File name: Synapse Z.zip

Full analysis: https://app.any.run/tasks/c4239ebb-0483-4e98-9f9e-2a7a8b16cb58
Verdict: Malicious activity
Analysis date: November 02, 2024, 10:04:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 2D57B54CF0472ECD6AC6C31C5ED5AA04
SHA1: CCB3F600FFC3A7711F951431EBBE7275F0813A5E
SHA256: E5E08E06805507504311242781E7A892AAE60C3B5C318CD579D710D31E529B50
SSDEEP: 98304:xspvsvdhQoZd21bw3sHjx+MXoVIdRpG9XJGgo1eSDVMGQCCzRfyprwi3zWrDOoXK:EmSihwBLdHFh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5920)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5920)
    • Manual execution by a user

      • SynapseLauncher.exe (PID: 6212)
      • cmd.exe (PID: 4584)
      • SynapseLauncher.exe (PID: 6992)
      • SynapseLauncher.exe (PID: 6552)
      • SynapseLauncher.exe (PID: 3744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:10:04 09:13:36
ZipCRC: 0x0723a841
ZipCompressedSize: 41
ZipUncompressedSize: 41
ZipFileName: info.cmd
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 17
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process nodes as rendered in the graph ("no specs" marks a process with no indicators attached):
  • start
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • rundll32.exe (no specs)
  • synapselauncher.exe (no specs)
  • synapselauncher.exe
  • conhost.exe (no specs)
  • slui.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • synapselauncher.exe (no specs)
  • synapselauncher.exe (no specs)
  • synapselauncher.exe
  • conhost.exe (no specs)
  • synapselauncher.exe (no specs)
  • synapselauncher.exe
  • conhost.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SynapseLauncher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SynapseLauncher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3744
CMD: "C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe"
Path: C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
  • c:\users\admin\desktop\synapse z\synapselauncher.exe
  • c:\windows\system32\ntdll.dll

PID: 3844
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 4516
CMD: "C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe" redeem
Path: C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
  • c:\users\admin\desktop\synapse z\synapselauncher.exe
  • c:\windows\system32\ntdll.dll

PID: 4584
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Synapse Z\redeem.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\cmdext.dll
  • c:\windows\system32\advapi32.dll

PID: 4676
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\rundll32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\imagehlp.dll

PID: 5920
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Synapse Z.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll

PID: 6028
CMD: "C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe" redeem
Path: C:\Users\admin\Desktop\Synapse Z\SynapseLauncher.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\synapse z\synapselauncher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

Total events: 4 227
Read events: 4 189
Write events: 13
Delete events: 25

Modification events

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Synapse Z.zip

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value: (none)

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value: (none)

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 13
Value: (none)

(PID) Process: (5920) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 12
Value: (none)

Executable files: 2
Suspicious files: 0
Text files: 7
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

5920 | WinRAR.exe | C:\Users\admin\Desktop\SynapseLauncher.exe | executable
  MD5: 0048A1911839E7B7999B62094E63CD84
  SHA256: 6527B3540E93FAEBB9AD37ADDBB7CE92DEE8BFA8514458FE953AD191801C27D2
6992 | SynapseLauncher.exe | C:\Users\admin\Desktop\Synapse Z\README.txt | text
  MD5: 68BAC92C91307FDDC9E91F99D4DAC1E5
  SHA256: F65BB9B68043F6130769C01E2844A4C00905401DEE483147D149488BA5332915
5920 | WinRAR.exe | C:\Users\admin\Desctop\Synapse Z\info.cmd | text
  MD5: F630C5E22556DB1310FAEAB5FF373F78
  SHA256: DE78474FD346B5EC79F577B312A252DE8615EC8A1C10FE13A43C979224785106
5920 | WinRAR.exe | C:\Users\admin\Desctop\Synapse Z\SynapseLauncher.exe | executable
  MD5: 0048A1911839E7B7999B62094E63CD84
  SHA256: 6527B3540E93FAEBB9AD37ADDBB7CE92DEE8BFA8514458FE953AD191801C27D2
5920 | WinRAR.exe | C:\Users\admin\Desktop\info.cmd | text
  MD5: F630C5E22556DB1310FAEAB5FF373F78
  SHA256: DE78474FD346B5EC79F577B312A252DE8615EC8A1C10FE13A43C979224785106
5920 | WinRAR.exe | C:\Users\admin\Desktop\redeem.cmd | text
  MD5: 6C7844CEFB607ABAED7207A6234EDA71
  SHA256: FD66F408540D64C25248487C6380430B21672EACE2782D2B3039A2CE1E766AEF
5920 | WinRAR.exe | C:\Users\admin\Desctop\Synapse Z\redeem.cmd | text
  MD5: 6C7844CEFB607ABAED7207A6234EDA71
  SHA256: FD66F408540D64C25248487C6380430B21672EACE2782D2B3039A2CE1E766AEF
5920 | WinRAR.exe | C:\Users\admin\Desctop\Synapse Z\resethwid.cmd | text
  MD5: 01860CB9EF68521CB490DE8492CDDFF7
  SHA256: DBBC8D693171130722551524D75EDB17A31221CECFE28755C2E10D7D0CA8256F
5920 | WinRAR.exe | C:\Users\admin\Desktop\resethwid.cmd | text
  MD5: 01860CB9EF68521CB490DE8492CDDFF7
  SHA256: DBBC8D693171130722551524D75EDB17A31221CECFE28755C2E10D7D0CA8256F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 45
DNS requests: 23
Threats: 4

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns carry no values in this extract; a dash marks a cell the report leaves empty)

— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7092 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7028 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7092 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5068 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6992 | SynapseLauncher.exe | POST | 200 | 5.83.218.158:80 | http://api.synapsez.net/createaccount | unknown | unknown
6992 | SynapseLauncher.exe | POST | 200 | 5.83.218.158:80 | http://api.synapsez.net/auth | unknown | unknown
6552 | SynapseLauncher.exe | POST | 200 | 5.83.218.158:80 | http://api.synapsez.net/auth | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (a dash marks a cell the report leaves empty)

6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | — | — | — | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1248 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4360 | SearchApp.exe | 92.123.104.38:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | — | — | — | whitelisted
7028 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7028 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4360 | SearchApp.exe | 92.123.104.53:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.58
  • 92.123.104.37
  • 92.123.104.35
  • 92.123.104.47
  • 92.123.104.42
  • 92.123.104.51
  • 92.123.104.34
  • 92.123.104.53
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 172.217.23.110
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.4
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.75
whitelisted
th.bing.com
  • 92.123.104.53
  • 92.123.104.63
  • 92.123.104.64
  • 92.123.104.67
  • 92.123.104.54
  • 92.123.104.59
  • 92.123.104.58
  • 92.123.104.66
  • 92.123.104.62
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
No debug info