Analysis
- max time kernel: 50s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 17:43
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
quasar
1.4.1
SynapseX
espiny-38468.portmap.host:38468
987e6177-8b62-48ea-8ca9-c699971b74ba
- encryption_key: C7EC88A5CCB59BD73EF3F7D4787818BE89C06664
- install_name: Boot 10.5.exe
- log_directory: Windows Logs
- reconnect_delay: 3000
- startup_key: Windows 10 Boot
- subdirectory: Windows 10 Boot
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
- behavioral1/memory/4900-208-0x0000000000370000-0x00000000006B0000-memory.dmp | family_quasar
- C:\Windows\System32\Windows 10 Boot\Boot 10.5.exe | family_quasar
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Boot 10.5.exe (6 entries)
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Boot 10.5.exe
-
Executes dropped EXE 6 IoCs
Processes:
Boot 10.5.exe (6 entries)
pid | process
- 2512 | Boot 10.5.exe
- 5208 | Boot 10.5.exe
- 5488 | Boot 10.5.exe
- 5732 | Boot 10.5.exe
- 5948 | Boot 10.5.exe
- 5216 | Boot 10.5.exe
-
Drops file in System32 directory 22 IoCs
Processes:
Synapse Launcher.exe, Boot 10.5.exe (22 entries)
description | ioc | process
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
- File created | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File created | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Synapse Launcher.exe
- File created | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File created | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Synapse Launcher.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot | Boot 10.5.exe
- File opened for modification | C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe | Boot 10.5.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (9 entries)
pid | process
- 6000 | schtasks.exe
- 5516 | schtasks.exe
- 5760 | schtasks.exe
- 5124 | schtasks.exe
- 4160 | schtasks.exe
- 3936 | schtasks.exe
- 4816 | schtasks.exe
- 5144 | schtasks.exe
- 5300 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes:
msedge.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | msedge.exe
-
Runs ping.exe 1 TTPs 6 IoCs
Processes:
PING.EXE (6 entries)
pid | process
- 5908 | PING.EXE
- 5176 | PING.EXE
- 5448 | PING.EXE
- 4436 | PING.EXE
- 5456 | PING.EXE
- 5660 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
msedge.exe, identity_helper.exe, Synapse Launcher.exe (10 entries)
pid | process
- 4328 | msedge.exe
- 4328 | msedge.exe
- 720 | msedge.exe
- 720 | msedge.exe
- 4688 | identity_helper.exe
- 4688 | identity_helper.exe
- 1032 | msedge.exe
- 1032 | msedge.exe
- 5708 | Synapse Launcher.exe
- 5708 | Synapse Launcher.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exe (7 entries)
pid | process
- 720 | msedge.exe (7 identical entries)
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
Synapse Launcher.exe, Boot 10.5.exe (10 entries)
description | pid | process
- Token: SeDebugPrivilege | 4900 | Synapse Launcher.exe
- Token: SeDebugPrivilege | 2512 | Boot 10.5.exe
- Token: SeDebugPrivilege | 4160 | Synapse Launcher.exe
- Token: SeDebugPrivilege | 5208 | Boot 10.5.exe
- Token: SeDebugPrivilege | 5488 | Boot 10.5.exe
- Token: SeDebugPrivilege | 5708 | Synapse Launcher.exe
- Token: SeDebugPrivilege | 5732 | Boot 10.5.exe
- Token: SeDebugPrivilege | 5948 | Boot 10.5.exe
- Token: SeDebugPrivilege | 5976 | Synapse Launcher.exe
- Token: SeDebugPrivilege | 5216 | Boot 10.5.exe
-
Suspicious use of FindShellTrayWindow 33 IoCs
Processes:
msedge.exe (33 entries)
pid | process
- 720 | msedge.exe (33 identical entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe (24 entries)
pid | process
- 720 | msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe (64 entries)
description | pid | process | target process
- PID 720 wrote to memory of 2680 | 720 | msedge.exe | msedge.exe (2 entries)
- PID 720 wrote to memory of 1644 | 720 | msedge.exe | msedge.exe (repeated entries)
- PID 720 wrote to memory of 4328 | 720 | msedge.exe | msedge.exe (2 entries)
- PID 720 wrote to memory of 4500 | 720 | msedge.exe | msedge.exe (repeated entries)
All 64 entries have PID 720 (msedge.exe) as the writing process; the 1644 and 4500 target rows are repeated many times in the report.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/areinto/Synapse-X-Byfron-Bypass
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe24a846f8,0x7ffe24a84708,0x7ffe24a84718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,12833894607800610729,15859681722312995386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe
  command line: "C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
      command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8lntu2vBK6Yh.bat" "
            - C:\Windows\system32\chcp.com
              command line: chcp 65001
            - C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe
            - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
              command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
                - C:\Windows\SYSTEM32\schtasks.exe
                  command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                - C:\Windows\system32\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEastBIiJY3K.bat" "
                    - C:\Windows\system32\chcp.com
                      command line: chcp 65001
                    - C:\Windows\system32\PING.EXE
                      command line: ping -n 10 localhost
                      - Runs ping.exe
                    - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
                      command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\SYSTEM32\schtasks.exe
                          command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
                          - Creates scheduled task(s)
                        - C:\Windows\system32\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TLa9S0q6qknQ.bat" "
                            - C:\Windows\system32\chcp.com
                              command line: chcp 65001
                            - C:\Windows\system32\PING.EXE
                              command line: ping -n 10 localhost
                              - Runs ping.exe
- C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe
  command line: "C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
      command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qq7iCbkD3bhu.bat" "
            - C:\Windows\system32\chcp.com
              command line: chcp 65001
            - C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe
            - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
              command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
                - C:\Windows\SYSTEM32\schtasks.exe
                  command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                - C:\Windows\system32\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ds3WD7FnYjYx.bat" "
                    - C:\Windows\system32\chcp.com
                      command line: chcp 65001
                    - C:\Windows\system32\PING.EXE
                      command line: ping -n 10 localhost
                      - Runs ping.exe
- C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\README.txt
- C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe
  command line: "C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe
  command line: "C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main\Synapse-X-Byfron-Bypass-main\Synapse Launcher.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe
      command line: "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Windows\system32\Windows 10 Boot\Boot 10.5.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pkqmycbbyte4.bat" "
            - C:\Windows\system32\chcp.com
              command line: chcp 65001
            - C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Boot 10.5.exe.log
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Synapse Launcher.exe.log
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 56641592f6e69f5f5fb06f2319384490
SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 612a6c4247ef652299b376221c984213
SHA1: d306f3b16bde39708aa862aee372345feb559750
SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: d6c61b2613b48a33da58632bd1fbffb0
SHA1: bf33ae1f3f822a897ad411a4a73ccfa9288de66b
SHA256: 72af856f6ef7ab6e9ea2ab75e2dc3773c1fc8d8927552efcb4761e828e84cdff
SHA512: d9ed6053033b7bcf690992fe30466023ee27aaa10114f2a4cba7d24ddc2d2c4a5f26b1c2a367a34a8da60545bd09af5faa1c8f16c2f0f64d9dd7127d730d5bfb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 9ffb49d5de0d68bc97ecff20ef3d7c3c
SHA1: a22a7f8de65022e593199d7cde457dd129d6db75
SHA256: 05cf12175cbebf91739132ba67a34ec08c0eb7c8fddf02308abeba84de4f7abb
SHA512: 5aa079e2b6324a2a942c7652c1e6a2d49a9ae917345a71a66e2109c99818c218bc3a41f1b90f439f8ae77c24ca014c2506993969f8d34d926b43c46bdbdbbf7e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 166f254d1a30ad1a3a1bd295c5ddad79
SHA1: a9cc2d91e42309845844eccdc78b47c8b3be4445
SHA256: 0c4dec90e8704a186e14bc029b0cc738c774350eef84d4517c0e73ff85d750f1
SHA512: c9dab924ced96ddb6636c08630b7928b21b7f02ddf7b7d2b7603ebb2801de39cc2a6f955c2976414cb555f0ca132ad6ef584eb41d184b28a510cea0d669ede86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 7c6dd652ec25b4243c936b00ddcdd850
SHA1: 8a3ad12188e0526788a37a75e0d1d7553c2d5299
SHA256: 2d4d3a10feb89c445516f4952d7216090d4bad6c078a43e5d94c93757594cb0a
SHA512: 7fd24ae65caca4b67753b3bb94160cb0cca0083b0fee517137dd6331256aa682dfd276a60b01b80d3e1494f1b698d4315d27d82ffaceddc60f7a1ea74bdfe541
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: fb05a42f142aec34d9ad1aec5f6d3235
SHA1: df4a08e866c3d2d05dbcb66dd2eac74ab28ed5c1
SHA256: 64f6195e4e93d274e932afb3ee9244fab50555c600ea449bc34e79a63cc53e45
SHA512: c1a8d8853cb9abdd4dc5a576b38fa76d35aec007deba39aaf57747c7e3bbda14c9cfce8191079573e4c958b5b19081c23cf409c2ed9ce56d7bb31fcbfb9001b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 21def73f66a27bdf765a3cdbc3603dc7
SHA1: a68cd0ddb4ac3a6cb028162ab8b6da7f9a4eb7eb
SHA256: 34c6e4cfc3a23601ef92a99be2acb1d7bb72e70e22982cafdef1a3a67f02871d
SHA512: 4df68c6c1e238204a7b39455b32acb09a6b385dc9ae5c1ae77dbe16e366cf827083b13ec7ab307e618c3b39c8052069fb04f7d40dd9e50e10b0198a5b6b196c5
-
C:\Users\Admin\AppData\Local\Temp\8lntu2vBK6Yh.bat
Filesize: 208B
MD5: fa40ef78ae3c7d66ac018d29c38a99b5
SHA1: dea3d328df36139c562c41a786f1bc111c9a5b14
SHA256: bf80745eb5c319aeecadadb9b5177a56ee418398432714aff3e673936a239bfa
SHA512: 3bfb868091de888a7549be18e183d7e8788eab7cd0c4b47f9b43bff37d5a2b17573cd692562936608a95ba400a4d3d2cb58441f28793a3fd0ea0d2f5898a6e8d
-
C:\Users\Admin\AppData\Local\Temp\Pkqmycbbyte4.bat
Filesize: 208B
MD5: 21fec8a3dd520f7dbd860b9f52e6329c
SHA1: 2b94bd9cd57976d016533d10014fd2cdff397efd
SHA256: bddc6e8bc75bb358f7588e7afd9f440c05323d0590b6955d351f1b811347afcd
SHA512: b15a5c6bfd19ae496fe4e1b927472fe039644fa5fcff505025e15944c84973000dd49d3950afb683e569dc8e91718446efe303bbd76a27596a12e571eb3645dc
-
C:\Users\Admin\AppData\Local\Temp\TLa9S0q6qknQ.bat
Filesize: 208B
MD5: 5dd9b9ddeb180ba85503d38f75da4cec
SHA1: 997d03d70f81638325590de06d5e8204dd0e5671
SHA256: e237933b043574ad056e1f8eb0d7336b5ba7b48e992a556139dc418feaa89c5c
SHA512: 6210ba0297e4a3a71c193f6ea528b160955d72a9c3caaa5ac402557f9736238ff2fa51515b5c79000790f3a60e69ae14912c5a468e5bebdb1cd362a96ecbe57f
-
C:\Users\Admin\AppData\Local\Temp\dEastBIiJY3K.bat
Filesize: 208B
MD5: cc234b3988ce146df375b19728545120
SHA1: a21ab9ca32247c5c692d8e0192321c0c1c67fb64
SHA256: 6d05e53a9e2b9acf662d211b2e0117687122535110ea2bd5451959db1eb5a07f
SHA512: 551f3f4692bac8ed32f0ee33ca22a88cb02fed253a0e34ec59fb3acb14eec1dbf18b523a6a8eea123d4cb22bf54f214599cc5bd1aad8b137188501019cc47e82
-
C:\Users\Admin\AppData\Local\Temp\ds3WD7FnYjYx.bat
Filesize: 208B
MD5: ca575b5c4d340f591ae122100b313ca9
SHA1: 72f102c80b952d126e93ffa49b8f59f5833cfc19
SHA256: 9648ea21fef42089a3558ff423e059628a168b2d78a2f03dfba8ce4f38b45c82
SHA512: 09cf0b66735a4b74bbf82d95678006b29b64177de6100dd497589e8967cec5320d752ad3094a04f8decbe4cc1b55c34662a5431354ca4ca11cd0223569a05f8c
-
C:\Users\Admin\AppData\Local\Temp\qq7iCbkD3bhu.bat
Filesize: 208B
MD5: 3723e1f8f74944912259f59c4a2a5bb5
SHA1: 544a0706fa94a292ce5017dfc1e0eff3a2cf248e
SHA256: 957a13517ee96529f643ed2f2e794cd2c336b314cfa832929f5ec34c7aee3a48
SHA512: 93acb1a1018bd665e61278ecc06d12ac6ddf2b5c4b26887902309ded37517b25186e84510f3cb716466762a9f425ff359725d67487b7f9cf67eca3b0fc942f3c
-
C:\Users\Admin\Downloads\Synapse-X-Byfron-Bypass-main.zip
Filesize: 1.3MB
MD5: c82c249169187a781eb3291f00cb4f2c
SHA1: a80829c9a0a63327bd0d04d3112b21601a046367
SHA256: 2313d08efbd82859f8d77c712eab1e4e7dd795404dee5fdcb3f3e2c7e85a1b93
SHA512: f7a6447c679afd498847b9dd4315ab706ddbacd0f3076d38ab3b8afde34ad40a42913cadf872974ffc56f4ce081ecd1a008abb77e2dd509dca00ac1dcfeb32f0
-
C:\Windows\System32\Windows 10 Boot\Boot 10.5.exe
Filesize: 3.2MB
MD5: e2714f403955519640abda3d9994ab49
SHA1: 2f49f53f4c8b84440690a3e930920c56131d7008
SHA256: 22445a645229adce8803c92dbd9fe58beb3e50115352696e1adbab4dbcef0828
SHA512: 3efc0da405999d7b8a0bdf682a5bf179477d31e34823f8d7c9e19da44801481cbcc151f4d39a40e323f4fc087a0fc068eeff216c2d227fa1b5747394d4112cea
-
\??\pipe\LOCAL\crashpad_720_FHHVLMMRAELXLSTH
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2512-215-0x000000001C470000-0x000000001C4C0000-memory.dmp
Filesize: 320KB
-
memory/2512-216-0x000000001C580000-0x000000001C632000-memory.dmp
Filesize: 712KB
-
memory/4900-208-0x0000000000370000-0x00000000006B0000-memory.dmp
Filesize: 3.2MB