xenorat | hxxps://github[.]com/cfedss/Synapse-X-Revamped/releases/tag/rELASE1[.]4

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cfedss/Synapse-X-Revamped/releases/tag/rELASE1.4

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.1.219

Mutex

131313131323

Attributes

delay
1000
install_path
temp
port
1234
startup_name
Windows Client

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synapse X Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Synapse X Installer.exe

Executes dropped EXE 4 IoCs

Processes:

Synapse X Installer.exeSynapse X Installer.exeOoxIi8qtt.exeSynapse X Installer.exe

pid process

5832 Synapse X Installer.exe
5980 Synapse X Installer.exe
4028 OoxIi8qtt.exe
6068 Synapse X Installer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5832	Synapse X Installer.exe
5980	Synapse X Installer.exe
4028	OoxIi8qtt.exe
6068	Synapse X Installer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6052 schtasks.exe
1584 schtasks.exe

pid	process
6052	schtasks.exe
1584	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskmgr.exe

pid	process
2648	msedge.exe
2648	msedge.exe
3052	msedge.exe
3052	msedge.exe
4244	identity_helper.exe
4244	identity_helper.exe
984	msedge.exe
984	msedge.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	5672	7zG.exe
Token: 35	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeDebugPrivilege	5388	taskmgr.exe
Token: SeSystemProfilePrivilege	5388	taskmgr.exe
Token: SeCreateGlobalPrivilege	5388	taskmgr.exe
Token: 33	5388	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5388	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exetaskmgr.exe

pid	process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
5672	7zG.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe
5388	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3052 wrote to memory of 1372	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 1372	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3980	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2648	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2648	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4004	3052	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/Synapse-X-Revamped/releases/tag/rELASE1.4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2ca46f8,0x7ffff2ca4708,0x7ffff2ca4718
2⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
2⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
2⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
2⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
2⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16575714743248820576,12335117757181916942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\" -ad -an -ai#7zMap6766:108:7zEvent19541
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5672

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5832

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
2⤵
- Executes dropped EXE
PID:5980

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD65B.tmp" /F
3⤵
- Creates scheduled task(s)
PID:6052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5388

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7A0.tmp" /F
2⤵
- Creates scheduled task(s)
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
61e58cb92f916c98e2479009b50c81fd

SHA1
10f7eaf52ce8573f05580a098536482426ba0ec6

SHA256
48c1c272c4d47f7fb4178f15617e1b9cf9390ba52997d457be56508fc1a852b5

SHA512
59bf88a628dd35c2f9b65336d70c749026c535bbb7438bc00e1c9be66727d6de21307de345414dfe4200441dfa08dda292fd5af7ea0ba7a948b8c6c2549ee204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
496B

MD5
486f305a90a456ee245f58c283ed7075

SHA1
ffb22f995cbc936b3a8ad34ff3e0ac0d94b02d51

SHA256
94157b6388a91a38407aad2ffe09238b41eede735416fd6c208bc0af6d1a8b03

SHA512
65146c487ab665d5a3b588b414d51d75977eb72dbf268bffbfa1bed4ef5d47e7219b8b4cfebaf721eb9aafb15fcccf2811e9bb4d9e206fc59b7592fe03dfb8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
70076da9a08b5d5629d625d5f8ab17a6

SHA1
ccdc19f163ff72c2f16fb7b8cc758ec0a44ce76f

SHA256
e91ba1e14a2aad6792feb59a15a2227b50ead2af55ba365120f6a95db33c139f

SHA512
6bc1519453e94f128b3621c8fa52a10935c640f1abe65545d5911a384411a55ac68d1863d9d6d86168ec60ee15225d2e674344672021195c12e0ba7aca5786b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
154a8e043312f72156aa09182895b0e4

SHA1
f82a82130b25adcfa2d2cc72ffc831ea7102832d

SHA256
b988f09b45bee74f378ff9ba957f42de2ca1e472c4c7f77f3db897e603936486

SHA512
abc03a1ad45ed53b9ee6611247f0d79552ac621ae342891b9bef46d07c543a29475fdcdec4260cf3903314d5f1a93888b9806964c2700e9dea00fef165957493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b010e22b7314aee7d2ec1624132bd36e

SHA1
3ccbde5080e6d63ccf7827580f7dd562a7f3e525

SHA256
e4a1c19dba1da56e4112ae487a3ce9152c394fdf6314db7d20f8d4ed4a6c810f

SHA512
70dc02b8c6f52f676fa24465656f57f9b466dafd512b5af7485106c5003b363033e43376565b22328a2a68ebaf3eae93b054b8c5fe4f5011cf009ba7f9d88a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e5ef7729d65f187954c4d0026212595f

SHA1
b578d503e12390bf6bfa867d16714dcf663a7881

SHA256
3d728796685125a7bf99840ef6e65694f8d228a6ef848bd0a63da8251467545f

SHA512
345fe8e48b2770a284d1479603ad5fc8f8ad0a33ffbf97cc59e77a6f31478ae174a103b3cd59b0fe35de030d39c14938cb627adf148ae3e510f54f8b1444f470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
51d56b37735601ce960eccfd760e2fa8

SHA1
e97557e5a9e8067c7b2b7f57e5456a88e1c78bb1

SHA256
220841caf526b983520afb7a21c8e9302b2070785a7169bfabe19db2678f87de

SHA512
3d040b002ea25e9701297924a42c4013786f3a353d8072cb2a333b7e6376a3c7f008f2358c422169859f5419f87d1687eb84042be11bf22be854ed71835f6495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
107663e8eefec039a8bd88558bbde6f9

SHA1
69c611596bd33c156a14909f4704ce277e100dfd

SHA256
48f2b2ec1b5eda64bf53e486e2df9b5cf96927ebec24e1a17d2cc05669adeb44

SHA512
4a5f82d92dc50a44e3f4b0ed27ee441fa917f8e10d4de076e0d9b6975970c2fcb3c12f0b84911ed0d65ca66541c4ccbad085ecfd239d9c93c10f198a4d7ade4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7A0.tmp
Filesize
1KB

MD5
72375c19b52536c9df51a668d84fc207

SHA1
75db62e61e70b86e86154e36ba722f7f6b0ef8be

SHA256
517b68916ade362d60ffa24314fcdde2c26ab217776de9238f9fd0f6e7819d2e

SHA512
f1dc78994b23947e6a62a76ee172383a0cf139f496ecc06e7f99c75d1a710ac65a22e5492ebdeafc9a7df5b2c600a9d847a9974f135a4e80bde7eb132d86ffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD65B.tmp
Filesize
1KB

MD5
a27e485b47a3c136c01199b55f08c0d8

SHA1
99a6c183d0673217570cf2e5efcc8bf44d78f483

SHA256
0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df

SHA512
386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3.rar
Filesize
659KB

MD5
25e767f22f576a1187ca297428a909b3

SHA1
a6ad4d278d09e0ecab07d095e996c91e9afb3b18

SHA256
13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac

SHA512
37e4e4dd2d0c03d00f7afb024406f7445142b82f24648da287ef9008805af6b083223e9d0a34fa343bf5dc0300c701f71151eebe9be459157daf10d0d5275689

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
Filesize
43KB

MD5
769aad21a347b7576895910e55970390

SHA1
36831993993050af72ea201cfa6ebc4726860e56

SHA256
72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

SHA512
9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
Filesize
1.1MB

MD5
a48d6b525da2501d8ec661f2f2f1b0e8

SHA1
5737e465e5ffbed6b51e6775b5e05b5769f89e6b

SHA256
a6e52cc20913ae168b7dcbb923ea8cd7bdda93e43399ec22a85dabfab14ddf3a

SHA512
3cf1d6acbf1a3c3e99739af505b57aef7e8db5a2a84db2310c1d6490a097e11065510d2aaaac6ea71fd226b421d87be216993528e245e0bdee9b6000e68e32ab

Download Submit
\??\pipe\LOCAL\crashpad_3052_ITYDAIJRRNAFEMHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4028-289-0x0000000004DA0000-0x0000000004DF0000-memory.dmp

Filesize
320KB

Download
memory/4028-288-0x0000000004C80000-0x0000000004D2A000-memory.dmp

Filesize
680KB

Download
memory/4028-287-0x00000000000A0000-0x00000000001B8000-memory.dmp

Filesize
1.1MB

Download
memory/5388-247-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-252-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-251-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-249-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-248-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-253-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-250-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-242-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-243-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5388-241-0x0000016FC9BD0000-0x0000016FC9BD1000-memory.dmp

Filesize
4KB

Download
memory/5832-196-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download