hxxps://archive[.]org/download/snap-camera-1[.]21[.]0_202301/Snap%20Camera%201[.]21[.]0[.]exe

Analysis

max time kernel
599s
max time network
560s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10/03/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://archive.org/download/snap-camera-1.21.0_202301/Snap%20Camera%201.21.0.exe

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	vc_redist.x86.exe

Executes dropped EXE 7 IoCs

pid	Process
60	Snap Camera 1.21.0.exe
1512	Snap Camera 1.21.0.tmp
2804	vc_redist.x64.exe
4256	vc_redist.x64.exe
1984	vc_redist.x86.exe
740	vc_redist.x86.exe
2632	VC_redist.x86.exe

Loads dropped DLL 2 IoCs

pid	Process
4256	vc_redist.x64.exe
740	vc_redist.x86.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Snap Camera 1.21.0.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Snap Camera = "\"C:\\Program Files\\Snap Inc\\Snap Camera\\Snap Camera.exe\" --minimized-mode"	Snap Camera 1.21.0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\PrivateWidgets\widgetsplugin.dll	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Flat\is-E2GLQ.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Extras\DelayButton.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\driver\is-6HCT5.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\mediaservice\is-JO9RD.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\is-4O4H0.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\TextFieldStyle.qmlc	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Switch.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\is-2T5IJ.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Imagine\is-EU738.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\shaders\common\malibuTransform.glsl	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtGraphicalEffects\private\FastInnerShadow.qmlc	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\DelayButtonStyle.qmlc	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtGraphicalEffects\is-7C6CQ.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\is-FALRP.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\images\is-E3BT1.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\envProvider\filterEnvmap.glsl	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\imageformats\qwebp.dll	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Frame.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Material\CheckBox.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Extras\Private\TextSingleton.qmlc	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\depth\is-339HV.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\is-3CC4V.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Dialogs\images\is-UO03L.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\statistics_mipmaps.glsl	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Private\MenuItemSubControls.qmlc	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Extras\is-GLVMO.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Extras\Private\is-L2M7I.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Private\is-IV66G.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\is-8A1F5.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\is-0JG03.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Imagine\is-KD2I7.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Imagine\is-SM01G.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\Resources\PrecachedAssets.bundle\is-C9AK1.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\RadioButton.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\human3d\is-PSME5.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Material\is-K4A5J.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Desktop\TableViewStyle.qmlc	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Private\is-OP0DG.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtMultimedia\is-S21DH.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\is-UL84A.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\is-07MEL.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Imagine\is-9RLU5.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Universal\is-102LP.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Universal\StackView.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\is-0J7N6.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Fusion\is-JEEJK.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\ScrollViewStyle.qmlc	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Universal\TabButton.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Dialogs\images\checkers.png	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Desktop\ComboBoxStyle.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\Overlay.lns	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Extras\ToggleButton.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Container.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls.2\Material\is-DMD6R.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Dialogs\qml\is-DONLI.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\images\check.png	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\scenegraph\qsgd3d12backend.dll	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Private\is-HPUHG.tmp	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\images\is-6ONDS.tmp	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Private\MenuContentScroller.qml	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\desktop\glsl430\std2_fs_depth_output.glsl	Snap Camera 1.21.0.tmp
File opened for modification	C:\Program Files\Snap Inc\Snap Camera\QtQuick\Controls\Styles\Base\TumblerStyle.qml	Snap Camera 1.21.0.tmp
File created	C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\shaders\common\is-OFB8O.tmp	Snap Camera 1.21.0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133229404064159605"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4272	chrome.exe
4272	chrome.exe
4856	chrome.exe
4856	chrome.exe
1512	Snap Camera 1.21.0.tmp
1512	Snap Camera 1.21.0.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4272	chrome.exe
4272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe
Token: SeShutdownPrivilege	4272	chrome.exe
Token: SeCreatePagefilePrivilege	4272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe
4272	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1520	4272	chrome.exe	87
PID 4272 wrote to memory of 1520	4272	chrome.exe	87
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 3792	4272	chrome.exe	88
PID 4272 wrote to memory of 4948	4272	chrome.exe	89
PID 4272 wrote to memory of 4948	4272	chrome.exe	89
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90
PID 4272 wrote to memory of 64	4272	chrome.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://archive.org/download/snap-camera-1.21.0_202301/Snap%20Camera%201.21.0.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cb899758,0x7ff9cb899768,0x7ff9cb899778
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:2
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5152 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2816 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1660 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1032 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1808,i,13141754945844053456,1025369068215623213,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe
  "C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe"
  2⤵
  - Executes dropped EXE
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\is-D5LPL.tmp\Snap Camera 1.21.0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D5LPL.tmp\Snap Camera 1.21.0.tmp" /SL5="$D0066,170561280,850944,C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
  - - C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe
      "C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe" /install /passive /quiet /norestart
      4⤵
      Executes dropped EXE
      PID:2804
    - - C:\Windows\Temp\{344D9B98-0969-4560-880A-54FE8212CEB9}\.cr\vc_redist.x64.exe
        
        "C:\Windows\Temp\{344D9B98-0969-4560-880A-54FE8212CEB9}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /install /passive /quiet /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4256
  - - C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe
      "C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe" /install /passive /quiet /norestart
      4⤵
      Executes dropped EXE
      PID:1984
    - - C:\Windows\Temp\{82AF5869-AE06-427C-A871-1D5A53A3D0F6}\.cr\vc_redist.x86.exe
        
        "C:\Windows\Temp\{82AF5869-AE06-427C-A871-1D5A53A3D0F6}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /install /passive /quiet /norestart
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:740
      - C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5C0EEA87-A87D-4DB6-8CDD-26D258B607D1} {31FCB176-C0DE-4A32-8026-32C6409293B6} 740
        6⤵
        Executes dropped EXE
        
        PID:2632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Snap Inc\Snap Camera\CoreResources.bundle\scenarium\desktop\glsl430\is-U760H.tmp

Filesize
261B

MD5
811469ebf66860b70d77979cf19ea703

SHA1
a31f5b9b1590b60800c7d1ee3eb768bee2b9b7de

SHA256
35e7e17967b232bba641986f8c52cfa066d434653bb96495f7d4425e11e24331

SHA512
b7d13e312bac1c81eb3ba55baee084cc39b337c5d37888c17997e66830e14e3dbef3b6faa06506b1a0906915465e016ea601695bffac6adfc007c5e4bd05d08f

Download Submit
C:\Program Files\Snap Inc\Snap Camera\Resources\PrecachedAssets.bundle\18112347238\Content\Resources\Resource14\is-O1FNH.tmp

Filesize
4KB

MD5
ba85cae66fe4b7ba673ea04842181871

SHA1
4cebe901781adbe3da236c198a22a0c30da38efc

SHA256
d7eb70cab55e687acf8a51e5b651a1fbf60f505d3cb8ec248e8ededd9f014b91

SHA512
385f4cfbf0e718324f65ff95a57115fb9ab1d7fa6e5410aa6e7bd53880b1ea1a6f504f80ba52a1e26df9b6df23e0557ac3f338c4b5563318e7321be8c3a5ef03

Download Submit
C:\Program Files\Snap Inc\Snap Camera\Snap Camera.exe

Filesize
64.2MB

MD5
9d23de5bc731a6c93e4eef17c70cb9df

SHA1
a1085e9acbddfe040b9b3553b9c5b08855e55972

SHA256
7b19c690248d74941a8d450a025a8fddd1dec6421f0c80c3ffd8d9cda8a358d6

SHA512
dea4c8fe3aae4e4027eae7265c892c33268b9b782544af4f6f5159a9878ac6479f1ec734f12e024109a973a2b9a4eab69353fd075b3cba4f2bc2381517d94080

Download Submit
C:\Program Files\Snap Inc\Snap Camera\SnapVirtualCam32.dll

Filesize
2.7MB

MD5
1ddcf53f65ee70dea9aa90d2c074de4d

SHA1
0bc8e2e0e7df13f781b21dbe69cfe60ea0107f21

SHA256
ab4d9a71297dbb5bb8c2563e7ba3c52d0f506d653a114ae7c8f5882a3b3be5f2

SHA512
0a4ecad5d04a3085f63c6deb49a7aaae01fea583c87da884ebfce7c1fe8df5e9b0aee61f3d982f52993ec89208a0fe3474412d6fe24a9c52fb84c572b824fac7

Download Submit
C:\Program Files\Snap Inc\Snap Camera\SnapVirtualCam64.dll

Filesize
2.7MB

MD5
4f388ca6f87cbe8278bb8997a820140a

SHA1
350a97a22cf7f40844c66b2090ded40976f32e38

SHA256
ac7ba70ea82b62e7f57942d7267b58163c0449d5493e5ab671e198d92e73c37c

SHA512
9f8174b48ac9cd451652c5c796c4ea620eb092cf57f014ff1a5c378cfe5146c85b4217bdfae967780efbd611363b0fcc5def810c81f72595119235226036c7f3

Download Submit
C:\Program Files\Snap Inc\Snap Camera\unins000.exe

Filesize
3.0MB

MD5
11042202b0b85a77ee8b9be86fbb13b7

SHA1
75cc7bdf52ec7c9c3190e591943adc796ecad7ee

SHA256
3163419f7eaf1d9e93392c872a44f83820a0c0285632ed00472d0228525765c9

SHA512
375f9ff8a7a2425ca70a291738799dd2c44f3445fe6fa6708757149558e616b7a4ed40854be7707ce11c3f6b918bfab17706b9734b0288d26068252e24308ae9

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe

Filesize
14.2MB

MD5
9f096b97d204078b443dbcbf18e0ebb0

SHA1
a55510a8c9708b2c68b39cd50bbcaf86e2c885f0

SHA256
4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107

SHA512
c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe

Filesize
14.2MB

MD5
9f096b97d204078b443dbcbf18e0ebb0

SHA1
a55510a8c9708b2c68b39cd50bbcaf86e2c885f0

SHA256
4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107

SHA512
c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x64.exe

Filesize
14.2MB

MD5
9f096b97d204078b443dbcbf18e0ebb0

SHA1
a55510a8c9708b2c68b39cd50bbcaf86e2c885f0

SHA256
4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107

SHA512
c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe

Filesize
13.1MB

MD5
dd89ae7bc09cad5648524905d0f53214

SHA1
29e23dd7c19b03eb59304f9d1f8e7209c1167348

SHA256
cf92a10c62ffab83b4a2168f5f9a05e5588023890b5c0cc7ba89ed71da527b0f

SHA512
7174a4c0c90beef6c091f3b1065fd951c2ecf16aa6170af56c2b226f4d352f90e13afdb6bd3b61f81f0b1050482f21d3c3b61c0de379277459e4c966ec9e823e

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe

Filesize
13.1MB

MD5
dd89ae7bc09cad5648524905d0f53214

SHA1
29e23dd7c19b03eb59304f9d1f8e7209c1167348

SHA256
cf92a10c62ffab83b4a2168f5f9a05e5588023890b5c0cc7ba89ed71da527b0f

SHA512
7174a4c0c90beef6c091f3b1065fd951c2ecf16aa6170af56c2b226f4d352f90e13afdb6bd3b61f81f0b1050482f21d3c3b61c0de379277459e4c966ec9e823e

Download Submit
C:\Program Files\Snap Inc\Snap Camera\vc_redist.x86.exe

Filesize
13.1MB

MD5
dd89ae7bc09cad5648524905d0f53214

SHA1
29e23dd7c19b03eb59304f9d1f8e7209c1167348

SHA256
cf92a10c62ffab83b4a2168f5f9a05e5588023890b5c0cc7ba89ed71da527b0f

SHA512
7174a4c0c90beef6c091f3b1065fd951c2ecf16aa6170af56c2b226f4d352f90e13afdb6bd3b61f81f0b1050482f21d3c3b61c0de379277459e4c966ec9e823e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
014a66543cc1f83d28893a9770ee88ad

SHA1
0f1f7955fc6ceebb592b1b6927ff83536b19e81d

SHA256
21d6f60637f3fe773b7681ef933444d0e21577bb72a383ad478d2bc14c1c9574

SHA512
d2a4b0aaec2fd9a61aac1a379dcc3b4b102e73e8617f5ccbb63122ef4b7757ff88a403c554b401f3667b42ae3e4e620794aa4e51fdb6d703691fd9b5e89e35cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
9c49ca56847b3b602ff2606dbca1aae4

SHA1
554e0b770e9be679727d419b68c514fccd23ce8b

SHA256
2d853bf08f0aa49a5382ee4be83cfd95cfe571f0ba680b69b10a7afc52e787a5

SHA512
9df516082ab558865e132e21671ab8607ed690bc2efe17c7e6bde2c98afaece931ef9d1a51b7022f33311be1f540c79575b2551fdca4a4b6f90a261ffc257ff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f66ca42e741216b5c5d77154cf91ce5

SHA1
d155cc528662fe076b3a6f2d410e63ba0b90864c

SHA256
a15066f49a363ae0d862f889407c658f552495a6bd8b8190aa18bdaee4c5378e

SHA512
924282b22975566a03314412d20adc7a8e0bcc28a5e7fad76aa586bcf7e885b62b6299e3149e6bec492608641dc5c8fb6992b8e0864ff81783528c774a0deb48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6297cfbcf7b7179cb3274f0110e91035

SHA1
bd2cc4a3a52c66f566a49109a66c4ccac628604a

SHA256
25f96cda38c80d4fa5050e2dfcc49b6a8f6460716a4c821c0aa31a5c25d180b3

SHA512
ab2c9fcb451dfc10cf6d82053fbcd04840364202097d5445a1583dddba44516af8355004695606cbf339fd6c5fef975de87eed4f6268fcd349f8f01359ea2a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5af9b56f4cd4768a1027f3b7c673016c

SHA1
3ea6e4f166784701b9046a947fe0ebf532eae07b

SHA256
119b0f323261f834e6176e0083d6a097d64d75226357db45fd127c4b391a93d1

SHA512
9fd41e1ffcc7bd737cd953e72054ff9c8158ca6d0f57f34e8cdd99731e2d39da69baab47ebed2aaf0398fb7b04637ecd209e584a4215aaf6a0b9a03783b229c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bf555424e1ecc43887966cd7fee2b379

SHA1
acc4afb41c2c89da367d4bd7a2ff9d836a5cf8cc

SHA256
670fbeddcf81e4ebe4aecb662e177e76195e2ab241acbb1197040af834ab5f5e

SHA512
6ba3fbfe7e174b7405b0a0220cded8c9b0b854de9f13db083b7f92f478e2876d7c1a5e65c69a2862da1851ccceff14a0ef7afd9dab44db8d65f3f5d0efb9ded3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
3ac7299b0cc11c994542e9e6bf47f764

SHA1
4b02ffad7c0655a95f807f002f16b8a82e16e83d

SHA256
5a4c558a8574d898673f7474dd416a5e904a1ed716c16fe95c28617affbce7fc

SHA512
cc20916e7ef8c26c19f137481586d574cf1752c169fb44ec033d5ae86306e398f85511f4eff93959207b5958dc37d457e66b1d28b41a11de089b78f835df33c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
76f314e9a767362367fff655380ce395

SHA1
7a2916599f9cb1c9a501e669097c8870d5fe1be5

SHA256
5f00e5f3bedbc1937db0dd3680f256ad77fd9c50c4b405cb7e665efb1dacb278

SHA512
1231d16f095b0ca60f977787778e1f6054bee87665809e5d32808e2c4ee9399f0a0947977a0f19e46e0bb86b9db4056f5ccf821a4cfe5d2ceee7721bf78a070d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ebb01.TMP

Filesize
104KB

MD5
584a866d2a347fbe280e468f1d54f229

SHA1
16abd4b134ecdd7ddfa3c8c1ae651e08cfe71954

SHA256
577590fb2583212b0c78ea0ee816d7839031e80a930975e48313c589a723f5c9

SHA512
935258f4c491f577240bc7f3c0d27a236d3eab9e06aa4b72e2908e2969154134fb8583f55b67fd18f19f926550f0b4ad11230a5b4de7c4dde280451685243131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D5LPL.tmp\Snap Camera 1.21.0.tmp

Filesize
3.0MB

MD5
11042202b0b85a77ee8b9be86fbb13b7

SHA1
75cc7bdf52ec7c9c3190e591943adc796ecad7ee

SHA256
3163419f7eaf1d9e93392c872a44f83820a0c0285632ed00472d0228525765c9

SHA512
375f9ff8a7a2425ca70a291738799dd2c44f3445fe6fa6708757149558e616b7a4ed40854be7707ce11c3f6b918bfab17706b9734b0288d26068252e24308ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D5LPL.tmp\Snap Camera 1.21.0.tmp

Filesize
3.0MB

MD5
11042202b0b85a77ee8b9be86fbb13b7

SHA1
75cc7bdf52ec7c9c3190e591943adc796ecad7ee

SHA256
3163419f7eaf1d9e93392c872a44f83820a0c0285632ed00472d0228525765c9

SHA512
375f9ff8a7a2425ca70a291738799dd2c44f3445fe6fa6708757149558e616b7a4ed40854be7707ce11c3f6b918bfab17706b9734b0288d26068252e24308ae9

Download Submit
C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe

Filesize
163.9MB

MD5
ec0816368314db8a35ddf06784ffadfe

SHA1
a196fe5ced9018d839fa0b827fb89ac3a41fc408

SHA256
0d71ba3b05862979b5b6ce00808901bf9d762f7a607c60179344253f5c8e1a4c

SHA512
1b33fbabd277a3618fdcc3aaad441b45bdbf809ac58653e3fc4ac6b33f90bf16c82264109f079aa7ee869c297d315d2695ccaab4d1353079220782aa44fc306a

Download Submit
C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe

Filesize
163.9MB

MD5
ec0816368314db8a35ddf06784ffadfe

SHA1
a196fe5ced9018d839fa0b827fb89ac3a41fc408

SHA256
0d71ba3b05862979b5b6ce00808901bf9d762f7a607c60179344253f5c8e1a4c

SHA512
1b33fbabd277a3618fdcc3aaad441b45bdbf809ac58653e3fc4ac6b33f90bf16c82264109f079aa7ee869c297d315d2695ccaab4d1353079220782aa44fc306a

Download Submit
C:\Users\Admin\Downloads\Snap Camera 1.21.0.exe

Filesize
163.9MB

MD5
ec0816368314db8a35ddf06784ffadfe

SHA1
a196fe5ced9018d839fa0b827fb89ac3a41fc408

SHA256
0d71ba3b05862979b5b6ce00808901bf9d762f7a607c60179344253f5c8e1a4c

SHA512
1b33fbabd277a3618fdcc3aaad441b45bdbf809ac58653e3fc4ac6b33f90bf16c82264109f079aa7ee869c297d315d2695ccaab4d1353079220782aa44fc306a

Download Submit
C:\Windows\Temp\{344D9B98-0969-4560-880A-54FE8212CEB9}\.cr\vc_redist.x64.exe

Filesize
632KB

MD5
968e1c550c1254a3d5f63f4a78ac3b2b

SHA1
1b1427bf86c326e1f402887af5082653129cf03e

SHA256
bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

SHA512
d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

Download Submit
C:\Windows\Temp\{344D9B98-0969-4560-880A-54FE8212CEB9}\.cr\vc_redist.x64.exe

Filesize
632KB

MD5
968e1c550c1254a3d5f63f4a78ac3b2b

SHA1
1b1427bf86c326e1f402887af5082653129cf03e

SHA256
bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

SHA512
d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

Download Submit
C:\Windows\Temp\{82AF5869-AE06-427C-A871-1D5A53A3D0F6}\.cr\vc_redist.x86.exe

Filesize
634KB

MD5
254bcff0bd40d24a331f2db7ad3fc266

SHA1
7c614fefa4e8ee974cea424ada2f1c3a669df6f4

SHA256
f5da3508f7201513aff013a1f1aa5164fcc248956efba739419592d94354b3cb

SHA512
367257e77baa450fc9b9243ea33b9b4e78d0b6333ad1b6ea2aafdfc7a66efb4d845725456a992903494d6493c77606b673fa798de60a259ecaedf79a7eef6063

Download Submit
C:\Windows\Temp\{82AF5869-AE06-427C-A871-1D5A53A3D0F6}\.cr\vc_redist.x86.exe

Filesize
634KB

MD5
254bcff0bd40d24a331f2db7ad3fc266

SHA1
7c614fefa4e8ee974cea424ada2f1c3a669df6f4

SHA256
f5da3508f7201513aff013a1f1aa5164fcc248956efba739419592d94354b3cb

SHA512
367257e77baa450fc9b9243ea33b9b4e78d0b6333ad1b6ea2aafdfc7a66efb4d845725456a992903494d6493c77606b673fa798de60a259ecaedf79a7eef6063

Download Submit
C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.be\VC_redist.x86.exe

Filesize
634KB

MD5
254bcff0bd40d24a331f2db7ad3fc266

SHA1
7c614fefa4e8ee974cea424ada2f1c3a669df6f4

SHA256
f5da3508f7201513aff013a1f1aa5164fcc248956efba739419592d94354b3cb

SHA512
367257e77baa450fc9b9243ea33b9b4e78d0b6333ad1b6ea2aafdfc7a66efb4d845725456a992903494d6493c77606b673fa798de60a259ecaedf79a7eef6063

Download Submit
C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.be\VC_redist.x86.exe

Filesize
634KB

MD5
254bcff0bd40d24a331f2db7ad3fc266

SHA1
7c614fefa4e8ee974cea424ada2f1c3a669df6f4

SHA256
f5da3508f7201513aff013a1f1aa5164fcc248956efba739419592d94354b3cb

SHA512
367257e77baa450fc9b9243ea33b9b4e78d0b6333ad1b6ea2aafdfc7a66efb4d845725456a992903494d6493c77606b673fa798de60a259ecaedf79a7eef6063

Download Submit
C:\Windows\Temp\{8C312B5D-9EB2-49F9-A041-41DE7CB79EF7}\.be\VC_redist.x86.exe

Filesize
634KB

MD5
254bcff0bd40d24a331f2db7ad3fc266

SHA1
7c614fefa4e8ee974cea424ada2f1c3a669df6f4

SHA256
f5da3508f7201513aff013a1f1aa5164fcc248956efba739419592d94354b3cb

SHA512
367257e77baa450fc9b9243ea33b9b4e78d0b6333ad1b6ea2aafdfc7a66efb4d845725456a992903494d6493c77606b673fa798de60a259ecaedf79a7eef6063

Download Submit
C:\Windows\Temp\{C852BA22-401F-4221-8558-20EB76539752}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{C852BA22-401F-4221-8558-20EB76539752}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/60-262-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/60-248-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/60-247-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/60-242-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1512-261-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1512-2440-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1512-263-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1512-2292-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1512-281-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1512-282-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1512-1477-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download