d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4

Analysis

max time kernel
152s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Size

1.8MB
MD5

f819f00375b7314af393b8c8545374f2
SHA1

55835a13e59d24d17d6ea2273070e698f01a12c3
SHA256

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4
SHA512

15552dfd99e37c3ed94f36c28a5be41b1db2d21daf6b0dfcc2f5b202fb5315fb7f00bda4f1a7a1d7daf6e386675703fd6716002b916135af8f26c68b3039bdf8
SSDEEP

49152:lnwJte53FoqI+qOGYdU3YNTMXQkwk67sFnpD5yv2nwu:lnwJ5+qOtdUoFMUh7antUv2nwu

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exerundll32.exe

flow	pid	process
33	4212	rundll32.exe
58	4212	rundll32.exe
75	2096	rundll32.exe
78	4212	rundll32.exe
83	2096	rundll32.exe
86	4212	rundll32.exe
91	2096	rundll32.exe
94	4212	rundll32.exe
97	2096	rundll32.exe
101	4212	rundll32.exe
121	2096	rundll32.exe
124	4212	rundll32.exe
127	2096	rundll32.exe

Executes dropped EXE 3 IoCs

Processes:

firefox-installer.exeie-installer.exeCouponMarvel.exe

pid process

4116 firefox-installer.exe
692 ie-installer.exe
4884 CouponMarvel.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4116	firefox-installer.exe
692	ie-installer.exe
4884	CouponMarvel.exe

Loads dropped DLL 27 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exefirefox-installer.exeie-installer.exeCouponMarvel.exechrome.exechrome.exerundll32.exechrome.exeCompPkgSrv.exechrome.exechrome.exerundll32.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4116	firefox-installer.exe
692	ie-installer.exe
692	ie-installer.exe
4884	CouponMarvel.exe
1892	chrome.exe
2100	chrome.exe
4212	rundll32.exe
2816
4996
4156	chrome.exe
4032	CompPkgSrv.exe
3964	chrome.exe
1820	chrome.exe
2096	rundll32.exe
1892	chrome.exe
4156	chrome.exe
1820	chrome.exe
380	chrome.exe
1364	chrome.exe
4080	chrome.exe
4796	chrome.exe
4496	chrome.exe
3508

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ie-installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\ = "Coupon Marvel"	ie-installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\NoExplorer = "1"	ie-installer.exe

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe

Drops file in Program Files directory 15 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exefirefox-installer.exeie-installer.exe

description	ioc	process
File created	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Mozilla Firefox\defaults\pref\cm_prefs.js	firefox-installer.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\coupon-marvel.dll	ie-installer.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel.exe.old.20221123222103.766	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll.old.20221123222103.766	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe.old.20221123222103.783	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\Uninstall.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll.old.20221123222103.751	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe.old.20221123222103.783	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe

Drops file in Windows directory 2 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe

description	ioc	process
File created	C:\Windows\Tasks\Coupon Marvel.job	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Windows\Tasks\Coupon Marvel.job	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

rundll32.exerundll32.exeCouponMarvel.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe

Modifies registry class 5 IoCs

Processes:

ie-installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\ = "Coupon Marvel"	ie-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32\ = "C:\\Program Files (x86)\\Coupon Marvel\\coupon-marvel.dll"	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32\ThreadingModel = "Apartment"	ie-installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exeCouponMarvel.exechrome.exechrome.exerundll32.exechrome.exe

pid	process
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
4884	CouponMarvel.exe
1892	chrome.exe
1892	chrome.exe
2100	chrome.exe
2100	chrome.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2100 chrome.exe
2100 chrome.exe
2100 chrome.exe
2100 chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exeCouponMarvel.exerundll32.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeTcbPrivilege	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeDebugPrivilege	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeIncreaseQuotaPrivilege	4884	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeIncreaseQuotaPrivilege	4884	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	4884	CouponMarvel.exe
Token: SeDebugPrivilege	4212	rundll32.exe
Token: SeIncreaseQuotaPrivilege	4884	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	4884	CouponMarvel.exe
Token: SeDebugPrivilege	2096	rundll32.exe
Token: SeIncreaseQuotaPrivilege	4884	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe
Token: SeTcbPrivilege	4884	CouponMarvel.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exeCouponMarvel.exerundll32.exechrome.exe

description	pid	process	target process
PID 4964 wrote to memory of 4116	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 4964 wrote to memory of 4116	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 4964 wrote to memory of 4116	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 4964 wrote to memory of 692	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 4964 wrote to memory of 692	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 4964 wrote to memory of 692	4964	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 4884 wrote to memory of 2100	4884	CouponMarvel.exe	chrome.exe
PID 4884 wrote to memory of 2100	4884	CouponMarvel.exe	chrome.exe
PID 4884 wrote to memory of 3388	4884	CouponMarvel.exe	rundll32.exe
PID 4884 wrote to memory of 3388	4884	CouponMarvel.exe	rundll32.exe
PID 3388 wrote to memory of 4212	3388	rundll32.exe	rundll32.exe
PID 3388 wrote to memory of 4212	3388	rundll32.exe	rundll32.exe
PID 3388 wrote to memory of 4212	3388	rundll32.exe	rundll32.exe
PID 2100 wrote to memory of 1892	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 1892	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4984	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4156	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 4156	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe
PID 2100 wrote to memory of 3776	2100	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
"C:\Users\Admin\AppData\Local\Temp\d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe
"C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4116

C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe
"C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
PID:692

C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe
C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --silent-launch
2⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0b4a4f50,0x7ffd0b4a4f60,0x7ffd0b4a4f70
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2240 /prefetch:2
3⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2524 /prefetch:8
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
3⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
3⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
3⤵
- Loads dropped DLL
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
3⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
3⤵
- Loads dropped DLL
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
3⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
3⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
3⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
3⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
3⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 /prefetch:8
3⤵
- Loads dropped DLL
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
3⤵
- Loads dropped DLL
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:8
3⤵
- Loads dropped DLL
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
3⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
3⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
3⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
3⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11289782824157918170,5757006467743369387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5232 /prefetch:8
3⤵
PID:4840

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll",Extra
2⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll",Extra
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll",Extra
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --install-from-webstore=ldoelldhnadjajbpdkgajifamomngnmc
2⤵
- Loads dropped DLL
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd0b4a4f50,0x7ffd0b4a4f60,0x7ffd0b4a4f70
3⤵
- Loads dropped DLL
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=2160,17730930710262092332,12162922210963193160,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17730930710262092332,12162922210963193160,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2464 /prefetch:8
3⤵
PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe
Filesize
431KB

MD5
ffdb2f56f32f977883b8ef43ab3f22ac

SHA1
13f9e58c1bab75b3b95a2178ae7cd19bc6605a3b

SHA256
0e5183f73fd21ca4426ddeea428f4eff5d6d82c6c1ce8d5b2b85dc4f31caa83d

SHA512
617825be77106104e9eca095cbca978f9e93c11e70aeedc4fefbc730e3e4f97b4cd4839b053fa5c51124a14da3da0463825b69ce3a2c006d1db1a98595572a78

Download Submit
C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll
Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
C:\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel.exe
Filesize
431KB

MD5
ffdb2f56f32f977883b8ef43ab3f22ac

SHA1
13f9e58c1bab75b3b95a2178ae7cd19bc6605a3b

SHA256
0e5183f73fd21ca4426ddeea428f4eff5d6d82c6c1ce8d5b2b85dc4f31caa83d

SHA512
617825be77106104e9eca095cbca978f9e93c11e70aeedc4fefbc730e3e4f97b4cd4839b053fa5c51124a14da3da0463825b69ce3a2c006d1db1a98595572a78

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll
Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll
Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll
Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll
Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe
Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe
Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe
Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe
Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
C:\Program Files (x86)\Coupon Marvel\coupon-marvel.dll
Filesize
218KB

MD5
b708a2266a96bc6b8437a2ebeab01060

SHA1
7481fadbf5a8785d1fb3169b5d55188c87140a09

SHA256
70af5551101ac56fb89b5cac653b87b1a9fbd6024c2b520fdd6e1b9a4d171472

SHA512
2f5d9d98a7a110d262f5a51bcc020bded07c366f3eab7b13ab63f265c1c61ea6fbacc8c7483907f1ca19dfbf251ef53506ad42fd8d7eb2e591849cd206bb4471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
f9117eef265e523cfb5089ab5388e102

SHA1
13da751278466c6af5b00499ddc8f4cc129a6056

SHA256
97625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268

SHA512
14fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
f9117eef265e523cfb5089ab5388e102

SHA1
13da751278466c6af5b00499ddc8f4cc129a6056

SHA256
97625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268

SHA512
14fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
103KB

MD5
42f6c75a26414187759a1a4efc24909d

SHA1
a7bf822dda0fd077fc5ebfd57f01312c7be465ba

SHA256
4fdd38db34982e0a47528f1c859d3aeed576261ed52c1116b44e180159b85b21

SHA512
8fe8c25633dc4e3f8442404394404e79319e6cf25fef9ae6fd077517e0d05c6eac9c368223bec62785d3683b847df4ab12abac824d2f9b1e65325d3ea6d9e2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
103KB

MD5
0f6c7bd6fe7c7f946b645c14211570e2

SHA1
68e63c2090856ad2be7df3b9444985eec48cc0a4

SHA256
2b3642cfec9b20ac637a07490027db8794c682d48ad2b0a5d9182965cda26f1f

SHA512
30e9b71e905404fbeb49c94cf61397f2dfe3bc08471f89f4cd708f9bfc47500ff1a01f0ae07430414b86e01be63ee780ce52f8fbce3314d7e1ab07329f359551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC70F.tmp\NSISHelper.dll
Filesize
268KB

MD5
04a992b8f4e102ffeed95d53609a12e3

SHA1
e5490eb13a3f02c78e4042b90e8b179b7a6f7c81

SHA256
5bd646e3b575448b9e7d1f11f7a17ef41b112bdd9cd877e047453069ac39098b

SHA512
6112990aa60da60aac2ebf902526cbf7e4963c8e5f044644faf06e2e18b16ec6d9b5b3709df5cd3b701c5157711ae77f8131d71b5bb34f841fc0a7bb1c9d1f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC70F.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC70F.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC70F.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\??\pipe\crashpad_2100_PODHEDEMDDNSGKNJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4080_OFOOCJHAKVYGRCUD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/692-141-0x0000000000000000-mapping.dmp

Download
memory/2096-162-0x0000000000000000-mapping.dmp

Download
memory/3388-150-0x0000000000000000-mapping.dmp

Download
memory/4116-136-0x0000000000000000-mapping.dmp

Download
memory/4212-151-0x0000000000000000-mapping.dmp

Download