darkcomet | hxxps://github[.]com/SimpleCrea/SynapseX

Analysis

max time kernel
67s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SimpleCrea/SynapseX

Score

10^/10

darkcomet skece evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

skece

tcp://5.tcp.eu.ngrok.io:19556

Mutex

DC_MUTEX-67FH6JT6

Attributes

InstallPath
MSDCSC\win10defender.exe
gencode
vU2KnHMvXcMY
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SynapseX.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\win10defender.exe"	SynapseX.exe

Disables RegEdit via registry modification 4 IoCs

evasion

Processes:

SynapseX.exeSynapseX.exeSynapseX.exewin10defender.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SynapseX.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SynapseX.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SynapseX.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	win10defender.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SynapseX.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	SynapseX.exe

Executes dropped EXE 5 IoCs

Processes:

SynapseX.exewin10defender.exeSynapseX.exeSynapseX.exeSynapseX.exe

pid	Process
1940	SynapseX.exe
3808	win10defender.exe
4800	SynapseX.exe
2656	SynapseX.exe
1072	SynapseX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SynapseX.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\win10defender.exe"	SynapseX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

Processes:

SynapseX.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\win10defender.exe	SynapseX.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\win10defender.exe	SynapseX.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	SynapseX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587289618927341"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2752	chrome.exe
2752	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
2752	chrome.exe
2752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
1424	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win10defender.exe

pid	Process
3808	win10defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2752 wrote to memory of 4600	2752	chrome.exe	80
PID 2752 wrote to memory of 4600	2752	chrome.exe	80
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 2904	2752	chrome.exe	83
PID 2752 wrote to memory of 1572	2752	chrome.exe	84
PID 2752 wrote to memory of 1572	2752	chrome.exe	84
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85
PID 2752 wrote to memory of 4796	2752	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/SimpleCrea/SynapseX
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6060ab58,0x7ffa6060ab68,0x7ffa6060ab78
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1880,i,12359320095680719149,9572793891709725592,131072 /prefetch:8
  2⤵
  PID:4108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\" -spe -an -ai#7zMap26513:126:7zEvent3443
1⤵
- Suspicious use of FindShellTrayWindow
PID:1424

C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1940
- C:\Windows\SysWOW64\MSDCSC\win10defender.exe
  "C:\Windows\system32\MSDCSC\win10defender.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3808
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4948
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:968

C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
PID:4800

C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
PID:2656

C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
59eb26cc21c6533d303fb81054dcf5bb

SHA1
63cd289d88b4c93276018eb6771011187a2db96a

SHA256
56caea729ab94f21e32e581649255a54e4474b9b5f2e5864d365bc2bf3f84ff0

SHA512
a7cc446d7af889d510630a9297f1e5bb8327d4497922174137b238351b6228a73e3adbd3c662936c332bc16c2a4221700388b25489ba1803f703e865cefe5905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d48434d866c83b730de52e5611cb1dc

SHA1
f6c4efa4ead0cedb318d0223d25d931ed6732b31

SHA256
812801dd88edcd214e382fc460c89670b7abdc2321f4f9df0d98c69840eeff0b

SHA512
cd7dba78d7780d351a72ede1bd555c7503655d906b434bf5d536b16bdd5b9649fa20f5169667e071e3d72cea25dde0705856d0dde07d55b9d998f4aa0b157d3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6cfb99b0ec76f805cc745f4ef1573ccd

SHA1
15a75d60fdd701034a6275c998066a612400abd4

SHA256
dec90e7c89dc2c0ee9c16ae95f362ef57e094d1d08dc12d225cf53ea892b7aa3

SHA512
da2ec03113f6d9d094003dc4238ca81953ba4f9f7bf59d41ff687d1bc329c9d1fa385532b75d41f16886b81c2dee3b6f09821128b47bf4375c50a898eb65458d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
538ef7e948e9a476381261ef04101a26

SHA1
4b8c8d4eda9f70c298a9d7cc9c922a1708b1245b

SHA256
cd5d25d12a07dd2c20b4724ea360dd20f8d891cf4779a8340d2070fd922fadec

SHA512
9cd843196d23959429d2f4e94835f43b19ff2fe453db4a8f3eae55f7b2043137174a59e93d33113cbd9cda143f72fd7a135326884df1995df17ad30f4f95e713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8850d812f1d571dfae5a79c92fef22ca

SHA1
c9e2b0b9b0026105535c89f91b3d240a1d475f0c

SHA256
823cad3f1dcd11d1ec8d56bb27574c07491f02016d18385abfb89fd364b0f0f9

SHA512
482b15558dfb7f88fe25e02b83281136162e6ac228f6f1b17110be5f27a14b67811c5665837df6376a8fc389b1323dc068834ba9e039b55b7a7f54eb18612194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
97668da3e923ae2d4b6260bf2cd4904c

SHA1
d9e69c06f443fa679cf9a9e3b87a22c0b522e427

SHA256
28cf856332257402154d1fbfd1711a721ef7cdcef01458a92cd5081a11972f81

SHA512
f02e54bb14c211b7a4d0632b3a4b83d8bac54428b79aeb1a9faa56cb776eea5f6157bc2b7cf4e6ecb547e372ca4f76de1eeb7e492eecf138663577e0dc04c58d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
e6b9308e78ee20b4f654ff0d1bea8789

SHA1
92757fffad9f20fc5aaafa2670f98cacffddf469

SHA256
7315858e8494bc9ce7e3564c9b9190867c6bc6028b483c9f2429c557d37a41e4

SHA512
90a24b63a996d63049bf2de0cad41e0d684210629e868822027c2d90c3259174c4a6d454a1bf4060087377f0eb1837274cf499cafa953fa8409f142fb169c0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57a623.TMP

Filesize
88KB

MD5
b4da56b5a7091e7d9e54f75e9b126b2e

SHA1
8089a0414f61db0e4cd3917be662d99bca269d15

SHA256
a77bd2584e710b33a53dbd51f8ce6706ab250a43c3ad03100cf9733468ed106d

SHA512
2622e5f01d2674e02c75e422d4759c731dd571f635fbb46d7384c900102aafff1f686950ded46a431e3247366fabfdb22f82c1d24b52023df92031c2c8771798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d27b32fa-8e63-4b3c-b1bf-2491885f2c26.tmp

Filesize
94KB

MD5
082e1540d7a4bbd0ae2d03d57cc6dc16

SHA1
b52e28752f459fbf535d764b6814312076b243d6

SHA256
b809bfb19b2afedea60b0124142b4db05e81181de336f091b02758c95ead5f91

SHA512
86c3f6f34b8e0a71f31376f2d96de78632581968df5163013e687f814c3c235f1ff2a5d2de81a614b342ffc12e5936a17498fe7254cc0199421b3307152928c7

Download Submit
C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master.rar

Filesize
511KB

MD5
4485a640a1f182703c96d3fc0d629d42

SHA1
d21101813ef506621759d7b43629d5026844dc00

SHA256
159266d50d37660577c34a50ef0ac31798127e4af7f8c627bdad765663da129e

SHA512
5fc87e3547218729869b5da379ecd30ffa6f2a1b5c692abd8dd8260eafce9ccff36f332810931199b09f1b3fb0275a3717754c6c8cce27d3e828031be302e5cb

Download Submit
C:\Users\Admin\Downloads\SynapseX Roblox Exploit - master\SynapseX - main\SynapseX.exe

Filesize
662KB

MD5
9c548d59bbfb05c0f1de777e4ad690f5

SHA1
ec68c5564acadd4f64f6ce4151a72d6b96fa89ea

SHA256
a7bcd2972b0b478ea0510061d4799b9454a14646009253b87da3493229e784e3

SHA512
4f78941f0966b052cecc3cd5b278849866965b821c82a89991ef71fe331c7f2313a9f95b57089658d03c5e50f42bc57c60d0faa635b38c8f364b4cbf248d516c

Download Submit
\??\pipe\crashpad_2752_MSTRLFISMWRXOQTM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1072-292-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1940-270-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1940-284-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2656-288-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3808-289-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3808-293-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4800-286-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download