Analysis
- max time kernel: 385s
- max time network: 390s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 09:36
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted family: xenorat
- 192.168.1.219
- 131313131323
- delay: 1000
- install_path: temp
- port: 1234
- startup_name: Windows Client
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Synapse X Installer.exe

Executes dropped EXE (7 IoCs)
  pid | Process
  1168 | Synapse X Installer.exe
  5868 | Synapse X Installer.exe
  5564 | Synapse X Installer.exe
  3804 | Synapse X Installer.exe
  1924 | Synapse X Installer.exe
  3944 | Synapse X Installer.exe
  4468 | Synapse X Installer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4368 | schtasks.exe
  4840 | schtasks.exe
  1404 | schtasks.exe
  444 | schtasks.exe
  4324 | schtasks.exe
  2052 | schtasks.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  6056 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process | occurrences
  1904 | msedge.exe | 2
  3948 | msedge.exe | 2
  3700 | identity_helper.exe | 2
  1168 | msedge.exe | 2
  1348 | msedge.exe | 4
  5216 | msedge.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid | Process | occurrences
  3948 | msedge.exe | 8

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 5740 | 7zG.exe
  Token: 35 | 5740 | 7zG.exe
  Token: SeSecurityPrivilege | 5740 | 7zG.exe
  Token: SeSecurityPrivilege | 5740 | 7zG.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process | occurrences
  3948 | msedge.exe | 34
  5740 | 7zG.exe | 1

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | occurrences
  3948 | msedge.exe | 24

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2612 | OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 3948 wrote to memory of 1828 | 3948 | msedge.exe | 83 | 2
  PID 3948 wrote to memory of 3236 | 3948 | msedge.exe | 84 | 40
  PID 3948 wrote to memory of 1904 | 3948 | msedge.exe | 85 | 2
  PID 3948 wrote to memory of 2952 | 3948 | msedge.exe | 86 | 20
Processes
(Entries are listed as Path / Command line / signatures / PID; indentation shows the tree depth reported by the sandbox.)

PID 3948, depth 1
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/Synapse-X-Revamped/releases/download/rELASE1.4/SynapseX.revamaped.V1.3.rar
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 1828, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718

  PID 3236, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

  PID 1904, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 2952, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

  PID 1944, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

  PID 2140, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

  PID 3996, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8

  PID 3700, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 2348, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

  PID 4572, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

  PID 2216, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

  PID 628, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

  PID 4748, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5424 /prefetch:8

  PID 2240, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

  PID 1168, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 1348, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  PID 3368, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

PID 4404, depth 1
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 528, depth 1
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2612, depth 1
  Path: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 5492, depth 1
  Path: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 5740, depth 1
  Path: C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\" -ad -an -ai#7zMap17236:108:7zEvent29742
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 6056, depth 1
  Path: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.txt
  - Opens file in notepad (likely ransom note)

PID 1168, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Checks computer location settings
  - Executes dropped EXE

  PID 5868, depth 2
    Path: C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
    - Executes dropped EXE

    PID 4368, depth 3
      Path: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB12A.tmp" /F
      - Creates scheduled task(s)

PID 5564, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE

  PID 4840, depth 2
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA0B.tmp" /F
    - Creates scheduled task(s)

PID 4376, depth 1
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault313a8f52hc6d5h4112h915ehf0d412aec2f8

  PID 4084, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718

  PID 1712, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16765007798261858155,1471252846858375939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

  PID 5216, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16765007798261858155,1471252846858375939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

PID 3804, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE

  PID 1404, depth 2
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp" /F
    - Creates scheduled task(s)

PID 5664, depth 1
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd3b80f65h6d71h46e8h8dddh77ecba3bdd4b

  PID 5052, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718

  PID 5832, depth 2
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,18203945934819896284,787259313455434778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

PID 1924, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE

  PID 444, depth 2
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp327B.tmp" /F
    - Creates scheduled task(s)

PID 3944, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE

  PID 4324, depth 2
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1171.tmp" /F
    - Creates scheduled task(s)

PID 4468, depth 1
  Path: C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
  Command line: "C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE

  PID 2052, depth 2
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5512.tmp" /F
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads