Malware Analysis Report

2024-10-24 17:05

Sample ID: 240202-gdr3tshdcr
Target: StudioApp.exe
SHA256: 22442d487765e55be893d7b769b48bdcc193d537aada4435954d6cbdb0563d86
Tags: pyinstaller, crealstealer, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 22442d487765e55be893d7b769b48bdcc193d537aada4435954d6cbdb0563d86
Threat Level: Known bad

The file StudioApp.exe was found to be: Known bad.

Malicious Activity Summary

Tags: pyinstaller, crealstealer, spyware, stealer

An infostealer written in Python and packaged with PyInstaller.
Crealstealer family
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Unsigned PE
Detects Pyinstaller
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-02 05:41

Signatures

An infostealer written in Python and packaged with PyInstaller.

Description Indicator Process Target
N/A N/A N/A N/A

Crealstealer family

Tags: crealstealer

Detects Pyinstaller

Tags: pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-02 05:41
Reported: 2024-02-02 05:44
Platform: win7-20231215-en
Max time kernel: 140s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\StudioApp.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19DC8FD1-C18E-11EE-8AA0-CE9B5D0C5DE4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\StudioApp.exe
    "C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

C:\Users\Admin\AppData\Local\Temp\StudioApp.exe
    "C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21042\python310.dll
C:\Users\Admin\AppData\Local\Temp\Cab1C5A.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1CE9.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-02 05:41
Reported: 2024-02-02 05:44
Platform: win10v2004-20231215-en
Max time kernel: 91s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StudioApp.exe C:\Users\Admin\AppData\Local\Temp\StudioApp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\StudioApp.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\StudioApp.exe
    "C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

C:\Users\Admin\AppData\Local\Temp\StudioApp.exe
    "C:\Users\Admin\AppData\Local\Temp\StudioApp.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe
    tasklist

Network


Files

C:\Users\Admin\AppData\Local\Temp\_MEI4322\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_cffi_backend.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\pywin32_system32\pywintypes310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\pywin32_system32\pythoncom310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4322\win32\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\charset_normalizer\md.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\Crypto\Cipher\_raw_cbc.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\Crypto\Cipher\_raw_ecb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4322\Crypto\Cipher\_raw_cfb.pyd
C:\Users\Admin\AppData\Local\Temp\crcook.txt