babadeda | d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Size

7.6MB
MD5

ed1deddf6287d2435e1c4c02daf0278d
SHA1

7b67ed1f42e5cf388a0a981566598e716d9b4f99
SHA256

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26
SHA512

59fca204756d029f33bb6211c59fd1cd480fd106a7ed8d463d4d1400065ac929f21bf90562eaed88a4ba8ca376eedac537a6b635c81b3fa255d6b3a76eeb4b3b
SSDEEP

196608:V+gqLKB2pMcJa4n6Sq7YPi8TzF1Onq2f+VUGdGQcx+lEL:V+jOB2pvJx6SqgigF1UmJ/OL

Score

10^/10

babadeda crypter loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\manual.pdf	family_babadeda

Executes dropped EXE 1 IoCs

Processes:

mathparser.exe

pid process

840 mathparser.exe

pid	process
840	mathparser.exe

Loads dropped DLL 11 IoCs

Processes:

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exeMsiExec.exeMsiExec.exemathparser.exe

pid	process
2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
1724	MsiExec.exe
1724	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
840	mathparser.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

4 1012 msiexec.exe
5 2604 msiexec.exe

flow	pid	process
4	1012	msiexec.exe
5	2604	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\H:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\R:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\U:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\M:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\P:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\J:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\V:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\O:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Z:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Y:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f769e90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA24E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA404.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA58B.tmp	msiexec.exe
File created	C:\Windows\Installer\f769e93.ipi	msiexec.exe
File created	C:\Windows\Installer\f769e90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA182.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f769e93.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2604 msiexec.exe
2604 msiexec.exe

pid	process
2604	msiexec.exe
2604	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

description	pid	process
Token: SeRestorePrivilege	2604	msiexec.exe
Token: SeTakeOwnershipPrivilege	2604	msiexec.exe
Token: SeSecurityPrivilege	2604	msiexec.exe
Token: SeCreateTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncreaseQuotaPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeMachineAccountPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTcbPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSecurityPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTakeOwnershipPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLoadDriverPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemProfilePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemtimePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeProfSingleProcessPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncBasePriorityPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePagefilePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePermanentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeBackupPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRestorePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeShutdownPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeDebugPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAuditPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemEnvironmentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeChangeNotifyPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRemoteShutdownPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeUndockPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSyncAgentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeEnableDelegationPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeManageVolumePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeImpersonatePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateGlobalPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncreaseQuotaPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeMachineAccountPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTcbPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSecurityPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTakeOwnershipPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLoadDriverPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemProfilePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemtimePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeProfSingleProcessPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncBasePriorityPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePagefilePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePermanentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeBackupPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRestorePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeShutdownPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeDebugPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAuditPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemEnvironmentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeChangeNotifyPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRemoteShutdownPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeUndockPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSyncAgentPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeEnableDelegationPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeManageVolumePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeImpersonatePrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateGlobalPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1012 msiexec.exe
1012 msiexec.exe

pid	process
1012	msiexec.exe
1012	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

msiexec.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

description	pid	process	target process
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1724	2604	msiexec.exe	MsiExec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2168 wrote to memory of 1012	2168	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 2028	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 840	2604	msiexec.exe	mathparser.exe
PID 2604 wrote to memory of 840	2604	msiexec.exe	mathparser.exe
PID 2604 wrote to memory of 840	2604	msiexec.exe	mathparser.exe
PID 2604 wrote to memory of 840	2604	msiexec.exe	mathparser.exe

C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
"C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1712499478 " AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 331BA7E9325C31209300DEB2BB153422 C
  2⤵
  - Loads dropped DLL
  PID:1724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C78EDDA4CEAA38F312290FFC5FC1B24D
  2⤵
  - Loads dropped DLL
  PID:2028
- C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit\mathparser.exe
  "C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit\mathparser.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f769e94.rbs

Filesize
27KB

MD5
461b6c531840a0757ecc373e4923eaf5

SHA1
b84d77cb742c807b8c0d697db7c7dd5e8a5ebf1d

SHA256
fec6be6604de873d1dfd7acd8451ff2ddb344218d786edc12d1286480908a422

SHA512
3516aac180c8ac96d468de83f37843525a8982ee74315826787ea1d3c7d26b89bbfa9be7a976c52775c8285b602de20529ad9dc4bd31f2483e82fc286b9aa881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b8bf2e4ba7255fead9db410623a5948

SHA1
2cda268c99881fd45e76d8151dfc2ab0c31fa3de

SHA256
b79c6986b4d01e4884d18327f450f91ada18c245654897d00a338d3f45d895ad

SHA512
8acfa7aec3428c4e2b9b83acb807972af9706f0ac7ab5650be311fede5621ff689e7c122a2eab0b00101a403bfa0b4669a51ef9fa50254e7b075b9ad54ab7783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18247544ba9f887546936ab694eda8d7

SHA1
408adac99308738fce1f91472bd4e923f17f0e5c

SHA256
8440d1b881b8b6097b16d95cffd39dd383c0e97f4479b2f7ca3f77ff0405fd62

SHA512
5de21ceeb88e099ed530e73b0ee20de34d3c4d40b368db86c8c1773218d090c588c1f13c8c241e68e2187fe74641e60b0025956b7a2251c266918ca5cd59090d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab957E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D1A.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI99F9.tmp

Filesize
391KB

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9B22.tmp

Filesize
864KB

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95B0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D9A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\JxCnv40.dll

Filesize
3.1MB

MD5
7052d63610b063c859af7f128a0c05cd

SHA1
7d44391b76368b8331c4f468f8ddbaf6ee5a6793

SHA256
6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112

SHA512
8d34fdd4a48835b6db7ceda48716959e8c50bee04d10aa66044a880a78c13760cf314781f8e347644c5a2d71ff467577e431c70beaafcd52db72cb8044c9bc05

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\LICENSE.TXT

Filesize
648B

MD5
e861259956300fda84ba540e2a63e391

SHA1
5a842455b3d18d9371054bde9cfbad15f9a2aa95

SHA256
6a35ce1eb7da4598b066d2ec3663ab272b28c9bc83ec0ea2319c5708397fdcef

SHA512
c7c8514b4f79abcac214c998d9952048449876cd375d0cb55ee2efb8d2a19afec6dca4519bab4297dd0acf21155d90b849019c23f28fe82692f826488d12eade

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\MixPanel.dll

Filesize
49KB

MD5
abab72ed49b141ad05841d92ffbb425a

SHA1
058b173204910d6299e8adeba9b1e530502f238f

SHA256
eb8f046e2404e91748976f409814ffc862c40835d080c06d4b83088515851927

SHA512
9d2a81851b0bf2f65771e29726c2b58e1b07af0c840deb71283d19693d4a2ad00020aad3fdbecdc920dfdcbcb3f4ca4e7efe09ed0bbfa273738ad0fb7599ced7

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\README.txt

Filesize
1KB

MD5
1b715b15bd03b3c4f39273c051951a4b

SHA1
925f3b7dc176f7db479b99114df6dfd0e1053cca

SHA256
fec5a295a6f3289f1504c94d71a7e06777f36e35605059d15a425a9ae6d253c8

SHA512
dc017819b236b89c64171f5d69796e3a83333f5264d2c332376338a9955790b958b002658a3fa462c95cba9c01ff2e65674c440969fd9a79da11c3d7b3fc8e12

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\SdCrashReporter.dll

Filesize
52KB

MD5
f55d8ae20f049265aebe704e9df97fc8

SHA1
401534ad6a34b99929bfff3621d1de8777aa3d5b

SHA256
ce8ac2e3fee5ef0c3f0959f11220d061d41998ae973d9f9efb88c220c41598c3

SHA512
d867f722ca477766116233d9ddee06391829ee877c424d58e37cf06f4c8e3c4618a7c67d0804d382f4fbf216a2a27d87911bfba2b453ebecc37202d6fb95188e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\VistaBridgeLibrary.dll

Filesize
95KB

MD5
66010aedea55e9a4bbd300e089110193

SHA1
6f1333d62367dfc5ffead6b8ff822310709f1a83

SHA256
c9d1a4715b0982a8bda6eb2d69f5a17656880a43875146a6beee02b00fbede4e

SHA512
ffe4a419487b9e4eab8eded57cfbe3b9f46f12bf9c7e02e7dff79d14c33fc7ed0a346ca2a2624f033fe962309fa87d0ac6ba31e4fdaff4d9968cb8b0444bb712

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\adv.msi

Filesize
2.1MB

MD5
7448dc006a545059ba1258d4091b94c4

SHA1
a3da9ebfce37cc127307fc22a9cf247d93337c94

SHA256
b8860bc6b7e6581ce137e1ed1f65dcaaa74854ae02f6c7ce596d11ed803cc60c

SHA512
cbb9da1ca3a8d7df98b995fef9b8a6cf50e0497326b4dc38a4a8d973c2a662fd9fece6bbde7418427cd735d22fde3debd935433dd54143c12e2286a582627563

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\eula.txt

Filesize
10KB

MD5
b255e01ecedad3f7a600109b01943074

SHA1
0896cbd77645152c4c867e585ba2475af9e9819c

SHA256
5b756a48762ad896de58b973e4b87d4e76ff25023a727f0a08aad9ea66e7b843

SHA512
0e809e567c7aca6bd1a3b59a879864cc091bf24021da0f125a02a2881832a54bc2f9472cb4b9c80db7c44031dd11959ddf2988e359c6f855fce954aef7da982d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
862e7c478602f3bd7c1ad8ca710e2ef1

SHA1
ca22694cc6fc1caa96ca37135050ed967753b0bc

SHA256
1b89214126aacc175421aa0e288f6ccab860f5306f95aa1db145f0d22f7a512b

SHA512
ff774ee71c8db98ea074144ffa657a99d21944259ae607c36c19d7f3f79497d2eef1ef826905ee0095322fb5d317e1d5826a3edd309565a8afa0bbc160f6b198

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
d42ec3b301acfcda039530ee5914bf69

SHA1
dc705e5985443446e4c44f9f6588f08e28e8e330

SHA256
aee398a7d3a6bbc5204aed10c467725545355e2f264bf01b2712ef9c757b6d9b

SHA512
e5122a6f56b5f817fc40a0c67b6c6df68609fffeeb6c80718bf990dea829d4c1115614b82de1025b2075e7333c0cce7b327396613e0bd6db91a91b45b629fc5d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
1ee3e85f8257830697304e3bc93bface

SHA1
92486c4b9768fa14b146540ff072881a4de20c46

SHA256
97020c7255bc11b12e64c8f18d30a7d0bc51f907c7b78fca8d52fbc39cf75c1a

SHA512
c7949058dae0b045dd8605eb64a197dfeee54399fa24c3bc904bae6db2bd600076c352b2147b29df6f9916d07800c3f4c1e251eca76569e84a54f2b28045cf9d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
cc7f410250697d82bdd5d01baf6f9d83

SHA1
c29a67f5735bedb4e790230e686fd590c6ed00e2

SHA256
133d046a4fe796f8d9d218c93db7b9dafe430af41eae37235a32c4f074463438

SHA512
12ddf8471582bf9ead0bbe66c699be3c3b99e0947ebe600262155705c19b4889fabd9677e5c62304d92f2a9226fd09181d54fd5396e1c9d28e955beade8055e9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
ad76b31e75197975af306528a8f73d4a

SHA1
aa17254bae04e1fe52c823e7eaff302528fe2744

SHA256
03e1f20dc96309e51fe3b2314aac6bf0da1ceb68bbd3e03f5a388dd480503a3c

SHA512
d6deb03bd5957b407f50703cd119851742dfbd884e2a8268190c7f332d482fe11829cf73b5bb9df9850440ebf538bf1cf8affcf9f200167042e226d8ab9dc23b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
e167fb197b5932b5c60ac56aef01a34d

SHA1
e15cb4c8a4fbd6d80ba944728aa1d67675ce80ad

SHA256
a99237fcbc43b9834ccb4e8375c9b81a2508734035059d678c08d9c7b6b3ce05

SHA512
d817197cf64d7dc5d1a1551364cb4f5c1e29f4abf8ae6ebdbcd431e165746e04bb1fbc5af2927c46b09b802ac7e40196dcef88d3aeaaed2df351949e02ca95a0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
b5fbc6d861264c2cd1893159516ca619

SHA1
1abdeec3d766937a0743c83aeb3300c670377ded

SHA256
46fc69a51d3a6482a7a99f18f31dc1f3b361e1a58f4e4edf0f01610e9b599442

SHA512
383c6d0c204f70add0eff15fbba66c7e70e4b107834e1ea36645122b7a0a75703d94917f21e0da56fe9b5796c5812d038f43b552d2e54a16c93b2b2711b0a4ae

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
e8eedb9962ec4e13890a85dfe6300736

SHA1
72daed37d275a0ab13fd544db204fed308967ef5

SHA256
f3c0f3190836bb96e289d0df83b4a94a5aa9223e230775db5dec8c98afc7f949

SHA512
8957c598588d468850c1d1f82bc14a117575eb73f08349e2ba704e0e2e725e33918b6c5238dd5e1307c813b137f3dd216f75dd80400781108f2bfd514fd85f0f

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
54b4f86374ed83c3f4871f386273ded2

SHA1
96d0440fb5d57c314c5f87248d57768007a67808

SHA256
b861f21258e40495e03ca369e78759d26611a1fdd814d8b55aa05937b6d7e0c6

SHA512
c716213fb91608d39f4d1ca1a62b26fc02dce02f5fe8fb9f1e0615210a56bb60da1e8a71ae0e94ce64c71c2d90cc57d2451cd98e90eee9bb264c3abbeb8cada3

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
b72322c495daed471e4ffc9338d11388

SHA1
56e3ed76cdd923c6a6297f999a109d170c2aa511

SHA256
a8b18c966a299ece5b2332f29e60ad78ef4f54b5ff449d2f7539dfb9b39f0b1c

SHA512
fd085fd8ed0643d3a100e2f7f417e0717823f41a1f0c5f2fc5ffe198904bc8a3e84e6e44879231c61a39dc252ddf2a3e3a1f28deb16532c18e423ec58208c6ef

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
7ff957407851bb63beccf2a9aeec387e

SHA1
669bf4dc949c3558679084b8a2c057bf7ac036ad

SHA256
f6456315250f7c9a216a9d8b4c4e2bebedd4b364ab88f560744a0e460bcb262f

SHA512
7b57273b7d4096a8080300dfa1ed4388694b27abff165969dd59fabe7fd7a24ca4d98cfcda1fbf6d5cc6303bf5c57acc6345b6c0e78f1b87deef1ba3c05a516e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
483B

MD5
23d34cfd73e18438d7a352fc58008a67

SHA1
38c6158ed085dcfa9144a3f8ff3fcb801a10ba1f

SHA256
e8178172cb8280545c3e115b09e14cd42b04910018758f7d46959469f11c2ade

SHA512
b73d7de71189ea0fedc014b5ab53317237d4f7becb29af6d9b26e1a76b8297b9d0ffb6dde52a39410d057ed750345b2da1fd19cfc4c67890e55a529124ab4190

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
703B

MD5
b26dec1a2e40b83920fb139e8dcdd7d8

SHA1
138ac87485192cef25f033c18cb72413cd9d6120

SHA256
333307048a93f4fa05d55525751f297df8451feee3c7149864d40bf95748c09a

SHA512
37c7717a5fd3b6d13003327eb15d3653d75271ff5cb96d0d14b01221e485080508c67c2c059d804004dc770f62f50c16f548b31e506976d75e7d011ed00537c0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
845B

MD5
5f07cf4b314e6e85bfb821b5ce85b5a7

SHA1
9cb06700e8503949b145f20e6a3dbfda727b70eb

SHA256
7482d6d528532f8afa81c83c01237b63a90caa029c649a47356438c6869ca8ff

SHA512
0574463b34353e5da88349661eef9209984e448201615df727a3f747c0954254881da0d06fdb165369e26ffa1ccae9e44e0a66e43c6c9e41d914c9c4dba893a3

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
4KB

MD5
f81b0ade573c74d35cb2c3323f961387

SHA1
9c00c76dab48a6de7cfd57b1988d8a8447b27902

SHA256
8c893e14b95cfd0ee58bd1e5c288dfa8516f263955e3bece794e73cf36dcfe80

SHA512
025888c2fd7744e792cf0a14ef7c24a3fdac690f849593d1576b1129f6bda70a9013a7a59245d32f1f401653dd1debdb97ca6a263ccbeb9e4254466acd05c5a9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
1KB

MD5
6d786d0492052cbed9073c342dcc3388

SHA1
e8fc3b8379318cafa2a8d6606633e17c8935467f

SHA256
f7b711849623eb1cf52c644dbc27f45c0bead848d3158b15915809af0ba887f7

SHA512
6ca7bd4363f2f65f9da4ad5a10b9119437b07c05b75bfc16030dec2fc018a426883db30cfbeb4ecef561146394de1f590562cfe12abd76994485622c25dcf1d0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
c0bef6146e2e48b4c69b9a5d739ed394

SHA1
49da14f062edfcd65f848db2697a16d24c5710a9

SHA256
61bb84c7a31ee9e82378e27103a49ebef8afda47b10318e8d34ec243f90fbf74

SHA512
6173725e4eb7901bb31513c42713d2ecc3d9d74deb0c3ed64174690ec1efaef977b842e6bd20643688ab0467dcc4d6b5f62c7e218b494e180966dadfd64722dc

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
cd65d392e4f6b26f9e74df077fdf6ac1

SHA1
7f6be789bdeff09dcb51621030dfc142f3bc0c72

SHA256
fbcfd285f0fa868f27b7d661e724dbe4db8176b15c357ca2d09107810763711c

SHA512
0208c5734b5a12aa4295e87808a65ca9cc5b4e76e78359b12fd737b140b5069f0272ca962fe52f0088377b79b7a19e1ea96453de0b1d0ef81736010df9e8c63e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
a417b1ebe3d8c4bdbf63ab7235cfc005

SHA1
a88c4f44c801dba9621697ec0dba2b8b0d7025b0

SHA256
ef9b9ab5433c85b8bcc013fa53003a5adce144fb2ef35b74e312be400181b3e4

SHA512
7fcf7780ece651ef1d9021d6b61fc050fb7c30fd0681c3dd163a76d9e9cf1f7e22adff6b5bad002a29b4b06d5e234722d406afcc0e880c0bc613d62d5e259139

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
3KB

MD5
cf3d216360fec663cc0e97166058f192

SHA1
5d73fdff0f87ee4dc3dfc26737ea2c5958678d41

SHA256
a70ca03c172770577c217302087bd5fb1e495a009627c984fa896d276bf770a7

SHA512
58f11ab4715bbfe8f311042f10e932fb2242df96a40b0472618abcd66d4836b503970d8b5f65e1c99deeda7cd9254f99e329faa45b2f1a4b16b79511e8956d36

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\add.png

Filesize
3KB

MD5
0128ad7e04e9a25c9ab4316c13d8deff

SHA1
55068a4cc67a2fe94ec15ee46be67ad367d31117

SHA256
3386cab5cf90d40db4f15e34c6bd15cb832848c6b61fa1ca5fa3ad60ae7d9b04

SHA512
93baa7a401192059fbd95bd82449e9461ef5124bf748d8a9226e3df9a7194fc5eebb105146258e2629f0b139d00e6d2a30eec09510215fd69b9f788f18784fcd

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\check.bmp

Filesize
574B

MD5
613f8a5427662e9fc08805a6ccfdf596

SHA1
7b4bccd143d286f455e98ddb04f36dd5e9f2f09b

SHA256
f6e2cc8eb2a197421fbb112383a7424d27ae66c26a423f2a2b446fd248e0cec0

SHA512
a218645a1bc0ede5b9c4ad4f87df3544fe43d88564e36a077a4b6dc0cf7fa3459c5ff85f2720085d170f00be7247f2696da9c1daf8d2979022bc52a3fb4b714d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\check_sel.bmp

Filesize
574B

MD5
380057851231099f05da502cec65e694

SHA1
45730f3ecf9e51206a152d4a822ebdc45bd96369

SHA256
9b2ebafa403c72e5a5baf02b9a49d91d73577ec3e6716de3c6a0b1d6d0682246

SHA512
3e3b36a4e84fb7198cbc467f94eef232cc57074436c7469c0c4f12796e355f69bdda7b054e0d9747031809aeaf23783cf4c1e0d0ab9d7ddceeba1ef8ff4372e8

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libffi-6.dll

Filesize
49KB

MD5
c4059a8eec8ad3abc6432238f7491a2b

SHA1
f1c6cf3fa216f73ba44bd481c685ef30cfd3d284

SHA256
a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da

SHA512
0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libgmodule-2.0-0.dll

Filesize
41KB

MD5
4d233a220f91de3b1510d017b5481942

SHA1
c59f449b0d09127d18268e7b07da3f7d749b2720

SHA256
08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0

SHA512
a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libgthread-2.0-0.dll

Filesize
35KB

MD5
cf2571c125fa1d2ec55b9977054f380a

SHA1
91014dd50f0eeb0d3d1faed77541c76a05b712b8

SHA256
02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3

SHA512
a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libics4.0.dll

Filesize
1.4MB

MD5
28267ea322e3975f1e98c64a1c77f509

SHA1
e1d92e085df142d703ed9fd9c65ed92562a759fa

SHA256
18f24841651461bd84a5eac08be9bce9eab54b133b0e837d5298dac44e199d5f

SHA512
2c0bd061a51e48c057fdd0b05dc959c48e79ef3df3ca1abec105b8be2aa53f416f92c109c23029a11d4d3e7e75529215877d41b5bfe5d462d844b3bae29c1a42

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libogg-0.dll

Filesize
45KB

MD5
84e8e72572d53558d52403011fa0d388

SHA1
865160da7dbfaaea224541eb44e9430e1a7b7b20

SHA256
ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f

SHA512
47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\liborc-test-0.4-0.dll

Filesize
51KB

MD5
00d68e20169f763376095705c1520c4f

SHA1
75ec5e1974654613c9eeeff047f1eb58694fd656

SHA256
3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f

SHA512
4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\manual.pdf

Filesize
2.2MB

MD5
079766094541035de5f115a9bbb4f583

SHA1
8423b25054aa78535c49042295558f33d34deae1

SHA256
6434913278186cb5b12ca38580a4e94b2ce2af83a836f7e50ab9c5ea8e265a59

SHA512
35b56c24d0b8aa2fec31ab9f329a1bfee15d97eb4fcce795e08bd15c5fd31726aae91c16bce0e1956cc2bbc2b529ace18212b09f47668e540f72079398dd3426

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\mathparser.exe

Filesize
5.9MB

MD5
dd9439b5cb3b1fc91181092f9da5aa69

SHA1
f2b8ab6f531621ab355912de64385410c39c1909

SHA256
db03917ca3cb91cdebcb681fa2733c1a2a9679e5201beeba21aee911de05973e

SHA512
6bf565095d1dee5acc4f05ff0c66adec3069e72ad371f517f7a763d273679f15eaa2c8f15b3dcce23f237786a014f9384f2d6c7e352b079c39707364f5c8ef25

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\mingwm10.dll

Filesize
7KB

MD5
a5a239c980d6791086b7fe0e2ca38974

SHA1
dbd8e70db07ac78e007b13cc8ae80c9a3885a592

SHA256
fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7

SHA512
8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\pthreadGC2.dll

Filesize
35KB

MD5
928c9eea653311af8efc155da5a1d6a5

SHA1
27300fcd5c22245573f5595ecbd64fce89c53750

SHA256
6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387

SHA512
0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\ssleay32.dll

Filesize
270KB

MD5
cb48c0854cf3264c3baa3c2da76ec014

SHA1
01152fecaf127f9874ce8c9978bf570aa6309beb

SHA256
dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b

SHA512
dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\zlibwapi.dll

Filesize
138KB

MD5
54789344b07bed58e43851eca47e2b12

SHA1
93c561365bc7f1cbb5385d0323ed81044a6ec276

SHA256
9f8729ac49e0ccea86fe3b1a9b2c3fae9986ecd09db92853e7a588dbda85bf90

SHA512
54d4af3de4b12ff8f25a4596cdb97bb32fd739217f99849bdebe5ca92d801cb5564d4407193bcbfaf8118e5d3391543a80ff08371e28c35c2c091d9ff90a3692

Download Submit
C:\Windows\Installer\MSIA58B.tmp

Filesize
569KB

MD5
0be7cdee6c5103c740539d18a94acbd0

SHA1
a364c342ff150f69b471b922c0d065630a0989bb

SHA256
41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

SHA512
f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

Download Submit
\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\decoder.dll

Filesize
202KB

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
memory/840-739-0x0000000000AA0000-0x000000000135B000-memory.dmp

Filesize
8.7MB

Download
memory/840-744-0x0000000000AA0000-0x000000000135B000-memory.dmp

Filesize
8.7MB

Download