xenorat | hxxps://github[.]com/cfedss/Synapse-X-Revamped/releases/tag/rELASE1[.]4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Synapse X Installer.exe

Executes dropped EXE 4 IoCs

pid	Process
5832	Synapse X Installer.exe
5980	Synapse X Installer.exe
4028	OoxIi8qtt.exe
6068	Synapse X Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
6052	schtasks.exe
1584	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2648	msedge.exe
2648	msedge.exe
3052	msedge.exe
3052	msedge.exe
4244	identity_helper.exe
4244	identity_helper.exe
984	msedge.exe
984	msedge.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5672	7zG.exe
Token: 35	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeDebugPrivilege	5388	taskmgr.exe
Token: SeSystemProfilePrivilege	5388	taskmgr.exe
Token: SeCreateGlobalPrivilege	5388	taskmgr.exe
Token: 33	5388	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5388	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
5672	7zG.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1372	3052	msedge.exe	83
PID 3052 wrote to memory of 1372	3052	msedge.exe	83
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 3980	3052	msedge.exe	84
PID 3052 wrote to memory of 2648	3052	msedge.exe	85
PID 3052 wrote to memory of 2648	3052	msedge.exe	85
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86
PID 3052 wrote to memory of 4004	3052	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/Synapse-X-Revamped/releases/tag/rELASE1.4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2ca46f8,0x7ffff2ca4708,0x7ffff2ca4718
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\" -ad -an -ai#7zMap6766:108:7zEvent19541
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5672

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5832
- C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
  2⤵
  - Executes dropped EXE
  PID:5980
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD65B.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:6052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5388

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:6068
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7A0.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery