quasar | hxxps://github[.]com/cfedss/Synapse-X-Revamped/releases/tag/Relase1[.]5

Analysis

max time kernel
136s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cfedss/Synapse-X-Revamped/releases/tag/Relase1.5

Score

10^/10

quasar windows update spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

skbidiooiilet-31205.portmap.host:31205

Mutex

b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
Windows Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe	family_quasar
behavioral1/memory/1844-209-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

SynapseXBootstrapper.exeUpdate.exeSynapseXBootstrapper.exeSynapseXBootstrapper.exe

pid process

1844 SynapseXBootstrapper.exe
2216 Update.exe
5056 SynapseXBootstrapper.exe
4632 SynapseXBootstrapper.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4188 schtasks.exe
2528 schtasks.exe

pid	process
1844	SynapseXBootstrapper.exe
2216	Update.exe
5056	SynapseXBootstrapper.exe
4632	SynapseXBootstrapper.exe

pid	process
4188	schtasks.exe
2528	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615687201222297"	chrome.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4592 chrome.exe
4592 chrome.exe
1560 chrome.exe
1560 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4592 chrome.exe
4592 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
2660	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

828 OpenWith.exe

pid	process
828	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4592 wrote to memory of 1576	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1576	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1896	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3516	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3516	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 1664	4592	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/cfedss/Synapse-X-Revamped/releases/tag/Relase1.5
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff12eeab58,0x7fff12eeab68,0x7fff12eeab78
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1860,i,7112927711914081009,1088448206200995891,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\" -ad -an -ai#7zMap4111:106:7zEvent3444
1⤵
- Suspicious use of FindShellTrayWindow
PID:2660

C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe
"C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"
1⤵
- Executes dropped EXE
PID:1844
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4188
- C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
  2⤵
  - Executes dropped EXE
  PID:2216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2528

C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe
"C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:828

C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe
"C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe"
1⤵
- Executes dropped EXE
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1737b830e3a08fcf5c477f909ce0b8c8

SHA1
d58f377be4671f4d4110cb22deac447e04f4a175

SHA256
1c4f10c5cab0534d98c701032040b96af1d7a33ab256ffd6719301292e9f01e4

SHA512
124f6e6b912441a932b5d2a2b20bb0f4bf299fd0a7105985b1a97deb4a8f5fd17bc1cc7ba1dfdd8f79103ca9d37b5f9dd54d97e7e3adffdfdd68c80159b772b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b7bf519eb7fe2ce2d9ed33cdf8111ee5

SHA1
f679ede91281e0b9d89d34a4717c67b202ad26e5

SHA256
a9b5f0a801fb8dfe10b7a7b1511db43529cef552936407cfccf09bc4646297b5

SHA512
3a806d06502b243ab597854c644d1e70b56c9f02d74728d0594c83834ec257590d3dcbeba34ca507ca49b14c4b0f1775ba7ebf0732525542255b8d4dd0188d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
75ab077b735376923901bb94a8f0030c

SHA1
2aefb3c0711a2a84cdc4a60dcba98a02bfb68bc4

SHA256
098cb5a1c62d60a2ea6f9f1cbc0cbaa4228afec03020f4d1698f0742c1f9e78f

SHA512
a19c645d1263c386e1a9e2c8e11f3c878c70d2de33acef8e196b1a645c81c4cb02d06d6f6eebd0f641e63ede0d68a609ec3c6954ad1869c2cc3ab9bcd7f1f146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e7bb7ffca45b80bca54aa8ad894acb14

SHA1
4f402341898103376d5bc460e24a1626ef30769c

SHA256
dc612499dd227a78ec835721e0c5330d233ebaf11d1b040108e0741ee2ad857a

SHA512
c67fb05fb103b8eef8e0ccdb6322448ca8debbc7073c88a648cdfdabbe24a04c2f5204d27504e8eae0557866f544f9e21b0c335ac8f4b784df68b1c32c33145b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0300382ac5c0081958f97ba445bddd2f

SHA1
32900a5c79180d31d39be5015be5199fd96cb3cc

SHA256
6b8a67d960898d6c3585d380c1a549ecd4da3d8893eb28878a81f70221d2dd85

SHA512
a87d85862c29605bec18e12f592b9d64c6a48bb46596bd5fab4a2934f5e8a27428558c22a07a8dac097df4111747e26f39f4f1db47d55551fe9a5a7106e2c5c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
85c7fe650e6b05111c562286b96733fc

SHA1
7e7aff50197263129075b18c1c4c8997b594067a

SHA256
b827e4e707fed1eea78caff9f05ba463136cea76513ac7c44806d1d45a017492

SHA512
12b153379e7e26d23562e843db742a8d1ccf9d000b09b4a3337c1cf05098c30787570f13d75dc62e6c253327f4ca43911a99656cd6bc3e8ccd88edd64e43ca67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
0b80a4aedf82830d152d1d02f3022643

SHA1
cf9fb2992c87d4ecbc994a937b3c5b9e409a60a2

SHA256
5af07281391421c7c6fd3ceda6f5cd887ef4145041fc69252b94e077c51aacb9

SHA512
b931f15817f83e6b48b13902b546535f1c4b2ae995329186bc5695f5b3e2d5f173f7248b0b631994dd3322581b67eb8487fa3524d655915d2ac62c87aaa6bd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SynapseXBootstrapper.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5.rar

Filesize
6.9MB

MD5
358e3fc465a47e440775cd04fe9e9650

SHA1
c0dea173ba12149b325de5831c2e08d8c3ff7b21

SHA256
8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011

SHA512
1a8dad583487280053ec13a088f02f54177f2c14318d9edfc60121884e6bda8e06979c47fa2e9100db21ecedcb30431a1842c2a6ef3c69f20b703ea07865348f

Download Submit
C:\Users\Admin\Downloads\SynapseX.Revamped.V1.5\SynapseX Revamped V1.5\SynapseXBootstrapper.exe

Filesize
3.1MB

MD5
9434a1822088cedbce057d280c235864

SHA1
c09173a18e5ae2d9d38bd4d3d196adf1423f924e

SHA256
de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

SHA512
7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

Download Submit
\??\pipe\crashpad_4592_TOAUUQMKDLFZDKOY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1844-208-0x00007FFEFF723000-0x00007FFEFF725000-memory.dmp

Filesize
8KB

Download
memory/1844-209-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/1844-210-0x00007FFEFF720000-0x00007FFF001E1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-217-0x00007FFEFF720000-0x00007FFF001E1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-218-0x000000001B620000-0x000000001B670000-memory.dmp

Filesize
320KB

Download
memory/2216-219-0x000000001BD30000-0x000000001BDE2000-memory.dmp

Filesize
712KB

Download
memory/2216-220-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/2216-221-0x000000001BCB0000-0x000000001BCEC000-memory.dmp

Filesize
240KB

Download