babadeda | d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26

Analysis

max time kernel
175s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Size

7.6MB
MD5

ed1deddf6287d2435e1c4c02daf0278d
SHA1

7b67ed1f42e5cf388a0a981566598e716d9b4f99
SHA256

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26
SHA512

59fca204756d029f33bb6211c59fd1cd480fd106a7ed8d463d4d1400065ac929f21bf90562eaed88a4ba8ca376eedac537a6b635c81b3fa255d6b3a76eeb4b3b
SSDEEP

196608:V+gqLKB2pMcJa4n6Sq7YPi8TzF1Onq2f+VUGdGQcx+lEL:V+jOB2pvJx6SqgigF1UmJ/OL

Score

10^/10

babadeda outsteel crypter loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\manual.pdf	family_babadeda

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mathparser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	mathparser.exe

Executes dropped EXE 1 IoCs

Processes:

mathparser.exe

pid process

4644 mathparser.exe

pid	process
4644	mathparser.exe

Loads dropped DLL 13 IoCs

Processes:

d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exeMsiExec.exeMsiExec.exemathparser.exe

pid	process
5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
4100	MsiExec.exe
4100	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
2784	MsiExec.exe
5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
4644	mathparser.exe
4644	mathparser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemathparser.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\o:	mathparser.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\p:	mathparser.exe
File opened (read-only)	\??\K:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\S:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\i:	mathparser.exe
File opened (read-only)	\??\E:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\a:	mathparser.exe
File opened (read-only)	\??\e:	mathparser.exe
File opened (read-only)	\??\t:	mathparser.exe
File opened (read-only)	\??\w:	mathparser.exe
File opened (read-only)	\??\y:	mathparser.exe
File opened (read-only)	\??\R:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\j:	mathparser.exe
File opened (read-only)	\??\m:	mathparser.exe
File opened (read-only)	\??\H:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\M:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\J:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Y:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\h:	mathparser.exe
File opened (read-only)	\??\u:	mathparser.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\k:	mathparser.exe
File opened (read-only)	\??\l:	mathparser.exe
File opened (read-only)	\??\v:	mathparser.exe
File opened (read-only)	\??\I:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\N:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\X:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\q:	mathparser.exe
File opened (read-only)	\??\Z:	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4644-680-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe
behavioral2/memory/4644-682-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe
behavioral2/memory/4644-695-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe
behavioral2/memory/4644-697-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe
behavioral2/memory/4644-699-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe
behavioral2/memory/4644-701-0x0000000000600000-0x0000000000EBB000-memory.dmp	autoit_exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI31E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3307.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{425BB945-9C92-4B02-8A29-3C8B61D886E2}	msiexec.exe
File created	C:\Windows\Installer\e583033.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CD9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3247.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3267.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e583033.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3916 msiexec.exe
3916 msiexec.exe

pid	process
3916	msiexec.exe
3916	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

description	pid	process
Token: SeSecurityPrivilege	3916	msiexec.exe
Token: SeCreateTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncreaseQuotaPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeMachineAccountPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTcbPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSecurityPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTakeOwnershipPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLoadDriverPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemProfilePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemtimePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeProfSingleProcessPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncBasePriorityPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePagefilePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePermanentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeBackupPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRestorePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeShutdownPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeDebugPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAuditPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemEnvironmentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeChangeNotifyPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRemoteShutdownPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeUndockPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSyncAgentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeEnableDelegationPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeManageVolumePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeImpersonatePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateGlobalPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncreaseQuotaPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeMachineAccountPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTcbPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSecurityPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeTakeOwnershipPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLoadDriverPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemProfilePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemtimePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeProfSingleProcessPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncBasePriorityPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePagefilePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreatePermanentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeBackupPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRestorePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeShutdownPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeDebugPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAuditPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSystemEnvironmentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeChangeNotifyPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeRemoteShutdownPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeUndockPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeSyncAgentPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeEnableDelegationPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeManageVolumePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeImpersonatePrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateGlobalPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeCreateTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeAssignPrimaryTokenPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeLockMemoryPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeIncreaseQuotaPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
Token: SeMachineAccountPrivilege	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3584 msiexec.exe
3584 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mathparser.exe

pid process

4644 mathparser.exe

pid	process
3584	msiexec.exe
3584	msiexec.exe

pid	process
4644	mathparser.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exed4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exemathparser.exe

description	pid	process	target process
PID 3916 wrote to memory of 4100	3916	msiexec.exe	MsiExec.exe
PID 3916 wrote to memory of 4100	3916	msiexec.exe	MsiExec.exe
PID 3916 wrote to memory of 4100	3916	msiexec.exe	MsiExec.exe
PID 5008 wrote to memory of 3584	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 5008 wrote to memory of 3584	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 5008 wrote to memory of 3584	5008	d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe	msiexec.exe
PID 3916 wrote to memory of 2784	3916	msiexec.exe	MsiExec.exe
PID 3916 wrote to memory of 2784	3916	msiexec.exe	MsiExec.exe
PID 3916 wrote to memory of 2784	3916	msiexec.exe	MsiExec.exe
PID 3916 wrote to memory of 4644	3916	msiexec.exe	mathparser.exe
PID 3916 wrote to memory of 4644	3916	msiexec.exe	mathparser.exe
PID 3916 wrote to memory of 4644	3916	msiexec.exe	mathparser.exe
PID 4644 wrote to memory of 3556	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3556	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3556	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1332	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1332	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1332	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3728	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3728	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3728	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3612	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3612	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3612	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 660	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 660	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 660	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 836	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 836	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 836	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 752	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 752	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 752	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1204	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1204	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1204	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 1740	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4380	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4380	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4380	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 548	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 548	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 548	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 5000	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 5000	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 5000	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 968	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 968	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 968	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3892	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3892	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 3892	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4016	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4016	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4016	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4028	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4028	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4028	4644	mathparser.exe	cmd.exe
PID 4644 wrote to memory of 4408	4644	mathparser.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe
"C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1712518290 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:3584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D624B4192DE0E36578FB81FB5DFB31C2 C
  2⤵
  - Loads dropped DLL
  PID:4100
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 128C93BD6B06BCDA9EE622B52BDFB285
  2⤵
  - Loads dropped DLL
  PID:2784
- C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit\mathparser.exe
  "C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit\mathparser.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583036.rbs

Filesize
27KB

MD5
5eb8ccd64c05d9c204850fb3e7220388

SHA1
fd6e5e6a2f42f158ea9565476ddc99240a5c0899

SHA256
169bff717078376462f66444d851f6e805a945162ce5e98702bbabd762ccece5

SHA512
3f791b19969526ca17b77b94a1b9db1c3d8252153317807a62620c3a1e7985e18a57b883d43121a02517dd2a48ff7fed70bd3da14bb958c4ec69f65b7fe714a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1FB9.tmp

Filesize
391KB

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI21CD.tmp

Filesize
864KB

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\JxCnv40.dll

Filesize
3.1MB

MD5
7052d63610b063c859af7f128a0c05cd

SHA1
7d44391b76368b8331c4f468f8ddbaf6ee5a6793

SHA256
6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112

SHA512
8d34fdd4a48835b6db7ceda48716959e8c50bee04d10aa66044a880a78c13760cf314781f8e347644c5a2d71ff467577e431c70beaafcd52db72cb8044c9bc05

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\LICENSE.TXT

Filesize
648B

MD5
e861259956300fda84ba540e2a63e391

SHA1
5a842455b3d18d9371054bde9cfbad15f9a2aa95

SHA256
6a35ce1eb7da4598b066d2ec3663ab272b28c9bc83ec0ea2319c5708397fdcef

SHA512
c7c8514b4f79abcac214c998d9952048449876cd375d0cb55ee2efb8d2a19afec6dca4519bab4297dd0acf21155d90b849019c23f28fe82692f826488d12eade

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\Layouts\Bottom.fencelayout

Filesize
838B

MD5
c0969fdbaae430f6c0f53731e86d8bd8

SHA1
9dbe36aa40adb1543569564be6451c0a44d5d11c

SHA256
ae38e8325d0ad1fcbc90e5a67e9867c6c98fc11223cbaea19627fb0a04d79c33

SHA512
d0eb2fb168e3169a432282188c9098c5c7541bb19035c85b22264055110a71a145a153e7d0327a210ac972d686e38020add9f8a1dc33af06336ad43dc052929e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\MixPanel.dll

Filesize
49KB

MD5
abab72ed49b141ad05841d92ffbb425a

SHA1
058b173204910d6299e8adeba9b1e530502f238f

SHA256
eb8f046e2404e91748976f409814ffc862c40835d080c06d4b83088515851927

SHA512
9d2a81851b0bf2f65771e29726c2b58e1b07af0c840deb71283d19693d4a2ad00020aad3fdbecdc920dfdcbcb3f4ca4e7efe09ed0bbfa273738ad0fb7599ced7

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\README.txt

Filesize
1KB

MD5
1b715b15bd03b3c4f39273c051951a4b

SHA1
925f3b7dc176f7db479b99114df6dfd0e1053cca

SHA256
fec5a295a6f3289f1504c94d71a7e06777f36e35605059d15a425a9ae6d253c8

SHA512
dc017819b236b89c64171f5d69796e3a83333f5264d2c332376338a9955790b958b002658a3fa462c95cba9c01ff2e65674c440969fd9a79da11c3d7b3fc8e12

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\SdCrashReporter.dll

Filesize
52KB

MD5
f55d8ae20f049265aebe704e9df97fc8

SHA1
401534ad6a34b99929bfff3621d1de8777aa3d5b

SHA256
ce8ac2e3fee5ef0c3f0959f11220d061d41998ae973d9f9efb88c220c41598c3

SHA512
d867f722ca477766116233d9ddee06391829ee877c424d58e37cf06f4c8e3c4618a7c67d0804d382f4fbf216a2a27d87911bfba2b453ebecc37202d6fb95188e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\Templates\CommandHandler.dat

Filesize
868B

MD5
bf2b6fd3796a5a485185b15ba39241e0

SHA1
438ed478342d22622a1ecfc519113e99afb57518

SHA256
585b0ac725ef370124243c99b766dd5d25e63e9c6bc09a6f05cdf0e573a3bf41

SHA512
07485b0a64ad6f039105a9acc9df82f8b6964f3f3978600a1a581121b7ec34b53b45317311d58cf48d4f4eeffeba0d35b5d0cd79a6826eafeace43f5f034b8da

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\VistaBridgeLibrary.dll

Filesize
95KB

MD5
66010aedea55e9a4bbd300e089110193

SHA1
6f1333d62367dfc5ffead6b8ff822310709f1a83

SHA256
c9d1a4715b0982a8bda6eb2d69f5a17656880a43875146a6beee02b00fbede4e

SHA512
ffe4a419487b9e4eab8eded57cfbe3b9f46f12bf9c7e02e7dff79d14c33fc7ed0a346ca2a2624f033fe962309fa87d0ac6ba31e4fdaff4d9968cb8b0444bb712

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\adv.msi

Filesize
2.1MB

MD5
7448dc006a545059ba1258d4091b94c4

SHA1
a3da9ebfce37cc127307fc22a9cf247d93337c94

SHA256
b8860bc6b7e6581ce137e1ed1f65dcaaa74854ae02f6c7ce596d11ed803cc60c

SHA512
cbb9da1ca3a8d7df98b995fef9b8a6cf50e0497326b4dc38a4a8d973c2a662fd9fece6bbde7418427cd735d22fde3debd935433dd54143c12e2286a582627563

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\eula.txt

Filesize
10KB

MD5
b255e01ecedad3f7a600109b01943074

SHA1
0896cbd77645152c4c867e585ba2475af9e9819c

SHA256
5b756a48762ad896de58b973e4b87d4e76ff25023a727f0a08aad9ea66e7b843

SHA512
0e809e567c7aca6bd1a3b59a879864cc091bf24021da0f125a02a2881832a54bc2f9472cb4b9c80db7c44031dd11959ddf2988e359c6f855fce954aef7da982d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\gio-modules\libgiognutls.dll

Filesize
84KB

MD5
23b5f97cbe4d3689ee08d0ae6abaf679

SHA1
80d7cd7ab23dcc3388531b42b0ee31fcaac16f88

SHA256
3b8faeaac389abd97198569f5e0ffa567e495be01e9a24311d128bd76f1dcc6e

SHA512
a7e4b8e75768e9d3b44b8b48beb5e57dd33a8ad83a8f49bd3adef5bd9a2c25c9832f4f95c13a604a20311a7ed7a74ede4bd6b34662a30e246fbbc2c93fceec98

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\icons\Classic\d1.ico

Filesize
1KB

MD5
0b9387ff14a11123a992fa5b5a015c67

SHA1
3b704d5b706de6b7d33ae21317963c95efe9eb1f

SHA256
5aa1990906323fc78efe40db661bb58305b8c021b197b90ce3291534d38381f3

SHA512
eb4c95fd60d90c68cb98b565c9a47b6da13d7c1f467b490203177a3746637e34111f0e81cebab4dc150d071c22d75af7a35c17cc6549276f878ea80068f33819

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\icons\Classic\d11.ico

Filesize
1KB

MD5
f0466f29d958605c3415f2c7b18d3b62

SHA1
9e47c4d3ff5a904148be631a6e254da00e3beb7b

SHA256
f5b72bf1dea715bce3a322ec4b53e516fb330034f3460d3a1983eefd30bd9c0f

SHA512
b53998f6753706902d6507086204978b7c0042706f41e33b15b03d678264d3791cd5651b24badafbbdaee99ecf23fea90456f9ecda803ff760556d7d647e4bc3

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\icons\Classic\d6.ico

Filesize
1KB

MD5
26136c3bb47ccd00d75afb9744802cfb

SHA1
405628d0f0055f63817370ac86d5031728a6e65b

SHA256
c6ab8de9eaf981abded4e2a3f9cadd15deb7629a26d229f87b4f8e2722a8acfc

SHA512
e9268752673a03d5323421e863c802e05364e517dcbf368f61abdb9f8d864439e09f0f7a5e738b197e06d69ebafe9073e1ef5364baec3ad2eca3de7f7a16e0e0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\icons\New Blue\d1.ico

Filesize
894B

MD5
d100902fd3e4ea4b91fb16b5220f700f

SHA1
5797cd6b66c5ce6ac572313a45202a252214b2c5

SHA256
4febd01d738ec425d0c13f96f2a2f3239af29bf21dfd7de8019e701e99ee6d71

SHA512
bc0d7255adef6d3901664c5ce4865ff83112f75f48624af4f47bd9d2b84fdc3c2660adf8a61fea886866f973a88dda7738df628092a0b00f035bd5636cc36f2b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\icons\New Blue\d6.ico

Filesize
894B

MD5
d3e9b0d74054fc985e4837c160ae4d44

SHA1
9fc49ac03fa2885acab1d9a6f9e2b90515c831a4

SHA256
42330bd5334fe3fb1ffbc3b1b88f2f17befd256c83fb827e4fc34e3791b65174

SHA512
fa946d3669be1b3fc3a990a23085b226683f480e94fab9e988eb9350fb9e811453a883cd33a5f783e2acf54432a1bf35f496d1deecc67651de28344f7508d4b2

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\imageformats\qgif4.dll

Filesize
49KB

MD5
b690fdd8fcd1c2700f35388e9b1e5974

SHA1
51669dd917b3f81b7d4526af36938dcf8c0aa7d9

SHA256
3d5a5623cdea823a14102a43cac78902a73840434ba0fe9447aa8f37f887af4a

SHA512
d8f63a1893211d958a47eddc9cfc5de7f8fdf7f530662722d2176c8caf4b8d0791f43bb59048fb075c7f820fb86bd8c79fe96696392a7e336860638a3cee6b9e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
e167fb197b5932b5c60ac56aef01a34d

SHA1
e15cb4c8a4fbd6d80ba944728aa1d67675ce80ad

SHA256
a99237fcbc43b9834ccb4e8375c9b81a2508734035059d678c08d9c7b6b3ce05

SHA512
d817197cf64d7dc5d1a1551364cb4f5c1e29f4abf8ae6ebdbcd431e165746e04bb1fbc5af2927c46b09b802ac7e40196dcef88d3aeaaed2df351949e02ca95a0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
4KB

MD5
f81b0ade573c74d35cb2c3323f961387

SHA1
9c00c76dab48a6de7cfd57b1988d8a8447b27902

SHA256
8c893e14b95cfd0ee58bd1e5c288dfa8516f263955e3bece794e73cf36dcfe80

SHA512
025888c2fd7744e792cf0a14ef7c24a3fdac690f849593d1576b1129f6bda70a9013a7a59245d32f1f401653dd1debdb97ca6a263ccbeb9e4254466acd05c5a9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
b5bfc099ae356fc96059c19e3bc190a8

SHA1
a29a630a3ef97add564f217b0f3d9cebce3edbe0

SHA256
4b4c37b2b038023bdebf961dec9f20a1f99ea67e591b74ed595d528873daa665

SHA512
da38c177e6c0e00957a62a30442f4f3e9ad62d8017bdeea4696d79a31763ac1b12f401be9664d50077c6ed598396ac4deff3cf7d07a3c0fec94ecf12a8e94eb0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
ff0997ae7d85ed6ba077d1b89ce65003

SHA1
c53f00d39c550d4e78166d155c9e70b2dbf7011b

SHA256
792436b5d993f4bb2c885a9eb781038849c38c5d369289d941f889496d0289b4

SHA512
65089182c4ca9cf460d57c7010a9a8c7335a4a6d114437ec0cf43db4e26c2feee3c43d61074fff5e0831abeed16f9a5105e10722a67b83ea061ff15b107ca13a

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
c48e5a35301f4d4cf0424189a4aa69af

SHA1
d5aa219e74ac97696016cadd320015bf28e12f7b

SHA256
1c3471860056bf7baf2ac697655956c6565913cf0cdae92bfe709784a948471d

SHA512
5b2ca8287d030bfe52e8d6d6e14ce03889afa042c87e1deb8f62ab21598067bc600a821b56084cde1e33bf38db24c8642169ddfd91c21c426d395186e3385453

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
5164cfdd2f56249dbd42a7b85ed63a76

SHA1
c2660917e479f7eefe1c015e88b36e96b3819db3

SHA256
1b0f40b0b03cf5bb82c00b78126f4cdb3339a360964e27bc9f4e2b03517d79a2

SHA512
69e32e46ac06e24337b6861c192638d5debbbb844fd74f533f50a15719bae1354a9b6b41fe27aa97ed7b310477f403e0e181a76c3f55c3eabde1899b4b7bc0de

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\[email protected]

Filesize
2KB

MD5
a7147f2739655be5dd74ebc06b4d3944

SHA1
5d9790738c589d3708a5d9509bad0307cdb33080

SHA256
c5666b5643544b110b8b68929369a16c7cf20c9dfa586f56c97f60f87bd513e8

SHA512
72265cba652298a13c3cab813d0bf93164b3cf7208380dd6eee5a8c168cdb59740f004bd0de3145072b6404ad6c532ee0e75c0527f4a205cbbef3ba635a5ace9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\add.png

Filesize
3KB

MD5
0128ad7e04e9a25c9ab4316c13d8deff

SHA1
55068a4cc67a2fe94ec15ee46be67ad367d31117

SHA256
3386cab5cf90d40db4f15e34c6bd15cb832848c6b61fa1ca5fa3ad60ae7d9b04

SHA512
93baa7a401192059fbd95bd82449e9461ef5124bf748d8a9226e3df9a7194fc5eebb105146258e2629f0b139d00e6d2a30eec09510215fd69b9f788f18784fcd

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\down.png

Filesize
2KB

MD5
9c0dba6fd26d332f95cfeb3183ee0b4a

SHA1
de3b3f47f0c0d0f632f22ac7467867cc1d1e0e5f

SHA256
9c66ede3736ecc0b26ea1fd3181f12da8cb7e456da1e066b3eb4fed5a91f18b8

SHA512
ac2d355e56d16db53850dc99994002f682c4be0216a14529cf65e14529ac6d49ad7c1b3fb4fe8a680daf62061e67824164286650c861d7d30b1385dfe94005e4

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\erase.png

Filesize
4KB

MD5
00786f0f3fb7705d81c018199412d814

SHA1
cb194c855dbc41063d5e1f488dc4c443e9329898

SHA256
313f14e773f93d470bcff9e42887d8672838cc64dc4682dc3a36cd3e4ade574f

SHA512
1cbdd14be8457582411fd6e1a18346bdbdddb7da7efe835f86058634d8bdb4a0ee92269b9efe7d4da8ea9f9689bfb03f0950dfc35036d2bf649a0e79d5125940

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\tool_bk_eye.bmp

Filesize
15KB

MD5
110491a69f4863babe994e482417ce63

SHA1
69d6d6cccf059119c07d53c77abd03b66b4c4ad3

SHA256
3d44922bddc5f46f635e61d5022ca925f125a703153ecc5e4786d16df27a4a83

SHA512
6b87510413028ecc30cea6ecf6061a5d29376ea67ac22713abbdbe44451a44127d88a71182a41cd3929ac6099d53d390f3d1a451df6bbee192299c2683e32976

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\tool_menu_bk_l.bmp

Filesize
3KB

MD5
c59017873cda8851111a0248eb98ab25

SHA1
e10c4b6b9a7c21afbb70cd1d8b3b97c3b6d9b805

SHA256
e329a76b3d787652264d1d1306dfc41660dbdc43780ae0933514539c0de4e88b

SHA512
b14af6e5554ff579311550534b91755c80f07aa9aabab032b2fbe793866a2ce75e5d2c10cc58aab6d49f98db9ed5f689e3190aad108c33ccbe013c1f13cd221b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\view_pos.png

Filesize
2KB

MD5
b9f9a3dc2f52f4018994e1412af7765d

SHA1
647861fad3cf60f8c6f0ba508862f6eab18ee2f6

SHA256
97208dd6652c0f7cb00624731d849d3e78d04bad394751aae6a52772d09d309e

SHA512
934055460b060c2fb6494a1c455fd5e6c892fcb7ea7c9a12b0d8eb7c3501a9ddf52c3c2af9599dbb2c9f25bcae5d9e7fe59968243b33ce37afcab628b6a73f88

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\images\view_pos_dis.png

Filesize
2KB

MD5
0de37b5d1f8e800561a45ce1270b5203

SHA1
d9d6c64bd15b5961070ef1a3483ceb6737a07102

SHA256
430fbd57a38cfe1d7bdda3be9c4a508b749b899663ce8b336566772accc6b6a6

SHA512
3852cebf7718bce8e8f9399ac57ac07b4592a09966818225619af8b1e1f27a0e9455a878e4c4183db3c3270067ac55de970a893e3a7a0da351194ce923407954

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libffi-6.dll

Filesize
49KB

MD5
c4059a8eec8ad3abc6432238f7491a2b

SHA1
f1c6cf3fa216f73ba44bd481c685ef30cfd3d284

SHA256
a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da

SHA512
0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libgmodule-2.0-0.dll

Filesize
41KB

MD5
4d233a220f91de3b1510d017b5481942

SHA1
c59f449b0d09127d18268e7b07da3f7d749b2720

SHA256
08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0

SHA512
a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libgthread-2.0-0.dll

Filesize
35KB

MD5
cf2571c125fa1d2ec55b9977054f380a

SHA1
91014dd50f0eeb0d3d1faed77541c76a05b712b8

SHA256
02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3

SHA512
a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libics4.0.dll

Filesize
1.4MB

MD5
28267ea322e3975f1e98c64a1c77f509

SHA1
e1d92e085df142d703ed9fd9c65ed92562a759fa

SHA256
18f24841651461bd84a5eac08be9bce9eab54b133b0e837d5298dac44e199d5f

SHA512
2c0bd061a51e48c057fdd0b05dc959c48e79ef3df3ca1abec105b8be2aa53f416f92c109c23029a11d4d3e7e75529215877d41b5bfe5d462d844b3bae29c1a42

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\libogg-0.dll

Filesize
45KB

MD5
84e8e72572d53558d52403011fa0d388

SHA1
865160da7dbfaaea224541eb44e9430e1a7b7b20

SHA256
ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f

SHA512
47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\liborc-test-0.4-0.dll

Filesize
51KB

MD5
00d68e20169f763376095705c1520c4f

SHA1
75ec5e1974654613c9eeeff047f1eb58694fd656

SHA256
3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f

SHA512
4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\manual.pdf

Filesize
2.2MB

MD5
079766094541035de5f115a9bbb4f583

SHA1
8423b25054aa78535c49042295558f33d34deae1

SHA256
6434913278186cb5b12ca38580a4e94b2ce2af83a836f7e50ab9c5ea8e265a59

SHA512
35b56c24d0b8aa2fec31ab9f329a1bfee15d97eb4fcce795e08bd15c5fd31726aae91c16bce0e1956cc2bbc2b529ace18212b09f47668e540f72079398dd3426

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\mathparser.exe

Filesize
5.9MB

MD5
dd9439b5cb3b1fc91181092f9da5aa69

SHA1
f2b8ab6f531621ab355912de64385410c39c1909

SHA256
db03917ca3cb91cdebcb681fa2733c1a2a9679e5201beeba21aee911de05973e

SHA512
6bf565095d1dee5acc4f05ff0c66adec3069e72ad371f517f7a763d273679f15eaa2c8f15b3dcce23f237786a014f9384f2d6c7e352b079c39707364f5c8ef25

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\mingwm10.dll

Filesize
7KB

MD5
a5a239c980d6791086b7fe0e2ca38974

SHA1
dbd8e70db07ac78e007b13cc8ae80c9a3885a592

SHA256
fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7

SHA512
8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\pthreadGC2.dll

Filesize
35KB

MD5
928c9eea653311af8efc155da5a1d6a5

SHA1
27300fcd5c22245573f5595ecbd64fce89c53750

SHA256
6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387

SHA512
0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\sprache\chinesesimp.dxs

Filesize
45KB

MD5
443698f47d051ff3ccda305b6f4b4b45

SHA1
2b31a019ad05a85d53397cb3fe7b08946b951e5c

SHA256
4e01b6ccb668ab1e548ffa72c2ef69c9088d7e910a170cc6a820f7fef08b7d81

SHA512
687eec2c606e09e09ed70cce8532017a8850832e8038d8db4710f81fef69aacbd8040d102bfdf46e5fc9d154664af435a36c7569e6497bf4c566a7b1a00a93e8

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\ssleay32.dll

Filesize
270KB

MD5
cb48c0854cf3264c3baa3c2da76ec014

SHA1
01152fecaf127f9874ce8c9978bf570aa6309beb

SHA256
dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b

SHA512
dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\1D886E2\zlibwapi.dll

Filesize
138KB

MD5
54789344b07bed58e43851eca47e2b12

SHA1
93c561365bc7f1cbb5385d0323ed81044a6ec276

SHA256
9f8729ac49e0ccea86fe3b1a9b2c3fae9986ecd09db92853e7a588dbda85bf90

SHA512
54d4af3de4b12ff8f25a4596cdb97bb32fd739217f99849bdebe5ca92d801cb5564d4407193bcbfaf8118e5d3391543a80ff08371e28c35c2c091d9ff90a3692

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\Memory Test Toolkit 6.2.4.7\install\decoder.dll

Filesize
202KB

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
C:\Users\Admin\Downloads\installation.exe

Filesize
20KB

MD5
345e3700c5b584ca43a6748670480864

SHA1
90802b6139b4ad5c8b218e137af9e5466ad4d0fa

SHA256
e952eeacb54e0d9c07da6db899c7012b49cfd19b19ec46b99321ebe831b53a7c

SHA512
0c17385d336dd25b36e06c2c323694ec43683bf6c179985989eadd680df190bda220ddbd4afa548d6827877fdcfde06f67fd692ebe37653b574d00f5e377a566

Download Submit
C:\Windows\Installer\MSI3307.tmp

Filesize
569KB

MD5
0be7cdee6c5103c740539d18a94acbd0

SHA1
a364c342ff150f69b471b922c0d065630a0989bb

SHA256
41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

SHA512
f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

Download Submit
memory/4644-675-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-680-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-682-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-695-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-697-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-699-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download
memory/4644-701-0x0000000000600000-0x0000000000EBB000-memory.dmp

Filesize
8.7MB

Download