hxxps://www[.]dropbox[.]com/s/l199fl8tua6jn2n/omega[.]exe?dl=1

Resubmissions

12/02/2023, 19:58

230212-yp4z7sgb88 7

12/02/2023, 19:55

230212-yndfvsfe8z 6

12/02/2023, 14:26

230212-rr4znadh9y 7

Analysis

max time kernel
358s
max time network
361s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12/02/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/l199fl8tua6jn2n/omega.exe?dl=1

Score

7^/10

pyinstaller spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4720	ChromeRecovery.exe
2156	omega.sfx.exe
1676	stealer.exe
4640	stealer.exe

Loads dropped DLL 40 IoCs

pid	Process
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe
4640	stealer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
124	api.ipify.org
126	api.ipify.org

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\manifest.json	elevation_service.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0002000000015597-345.dat	pyinstaller
behavioral1/files/0x0002000000015597-351.dat	pyinstaller
behavioral1/files/0x0002000000015597-354.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
2976	chrome.exe
2976	chrome.exe
3172	chrome.exe
3172	chrome.exe
3076	chrome.exe
3076	chrome.exe
1464	chrome.exe
1464	chrome.exe
2448	chrome.exe
2448	chrome.exe
2308	chrome.exe
2308	chrome.exe
4428	chrome.exe
4428	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
1800	chrome.exe
1800	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2664	2976	chrome.exe	66
PID 2976 wrote to memory of 2664	2976	chrome.exe	66
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 1560	2976	chrome.exe	69
PID 2976 wrote to memory of 4892	2976	chrome.exe	68
PID 2976 wrote to memory of 4892	2976	chrome.exe	68
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70
PID 2976 wrote to memory of 4960	2976	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.dropbox.com/s/l199fl8tua6jn2n/omega.exe?dl=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe7f664f50,0x7ffe7f664f60,0x7ffe7f664f70
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:8
  2⤵
  PID:288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4712 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,6651704098935483373,18103064430827932475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:644
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={3b9588aa-1f94-4ef3-8992-1e4094075990} --system
  2⤵
  - Executes dropped EXE
  PID:4720

C:\Users\Admin\Desktop\omega.exe
"C:\Users\Admin\Desktop\omega.exe"
1⤵
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omega_login.bat" "
  2⤵
  PID:504
- - C:\Users\Admin\AppData\Local\Temp\omega.sfx.exe
    omega.sfx.exe -pvape -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      4⤵
      Executes dropped EXE
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\stealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_1990294615\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\base_library.zip

Filesize
1.0MB

MD5
b8b69095629fb834685a30c4548b6c89

SHA1
4ee72c2726234b6f6029760bb92296b61fb2e80d

SHA256
89e70656b0296ad83f36287d112465f12efe85b778b6777eb54efed589ea3e62

SHA512
5053ec44ee662b82dfa36330cd2b1e281883310dbd2fa0d75b3c094b05fb66a51e71d343eab05e5fb80c85b50c8dbbb89390ab6d2db3338cf31db06f87b074bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\omega.sfx.exe

Filesize
10.4MB

MD5
dd31fbafe4c9c57da0f19c453a09e955

SHA1
96bf35a1cbdafa055e8da8add5e35720ad7c328a

SHA256
e7443e501b6b76fef3137baf8f858b35761579a410485074de7494d6286e5ff7

SHA512
43145e7dcec7b38333553b282b4b7883d4428a5a05971243a46a9c373a1aa4ed232536d3d2f7dbea517bf6d36a8a1a783ac969f19bb66c80c4d48e8adb41be61

Download Submit
C:\Users\Admin\AppData\Local\Temp\omega.sfx.exe

Filesize
10.4MB

MD5
dd31fbafe4c9c57da0f19c453a09e955

SHA1
96bf35a1cbdafa055e8da8add5e35720ad7c328a

SHA256
e7443e501b6b76fef3137baf8f858b35761579a410485074de7494d6286e5ff7

SHA512
43145e7dcec7b38333553b282b4b7883d4428a5a05971243a46a9c373a1aa4ed232536d3d2f7dbea517bf6d36a8a1a783ac969f19bb66c80c4d48e8adb41be61

Download Submit
C:\Users\Admin\AppData\Local\Temp\omega_login.bat

Filesize
29B

MD5
59926e1103d12fa7201150bdebbe4f3c

SHA1
d98ce7af2e01239a3752930d81ef81aa47e3906a

SHA256
d3e4cac4ff1254a15d1dd89d28adc58b6399ee6d58f30a4a07abddaa6dd2a764

SHA512
f7b8029d1f8be0031fdc4404b12bc61438a25df0e3600ef5e6e7bfebb1d652af4ad79f57fc9fc5a4a140247ce1f484529294fb5aef351f09a76db87a9b44772e

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer.exe

Filesize
10.2MB

MD5
6429ad5b80f89d0967dc69188166f801

SHA1
03963ef3b60d4a2b2dd2b0fb777b62f8d2012d9c

SHA256
6461df81c1f894620f1a7ec288bcbe9995cc27737fa56194b2b59f747e64b9b2

SHA512
291324db290fe431140de1c50b738a82fa9a4112103c79ad5b564fa60422af439f1d6f2d95f40be37b19c84cf8ffc8c138dde8df4e7b5df84be3f7b0d0e5dadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer.exe

Filesize
10.2MB

MD5
6429ad5b80f89d0967dc69188166f801

SHA1
03963ef3b60d4a2b2dd2b0fb777b62f8d2012d9c

SHA256
6461df81c1f894620f1a7ec288bcbe9995cc27737fa56194b2b59f747e64b9b2

SHA512
291324db290fe431140de1c50b738a82fa9a4112103c79ad5b564fa60422af439f1d6f2d95f40be37b19c84cf8ffc8c138dde8df4e7b5df84be3f7b0d0e5dadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer.exe

Filesize
10.2MB

MD5
6429ad5b80f89d0967dc69188166f801

SHA1
03963ef3b60d4a2b2dd2b0fb777b62f8d2012d9c

SHA256
6461df81c1f894620f1a7ec288bcbe9995cc27737fa56194b2b59f747e64b9b2

SHA512
291324db290fe431140de1c50b738a82fa9a4112103c79ad5b564fa60422af439f1d6f2d95f40be37b19c84cf8ffc8c138dde8df4e7b5df84be3f7b0d0e5dadf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16762\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16762\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16762\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16762\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16762\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
memory/4720-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-147-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-149-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-150-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-152-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-155-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-157-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-160-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-162-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-163-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-166-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-170-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-172-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-174-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-176-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-177-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-178-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-179-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-180-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-181-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-182-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-126-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-123-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-183-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-184-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-185-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download