hxxps://www[.]youtube[.]com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload[.]com%2Ffile%2FutDNccNtzpw

Resubmissions

10-08-2024 16:14

240810-tp4bfsxbqr 10

10-08-2024 16:09

240810-tl9zts1cpe 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload.com%2Ffile%2FutDNccNtzpw

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
165	6104	powershell.exe
178	7016	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
6104	powershell.exe
7016	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2604	ChapoStealer.exe
6920	ChapoStealer.exe

Loads dropped DLL 24 IoCs

pid	Process
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
2604	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe
6920	ChapoStealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
4116	msedge.exe
4116	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
5980	msedge.exe
5980	msedge.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
7016	powershell.exe
7016	powershell.exe
7016	powershell.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5448	7zG.exe
Token: 35	5448	7zG.exe
Token: SeSecurityPrivilege	5448	7zG.exe
Token: SeSecurityPrivilege	5448	7zG.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	7016	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4588	4116	msedge.exe	85
PID 4116 wrote to memory of 4588	4116	msedge.exe	85
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 100	4116	msedge.exe	86
PID 4116 wrote to memory of 1188	4116	msedge.exe	87
PID 4116 wrote to memory of 1188	4116	msedge.exe	87
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88
PID 4116 wrote to memory of 4936	4116	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbm5LeEFZc1c5Q2JCVHducmVxRFRIQUhyZmxmUXxBQ3Jtc0tud0FtR20zeHQ5U0QzZnA5aDBJYTFDM0pndFV1aFVyb3hBUjR6UF8xdXJ5VGtYYklLdk9yakF2NFBBSWtjUkRERGhIMUplR0RQMTY0eU5iQ3Nyc2tTYllFQTVqd0ZjUTJ6ZWxzcW0xX01CeHFKbGF3Zw&q=https%3A%2F%2Fworkupload.com%2Ffile%2FutDNccNtzpw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8156b46f8,0x7ff8156b4708,0x7ff8156b4718
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4619202626970231574,15483756869098229590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x31c
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13163:86:7zEvent19960
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5448

C:\Users\Admin\Downloads\ChapoStealer\ChapoStealer.exe
"C:\Users\Admin\Downloads\ChapoStealer\ChapoStealer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmpo4t9_ihh.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6104

C:\Users\Admin\Downloads\ChapoStealer\ChapoStealer.exe
"C:\Users\Admin\Downloads\ChapoStealer\ChapoStealer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmpv4e6b43p.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://appdata/
1⤵
PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8156b46f8,0x7ff8156b4708,0x7ff8156b4718
  2⤵
  PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
37KB

MD5
27eec7e8f48ac0d64e62ec535a19ed37

SHA1
0454ae16951154ff4d64dc2dd20f780b6da87ee8

SHA256
9107d29b79f5c0e9d7ac88f893e0afb7c672d536b2e41de469172c8b7366e3d0

SHA512
f93033661c1974d9225b7e05543d7efe62574567abf7bdbb982b36e5b0be658937a7128de10376f9e39c20a2d40688862fa0e76aa53b0b8c87b99ee536fbb175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
6facc79f6cd8bf7faabef4e10c0378e3

SHA1
d6f21d215eb457509b8dee6c13b1ec4e25fd3b6c

SHA256
94519548151f8ef04815e1f02bb807f9430b31a2259ac1a6f8e27f05c13ac0ed

SHA512
79ab3c5e93f14bc6c16a6140f43f45c5daefa1047531bef1ebe4be2d385f098ee4a711f9a7c7e6077c05be4e760157c10feaa34bf8cf06c263b2435b5f2da37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
af73a83498e939379445066f4be6686b

SHA1
bd5fb87bbb126fd672ec96b3a17e85ef92f8bcdc

SHA256
680fce4f4484948006f144bbabcbbc43b898e82ffe80b1f36b2a381f48507585

SHA512
e923a671dd7b9f2a3ee90b93eda9ec5dad3e4084053cb6c0a2002f02a4fdb0706f9d5c1859a8c2495ba08c6d6f641ca77dcab41987d1da08f8c0395a9e5cdd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
51KB

MD5
157aaf317174a31b85afebdfe02b05b0

SHA1
79ff5e65841c0be435d6acc7e8b782803bc84b6f

SHA256
fd856b95331fe964fab7ff8e9bbe858a63711a59d88cd3aaa3a22c15f44e76e9

SHA512
b8afafedb0f24145bb535a17ba292dc7d346a57c759edf6d6c5498966537cde91066f14cab8a7d76d62cd9875a04aaf2c796a7af431863fc6046a08b67647201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
31KB

MD5
5675e5c9af2afa2ae9eedd2ed7b80ff8

SHA1
4a278697d26fe7faba55b8c5e5960e249015cfc8

SHA256
cc3fadfc31fac7ff8a5335a32d1ccc93230ea9a1f53329e15ab73dbe8e7c6f43

SHA512
1990d5e0068fd0508d2a8a441a36f696a8c3885310983745ab115dfd5f74e2fe52139c190b3b62feed71b633f1e80ec3045636714e3a043eb92335ea04886d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
29KB

MD5
69b2ce9696ad743a596123aa4aa8c713

SHA1
35c69e073ddfdb490a2cd5690950b2fe79de24a7

SHA256
baeee419a874403ee92b09c0fdda4416f3063da95f6ff1aff1578724c77d8230

SHA512
e95cce403430b7422d15cb6fc3e9d120eeeb4f1c5f5a3a1a0d9d4629b59b038cc0033bbb6153d2645bc5d4b96e3d00ca55642d48ce793263387f6ae941057395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
142KB

MD5
9f2d6f72b76a230c0cf4f135e2e06131

SHA1
11c2af326dd9304847e32951b5bd7828a821bfdf

SHA256
caf9f10fb4d13cb3d28b1d1f80af7204a7b6144b651106c05cd3f0700455c90e

SHA512
4eda2d4f653f067f567ea41c29c393a1fc3870358f5b91b31838c445ff08cf5c3a7aac9957fe16244c08244264f9c5a4eeba9433d124d70c2298e37fe34df956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
147KB

MD5
2ffa40a18e79cdc8e4de8109a647f37c

SHA1
9b663751e7ef29ee8a46e40c565e47f02bd60779

SHA256
d40c5f48fe21a5206cfdd42cae37a74cf2d23f1f9e54925e7d33d3acb0df246b

SHA512
e816903ac4ea642991caa2126b743f7009b221d99d80f4516a953c8bb9ac208ed58a7c1c99c78ef7685e43eb7ce3362dd416176ddf73ae4c920047822d18f061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
20KB

MD5
631c4ff7d6e4024e5bdf8eb9fc2a2bcb

SHA1
c59d67b2bb027b438d05bd7c3ad9214393ef51c6

SHA256
27ccc7fad443790d6f9dc6fbb217fc2bc6e12f6a88e010e76d58cc33e1e99c82

SHA512
12517b3522fcc96cfafc031903de605609f91232a965d92473be5c1e7fc9ad4b1a46fa38c554e0613f0b1cfb02fd0a14122eaf77a0bbf3a06bd5868d31d0160e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
862a06e64c71917d4033eba921e6d322

SHA1
f50d16e866c041ae4c3b35ed02c360507eccae2b

SHA256
f3ad5babc1761e1a5c2bd1ef2649b60ea22cafc77a7d8275dccabc305f13ba39

SHA512
11860d5d028c58dd632af38e79da59d6b7967b1204be39a0ff298013d33a4d827503381efa13f76a8c25fb0a9cd77aa552e53d9b73b167f38faa715936716023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2b3f808dc99655b13ecb261f03c73d19

SHA1
117dfa92a7187a3dc0726f564079e3db4122f3e7

SHA256
0f29269ab444ce4949efab1c8e39695eb8d22cf5653b6285e3d9ceb4066b69f2

SHA512
1a596dda0cae118a738c392263b291622186062dc086619c45b3856e1518f9f892984a78d55935a2ebd6b0aa973274210c999139fbbbe2498c779e8d445e99ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
06e848bdbe743b092798f636d7b861a8

SHA1
7fb69f323cd8cae53da1a0a7e25fbe1dd9d18024

SHA256
faa574061bef6df7a8a66af1394b4d485d364e6f1894abb2535bc1dac29c6827

SHA512
67513d1bd4c51faa38af6acdac185544ccfd5b8b1964b4a0fe4ad1394eb88b2036145d3a13f726be253933770b2a87c8d344a1fc70961a3edc37dd3b9e12990e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a25cd5a0b68e7ac4d61ba227e621b64b

SHA1
873b2f44914898e7c241404a27e13613cfff2960

SHA256
c2367bd07de1ebe907ddde646a3c49d38eb66145bf885816e57feab587a6c39a

SHA512
303ddf0fe4eef3a08deeb72faea7eeb9f5d4710b0d3880069302e0adf788419681912dc535f84eba69f0d866ed8f4cd51c75dc2576f0d7b2e0fc12190fbcdf6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f08ffd84a9c9e356f54327dd8d6dbb7c

SHA1
e368c8e27f01eb64eab050848fcd6605bb395cf2

SHA256
36563c2956bc87b4472f59f4150d370ba356e9198d605a24ad6fa6ceecf7f647

SHA512
4fb87e9d6fde396ca4a4e988e6bdd8badeb62cd9952859942c794685b83be59fbfd51fae844b1b5fe28dba6cc8effe125fc28d2f86832fc3b6bac95bcd5f69eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e70137506442e7545b0275f818977c62

SHA1
4701008b91c4e205ce7efcb4b929ed7c9e0cacb5

SHA256
6d09630648507fe1c4f5d63e187a7f9094a64c0a312d75e99fb52252161dcac7

SHA512
f0794e95478ff662c183bb060ec5f69bf9e0b30b4eb353e581699feebdd28077d651243f716e082a4b10ca3d63005e898bfda7ef780fad376336cb7d0801e4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
df4767477dc81cfbc6e076f6c0157004

SHA1
bba17a7fc0095b653b08f3405bc83604e5074b55

SHA256
885110b04519b14fe690df9f3d7e58ce599158169889d0b760e5bcb20b2e9b57

SHA512
5ec26f91991f65e4149d7cdb6a93e0ae27d1fdd5a4c8aeeaed6caeed8a7245c0264148708daf25bd1b0345b86cd7729f210667e819b466631272b6331823754b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
2840bc19e93572a309fbedcddf961f91

SHA1
7be3349823c330666ce142e1d91686d968291fd2

SHA256
4cdd03dac088ff81f1d96ce0e0997bef45226f70dc7bd427be314033c85a2d8e

SHA512
190fe017ccf5c47b53841bc4bcbe0d90893a6fa59082339907f81afe87da202b1c1442d45a6667c5f3f0b7c314c5eaca7b9e7f16e5a4b3d25fba232fcb375a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5814cb.TMP

Filesize
372B

MD5
a19c523d05ee95f257a177275288c8a3

SHA1
5cda7d63e832d880c78fa2ecc39318ef52afb8ed

SHA256
2c1ba1106c5bdfcb43f14a937610d45658a5fa7612d95bf773a78404c15453e5

SHA512
9000fc9b98e857ac641acbaf39153e3fdf34a621ee2c5cc7a20dbe92629794dacb87f2b9e10a9aa8caeaf83ed4635b9345218ba7e2eca3396492f0f6c017afd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f80180d07f772c10aeffb1283e46fdd4

SHA1
f9cd269bd1a3a2c441a7a29cde25e0184fa5780e

SHA256
b46ebdd1d286f41e1c4fdcac15f10262632c33054f16a431dd14318f9cf667e6

SHA512
8fe841f19647d013b0be3a2b5e92433e7aeee79259071a9a24e8640dfff122cf5a216a35c1fc74aa2e0f2a8d6959d67a0aa0b5aa504b4f93e9f25041946355ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae34e12083d8e9c4d3f80445c53a59e7

SHA1
f3e1c08b2b2f005b3bf87178a1b893ed6a640772

SHA256
3441a8b13933fa7cf3006de235fc0d983443d22c58133c66db2584e65af115d8

SHA512
b80b3fbd3aa66a978d24641f856a761b74d52cf48f6e3b48086866991c5d4868ce9a06a762256cabc6efb88c53e60ca91df0348617735d05e8a441fee52c027c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe2ee3e8aff15a0e48b7267195ee9592

SHA1
0c94e9eb57ca68c51b6bed3fd838dd776de4c309

SHA256
b380cd4255a4551fd9a663d769900c591392adbd65262e9e52aae9a83d484463

SHA512
526c2152be1d2967a74ab06781f325e930990e362cfc3d2e53ec5b7ffb054a3054b1643e484f4c5d3eb1d7d6c7371870836419df120c6fe776ff725940db1b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_old2bzan.kse.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\ChapoStealer.exe

Filesize
19KB

MD5
bd1ee151914cea0bbf3569d053e371d3

SHA1
565c071070319aefd97e256f7c4bb1e379065f46

SHA256
96fc357072448048c39fe44574e50c5212c02ac5e420b9b1b6cc072862d9fbf9

SHA512
092e90fb83bec6af753de2f8a2acb02b24ed3e6f632fd7e00a735a54b8737cfbf7142d4f163af974e9ef84afe33873cab59ea01362c226c2e570080860d38b7f

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\PIL\_webp.pyi

Filesize
66B

MD5
e82ce1a659755bafda7bc3e0e2d1b814

SHA1
7f0b9ccdf21682246966759e4006b013c26503dc

SHA256
cc3f2f0283c2f1a1085637dc90bb45b24456e6c6a255e977fac254036a476867

SHA512
a63ea8c91c8843f16bd7163ce1c570e8708ec5bbda66381cacdd53a53d8e9bf2e4cb475aa957c3c603ee9d9ce7427b137e5d5a188d1953a6ed0b496d23a3a034

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\collections\__init__.pyc

Filesize
71KB

MD5
77f61887b0da347a2a0c37dd96eb8cd6

SHA1
277d49db9a53b751e43adad2da4f5750003c1661

SHA256
282418cf95470d247243c1fe98118b00513b91b82f8922ab38f65ca6394d6021

SHA512
bedffd298aefd2e376340d2580b8ddfbc9013f5bfde04eab30f790755aa3d901e511f48f4e8aebad54b4878cfe9935c4a705c7900b688e407faa75be12010aba

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\collections\abc.pyc

Filesize
286B

MD5
fffe5bb945c05c00d61076ab93a6c0a0

SHA1
678e5221d654ebab6bacf840efaef3af8d2a9e55

SHA256
f443262b0f520547de798b52a9e81ded24615676ee41008c74973920d5fd81f2

SHA512
ed80ee7e38a91d16400bf9663fe9bf7f67a4622f85e614513aa31ccfc053c75339f814635a29f00fd86f214e763581d2d829ce2c89ee8f4d31a48c6f1f757510

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\ctypes\__init__.pyc

Filesize
22KB

MD5
65e8f88b2eed051602ab45bf55e9d801

SHA1
a625893b98712fba3fcc823e7e81ed4de54c73b1

SHA256
87322c9ab2912f5c5495ba84a9dc409e6e0a44bf4e0691c31d9fbe694d388283

SHA512
7cb6b22badbdebb78ebf80ae64c919167c14986516992b4e137b29e1cd3819a2f2a4aad19ca3d57190e4e342d5f128a8e60b6269eb09b89150de2caee359e62a

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\ctypes\_endian.pyc

Filesize
3KB

MD5
1e313e504a3ee89b5341901d68be6b2a

SHA1
f964ccb317d5af126f774cb786317f7a5525cef2

SHA256
737bc19eec2a2ce6dd0d0e53ac663c866fcf240c669a41b2d3da93a96418258b

SHA512
8d98e40392c3270f927baae2deafa4867a1339c77fd5915f6b1e81039fea21b2fcd82822e825744f7746be56fc2dfd07c7c0e463247e2900c1787880181221a7

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\encodings\__init__.pyc

Filesize
5KB

MD5
6bfd0ef39bbe4bd3f2dba24cbf81053b

SHA1
d99591cc86cb88caf5179c30e2a11a378d135c67

SHA256
8759ba0fbf62b5cca40301d92437c3dc4fb1b33db1528719a48284ea6780ae4b

SHA512
ae939da53c42c6db58771389028b34355b6f0ac1f69a3856a48e0cdcdd53ac08886d118eea5d4697e54a709eca559edee371966dc30714314870e9e99662a594

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\encodings\aliases.pyc

Filesize
12KB

MD5
c48abaca13eaf401efb7e21e79faffca

SHA1
44ec6a22d0c601ca9dd38f46b4d6ee9b8c533d5b

SHA256
de6b328694fe23c8e67a4d8bdb82d97220c8cb3e2a751f978d00f537d9e619ab

SHA512
7a06699d1eaa963bc98179b29d1747836c94bf3ce708f535eab87d0cee4a82960507c64b108cfc755d8a05f2e70124c8437889f161c720d8d6a6b09201235420

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\encodings\cp1252.pyc

Filesize
3KB

MD5
cd7d2024b2946db784683e546b9b6fe1

SHA1
cf327bbabb108d00141ebd497264ce703270e095

SHA256
cfd17f3b0d4944a6e054bde8995c2f66110bd53a029760cc17a515f3c833ee2e

SHA512
af725ec82be83c869dbdda663511713b087a0f2a64bc4f80bbc2f858ad8bfdd9a424931e48b8d693dc019aebfec9af8a68c93f7106fa69c06beacc9394a8b087

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\encodings\utf_8.pyc

Filesize
2KB

MD5
4229a1cf6dbb373390675a9c85340db8

SHA1
7c54e7941e81915841ae86691664205ac1f2b5b4

SHA256
075c351da3b186e6aa88d0a09dd860c036c924284209c36f0929ec092c262098

SHA512
35c0b8912a6a8263c849fca0270e6080e2300d851addc872b468dc878f23f4ef2a287def1373a690259495bb22a87ad4af3368e5e8d783ca4cd2c0081ca6bb1a

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\importlib\__init__.pyc

Filesize
4KB

MD5
94d335efd2dde10899fd1c1e4af6f7fd

SHA1
4e9d9301732f174c0bec8798b659b8decb3a316c

SHA256
f212323ab8e19de51f55bc0fd1aafe1746d91ee8e245d291a3f26b22140c8690

SHA512
0617b0dc2667e9c0fc7ff73f4a99354f6a87c0529211a6f3a5ef466520329229d60a74730ec2ca8bfcbff555a8b4ce805c3077669faef009c7ba28afb111e304

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\importlib\_abc.pyc

Filesize
1KB

MD5
c040e2fbfc8333b0225a405a2603ea30

SHA1
df298b13cf51c2bf0c4e8d18d62630441dbe8675

SHA256
00655325fa9941a223bcae7bb6baef6a1a1333a1438c5b5ab999922cb2741e4d

SHA512
4b155fafbab0a9ecd11a9a34f8400f0e2b0a2a8a8b8fcb1296845289e34332a81232a9269796a3789e6008267df8c2606abbe6298b7e530be3e1c1ccb9140d77

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\library.dat

Filesize
11B

MD5
12d737558481ffdec6d9fc90f1c64e10

SHA1
2d99fd826f22325c6715a6b9fabc64ffa56ba7c9

SHA256
1794a90e19985ee2dee89f9bdffac8dcb3676e2555db9469384493d14708aed5

SHA512
2c62c69718a41d011cb9a0bc436e874f967e4174094802e13142eaba4967e61a76ba06eeb3c6b4dd8c76dc4c41df6bd1e4397143f94aad03cc534d3084ee32d8

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\library.zip

Filesize
2.2MB

MD5
57b60fd635bbd54c3bbe9ffc80f02c59

SHA1
ec6048d0f3c1ff9efe995df429f7e5fbb69a24ad

SHA256
123d7b038623b15db38a05b75245a55d4e4cff9227cc6d38d5db2f6f1cc6abf6

SHA512
747c3ba52d02828bb186175dd25697f40dc27790c4f589becf2487975da9f0219824489a13de90bb6ed100f29ef1ea4405e9dc8504ac553bcefa3d4f7aec200c

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\re\__init__.pyc

Filesize
17KB

MD5
f5473007a1ae246caba82d33b7832ea4

SHA1
8cc42cee206cdc7d684bdd4710ca6e9271fce1f3

SHA256
16155a8b4f17372eda5e1406b32706b814345c2f121f2e538279253da9ee8049

SHA512
190b56dc6b6973118005095c7e20b512c496c2c24b35da82b14e9a6978bfef2f25d581d41d8a533fd10b17a911eed50fba37f2f74ab7550a6939ea60089f0929

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\re\_casefix.pyc

Filesize
1KB

MD5
0439e73fd069438465960740a335f829

SHA1
95972cf835c58bcbe254bcdd3bd95b4d16a70990

SHA256
69d20701a208d765cb3cd51d10b47339e75cb137c09898bd324964c64d1c0b39

SHA512
a69e73337fd669cbb7e9c68652b7c96c9c2eb8ccde95abbb872669a629e9b0651d5d1bd43da43d39bfb3c9039dbfddb6b9b5772b74d01527340bb5946fce474d

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\re\_compiler.pyc

Filesize
25KB

MD5
a54d70dc8890f157527173bde3668892

SHA1
9e528755b9b9be5749ba2f3c026c7c24e824b8ca

SHA256
66583359a8132cdf1757596367450296506847e8e00e01665691fe2001b42071

SHA512
2b6ad195ca52b287c3674685cef7da0b2e967fcd7dfa1da388d990d349d677e3eff193e84995448074ad1302982b24d45035c2e8928ef9ad9220b537951a3d6f

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\re\_constants.pyc

Filesize
5KB

MD5
e8cedfcb9cea0a73aeed59e1d940c2d4

SHA1
5b1a8d4e16ab39cc6546afa62f3c97da6accaad6

SHA256
091a8a9d088541867973901a0f5dd4222595543f8110b3a299d74d49ada44c9b

SHA512
7a0511597197bf8e77e386f7a76c69ba62446f5812c035533234c1dede55923cb584f0d5f1ce9429e574d4c8ac9bc8560fafa2d96e08f6cc6c16a01d0664b130

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\lib\re\_parser.pyc

Filesize
41KB

MD5
d6450bf5a829704fb0846fb8b3fe191e

SHA1
f33d5802834fa48fcda12d2f6b532135cfcfa238

SHA256
81d3400b54535dfbadcfed1e087c6a8df80b771ff5edbd7d9c6fa297b120764b

SHA512
16218b15b7f81e6fb4242b38d99dfa0334067759a3164bf22fee78a84ccfce6271066dd8c119ea29a856f4f373fa0684031b1af43c8964bd70d1b29b0c931c7b

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\Downloads\ChapoStealer\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\Downloads\Chapostealer.zip

Filesize
46.9MB

MD5
f0d46fd169aaeb6dae7c00248c4cf42c

SHA1
ea7fb5067e41374275fc8b56265a417790982e8d

SHA256
992ea669a6cd51aaaebb3ad111d9afa27dcf45876109cb4ffa8ca35ae6494023

SHA512
332f807f7eecd675b0772e09b2883c6440fb77a0e3d8c4ff99d0d1a132fdeaa3ec49a7cac1d1ff0a9fc32eadd4dbe3f858def3af91cc2ca4be0864aa8114dc15

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 864797.crdownload

Filesize
8.6MB

MD5
bc3a0bbf9ff7363c8d6eeaf58a22ae2c

SHA1
a373c31da23741a28baaffeaa6870bd62571976b

SHA256
40665ab4b1177d0e61a362a9f47d3cd79e0499505f93775e1dd81cfe70bd6988

SHA512
4767ffd40bbf3e6fe6523014ddfb13671eec0b416b98f6b5d5bf3d6dc890130d88b1c301440ddde6c7b6b520afa45679d2b8b1dbb12fb6411afcb097cf6cc8bf

Download Submit
memory/6104-7039-0x0000024BB66B0000-0x0000024BB66D2000-memory.dmp

Filesize
136KB

Download