Malware Analysis Report

2024-10-19 06:33

Sample ID 240528-c3cl8acg65
Target SynapseX.Revamped.V1.5.rar
SHA256 8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011
Tags
quasar windows update spyware trojan evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011

Threat Level: Known bad

The file SynapseX.Revamped.V1.5.rar was found to be: Known bad.

Malicious Activity Summary

quasar windows update spyware trojan evasion

Quasar family

Quasar payload

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Checks whether UAC is enabled

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 02:35

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 02:42

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

100s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 392 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 3024 wrote to memory of 392 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 02:43

Platform

win7-20240221-en

Max time kernel

40s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp

Files

memory/2436-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

memory/2436-1-0x0000000000D40000-0x0000000001064000-memory.dmp

memory/2436-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

MD5 9434a1822088cedbce057d280c235864
SHA1 c09173a18e5ae2d9d38bd4d3d196adf1423f924e
SHA256 de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
SHA512 7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

memory/2588-8-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2588-10-0x00000000013C0000-0x00000000016E4000-memory.dmp

memory/2436-9-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2588-11-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2588-12-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 03:13

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
IE 52.111.236.23:443 tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp

Files

memory/3656-0-0x00007FFB9F603000-0x00007FFB9F605000-memory.dmp

memory/3656-1-0x0000000000640000-0x0000000000964000-memory.dmp

memory/3656-2-0x00007FFB9F600000-0x00007FFBA00C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

MD5 9434a1822088cedbce057d280c235864
SHA1 c09173a18e5ae2d9d38bd4d3d196adf1423f924e
SHA256 de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
SHA512 7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

memory/4492-10-0x00007FFB9F600000-0x00007FFBA00C1000-memory.dmp

memory/3656-9-0x00007FFB9F600000-0x00007FFBA00C1000-memory.dmp

memory/4492-11-0x00007FFB9F600000-0x00007FFBA00C1000-memory.dmp

memory/4492-12-0x0000000002A40000-0x0000000002A90000-memory.dmp

memory/4492-13-0x000000001B6C0000-0x000000001B772000-memory.dmp

memory/4492-14-0x00007FFB9F600000-0x00007FFBA00C1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 03:15

Platform

win7-20240419-en

Max time kernel

1561s

Max time network

1561s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

Network

N/A

Files

memory/2292-1-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-2-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-3-0x000000007272C000-0x0000000072ECA000-memory.dmp

memory/2292-0-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-5-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-6-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-7-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-4-0x00000000724D0000-0x00000000733F6000-memory.dmp

memory/2292-9-0x000000007272C000-0x0000000072ECA000-memory.dmp

memory/2292-8-0x00000000724D0000-0x00000000733F6000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 03:15

Platform

win10v2004-20240508-en

Max time kernel

1385s

Max time network

1174s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 412 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 412 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SynapseX Revamped V1.5\bin\SynapseInjector.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 660

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

memory/2136-1-0x000000007474C000-0x0000000074EEA000-memory.dmp

memory/2136-0-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-2-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-3-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-4-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-5-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-7-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-6-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-8-0x00000000744F0000-0x0000000075416000-memory.dmp

memory/2136-9-0x000000007474C000-0x0000000074EEA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 02:35

Reported

2024-05-28 03:09

Platform

win7-20240221-en

Max time kernel

1799s

Max time network

1802s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.text C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.text\ = "text_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file C:\Windows\system32\rundll32.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1284 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1284 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2668 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe
PID 2668 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe
PID 2668 wrote to memory of 2540 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Windows\system32\schtasks.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Windows\system32\schtasks.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Windows\system32\schtasks.exe
PID 2540 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
PID 2540 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
PID 2540 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe C:\Windows\system32\schtasks.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe C:\Windows\system32\schtasks.exe
PID 2480 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe C:\Windows\system32\schtasks.exe
PID 2668 wrote to memory of 1252 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 1252 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 1252 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 2648 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2668 wrote to memory of 2648 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2668 wrote to memory of 2648 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2668 wrote to memory of 2636 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 2636 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 2636 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 644 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 644 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 2668 wrote to memory of 644 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\rundll32.exe
PID 644 wrote to memory of 840 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\NOTEPAD.EXE
PID 644 wrote to memory of 840 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\NOTEPAD.EXE
PID 644 wrote to memory of 840 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar"

C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A86607\1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AFB068\version.txt

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A71398\.text

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text

Network

Country Destination Domain Proto
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
US 8.8.8.8:53 skbidiooiilet-31205.portmap.host udp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 skbidiooiilet-31205.portmap.host tcp
DE 193.161.193.99:31205 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe

MD5 9434a1822088cedbce057d280c235864
SHA1 c09173a18e5ae2d9d38bd4d3d196adf1423f924e
SHA256 de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
SHA512 7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

memory/2540-35-0x00000000002A0000-0x00000000005C4000-memory.dmp

memory/2480-41-0x0000000001010000-0x0000000001334000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zOC6AFB068\version.txt

MD5 ab6f65c5a67f69a1f23c29373b6b6ada
SHA1 eb80cda039fd6ac2453402f793dc372eadf0e24f
SHA256 e333770e0c4c51e6c05101eae443bde40a7ab64fe4362374e4a900dc6cbe2aca
SHA512 d8910b4105e7925e4597d8011cf415453571e4f2ee61e39a0ad14be549ef51ce20e11502b4790536ac02724d2f12ae9717a1cadbd3eb02bfc459b8868f29fd12

C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text

MD5 9693ab4017b430693aab5ed990a8161a
SHA1 03d71ff31ff1b9d516ddaa77668cbaafd8f39905
SHA256 052a59ba9192055583d81d9e50b6a723c1f2323e0fca8e35c7af1f361ca76518
SHA512 02ca270ee8242196548bc1d9f1642e5e6e58792081c28c12ab7e3bac6d723f14f0dcdaaf4f5279f2077c6523f65a558185a8f2c79a5d5bd0e24d061ef785435e