653046fa62d3c9325dbff5cb7961965a8bf5f96fa4e815b494c8d3e165b9c94a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2022, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

653046fa62d3c9325dbff5cb7961965a8bf5f96fa4e815b494c8d3e165b9c94a.msi
Size

5.9MB
MD5

0873ce3db84b79da935f71df3d6c8e6d
SHA1

b7c4d32a1efa003742994253712593406480e68a
SHA256

653046fa62d3c9325dbff5cb7961965a8bf5f96fa4e815b494c8d3e165b9c94a
SHA512

26ca9c40a92442f56e52ef10310b3f9bf822560bf647e56f2fd86e45cee9f8e6683fddff8ffedf8397ada94b260a3f14ecfdc9c78550bf31f4169d3f555fcca3
SSDEEP

98304:GAC9AGDm8MytOY9woKC4BDBwWlKylZ/FxCeMxlGV9GZRik9VI5TMwGP2KEhT:w9mzytc/CKDllTllCeue6STzBT

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	4012	msiexec.exe
6	4012	msiexec.exe
8	4012	msiexec.exe
10	4012	msiexec.exe
12	4012	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4816	Installer.exe
1736	Syncro.Installer.exe
4756	Syncro.Service.Runner.exe
972	Syncro.App.Runner.exe
3920	tmpBDC3.tmp.SyncroLive.Installer-latest.exe
2056	Syncro.Overmind.Service.exe
4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
4204	Syncro.Overmind.Service.exe
3916	7za.exe
2184	7za.exe
4888	7za.exe
720	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
4376	SyncroLive.Agent.Runner.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SyncroOvermind\ImagePath = "\"C:\\ProgramData\\Syncro\\bin\\Syncro.Overmind.Service.exe\" -displayname \"SyncroRecovery\" -servicename \"SyncroOvermind\""	Syncro.Overmind.Service.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SyncroLive\ImagePath = "\"C:\\Program Files\\RepairTech\\LiveAgent\\SyncroLive.Service.Runner.exe\" -displayname \"SyncroLive\" -servicename \"SyncroLive\""	SyncroLive.Service.Runner.exe

Loads dropped DLL 1 IoCs

pid	Process
4376	SyncroLive.Agent.Runner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Syncro.Service.Runner.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	Syncro.Overmind.Service.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SyncroLive.Service.Runner.exe.log	SyncroLive.Service.Runner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Syncro.Overmind.Service.exe.log	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	Syncro.Overmind.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.Encoding.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.X509Certificates.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.Sinks.RollingFile.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\7za-x86.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\DeltaCompressionDotNet.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\JetBrains.Annotations.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SystemWrapper.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.Sinks.Console.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.Sinks.Literate.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\SharpCompress.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Telerik.Windows.Controls.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Bcl.AsyncInterfaces.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Data.Services.Client.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\SevenZipSharp.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\SevenZipSharp.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Security.Cryptography.X509Certificates.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hans\Microsoft.Data.OData.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\en\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\fr\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Mixpanel.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SharpDX.Direct3D11.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.Spatial.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\zh-Hant\System.Spatial.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Cassia.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\ko\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Bcl.AsyncInterfaces.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\RepairTech.Common.Tools.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Formatting.Compact.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\sl-SI\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.App.dll.config	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Interop.IWshRuntimeLibrary.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\ja\Microsoft.Data.OData.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Telerik.Windows.Controls.Navigation.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Microsoft.Data.OData.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.Sinks.File.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Service.exe	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x86\WebRTC.Native.Internal.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.Configuration.dll.config	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\ko\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\MetroFramework.Fonts.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Interop.NetFwTypeLib.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Microsoft.Data.Services.Client.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Squirrel.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\es-ES\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\it-IT\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.ValueTuple.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x64\turbojpeg.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Interface.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.Runtime.CompilerServices.Unsafe.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\ko\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Mono.Cecil.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\ru\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\es\Microsoft.Data.OData.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\ICSharpCode.SharpZipLib.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\pt-BR\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\Squirrel.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Interop.NetFwTypeLib.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\ja\Microsoft.Data.OData.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.168\MetroFramework.Fonts.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.168\RollbarSharp.dll	Syncro.Installer.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e571000.msi	msiexec.exe
File created	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\e570ffe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570ffe.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI128E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3644	sc.exe
1948	sc.exe
1204	sc.exe
1888	sc.exe
388	sc.exe
760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Overmind.Service.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5bc905d40563297d120ed7cb16bd015504dfbd4cdd0e42e61aae0e29c9ac3028	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SyncroLive.Service.Runner.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Service.Runner.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	InstallUtil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Syncro.Service.Runner.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Syncro.Service.Runner.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Syncro.Overmind.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Syncro.Overmind.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	Syncro.Service.Runner.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Syncro.Overmind.Service.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\PackageCode = "778729A429A44874D8D4D102C27F49E9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductIcon = "C:\\Windows\\Installer\\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductName = "Syncro"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\PackageName = "653046fa62d3c9325dbff5cb7961965a8bf5f96fa4e815b494c8d3e165b9c94a.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	msiexec.exe
1588	msiexec.exe
1736	Syncro.Installer.exe
1736	Syncro.Installer.exe
1736	Syncro.Installer.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
972	Syncro.App.Runner.exe
972	Syncro.App.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4756	Syncro.Service.Runner.exe
4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
4204	Syncro.Overmind.Service.exe
4204	Syncro.Overmind.Service.exe
4204	Syncro.Overmind.Service.exe
4204	Syncro.Overmind.Service.exe
4204	Syncro.Overmind.Service.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
4376	SyncroLive.Agent.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
908	SyncroLive.Service.Runner.exe
4376	SyncroLive.Agent.Runner.exe
4376	SyncroLive.Agent.Runner.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4012	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeCreateTokenPrivilege	4012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4012	msiexec.exe
Token: SeLockMemoryPrivilege	4012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4012	msiexec.exe
Token: SeMachineAccountPrivilege	4012	msiexec.exe
Token: SeTcbPrivilege	4012	msiexec.exe
Token: SeSecurityPrivilege	4012	msiexec.exe
Token: SeTakeOwnershipPrivilege	4012	msiexec.exe
Token: SeLoadDriverPrivilege	4012	msiexec.exe
Token: SeSystemProfilePrivilege	4012	msiexec.exe
Token: SeSystemtimePrivilege	4012	msiexec.exe
Token: SeProfSingleProcessPrivilege	4012	msiexec.exe
Token: SeIncBasePriorityPrivilege	4012	msiexec.exe
Token: SeCreatePagefilePrivilege	4012	msiexec.exe
Token: SeCreatePermanentPrivilege	4012	msiexec.exe
Token: SeBackupPrivilege	4012	msiexec.exe
Token: SeRestorePrivilege	4012	msiexec.exe
Token: SeShutdownPrivilege	4012	msiexec.exe
Token: SeDebugPrivilege	4012	msiexec.exe
Token: SeAuditPrivilege	4012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4012	msiexec.exe
Token: SeChangeNotifyPrivilege	4012	msiexec.exe
Token: SeRemoteShutdownPrivilege	4012	msiexec.exe
Token: SeUndockPrivilege	4012	msiexec.exe
Token: SeSyncAgentPrivilege	4012	msiexec.exe
Token: SeEnableDelegationPrivilege	4012	msiexec.exe
Token: SeManageVolumePrivilege	4012	msiexec.exe
Token: SeImpersonatePrivilege	4012	msiexec.exe
Token: SeCreateGlobalPrivilege	4012	msiexec.exe
Token: SeBackupPrivilege	3460	vssvc.exe
Token: SeRestorePrivilege	3460	vssvc.exe
Token: SeAuditPrivilege	3460	vssvc.exe
Token: SeBackupPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeDebugPrivilege	1736	Syncro.Installer.exe
Token: SeBackupPrivilege	1328	srtasks.exe
Token: SeRestorePrivilege	1328	srtasks.exe
Token: SeSecurityPrivilege	1328	srtasks.exe
Token: SeTakeOwnershipPrivilege	1328	srtasks.exe
Token: SeBackupPrivilege	1328	srtasks.exe
Token: SeRestorePrivilege	1328	srtasks.exe
Token: SeSecurityPrivilege	1328	srtasks.exe
Token: SeTakeOwnershipPrivilege	1328	srtasks.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4012	msiexec.exe
4012	msiexec.exe
972	Syncro.App.Runner.exe
4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1328	1588	msiexec.exe	94
PID 1588 wrote to memory of 1328	1588	msiexec.exe	94
PID 1588 wrote to memory of 4816	1588	msiexec.exe	96
PID 1588 wrote to memory of 4816	1588	msiexec.exe	96
PID 4816 wrote to memory of 1736	4816	Installer.exe	97
PID 4816 wrote to memory of 1736	4816	Installer.exe	97
PID 1736 wrote to memory of 1372	1736	Syncro.Installer.exe	99
PID 1736 wrote to memory of 1372	1736	Syncro.Installer.exe	99
PID 1372 wrote to memory of 360	1372	cmd.exe	101
PID 1372 wrote to memory of 360	1372	cmd.exe	101
PID 1372 wrote to memory of 1888	1372	cmd.exe	102
PID 1372 wrote to memory of 1888	1372	cmd.exe	102
PID 1372 wrote to memory of 388	1372	cmd.exe	103
PID 1372 wrote to memory of 388	1372	cmd.exe	103
PID 4756 wrote to memory of 972	4756	Syncro.Service.Runner.exe	105
PID 4756 wrote to memory of 972	4756	Syncro.Service.Runner.exe	105
PID 4756 wrote to memory of 3920	4756	Syncro.Service.Runner.exe	107
PID 4756 wrote to memory of 3920	4756	Syncro.Service.Runner.exe	107
PID 4756 wrote to memory of 3920	4756	Syncro.Service.Runner.exe	107
PID 4756 wrote to memory of 2056	4756	Syncro.Service.Runner.exe	108
PID 4756 wrote to memory of 2056	4756	Syncro.Service.Runner.exe	108
PID 4756 wrote to memory of 2056	4756	Syncro.Service.Runner.exe	108
PID 3920 wrote to memory of 4548	3920	tmpBDC3.tmp.SyncroLive.Installer-latest.exe	110
PID 3920 wrote to memory of 4548	3920	tmpBDC3.tmp.SyncroLive.Installer-latest.exe	110
PID 3920 wrote to memory of 4548	3920	tmpBDC3.tmp.SyncroLive.Installer-latest.exe	110
PID 4548 wrote to memory of 3916	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	112
PID 4548 wrote to memory of 3916	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	112
PID 4548 wrote to memory of 3916	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	112
PID 4548 wrote to memory of 2184	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	114
PID 4548 wrote to memory of 2184	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	114
PID 4548 wrote to memory of 2184	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	114
PID 4548 wrote to memory of 4888	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	116
PID 4548 wrote to memory of 4888	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	116
PID 4548 wrote to memory of 4888	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	116
PID 4548 wrote to memory of 720	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	118
PID 4548 wrote to memory of 720	4548	tmpBDC3.tmp.SyncroLive.Installer-latest.tmp	118
PID 908 wrote to memory of 4376	908	SyncroLive.Service.Runner.exe	120
PID 908 wrote to memory of 4376	908	SyncroLive.Service.Runner.exe	120
PID 4756 wrote to memory of 760	4756	Syncro.Service.Runner.exe	124
PID 4756 wrote to memory of 760	4756	Syncro.Service.Runner.exe	124
PID 4756 wrote to memory of 3644	4756	Syncro.Service.Runner.exe	126
PID 4756 wrote to memory of 3644	4756	Syncro.Service.Runner.exe	126
PID 4756 wrote to memory of 1948	4756	Syncro.Service.Runner.exe	128
PID 4756 wrote to memory of 1948	4756	Syncro.Service.Runner.exe	128
PID 4756 wrote to memory of 1204	4756	Syncro.Service.Runner.exe	130
PID 4756 wrote to memory of 1204	4756	Syncro.Service.Runner.exe	130

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	SyncroLive.Agent.Runner.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\653046fa62d3c9325dbff5cb7961965a8bf5f96fa4e815b494c8d3e165b9c94a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --msi --key 3jjNXsu0hrOCdquJ9Oa0fQ --customerid 01009865 --policyid 0 --folderid 02804548
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe" --msi --key 3jjNXsu0hrOCdquJ9Oa0fQ --customerid 01009865 --policyid 0 --folderid 02804548
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "C:\Program Files\RepairTech\Syncro\install.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe" /ShowCallStack /LogFile=C:\ProgramData/Syncro/logs/ServiceInstall.log "C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
        5⤵
        Modifies data under HKEY_USERS
        
        PID:360
    - - C:\Windows\system32\sc.exe
        
        sc failure Syncro reset= 60 actions= restart/5000/restart/10000/restart/60000
        5⤵
        Launches sc.exe
        
        PID:1888
    - - C:\Windows\system32\sc.exe
        
        sc start Syncro
        5⤵
        Launches sc.exe
        
        PID:388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe
"C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe
  "C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:972
- C:\Windows\TEMP\tmpBDC3.tmp.SyncroLive.Installer-latest.exe
  "C:\Windows\TEMP\tmpBDC3.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\TEMP\is-O6AJ1.tmp\tmpBDC3.tmp.SyncroLive.Installer-latest.tmp
    "C:\Windows\TEMP\is-O6AJ1.tmp\tmpBDC3.tmp.SyncroLive.Installer-latest.tmp" /SL5="$A0044,13891222,57856,C:\Windows\TEMP\tmpBDC3.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\TEMP\is-ST94E.tmp\7za.exe
      "C:\Windows\TEMP\is-ST94E.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\" lib\net45\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3916
  - - C:\Windows\TEMP\is-ST94E.tmp\7za.exe
      "C:\Windows\TEMP\is-ST94E.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x64" lib\net45\x64\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2184
  - - C:\Windows\TEMP\is-ST94E.tmp\7za.exe
      "C:\Windows\TEMP\is-ST94E.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x86" lib\net45\x86\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4888
  - - C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
      "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" install start
      4⤵
      Executes dropped EXE
      Sets service image path in registry
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:720
- C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
  "C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" install
  2⤵
  - Executes dropped EXE
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\system32\sc.exe
  "sc" config SyncroOvermind DisplayName= "SyncroRecovery"
  2⤵
  - Launches sc.exe
  PID:760
- C:\Windows\system32\sc.exe
  "sc" description SyncroOvermind "Syncro recovery service"
  2⤵
  - Launches sc.exe
  PID:3644
- C:\Windows\system32\sc.exe
  "sc" config SyncroOvermind DisplayName= "SyncroRecovery"
  2⤵
  - Launches sc.exe
  PID:1948
- C:\Windows\system32\sc.exe
  "sc" description SyncroOvermind "Syncro recovery service"
  2⤵
  - Launches sc.exe
  PID:1204

C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
"C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" -displayname "SyncroRecovery" -servicename "SyncroOvermind"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
"C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" -displayname "SyncroLive" -servicename "SyncroLive"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908
- C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe
  "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:4376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Autofac.dll

Filesize
247KB

MD5
94bce38faf97857d39b9348f43664317

SHA1
8adf558ad484b47a94e199318a4fad70eab0f090

SHA256
0bfa585a98172330547fec4bda0d747afea4b01bc691378dfbef2ae82d110dd4

SHA512
e7ca307423aa8527b379a88f2bcf2cabe34b58d04b2f979ad4ae11867fa6a08984ca5212706f749fcfab5338e0cceefa1dd35bfa8e9921fa40ec8cd0c8caab8d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\CSharpFunctionalExtensions.dll

Filesize
125KB

MD5
841e154928ed4f18c7750a39780d118b

SHA1
f383e8aae69a942ffd0915122f67b0f963d6c119

SHA256
dacbb5f45d70b290bbed42249c06d26cf65440e63f2ac1c8db125e808a693bbf

SHA512
22e68af198233d374e609809666bc8d77f1afc741c1436fcdd321ccd7bae8a52663e7284350211cdc640cd29af550084b52343b79e8584464733200ad74bfdfd

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Destructurama.Attributed.dll

Filesize
15KB

MD5
7eabdc9525bd1814899de66fef6be715

SHA1
04cf3922eb9d39adf9e3acfe7cb5246c5f718c86

SHA256
ac6ef04b83ca3ec163e6998ef4904434bffc0405a793ae5dbb2e800e3984dabb

SHA512
a0b95e6f5212ea7c2cfa52e372143973f72254aeb67fe6032b1db58b840f93ec9da87e565bb696417bb5bd7b6dd9a3a35af461cf51b0651fb2419ead79ccadd0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\FluentCommandLineParser.dll

Filesize
51KB

MD5
de2b96fbe5b4104094389d69afb3ee4e

SHA1
d264d7519a6f4b6a6df6f39a382e352d4a48acdf

SHA256
0118168035446602ef5ca6f5426f8d54975f58613c3898e0b6689d92a35c589f

SHA512
c73a93fcbffdcbfa1b1c5928ab4304eb172710cd4ea3795796edc6e08145078199a4b0208464438d08fc569212fc11778b1d2c86ed7e6ee7e3b86f5321f33b03

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Flurl.Http.dll

Filesize
103KB

MD5
67c42a9cd1262c422f8ea562805f0294

SHA1
23d99f695530cb18bf9009668bb414338c953f60

SHA256
62d4336b23c78955d9e51573935102beadd58bdb19530bb6d650cf39f4d8bc30

SHA512
881cf4f3fb64dd2d1f42146abec7bfddf95a80a131774d7a6196b54197161866bfc09e1b6f16074f96454aecec3a03540b706e2c43df828a7c954e57e282ccca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Flurl.dll

Filesize
35KB

MD5
88d6cef2bd73709f7f35d6cdb63c6b52

SHA1
9ec6e0b10922101af0135d40f2a5fcbb798002a4

SHA256
17714b55721d04c35ebb4898afd9e267e3cb04b25beb8bda9a460c52587955f5

SHA512
c187f53222988c23f45946cfce5e18d32c5ac3af22e65097aafcef0f3ddbc83f3c0acb02a90cf16c5241a0dda5162674ee7bd2627e1da38c13fff22bdf8febf8

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Interop.NetFwTypeLib.dll

Filesize
22KB

MD5
65a6be1f8674bf2489d8e858ee8d7e65

SHA1
46a5a710f2fceb5c4daa7150a4b2517478fff0ae

SHA256
72a5ad582c5e1f754256a5de51ad01602ba23b295172de0efd27137affc44454

SHA512
333d1756b30b802c1ba3a690381238da8d356944ffc4fa1f49d9f97374d476de1989e66613fe97ddf8c6db76c567cd6f4f58651452baafd899d4c4e5c24c922c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\MetroFramework.dll

Filesize
343KB

MD5
d9fc57f451780a9afee72d870b460d4d

SHA1
6554fd655df6efd3f5de4559b915ceeb11a8ef41

SHA256
fd45b9b900e163ab1aa6e703408ea281be3292089d4b45b646e826df02e3c88e

SHA512
1c8b9f67400a43596e289b3c44c27f55da87a88578a336f5933a81f808074bb5c79cd40e9cb706f81eb4d433ff4af1c4f5d02af2a79ed8860d6a1d42eaa338d3

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
5220eefd7753e11b99d73faf39fbb486

SHA1
7d8264be4fcb17f81acb8b1add980cd96a6fd856

SHA256
ed5bc605f7f9fcc382183abef06c354dad946abb42a07631712077b2157d6bc9

SHA512
81e483bd76240543704194c0eb0c8a9e7dc46aa535653e7d5590e00c002b2980237ada793c05c0eedd5d1a92de90055867b21be665ff94fac038e280939c66c1

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Microsoft.Win32.TaskScheduler.dll

Filesize
229KB

MD5
3b64aebb9d2a910b6839b56c84653a9b

SHA1
0fdd9adc8048547cf3328295db2ac291f5c6b81b

SHA256
fcc18b30e67afe2e5e037ec4e2bcbcf1153e0c257dc26dc48084676a87be2486

SHA512
463a3fb2957bdbbf6effa43562e331a24aa49d1c5dbd0509773f5d3ba2830d93a684876c5eea0b744a2fec7d7b70e12c1d1533c671ccf590f53aaaf9252d23f0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Newtonsoft.Json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\NuGet.Squirrel.dll

Filesize
501KB

MD5
60c7dc7ba7d0ae42e2228e5c49bbe162

SHA1
806b0955e67c1243c29b3216dc913c003c3e9321

SHA256
705d9545b33072323ddaf7d26d90c5e18b15754dfcddc04a58afab51368c5559

SHA512
8b25a9b584c9feec1fd04d22300ace5fe74a594bb4edbc5205142b7267d0941e51f419260fdd8a51f7f8cffe4a473cc66afef4dfc296a021840db444c9a4d36b

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Phoenix.dll

Filesize
19KB

MD5
a7c8097f71478a1c6ddd30cd8113ad46

SHA1
ef9a449f64b75b5419b51361a416e70c81d9f7d6

SHA256
374c1350475a34aa369bd80061910476cd22d587a55038853fc976197440162b

SHA512
c2497e90e0cc990b3dff8e0b3e6bbf158d53c862edae3103c054278d2e38499915a575fc7378e869b52ad22f3c6e34450e14071b05eb1202de4930cd76dea2f0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RepairTech.Common.Tools.dll

Filesize
272KB

MD5
796f43a73a63c3e097763f66aa3b8ff7

SHA1
d22210904bfef6092776a47fe6b98c12b6dbe153

SHA256
b8e79e671256b865d8db3ea2cd58b3159bf7b708f3459828278cab928ac5d510

SHA512
26be758076b3b8cce45cbe59d4b03650b144f819c421051de8e22351ce883dceee2f5aed2658d9657a769f34d7e6fcda769d4d6d857bffdce2032466d0585062

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RepairTech.Common.Wpf.dll

Filesize
52KB

MD5
8141f0af4cd425514411660a4d5bd8f5

SHA1
c8d6824e2cf33f68bca5ef371a5901162200bc40

SHA256
343bf1060d5e2f62692178a4daa51b3a6a53e386d2cad2cc0f452050a282b31c

SHA512
c8cea2cf48361792a99cbf8edac0c15e2de88a1e123aa9fe34020f1fe54f22d190277f286b1d90f18831a4f48e281eef417727d52adf55a8a3274a3ea455fb5a

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RestSharp.dll

Filesize
167KB

MD5
b4aaa21288c1d923150c8d88b6ece126

SHA1
6d99e70ab9511aee701ff7068b5792f4194377bf

SHA256
b539f648dab37f211acb38dfcf4c79b488fa3beb5a7edf6740f894d2d1807449

SHA512
0de9227f5d134fc6b7029fb8202beade5e30be1f236e785eaae534cb0e944a98d9adfa2dd1917138994cfcfa2047a45c935f2b4f96944ed3dc017762ab9e08ca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\RollbarSharp.dll

Filesize
36KB

MD5
7931fd2a2e06c7a654c9edfe388a8033

SHA1
2fb6de045f81bd56fce6a367dd992efc73ba4405

SHA256
cd722eda12d89b33cc00fa7e967eb6837b8335fada88368a6896d357f4362c15

SHA512
33ff92fa6dbb93b97c739ece89433c7ed34106e91cd76eb2431d0e840338af3dd456c3116b8362de33906eb348ad7eded630e28a98c94536ee8c1f3baf8f6b80

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Formatting.Compact.dll

Filesize
8KB

MD5
fdb7ad01c66a0c96174300167fadd249

SHA1
38b9971de844165f164e37e2d234d16f6022636c

SHA256
2d7dec266c5436f58ab620db4e3b5c83e550e7f76caff26eae8186b14b52cdd6

SHA512
13df8a0ec363dc3a8f80114c64869db6f1233ae250df1bf48260cf62588065200d5a920f7d16d41faac4ddd4b9edd4d3383d1bbdb1849d120a145175d3a74d4a

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.Console.dll

Filesize
31KB

MD5
c48bf7030e583e273e94e2d32b752a83

SHA1
51666bcec96f529b1a28b72db54cc7fcdf68441d

SHA256
ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29

SHA512
475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.File.dll

Filesize
25KB

MD5
6509ca95a38ac29c03379113172cacb7

SHA1
f94b8d751fefcd29d28875e291fd570e103d12d7

SHA256
85ad8530adc1dec3b97f2074c720b81528ba5ea6c7274e1a98a906304bccd12f

SHA512
d8bd0b8998725e2fa361bcb446f48b6105bd603707bf914bb978c63b5c40958bcd2a3fef1f666541793f1d06377f3f2967d1241e445bee6919eb8f84f5a5d7f5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.Sinks.Literate.dll

Filesize
5KB

MD5
a0ebef9e8cce247cc12310a03b38aa7e

SHA1
22848b43d3b7f99cea7b339e86fcb4c08d7e6e51

SHA256
5e2e204439217c960237a894548680b39d5972fabfa3009538f43530eac23a3e

SHA512
53dc332b0329899883e019a4adbead244c65324fc4654c6c4d8080b3f2cc1953f2d0c61ac3507d00ac85c9cb98d711e127df335e334a3e2b2e70e59e3239d758

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Serilog.dll

Filesize
115KB

MD5
fbfbf8c2de7f389105d728037bfcc11f

SHA1
91dd7e807ffcfdc9cb67f5a75d85dcf537475583

SHA256
e7c7528f8a920988862b8c22d0ae4c40df6824332780c1cec41d84fe633b6bed

SHA512
264667b13ff54e8ae24663f6ea11225794946c5db34d440bd68cc90c940c92d1da7faf39dfa551d13a19f5e21c82130662ffab2a2e2ebfb004576d880e9fb369

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Splat.dll

Filesize
45KB

MD5
1975e684c48457d72f37696bb1b880e6

SHA1
eb254b470df9172aa07f13e7280bced746d95e22

SHA256
7a6f255cf59d6594c8f5bc466956f09305a3a10c8d683e485c7e1f14371701c4

SHA512
edb06da485e4dc562c7833ef887172be5ddb4d36a041463dc662ccafaa8fad816306091f774a7463f1538ad1c62ee9433bd12673d943bd885bf2cb38fc633a08

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Squirrel.dll

Filesize
235KB

MD5
f337f9b5615590307732f1e94b8ebcb4

SHA1
30110300fb63a72827aaf1b594f21632594f4c82

SHA256
46a139b49a419e2217bc09700121a08e6e169f654b076866590a9360957a3b34

SHA512
60e057f432488aebb77e584b5deb9535913d1fbd320cd63cd0746d6c7765f1866e3678150c9393e9ce55ab2a7840e0271a5556cc91c7bc0eaf7072283c2d8549

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.App.dll

Filesize
432KB

MD5
fa11417c9172c86dd8d5c08370e132db

SHA1
028e7c09caf1e25673f5774a2d98f58e5b890bc3

SHA256
a79e60e88045051f5290bdd5ab76dae83f78828b850bd11f769ac25e3cb4d9c2

SHA512
ebdda723dd1101cb67a12e402aef9a4a5e1f5918171c3040b3f891092037f039f88ed8a7df42a18dab1e5c269642edd75292b9098b5b7b2fe5512aa789a27481

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.App.dll.config

Filesize
3KB

MD5
29a3fb17a36c73f4c578b948950572f0

SHA1
7fbd63662d4ca33028cc23828849461b6422609a

SHA256
6d3ce7aa37dd56dbfca1770777d414e9683dce6e402f031fc2f7cbb98fdd82c6

SHA512
63ac42a22ebba9ba5bbbe20113ce97889f27d1869ab6334e0871c5a7184354548d0225efb344a7dee8cd545ab13b052e13f207f9b4c2ef7e5eaec33bb90acce6

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Contracts.dll

Filesize
106KB

MD5
1863a5697f2fcac4d590587e97bf36d9

SHA1
b90ef5cf2edb66d1cee0cd5a9be38ac832c69158

SHA256
807f68a74686038c9b91b55393053ac130b6cce3469c63a598111639c1a9cea9

SHA512
7af4847c1db7760d1644eb311a5932bae3da60fc1ba1a701afc3725a5d899026424210e4c497b801be7307684f130351d8fc87b923d4237628d85d02f9f1d363

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.Configuration.dll

Filesize
10KB

MD5
adbb784da491cb2b3e690bb5612e6854

SHA1
240873851b5ff2f612509f80fa94073ca0576357

SHA256
2b939583c11aab90e350cdb533caa719bd57254aff58e7d87fadf0de29fec049

SHA512
50e78fa65c3142239b993e12dd92e368d31a5fbeb87d3601f98da9683c96bcf243c2bc5b7706059f84c9e56c09e0177af8b86d7abb9a661f04bce44de2084d00

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe

Filesize
1007KB

MD5
b58599b0f8dedd76ab622d5eea9497cd

SHA1
436ce0e8022935a61eccb94679e9c19dca781362

SHA256
31c096d1075cbe54ae0274c7828904bee807be2bd8fffcb6257d91e681fa764a

SHA512
58b350ec82cb6f4cb778a860d9d235f561810b917a782dedf8c3b65c930d99bcc6e0d6e04a7108c6d61c598b6cb310daee7f77691e946afc6afa26fdf6ac17a5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Service.exe.config

Filesize
4KB

MD5
8d8995a5b322b505d622af6cd2bfdffa

SHA1
56f353b5df27ff2dc98f9fef29bdab086a8a0fda

SHA256
5af11c9ce145d76e865f091da12d3cc70f84e069e790dc54eb2c93b92b84fa8c

SHA512
a8d0e6a67ec700e37b19fde7768bc3d2b8db6d90b96b7e276fad8fb3d851508f718ce0370b06c26cdeb87711b24798925150ec56ed20b48c46a51fe3c8801834

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\Syncro.Tools.dll

Filesize
83KB

MD5
cff50121d9807e654c1074143a015335

SHA1
d1ebb1a9d67e9fe3ed1d78bd6102658dea2df641

SHA256
1d3dd902c2449e5470225175c6793241418ec01c5eb802cecab0b31694ce1253

SHA512
8c99f97bfdc9f71232a4a729991c6736a3246f553dd18c96c459e389dc5240218ab0fa43a96e11b2ffa5f3cdab7d5e884ebc479d2b17485ef66e17657fdb960c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\SystemInterface.dll

Filesize
87KB

MD5
6c19cad7d00cee4e4aae931b79c0cbd2

SHA1
b8e275ee742584b017fe48918d35edfbba97c1b8

SHA256
e9ecc8b5c887b3eb58523d108aa7a74340c5b5270aa3182d5dd1fc363afdbc02

SHA512
c1892e5b45a4c48a342fe869c43e2348c6d21dd14771ee0c4a59ff1eca6b9b77b2742e54106d956e9f7c7c9ea13f9d41b6a2ef1b4f9a036a96e76b9373c58363

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\SystemWrapper.dll

Filesize
174KB

MD5
e5dd264a7dc69d6f9bb85919984955a3

SHA1
4d83ac11160295835f3c8266e9d96f49446e0023

SHA256
122dabfe8a6b37cbbb6b062ca99fc567128037178764b9b0965706938ded6d05

SHA512
640316365ed262bc4725b9c103bfa9754dce44e74b9a18dbd7fe9f413cd8904a7ad9282796eb2b1253f3039c789bb513746f517c37d4ba0057e8cdc375939d20

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\UrlCombineLib.dll

Filesize
5KB

MD5
d25bca8e62ef1de7af0d1e382528c71b

SHA1
9232becb3a55cf81ce8775b6cf2e2d89fbafe5f8

SHA256
c0960a5c185f852da9feba9f075da744be50ba64da69f48b5166ff9c556838d6

SHA512
617ae67fb8d9e60bd0517186f18f26a2d4bf2ee14f45c1887fb060f7d5d1fcdcbe2d49b1994593ab3a580dd98c85f2f5dee43d33c8d16e42f3e4237013cba33d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\config.json

Filesize
869B

MD5
b8131bcfde5af2f88c7ebe90bbbab965

SHA1
a82ff00ad442d1af4356fcf8729abb3164077be1

SHA256
f22f770c78a63b75d079a2b919938613edf10a1360a05b64e42aeb676e868efb

SHA512
5b1d052dd5e96082d64bd61531b3cd3f48861929e62de2bf7022d9d39e0d02bb08655832538f7fbce241b07755c51d7b1a96ad6ebc46204e24742e011a9ada28

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\en\Syncro.App.resources.dll

Filesize
39KB

MD5
f61cac27413de146d3e70c5d6c4a9e2c

SHA1
16415b8df306ef3ec0a9ff25ec0db435fecf737f

SHA256
d551be97aa15cbb9122a59f33e03a7128e090cbdd94df71ac53fa3e0b357343b

SHA512
550a45b080e6f6d2b815a14039f6e032f52c77e39f6e8e02749989dca5d4c5d44f68ff68c017fca4212e07edb7d4affd4c40cda9548248e32397fc47a316b669

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.168\websocket-sharp.dll

Filesize
244KB

MD5
7379936cac71973885587a3bc6fbb70b

SHA1
e72fec39314d7eb75f13c1ff0459515d95dd910c

SHA256
fb06ffceb4f8789c893d2f292e5810927dd7266d3bad68df2cedb8775500e8be

SHA512
d9da358bcc134232f6418d49fe98c427ad49fe8a212a2f166fcbf1718d0a8f8b0fa055caec30b267c6e4b1b4d687f08394830e3fadbae812c4b255abdf8c7b7a

Download Submit
C:\Program Files\RepairTech\Syncro\install.bat

Filesize
639B

MD5
e3eb8d69316f0551bda4908c44d8684e

SHA1
dc8d0350c67f2a9b4a2adec253863273c26aa760

SHA256
8952ea8c7a55898f87d131886cad0ceb966ad4475c701ea6590d906bfc6dc0af

SHA512
b276ab4113ff39c715b840d84916c49319d03b8458dea0bc9c1f23f87a331dac1975e5c596c088cbdf44c50e5a9bc54ddfdbb5fe9363f7496ce242dab3f37865

Download Submit
C:\ProgramData\Syncro\Images\logo.ico

Filesize
14KB

MD5
940cfaf4c3be79e182f60375900fc2b3

SHA1
4c476f0b6eeb7a99912b1a5b2a7ee43c96d40baa

SHA256
97dda1267bb780b5c073d57367fc3590548fab97b9d90ee86d5a55dffd5847e9

SHA512
774e2f1bd38a1145ad7758964276a74c3f8c7deb6932c5203a4c19050d3f4cf38ee71d6ac645c4a55ba3559ea031623267ea5ccd9fbf26a758234203d1590b90

Download Submit
C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe

Filesize
758KB

MD5
454bbb242ae4afbb0cc09425b3644b62

SHA1
df2cb4cc0d2abe86abe08ad9751dad63c6cd30eb

SHA256
78eac23016bf631a1e63aee99391f7e34e43a5759ff9278567af6370d13eb924

SHA512
cb92853f41f8bed4f51ecfd33cf6ec4284cdd87bcc76a90c75ebc510e8430ad157cb93673a0466909a8a38e4b22fd1049070d3d5392002839c15a1649a17b9bc

Download Submit
C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe

Filesize
758KB

MD5
454bbb242ae4afbb0cc09425b3644b62

SHA1
df2cb4cc0d2abe86abe08ad9751dad63c6cd30eb

SHA256
78eac23016bf631a1e63aee99391f7e34e43a5759ff9278567af6370d13eb924

SHA512
cb92853f41f8bed4f51ecfd33cf6ec4284cdd87bcc76a90c75ebc510e8430ad157cb93673a0466909a8a38e4b22fd1049070d3d5392002839c15a1649a17b9bc

Download Submit
C:\ProgramData\Syncro\logs\20221026-Syncro.Installer.log

Filesize
6KB

MD5
78536896d73e45985ad7de9cb18cac0f

SHA1
9106c68237e341aa58e132c460e09429897fe50b

SHA256
6574cbebc5a335df02e206f0c222fb285182740a2ae93c1e7c616786261ec360

SHA512
5cbd2b6345684cd7665d275376c273cbb33046ecc6151b929f362817fe41abec6fb5058d18c10d53c8760712740807566c1102610fd9dd86bdfa041f3142f0d5

Download Submit
C:\ProgramData\Syncro\logs\MasterInstaller.log

Filesize
1KB

MD5
c119225ed538920720d05a0ed9d33e5f

SHA1
109db078e5fab6cbfdcf7510ccd81119fb964765

SHA256
db54446e656c777ed5c1be8a6ce3044c2923e750674bbffa9d227f572dc34b93

SHA512
860157e25e5af887c580f3876ca0b450d21734899b2b1231faec48c3f2cf132ead3f80922121abfbbe9c29c99919e4c94ac01524a22a7f37d62701f84d0eec8f

Download Submit
C:\ProgramData\Syncro\logs\ServiceInstall.log

Filesize
1KB

MD5
5be5998b9b6bdae1128e45955f106f79

SHA1
2383b5d93f47be54fe89f6184cb764bb756156f2

SHA256
f10d0f36784db77a8b3c39ca688d36678fdc332cc74636f463d8d4a2fe267a09

SHA512
0fd4853fbee83fcde004c904653396b510ca840ac2b2c276497c247d718b1679ca50a7d5a84e54e74e6bfec01882a99ca3c83b9a1b00f0cf085c3025b6e665c1

Download Submit
C:\ProgramData\Syncro\logs\Syncro.App.Runner20221026.log

Filesize
1KB

MD5
ed68424f09a16916e93ea43eb45619cf

SHA1
e184fb06a42d2e145b55d474a323fef84d3bdc14

SHA256
e764e2bea5e838726335d6932a29fad2dabe3ffc9c8fad50930d092160f669a7

SHA512
2cc627e88ce6242f0d94deccfe23a943530ade2a42f93554999b3024f51828fdc273b216ecf1e012ca8faf8fc8af31041a6946b73f49f6bc39c0afbedd66f776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
2cdf0bc3eb656733f254955bba8dc797

SHA1
8a70c7aca8ddda3ea02256332cdd1976dc903464

SHA256
63ca7d8e3bd9896dcd94fd3259323a300750bcad3a922b62216ea003c4cae5d2

SHA512
63977af9ef214c7ae287bb85dd1e6e9bc83427f78a4581aa7d30ff7170f9a4ec19e31c20e3267ce309699675621fb0040a15c4975ab14cf928659aa1553a6629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d9a93ddf4a07b6efa9e706f12c2931dd

SHA1
29f3030ca4c32bf5929c5b14dc24e3d5f7b96261

SHA256
d637153e9fffb1edfdec7cf5532b13f1575278470cfd3b7e2483cb5bb1f21ba9

SHA512
97dbab491a5c61293da64d5ce9c08f2fe1c1b892e11f82d3c4c26ef7c153e631a3ca0e51f6d1d554c0d79a97f54a834b0e64eed8c803bb04c81b33f8988d8148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
510B

MD5
066254830fee574efad063d64844044f

SHA1
963900b25eb10bbb63438aa6e693d91869f80b87

SHA256
662f57b21927da1d57a5368cd1483bb9c255d1879a6bee2475b39cbdecddd30f

SHA512
1d610442b4d8f70a21f69305f36ad1f990dcd6fa2934dbdac2ca70c40eada96512be00faf3b0b8b2e93bf610b45478595e100c1397732a8d20a4e0c45ba962f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
b18253508c44a93a786398c34b910e98

SHA1
d15707a18c847e53d82d1501e9607cd04719ad47

SHA256
8a0157fd5c8b85c88b7327ee839922a508b45327906d84ada141d4c5f3a56a55

SHA512
25aa0819c166dabac7c40725db490bba77eaf9ed57a4a7277a7064e319b17770a41c182fabce3cfc21ed17e525fe25138457d5145f4a0c80d56a2c626febc5ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
302b3076a93b66a53672b4cd81e7d89b

SHA1
f9363b0dd1eab58fa4fdfee0492150ab31dc6d5f

SHA256
6ab952cd4e5f08a624a6d129cc49cf63a0de208c04aed8c29f528c2066fa0e31

SHA512
3488c68d2b6409a4ab2c4134d382722cdf898a61420bfb4729a93e480830fe82e34935945f25edfda836c8bb78e75b95a0889357f8f14003b7f14a01f656e0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
480B

MD5
e4ef1314778ce123be79bef6162aa5fe

SHA1
5e2f9fb564ece55abbd3fac44e070c00e2b2eb9d

SHA256
aed679b4a0e80e69c3ce4d5f60a07e815907b75a85a0d2e4dafae8a0d903fd88

SHA512
9fcb320ba402eeda4b8753d7dcd28587e1042c477ef7341501dd7293152e6e5792db296ff246aa65c79cb03f538d1e5f8a51967150c93e52285728ee94ba798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Windows\TEMP\tmpBDC3.tmp.SyncroLive.Installer-latest.exe

Filesize
13.5MB

MD5
6ee357d6ff97bd054f2f8d6c1e72f0e7

SHA1
d01ceb73738cf0e2c86463f86292c38e4873c524

SHA256
ad3ebf1789063615ef35ae5583d9641765670fed1ac57659e2d1010f54109f24

SHA512
2b458237b74143e732fbc4740b0437d058966845c2fc4f9f64a4932a98cd6f44e63aedad3ad17aca3f6fc01ccc0b400747b406c38c4595cd22d883cb8aca28f0

Download Submit
C:\Windows\Temp\tmpBDC3.tmp.SyncroLive.Installer-latest.exe

Filesize
13.5MB

MD5
6ee357d6ff97bd054f2f8d6c1e72f0e7

SHA1
d01ceb73738cf0e2c86463f86292c38e4873c524

SHA256
ad3ebf1789063615ef35ae5583d9641765670fed1ac57659e2d1010f54109f24

SHA512
2b458237b74143e732fbc4740b0437d058966845c2fc4f9f64a4932a98cd6f44e63aedad3ad17aca3f6fc01ccc0b400747b406c38c4595cd22d883cb8aca28f0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
c02ca7a01719b3d22be9776fc72d0461

SHA1
480d848f3300d1a2a1c7b2d1dc20b2ad83e10b2a

SHA256
2c7355b1e6cee72d15fed8d18a6d07a89d431feaeac5d2654376b2c995f0960b

SHA512
c24d203a5fe56a31cb1a8a8510273d429ef4884600306a5acbb48f9e507b50a4b42510492616d73b75b2affa720d2c46e592c981e897aa233bf81cf963951e7d

Download Submit
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{80d6b415-25b6-4f87-8acb-79de6b82c24f}_OnDiskSnapshotProp

Filesize
5KB

MD5
41d79f646199946ae7f6d18084f429ad

SHA1
1f980d9e7f5ae57b3f94c50569f3b2fad5dd8de8

SHA256
94265496816dcd37f7f0775aa408d40a0f447314076d45a684cde3b77663d533

SHA512
9776c131eecb0be890d24268fda7083f1ea1c508fcace24e47dd6ec2e34edcf015d4571a3984828d1d387e399588e0719f272da9c7b71ac4981e7c6977acf57d

Download Submit
memory/360-165-0x0000020D4F820000-0x0000020D4F82A000-memory.dmp

Filesize
40KB

Download
memory/360-167-0x0000020D4FB70000-0x0000020D4FB7E000-memory.dmp

Filesize
56KB

Download
memory/360-168-0x0000020D4FBB0000-0x0000020D4FBC2000-memory.dmp

Filesize
72KB

Download
memory/360-169-0x0000020D51640000-0x0000020D5167C000-memory.dmp

Filesize
240KB

Download
memory/360-170-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/972-247-0x000002D818DA0000-0x000002D818E10000-memory.dmp

Filesize
448KB

Download
memory/972-252-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/972-245-0x000002D817080000-0x000002D81708C000-memory.dmp

Filesize
48KB

Download
memory/972-258-0x000002D8334E0000-0x000002D83353C000-memory.dmp

Filesize
368KB

Download
memory/1736-146-0x000001FA95890000-0x000001FA95F98000-memory.dmp

Filesize
7.0MB

Download
memory/1736-157-0x000001FAB2400000-0x000001FAB2408000-memory.dmp

Filesize
32KB

Download
memory/1736-160-0x000001FAB2440000-0x000001FAB2448000-memory.dmp

Filesize
32KB

Download
memory/1736-150-0x000001FAB1A80000-0x000001FAB1A88000-memory.dmp

Filesize
32KB

Download
memory/1736-156-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/1736-205-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/1736-149-0x000001FAB1A20000-0x000001FAB1A2A000-memory.dmp

Filesize
40KB

Download
memory/1736-148-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/1736-152-0x000001FAB1B10000-0x000001FAB1B18000-memory.dmp

Filesize
32KB

Download
memory/1736-159-0x000001FAB2420000-0x000001FAB2428000-memory.dmp

Filesize
32KB

Download
memory/1736-161-0x000001FAB2430000-0x000001FAB2438000-memory.dmp

Filesize
32KB

Download
memory/1736-151-0x000001FAB1AE0000-0x000001FAB1B02000-memory.dmp

Filesize
136KB

Download
memory/1736-158-0x000001FAB2410000-0x000001FAB2418000-memory.dmp

Filesize
32KB

Download
memory/3920-278-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4756-196-0x0000017FE7CA0000-0x0000017FE7CE0000-memory.dmp

Filesize
256KB

Download
memory/4756-213-0x0000017FCDCA0000-0x0000017FCDCAA000-memory.dmp

Filesize
40KB

Download
memory/4756-239-0x0000017FE8A10000-0x0000017FE8B1A000-memory.dmp

Filesize
1.0MB

Download
memory/4756-237-0x0000017FE8830000-0x0000017FE8858000-memory.dmp

Filesize
160KB

Download
memory/4756-235-0x0000017FE8560000-0x0000017FE85E4000-memory.dmp

Filesize
528KB

Download
memory/4756-244-0x0000017FE8500000-0x0000017FE850C000-memory.dmp

Filesize
48KB

Download
memory/4756-174-0x0000017FCD350000-0x0000017FCD35E000-memory.dmp

Filesize
56KB

Download
memory/4756-233-0x0000017FE8450000-0x0000017FE8470000-memory.dmp

Filesize
128KB

Download
memory/4756-176-0x0000017FE7A80000-0x0000017FE7B80000-memory.dmp

Filesize
1024KB

Download
memory/4756-231-0x0000017FE8430000-0x0000017FE8442000-memory.dmp

Filesize
72KB

Download
memory/4756-229-0x0000017FE8480000-0x0000017FE84C2000-memory.dmp

Filesize
264KB

Download
memory/4756-227-0x0000017FE83D0000-0x0000017FE83DC000-memory.dmp

Filesize
48KB

Download
memory/4756-225-0x0000017FE8400000-0x0000017FE8430000-memory.dmp

Filesize
192KB

Download
memory/4756-223-0x0000017FE83B0000-0x0000017FE83C0000-memory.dmp

Filesize
64KB

Download
memory/4756-178-0x0000017FE7980000-0x0000017FE79C4000-memory.dmp

Filesize
272KB

Download
memory/4756-221-0x0000017FE83C0000-0x0000017FE83CE000-memory.dmp

Filesize
56KB

Download
memory/4756-254-0x0000017FE8550000-0x0000017FE8560000-memory.dmp

Filesize
64KB

Download
memory/4756-219-0x0000017FE83A0000-0x0000017FE83A8000-memory.dmp

Filesize
32KB

Download
memory/4756-217-0x0000017FE7E30000-0x0000017FE7E38000-memory.dmp

Filesize
32KB

Download
memory/4756-256-0x0000017FE9600000-0x0000017FE9B28000-memory.dmp

Filesize
5.2MB

Download
memory/4756-215-0x0000017FE7C20000-0x0000017FE7C2C000-memory.dmp

Filesize
48KB

Download
memory/4756-238-0x0000017FE88B0000-0x0000017FE8900000-memory.dmp

Filesize
320KB

Download
memory/4756-211-0x0000017FE8340000-0x0000017FE838A000-memory.dmp

Filesize
296KB

Download
memory/4756-210-0x0000017FE7E10000-0x0000017FE7E24000-memory.dmp

Filesize
80KB

Download
memory/4756-208-0x0000017FE7C40000-0x0000017FE7C5E000-memory.dmp

Filesize
120KB

Download
memory/4756-180-0x0000017FCDC20000-0x0000017FCDC2A000-memory.dmp

Filesize
40KB

Download
memory/4756-182-0x0000017FCDC40000-0x0000017FCDC4A000-memory.dmp

Filesize
40KB

Download
memory/4756-201-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/4756-204-0x0000017FE7F70000-0x0000017FE7FE6000-memory.dmp

Filesize
472KB

Download
memory/4756-203-0x0000017FE7EC0000-0x0000017FE7F6A000-memory.dmp

Filesize
680KB

Download
memory/4756-200-0x0000017FE7C30000-0x0000017FE7C3A000-memory.dmp

Filesize
40KB

Download
memory/4756-198-0x0000017FE7DE0000-0x0000017FE7E04000-memory.dmp

Filesize
144KB

Download
memory/4756-194-0x0000017FE7A60000-0x0000017FE7A7C000-memory.dmp

Filesize
112KB

Download
memory/4756-192-0x0000017FE7C60000-0x0000017FE7C92000-memory.dmp

Filesize
200KB

Download
memory/4756-190-0x0000017FE7A40000-0x0000017FE7A5C000-memory.dmp

Filesize
112KB

Download
memory/4756-188-0x0000017FE7B80000-0x0000017FE7BA6000-memory.dmp

Filesize
152KB

Download
memory/4756-186-0x0000017FCDC70000-0x0000017FCDC90000-memory.dmp

Filesize
128KB

Download
memory/4756-184-0x0000017FE7BD0000-0x0000017FE7C1A000-memory.dmp

Filesize
296KB

Download
memory/4816-207-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/4816-155-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/4816-147-0x00007FF8F7760000-0x00007FF8F8221000-memory.dmp

Filesize
10.8MB

Download
memory/4816-142-0x0000000000B60000-0x0000000001280000-memory.dmp

Filesize
7.1MB

Download