Malware Analysis Report

2024-09-22 16:41

Sample ID 230220-pwr5jsba69
Target 74fc503e1100f6c092cc42c3d747fc31.bin.exe
SHA256 591a2d0da6253f59300d647ef5847187e0250458187a10675f6699b7e1ba484b
Tags
babadeda crypter discovery loader spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

591a2d0da6253f59300d647ef5847187e0250458187a10675f6699b7e1ba484b

Threat Level: Known bad

The file 74fc503e1100f6c092cc42c3d747fc31.bin.exe was found to be: Known bad.

Malicious Activity Summary

babadeda crypter discovery loader spyware stealer

Babadeda

Babadeda Crypter

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Maps connected drives based on registry

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-02-20 12:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-20 12:41

Reported

2023-02-20 12:43

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\info107 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
File opened for modification C:\Windows\info108 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe C:\Users\Admin\AppData\Local\Temp\is-R0J9C.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp
PID 1072 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-R0J9C.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe
PID 1988 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp
PID 1060 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe
PID 1488 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

C:\Users\Admin\AppData\Local\Temp\is-R0J9C.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R0J9C.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp" /SL5="$60124,20492506,832512,C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp" /SL5="$70124,20492506,832512,C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

"C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"

C:\Windows\SysWOW64\timeout.exe

timeout -t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewzwea12.top udp
NL 84.21.172.161:80 ewzwea12.top tcp

Files

C:\Users\Admin\AppData\Local\Temp\is-R0J9C.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

C:\Users\Admin\AppData\Local\Temp\is-QF6U8.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

C:\Users\Admin\AppData\Local\GSA Backup Manager\fmt.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\MSVCP140.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\ucrtbase.DLL

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\DDCore.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\libhmap.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\paths.ini

C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nde.dll

C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nxlite.dll
SHA1 d0f3e96255fcec92f12efe1cecd3c764c0b3f7de
SHA256 0b0165ce80ae16e01e5a5f4bc946bd80df95e0e543ebbda803588030f90f8f78
SHA512 79db28f38d206c2517fbf2d199d2f8702b2aad0d5b36b07c754f8883de5dc571cea4a27642881322cdaa8feee82a8b2408c514991693e96cc90f2540c3da64ab

\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nxlite.dll

MD5 e788352b5dad6b57193e208e80831083
SHA1 d0f3e96255fcec92f12efe1cecd3c764c0b3f7de
SHA256 0b0165ce80ae16e01e5a5f4bc946bd80df95e0e543ebbda803588030f90f8f78
SHA512 79db28f38d206c2517fbf2d199d2f8702b2aad0d5b36b07c754f8883de5dc571cea4a27642881322cdaa8feee82a8b2408c514991693e96cc90f2540c3da64ab

C:\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nsutil.dll

MD5 a09694c05b0fc21377223789a33bce10
SHA1 0b9cbb4de28fd050d40d1706097efb71a15bfb25
SHA256 c0436892c7b9d0013a892000b00966f24bc76507ac13d51cf7ede810b8645fd8
SHA512 9801526c39e09b202e80551a9e6fdf5444105a66c8b3e21f30d73500f7b3ee5e66ab054f1c452b4aa902ad2b4c690d363b41502bccf411d8609e6dc1dd0d1c6b

\Users\Admin\AppData\Local\GSA Backup Manager\Shared\nsutil.dll

MD5 a09694c05b0fc21377223789a33bce10
SHA1 0b9cbb4de28fd050d40d1706097efb71a15bfb25
SHA256 c0436892c7b9d0013a892000b00966f24bc76507ac13d51cf7ede810b8645fd8
SHA512 9801526c39e09b202e80551a9e6fdf5444105a66c8b3e21f30d73500f7b3ee5e66ab054f1c452b4aa902ad2b4c690d363b41502bccf411d8609e6dc1dd0d1c6b

memory/1488-129-0x0000000000B50000-0x0000000000BCC000-memory.dmp

memory/1988-131-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\GSA Backup Manager\js.zip

MD5 655358c23319cf833afdfbf97fe78ec7
SHA1 58bac28b528d64345a93e25643128328d50c3761
SHA256 829cfa83aff95273d1c8b812c81a9bb02764403932337733d863f9c02790804e
SHA512 80ac76bddc377ebb121a668669128352f0f7ebd756aa4d81a2becdaad5e082ebdad0ef3839a79e74999e42748593e0e03e79234f41a8221d947ac2a108af39ae

C:\Users\Admin\AppData\Local\GSA Backup Manager\fxui.dll

MD5 7259be44bb84b3147e58d87e89355523
SHA1 5f39919ea6f80daba9832438542f4c62c4f55d40
SHA256 130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350
SHA512 95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e

\Users\Admin\AppData\Local\GSA Backup Manager\fxui.dll

MD5 7259be44bb84b3147e58d87e89355523
SHA1 5f39919ea6f80daba9832438542f4c62c4f55d40
SHA256 130944dbf10de1cacb1a2446c6c264d5266787b4840a41e55e9e1eaf99047350
SHA512 95c16b7147a0a561fba54debc48e44dc662dbb77e0371312bf78c3395e554502e28188d56103aa34cb2b1d42f6100d8ac8b764e0d452a1c19d72d0ee2cfd2d5e

memory/1488-135-0x0000000005A80000-0x0000000005F2D000-memory.dmp

memory/1488-136-0x0000000005F30000-0x0000000005FFC000-memory.dmp

memory/1624-143-0x0000000000000000-mapping.dmp

memory/1488-145-0x0000000005A80000-0x0000000005F2D000-memory.dmp

memory/984-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

MD5 0c7fcf9045547aa235ec345877f5d557
SHA1 e704d13ad4dda1a61b30a51460eb83db6570bf32
SHA256 6e67f21c0f64a103daebde136697d824fd630d7048492fdefad9d357dc002cce
SHA512 d5623fc7f76799aa3eb447f9c3823286418881a73d1df3f72a7aef8bef88e46c7834b9646bb1780669a30d7ba0393b5f6bcec4819976c2b7ead1dafdf7618de5

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-20 12:41

Reported

2023-02-20 12:43

Platform

win10v2004-20220812-en

Max time kernel

134s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VJQJH.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\info107 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
File opened for modification C:\Windows\info108 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe C:\Users\Admin\AppData\Local\Temp\is-VJQJH.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp
PID 2276 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\is-VJQJH.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe
PID 2112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp
PID 4364 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe
PID 2988 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

C:\Users\Admin\AppData\Local\Temp\is-VJQJH.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VJQJH.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp" /SL5="$50060,20492506,832512,C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe"

C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe

"C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8TJ8G.tmp\74fc503e1100f6c092cc42c3d747fc31.bin.tmp" /SL5="$60060,20492506,832512,C:\Users\Admin\AppData\Local\Temp\74fc503e1100f6c092cc42c3d747fc31.bin.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe

"C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\GSA Backup Manager\winamp.exe"

C:\Windows\SysWOW64\timeout.exe

timeout -t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2988 -ip 2988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 236

Network

Country Destination Domain Proto
US 8.248.3.254:80 tcp
US 8.8.8.8:53 ewzwea12.top udp
NL 84.21.172.161:80 ewzwea12.top tcp
US 93.184.220.29:80 tcp

Files
