xenorat | hxxps://github[.]com/cfedss/Synapse-X-Revamped/releases/download/rELASE1[.]4/SynapseX[.]revamaped[.]V1[.]3[.]rar

Analysis

max time kernel
385s
max time network
390s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cfedss/Synapse-X-Revamped/releases/download/rELASE1.4/SynapseX.revamaped.V1.3.rar

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.1.219

Mutex

131313131323

Attributes

delay
1000
install_path
temp
port
1234
startup_name
Windows Client

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synapse X Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Synapse X Installer.exe

Executes dropped EXE 7 IoCs

Processes:

Synapse X Installer.exeSynapse X Installer.exeSynapse X Installer.exeSynapse X Installer.exeSynapse X Installer.exeSynapse X Installer.exeSynapse X Installer.exe

pid	process
1168	Synapse X Installer.exe
5868	Synapse X Installer.exe
5564	Synapse X Installer.exe
3804	Synapse X Installer.exe
1924	Synapse X Installer.exe
3944	Synapse X Installer.exe
4468	Synapse X Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4368 schtasks.exe
4840 schtasks.exe
1404 schtasks.exe
444 schtasks.exe
4324 schtasks.exe
2052 schtasks.exe

pid	process
4368	schtasks.exe
4840	schtasks.exe
1404	schtasks.exe
444	schtasks.exe
4324	schtasks.exe
2052	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6056 NOTEPAD.EXE

pid	process
6056	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1904	msedge.exe
1904	msedge.exe
3948	msedge.exe
3948	msedge.exe
3700	identity_helper.exe
3700	identity_helper.exe
1168	msedge.exe
1168	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
5216	msedge.exe
5216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3948 msedge.exe
3948 msedge.exe
3948 msedge.exe
3948 msedge.exe
3948 msedge.exe
3948 msedge.exe
3948 msedge.exe
3948 msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	5740	7zG.exe
Token: 35	5740	7zG.exe
Token: SeSecurityPrivilege	5740	7zG.exe
Token: SeSecurityPrivilege	5740	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exe

pid	process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
5740	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2612 OpenWith.exe

pid	process
2612	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3948 wrote to memory of 1828	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1828	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3236	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1904	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1904	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 2952	3948	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/Synapse-X-Revamped/releases/download/rELASE1.4/SynapseX.revamaped.V1.3.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
2⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17465655297266604314,9224772233844123376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
2⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\" -ad -an -ai#7zMap17236:108:7zEvent29742
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6056

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
2⤵
- Executes dropped EXE
PID:5868

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB12A.tmp" /F
3⤵
- Creates scheduled task(s)
PID:4368

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:5564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA0B.tmp" /F
2⤵
- Creates scheduled task(s)
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault313a8f52hc6d5h4112h915ehf0d412aec2f8
1⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718
2⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16765007798261858155,1471252846858375939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16765007798261858155,1471252846858375939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5216

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp" /F
2⤵
- Creates scheduled task(s)
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd3b80f65h6d71h46e8h8dddh77ecba3bdd4b
1⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,18203945934819896284,787259313455434778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
PID:5832

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp327B.tmp" /F
2⤵
- Creates scheduled task(s)
PID:444

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1171.tmp" /F
2⤵
- Creates scheduled task(s)
PID:4324

C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5512.tmp" /F
2⤵
- Creates scheduled task(s)
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dd7f392257954f1edc345932b4fda013

SHA1
d0a5ca70e532b852d9c37c2c4259486a0bd79b70

SHA256
c9720ed47a357c3b5d32205b62ea1d6bc9ef50fc38673371d26b1f31b493f5c6

SHA512
e694f8712d32c318cf9b64bcfcccfdab25aa5bd023f789856b3b40bfd58aaaa97cb49c76b21833e3c31dd31be6ca3418008d9d4613c55316a2066a525db0256b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
97f4659fd112f30e1ced324259b7d73a

SHA1
0370f111f24b7166efea437642e3de268982359a

SHA256
fa96409b28d99e78a33fee42638df67b95bed8cfab306ae42a1842fbe16110d5

SHA512
ae680a858032e8be64a24b32e29f5692468a88ee689b65bac51e8ce25aec2dcacdd5e248d24ba9565522ca2094721ebbbb1f019ed0b9c1517576f160a500064a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
672c77571bd198db3d4d5e407de2d695

SHA1
e0fe76c12a83179adf51810057772cdee2c255aa

SHA256
659c71ce723df8c54baca1d3963aafdbf52e05caaded7eec0f860f385e6d533c

SHA512
956895fe3d5460074efdfda867a463bf9314f68b2137418f576b110ed95cc73631810acf630a8dc0faf6469e709fc6b634276c34f3ae4511f41c3225d2ee1847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5a128415dc1914aa2b9c7b17af7c1e49

SHA1
ac4de06e620fb52637a4a0787b341e6f51f221ed

SHA256
7ac25b2ecbf078040967e070e4602428651a85c048ab05f1ea550a3fd28396c9

SHA512
4bb0180ad38111fa152cf8fe6aeea4fa485d968dc620f45c41ca533b9ff93740f894706c34f59b8a56ca7ea6588049d942ed59e65c74e1c4ad4eb3a4bfe13032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
520f8d217198dba441350c8c518e6ea1

SHA1
fa530fa61a80b995c56ede2aa58e55ff15da076d

SHA256
456b07cb718de7291960c24447d2d6ae5dc4700e203aa39b25e1981a7308ec9c

SHA512
3fc99cc6ff4ac31459499b5e4f455a7145cfaa59b93ca66ea812b4b2332b931f1cc7871c626aff234ff66c03e5878d75222572328125cb620acca57b5f904bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d8afc6f797615919acbaa742baa79e2c

SHA1
dcc17d460951e90fc0c387ae87e0c0aa400b9ef0

SHA256
3b9eee2e8dbefe76f8e1dc3de6ac09fe6ecef9119202a7ea53ff7ce6ad13b911

SHA512
fb09bc86d1e949e5c1f3d03ef641873901c6a76a848c21290bfaf26cfa9384b23e337f3abce1d17b33452ab34ce10c2a93dab5254282c63a99d09e8b27a76dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a4e763f7d2ccbe68ce82b888935c661b

SHA1
eec795ca688f598d46ec91f45e81887227363eb5

SHA256
e1cb6ff27087fe88cf43b44deb68329e64ee0c29c03251908e8d0223a0d56dfd

SHA512
147c16d41461c2f434c4a77968f418558a2f8ca15f15287a0386649ef392acde6ec0c08a54497881bf8558eafe4d6aa8e9aa8efc11119008b7aab21e7dc4058b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d3d16870cddcd143dc8e008e8ba2d083

SHA1
99ab479966f5249256189134608736c2947ffa7d

SHA256
72c170dbccd36fffa466648d3b707d3c87048ab4d4651a080bfcdb8b6e8497b0

SHA512
841e5e3a6fe60ae4d63401ea5e833632b59b6b0b1d3c7d01ded60759c2d2c97c4e537a8b0e3de67df55262fe96e853d99e65d15bd3723ba95d42ad47a542c836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
4521bb896550456460070b0510902dbb

SHA1
08e075f52cf4a2329d476210b797381f82b885ce

SHA256
0bc9a9ebc24607677c93ad73016024dd82c0d8af5a75fcbf68893d7cd3fef3fa

SHA512
e84a5c11b8ccdc74e5e846a09e9c9431617f4c7c7fa7154a6e5fc22c679b27004729de95fe8f5c4787740dc729faa5d72d925c29e87c330fabb42a4f1f0958ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB12A.tmp
Filesize
1KB

MD5
a27e485b47a3c136c01199b55f08c0d8

SHA1
99a6c183d0673217570cf2e5efcc8bf44d78f483

SHA256
0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df

SHA512
386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA0B.tmp
Filesize
1KB

MD5
72375c19b52536c9df51a668d84fc207

SHA1
75db62e61e70b86e86154e36ba722f7f6b0ef8be

SHA256
517b68916ade362d60ffa24314fcdde2c26ab217776de9238f9fd0f6e7819d2e

SHA512
f1dc78994b23947e6a62a76ee172383a0cf139f496ecc06e7f99c75d1a710ac65a22e5492ebdeafc9a7df5b2c600a9d847a9974f135a4e80bde7eb132d86ffa0

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3.rar
Filesize
659KB

MD5
25e767f22f576a1187ca297428a909b3

SHA1
a6ad4d278d09e0ecab07d095e996c91e9afb3b18

SHA256
13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac

SHA512
37e4e4dd2d0c03d00f7afb024406f7445142b82f24648da287ef9008805af6b083223e9d0a34fa343bf5dc0300c701f71151eebe9be459157daf10d0d5275689

Download Submit
C:\Users\Admin\Downloads\SynapseX.revamaped.V1.3\SynapseX revamaped V1.3\Synapse X Installer.txt
Filesize
43KB

MD5
769aad21a347b7576895910e55970390

SHA1
36831993993050af72ea201cfa6ebc4726860e56

SHA256
72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

SHA512
9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

Download Submit
\??\pipe\LOCAL\crashpad_3948_CNFQAQAZDSOOJXVH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1168-144-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download