hxxps://www[.]youtube[.]com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload[.]com%2Ffile%2FutDNccNtzpw

Resubmissions

10/08/2024, 16:14

240810-tp4bfsxbqr 10

10/08/2024, 16:09

240810-tl9zts1cpe 10

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload.com%2Ffile%2FutDNccNtzpw

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
166	5936	powershell.exe
168	4932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5936	powershell.exe
4932	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3920	ChapoStealer.exe
4428	ChapoStealer.exe

Loads dropped DLL 24 IoCs

pid	Process
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
3920	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe
4428	ChapoStealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1156	msedge.exe
1156	msedge.exe
1468	msedge.exe
1468	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
5752	msedge.exe
5752	msedge.exe
5936	powershell.exe
5936	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3572	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3572	7zFM.exe
Token: 35	3572	7zFM.exe
Token: SeSecurityPrivilege	3572	7zFM.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2368	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3604	1468	msedge.exe	84
PID 1468 wrote to memory of 3604	1468	msedge.exe	84
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 4504	1468	msedge.exe	85
PID 1468 wrote to memory of 1156	1468	msedge.exe	86
PID 1468 wrote to memory of 1156	1468	msedge.exe	86
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87
PID 1468 wrote to memory of 4948	1468	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload.com%2Ffile%2FutDNccNtzpw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd99e846f8,0x7ffd99e84708,0x7ffd99e84718
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,588868046807597822,18163902047621130625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
1⤵
PID:5516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chapostealer.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Users\Admin\Desktop\ChapoStealer\ChapoStealer.exe
"C:\Users\Admin\Desktop\ChapoStealer\ChapoStealer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmpfysiski3.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5936

C:\Users\Admin\Desktop\ChapoStealer\ChapoStealer.exe
"C:\Users\Admin\Desktop\ChapoStealer\ChapoStealer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmp1lw7v_3b.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
37KB

MD5
27eec7e8f48ac0d64e62ec535a19ed37

SHA1
0454ae16951154ff4d64dc2dd20f780b6da87ee8

SHA256
9107d29b79f5c0e9d7ac88f893e0afb7c672d536b2e41de469172c8b7366e3d0

SHA512
f93033661c1974d9225b7e05543d7efe62574567abf7bdbb982b36e5b0be658937a7128de10376f9e39c20a2d40688862fa0e76aa53b0b8c87b99ee536fbb175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
af73a83498e939379445066f4be6686b

SHA1
bd5fb87bbb126fd672ec96b3a17e85ef92f8bcdc

SHA256
680fce4f4484948006f144bbabcbbc43b898e82ffe80b1f36b2a381f48507585

SHA512
e923a671dd7b9f2a3ee90b93eda9ec5dad3e4084053cb6c0a2002f02a4fdb0706f9d5c1859a8c2495ba08c6d6f641ca77dcab41987d1da08f8c0395a9e5cdd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
51KB

MD5
f828ca0d0ec680be63a581fba298296d

SHA1
bb61b2164718524523e3c4a281e95e1b1040f93b

SHA256
1f3234206acee9523c49f7899a676d629942c45b6169c2e524e152be6eadae1a

SHA512
b8eb4b5d65b6d182ec287287207013a78ed0770ef37919f65fd4289e99b5288d18177ef9101588ea648f02892e1d8441e6f94554d42cc915163bae67f6dfd144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
31KB

MD5
8e9469cac7c307f308503576c1fe387d

SHA1
aadb8a8dcea41e44c5ff043dd0708edc95b627fc

SHA256
e9baaf6f504519308c2b752172f0c7c71e95f4fd7544419bbbd41f55171b512b

SHA512
af3299260dbf83c829144f9c80e8337133e52e0814d3cedb28fb978a95eef30ccb48664ab2acad66e6fa3d409497c5d2eff95aca70025073bb5dd02a38cfccc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
20KB

MD5
631c4ff7d6e4024e5bdf8eb9fc2a2bcb

SHA1
c59d67b2bb027b438d05bd7c3ad9214393ef51c6

SHA256
27ccc7fad443790d6f9dc6fbb217fc2bc6e12f6a88e010e76d58cc33e1e99c82

SHA512
12517b3522fcc96cfafc031903de605609f91232a965d92473be5c1e7fc9ad4b1a46fa38c554e0613f0b1cfb02fd0a14122eaf77a0bbf3a06bd5868d31d0160e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fc17f780ad905ed4093f9b7bfce18655

SHA1
041a9b55a3b21564a431e4aa76268ebd519a6076

SHA256
6eaf1658a69477ce242aefcb69c02bee24da750d89212b7b017d5c4dd0f92350

SHA512
969d2707af5c62cd02b2a8b39b973f4464fca62df2c15fb7c9af983ef3a03fd182ba05164f4d200fed20f96c2fe63d4d5af455879dcc6671f8dd94d269bb1b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f4fe5dcf87f1a0a5881c033c92b03443

SHA1
854933eb4f1c09e8192fb9e0f7fba822e6985e6a

SHA256
544e5fafcefd69c8077dc5300fc869b5ff5a23d6b2eb27a9beffc00f2312087e

SHA512
240110901336351287a92dc7d1e3cf2833f0781ddf3fb4427fba2296c067882d3d2693dd266ad64a5d561feac6774f92efc5aa7cb089165c6690488d39bb2974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9629f7ee454796dc75cbfb4cbc4f2acf

SHA1
dfb2df42aa2e26dd75cfc2818429e6d90a2e02ce

SHA256
95f5c6b712a38a094ab5ebbbd294b73c1bf22ebaccf36a45811282659c8b952f

SHA512
17052aa68efbe0c842c20fa852ca1055315cb765909adfce8cfaa9e19edcc0d0760cda99d203fc23d2dc4b89a483bcd4fd09177d44c84ee8a700a4b58a7f066a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0438fc6c92c9db75c4cc39b65e4ec4a1

SHA1
d6cac0bd845293b3f14cdc1ddbdef5e113f02be6

SHA256
38697ff8c71c20705ea7039a5e246449f443a8b13d885eb9db4949cdbeb339d5

SHA512
492df8a4d67ecac263b1044c51b48650fb94dcc0ee0e33c9119621d854d4397a288c1b1fbf80131bf2c3998ba83fdb15dc7ff1bdcb246ca8b3410f68dd99f1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d46b489a6360dea913b3a1ca431e218b

SHA1
75d4e94c8b14744a7c00d4c2a88affafa58f9b2f

SHA256
2951bd5f8533f63d26836d6962baaf5a1af56c86df1bb52d6f1223935097f6e1

SHA512
eac273c94801827f74ac12662bbddb37e9c70b32ccda40d7b9b339bf03f033e79346ffcbba831796df56ccbd66382848fb392542c46c40b90341d83df3df0624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
63d8fe428b1f6fd33c15d5b7ab3b99cb

SHA1
523bc1810fff263cc6f3d526b543893534820c86

SHA256
7ddb1b535712654dbe9094d714d5c634c8a6ec43c1d437ce023e6757998f2326

SHA512
4d9a639675ec5de0016ecae03d7edd888d05c295eb375b2af397e80ad275c1e60949f5dbe915d29cadfea46b0b5f1b7902375e6a754d4dda2d78ad246bdafea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ec25433037a6db4b64b51c84fb564406

SHA1
564af99011918a750ea6c3529c44263a74c893bf

SHA256
a1cdc7d2c62df2dce9210e58a172880aa49255e5c9242089a135d6f9ce2e33ca

SHA512
412007ffd76ee3df10903cdfba1105f7f0c6d47b06e481825ab3277b6e6542db27c05717709c0be5097027dcb956ea635983ea61c8d9e8342a8bacabf0c7c450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
422bd856a66b41991910e0d60be0664b

SHA1
9bac953281066adc189658b66b87728392560110

SHA256
104487bf47a8680001fb35c0f2a784be592ed03569a2793950d82826f298dbad

SHA512
38b1feffc2de415ded6283422bc50341a95e88531923641d3cf73484b73f1ccac7d4b245280321cab9285b3fce2c7ac7c84ff948e1fc060949ebcea0880c6ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580068.TMP

Filesize
372B

MD5
4c3765618d2da58c25cbdc0ef3ea82ad

SHA1
d4fd108e97d8dfdfca459af1d4552eb6144c5893

SHA256
7f0082d00e1ae4f73dac9445267e274331c997ea592f0e7971a7c269ac29ff4e

SHA512
5373561e8137daeccec5b38cdcc76b37f36eee34ec0a79b35573d3720618b3f4431fdf3cc484144ef3f44f2bcd14e69834095aa1460779e883c2714efd1d48dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ee31409f-65e2-4a0a-becd-d27ef8424dc2.tmp

Filesize
8KB

MD5
3a6c96e238fb2dbd1a1c90005dc55134

SHA1
470381b1db877ed17d76dff4f392d6a0f7836365

SHA256
a2ea85900e55a83e1992e2a7ccb05641dc3ed095e00ce74c3e828385edc4b7da

SHA512
17dda2423cfba2de1c04a98a9d25f6d14196f3d02d2887618d3a181b8e14bbb592a7805a7c992b77fac68c5c2b30aaa4d2062f74554d3df6c99de3b21459d2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcf8b3fc93b0d3154b2e4d24cdfc0550

SHA1
1e8ae01f9be7861ff2796a5cac00e644ba975f53

SHA256
22e5e083f1e5d3d4359c4d3b5dd724406d6dae8b67ab30353dc1218bcc3e7531

SHA512
9736e764fc9ed243cdbbf37597555b3f6b191714d363e2785367115a22273da2cc837ab67414ebc3bbc873c1fb5c82503734bffe6b3173701e099209c3e2baac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd703e536b887d40e04b9e3795639dba

SHA1
3146ef5e948fc3eab049b6fe7766a801666d9c75

SHA256
bf0d3a6aebd34be348261f8606283afe8ccf891950d6bcd0935a348ee0777d76

SHA512
0501f73da7f53db63595daba8d9bb4f1314640601f9f94afd0f41db01d2204e626e7b4dc80362f9bb0d9fc878368c9613077879db8c36a00de054f975dafdfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c879f9eb52fa34b5f1963e9e9de71ec6

SHA1
1153e55f79a85b75d8a25af34b01b3f37cd6353e

SHA256
ef410a585bbd100041fe0442ec0b1d96a462dc552577fb8adb44d04b0e887bff

SHA512
17d6ba7b2be2836d39a108f5a2c1e6486b67717087253d2ce4c17f5f7dd3785bd513e14f0eb63a7dbc03d668aa50c56287e749ed9a091f27b5fe544f7c7ddd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FD27B39\ChapoStealer\lib\PIL\_webp.pyi

Filesize
66B

MD5
e82ce1a659755bafda7bc3e0e2d1b814

SHA1
7f0b9ccdf21682246966759e4006b013c26503dc

SHA256
cc3f2f0283c2f1a1085637dc90bb45b24456e6c6a255e977fac254036a476867

SHA512
a63ea8c91c8843f16bd7163ce1c570e8708ec5bbda66381cacdd53a53d8e9bf2e4cb475aa957c3c603ee9d9ce7427b137e5d5a188d1953a6ed0b496d23a3a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1hdraze.k0h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\ChapoStealer.exe

Filesize
19KB

MD5
bd1ee151914cea0bbf3569d053e371d3

SHA1
565c071070319aefd97e256f7c4bb1e379065f46

SHA256
96fc357072448048c39fe44574e50c5212c02ac5e420b9b1b6cc072862d9fbf9

SHA512
092e90fb83bec6af753de2f8a2acb02b24ed3e6f632fd7e00a735a54b8737cfbf7142d4f163af974e9ef84afe33873cab59ea01362c226c2e570080860d38b7f

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\collections\__init__.pyc

Filesize
71KB

MD5
77f61887b0da347a2a0c37dd96eb8cd6

SHA1
277d49db9a53b751e43adad2da4f5750003c1661

SHA256
282418cf95470d247243c1fe98118b00513b91b82f8922ab38f65ca6394d6021

SHA512
bedffd298aefd2e376340d2580b8ddfbc9013f5bfde04eab30f790755aa3d901e511f48f4e8aebad54b4878cfe9935c4a705c7900b688e407faa75be12010aba

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\collections\abc.pyc

Filesize
286B

MD5
fffe5bb945c05c00d61076ab93a6c0a0

SHA1
678e5221d654ebab6bacf840efaef3af8d2a9e55

SHA256
f443262b0f520547de798b52a9e81ded24615676ee41008c74973920d5fd81f2

SHA512
ed80ee7e38a91d16400bf9663fe9bf7f67a4622f85e614513aa31ccfc053c75339f814635a29f00fd86f214e763581d2d829ce2c89ee8f4d31a48c6f1f757510

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\encodings\__init__.pyc

Filesize
5KB

MD5
6bfd0ef39bbe4bd3f2dba24cbf81053b

SHA1
d99591cc86cb88caf5179c30e2a11a378d135c67

SHA256
8759ba0fbf62b5cca40301d92437c3dc4fb1b33db1528719a48284ea6780ae4b

SHA512
ae939da53c42c6db58771389028b34355b6f0ac1f69a3856a48e0cdcdd53ac08886d118eea5d4697e54a709eca559edee371966dc30714314870e9e99662a594

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\encodings\aliases.pyc

Filesize
12KB

MD5
c48abaca13eaf401efb7e21e79faffca

SHA1
44ec6a22d0c601ca9dd38f46b4d6ee9b8c533d5b

SHA256
de6b328694fe23c8e67a4d8bdb82d97220c8cb3e2a751f978d00f537d9e619ab

SHA512
7a06699d1eaa963bc98179b29d1747836c94bf3ce708f535eab87d0cee4a82960507c64b108cfc755d8a05f2e70124c8437889f161c720d8d6a6b09201235420

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\encodings\cp1252.pyc

Filesize
3KB

MD5
cd7d2024b2946db784683e546b9b6fe1

SHA1
cf327bbabb108d00141ebd497264ce703270e095

SHA256
cfd17f3b0d4944a6e054bde8995c2f66110bd53a029760cc17a515f3c833ee2e

SHA512
af725ec82be83c869dbdda663511713b087a0f2a64bc4f80bbc2f858ad8bfdd9a424931e48b8d693dc019aebfec9af8a68c93f7106fa69c06beacc9394a8b087

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\encodings\utf_8.pyc

Filesize
2KB

MD5
4229a1cf6dbb373390675a9c85340db8

SHA1
7c54e7941e81915841ae86691664205ac1f2b5b4

SHA256
075c351da3b186e6aa88d0a09dd860c036c924284209c36f0929ec092c262098

SHA512
35c0b8912a6a8263c849fca0270e6080e2300d851addc872b468dc878f23f4ef2a287def1373a690259495bb22a87ad4af3368e5e8d783ca4cd2c0081ca6bb1a

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\importlib\__init__.pyc

Filesize
4KB

MD5
94d335efd2dde10899fd1c1e4af6f7fd

SHA1
4e9d9301732f174c0bec8798b659b8decb3a316c

SHA256
f212323ab8e19de51f55bc0fd1aafe1746d91ee8e245d291a3f26b22140c8690

SHA512
0617b0dc2667e9c0fc7ff73f4a99354f6a87c0529211a6f3a5ef466520329229d60a74730ec2ca8bfcbff555a8b4ce805c3077669faef009c7ba28afb111e304

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\importlib\_abc.pyc

Filesize
1KB

MD5
c040e2fbfc8333b0225a405a2603ea30

SHA1
df298b13cf51c2bf0c4e8d18d62630441dbe8675

SHA256
00655325fa9941a223bcae7bb6baef6a1a1333a1438c5b5ab999922cb2741e4d

SHA512
4b155fafbab0a9ecd11a9a34f8400f0e2b0a2a8a8b8fcb1296845289e34332a81232a9269796a3789e6008267df8c2606abbe6298b7e530be3e1c1ccb9140d77

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\library.dat

Filesize
11B

MD5
12d737558481ffdec6d9fc90f1c64e10

SHA1
2d99fd826f22325c6715a6b9fabc64ffa56ba7c9

SHA256
1794a90e19985ee2dee89f9bdffac8dcb3676e2555db9469384493d14708aed5

SHA512
2c62c69718a41d011cb9a0bc436e874f967e4174094802e13142eaba4967e61a76ba06eeb3c6b4dd8c76dc4c41df6bd1e4397143f94aad03cc534d3084ee32d8

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\library.zip

Filesize
2.2MB

MD5
57b60fd635bbd54c3bbe9ffc80f02c59

SHA1
ec6048d0f3c1ff9efe995df429f7e5fbb69a24ad

SHA256
123d7b038623b15db38a05b75245a55d4e4cff9227cc6d38d5db2f6f1cc6abf6

SHA512
747c3ba52d02828bb186175dd25697f40dc27790c4f589becf2487975da9f0219824489a13de90bb6ed100f29ef1ea4405e9dc8504ac553bcefa3d4f7aec200c

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\re\__init__.pyc

Filesize
17KB

MD5
f5473007a1ae246caba82d33b7832ea4

SHA1
8cc42cee206cdc7d684bdd4710ca6e9271fce1f3

SHA256
16155a8b4f17372eda5e1406b32706b814345c2f121f2e538279253da9ee8049

SHA512
190b56dc6b6973118005095c7e20b512c496c2c24b35da82b14e9a6978bfef2f25d581d41d8a533fd10b17a911eed50fba37f2f74ab7550a6939ea60089f0929

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\re\_casefix.pyc

Filesize
1KB

MD5
0439e73fd069438465960740a335f829

SHA1
95972cf835c58bcbe254bcdd3bd95b4d16a70990

SHA256
69d20701a208d765cb3cd51d10b47339e75cb137c09898bd324964c64d1c0b39

SHA512
a69e73337fd669cbb7e9c68652b7c96c9c2eb8ccde95abbb872669a629e9b0651d5d1bd43da43d39bfb3c9039dbfddb6b9b5772b74d01527340bb5946fce474d

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\re\_compiler.pyc

Filesize
25KB

MD5
a54d70dc8890f157527173bde3668892

SHA1
9e528755b9b9be5749ba2f3c026c7c24e824b8ca

SHA256
66583359a8132cdf1757596367450296506847e8e00e01665691fe2001b42071

SHA512
2b6ad195ca52b287c3674685cef7da0b2e967fcd7dfa1da388d990d349d677e3eff193e84995448074ad1302982b24d45035c2e8928ef9ad9220b537951a3d6f

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\re\_constants.pyc

Filesize
5KB

MD5
e8cedfcb9cea0a73aeed59e1d940c2d4

SHA1
5b1a8d4e16ab39cc6546afa62f3c97da6accaad6

SHA256
091a8a9d088541867973901a0f5dd4222595543f8110b3a299d74d49ada44c9b

SHA512
7a0511597197bf8e77e386f7a76c69ba62446f5812c035533234c1dede55923cb584f0d5f1ce9429e574d4c8ac9bc8560fafa2d96e08f6cc6c16a01d0664b130

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\re\_parser.pyc

Filesize
41KB

MD5
d6450bf5a829704fb0846fb8b3fe191e

SHA1
f33d5802834fa48fcda12d2f6b532135cfcfa238

SHA256
81d3400b54535dfbadcfed1e087c6a8df80b771ff5edbd7d9c6fa297b120764b

SHA512
16218b15b7f81e6fb4242b38d99dfa0334067759a3164bf22fee78a84ccfce6271066dd8c119ea29a856f4f373fa0684031b1af43c8964bd70d1b29b0c931c7b

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\lib\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\Desktop\ChapoStealer\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\Downloads\Chapostealer.zip

Filesize
46.9MB

MD5
f0d46fd169aaeb6dae7c00248c4cf42c

SHA1
ea7fb5067e41374275fc8b56265a417790982e8d

SHA256
992ea669a6cd51aaaebb3ad111d9afa27dcf45876109cb4ffa8ca35ae6494023

SHA512
332f807f7eecd675b0772e09b2883c6440fb77a0e3d8c4ff99d0d1a132fdeaa3ec49a7cac1d1ff0a9fc32eadd4dbe3f858def3af91cc2ca4be0864aa8114dc15

Download Submit
memory/5936-7022-0x000001A3B6C70000-0x000001A3B6C92000-memory.dmp

Filesize
136KB

Download