quasar | hxxps://gofile[.]io/d/ZkLIUG

Analysis

max time kernel
46s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 17:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/ZkLIUG

Score

10^/10

quasar windows update spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

skbidiooiilet-31205.portmap.host:31205

Mutex

7357b58d-e5d4-42be-8b74-db6eee6cde6d

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
Windows Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.2\SynapseX revamaped V1.2\Synapse X Launcher.exe	family_quasar
behavioral1/memory/1916-150-0x00000000005F0000-0x0000000000914000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Update.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Update.exe
Executes dropped EXE 2 IoCs

Processes:

Synapse X Launcher.exeUpdate.exe

pid process

1916 Synapse X Launcher.exe
5152 Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1540 schtasks.exe
5196 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Update.exe

pid	process
1916	Synapse X Launcher.exe
5152	Update.exe

pid	process
1540	schtasks.exe
5196	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4524 msedge.exe
4524 msedge.exe
232 msedge.exe
232 msedge.exe
2304 identity_helper.exe
2304 identity_helper.exe
4900 msedge.exe
4900 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe

pid	process
4524	msedge.exe
4524	msedge.exe
232	msedge.exe
232	msedge.exe
2304	identity_helper.exe
2304	identity_helper.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exeSynapse X Launcher.exeUpdate.exeshutdown.exe

description	pid	process
Token: SeRestorePrivilege	2244	7zG.exe
Token: 35	2244	7zG.exe
Token: SeSecurityPrivilege	2244	7zG.exe
Token: SeSecurityPrivilege	2244	7zG.exe
Token: SeDebugPrivilege	1916	Synapse X Launcher.exe
Token: SeDebugPrivilege	5152	Update.exe
Token: SeShutdownPrivilege	5452	shutdown.exe
Token: SeRemoteShutdownPrivilege	5452	shutdown.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe7zG.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
2244	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5516 LogonUI.exe

pid	process
5516	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 232 wrote to memory of 264	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 264	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4932	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4524	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4524	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 2436	232	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/ZkLIUG
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810c046f8,0x7ff810c04708,0x7ff810c04718
2⤵
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
2⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
2⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,16679129998515390559,11465983527031320686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1980

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.2\" -spe -an -ai#7zMap31860:108:7zEvent22938
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2244

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.2\SynapseX revamaped V1.2\Synapse X Launcher.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.2\SynapseX revamaped V1.2\Synapse X Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1540

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5196

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3972055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
25eff9514929f0aed11ccf2f7e49b659

SHA1
818670c5b675befb093c704c680e1bc41c4286ab

SHA256
6cc1e23b678f73ae2dbd24487f78f6692006c1a6582c96c626190ee2bfa306bb

SHA512
0879019d9a2e6d106a878aef5f644149cad4fd3a961c1a8af10683d78c5a0a1810d6fdd3fb1068c892924ffd996d03061d2ac9bbb330bdf23d090d38a926987e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e1c7f3665b4538676ad15073056ea68

SHA1
b8650f97b89db17e37f113ec9d39635a389b18b8

SHA256
fcd4fcde8ebe5e25ecf2b791b13a8a231ce876d3250bf59cc359e9fcb3cfde28

SHA512
d046ebce9faa295db26f32c66be5229df1176e99ef81fd65cfbb6f91d42f8cf84d69f0fed5dd1d762f9770a8628cee7bd41c7bc6e293f55df671dcd40f063da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e14f40f9b5cd0ea6cc14c40920cc3b81

SHA1
fb0e426c5bae896f14829ec8f14a9ec4251fa62f

SHA256
2ce5e2354177c93e798d2c237e560537476b3733915bc87b35bc4ee63f919b01

SHA512
62a663a407007fdbf346fab11ff70ec577939a0c4cb6138dafae00c23f3069c59cd10ef72acca617226c7a46c6f4d4789d296e318f011b85939ec57b16f400b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0be7c3ba55d20f80e0269ee12e638b63

SHA1
ed1e64857c7eb26898aaef0b4a8953ecc0eb02e3

SHA256
95b0197944c14a46970583fa96f4d56a99122cf34306b5e632217317336f6b7b

SHA512
707cb37fb8fc3e851972e55b489293f7ea986eea083d7c692c1fa16d1538c6d1672d7ddb634ec1662ebb1d7998210ef2ae6bc5f923a259856b54e31060be0188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
276819c224876cda687d2aef75bcca14

SHA1
e46b87c2c8d39855ce7d89db4bafdfd90d6f2def

SHA256
71b2276bb9b5d9bd35a484001740f7e665be2faf52dca6d393b91ac425b81b46

SHA512
8de6f169cfa69c9e349d960d640c03fa6967ec3cc6febd1e73517acd4435c859b519dae7d36db18fece2f05c0a7b69cc118d66fb7641b44b8d6fc0c3ddb34650

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.2\SynapseX revamaped V1.2\Synapse X Launcher.exe

Filesize
3.1MB

MD5
1a1fda92143e414b4d4153ab05dd1ce8

SHA1
33ac2b2d228a1ec93b0ea70ffadb436933b9a1e5

SHA256
f0160a1f7a39862e14063ac468957559656405f51d97ad56dc7cff9ad34da9f1

SHA512
70a9a6948f98f3bdc2c7b461634098347bdf683dec36fa92bd1ac652f72daf7fa01f842cbb8331f26c9c5f76907604f75f7c45b746bcfe8f395b3864f998f391

Download Submit
\??\pipe\LOCAL\crashpad_232_CTYLUDFHQWOBLBWY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1916-150-0x00000000005F0000-0x0000000000914000-memory.dmp

Filesize
3.1MB

Download
memory/5152-157-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/5152-158-0x000000001BD80000-0x000000001BE32000-memory.dmp

Filesize
712KB

Download
memory/5152-161-0x000000001BD00000-0x000000001BD12000-memory.dmp

Filesize
72KB

Download
memory/5152-162-0x000000001C580000-0x000000001C5BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads