Malware Analysis Report

2024-10-23 19:40

Sample ID 231004-q89e2aeb47
Target dotNetFx40_Full_setup.exe
SHA256 a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
Tags: phemedrone, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256 a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af

Threat Level: Known bad

The file dotNetFx40_Full_setup.exe was found to be: Known bad.

What the two detonations below show: the submitted file, which carries the name of the Microsoft .NET Framework 4.0 web installer, drops two executables with random eight-character names into low-profile directories (C:\ProgramData\Desktop and %APPDATA%\Identities on Windows 7; %APPDATA%\Adobe and C:\ProgramData\ssh on Windows 10), runs both, and then unpacks a setup package (Setup.exe, SetupEngine.dll, SetupUi.dll, sqmapi.dll and per-language LocalizedData.xml files) into a hex-named directory and runs it as Setup.exe /x86 /x64 /ia64 /web, the command line the genuine .NET Framework 4.0 web installer uses. The most likely reading is that the real installer is shown to the user as a decoy while the dropped payloads work in the background. The payloads are byte-identical across both runs and only their names and drop paths change, so pivot on the hashes rather than the file names:

SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531 (dropped as 7HVXMWHP.exe and 9ZWBI2E2.exe) is the process that acquires SeDebugPrivilege in both runs and, in the Windows 10 run, enumerates running processes.

SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425 (dropped as M6PTHT6K.exe and ESUO6AUH.exe) is, in the Windows 7 run, the parent that starts Setup.exe (see the WriteProcessMemory rows under behavioral1).

SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be (Setup.exe) and the files unpacked beside it have the names and command line of the .NET Framework setup bootstrapper. The Unsigned PE finding under static1 concerns the submitted file only; check the Authenticode signatures of these unpacked files before adding their hashes to a blocklist.

The Phemedrone detection, the browser-profile reads and the external-IP lookup are not attributed to a specific process in this report. Network indicators are ip-api.com (208.95.112.1, a public geolocation service) and rakishev.net, contacted over plain HTTP on port 80 at 104.21.88.34 and 172.67.150.79, both Cloudflare addresses.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported

2023-10-04 13:57

Signatures

Unsigned PE (the submitted file carries no Authenticode signature; no further indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 13:57

Reported

2023-10-04 13:59

Platform

win7-20230831-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe"

Signatures

Phemedrone

stealer phemedrone

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Desktop\M6PTHT6K.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe N/A
N/A N/A C:\3147febe8244671ef5bd\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\3147febe8244671ef5bd\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\3147febe8244671ef5bd\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2884 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\ProgramData\Desktop\M6PTHT6K.exe
PID 1292 wrote to memory of 2580 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe
PID 2884 wrote to memory of 1856 (7 events) N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
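The writes recorded above (4, 3 and 7 writes between three writer/target pairs) collapse to exactly the tree listed under Processes: 1292 started 2884 and 2580, and 2884 started 1856. CreateProcess writes the environment block and startup parameters into the new child, so a sandbox raises this signature on ordinary process creation; on its own it does not show code injection. The script below is an added example, not output of the sandbox: it parses the rows (copied verbatim as constructed input), rebuilds the lineage with write counts, and checks whether every written-to process has a single writer, which is what a plain spawn looks like.

```python
import re
from collections import Counter

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table
# (constructed input for this example; repeats are kept, each row is one write).
WPM_ROWS = r"""
PID 1292 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\ProgramData\Desktop\M6PTHT6K.exe
PID 1292 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\ProgramData\Desktop\M6PTHT6K.exe
PID 1292 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\ProgramData\Desktop\M6PTHT6K.exe
PID 1292 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\ProgramData\Desktop\M6PTHT6K.exe
PID 1292 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe
PID 1292 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe
PID 1292 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
PID 2884 wrote to memory of 1856 N/A C:\ProgramData\Desktop\M6PTHT6K.exe C:\3147febe8244671ef5bd\Setup.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per table row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Collapse the writes into children[pid], images[pid] and counts[(writer, target)]."""
    children, images, counts = {}, {}, Counter()
    for writer, target, wimg, timg in events:
        images[writer], images[target] = wimg, timg
        counts[(writer, target)] += 1
        children.setdefault(writer, set()).add(target)
    return {p: sorted(c) for p, c in children.items()}, images, counts


def roots(events):
    """Pids that wrote to others but were never written to: the top of each tree."""
    targets = {t for _, t, _, _ in events}
    return sorted({w for w, _, _, _ in events if w not in targets})


def writers_of(events, pid):
    """Distinct pids that wrote into `pid`."""
    return sorted({w for w, t, _, _ in events if t == pid})


def looks_like_spawn(events):
    """True when every written-to process has exactly one writer.

    CreateProcess writes the environment block and startup parameters into the
    new child, so sandboxes raise this signature on plain process creation.
    One writer per target is what a parent starting a child looks like; a second
    writer into a process that is already running is what injection looks like.
    """
    return all(len(writers_of(events, t)) == 1 for t in {t for _, t, _, _ in events})


def render(children, images, counts, pid, depth=0, parent=None):
    """Indented lineage lines rooted at `pid`, with the write count from the parent."""
    note = f"  ({counts[(parent, pid)]} writes from {parent})" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid} {images[pid]}{note}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, counts, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    events = parse_wpm(WPM_ROWS)
    children, images, counts = build_tree(events)
    for root in roots(events):
        print("\n".join(render(children, images, counts, root)))
    print("single writer per target (plain spawn pattern):", looks_like_spawn(events))
```

Run as-is it prints the three-level tree rooted at PID 1292 and reports the spawn pattern as true; a process that showed up with two distinct writers would be the row worth pulling a memory dump for.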

Processes

C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe

"C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe"

C:\ProgramData\Desktop\M6PTHT6K.exe

"C:\ProgramData\Desktop\M6PTHT6K.exe"

C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe

"C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe"

C:\3147febe8244671ef5bd\Setup.exe

C:\3147febe8244671ef5bd\\Setup.exe /x86 /x64 /ia64 /web

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 rakishev.net udp
US 104.21.88.34:80 rakishev.net tcp

Files

memory/1292-0-0x0000000000180000-0x0000000000402000-memory.dmp

memory/1292-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\ProgramData\Desktop\M6PTHT6K.exe (also recorded as C:\Users\Public\Desktop\M6PTHT6K.exe; C:\ProgramData\Desktop is a junction to C:\Users\Public\Desktop, so both paths name the same file)

MD5 53406e9988306cbd4537677c5336aba4
SHA1 06becadb92a5fcca2529c0b93687c2a0c6d0d610
SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425
SHA512 4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

memory/2580-12-0x0000000000D70000-0x0000000000D8C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe

MD5 ae881baa8c3a00a94e5994826bdac3aa
SHA1 3f81a9e1cb712b2f69c8ab9104469a436c797706
SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531
SHA512 2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

memory/1292-13-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2580-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2580-18-0x000000001B420000-0x000000001B4A0000-memory.dmp

C:\3147febe8244671ef5bd\Setup.exe (also recorded without the drive letter as \3147febe8244671ef5bd\Setup.exe)

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

C:\3147febe8244671ef5bd\SetupEngine.dll (also recorded without the drive letter as \3147febe8244671ef5bd\SetupEngine.dll)

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

C:\3147febe8244671ef5bd\sqmapi.dll (also recorded without the drive letter as \3147febe8244671ef5bd\sqmapi.dll)

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

C:\Users\Admin\AppData\Local\Temp\HFI64AD.tmp.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\3147febe8244671ef5bd\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\3147febe8244671ef5bd\UiInfo.xml

MD5 8b8b0a935dc591799a0c6d52fdc33460
SHA1 ce2748bd469aad6e90b06d98531084d00611fb89
SHA256 57a9ccb84cae42e0d8d1a29cfe170ac3f27bdcae829d979cddfd5e757519b159
SHA512 93009b3045939b65a0c1d25e30a07a772bd73dda518529462f9ce1227a311a4d6fd7595f10b4255cc0b352e09c02026e89300a641492f14df908ad256a3c9d76

C:\3147febe8244671ef5bd\SplashScreen.bmp

MD5 0966fcd5a4ab0ddf71f46c01eff3cdd5
SHA1 8f4554f079edad23bcd1096e6501a61cf1f8ec34
SHA256 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3
SHA512 a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

C:\3147febe8244671ef5bd\ParameterInfo.xml

MD5 7213da83e0f0b8ae4fea44ae1cb7f62b
SHA1 f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3
SHA256 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9
SHA512 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0

C:\3147febe8244671ef5bd\1033\LocalizedData.xml

MD5 326518603d85acd79a6258886fc85456
SHA1 f1cef14bc4671a132225d22a1385936ad9505348
SHA256 665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577
SHA512 f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

C:\3147febe8244671ef5bd\1029\LocalizedData.xml

MD5 0b6ed582eb557573e959e37ebe2fca6a
SHA1 82c19c7eafb28593f453341eca225873fb011d4c
SHA256 8a0da440261940ed89bad7cd65bbc941cc56001d9aa94515e346d57b7b0838fc
SHA512 aba3d19f408bd74f010ec49b31a2658e0884661d2efda7d999558c90a4589b500570cc80410ba1c323853ca960e7844845729fff708e3a52ea25f597fad90759

C:\3147febe8244671ef5bd\1031\LocalizedData.xml

MD5 8505219c0a8d950ff07dc699d8208309
SHA1 7a557356c57f1fa6d689ea4c411e727438ac46df
SHA256 c48986cdb7fe3401234e0a6540eb394c1201846b5beb1f12f83dc6e14674873a
SHA512 7bcdad0cb4b478068434f4ebd554474b69562dc83df9a423b54c1701ca3b43c3b92de09ee195a86c0d244aa5ef96c77b1a08e73f1f2918c8ac7019f8df27b419

C:\3147febe8244671ef5bd\1035\LocalizedData.xml

MD5 1aa252256c895b806e4e55f3ea8d5ffb
SHA1 0322ee94c3d5ea26418a2fea3f7e62ec5d04b81d
SHA256 8a68b3b6522c30502202ecb8d16ae160856947254461ac845b39451a3f2db35f
SHA512 ce57784892c0be55a00ced0adc594a534d8a40819790ca483a29b6cd544c7a75ae4e9bde9b6dc6de489ceceb7883b7c2ea0e98a38fcc96d511157d61c8aa3e63

C:\3147febe8244671ef5bd\1032\LocalizedData.xml

MD5 3bf8da35b14fbcc564e03f6342bb71f2
SHA1 8f9139f0bb813bf95f8c437548738d32848d8940
SHA256 39efe12c689edfea041613b0e4d6ec78afec8fe38a0e4adc656591ffef8f415d
SHA512 31b050647ba4bd0c2762d77307e1ed2a324e9b152c06ed496b86ea063cdc18bf2bb1f08d2e9b4af3429a2bc333d7891338d7535487c83495304a5f78776dbc03

C:\3147febe8244671ef5bd\1043\LocalizedData.xml

MD5 6506b4e64ebf6121997fa227e762589f
SHA1 71bc1478c012d9ec57fc56a5266dd325b7801221
SHA256 415112ae783a87427c2fadd7b010ade4f1a7c23b27e4b714b7b507c16b572a1c
SHA512 39024ea9d42352f7c1bd6fefe0574054eceb4059f773cfaeb26c42faada2540ae95fb34718d30ccb6da157d2597f80d12a024461fbd0e8d510431ba6ffa81ec2

C:\3147febe8244671ef5bd\1049\LocalizedData.xml

MD5 349b52a81342a7afb8842459e537ecc6
SHA1 6268343e82fbbabe7618bd873335a8f9f84ed64d
SHA256 992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5
SHA512 ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49

C:\3147febe8244671ef5bd\1053\LocalizedData.xml

MD5 b3b1a89458bec6af82c5386d26639b59
SHA1 d9320b8cc862f40c65668a40670081079b63cea1
SHA256 1ef312e8be9207466fbfdecee92bfc6c6b7e2da61979b0908eaf575464e7b7a0
SHA512 478ce08619490ed1ecdd8751b5f60da1ee4ac0d08d9a97468c3f595ac4376feca59e9c72dd9c83b00c8d78b298be757c6f24a422b7be8c041f780524844998bf

C:\3147febe8244671ef5bd\3082\LocalizedData.xml

MD5 2d54fe70376db0218e8970b28c1c4518
SHA1 83ee9ac93142751f23d5bb858f7264e27ea2eab0
SHA256 d17c5b638e2a4d43212d21a2052548c8d4909eb6410e30b8a951a292bcdbbedd
SHA512 20c0fb9a046911bc2d702ab321c3992262ac0f80f33ddda5ec2ccafe9ef07611774223369e0dc7cb91c9cda1cbd65c598a7e1c914d6e6ca4b00205a16411be30

C:\3147febe8244671ef5bd\3076\LocalizedData.xml

MD5 967a6d769d849c5ed66d6f46b0b9c5a4
SHA1 c0ff5f094928b2fa8b61e97639c42782e95cc74f
SHA256 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542
SHA512 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c

C:\3147febe8244671ef5bd\2070\LocalizedData.xml

MD5 7fa9926a4bc678e32e5d676c39f8fb97
SHA1 bba4311dd30261a9b625046f8a6ea215516c9213
SHA256 a25ee75c78c24c50440ad7de9929c6a6e1cc0629009dc0d01b90cbac177dd404
SHA512 e06423bc1ea50a566d341dc513828608e9b6611fea81d33fca471a38f6b2b61b556ea07a5dec0830f3e87194975d87f267a5e5e1a2be5e6a86b07c5bb2bddcb6

C:\3147febe8244671ef5bd\2052\LocalizedData.xml

MD5 10da125eeabcbb45e0a272688b0e2151
SHA1 6c4124ec8ca2d03b5187ba567c922b6c3e5efc93
SHA256 1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec
SHA512 d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710

C:\3147febe8244671ef5bd\1055\LocalizedData.xml

MD5 65e771fed28b924942a10452bbbf5c42
SHA1 586921b92d5fb297f35effc2216342dac1ae2355
SHA256 45e30569a756d9bcbc5f9dae78bda02751fd25e1c0aee471ce112cb4464a6ee2
SHA512 d014a2a96f3a5c487ef1caddd69599dbec15da5ad689d68009f1ca4d5cb694105a7903f508476d6ffec9d81386cb184df6fc428d34f056190cee30715514a8f7

C:\3147febe8244671ef5bd\1046\LocalizedData.xml

MD5 a03d2063d388fc7a1b4c36d85efa5a1a
SHA1 88bd5e2ff285ee421ccc523f7582e05a8c3323f8
SHA256 61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3
SHA512 3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0

C:\3147febe8244671ef5bd\1045\LocalizedData.xml

MD5 bdb583c7a48f811be3b0f01fcea40470
SHA1 e8453946a6b926e4f4ae5b02ba1d648daf23e133
SHA256 611b7b7352188adffd6380b9c8a85b8ff97c09a1c293bb7ac0ef5478a0e18ac8
SHA512 27b02226f8f86ca4d00789317c79e8ca0089f5b910bed14aa664eeab6be66e98de3bafd7670c895d70ab9c34ece5f05199f3556fddc1b165904e3432a51c008d

C:\3147febe8244671ef5bd\1044\LocalizedData.xml

MD5 120104fa24709c2a9d8efc84ff0786cd
SHA1 b513fa545efae045864d8527a5ec6b6cebe31bb9
SHA256 516525636b91c16a70aef8d6f6b424dc1ee7f747b8508b396ee88131b2bb0947
SHA512 1ea8eb2be9d5f4ef6f1f2c0d90cb228a9bb58d7143ccafe77e18ce52ec4aca25dde0ba18430fd4d3d7962d079ccbe7e2552b2c7090361e03c6fdfb7c2b9c7325

C:\3147febe8244671ef5bd\1042\LocalizedData.xml

MD5 78c16da54542c9ed8fa32fed3efaf10d
SHA1 ad8cfe972c8a418c54230d886e549e00c7e16c40
SHA256 e3e3a2288ff840ab0e7c5e8f7b4cfb1f26e597fb17cfc581b7728116bd739ed1
SHA512 d9d7bb82a1d752a424bf81be3d86abea484acbb63d35c90a8ee628e14cf34a7e8a02f37d2ea82aa2ce2c9aa4e8416a7a6232c632b7655f2033c4aaab208c60bf

C:\3147febe8244671ef5bd\1041\LocalizedData.xml

MD5 64ffa6ff8866a15aff326f11a892bead
SHA1 378201477564507a481ba06ea1bc0620b6254900
SHA256 7570390094c0a199f37b8f83758d09dd2cecd147132c724a810f9330499e0cbf
SHA512 ea5856617b82d13c9a312cb4f10673dbc4b42d9ac5703ad871e8bdfcc6549e262e61288737ab8ebcf77219d24c0822e7dacf043d1f2d94a97c9b7ec0a5917ef2

C:\3147febe8244671ef5bd\1040\LocalizedData.xml

MD5 eda1ec689d45c7faa97da4171b1b7493
SHA1 807fe12689c232ebd8364f48744c82ca278ea9e6
SHA256 80faa30a7592e8278533d3380dcb212e748c190aaeef62136897e09671059b36
SHA512 8385a5de4eb6b38169dd1eb03926bc6d4604545801f13d99cee3acede3d34ec9f9d96b828a23ae6246809dc666e67f77a163979679956297533da40f9365bf2c

C:\3147febe8244671ef5bd\1038\LocalizedData.xml

MD5 89d4356e0f226e75ca71d48690e8ec15
SHA1 2336caa971527977f47512bc74e88cec3f770c7d
SHA256 fcbb619deb2d57b791a78954b0342dbb2fef7ddd711066a0786c8ef669d2b385
SHA512 fa03d55a4aafe94cbf5c134a65bd809fc86c042bc1b8ffbc9a2a5412eb70a468551c05c44b6ce81f638df43cca599aa1dd6f42f2df3012c8a95a3612df7c821e

C:\3147febe8244671ef5bd\1037\LocalizedData.xml

MD5 16e6416756c1829238ef1814ebf48ad6
SHA1 c9236906317b3d806f419b7a98598dd21e27ad64
SHA256 c0ee256567ea26bbd646f019a1d12f3eced20b992718976514afa757adf15dea
SHA512 aa595ed0b3b1db280f94b29fa0cb9db25441a1ef54355abf760b6b837e8ce8e035537738e666d27dd2a8d295d7517c325a5684e16304887ccb17313ca4290ce6

C:\3147febe8244671ef5bd\1036\LocalizedData.xml

MD5 1dad88faed661db34eef535d36563ee2
SHA1 0525b2f97eddbd26325fddc561bf8a0cda3b0497
SHA256 9605468d426bcbbe00165339d84804e5eb2547bfe437d640320b7bfef0b399b6
SHA512 ccd0bffbf0538152cccd4b081c15079716a5ff9ad04cee8679b7f721441f89eb7c6f8004cff7e1dde9188f5201f573000d0c078474edf124cfa4c619e692d6bc

C:\3147febe8244671ef5bd\1030\LocalizedData.xml

MD5 69925e463a6fedce8c8e1b68404502fb
SHA1 76341e490a432a636ed721f0c964fd9026773dd7
SHA256 5f370d2ccdd5fa316bce095bf22670123c09de175b7801d0a77cdb68174ac6b7
SHA512 5f61abec49e1f9cc44c26b83aa5b32c217ebeba63ed90d25836f51f810c59f71ec7430dc5338efba9be720f800204891e5ab9a5f5ec1ff51ef46c629482e5220

C:\3147febe8244671ef5bd\1028\LocalizedData.xml

MD5 967a6d769d849c5ed66d6f46b0b9c5a4
SHA1 c0ff5f094928b2fa8b61e97639c42782e95cc74f
SHA256 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542
SHA512 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c

C:\3147febe8244671ef5bd\1025\LocalizedData.xml

MD5 c5bf74c96a711b3f7004ca6bddecc491
SHA1 4c4d42ff69455f267ce98f1db8f2c5d76a1046da
SHA256 6b67c8a77c1a637b72736595afdf77bdb3910aa9fe48d959775806a0683ffa66
SHA512 2f2071bf9966bffe64c90263f4b9bd5efcac4f976c4e42fbdeaa5d6a6dee51c33f4902cf5e3d0897e1c841e9182e25c86d42e392887bc3ce3d9ed3d780d96ac9

C:\3147febe8244671ef5bd\SetupUi.dll (also recorded without the drive letter as \3147febe8244671ef5bd\SetupUi.dll)

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

C:\3147febe8244671ef5bd\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

C:\3147febe8244671ef5bd\1033\SetupResources.dll (also recorded without the drive letter as \3147febe8244671ef5bd\1033\SetupResources.dll)

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

C:\3147febe8244671ef5bd\Strings.xml

MD5 8a28b474f4849bee7354ba4c74087cea
SHA1 c17514dfc33dd14f57ff8660eb7b75af9b2b37b0
SHA256 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b
SHA512 a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

memory/1856-283-0x0000000000300000-0x0000000000301000-memory.dmp

C:\3147febe8244671ef5bd\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

C:\3147febe8244671ef5bd\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

C:\3147febe8244671ef5bd\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

C:\3147febe8244671ef5bd\graphics\warn.ico

MD5 b2b1d79591fca103959806a4bf27d036
SHA1 481fd13a0b58299c41b3e705cb085c533038caf5
SHA256 fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11
SHA512 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

memory/2580-288-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2580-289-0x000000001B420000-0x000000001B4A0000-memory.dmp

memory/2580-290-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/1856-291-0x0000000000300000-0x0000000000301000-memory.dmp
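The same two payload hashes recur in both detonations under different names and directories, so the hash, not the file name, is the stable indicator, and the file list above is long because every write of a file is recorded separately. The script below is an added example, not part of the report: it parses the report's Files layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines; memory-dump lines carry no digests) from an excerpt constructed out of the Files sections and Executes dropped EXE tables of both runs, groups every recorded path by SHA256, refuses to proceed if two entries with the same SHA256 disagree on another digest (a sign of a mangled report), and marks which unique files were actually executed.

```python
import re

# Excerpt constructed from the Files sections of both detonations, in the report's
# own layout; only one SHA512 line is kept here, the others parse the same way.
FILES_EXCERPT = r"""
memory/1292-0-0x0000000000180000-0x0000000000402000-memory.dmp

C:\ProgramData\Desktop\M6PTHT6K.exe

MD5 53406e9988306cbd4537677c5336aba4
SHA1 06becadb92a5fcca2529c0b93687c2a0c6d0d610
SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425
SHA512 4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe

MD5 ae881baa8c3a00a94e5994826bdac3aa
SHA1 3f81a9e1cb712b2f69c8ab9104469a436c797706
SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531

C:\3147febe8244671ef5bd\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

C:\3147febe8244671ef5bd\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe

MD5 53406e9988306cbd4537677c5336aba4
SHA1 06becadb92a5fcca2529c0b93687c2a0c6d0d610
SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425

C:\ProgramData\ssh\9ZWBI2E2.exe

MD5 ae881baa8c3a00a94e5994826bdac3aa
SHA1 3f81a9e1cb712b2f69c8ab9104469a436c797706
SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531
"""

# Paths from the "Executes dropped EXE" tables of both detonations.
EXECUTED = {
    r"C:\ProgramData\Desktop\M6PTHT6K.exe",
    r"C:\Users\Admin\AppData\Roaming\Identities\7HVXMWHP.exe",
    r"C:\3147febe8244671ef5bd\Setup.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe",
    r"C:\ProgramData\ssh\9ZWBI2E2.exe",
}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files(text):
    """Entries of {'path', 'hashes'}; any non-blank line that is not a digest starts a new entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            current = {"path": line, "hashes": {}}
            entries.append(current)
        elif current is not None:
            current["hashes"][m[1]] = m[2].lower()
    return entries


def group_by_sha256(entries):
    """SHA256 -> {'paths', 'hashes'}; memory-dump lines carry no digests and drop out."""
    groups = {}
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            continue
        g = groups.setdefault(sha, {"paths": set(), "hashes": {}})
        g["paths"].add(e["path"])
        for algo, digest in e["hashes"].items():
            # The same SHA256 must come with the same MD5/SHA1; a clash means the
            # report text was mangled and the indicator must not be trusted.
            if g["hashes"].setdefault(algo, digest) != digest:
                raise ValueError(f"conflicting {algo} for {sha}")
    return groups


def ioc_table(groups, executed):
    """One row per unique file: digests, every name it was written under, and whether it ran."""
    rows = []
    for sha, g in sorted(groups.items()):
        rows.append({
            "sha256": sha,
            "md5": g["hashes"].get("MD5"),
            "names": sorted({p.rsplit("\\", 1)[-1] for p in g["paths"]}),
            "paths": sorted(g["paths"]),
            "executed": bool(g["paths"] & executed),
        })
    return rows


if __name__ == "__main__":
    for row in ioc_table(group_by_sha256(parse_files(FILES_EXCERPT)), EXECUTED):
        status = "executed" if row["executed"] else "dropped only"
        print(f"{row['sha256'][:16]}  {status:12}  {', '.join(row['names'])}")
```

Feeding the full Files sections of both runs through the same functions yields four executed unique files and a long tail of installer resources that were only written, which is the split to carry into a blocklist versus a watchlist.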

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 13:57

Reported

2023-10-04 13:59

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe"

Signatures

Phemedrone

stealer phemedrone

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe N/A
N/A N/A C:\ProgramData\ssh\9ZWBI2E2.exe N/A
N/A N/A F:\3ada701e393508d72567f6\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 F:\3ada701e393508d72567f6\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz F:\3ada701e393508d72567f6\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
8 events N/A F:\3ada701e393508d72567f6\Setup.exe N/A
28 events N/A C:\ProgramData\ssh\9ZWBI2E2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\ssh\9ZWBI2E2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe

"C:\Users\Admin\AppData\Local\Temp\dotNetFx40_Full_setup.exe"

C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe

"C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe"

C:\ProgramData\ssh\9ZWBI2E2.exe

"C:\ProgramData\ssh\9ZWBI2E2.exe"

F:\3ada701e393508d72567f6\Setup.exe

F:\3ada701e393508d72567f6\\Setup.exe /x86 /x64 /ia64 /web

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 172.67.150.79:80 rakishev.net tcp
US 8.8.8.8:53 79.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
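Most rows in this table are PTR (in-addr.arpa) lookups, which Windows issues for addresses it has talked to. Only two of them reverse to addresses that also appear as TCP destinations here: 1.112.95.208 maps to 208.95.112.1 (ip-api.com) and 79.150.67.172 maps to 172.67.150.79 (rakishev.net). The remaining fifteen name addresses in cloud and CDN ranges and are, in my assessment, Windows 10 background traffic rather than sample activity. The script below is an added example, not part of the report: it parses the table (copied verbatim as constructed input), separates forward lookups and connections from PTR traffic, and reports which PTR lookups are corroborated by an observed connection.

```python
# Rows copied from the behavioral2 Network table (constructed input for this example).
NETWORK_ROWS = """\
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 172.67.150.79:80 rakishev.net tcp
US 8.8.8.8:53 79.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Each 'Country Destination Domain Proto' row as a dict, with ip and port split out."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """IPv4 address a PTR query name refers to, or None if `name` is not a PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_dns(row):
    return row["port"] == 53 and row["proto"] == "udp"


def triage(rows):
    """Split the table into connections, forward lookups, and matched/unmatched PTR lookups.

    A PTR lookup is 'matched' when the address it names is also a connection
    destination in the same table, i.e. the reverse lookup follows a connection
    the sample made. Unmatched PTRs name addresses with no connection recorded
    here; in a sandbox run those are usually the operating system's own traffic.
    """
    connections = {r["domain"]: (r["ip"], r["port"], r["proto"]) for r in rows if not is_dns(r)}
    contacted = {ip for ip, _, _ in connections.values()}
    forward, matched, unmatched = [], [], []
    for r in rows:
        if not is_dns(r):
            continue
        ip = ptr_target(r["domain"])
        if ip is None:
            forward.append(r["domain"])
        elif ip in contacted:
            matched.append(ip)
        else:
            unmatched.append(ip)
    return {"connections": connections, "forward_lookups": forward,
            "ptr_matched": matched, "ptr_unmatched": unmatched}


def network_iocs(result):
    """Domains the sample resolved and then connected to, with the address it used."""
    return [(d, result["connections"][d][0]) for d in result["forward_lookups"]
            if d in result["connections"]]


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for domain, ip in network_iocs(result):
        print(f"contacted {domain} at {ip}")
    print("PTR lookups corroborated by a connection:", result["ptr_matched"])
    print("PTR lookups with no matching connection:", len(result["ptr_unmatched"]))
```

The two-item result of network_iocs is what belongs in a detection rule; the fifteen unmatched reverse lookups should be checked against a clean baseline run of the same sandbox image before any of them is treated as an indicator.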

Files

memory/1568-0-0x0000000000740000-0x00000000009C2000-memory.dmp

memory/1568-1-0x00007FF96BA70000-0x00007FF96C531000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\ESUO6AUH.exe

MD5 53406e9988306cbd4537677c5336aba4
SHA1 06becadb92a5fcca2529c0b93687c2a0c6d0d610
SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425
SHA512 4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

C:\ProgramData\ssh\9ZWBI2E2.exe

MD5 ae881baa8c3a00a94e5994826bdac3aa
SHA1 3f81a9e1cb712b2f69c8ab9104469a436c797706
SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531
SHA512 2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

memory/752-23-0x0000000000880000-0x000000000089C000-memory.dmp

memory/752-24-0x00007FF96BA70000-0x00007FF96C531000-memory.dmp

memory/752-25-0x0000000002960000-0x0000000002970000-memory.dmp

memory/1568-28-0x00007FF96BA70000-0x00007FF96C531000-memory.dmp

F:\3ada701e393508d72567f6\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

F:\3ada701e393508d72567f6\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

F:\3ada701e393508d72567f6\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

F:\3ada701e393508d72567f6\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\HFIC9AA.tmp.html

MD5 bc844ed08676344569c66a201c03cf22
SHA1 728cc4c266b31beb4f97cb8139ad2a783aa1a12f
SHA256 6c364e7e578eff0f68fe4f20695d264afbe9c14c5cab77ed53be81276c089048
SHA512 516105966590cdf2d13791c0b94f6a449e7a6b03fffadd6868d357c472eb458d262615db7e5540e72c9ebf1f1c57a004be912b0f3248797db5c824e2f90f6d26

F:\3ada701e393508d72567f6\UiInfo.xml

MD5 8b8b0a935dc591799a0c6d52fdc33460
SHA1 ce2748bd469aad6e90b06d98531084d00611fb89
SHA256 57a9ccb84cae42e0d8d1a29cfe170ac3f27bdcae829d979cddfd5e757519b159
SHA512 93009b3045939b65a0c1d25e30a07a772bd73dda518529462f9ce1227a311a4d6fd7595f10b4255cc0b352e09c02026e89300a641492f14df908ad256a3c9d76

F:\3ada701e393508d72567f6\ParameterInfo.xml

MD5 7213da83e0f0b8ae4fea44ae1cb7f62b
SHA1 f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3
SHA256 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9
SHA512 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0

F:\3ada701e393508d72567f6\SplashScreen.bmp

MD5 0966fcd5a4ab0ddf71f46c01eff3cdd5
SHA1 8f4554f079edad23bcd1096e6501a61cf1f8ec34
SHA256 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3
SHA512 a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

F:\3ada701e393508d72567f6\1028\LocalizedData.xml

MD5 967a6d769d849c5ed66d6f46b0b9c5a4
SHA1 c0ff5f094928b2fa8b61e97639c42782e95cc74f
SHA256 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542
SHA512 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c

F:\3ada701e393508d72567f6\1025\LocalizedData.xml

MD5 c5bf74c96a711b3f7004ca6bddecc491
SHA1 4c4d42ff69455f267ce98f1db8f2c5d76a1046da
SHA256 6b67c8a77c1a637b72736595afdf77bdb3910aa9fe48d959775806a0683ffa66
SHA512 2f2071bf9966bffe64c90263f4b9bd5efcac4f976c4e42fbdeaa5d6a6dee51c33f4902cf5e3d0897e1c841e9182e25c86d42e392887bc3ce3d9ed3d780d96ac9

F:\3ada701e393508d72567f6\1033\LocalizedData.xml

MD5 326518603d85acd79a6258886fc85456
SHA1 f1cef14bc4671a132225d22a1385936ad9505348
SHA256 665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577
SHA512 f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

F:\3ada701e393508d72567f6\1032\LocalizedData.xml

MD5 3bf8da35b14fbcc564e03f6342bb71f2
SHA1 8f9139f0bb813bf95f8c437548738d32848d8940
SHA256 39efe12c689edfea041613b0e4d6ec78afec8fe38a0e4adc656591ffef8f415d
SHA512 31b050647ba4bd0c2762d77307e1ed2a324e9b152c06ed496b86ea063cdc18bf2bb1f08d2e9b4af3429a2bc333d7891338d7535487c83495304a5f78776dbc03

F:\3ada701e393508d72567f6\1031\LocalizedData.xml

MD5 8505219c0a8d950ff07dc699d8208309
SHA1 7a557356c57f1fa6d689ea4c411e727438ac46df
SHA256 c48986cdb7fe3401234e0a6540eb394c1201846b5beb1f12f83dc6e14674873a
SHA512 7bcdad0cb4b478068434f4ebd554474b69562dc83df9a423b54c1701ca3b43c3b92de09ee195a86c0d244aa5ef96c77b1a08e73f1f2918c8ac7019f8df27b419

F:\3ada701e393508d72567f6\1037\LocalizedData.xml

MD5 16e6416756c1829238ef1814ebf48ad6
SHA1 c9236906317b3d806f419b7a98598dd21e27ad64
SHA256 c0ee256567ea26bbd646f019a1d12f3eced20b992718976514afa757adf15dea
SHA512 aa595ed0b3b1db280f94b29fa0cb9db25441a1ef54355abf760b6b837e8ce8e035537738e666d27dd2a8d295d7517c325a5684e16304887ccb17313ca4290ce6

F:\3ada701e393508d72567f6\1043\LocalizedData.xml

MD5 6506b4e64ebf6121997fa227e762589f
SHA1 71bc1478c012d9ec57fc56a5266dd325b7801221
SHA256 415112ae783a87427c2fadd7b010ade4f1a7c23b27e4b714b7b507c16b572a1c
SHA512 39024ea9d42352f7c1bd6fefe0574054eceb4059f773cfaeb26c42faada2540ae95fb34718d30ccb6da157d2597f80d12a024461fbd0e8d510431ba6ffa81ec2

F:\3ada701e393508d72567f6\1042\LocalizedData.xml

MD5 78c16da54542c9ed8fa32fed3efaf10d
SHA1 ad8cfe972c8a418c54230d886e549e00c7e16c40
SHA256 e3e3a2288ff840ab0e7c5e8f7b4cfb1f26e597fb17cfc581b7728116bd739ed1
SHA512 d9d7bb82a1d752a424bf81be3d86abea484acbb63d35c90a8ee628e14cf34a7e8a02f37d2ea82aa2ce2c9aa4e8416a7a6232c632b7655f2033c4aaab208c60bf

F:\3ada701e393508d72567f6\1041\LocalizedData.xml

MD5 64ffa6ff8866a15aff326f11a892bead
SHA1 378201477564507a481ba06ea1bc0620b6254900
SHA256 7570390094c0a199f37b8f83758d09dd2cecd147132c724a810f9330499e0cbf
SHA512 ea5856617b82d13c9a312cb4f10673dbc4b42d9ac5703ad871e8bdfcc6549e262e61288737ab8ebcf77219d24c0822e7dacf043d1f2d94a97c9b7ec0a5917ef2

F:\3ada701e393508d72567f6\1040\LocalizedData.xml

MD5 eda1ec689d45c7faa97da4171b1b7493
SHA1 807fe12689c232ebd8364f48744c82ca278ea9e6
SHA256 80faa30a7592e8278533d3380dcb212e748c190aaeef62136897e09671059b36
SHA512 8385a5de4eb6b38169dd1eb03926bc6d4604545801f13d99cee3acede3d34ec9f9d96b828a23ae6246809dc666e67f77a163979679956297533da40f9365bf2c

F:\3ada701e393508d72567f6\1045\LocalizedData.xml

MD5 bdb583c7a48f811be3b0f01fcea40470
SHA1 e8453946a6b926e4f4ae5b02ba1d648daf23e133
SHA256 611b7b7352188adffd6380b9c8a85b8ff97c09a1c293bb7ac0ef5478a0e18ac8
SHA512 27b02226f8f86ca4d00789317c79e8ca0089f5b910bed14aa664eeab6be66e98de3bafd7670c895d70ab9c34ece5f05199f3556fddc1b165904e3432a51c008d

F:\3ada701e393508d72567f6\2052\LocalizedData.xml

MD5 10da125eeabcbb45e0a272688b0e2151
SHA1 6c4124ec8ca2d03b5187ba567c922b6c3e5efc93
SHA256 1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec
SHA512 d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710

F:\3ada701e393508d72567f6\3082\LocalizedData.xml

MD5 2d54fe70376db0218e8970b28c1c4518
SHA1 83ee9ac93142751f23d5bb858f7264e27ea2eab0
SHA256 d17c5b638e2a4d43212d21a2052548c8d4909eb6410e30b8a951a292bcdbbedd
SHA512 20c0fb9a046911bc2d702ab321c3992262ac0f80f33ddda5ec2ccafe9ef07611774223369e0dc7cb91c9cda1cbd65c598a7e1c914d6e6ca4b00205a16411be30

F:\3ada701e393508d72567f6\3076\LocalizedData.xml

MD5 967a6d769d849c5ed66d6f46b0b9c5a4
SHA1 c0ff5f094928b2fa8b61e97639c42782e95cc74f
SHA256 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542
SHA512 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c

F:\3ada701e393508d72567f6\2070\LocalizedData.xml

MD5 7fa9926a4bc678e32e5d676c39f8fb97
SHA1 bba4311dd30261a9b625046f8a6ea215516c9213
SHA256 a25ee75c78c24c50440ad7de9929c6a6e1cc0629009dc0d01b90cbac177dd404
SHA512 e06423bc1ea50a566d341dc513828608e9b6611fea81d33fca471a38f6b2b61b556ea07a5dec0830f3e87194975d87f267a5e5e1a2be5e6a86b07c5bb2bddcb6

F:\3ada701e393508d72567f6\1055\LocalizedData.xml

MD5 65e771fed28b924942a10452bbbf5c42
SHA1 586921b92d5fb297f35effc2216342dac1ae2355
SHA256 45e30569a756d9bcbc5f9dae78bda02751fd25e1c0aee471ce112cb4464a6ee2
SHA512 d014a2a96f3a5c487ef1caddd69599dbec15da5ad689d68009f1ca4d5cb694105a7903f508476d6ffec9d81386cb184df6fc428d34f056190cee30715514a8f7

F:\3ada701e393508d72567f6\1053\LocalizedData.xml

MD5 b3b1a89458bec6af82c5386d26639b59
SHA1 d9320b8cc862f40c65668a40670081079b63cea1
SHA256 1ef312e8be9207466fbfdecee92bfc6c6b7e2da61979b0908eaf575464e7b7a0
SHA512 478ce08619490ed1ecdd8751b5f60da1ee4ac0d08d9a97468c3f595ac4376feca59e9c72dd9c83b00c8d78b298be757c6f24a422b7be8c041f780524844998bf

F:\3ada701e393508d72567f6\1049\LocalizedData.xml

MD5 349b52a81342a7afb8842459e537ecc6
SHA1 6268343e82fbbabe7618bd873335a8f9f84ed64d
SHA256 992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5
SHA512 ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49

F:\3ada701e393508d72567f6\1046\LocalizedData.xml

MD5 a03d2063d388fc7a1b4c36d85efa5a1a
SHA1 88bd5e2ff285ee421ccc523f7582e05a8c3323f8
SHA256 61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3
SHA512 3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0

F:\3ada701e393508d72567f6\1044\LocalizedData.xml

MD5 120104fa24709c2a9d8efc84ff0786cd
SHA1 b513fa545efae045864d8527a5ec6b6cebe31bb9
SHA256 516525636b91c16a70aef8d6f6b424dc1ee7f747b8508b396ee88131b2bb0947
SHA512 1ea8eb2be9d5f4ef6f1f2c0d90cb228a9bb58d7143ccafe77e18ce52ec4aca25dde0ba18430fd4d3d7962d079ccbe7e2552b2c7090361e03c6fdfb7c2b9c7325

F:\3ada701e393508d72567f6\1038\LocalizedData.xml

MD5 89d4356e0f226e75ca71d48690e8ec15
SHA1 2336caa971527977f47512bc74e88cec3f770c7d
SHA256 fcbb619deb2d57b791a78954b0342dbb2fef7ddd711066a0786c8ef669d2b385
SHA512 fa03d55a4aafe94cbf5c134a65bd809fc86c042bc1b8ffbc9a2a5412eb70a468551c05c44b6ce81f638df43cca599aa1dd6f42f2df3012c8a95a3612df7c821e

F:\3ada701e393508d72567f6\1035\LocalizedData.xml

MD5 1aa252256c895b806e4e55f3ea8d5ffb
SHA1 0322ee94c3d5ea26418a2fea3f7e62ec5d04b81d
SHA256 8a68b3b6522c30502202ecb8d16ae160856947254461ac845b39451a3f2db35f
SHA512 ce57784892c0be55a00ced0adc594a534d8a40819790ca483a29b6cd544c7a75ae4e9bde9b6dc6de489ceceb7883b7c2ea0e98a38fcc96d511157d61c8aa3e63

F:\3ada701e393508d72567f6\1030\LocalizedData.xml

MD5 69925e463a6fedce8c8e1b68404502fb
SHA1 76341e490a432a636ed721f0c964fd9026773dd7
SHA256 5f370d2ccdd5fa316bce095bf22670123c09de175b7801d0a77cdb68174ac6b7
SHA512 5f61abec49e1f9cc44c26b83aa5b32c217ebeba63ed90d25836f51f810c59f71ec7430dc5338efba9be720f800204891e5ab9a5f5ec1ff51ef46c629482e5220

F:\3ada701e393508d72567f6\1029\LocalizedData.xml

MD5 0b6ed582eb557573e959e37ebe2fca6a
SHA1 82c19c7eafb28593f453341eca225873fb011d4c
SHA256 8a0da440261940ed89bad7cd65bbc941cc56001d9aa94515e346d57b7b0838fc
SHA512 aba3d19f408bd74f010ec49b31a2658e0884661d2efda7d999558c90a4589b500570cc80410ba1c323853ca960e7844845729fff708e3a52ea25f597fad90759

F:\3ada701e393508d72567f6\1036\LocalizedData.xml

MD5 1dad88faed661db34eef535d36563ee2
SHA1 0525b2f97eddbd26325fddc561bf8a0cda3b0497
SHA256 9605468d426bcbbe00165339d84804e5eb2547bfe437d640320b7bfef0b399b6
SHA512 ccd0bffbf0538152cccd4b081c15079716a5ff9ad04cee8679b7f721441f89eb7c6f8004cff7e1dde9188f5201f573000d0c078474edf124cfa4c619e692d6bc

F:\3ada701e393508d72567f6\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

F:\3ada701e393508d72567f6\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

F:\3ada701e393508d72567f6\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

F:\3ada701e393508d72567f6\Strings.xml

MD5 8a28b474f4849bee7354ba4c74087cea
SHA1 c17514dfc33dd14f57ff8660eb7b75af9b2b37b0
SHA256 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b
SHA512 a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

memory/2244-296-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

F:\3ada701e393508d72567f6\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

F:\3ada701e393508d72567f6\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

F:\3ada701e393508d72567f6\graphics\warn.ico

MD5 b2b1d79591fca103959806a4bf27d036
SHA1 481fd13a0b58299c41b3e705cb085c533038caf5
SHA256 fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11
SHA512 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

F:\3ada701e393508d72567f6\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

memory/752-301-0x00007FF96BA70000-0x00007FF96C531000-memory.dmp

memory/752-302-0x0000000002960000-0x0000000002970000-memory.dmp

memory/752-304-0x00007FF96BA70000-0x00007FF96C531000-memory.dmp

memory/2244-305-0x0000000002FE0000-0x0000000002FE1000-memory.dmp