quasar | 55c022e23bde36f465a1ac4e0c0558f4f6118a2df180c08ecd1afc1529d4c15f

Analysis

max time kernel
99s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vyper.exe
Size

3.1MB
MD5

bc8ff64cac1ae0bc4f1ae65075f6c26a
SHA1

11ce47e3f7a25add1ed9fd54ce25878106b82db9
SHA256

55c022e23bde36f465a1ac4e0c0558f4f6118a2df180c08ecd1afc1529d4c15f
SHA512

270b3b94fbfc734740907c303a2d4a4f0cf30d23d9e7a76c9535c80a92d427e20061c48e8eabfe523405058c75e79b9d10561e855fa06f0c02fef938641f17bd
SSDEEP

49152:eveI22SsaNYfdPBldt698dBcjHkfNlmGmzgsoGd2THHB72eh2NT:evT22SsaNYfdPBldt6+dBcjH8lmh

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

411db-59874.portmap.host:1333

Mutex

8d945983-5644-413f-bb5d-4f7a064e793c

Attributes

encryption_key
6382B85CDCFFEEDACE064DDD30D7729DCE176C73
install_name
Discord Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord Updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2072-1-0x0000000000D40000-0x0000000001064000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015fc4-6.dat	family_quasar
behavioral1/memory/2568-9-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar
behavioral1/memory/1596-288-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Discord Updater.exe

pid	Process
2568	Discord Updater.exe

Drops file in System32 directory 5 IoCs

Processes:

Vyper.exeDiscord Updater.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Vyper.exe
File opened for modification	C:\Windows\system32\SubDir\Discord Updater.exe	Discord Updater.exe
File opened for modification	C:\Windows\system32\SubDir	Discord Updater.exe
File created	C:\Windows\system32\SubDir\Discord Updater.exe	Vyper.exe
File opened for modification	C:\Windows\system32\SubDir\Discord Updater.exe	Vyper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2504	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2620	chrome.exe
2620	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

Vyper.exeDiscord Updater.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	2072	Vyper.exe
Token: SeDebugPrivilege	2568	Discord Updater.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

Discord Updater.exechrome.exe

pid	Process
2568	Discord Updater.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

Discord Updater.exechrome.exe

pid	Process
2568	Discord Updater.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Vyper.exeDiscord Updater.exechrome.exe

description	pid	Process	procid_target
PID 2072 wrote to memory of 2504	2072	Vyper.exe	30
PID 2072 wrote to memory of 2504	2072	Vyper.exe	30
PID 2072 wrote to memory of 2504	2072	Vyper.exe	30
PID 2072 wrote to memory of 2568	2072	Vyper.exe	32
PID 2072 wrote to memory of 2568	2072	Vyper.exe	32
PID 2072 wrote to memory of 2568	2072	Vyper.exe	32
PID 2568 wrote to memory of 1688	2568	Discord Updater.exe	33
PID 2568 wrote to memory of 1688	2568	Discord Updater.exe	33
PID 2568 wrote to memory of 1688	2568	Discord Updater.exe	33
PID 2620 wrote to memory of 2848	2620	chrome.exe	37
PID 2620 wrote to memory of 2848	2620	chrome.exe	37
PID 2620 wrote to memory of 2848	2620	chrome.exe	37
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 304	2620	chrome.exe	39
PID 2620 wrote to memory of 2020	2620	chrome.exe	40
PID 2620 wrote to memory of 2020	2620	chrome.exe	40
PID 2620 wrote to memory of 2020	2620	chrome.exe	40
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41
PID 2620 wrote to memory of 2700	2620	chrome.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Vyper.exe
"C:\Users\Admin\AppData\Local\Temp\Vyper.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Discord Updater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2504
- C:\Windows\system32\SubDir\Discord Updater.exe
  "C:\Windows\system32\SubDir\Discord Updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Discord Updater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fd9758,0x7fef6fd9768,0x7fef6fd9778
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:2
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1484 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3768 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3704 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3868 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2088 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2260 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1624 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3472 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4072 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4108 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1248,i,10799331884238752632,868249377614505650,131072 /prefetch:8
  2⤵
  PID:2380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2272

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x17c
1⤵
PID:448

C:\Users\Admin\Downloads\Vyper.exe
"C:\Users\Admin\Downloads\Vyper.exe"
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6baa376d3b9d6047ad022565785e4649

SHA1
d3816d292917db7b97ed6481223b298fa48c38b5

SHA256
711e43c0d547e9057d6800788c9ec25d3274844ac8088e5ee94f26005cb381f6

SHA512
2da6e74fdfa17ba0f6db64fc57b08907a8f9577db422dfe87f0e0451461508a76c7d54d5726d0f5b4022401f47f8d4d4797d867ef250f6e2b3a789697041edff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
17990d6fd51901475d764fa928923eb4

SHA1
b24487f54765e848d5958420a7351a31fb6c180d

SHA256
95587b712ce3fd4662c388be5f09b9cf29f76881335dec1befe432f942dfc6f2

SHA512
26fd0b53ae58891d73d796b9f7d80a30d43710d029b832171765eba4abda2c8e958e268ed28d7b9f3570a57876bab3968609f1d1730c71394d8ac4fc769d6ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
e67e6bb7c30aba2d36e15738941d66bb

SHA1
56915febdd04e1d61fdd1d336746fea21e638058

SHA256
4e136a625da78ad3f148fabaf885adce5340bc2df8ecd334e564ae7f2bda1f22

SHA512
40b326bd471c3dde7c0a306af34eb6e86b84b9b6813dc1b987f153eeb22079a2794f1c0d201b472a6fcd60611e371b8b6420dc095dd41d70bbcfc897da35b44a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eb11fc4be31c3a1771aaf6c4b3a446cb

SHA1
fd66de517652d15f050fa91ca1626c38a61a09a1

SHA256
09210dae6e37daabd07d950370c72ff26f1d4e580a65772ce4655eb4c3e01494

SHA512
ec57f1e898bde8c9066c75759485ebe1f4c175423e8fb51f595e28bccb99688861120dd5dfba1948c93791f05a51d9ffb7559e7eae4aed6aca2737b8d9c23448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
94e0c0acbb279604ba8acb72607b7bfc

SHA1
c051a805136e89cd2a676db8579701a7d6a29460

SHA256
4c18b2a87f999c4eab7259556232f37828814a024ad2d5457cd329c1a063c0d9

SHA512
a297eb4f7f3d2139deb0d4b5e65fd3c0d8511e3101bee82726f7ef07dcd9249dcae3637eab2016b220f0a4fe73eb28b8a183805fb023a86177568f43c01f4f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A6D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 913650.crdownload

Filesize
48KB

MD5
7225a1cc64357cd6fe9dc5313749a75a

SHA1
35c442548a33052b500ca6116441aed3f0caf31b

SHA256
a9969cc05b751375b424d54666d27f2c19eda22ac641c1999c4f427b29ea514b

SHA512
12341743aaa2d28aba1cc66db9a0a039e36a6e74fdde54da1f643e178067da2c794a954746b2557b5befb1dbe6be47d4c01b8cefd3c25ad2497deaaca9e26785

Download Submit
C:\Windows\System32\SubDir\Discord Updater.exe

Filesize
3.1MB

MD5
bc8ff64cac1ae0bc4f1ae65075f6c26a

SHA1
11ce47e3f7a25add1ed9fd54ce25878106b82db9

SHA256
55c022e23bde36f465a1ac4e0c0558f4f6118a2df180c08ecd1afc1529d4c15f

SHA512
270b3b94fbfc734740907c303a2d4a4f0cf30d23d9e7a76c9535c80a92d427e20061c48e8eabfe523405058c75e79b9d10561e855fa06f0c02fef938641f17bd

Download Submit
\??\pipe\crashpad_2620_HKZWIACDUPZKDKAH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1596-288-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2072-8-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-1-0x0000000000D40000-0x0000000001064000-memory.dmp

Filesize
3.1MB

Download
memory/2072-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2568-12-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-9-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/2568-10-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-11-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download