	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\is-FM51G.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FM51G.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp" /SL5="$1001D4,20492506,832512,C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\is-6PNG6.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6PNG6.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp" /SL5="$B01C8,20492506,832512,C:\Users\Admin\AppData\Local\Temp\3a30d48a3a024646fcce9c8625f7d343.bin.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe
        
        "C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in Windows directory
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout -t 5
        7⤵
        Delays execution with timeout.exe
        
        PID:2740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 236
        6⤵
        Program crash
        
        PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1044
        6⤵
        Program crash
        
        PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3728 -ip 3728
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3728 -ip 3728
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GSA Backup Manager\DDCore.dll

Filesize
147KB

MD5
16ba1969a3b74bcaa3d6773ba1ab6844

SHA1
6d71fdc783a13e5c93350ae7233653320f36f905

SHA256
9e5c81b8f0d9e6fc5e038c88ce738974c2325e9238cb7c89be766fc2ac89c5fa

SHA512
b07af23de05cac007f28a57b6e7ebc00e19d54ae1fb90f146ededfe6ee6aa009d478e490a22401e121b33ad35a6d1ebbfaad7effc2f8cec8e13ef968e97877a9

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\DDCore.dll

Filesize
147KB

MD5
16ba1969a3b74bcaa3d6773ba1ab6844

SHA1
6d71fdc783a13e5c93350ae7233653320f36f905

SHA256
9e5c81b8f0d9e6fc5e038c88ce738974c2325e9238cb7c89be766fc2ac89c5fa

SHA512
b07af23de05cac007f28a57b6e7ebc00e19d54ae1fb90f146ededfe6ee6aa009d478e490a22401e121b33ad35a6d1ebbfaad7effc2f8cec8e13ef968e97877a9

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\MSVCP140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nde.dll

Filesize
180KB

MD5
9aa20f78c012bb1efa1eff57fcda6ff8

SHA1
9c4389463029509e41c149968d51ac61eedbde82

SHA256
b34aeb6801aa2c6a3ebd397b04c14bf8dda9a87ac998b733fcf43315e89e9a09

SHA512
58df5b24097b9309efc5908df831d487bb7af8cee47d89774dfa5250fc8161fb84648e750ea4fc02c92ebf86e0a7cb0e92690ace90a548bf4c64865b1e20475b

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nde.dll

Filesize
180KB

MD5
9aa20f78c012bb1efa1eff57fcda6ff8

SHA1
9c4389463029509e41c149968d51ac61eedbde82

SHA256
b34aeb6801aa2c6a3ebd397b04c14bf8dda9a87ac998b733fcf43315e89e9a09

SHA512
58df5b24097b9309efc5908df831d487bb7af8cee47d89774dfa5250fc8161fb84648e750ea4fc02c92ebf86e0a7cb0e92690ace90a548bf4c64865b1e20475b

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nsutil.dll

Filesize
479KB

MD5
a09694c05b0fc21377223789a33bce10

SHA1
0b9cbb4de28fd050d40d1706097efb71a15bfb25

SHA256
c0436892c7b9d0013a892000b00966f24bc76507ac13d51cf7ede810b8645fd8

SHA512
9801526c39e09b202e80551a9e6fdf5444105a66c8b3e21f30d73500f7b3ee5e66ab054f1c452b4aa902ad2b4c690d363b41502bccf411d8609e6dc1dd0d1c6b

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nsutil.dll

Filesize
479KB

MD5
a09694c05b0fc21377223789a33bce10

SHA1
0b9cbb4de28fd050d40d1706097efb71a15bfb25

SHA256
c0436892c7b9d0013a892000b00966f24bc76507ac13d51cf7ede810b8645fd8

SHA512
9801526c39e09b202e80551a9e6fdf5444105a66c8b3e21f30d73500f7b3ee5e66ab054f1c452b4aa902ad2b4c690d363b41502bccf411d8609e6dc1dd0d1c6b

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nsutil.dll

Filesize
479KB

MD5
a09694c05b0fc21377223789a33bce10

SHA1
0b9cbb4de28fd050d40d1706097efb71a15bfb25

SHA256
c0436892c7b9d0013a892000b00966f24bc76507ac13d51cf7ede810b8645fd8

SHA512
9801526c39e09b202e80551a9e6fdf5444105a66c8b3e21f30d73500f7b3ee5e66ab054f1c452b4aa902ad2b4c690d363b41502bccf411d8609e6dc1dd0d1c6b

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nxlite.dll

Filesize
237KB

MD5
e788352b5dad6b57193e208e80831083

SHA1
d0f3e96255fcec92f12efe1cecd3c764c0b3f7de

SHA256
0b0165ce80ae16e01e5a5f4bc946bd80df95e0e543ebbda803588030f90f8f78

SHA512
79db28f38d206c2517fbf2d199d2f8702b2aad0d5b36b07c754f8883de5dc571cea4a27642881322cdaa8feee82a8b2408c514991693e96cc90f2540c3da64ab

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nxlite.dll

Filesize
237KB

MD5
e788352b5dad6b57193e208e80831083

SHA1
d0f3e96255fcec92f12efe1cecd3c764c0b3f7de

SHA256
0b0165ce80ae16e01e5a5f4bc946bd80df95e0e543ebbda803588030f90f8f78

SHA512
79db28f38d206c2517fbf2d199d2f8702b2aad0d5b36b07c754f8883de5dc571cea4a27642881322cdaa8feee82a8b2408c514991693e96cc90f2540c3da64ab

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\VCRUNTIME140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\fmt.dll

Filesize
100KB

MD5
5377d5e1489af181a502b058b18eb8ab

SHA1
90b8ef5ed482871ec353c104536aaf72d8baea54

SHA256
b3c30600616b93fda649f93dbaf67a1430432024cb0bc8b816ce89ab16352ef0

SHA512
e1f522199f78062bf7fe9b3a7d8f81e115199062aa0cc042edb60dd053747fbd6ae306ee7add977fe7624e9840f09e09c7bd7325f1c3ba584e2b074fa3c9eabf

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\fmt.dll

Filesize
100KB

MD5
5377d5e1489af181a502b058b18eb8ab

SHA1
90b8ef5ed482871ec353c104536aaf72d8baea54

SHA256
b3c30600616b93fda649f93dbaf67a1430432024cb0bc8b816ce89ab16352ef0

SHA512
e1f522199f78062bf7fe9b3a7d8f81e115199062aa0cc042edb60dd053747fbd6ae306ee7add977fe7624e9840f09e09c7bd7325f1c3ba584e2b074fa3c9eabf

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\fxui.dll

Filesize
4.6MB

MD5
7259be44bb84b3147e58d87e89355523

SHA1
5f39919ea6f80daba9832438542f4c62c4f55d40

SHA256
130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350

SHA512
95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\fxui.dll

Filesize
4.6MB

MD5
7259be44bb84b3147e58d87e89355523

SHA1
5f39919ea6f80daba9832438542f4c62c4f55d40

SHA256
130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350

SHA512
95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\fxui.dll

Filesize
4.6MB

MD5
7259be44bb84b3147e58d87e89355523

SHA1
5f39919ea6f80daba9832438542f4c62c4f55d40

SHA256
130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350

SHA512
95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\js.zip

Filesize
1.6MB

MD5
655358c23319cf833afdfbf97fe78ec7

SHA1
58bac28b528d64345a93e25643128328d50c3761

SHA256
829cfa83aff95273d1c8b812c81a9bb02764403932337733d863f9c02790804e

SHA512
80ac76bddc377ebb121a668669128352f0f7ebd756aa4d81a2becdaad5e082ebdad0ef3839a79e74999e42748593e0e03e79234f41a8221d947ac2a108af39ae

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\libhmap.dll

Filesize
32KB

MD5
d58d8ac1bbd1734e6ceda17ecd0b04c2

SHA1
911aac3715eec5ebd30c7cc05cecf55332e0b722

SHA256
60149f318be263e391e74137060ef2b2bda9d15361ce40779a76e508140bfccd

SHA512
52d1755b6ac22447e4848a9f745bb43eb1ddf48d6f13f06abeb07a66ff10583bac7dc2c851b4bb2d7673f4ceae00de6f71b5f831171c1e7b9446ea4f227c131c

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\libhmap.dll

Filesize
32KB

MD5
d58d8ac1bbd1734e6ceda17ecd0b04c2

SHA1
911aac3715eec5ebd30c7cc05cecf55332e0b722

SHA256
60149f318be263e391e74137060ef2b2bda9d15361ce40779a76e508140bfccd

SHA512
52d1755b6ac22447e4848a9f745bb43eb1ddf48d6f13f06abeb07a66ff10583bac7dc2c851b4bb2d7673f4ceae00de6f71b5f831171c1e7b9446ea4f227c131c

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\msvcp140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\paths.ini

Filesize
30B

MD5
8ad85a252352aa655f18d1b9300667b1

SHA1
5d2939f3b6c29739303f2caa4560d1f5376309c6

SHA256
fb7293e289aa918d2cbc3c362cea48dd061b0e12616924460466f26df28ff05c

SHA512
aa3c14551846a2a89b7c4ecbb9ac63e3c83501de5e088634c77e92ffd068a0aa547ad5c0d06890b553469013ff0de0dfe2058de86677966ace9c4d0b8c7b5525

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

Filesize
2.3MB

MD5
0c7fcf9045547aa235ec345877f5d557

SHA1
e704d13ad4dda1a61b30a51460eb83db6570bf32

SHA256
6e67f21c0f64a103daebde136697d824fd630d7048492fdefad9d357dc002cce

SHA512
d5623fc7f76799aa3eb447f9c3823286418881a73d1df3f72a7aef8bef88e46c7834b9646bb1780669a30d7ba0393b5f6bcec4819976c2b7ead1dafdf7618de5

Download Submit
C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

Filesize
2.3MB

MD5
0c7fcf9045547aa235ec345877f5d557

SHA1
e704d13ad4dda1a61b30a51460eb83db6570bf32

SHA256
6e67f21c0f64a103daebde136697d824fd630d7048492fdefad9d357dc002cce

SHA512
d5623fc7f76799aa3eb447f9c3823286418881a73d1df3f72a7aef8bef88e46c7834b9646bb1780669a30d7ba0393b5f6bcec4819976c2b7ead1dafdf7618de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PNG6.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp

Filesize
3.0MB

MD5
3f2a608fbbe8dc5829d6991093ea014e

SHA1
1cda3c2738c2185a24423b93e7f9fbbe6b4300ba

SHA256
2f25b851d010702076e70969360dcbe2221d32e4ca0abe1d4debca1ba7b9fa31

SHA512
3e44793920f15753d8d5bfe22427b2e25e72f4f36f87609fae0a7c7adca743fa3858224f49d17e27581a8071e8314688771a27fc877052d8113fa1824860bcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FM51G.tmp\3a30d48a3a024646fcce9c8625f7d343.bin.tmp

Filesize
3.0MB

MD5
3f2a608fbbe8dc5829d6991093ea014e

SHA1
1cda3c2738c2185a24423b93e7f9fbbe6b4300ba

SHA256
2f25b851d010702076e70969360dcbe2221d32e4ca0abe1d4debca1ba7b9fa31

SHA512
3e44793920f15753d8d5bfe22427b2e25e72f4f36f87609fae0a7c7adca743fa3858224f49d17e27581a8071e8314688771a27fc877052d8113fa1824860bcf9

Download Submit
memory/3664-138-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3664-168-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3664-143-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3728-166-0x0000000004D30000-0x0000000004DAC000-memory.dmp

Filesize
496KB

Download
memory/3728-183-0x00000000078F0000-0x0000000007D9D000-memory.dmp

Filesize
4.7MB

Download
memory/3728-172-0x00000000078F0000-0x0000000007D9D000-memory.dmp

Filesize
4.7MB

Download
memory/3728-173-0x00000000078F0000-0x0000000007D9D000-memory.dmp

Filesize
4.7MB

Download
memory/3728-174-0x0000000007DA0000-0x0000000007E6C000-memory.dmp

Filesize
816KB

Download
memory/4808-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4808-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4808-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download