mercurialgrabber | hxxps://github[.]com/FrzyOnly/Synapse-X-Cracked/archive/refs/heads/main[.]zip

Analysis

max time kernel
90s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/FrzyOnly/Synapse-X-Cracked/archive/refs/heads/main.zip

Score

10^/10

mercurialgrabber credential_access discovery spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1078786058831024198/quZxUhmquFKZyYdcZMRvL8ERlQrmdG3TwkON_S6oRGgU8_kTlFgbRJl9WXmssMV5xXE8

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
5864	Synapse X .exe
6056	Synapse X .exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
61	discord.com
62	discord.com
63	discord.com
67	discord.com
68	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip4.seeip.org
59	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Synapse X .exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Synapse X .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Synapse X .exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Synapse X .exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2480	msedge.exe
2480	msedge.exe
3340	msedge.exe
3340	msedge.exe
232	identity_helper.exe
232	identity_helper.exe
2428	msedge.exe
2428	msedge.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5720	7zG.exe
Token: 35	5720	7zG.exe
Token: SeSecurityPrivilege	5720	7zG.exe
Token: SeSecurityPrivilege	5720	7zG.exe
Token: SeDebugPrivilege	5864	Synapse X .exe
Token: SeDebugPrivilege	6056	Synapse X .exe
Token: SeDebugPrivilege	5004	taskmgr.exe
Token: SeSystemProfilePrivilege	5004	taskmgr.exe
Token: SeCreateGlobalPrivilege	5004	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
5720	7zG.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
3340	msedge.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe
5004	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe
4784	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3780	3340	msedge.exe	86
PID 3340 wrote to memory of 3780	3340	msedge.exe	86
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 3156	3340	msedge.exe	87
PID 3340 wrote to memory of 2480	3340	msedge.exe	88
PID 3340 wrote to memory of 2480	3340	msedge.exe	88
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89
PID 3340 wrote to memory of 1188	3340	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/FrzyOnly/Synapse-X-Cracked/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff381446f8,0x7fff38144708,0x7fff38144718
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8750804972749362128,7134115023211748127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\" -an -ai#7zMap26828:188:7zEvent15529
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5720

C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\Cracked Synapse-X\Synapse X .exe
"C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\Cracked Synapse-X\Synapse X .exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\Cracked Synapse-X\Synapse X .exe
"C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\Cracked Synapse-X\Synapse X .exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f3d76b0f0f899a55c536dd3edef866f

SHA1
7b9b15fa51bb06b7f8faa3cb9c797cdabd936e70

SHA256
16d9b95a03e7df01779a49242a810c883fa5a0f4d5315ebc0efc3e9215c5cd60

SHA512
0d2dd5b71408f5df83718dacfc688b0212e56be502860d4bb975a591162efb5194dc277d113dcae653eb716586c27434a1f947b6c78ce6513909a3275ddb0249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
88f714c6382df5781abe5b9ef03b9c76

SHA1
668d7906a4a77813f5e93876cce97e70f175c6c8

SHA256
850908937cab0834f13d4f1da1477925b124b186f16bc3d7df042a989d5fbb25

SHA512
8982f3d1a90ac53f07d8e0e97faabff4ccacaf4e6a6f62477aafeeadadfe10013bba1f43996b8d8cb5aacd5971ff70e59961678de56fb4c26547a0cb9f41eca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bdc664314714066fd036fac90076bfd8

SHA1
9e2de5615013494dfbb28628056719a65509320f

SHA256
84216885d354a228ada8af0dfce724849c0d00b9c850f1d856b29ae00c28a988

SHA512
32cf5a2a1e90b1e2cdee8cdc3345a06a48107490d004393f64680e0ef7f52dad956788695b3bb1f82ddb8ab4cc5372a32454d46273712ca8f632e2803bbf7230

Download Submit
C:\Users\Admin\Downloads\Synapse-X-Cracked-main.zip

Filesize
18KB

MD5
9601e7958b72567f22c59333f18f038e

SHA1
12a685b9f8f4d124ccd459283c7bca6e6d24c783

SHA256
0d1f577bc0fb88ae3ed1cd99b7279fcc11cc92185a17bfd2638bda0629cc4b5e

SHA512
7b15ba2a2c2f2a07a8b72d25a7d522b566e8ded56c5428a88a1e429be3727e6b6b168e885487eb28046a9105f803acf8739e44d81786ce23c6394328063bb3b9

Download Submit
C:\Users\Admin\Downloads\Synapse-X-Cracked-main\Synapse-X-Cracked-main\Cracked Synapse-X\Synapse X .exe

Filesize
41KB

MD5
724c3520ef4ed221c41b2163f517679e

SHA1
29509d343e37a70a0c76c22eff1687671c2dcf38

SHA256
a491cc4051e8943b280b99e805d161d4230f667948cfa83694a848da6703bd17

SHA512
46325f04447f9d8384155cbab58d3748418f891d99c8bbba31c668cc4020f93619ddfd3634d12e5ed4d329a1e8daf9cff2e15924e3c5cfb04b6bafe3fba43767

Download Submit
memory/5004-134-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-122-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-123-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-124-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-133-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-132-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-131-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-130-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-129-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5004-128-0x000002954BB30000-0x000002954BB31000-memory.dmp

Filesize
4KB

Download
memory/5864-97-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download