f0e8ccd2f98ef6f6a4cf2282853e6418a8f3a8873d4eb7d25c5ff20b284d7414

Analysis

max time kernel
639s
max time network
646s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uu.msi
Size

5.9MB
MD5

5a35d1da14c8bddf7fecfaefbf76a1b4
SHA1

536bddcecfec95b7c987fb9e248ba7c7da9b8944
SHA256

9fad7afeb555c95ba4f55ac3238e88eb098c7f9f1ab1796c930c5de54634801e
SHA512

e322b04665d46028c8167ada14c1bae8bd53eed04146f93406d01d4a9bd3a7204ac6e14a4bcb6a2e40b5bcef15f04c18542df084f019f4682461050288da735e
SSDEEP

98304:GAC9AGDm8MytOY9woKC4BDBwWlKylZ/FxCeMxlGV9GZRik9VI5TMwGP2KEgT:w9mzytc/CKDllTllCeue6STzAT

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	996	msiexec.exe
5	996	msiexec.exe
7	996	msiexec.exe
9	996	msiexec.exe
11	996	msiexec.exe
15	1944	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
952	Installer.exe
2032	Syncro.Installer.exe
956	Syncro.Service.Runner.exe
1552	Syncro.App.Runner.exe
1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1880	7za.exe
1876	7za.exe
1824	7za.exe
924	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
2132	Syncro.Overmind.Service.exe
2360	Syncro.Overmind.Service.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyncroLive\ImagePath = "\"C:\\Program Files\\RepairTech\\LiveAgent\\SyncroLive.Service.Runner.exe\" -displayname \"SyncroLive\" -servicename \"SyncroLive\""	SyncroLive.Service.Runner.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyncroOvermind\ImagePath = "\"C:\\ProgramData\\Syncro\\bin\\Syncro.Overmind.Service.exe\" -displayname \"SyncroRecovery\" -servicename \"SyncroOvermind\""	Syncro.Overmind.Service.exe

Loads dropped DLL 9 IoCs

pid	Process
1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1880	SyncroLive.Agent.Runner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Syncro.Installer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Syncro.Installer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Syncro.Service.Runner.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	SyncroLive.Agent.Runner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\System.Spatial.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\de\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\en\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Threading.Tasks.Extensions.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Data.Edm.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\pt-BR\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Agent.Runner.exe	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Service.exe	7za.exe
File created	C:\Program Files\RepairTech\Syncro\packages\Kabuto-1.0.168-full.nupkg	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\CSharpFunctionalExtensions.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\es\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\DeltaCompressionDotNet.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SystemWrapper.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Formatting.Compact.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Telerik.Windows.Controls.Navigation.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\System.Spatial.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.Algorithms.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.Encoding.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.Encoding.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\UrlCombineLib.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hans\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\fr\System.Spatial.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Newtonsoft.Json.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Uninstaller.Tools.exe.config	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Agent.exe.config	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\packages\is-VALSC.tmp	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Newtonsoft.Json.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SharpDX.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\SevenZipSharp.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.X509Certificates.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Service.Runner.exe	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\WebRTC.NET.SDK.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\7za-x86.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Win32.TaskScheduler.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\RollbarSharp.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Newtonsoft.Json.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Newtonsoft.Json.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Runtime.CompilerServices.Unsafe.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\it\System.Spatial.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Cassia.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Microsoft.Data.Edm.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Uninstaller.exe	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Telerik.Windows.Controls.Navigation.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\install.bat	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\unins000.dat	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Mono.Cecil.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Images\custom-logo.png	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Images\kabuto-logo.ico	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Interop.NetFwTypeLib.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Interface.dll.config	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\ICSharpCode.SharpZipLib.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\JetBrains.Annotations.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hans\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Mixpanel.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SharpDX.DXGI.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Destructurama.Attributed.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\de\System.Spatial.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\es\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SystemWrapper.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\UrlCombineLib.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hans\Microsoft.Data.OData.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\6eeafd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6eeafc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6eeafc.msi	msiexec.exe
File created	C:\Windows\Installer\6eeafd.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	Syncro.Installer.exe
File created	C:\Windows\Installer\6eeaff.msi	msiexec.exe
File created	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF598.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1032	sc.exe
1436	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Syncro.Overmind.Service.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Syncro.Service.Runner.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Service.Runner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Service.Runner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Syncro.Overmind.Service.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductName = "Syncro"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductIcon = "C:\\Windows\\Installer\\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\\DefaultIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\PackageName = "uu.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\PackageCode = "778729A429A44874D8D4D102C27F49E9"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Syncro.Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Syncro.Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	msiexec.exe
1944	msiexec.exe
2032	Syncro.Installer.exe
2032	Syncro.Installer.exe
956	Syncro.Service.Runner.exe
956	Syncro.Service.Runner.exe
1552	Syncro.App.Runner.exe
1552	Syncro.App.Runner.exe
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp
956	Syncro.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
956	Syncro.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
956	Syncro.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1880	SyncroLive.Agent.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
1376	SyncroLive.Service.Runner.exe
2360	Syncro.Overmind.Service.exe
2360	Syncro.Overmind.Service.exe
2360	Syncro.Overmind.Service.exe
2360	Syncro.Overmind.Service.exe
1880	SyncroLive.Agent.Runner.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
996	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	996	msiexec.exe
Token: SeIncreaseQuotaPrivilege	996	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeSecurityPrivilege	1944	msiexec.exe
Token: SeCreateTokenPrivilege	996	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	996	msiexec.exe
Token: SeLockMemoryPrivilege	996	msiexec.exe
Token: SeIncreaseQuotaPrivilege	996	msiexec.exe
Token: SeMachineAccountPrivilege	996	msiexec.exe
Token: SeTcbPrivilege	996	msiexec.exe
Token: SeSecurityPrivilege	996	msiexec.exe
Token: SeTakeOwnershipPrivilege	996	msiexec.exe
Token: SeLoadDriverPrivilege	996	msiexec.exe
Token: SeSystemProfilePrivilege	996	msiexec.exe
Token: SeSystemtimePrivilege	996	msiexec.exe
Token: SeProfSingleProcessPrivilege	996	msiexec.exe
Token: SeIncBasePriorityPrivilege	996	msiexec.exe
Token: SeCreatePagefilePrivilege	996	msiexec.exe
Token: SeCreatePermanentPrivilege	996	msiexec.exe
Token: SeBackupPrivilege	996	msiexec.exe
Token: SeRestorePrivilege	996	msiexec.exe
Token: SeShutdownPrivilege	996	msiexec.exe
Token: SeDebugPrivilege	996	msiexec.exe
Token: SeAuditPrivilege	996	msiexec.exe
Token: SeSystemEnvironmentPrivilege	996	msiexec.exe
Token: SeChangeNotifyPrivilege	996	msiexec.exe
Token: SeRemoteShutdownPrivilege	996	msiexec.exe
Token: SeUndockPrivilege	996	msiexec.exe
Token: SeSyncAgentPrivilege	996	msiexec.exe
Token: SeEnableDelegationPrivilege	996	msiexec.exe
Token: SeManageVolumePrivilege	996	msiexec.exe
Token: SeImpersonatePrivilege	996	msiexec.exe
Token: SeCreateGlobalPrivilege	996	msiexec.exe
Token: SeBackupPrivilege	1172	vssvc.exe
Token: SeRestorePrivilege	1172	vssvc.exe
Token: SeAuditPrivilege	1172	vssvc.exe
Token: SeBackupPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	620	DrvInst.exe
Token: SeLoadDriverPrivilege	620	DrvInst.exe
Token: SeLoadDriverPrivilege	620	DrvInst.exe
Token: SeLoadDriverPrivilege	620	DrvInst.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeDebugPrivilege	2032	Syncro.Installer.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe
Token: SeRestorePrivilege	1944	msiexec.exe
Token: SeTakeOwnershipPrivilege	1944	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
996	msiexec.exe
996	msiexec.exe
1552	Syncro.App.Runner.exe
1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 952	1944	msiexec.exe	32
PID 1944 wrote to memory of 952	1944	msiexec.exe	32
PID 1944 wrote to memory of 952	1944	msiexec.exe	32
PID 952 wrote to memory of 2032	952	Installer.exe	33
PID 952 wrote to memory of 2032	952	Installer.exe	33
PID 952 wrote to memory of 2032	952	Installer.exe	33
PID 2032 wrote to memory of 1672	2032	Syncro.Installer.exe	35
PID 2032 wrote to memory of 1672	2032	Syncro.Installer.exe	35
PID 2032 wrote to memory of 1672	2032	Syncro.Installer.exe	35
PID 1672 wrote to memory of 1992	1672	cmd.exe	37
PID 1672 wrote to memory of 1992	1672	cmd.exe	37
PID 1672 wrote to memory of 1992	1672	cmd.exe	37
PID 1672 wrote to memory of 1032	1672	cmd.exe	38
PID 1672 wrote to memory of 1032	1672	cmd.exe	38
PID 1672 wrote to memory of 1032	1672	cmd.exe	38
PID 1672 wrote to memory of 1436	1672	cmd.exe	39
PID 1672 wrote to memory of 1436	1672	cmd.exe	39
PID 1672 wrote to memory of 1436	1672	cmd.exe	39
PID 956 wrote to memory of 1552	956	Syncro.Service.Runner.exe	41
PID 956 wrote to memory of 1552	956	Syncro.Service.Runner.exe	41
PID 956 wrote to memory of 1552	956	Syncro.Service.Runner.exe	41
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 956 wrote to memory of 1224	956	Syncro.Service.Runner.exe	42
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1224 wrote to memory of 1908	1224	tmp7F04.tmp.SyncroLive.Installer-latest.exe	43
PID 1908 wrote to memory of 1880	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	44
PID 1908 wrote to memory of 1880	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	44
PID 1908 wrote to memory of 1880	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	44
PID 1908 wrote to memory of 1880	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	44
PID 1908 wrote to memory of 1876	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	46
PID 1908 wrote to memory of 1876	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	46
PID 1908 wrote to memory of 1876	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	46
PID 1908 wrote to memory of 1876	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	46
PID 1908 wrote to memory of 1824	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	48
PID 1908 wrote to memory of 1824	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	48
PID 1908 wrote to memory of 1824	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	48
PID 1908 wrote to memory of 1824	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	48
PID 1908 wrote to memory of 924	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	50
PID 1908 wrote to memory of 924	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	50
PID 1908 wrote to memory of 924	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	50
PID 1908 wrote to memory of 924	1908	tmp7F04.tmp.SyncroLive.Installer-latest.tmp	50
PID 1376 wrote to memory of 1880	1376	SyncroLive.Service.Runner.exe	52
PID 1376 wrote to memory of 1880	1376	SyncroLive.Service.Runner.exe	52
PID 1376 wrote to memory of 1880	1376	SyncroLive.Service.Runner.exe	52
PID 956 wrote to memory of 2132	956	Syncro.Service.Runner.exe	55
PID 956 wrote to memory of 2132	956	Syncro.Service.Runner.exe	55
PID 956 wrote to memory of 2132	956	Syncro.Service.Runner.exe	55
PID 956 wrote to memory of 2132	956	Syncro.Service.Runner.exe	55

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	SyncroLive.Agent.Runner.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\uu.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --msi --key eEv1rOer1Ms5cK_PMCtd6A --customerid 01006130 --policyid 0 --folderid 02794644
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe" --msi --key eEv1rOer1Ms5cK_PMCtd6A --customerid 01006130 --policyid 0 --folderid 02794644
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c "C:\Program Files\RepairTech\Syncro\install.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe" /ShowCallStack /LogFile=C:\ProgramData/Syncro/logs/ServiceInstall.log "C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\sc.exe
        
        sc failure Syncro reset= 60 actions= restart/5000/restart/10000/restart/60000
        5⤵
        Launches sc.exe
        
        PID:1032
    - - C:\Windows\system32\sc.exe
        
        sc start Syncro
        5⤵
        Launches sc.exe
        
        PID:1436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "00000000000005A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe
"C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe
  "C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1552
- C:\Windows\TEMP\tmp7F04.tmp.SyncroLive.Installer-latest.exe
  "C:\Windows\TEMP\tmp7F04.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\TEMP\is-SMRK3.tmp\tmp7F04.tmp.SyncroLive.Installer-latest.tmp
    "C:\Windows\TEMP\is-SMRK3.tmp\tmp7F04.tmp.SyncroLive.Installer-latest.tmp" /SL5="$80076,13891222,57856,C:\Windows\TEMP\tmp7F04.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\TEMP\is-3ES5R.tmp\7za.exe
      "C:\Windows\TEMP\is-3ES5R.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\" lib\net45\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1880
  - - C:\Windows\TEMP\is-3ES5R.tmp\7za.exe
      "C:\Windows\TEMP\is-3ES5R.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x64" lib\net45\x64\*.* -aoa
      4⤵
      Executes dropped EXE
      PID:1876
  - - C:\Windows\TEMP\is-3ES5R.tmp\7za.exe
      "C:\Windows\TEMP\is-3ES5R.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x86" lib\net45\x86\*.* -aoa
      4⤵
      Executes dropped EXE
      PID:1824
  - - C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
      "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" install start
      4⤵
      Executes dropped EXE
      Sets service image path in registry
      PID:924
- C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
  "C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" install
  2⤵
  - Executes dropped EXE
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2132

C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
"C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" -displayname "SyncroLive" -servicename "SyncroLive"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe
  "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:924

C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
"C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" -displayname "SyncroRecovery" -servicename "SyncroOvermind"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Autofac.dll

Filesize
247KB

MD5
94bce38faf97857d39b9348f43664317

SHA1
8adf558ad484b47a94e199318a4fad70eab0f090

SHA256
0bfa585a98172330547fec4bda0d747afea4b01bc691378dfbef2ae82d110dd4

SHA512
e7ca307423aa8527b379a88f2bcf2cabe34b58d04b2f979ad4ae11867fa6a08984ca5212706f749fcfab5338e0cceefa1dd35bfa8e9921fa40ec8cd0c8caab8d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\CSharpFunctionalExtensions.dll

Filesize
125KB

MD5
841e154928ed4f18c7750a39780d118b

SHA1
f383e8aae69a942ffd0915122f67b0f963d6c119

SHA256
dacbb5f45d70b290bbed42249c06d26cf65440e63f2ac1c8db125e808a693bbf

SHA512
22e68af198233d374e609809666bc8d77f1afc741c1436fcdd321ccd7bae8a52663e7284350211cdc640cd29af550084b52343b79e8584464733200ad74bfdfd

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Destructurama.Attributed.dll

Filesize
15KB

MD5
7eabdc9525bd1814899de66fef6be715

SHA1
04cf3922eb9d39adf9e3acfe7cb5246c5f718c86

SHA256
ac6ef04b83ca3ec163e6998ef4904434bffc0405a793ae5dbb2e800e3984dabb

SHA512
a0b95e6f5212ea7c2cfa52e372143973f72254aeb67fe6032b1db58b840f93ec9da87e565bb696417bb5bd7b6dd9a3a35af461cf51b0651fb2419ead79ccadd0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\FluentCommandLineParser.dll

Filesize
51KB

MD5
de2b96fbe5b4104094389d69afb3ee4e

SHA1
d264d7519a6f4b6a6df6f39a382e352d4a48acdf

SHA256
0118168035446602ef5ca6f5426f8d54975f58613c3898e0b6689d92a35c589f

SHA512
c73a93fcbffdcbfa1b1c5928ab4304eb172710cd4ea3795796edc6e08145078199a4b0208464438d08fc569212fc11778b1d2c86ed7e6ee7e3b86f5321f33b03

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Flurl.Http.dll

Filesize
103KB

MD5
67c42a9cd1262c422f8ea562805f0294

SHA1
23d99f695530cb18bf9009668bb414338c953f60

SHA256
62d4336b23c78955d9e51573935102beadd58bdb19530bb6d650cf39f4d8bc30

SHA512
881cf4f3fb64dd2d1f42146abec7bfddf95a80a131774d7a6196b54197161866bfc09e1b6f16074f96454aecec3a03540b706e2c43df828a7c954e57e282ccca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Flurl.dll

Filesize
35KB

MD5
88d6cef2bd73709f7f35d6cdb63c6b52

SHA1
9ec6e0b10922101af0135d40f2a5fcbb798002a4

SHA256
17714b55721d04c35ebb4898afd9e267e3cb04b25beb8bda9a460c52587955f5

SHA512
c187f53222988c23f45946cfce5e18d32c5ac3af22e65097aafcef0f3ddbc83f3c0acb02a90cf16c5241a0dda5162674ee7bd2627e1da38c13fff22bdf8febf8

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Interop.NetFwTypeLib.dll

Filesize
22KB

MD5
65a6be1f8674bf2489d8e858ee8d7e65

SHA1
46a5a710f2fceb5c4daa7150a4b2517478fff0ae

SHA256
72a5ad582c5e1f754256a5de51ad01602ba23b295172de0efd27137affc44454

SHA512
333d1756b30b802c1ba3a690381238da8d356944ffc4fa1f49d9f97374d476de1989e66613fe97ddf8c6db76c567cd6f4f58651452baafd899d4c4e5c24c922c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\MetroFramework.dll

Filesize
343KB

MD5
d9fc57f451780a9afee72d870b460d4d

SHA1
6554fd655df6efd3f5de4559b915ceeb11a8ef41

SHA256
fd45b9b900e163ab1aa6e703408ea281be3292089d4b45b646e826df02e3c88e

SHA512
1c8b9f67400a43596e289b3c44c27f55da87a88578a336f5933a81f808074bb5c79cd40e9cb706f81eb4d433ff4af1c4f5d02af2a79ed8860d6a1d42eaa338d3

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
5220eefd7753e11b99d73faf39fbb486

SHA1
7d8264be4fcb17f81acb8b1add980cd96a6fd856

SHA256
ed5bc605f7f9fcc382183abef06c354dad946abb42a07631712077b2157d6bc9

SHA512
81e483bd76240543704194c0eb0c8a9e7dc46aa535653e7d5590e00c002b2980237ada793c05c0eedd5d1a92de90055867b21be665ff94fac038e280939c66c1

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Win32.TaskScheduler.dll

Filesize
229KB

MD5
3b64aebb9d2a910b6839b56c84653a9b

SHA1
0fdd9adc8048547cf3328295db2ac291f5c6b81b

SHA256
fcc18b30e67afe2e5e037ec4e2bcbcf1153e0c257dc26dc48084676a87be2486

SHA512
463a3fb2957bdbbf6effa43562e331a24aa49d1c5dbd0509773f5d3ba2830d93a684876c5eea0b744a2fec7d7b70e12c1d1533c671ccf590f53aaaf9252d23f0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Newtonsoft.Json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\NuGet.Squirrel.dll

Filesize
501KB

MD5
60c7dc7ba7d0ae42e2228e5c49bbe162

SHA1
806b0955e67c1243c29b3216dc913c003c3e9321

SHA256
705d9545b33072323ddaf7d26d90c5e18b15754dfcddc04a58afab51368c5559

SHA512
8b25a9b584c9feec1fd04d22300ace5fe74a594bb4edbc5205142b7267d0941e51f419260fdd8a51f7f8cffe4a473cc66afef4dfc296a021840db444c9a4d36b

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Phoenix.dll

Filesize
19KB

MD5
a7c8097f71478a1c6ddd30cd8113ad46

SHA1
ef9a449f64b75b5419b51361a416e70c81d9f7d6

SHA256
374c1350475a34aa369bd80061910476cd22d587a55038853fc976197440162b

SHA512
c2497e90e0cc990b3dff8e0b3e6bbf158d53c862edae3103c054278d2e38499915a575fc7378e869b52ad22f3c6e34450e14071b05eb1202de4930cd76dea2f0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RepairTech.Common.Tools.dll

Filesize
272KB

MD5
796f43a73a63c3e097763f66aa3b8ff7

SHA1
d22210904bfef6092776a47fe6b98c12b6dbe153

SHA256
b8e79e671256b865d8db3ea2cd58b3159bf7b708f3459828278cab928ac5d510

SHA512
26be758076b3b8cce45cbe59d4b03650b144f819c421051de8e22351ce883dceee2f5aed2658d9657a769f34d7e6fcda769d4d6d857bffdce2032466d0585062

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RepairTech.Common.Wpf.dll

Filesize
52KB

MD5
8141f0af4cd425514411660a4d5bd8f5

SHA1
c8d6824e2cf33f68bca5ef371a5901162200bc40

SHA256
343bf1060d5e2f62692178a4daa51b3a6a53e386d2cad2cc0f452050a282b31c

SHA512
c8cea2cf48361792a99cbf8edac0c15e2de88a1e123aa9fe34020f1fe54f22d190277f286b1d90f18831a4f48e281eef417727d52adf55a8a3274a3ea455fb5a

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RestSharp.dll

Filesize
167KB

MD5
b4aaa21288c1d923150c8d88b6ece126

SHA1
6d99e70ab9511aee701ff7068b5792f4194377bf

SHA256
b539f648dab37f211acb38dfcf4c79b488fa3beb5a7edf6740f894d2d1807449

SHA512
0de9227f5d134fc6b7029fb8202beade5e30be1f236e785eaae534cb0e944a98d9adfa2dd1917138994cfcfa2047a45c935f2b4f96944ed3dc017762ab9e08ca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RollbarSharp.dll

Filesize
36KB

MD5
7931fd2a2e06c7a654c9edfe388a8033

SHA1
2fb6de045f81bd56fce6a367dd992efc73ba4405

SHA256
cd722eda12d89b33cc00fa7e967eb6837b8335fada88368a6896d357f4362c15

SHA512
33ff92fa6dbb93b97c739ece89433c7ed34106e91cd76eb2431d0e840338af3dd456c3116b8362de33906eb348ad7eded630e28a98c94536ee8c1f3baf8f6b80

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Formatting.Compact.dll

Filesize
8KB

MD5
fdb7ad01c66a0c96174300167fadd249

SHA1
38b9971de844165f164e37e2d234d16f6022636c

SHA256
2d7dec266c5436f58ab620db4e3b5c83e550e7f76caff26eae8186b14b52cdd6

SHA512
13df8a0ec363dc3a8f80114c64869db6f1233ae250df1bf48260cf62588065200d5a920f7d16d41faac4ddd4b9edd4d3383d1bbdb1849d120a145175d3a74d4a

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.Console.dll

Filesize
31KB

MD5
c48bf7030e583e273e94e2d32b752a83

SHA1
51666bcec96f529b1a28b72db54cc7fcdf68441d

SHA256
ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29

SHA512
475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.File.dll

Filesize
25KB

MD5
6509ca95a38ac29c03379113172cacb7

SHA1
f94b8d751fefcd29d28875e291fd570e103d12d7

SHA256
85ad8530adc1dec3b97f2074c720b81528ba5ea6c7274e1a98a906304bccd12f

SHA512
d8bd0b8998725e2fa361bcb446f48b6105bd603707bf914bb978c63b5c40958bcd2a3fef1f666541793f1d06377f3f2967d1241e445bee6919eb8f84f5a5d7f5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.Literate.dll

Filesize
5KB

MD5
a0ebef9e8cce247cc12310a03b38aa7e

SHA1
22848b43d3b7f99cea7b339e86fcb4c08d7e6e51

SHA256
5e2e204439217c960237a894548680b39d5972fabfa3009538f43530eac23a3e

SHA512
53dc332b0329899883e019a4adbead244c65324fc4654c6c4d8080b3f2cc1953f2d0c61ac3507d00ac85c9cb98d711e127df335e334a3e2b2e70e59e3239d758

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.dll

Filesize
115KB

MD5
fbfbf8c2de7f389105d728037bfcc11f

SHA1
91dd7e807ffcfdc9cb67f5a75d85dcf537475583

SHA256
e7c7528f8a920988862b8c22d0ae4c40df6824332780c1cec41d84fe633b6bed

SHA512
264667b13ff54e8ae24663f6ea11225794946c5db34d440bd68cc90c940c92d1da7faf39dfa551d13a19f5e21c82130662ffab2a2e2ebfb004576d880e9fb369

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Splat.dll

Filesize
45KB

MD5
1975e684c48457d72f37696bb1b880e6

SHA1
eb254b470df9172aa07f13e7280bced746d95e22

SHA256
7a6f255cf59d6594c8f5bc466956f09305a3a10c8d683e485c7e1f14371701c4

SHA512
edb06da485e4dc562c7833ef887172be5ddb4d36a041463dc662ccafaa8fad816306091f774a7463f1538ad1c62ee9433bd12673d943bd885bf2cb38fc633a08

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Squirrel.dll

Filesize
235KB

MD5
f337f9b5615590307732f1e94b8ebcb4

SHA1
30110300fb63a72827aaf1b594f21632594f4c82

SHA256
46a139b49a419e2217bc09700121a08e6e169f654b076866590a9360957a3b34

SHA512
60e057f432488aebb77e584b5deb9535913d1fbd320cd63cd0746d6c7765f1866e3678150c9393e9ce55ab2a7840e0271a5556cc91c7bc0eaf7072283c2d8549

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.App.dll

Filesize
432KB

MD5
fa11417c9172c86dd8d5c08370e132db

SHA1
028e7c09caf1e25673f5774a2d98f58e5b890bc3

SHA256
a79e60e88045051f5290bdd5ab76dae83f78828b850bd11f769ac25e3cb4d9c2

SHA512
ebdda723dd1101cb67a12e402aef9a4a5e1f5918171c3040b3f891092037f039f88ed8a7df42a18dab1e5c269642edd75292b9098b5b7b2fe5512aa789a27481

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.App.dll.config

Filesize
3KB

MD5
29a3fb17a36c73f4c578b948950572f0

SHA1
7fbd63662d4ca33028cc23828849461b6422609a

SHA256
6d3ce7aa37dd56dbfca1770777d414e9683dce6e402f031fc2f7cbb98fdd82c6

SHA512
63ac42a22ebba9ba5bbbe20113ce97889f27d1869ab6334e0871c5a7184354548d0225efb344a7dee8cd545ab13b052e13f207f9b4c2ef7e5eaec33bb90acce6

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Contracts.dll

Filesize
106KB

MD5
1863a5697f2fcac4d590587e97bf36d9

SHA1
b90ef5cf2edb66d1cee0cd5a9be38ac832c69158

SHA256
807f68a74686038c9b91b55393053ac130b6cce3469c63a598111639c1a9cea9

SHA512
7af4847c1db7760d1644eb311a5932bae3da60fc1ba1a701afc3725a5d899026424210e4c497b801be7307684f130351d8fc87b923d4237628d85d02f9f1d363

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.Configuration.dll

Filesize
10KB

MD5
adbb784da491cb2b3e690bb5612e6854

SHA1
240873851b5ff2f612509f80fa94073ca0576357

SHA256
2b939583c11aab90e350cdb533caa719bd57254aff58e7d87fadf0de29fec049

SHA512
50e78fa65c3142239b993e12dd92e368d31a5fbeb87d3601f98da9683c96bcf243c2bc5b7706059f84c9e56c09e0177af8b86d7abb9a661f04bce44de2084d00

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe

Filesize
1007KB

MD5
b58599b0f8dedd76ab622d5eea9497cd

SHA1
436ce0e8022935a61eccb94679e9c19dca781362

SHA256
31c096d1075cbe54ae0274c7828904bee807be2bd8fffcb6257d91e681fa764a

SHA512
58b350ec82cb6f4cb778a860d9d235f561810b917a782dedf8c3b65c930d99bcc6e0d6e04a7108c6d61c598b6cb310daee7f77691e946afc6afa26fdf6ac17a5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe.config

Filesize
4KB

MD5
8d8995a5b322b505d622af6cd2bfdffa

SHA1
56f353b5df27ff2dc98f9fef29bdab086a8a0fda

SHA256
5af11c9ce145d76e865f091da12d3cc70f84e069e790dc54eb2c93b92b84fa8c

SHA512
a8d0e6a67ec700e37b19fde7768bc3d2b8db6d90b96b7e276fad8fb3d851508f718ce0370b06c26cdeb87711b24798925150ec56ed20b48c46a51fe3c8801834

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Tools.dll

Filesize
83KB

MD5
cff50121d9807e654c1074143a015335

SHA1
d1ebb1a9d67e9fe3ed1d78bd6102658dea2df641

SHA256
1d3dd902c2449e5470225175c6793241418ec01c5eb802cecab0b31694ce1253

SHA512
8c99f97bfdc9f71232a4a729991c6736a3246f553dd18c96c459e389dc5240218ab0fa43a96e11b2ffa5f3cdab7d5e884ebc479d2b17485ef66e17657fdb960c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\SystemInterface.dll

Filesize
87KB

MD5
6c19cad7d00cee4e4aae931b79c0cbd2

SHA1
b8e275ee742584b017fe48918d35edfbba97c1b8

SHA256
e9ecc8b5c887b3eb58523d108aa7a74340c5b5270aa3182d5dd1fc363afdbc02

SHA512
c1892e5b45a4c48a342fe869c43e2348c6d21dd14771ee0c4a59ff1eca6b9b77b2742e54106d956e9f7c7c9ea13f9d41b6a2ef1b4f9a036a96e76b9373c58363

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\SystemWrapper.dll

Filesize
174KB

MD5
e5dd264a7dc69d6f9bb85919984955a3

SHA1
4d83ac11160295835f3c8266e9d96f49446e0023

SHA256
122dabfe8a6b37cbbb6b062ca99fc567128037178764b9b0965706938ded6d05

SHA512
640316365ed262bc4725b9c103bfa9754dce44e74b9a18dbd7fe9f413cd8904a7ad9282796eb2b1253f3039c789bb513746f517c37d4ba0057e8cdc375939d20

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\config.json

Filesize
869B

MD5
b8131bcfde5af2f88c7ebe90bbbab965

SHA1
a82ff00ad442d1af4356fcf8729abb3164077be1

SHA256
f22f770c78a63b75d079a2b919938613edf10a1360a05b64e42aeb676e868efb

SHA512
5b1d052dd5e96082d64bd61531b3cd3f48861929e62de2bf7022d9d39e0d02bb08655832538f7fbce241b07755c51d7b1a96ad6ebc46204e24742e011a9ada28

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\en\Syncro.App.resources.dll

Filesize
39KB

MD5
f61cac27413de146d3e70c5d6c4a9e2c

SHA1
16415b8df306ef3ec0a9ff25ec0db435fecf737f

SHA256
d551be97aa15cbb9122a59f33e03a7128e090cbdd94df71ac53fa3e0b357343b

SHA512
550a45b080e6f6d2b815a14039f6e032f52c77e39f6e8e02749989dca5d4c5d44f68ff68c017fca4212e07edb7d4affd4c40cda9548248e32397fc47a316b669

Download Submit
C:\Program Files\RepairTech\Syncro\install.bat

Filesize
639B

MD5
e3eb8d69316f0551bda4908c44d8684e

SHA1
dc8d0350c67f2a9b4a2adec253863273c26aa760

SHA256
8952ea8c7a55898f87d131886cad0ceb966ad4475c701ea6590d906bfc6dc0af

SHA512
b276ab4113ff39c715b840d84916c49319d03b8458dea0bc9c1f23f87a331dac1975e5c596c088cbdf44c50e5a9bc54ddfdbb5fe9363f7496ce242dab3f37865

Download Submit
C:\ProgramData\Syncro\Images\logo.ico

Filesize
14KB

MD5
940cfaf4c3be79e182f60375900fc2b3

SHA1
4c476f0b6eeb7a99912b1a5b2a7ee43c96d40baa

SHA256
97dda1267bb780b5c073d57367fc3590548fab97b9d90ee86d5a55dffd5847e9

SHA512
774e2f1bd38a1145ad7758964276a74c3f8c7deb6932c5203a4c19050d3f4cf38ee71d6ac645c4a55ba3559ea031623267ea5ccd9fbf26a758234203d1590b90

Download Submit
C:\ProgramData\Syncro\logs\20221012-Syncro.Installer.log

Filesize
6KB

MD5
9f5021dd0c4322a44034376a8d5e2d5f

SHA1
e5a674883180ee60cec6b4d4bc85f1751dfcaae0

SHA256
5cfe99ca0a4f9c8743d258a42e412087e7b03a00f9b1a5a442a2c4d7d7fae1b2

SHA512
9bb1a06cb43f3c088022d9ca6bf2d663b684ca0861e33f068656be5cbc701a7e0cc3c06dfdd22e9eefd649c0cb9b8f656b5769869d4983ae66f786d75dbf1bc3

Download Submit
C:\ProgramData\Syncro\logs\MasterInstaller.log

Filesize
1KB

MD5
23fbe43f911eb78fb8aa7eac430fd7e3

SHA1
f790a736c361ebf106a815de7f8a9bf2bed9538a

SHA256
9c16d3d4dac33f2ed8a163ecebc5562a15f8277506d3a3a01d7e1b3584a7b062

SHA512
547dedfdc2491ec72bd06b24f03d03a71ccc509893d3807e3811a27859e9672b0a0dac8dc106b14645a460aa117649381661cba12df9da0558af5522f3a423a1

Download Submit
C:\ProgramData\Syncro\logs\ServiceInstall.log

Filesize
1KB

MD5
5be5998b9b6bdae1128e45955f106f79

SHA1
2383b5d93f47be54fe89f6184cb764bb756156f2

SHA256
f10d0f36784db77a8b3c39ca688d36678fdc332cc74636f463d8d4a2fe267a09

SHA512
0fd4853fbee83fcde004c904653396b510ca840ac2b2c276497c247d718b1679ca50a7d5a84e54e74e6bfec01882a99ca3c83b9a1b00f0cf085c3025b6e665c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
67bf17af0d82abb981966a27b2af95cc

SHA1
023ec55468a49253e7c945c9acbd87f757fe72e3

SHA256
65146c52225a28f5187407a4bac6e01c28088204ce16172608ea50c3743e6e1d

SHA512
0650881dabbcb21a0c6007ac748ab9f456aab2f10a11cdb21b83d13de7b5ca374eb33c2e6e4f213f83542d4edb6c37bdc9dbe4ab498a920f2f8c30a6d569f233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0698dbc93ba7b6bef73ba316695f8317

SHA1
a444078ff1eb7c88f52cb4e324365926b491ed47

SHA256
263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c

SHA512
ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
510B

MD5
70d35e9b1604fa420674e4fbba8ff9df

SHA1
25b78f58f2271d3a4876829d1f099105e968747a

SHA256
ef40d5a8c1e166b09860db7c4f4917bc8b368c56efb875f0934c082a06af3b8c

SHA512
47a56593b20d33671414bc70166b0c5b2d4542950a55b7204067543c845511ff9b545528e045413fc5287f27c48055ea182a262e30989ca93039c66ca2fbd40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
1d37935590aabf8989bd7a6f2ff5996d

SHA1
a7d82384307bbe5c934e36347dc727187a16da7b

SHA256
5f2b539deee87bd42c3b1b1676ed3840dc7971b55e37e33ae8351f353e5d41a6

SHA512
aff19c23f76341ae53b17a3715f0a4c6f0b22828eca4536500198c6500035a961748fd9b0373ab089448ba18c813d47166c9fd9bd591e60d8ae3a6e727f0a6bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0df14af046b73f1b242f0e939b42e037

SHA1
d04b9b3ad74001bd5921d74b52ec3efc15c5d925

SHA256
9037890b79103ce006e51698e730ab5cfbea4748cb63fc0d092f906eb78f86d5

SHA512
e517d328e338a103fe7059b4fd7ab1058a0c288a0cfb3e0801cc100dae83c354312929bf6f0f352e28b65ea62ee351497034ccc8a18295d90d45ba1c195f79cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
234ebdb5ab2b13b23ae5b1a434419094

SHA1
00a4611f1ff242784ae376c4578d9384c7c2ea6a

SHA256
9901e2ee3814af3895ab56bd9596e93085fcc739d95100710ddc7f842b28a4ae

SHA512
ab27ee64035352c2ab8d7654affaaeacdfc3704f4411825c83e7930efd4da5d76af15fdd11bcc8459ab59f672b25df3a44a21321318e1fb1f4d28618e1c37fc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
480B

MD5
ee688bd648f147add5960d9fb21b2597

SHA1
85b6426f073bc3bda0d86eb521ae0d4cd074c1cc

SHA256
e43c1b4c52cb6f6983c9475252c935b540bcec33ea91fce16cb941a531b691f9

SHA512
8be28bbabbd2213ab895528df02c0a5c273594593fc25b7469a87f8324db8fe521fd71d78f81b74f38aa621b2d187b3c759eb1d5f8ac63c20eb453a7f186f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Windows\Temp\tmp7F04.tmp.SyncroLive.Installer-latest.exe

Filesize
13.5MB

MD5
6ee357d6ff97bd054f2f8d6c1e72f0e7

SHA1
d01ceb73738cf0e2c86463f86292c38e4873c524

SHA256
ad3ebf1789063615ef35ae5583d9641765670fed1ac57659e2d1010f54109f24

SHA512
2b458237b74143e732fbc4740b0437d058966845c2fc4f9f64a4932a98cd6f44e63aedad3ad17aca3f6fc01ccc0b400747b406c38c4595cd22d883cb8aca28f0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f707abbe022a29b924ba5e7cfae39319

SHA1
ca2e046ac874ef6259b926e13d23e7b997e81556

SHA256
1624c6cf057b87400f8fa2488b98f1c5e46d1f25197f29e0fcdcd692d37db2fc

SHA512
08a6792c94e9c8983a4cf6c5703ec22a249f40fcb9d8a38d06c60efe81520efc71b22262b17a99c22d8d079a39a6bb73e6575a49d69f06d79473b481e241cbfc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
31cd8024940143f0f6cb71791bfc01ee

SHA1
df5b97df21d5068dda28b8807d6d5a91f1f820f5

SHA256
f2aafb404cc48c3c4f77a38385d8147528a88d620525babcbf3f37ef0490e65c

SHA512
2b32d592cfc73b38b9abebd92c4f96ea70ac39c6c1156c1bd80a7ce059edd6f06ede16c337c37c80580a5519c7e9743ba32580a87768105a9dd49d83094af680

Download Submit
memory/952-68-0x0000000000340000-0x0000000000A60000-memory.dmp

Filesize
7.1MB

Download
memory/956-163-0x0000000019F20000-0x0000000019F62000-memory.dmp

Filesize
264KB

Download
memory/956-149-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/956-123-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download
memory/956-131-0x0000000000DC0000-0x0000000000DDC000-memory.dmp

Filesize
112KB

Download
memory/956-125-0x0000000000D70000-0x0000000000D96000-memory.dmp

Filesize
152KB

Download
memory/956-127-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

Filesize
112KB

Download
memory/956-121-0x0000000000D00000-0x0000000000D4A000-memory.dmp

Filesize
296KB

Download
memory/956-118-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/956-116-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/956-119-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/956-114-0x0000000000AA0000-0x0000000000AE4000-memory.dmp

Filesize
272KB

Download
memory/956-133-0x0000000019780000-0x00000000197C0000-memory.dmp

Filesize
256KB

Download
memory/956-135-0x0000000019BA0000-0x0000000019BC4000-memory.dmp

Filesize
144KB

Download
memory/956-137-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/956-112-0x0000000019CA0000-0x0000000019DA0000-memory.dmp

Filesize
1024KB

Download
memory/956-139-0x0000000019BD0000-0x0000000019C7A000-memory.dmp

Filesize
680KB

Download
memory/956-110-0x0000000000F20000-0x0000000000F2E000-memory.dmp

Filesize
56KB

Download
memory/956-170-0x0000000019DE0000-0x0000000019DE8000-memory.dmp

Filesize
32KB

Download
memory/956-169-0x000000001A820000-0x000000001A8A4000-memory.dmp

Filesize
528KB

Download
memory/956-142-0x0000000019C80000-0x0000000019C94000-memory.dmp

Filesize
80KB

Download
memory/956-167-0x000000001A010000-0x000000001A030000-memory.dmp

Filesize
128KB

Download
memory/956-165-0x0000000019FF0000-0x000000001A002000-memory.dmp

Filesize
72KB

Download
memory/956-144-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/956-151-0x0000000019DA0000-0x0000000019DA8000-memory.dmp

Filesize
32KB

Download
memory/956-161-0x0000000019DD0000-0x0000000019DDC000-memory.dmp

Filesize
48KB

Download
memory/956-129-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

Filesize
200KB

Download
memory/956-159-0x0000000019EF0000-0x0000000019F20000-memory.dmp

Filesize
192KB

Download
memory/956-147-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/956-157-0x0000000019DB0000-0x0000000019DC0000-memory.dmp

Filesize
64KB

Download
memory/956-155-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/956-145-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/956-154-0x0000000019DC0000-0x0000000019DCE000-memory.dmp

Filesize
56KB

Download
memory/956-153-0x0000000019DC0000-0x0000000019DCE000-memory.dmp

Filesize
56KB

Download
memory/996-54-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/1224-205-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1224-206-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1908-211-0x0000000074A91000-0x0000000074A93000-memory.dmp

Filesize
8KB

Download
memory/1992-104-0x000000013F650000-0x000000013F65A000-memory.dmp

Filesize
40KB

Download
memory/1992-106-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/2032-96-0x000000001B990000-0x000000001B998000-memory.dmp

Filesize
32KB

Download
memory/2032-90-0x000000001B3B0000-0x000000001B3C4000-memory.dmp

Filesize
80KB

Download
memory/2032-89-0x000000001B720000-0x000000001B740000-memory.dmp

Filesize
128KB

Download
memory/2032-88-0x000000001B300000-0x000000001B3AA000-memory.dmp

Filesize
680KB

Download
memory/2032-87-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

Filesize
48KB

Download
memory/2032-86-0x000000001B2D0000-0x000000001B2D8000-memory.dmp

Filesize
32KB

Download
memory/2032-85-0x000000001B2E0000-0x000000001B2EE000-memory.dmp

Filesize
56KB

Download
memory/2032-84-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/2032-83-0x000000001B2B0000-0x000000001B2B8000-memory.dmp

Filesize
32KB

Download
memory/2032-82-0x0000000002720000-0x000000000272A000-memory.dmp

Filesize
40KB

Download
memory/2032-81-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2032-80-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2032-79-0x000000001B280000-0x000000001B2A0000-memory.dmp

Filesize
128KB

Download
memory/2032-78-0x000000001AE90000-0x000000001AEAA000-memory.dmp

Filesize
104KB

Download
memory/2032-77-0x00000000008C0000-0x00000000008E4000-memory.dmp

Filesize
144KB

Download
memory/2032-76-0x00000000026D0000-0x0000000002724000-memory.dmp

Filesize
336KB

Download
memory/2032-75-0x0000000002570000-0x00000000025CC000-memory.dmp

Filesize
368KB

Download
memory/2032-74-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/2032-91-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/2032-73-0x0000000000A60000-0x0000000001168000-memory.dmp

Filesize
7.0MB

Download
memory/2032-92-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/2032-93-0x000000001D2F0000-0x000000001D3EA000-memory.dmp

Filesize
1000KB

Download
memory/2032-94-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/2032-95-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

Filesize
32KB

Download
memory/2032-97-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

Filesize
32KB

Download
memory/2032-98-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

Filesize
32KB

Download
memory/2032-99-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/2032-100-0x000000001B9D0000-0x000000001B9EA000-memory.dmp

Filesize
104KB

Download