2a5f74e8268ad2d38c18f57a19d723b72b2dadd11b3ab993507dd2863d18008d

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5f74e8268ad2d38c18f57a19d723b72b2dadd11b3ab993507dd2863d18008d.msi
Size

5.9MB
MD5

68352f61da6e3236c4fe760997a981ea
SHA1

e2d16fdf836d5697cba2223ae288e756df319406
SHA256

2a5f74e8268ad2d38c18f57a19d723b72b2dadd11b3ab993507dd2863d18008d
SHA512

fa085589f8fb44ce76983fc77a186fd1213e659881b73b5c5ba07ff53dc31e4830e6509459b4aa82805e2a66632e047a20664f81a73e58c8faa9bb8a2ec7288f
SSDEEP

98304:GAC9AGDm8MytOY9woKC4BDBwWlKylZ/FxCeMxlGV9GZRik9VI5TMwGP2KEfT:w9mzytc/CKDllTllCeue6STz/T

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	1496	msiexec.exe
4	1496	msiexec.exe
6	1496	msiexec.exe
8	1496	msiexec.exe
10	1496	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1664	Installer.exe
1748	Syncro.Installer.exe
556	Syncro.Service.Runner.exe
636	Syncro.App.Runner.exe
1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
568	7za.exe
1332	7za.exe
1628	7za.exe
580	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1212	SyncroLive.Agent.Runner.exe
2364	Syncro.Overmind.Service.exe
2504	Syncro.Overmind.Service.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyncroLive\ImagePath = "\"C:\\Program Files\\RepairTech\\LiveAgent\\SyncroLive.Service.Runner.exe\" -displayname \"SyncroLive\" -servicename \"SyncroLive\""	SyncroLive.Service.Runner.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyncroOvermind\ImagePath = "\"C:\\ProgramData\\Syncro\\bin\\Syncro.Overmind.Service.exe\" -displayname \"SyncroRecovery\" -servicename \"SyncroOvermind\""	Syncro.Overmind.Service.exe

Loads dropped DLL 9 IoCs

pid	Process
1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1212	SyncroLive.Agent.Runner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Syncro.Installer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Syncro.Service.Runner.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	SyncroLive.Agent.Runner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C	Syncro.Overmind.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	Syncro.Installer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Syncro.Installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\en\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.Spatial.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.Management.Automation.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\sl-SI\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.ValueTuple.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\CSharpFunctionalExtensions.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\el-GR\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\fr-FR\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\fr\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\ja\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\JetBrains.Annotations.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\Telerik.Windows.Controls.ConversationalUI.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\JetBrains.Annotations.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Newtonsoft.Json.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\RepairTech.Common.Tools.dll.config	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\OpenHardwareMonitorLib.sys	SyncroLive.Agent.Runner.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.ValueTuple.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\Images\custom-logo.png	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\Itenso.TimePeriod.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\JetBrains.Annotations.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\CSharpFunctionalExtensions.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\RollbarSharp.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Service.Runner.exe	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\NuGet.Squirrel.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\SharpCompress.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Uninstaller.exe	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Flurl.Http.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\JetBrains.Annotations.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Squirrel.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.Runtime.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\UrlCombineLib.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\it\System.Spatial.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.Net.WebSockets.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.InstallState	InstallUtil.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Cassia.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SharpDX.Mathematics.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\es\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\ko\System.Spatial.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Serilog.Sinks.Console.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\fr-FR\Syncro.App.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\it\Microsoft.Data.Services.Client.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\ja\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\ko\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.Runtime.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\Destructurama.Attributed.dll	7za.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.ValueTuple.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\zh-Hans\System.Spatial.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\System.Runtime.CompilerServices.Unsafe.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x86\WebRTC.Native.Internal.dll	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\CSharpFunctionalExtensions.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\zh-CHS\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\zh-Hans\Microsoft.Data.Edm.resources.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\CSharpFunctionalExtensions.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Interface.dll.config	7za.exe
File created	C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\es-ES\Syncro.App.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\Interop.NetFwTypeLib.dll	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.App.dll.config	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\NuGet.Squirrel.dll	7za.exe
File created	C:\Program Files\RepairTech\LiveAgent\app-0.0.62\SyncroLive.Agent.exe	7za.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\System.Threading.Tasks.Extensions.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\packages\Kabuto-1.0.171-full.nupkg	Syncro.Installer.exe
File opened for modification	C:\Program Files\RepairTech\Syncro\app-1.0.171\ja\System.Spatial.resources.dll	Syncro.Installer.exe
File created	C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.Sinks.Console.dll	Syncro.Installer.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c4d56.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FA9.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	Syncro.Installer.exe
File created	C:\Windows\Installer\6c4d59.msi	msiexec.exe
File created	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\6c4d56.msi	msiexec.exe
File created	C:\Windows\Installer\6c4d57.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c4d57.ipi	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1228	sc.exe
1960	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Syncro.Installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Syncro.Service.Runner.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d002000460069006c00650073005c0052006500700061006900720054006500630068005c004c006900760065004100670065006e0074005c00530079006e00630072006f004c006900760065002e004100670065006e0074002e00520075006e006e00650072002e00650078006500000043003a005c00500072006f006700720061006d002000460069006c00650073005c0052006500700061006900720054006500630068005c004c006900760065004100670065006e0074005c00530079006e00630072006f004c006900760065002e0053006500720076006900630065002e00520075006e006e00650072002e00650078006500000043003a005c00500072006f006700720061006d002000460069006c00650073005c0052006500700061006900720054006500630068005c004c006900760065004100670065006e0074005c005500700064006100740065002e00650078006500000043003a005c00570069006e0064006f00770073005c00540045004d0050005c00690073002d004c00420048004b0042002e0074006d0070005c0037007a0061002e0065007800650000000000	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Service.Runner.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5476f83a1f0d7c6f1acdf28aefb6184fb96cb12c660a18c49c1b87b566b30922	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Syncro.Installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Syncro.Installer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 30070000d0820b1c6a36d901	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SyncroLive.Agent.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Syncro.Overmind.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Syncro.Installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Syncro.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SyncroLive.Service.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	SyncroLive.Agent.Runner.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SyncroLive.Agent.Runner.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7500CEBB70B554E4C93BAE54CF782BB3\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductName = "Syncro"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D3D65F7B3DA21204D963B3E9C9F9EB33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\ProductIcon = "C:\\Windows\\Installer\\{B7F56D3D-2AD3-4021-9D36-3B9E9C9FBE33}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\PackageCode = "778729A429A44874D8D4D102C27F49E9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\PackageName = "2a5f74e8268ad2d38c18f57a19d723b72b2dadd11b3ab993507dd2863d18008d.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D3D65F7B3DA21204D963B3E9C9F9EB33\SourceList\Net	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Syncro.Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Syncro.Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1372	msiexec.exe
1372	msiexec.exe
1748	Syncro.Installer.exe
1748	Syncro.Installer.exe
556	Syncro.Service.Runner.exe
556	Syncro.Service.Runner.exe
636	Syncro.App.Runner.exe
636	Syncro.App.Runner.exe
556	Syncro.Service.Runner.exe
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
556	Syncro.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1532	SyncroLive.Service.Runner.exe
556	Syncro.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
2504	Syncro.Overmind.Service.exe
2504	Syncro.Overmind.Service.exe
2504	Syncro.Overmind.Service.exe
2504	Syncro.Overmind.Service.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1212	SyncroLive.Agent.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1532	SyncroLive.Service.Runner.exe
1212	SyncroLive.Agent.Runner.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeSecurityPrivilege	1372	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeMachineAccountPrivilege	1496	msiexec.exe
Token: SeTcbPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeLoadDriverPrivilege	1496	msiexec.exe
Token: SeSystemProfilePrivilege	1496	msiexec.exe
Token: SeSystemtimePrivilege	1496	msiexec.exe
Token: SeProfSingleProcessPrivilege	1496	msiexec.exe
Token: SeIncBasePriorityPrivilege	1496	msiexec.exe
Token: SeCreatePagefilePrivilege	1496	msiexec.exe
Token: SeCreatePermanentPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeDebugPrivilege	1496	msiexec.exe
Token: SeAuditPrivilege	1496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1496	msiexec.exe
Token: SeChangeNotifyPrivilege	1496	msiexec.exe
Token: SeRemoteShutdownPrivilege	1496	msiexec.exe
Token: SeUndockPrivilege	1496	msiexec.exe
Token: SeSyncAgentPrivilege	1496	msiexec.exe
Token: SeEnableDelegationPrivilege	1496	msiexec.exe
Token: SeManageVolumePrivilege	1496	msiexec.exe
Token: SeImpersonatePrivilege	1496	msiexec.exe
Token: SeCreateGlobalPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	596	vssvc.exe
Token: SeRestorePrivilege	596	vssvc.exe
Token: SeAuditPrivilege	596	vssvc.exe
Token: SeBackupPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1124	DrvInst.exe
Token: SeLoadDriverPrivilege	1124	DrvInst.exe
Token: SeLoadDriverPrivilege	1124	DrvInst.exe
Token: SeLoadDriverPrivilege	1124	DrvInst.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeDebugPrivilege	1748	Syncro.Installer.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1496	msiexec.exe
1496	msiexec.exe
636	Syncro.App.Runner.exe
1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1664	1372	msiexec.exe	31
PID 1372 wrote to memory of 1664	1372	msiexec.exe	31
PID 1372 wrote to memory of 1664	1372	msiexec.exe	31
PID 1664 wrote to memory of 1748	1664	Installer.exe	32
PID 1664 wrote to memory of 1748	1664	Installer.exe	32
PID 1664 wrote to memory of 1748	1664	Installer.exe	32
PID 1748 wrote to memory of 1276	1748	Syncro.Installer.exe	34
PID 1748 wrote to memory of 1276	1748	Syncro.Installer.exe	34
PID 1748 wrote to memory of 1276	1748	Syncro.Installer.exe	34
PID 1276 wrote to memory of 708	1276	cmd.exe	36
PID 1276 wrote to memory of 708	1276	cmd.exe	36
PID 1276 wrote to memory of 708	1276	cmd.exe	36
PID 1276 wrote to memory of 1228	1276	cmd.exe	37
PID 1276 wrote to memory of 1228	1276	cmd.exe	37
PID 1276 wrote to memory of 1228	1276	cmd.exe	37
PID 1276 wrote to memory of 1960	1276	cmd.exe	38
PID 1276 wrote to memory of 1960	1276	cmd.exe	38
PID 1276 wrote to memory of 1960	1276	cmd.exe	38
PID 556 wrote to memory of 636	556	Syncro.Service.Runner.exe	40
PID 556 wrote to memory of 636	556	Syncro.Service.Runner.exe	40
PID 556 wrote to memory of 636	556	Syncro.Service.Runner.exe	40
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 556 wrote to memory of 1132	556	Syncro.Service.Runner.exe	41
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1132 wrote to memory of 1840	1132	tmp1D1B.tmp.SyncroLive.Installer-latest.exe	42
PID 1840 wrote to memory of 568	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	43
PID 1840 wrote to memory of 568	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	43
PID 1840 wrote to memory of 568	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	43
PID 1840 wrote to memory of 568	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	43
PID 1840 wrote to memory of 1332	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	45
PID 1840 wrote to memory of 1332	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	45
PID 1840 wrote to memory of 1332	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	45
PID 1840 wrote to memory of 1332	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	45
PID 1840 wrote to memory of 1628	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	47
PID 1840 wrote to memory of 1628	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	47
PID 1840 wrote to memory of 1628	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	47
PID 1840 wrote to memory of 1628	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	47
PID 1840 wrote to memory of 580	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	49
PID 1840 wrote to memory of 580	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	49
PID 1840 wrote to memory of 580	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	49
PID 1840 wrote to memory of 580	1840	tmp1D1B.tmp.SyncroLive.Installer-latest.tmp	49
PID 1532 wrote to memory of 1212	1532	SyncroLive.Service.Runner.exe	51
PID 1532 wrote to memory of 1212	1532	SyncroLive.Service.Runner.exe	51
PID 1532 wrote to memory of 1212	1532	SyncroLive.Service.Runner.exe	51
PID 556 wrote to memory of 2364	556	Syncro.Service.Runner.exe	54
PID 556 wrote to memory of 2364	556	Syncro.Service.Runner.exe	54
PID 556 wrote to memory of 2364	556	Syncro.Service.Runner.exe	54
PID 556 wrote to memory of 2364	556	Syncro.Service.Runner.exe	54

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	SyncroLive.Agent.Runner.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2a5f74e8268ad2d38c18f57a19d723b72b2dadd11b3ab993507dd2863d18008d.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --msi --key kv2pMH1kmj9vqgw-OipaNA --customerid 01037712 --policyid 0 --folderid 02898862
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe" --msi --key kv2pMH1kmj9vqgw-OipaNA --customerid 01037712 --policyid 0 --folderid 02898862
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c "C:\Program Files\RepairTech\Syncro\install.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe" /ShowCallStack /LogFile=C:\ProgramData/Syncro/logs/ServiceInstall.log "C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
        5⤵
        Drops file in Program Files directory
        
        PID:708
    - - C:\Windows\system32\sc.exe
        
        sc failure Syncro reset= 60 actions= restart/5000/restart/10000/restart/60000
        5⤵
        Launches sc.exe
        
        PID:1228
    - - C:\Windows\system32\sc.exe
        
        sc start Syncro
        5⤵
        Launches sc.exe
        
        PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000005D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe
"C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe
  "C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:636
- C:\Windows\TEMP\tmp1D1B.tmp.SyncroLive.Installer-latest.exe
  "C:\Windows\TEMP\tmp1D1B.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\TEMP\is-VD8UO.tmp\tmp1D1B.tmp.SyncroLive.Installer-latest.tmp
    "C:\Windows\TEMP\is-VD8UO.tmp\tmp1D1B.tmp.SyncroLive.Installer-latest.tmp" /SL5="$6004A,13891222,57856,C:\Windows\TEMP\tmp1D1B.tmp.SyncroLive.Installer-latest.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\TEMP\is-LBHKB.tmp\7za.exe
      "C:\Windows\TEMP\is-LBHKB.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\" lib\net45\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:568
  - - C:\Windows\TEMP\is-LBHKB.tmp\7za.exe
      "C:\Windows\TEMP\is-LBHKB.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x64" lib\net45\x64\*.* -aoa
      4⤵
      Executes dropped EXE
      PID:1332
  - - C:\Windows\TEMP\is-LBHKB.tmp\7za.exe
      "C:\Windows\TEMP\is-LBHKB.tmp\7za.exe" e "C:\Program Files\RepairTech\LiveAgent\packages\SyncroLive-0.0.62-full.nupkg" -o"C:\Program Files\RepairTech\LiveAgent\app-0.0.62\x86" lib\net45\x86\*.* -aoa
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1628
  - - C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
      "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" install start
      4⤵
      Executes dropped EXE
      Sets service image path in registry
      Modifies data under HKEY_USERS
      PID:580
- C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
  "C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" install
  2⤵
  - Executes dropped EXE
  - Sets service image path in registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2364

C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe
"C:\Program Files\RepairTech\LiveAgent\SyncroLive.Service.Runner.exe" -displayname "SyncroLive" -servicename "SyncroLive"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe
  "C:\Program Files\RepairTech\LiveAgent\SyncroLive.Agent.Runner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2320

C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe
"C:\ProgramData\Syncro\bin\Syncro.Overmind.Service.exe" -displayname "SyncroRecovery" -servicename "SyncroOvermind"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.App.Runner.exe

Filesize
32KB

MD5
1aa2d8a5d3ecc3aa134528b7117244b3

SHA1
0b149d62a7883c6c903118c7b6886a981d1ff31c

SHA256
60abbb3e61ba60715051790ad84703855455a24533e6e68b7fd0791b79d37b14

SHA512
500938e0df236efc0242a81bfbef2c9f8a7ca52644fd1c05146c7a4333f8d525d57169ac38cce945d0cdc6759601e41e17db06f71fad8e5436fe94c0d050d958

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe

Filesize
36KB

MD5
55d568af3444a7319dfdb2ddc0a6bc2f

SHA1
e6fb8fc639c71c2ef922ed9f36b29cda45622292

SHA256
10c8cd588d627f46df3a7385e07d36674c2f0374e6327c7f9595cb22d8635753

SHA512
1cdb5edd9ed982e6eaa20042efaa4e57a5d6b6927c921d06accad2493bc7ac6d7444a2467b38b82a5a6cd3c7d8bf59e32ba0e858290327770007914818fac3a5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Autofac.dll

Filesize
247KB

MD5
94bce38faf97857d39b9348f43664317

SHA1
8adf558ad484b47a94e199318a4fad70eab0f090

SHA256
0bfa585a98172330547fec4bda0d747afea4b01bc691378dfbef2ae82d110dd4

SHA512
e7ca307423aa8527b379a88f2bcf2cabe34b58d04b2f979ad4ae11867fa6a08984ca5212706f749fcfab5338e0cceefa1dd35bfa8e9921fa40ec8cd0c8caab8d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\CSharpFunctionalExtensions.dll

Filesize
125KB

MD5
841e154928ed4f18c7750a39780d118b

SHA1
f383e8aae69a942ffd0915122f67b0f963d6c119

SHA256
dacbb5f45d70b290bbed42249c06d26cf65440e63f2ac1c8db125e808a693bbf

SHA512
22e68af198233d374e609809666bc8d77f1afc741c1436fcdd321ccd7bae8a52663e7284350211cdc640cd29af550084b52343b79e8584464733200ad74bfdfd

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Destructurama.Attributed.dll

Filesize
15KB

MD5
7eabdc9525bd1814899de66fef6be715

SHA1
04cf3922eb9d39adf9e3acfe7cb5246c5f718c86

SHA256
ac6ef04b83ca3ec163e6998ef4904434bffc0405a793ae5dbb2e800e3984dabb

SHA512
a0b95e6f5212ea7c2cfa52e372143973f72254aeb67fe6032b1db58b840f93ec9da87e565bb696417bb5bd7b6dd9a3a35af461cf51b0651fb2419ead79ccadd0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\FluentCommandLineParser.dll

Filesize
51KB

MD5
de2b96fbe5b4104094389d69afb3ee4e

SHA1
d264d7519a6f4b6a6df6f39a382e352d4a48acdf

SHA256
0118168035446602ef5ca6f5426f8d54975f58613c3898e0b6689d92a35c589f

SHA512
c73a93fcbffdcbfa1b1c5928ab4304eb172710cd4ea3795796edc6e08145078199a4b0208464438d08fc569212fc11778b1d2c86ed7e6ee7e3b86f5321f33b03

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Flurl.Http.dll

Filesize
103KB

MD5
67c42a9cd1262c422f8ea562805f0294

SHA1
23d99f695530cb18bf9009668bb414338c953f60

SHA256
62d4336b23c78955d9e51573935102beadd58bdb19530bb6d650cf39f4d8bc30

SHA512
881cf4f3fb64dd2d1f42146abec7bfddf95a80a131774d7a6196b54197161866bfc09e1b6f16074f96454aecec3a03540b706e2c43df828a7c954e57e282ccca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Flurl.dll

Filesize
35KB

MD5
88d6cef2bd73709f7f35d6cdb63c6b52

SHA1
9ec6e0b10922101af0135d40f2a5fcbb798002a4

SHA256
17714b55721d04c35ebb4898afd9e267e3cb04b25beb8bda9a460c52587955f5

SHA512
c187f53222988c23f45946cfce5e18d32c5ac3af22e65097aafcef0f3ddbc83f3c0acb02a90cf16c5241a0dda5162674ee7bd2627e1da38c13fff22bdf8febf8

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Interop.NetFwTypeLib.dll

Filesize
22KB

MD5
65a6be1f8674bf2489d8e858ee8d7e65

SHA1
46a5a710f2fceb5c4daa7150a4b2517478fff0ae

SHA256
72a5ad582c5e1f754256a5de51ad01602ba23b295172de0efd27137affc44454

SHA512
333d1756b30b802c1ba3a690381238da8d356944ffc4fa1f49d9f97374d476de1989e66613fe97ddf8c6db76c567cd6f4f58651452baafd899d4c4e5c24c922c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\MetroFramework.dll

Filesize
343KB

MD5
d9fc57f451780a9afee72d870b460d4d

SHA1
6554fd655df6efd3f5de4559b915ceeb11a8ef41

SHA256
fd45b9b900e163ab1aa6e703408ea281be3292089d4b45b646e826df02e3c88e

SHA512
1c8b9f67400a43596e289b3c44c27f55da87a88578a336f5933a81f808074bb5c79cd40e9cb706f81eb4d433ff4af1c4f5d02af2a79ed8860d6a1d42eaa338d3

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
5220eefd7753e11b99d73faf39fbb486

SHA1
7d8264be4fcb17f81acb8b1add980cd96a6fd856

SHA256
ed5bc605f7f9fcc382183abef06c354dad946abb42a07631712077b2157d6bc9

SHA512
81e483bd76240543704194c0eb0c8a9e7dc46aa535653e7d5590e00c002b2980237ada793c05c0eedd5d1a92de90055867b21be665ff94fac038e280939c66c1

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Microsoft.Win32.TaskScheduler.dll

Filesize
229KB

MD5
3b64aebb9d2a910b6839b56c84653a9b

SHA1
0fdd9adc8048547cf3328295db2ac291f5c6b81b

SHA256
fcc18b30e67afe2e5e037ec4e2bcbcf1153e0c257dc26dc48084676a87be2486

SHA512
463a3fb2957bdbbf6effa43562e331a24aa49d1c5dbd0509773f5d3ba2830d93a684876c5eea0b744a2fec7d7b70e12c1d1533c671ccf590f53aaaf9252d23f0

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Newtonsoft.Json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\NuGet.Squirrel.dll

Filesize
501KB

MD5
f4ae30f0e016cd13ec31132252c48e35

SHA1
67129ef7122d5772ca22e8af2604711c82d2eb45

SHA256
2b19ae0e153fd9805f0c705b7fa7c6cf3dc253a162b49b4703ff70ba21036fb5

SHA512
579c6cacc7389b50affc59b6da71fe4db48bf408187b41086bec6ac6b494859de0b500223c8fd9b2a14eccec6f80d68cde8ba202ac0b8c61b05b0d287148bd82

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Phoenix.dll

Filesize
19KB

MD5
f067a2894bf796fccc0ba8ceb03b4e10

SHA1
6c8037c1cab8d320978307a54259680b474edb9e

SHA256
e1f8a0c7705ad8b62db26dcb0e3eb1251bb39ba652c2c14705f4ce5d35f72448

SHA512
846ea9f96417083e20c7c0988f379d85d2fcc389daffbc2f9c895326b088a19cc1abf55db4320bf12012732a8fb3d6d05000dc0ffee4b1a24b6bb907376f542d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\RepairTech.Common.Tools.dll

Filesize
327KB

MD5
89c4e5fe3a3b22d37cfc730c485f130e

SHA1
0faa0417f9dfb07de7c780a74e2df92a711821b3

SHA256
33499236635962a661d1c9d9b90835536079e0253aaf4b3a299ecd0d8068fe9f

SHA512
212be1e8cfbf30a0e5592b66d7b7bf80449efb12f565ff14f0326cb272e0d9c01cecd72a7d18d8880567899d9e094bd85bef2e06c8a9e07e7d5268b0764cc54b

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\RepairTech.Common.Wpf.dll

Filesize
52KB

MD5
99aae73defc6e5836da11993062b185e

SHA1
97540f32a00a01086b51a3a460fed5bc1998d31a

SHA256
c7a3fe889e88f1a92bf906e2cf0bf84624552e2cee56569061436f618dce9947

SHA512
33a37dc7e2511aae45c738840031e6348844301c94b75a3f516932808352d4be3d9bed716a9dce5d8278dbb4b7a382489b6c43dcfddb1f190d4422f906f1d09c

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\RestSharp.dll

Filesize
167KB

MD5
b4aaa21288c1d923150c8d88b6ece126

SHA1
6d99e70ab9511aee701ff7068b5792f4194377bf

SHA256
b539f648dab37f211acb38dfcf4c79b488fa3beb5a7edf6740f894d2d1807449

SHA512
0de9227f5d134fc6b7029fb8202beade5e30be1f236e785eaae534cb0e944a98d9adfa2dd1917138994cfcfa2047a45c935f2b4f96944ed3dc017762ab9e08ca

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\RollbarSharp.dll

Filesize
36KB

MD5
7931fd2a2e06c7a654c9edfe388a8033

SHA1
2fb6de045f81bd56fce6a367dd992efc73ba4405

SHA256
cd722eda12d89b33cc00fa7e967eb6837b8335fada88368a6896d357f4362c15

SHA512
33ff92fa6dbb93b97c739ece89433c7ed34106e91cd76eb2431d0e840338af3dd456c3116b8362de33906eb348ad7eded630e28a98c94536ee8c1f3baf8f6b80

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.Formatting.Compact.dll

Filesize
8KB

MD5
fdb7ad01c66a0c96174300167fadd249

SHA1
38b9971de844165f164e37e2d234d16f6022636c

SHA256
2d7dec266c5436f58ab620db4e3b5c83e550e7f76caff26eae8186b14b52cdd6

SHA512
13df8a0ec363dc3a8f80114c64869db6f1233ae250df1bf48260cf62588065200d5a920f7d16d41faac4ddd4b9edd4d3383d1bbdb1849d120a145175d3a74d4a

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.Sinks.Console.dll

Filesize
31KB

MD5
c48bf7030e583e273e94e2d32b752a83

SHA1
51666bcec96f529b1a28b72db54cc7fcdf68441d

SHA256
ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29

SHA512
475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.Sinks.File.dll

Filesize
25KB

MD5
6509ca95a38ac29c03379113172cacb7

SHA1
f94b8d751fefcd29d28875e291fd570e103d12d7

SHA256
85ad8530adc1dec3b97f2074c720b81528ba5ea6c7274e1a98a906304bccd12f

SHA512
d8bd0b8998725e2fa361bcb446f48b6105bd603707bf914bb978c63b5c40958bcd2a3fef1f666541793f1d06377f3f2967d1241e445bee6919eb8f84f5a5d7f5

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.Sinks.Literate.dll

Filesize
5KB

MD5
a0ebef9e8cce247cc12310a03b38aa7e

SHA1
22848b43d3b7f99cea7b339e86fcb4c08d7e6e51

SHA256
5e2e204439217c960237a894548680b39d5972fabfa3009538f43530eac23a3e

SHA512
53dc332b0329899883e019a4adbead244c65324fc4654c6c4d8080b3f2cc1953f2d0c61ac3507d00ac85c9cb98d711e127df335e334a3e2b2e70e59e3239d758

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Serilog.dll

Filesize
115KB

MD5
fbfbf8c2de7f389105d728037bfcc11f

SHA1
91dd7e807ffcfdc9cb67f5a75d85dcf537475583

SHA256
e7c7528f8a920988862b8c22d0ae4c40df6824332780c1cec41d84fe633b6bed

SHA512
264667b13ff54e8ae24663f6ea11225794946c5db34d440bd68cc90c940c92d1da7faf39dfa551d13a19f5e21c82130662ffab2a2e2ebfb004576d880e9fb369

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Splat.dll

Filesize
45KB

MD5
1975e684c48457d72f37696bb1b880e6

SHA1
eb254b470df9172aa07f13e7280bced746d95e22

SHA256
7a6f255cf59d6594c8f5bc466956f09305a3a10c8d683e485c7e1f14371701c4

SHA512
edb06da485e4dc562c7833ef887172be5ddb4d36a041463dc662ccafaa8fad816306091f774a7463f1538ad1c62ee9433bd12673d943bd885bf2cb38fc633a08

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Squirrel.dll

Filesize
235KB

MD5
5089c9f103ae97bc2ffa985cea4e0fc5

SHA1
d3535af2742493f51639cad96c87fa658dda0224

SHA256
2975536e72db0f1460c9deb2db3faf2239a45113fac39c496d7fc4ffbd647afb

SHA512
9d0b5abae5a051cbce27983bdf0f4c92d134299b2d3cdfdda6ab54e39bcd8878aed5221af8fb993dc668cc74046aca69f19b2387d149860b81d76e8aa4934a8d

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.App.dll

Filesize
432KB

MD5
af35d27132cc30f5c3e162912da3b521

SHA1
08ac8b17943c9cdaa0efa546e24c683ec69dc36a

SHA256
bffc5df5fd77d0cd4e18a4f15a130543e598b2849c5fe86b1c0569f34fbbb738

SHA512
9ad9754cc2eeac811ad61ba4c5c7b9ab101d253fc284b9330df64eaa74457868167c8df7462efec5709e283deffafe88536cbd15c20176babe18ace0a0917881

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.App.dll.config

Filesize
3KB

MD5
3883a64bb36fba1aae73ceacef993bee

SHA1
bc0691cfb76abe52a9c8fac9f270b9ff0ba8f2c1

SHA256
f0568d55befeb796cc20edd1a51ed7414a8942562ffb92027d2222765d161391

SHA512
51e65140b1b03b95b2b46cd4216d32c4ccecca98f376dc371bb076e259d34a031cfad74cd90fce578beb132b263f52552b7ece14cf3d88e201ed271d7f9271e1

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Contracts.dll

Filesize
106KB

MD5
d6f854cc2a24765cdea7ed2b04da2b7d

SHA1
1cc334d2fb871fc61b85252b48bd0a4c88d69fca

SHA256
2a31de3356325d3d3b405c18e899cf31aea49be233853872d6fabefa62e80e81

SHA512
d43b7d2144a4da8e5c7ca7e0693b0c9cbb05cbe23da1b030165610d8679abf47d62fe90f54aae1da626d4accf04d7f2f1a62060d6cae13c5e7faa5bc8ec3c9da

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Service.Configuration.dll

Filesize
10KB

MD5
effcc4fa8991066d7eca2b7d5712375a

SHA1
607306b2f1716fea2203dc40fc2807f37e90efb5

SHA256
2fe74c75118f02592a913be425a775941d4bf315a6d9d9cb723b6606d3ac2045

SHA512
29ebd43eb0eb7cb863cfd4ca6383d9aa6e03699d415dad62813441c24606c2149f6c0fc5282784363377c77ba3a2163341a5682532797e0e5bf69b0fbc93aee4

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Service.exe

Filesize
1015KB

MD5
411b07dfcfabd203d81d4c6836ff70f4

SHA1
42dc360c7a87f55f1f2ea8d2f0019986d0bb74f2

SHA256
aa4679b84c252b7c4c3fac06c57bc898eacbbcd9498f9474a044f2f66b1e2e52

SHA512
5295a859a992fc197d0cb185c99e23c90abdd15d4922ca869f38226acd0308ae7b2f030f8fc851635809779161ab59bf31ee7454a689577a132c8b4ea2236238

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Service.exe.config

Filesize
4KB

MD5
8d8995a5b322b505d622af6cd2bfdffa

SHA1
56f353b5df27ff2dc98f9fef29bdab086a8a0fda

SHA256
5af11c9ce145d76e865f091da12d3cc70f84e069e790dc54eb2c93b92b84fa8c

SHA512
a8d0e6a67ec700e37b19fde7768bc3d2b8db6d90b96b7e276fad8fb3d851508f718ce0370b06c26cdeb87711b24798925150ec56ed20b48c46a51fe3c8801834

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\Syncro.Tools.dll

Filesize
83KB

MD5
f47dcf3b04afd994b43dfaccdcd2348f

SHA1
e8fbc4662fa8bd24fc5c5237108951c287438b9c

SHA256
0baf2c35f3dc81cfb8ef32e0aa1c263185337cf047ba53533fe409ba73dd5206

SHA512
cd3fdd363fd5c6187d580769c7aeabed73090ee2160074dcb92c328abf15d119420fb17d2e3a3cc5e07e603b8a91b98c06180d331c60f5002b27281f3d82dbbc

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\config.json

Filesize
869B

MD5
b8131bcfde5af2f88c7ebe90bbbab965

SHA1
a82ff00ad442d1af4356fcf8729abb3164077be1

SHA256
f22f770c78a63b75d079a2b919938613edf10a1360a05b64e42aeb676e868efb

SHA512
5b1d052dd5e96082d64bd61531b3cd3f48861929e62de2bf7022d9d39e0d02bb08655832538f7fbce241b07755c51d7b1a96ad6ebc46204e24742e011a9ada28

Download Submit
C:\Program Files\RepairTech\Syncro\app-1.0.171\en\Syncro.App.resources.dll

Filesize
39KB

MD5
794e1ed803a64dde6ab99f761bbab5f3

SHA1
80ac010da05d853d0ba04f74791226c42a1d19d7

SHA256
081bd816c1ff56ed69dfb8b3fa104dc89c8ceda161df715708b82ca9d487e89c

SHA512
7f75a3720b99bf4ba52916e80f678435044f4295578b7dc74dee13343fa5dfe86fdabc3268d8bf9462a2d1603358fa5f6f3bed01060bd7a1442365eb4e6203ee

Download Submit
C:\Program Files\RepairTech\Syncro\install.bat

Filesize
639B

MD5
e3eb8d69316f0551bda4908c44d8684e

SHA1
dc8d0350c67f2a9b4a2adec253863273c26aa760

SHA256
8952ea8c7a55898f87d131886cad0ceb966ad4475c701ea6590d906bfc6dc0af

SHA512
b276ab4113ff39c715b840d84916c49319d03b8458dea0bc9c1f23f87a331dac1975e5c596c088cbdf44c50e5a9bc54ddfdbb5fe9363f7496ce242dab3f37865

Download Submit
C:\ProgramData\Syncro\Images\logo.ico

Filesize
14KB

MD5
940cfaf4c3be79e182f60375900fc2b3

SHA1
4c476f0b6eeb7a99912b1a5b2a7ee43c96d40baa

SHA256
97dda1267bb780b5c073d57367fc3590548fab97b9d90ee86d5a55dffd5847e9

SHA512
774e2f1bd38a1145ad7758964276a74c3f8c7deb6932c5203a4c19050d3f4cf38ee71d6ac645c4a55ba3559ea031623267ea5ccd9fbf26a758234203d1590b90

Download Submit
C:\ProgramData\Syncro\logs\20230201-Syncro.Installer.log

Filesize
6KB

MD5
b9cfa9f00c1145983e2a2d349c6317b8

SHA1
6c33ea14302f64f78ed0add80e250c3e57abfafe

SHA256
de1751c74bd40872ab16dc99641ecf8ad7b65ef26c42fde87148527938264cc0

SHA512
e724ef48cca28a14b25ff616eeac9a8216641c2f4f0cb6c221f1f64cc3467af197b1ac5f8fa6f97d104c608d4df99e749c868e4d38de14e415160fe6463836ae

Download Submit
C:\ProgramData\Syncro\logs\MasterInstaller.log

Filesize
1KB

MD5
a255cf6ef130f271a6c11b54f7d1bcf9

SHA1
e1c33b96132f0be11e0e6e3b76878cd281015338

SHA256
cae59562b10bed85a4228337fb91cc738bb9ab9fc05c024dfc1a9fe703ed5958

SHA512
d17dec8602d5996a4180817cdebdd3e84ef46c5ff2e5eeb1b69a8631f1e377f0127189ed45d8e5950c76b3b699bd114afa07c921e380cd5b1b99e1e6b4ff2684

Download Submit
C:\ProgramData\Syncro\logs\ServiceInstall.log

Filesize
1KB

MD5
5be5998b9b6bdae1128e45955f106f79

SHA1
2383b5d93f47be54fe89f6184cb764bb756156f2

SHA256
f10d0f36784db77a8b3c39ca688d36678fdc332cc74636f463d8d4a2fe267a09

SHA512
0fd4853fbee83fcde004c904653396b510ca840ac2b2c276497c247d718b1679ca50a7d5a84e54e74e6bfec01882a99ca3c83b9a1b00f0cf085c3025b6e665c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
66e27974d84b6e95471cf10484262e5a

SHA1
ff5a56cba444389ea71263abc1fd242976057b9e

SHA256
9c2df8268aa9bfea093a724abe8ff577e5122cc2424e91f224ce91d8079e852f

SHA512
d168c85920a386445d45fe92526fb320fb5e6f440b7d28b0fed94143b8ce542625249db56b0d7f2c748fbc6e3b21647a936f96504ac859a38d5147d7bdec15be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9bf10855213d2d2b26123cd2a04220b8

SHA1
231d2ed3b9098617f196e89cee3c2a82b38b5d40

SHA256
a508e5bc0086119681076c2b05889d6f70047f971342d65792776ab7b53ca1e9

SHA512
df78a9f4ed0296f9a16d17672758411306e1b3664e9c6aece1ec738da350e2ee703f5c4f30167c4d5b54de8d154a7a4dc7250420c024e26063c8521a333e3dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
510B

MD5
5f7e05c8d41bd8ccabf95155f25d1b17

SHA1
b67af640bb9cc2e7394ded0a91340732984e6527

SHA256
32db0be400da6d21f44bb989aeb00b20e4bccd122f81c674f3c7c468911ed28c

SHA512
2164551e094ec023264d1d4e9db7b82002a8abf789dac7473170e7d4815c92d488068a8ed1755042d67cd59825e9d9d95850ae91ad3f76bc68720808b64f68cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
45d5678266bc9e9b751ac8d8697af8da

SHA1
cfdfbe05ea4042f3c25da591766ee4e6c2c94261

SHA256
2e0874c5d9b2b33c2058469c502ccc4f09e911b2c92ff961580b8900a1490fe2

SHA512
b440ea75461db8c165741a8b01a5185ff60b45b1470c107ae6874e30fbf62bce7a65345952f7819917156f6636faa2bd7ae414b616e8a49cb46c94f21ab3afc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fe5e7c2410ad19e647343cb8b330147

SHA1
5797c80406ad42697995bfa4ed38a9021566d454

SHA256
3f61bbbc2221aee066920c88bb78250d5ebfc1f925cb968c438d65c5de396c29

SHA512
400324a555f85e25401104e12da3f7d03428bd583375da3c27bd184d1a3f02f524caab888021ff24ceda9083ee35099d01c99090e638356f2f6826bd2ebbdd84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
44a8a27c3ba0f7a1a4ac98fff7bb0f42

SHA1
098b87d914d33f839f51b43f183b7b0801feffc9

SHA256
5384e8d76cfd39dc73b611859e40981e601372c8019bcaed6b9988e3d6f47b5b

SHA512
ee8f0d9cb6f396cc555ced72eac756e56098458db4864cf78cf631cdea025ac1f7456eb71d79f670945137245bf6e181665273ba507e958c2cf3cef64021b22f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C

Filesize
480B

MD5
f66bfbe1026f484c209c7edf465cbc9f

SHA1
2fae6e649f2eeca6653bbf82c5323e53fb310632

SHA256
25209ab7c276832b4178a04da70c0f014a4a46b57a185764cad01179fc33a427

SHA512
4b3ffc64213f74b205ad695ac6676dd30b4f77b016696319d2b1a36665764fef757ec65937e8186f95575d41f0f1280422c3c52e31bd74302d26a1587790f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
7.1MB

MD5
5fdc21287fa2a976bb5a661e6a2a4d85

SHA1
3bb03dca0de6961b0be9403979a3847d8ba4466d

SHA256
09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

SHA512
f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe

Filesize
7.0MB

MD5
7bb45f8522187b26bbef2d9957bbe5fa

SHA1
4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

SHA256
6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

SHA512
1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

Download Submit
C:\Windows\TEMP\is-VD8UO.tmp\tmp1D1B.tmp.SyncroLive.Installer-latest.tmp

Filesize
706KB

MD5
4d77c41ecb0fe9113fd7d81e136bb3f1

SHA1
312f0bceabeaa2ad59b79f9656ca94b7f4453258

SHA256
c6fcb8184a3ec70654690413e735ee7c18251da9f3bc708ff2f54d186b6acdb4

SHA512
79dd09f4870a1822c4606dadce47712d8bb1c2ea2bd9d4d743f8b78fb8c1f93227603eba00068a53227186ae6a1a000ca8a21097e69b13e656d0cc401612af30

Download Submit
C:\Windows\TEMP\tmp1D1B.tmp.SyncroLive.Installer-latest.exe

Filesize
13.5MB

MD5
6ee357d6ff97bd054f2f8d6c1e72f0e7

SHA1
d01ceb73738cf0e2c86463f86292c38e4873c524

SHA256
ad3ebf1789063615ef35ae5583d9641765670fed1ac57659e2d1010f54109f24

SHA512
2b458237b74143e732fbc4740b0437d058966845c2fc4f9f64a4932a98cd6f44e63aedad3ad17aca3f6fc01ccc0b400747b406c38c4595cd22d883cb8aca28f0

Download Submit
C:\Windows\Temp\is-VD8UO.tmp\tmp1D1B.tmp.SyncroLive.Installer-latest.tmp

Filesize
706KB

MD5
4d77c41ecb0fe9113fd7d81e136bb3f1

SHA1
312f0bceabeaa2ad59b79f9656ca94b7f4453258

SHA256
c6fcb8184a3ec70654690413e735ee7c18251da9f3bc708ff2f54d186b6acdb4

SHA512
79dd09f4870a1822c4606dadce47712d8bb1c2ea2bd9d4d743f8b78fb8c1f93227603eba00068a53227186ae6a1a000ca8a21097e69b13e656d0cc401612af30

Download Submit
C:\Windows\Temp\tmp1D1B.tmp.SyncroLive.Installer-latest.exe

Filesize
13.5MB

MD5
6ee357d6ff97bd054f2f8d6c1e72f0e7

SHA1
d01ceb73738cf0e2c86463f86292c38e4873c524

SHA256
ad3ebf1789063615ef35ae5583d9641765670fed1ac57659e2d1010f54109f24

SHA512
2b458237b74143e732fbc4740b0437d058966845c2fc4f9f64a4932a98cd6f44e63aedad3ad17aca3f6fc01ccc0b400747b406c38c4595cd22d883cb8aca28f0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34909d0f5c6add7250dfbd3b4a1dae5f

SHA1
fbc828f8eb040168c50915b4ae1ab3532e2ec90a

SHA256
99d6d3af655908324746a361e511217ea0984f4154ba2ecd90aaaca8001a1df6

SHA512
e281f26b531d3571c0c16834cb72890fbdec9f47d06f3f34227f267d8c2f0312e14b9382cc4dc802622adc4745b88a9301af6df2d176ab92cbf2620461317f50

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ec85873ba45078ac0a331d0bca5e5827

SHA1
e1d02f44dc625c9b3c51b4f7d530d456973986f6

SHA256
cd0594be2ccfe6e693bb5eccc7a1578aef0b87fe7cf8c8618e66f026b2d79b58

SHA512
b3e3b43bde08e2a20de4002872fb734f89003995d5054d813721a4f4e8e9c83de844cbc07af503ea25214eb6e7493e1d95b962bab8cc707678e5173f5044f98a

Download Submit
\Windows\Temp\is-VD8UO.tmp\tmp1D1B.tmp.SyncroLive.Installer-latest.tmp

Filesize
706KB

MD5
4d77c41ecb0fe9113fd7d81e136bb3f1

SHA1
312f0bceabeaa2ad59b79f9656ca94b7f4453258

SHA256
c6fcb8184a3ec70654690413e735ee7c18251da9f3bc708ff2f54d186b6acdb4

SHA512
79dd09f4870a1822c4606dadce47712d8bb1c2ea2bd9d4d743f8b78fb8c1f93227603eba00068a53227186ae6a1a000ca8a21097e69b13e656d0cc401612af30

Download Submit
memory/556-164-0x000000001A240000-0x000000001A2C4000-memory.dmp

Filesize
528KB

Download
memory/556-162-0x000000001A0C0000-0x000000001A0E0000-memory.dmp

Filesize
128KB

Download
memory/556-124-0x00000000192C0000-0x00000000192E6000-memory.dmp

Filesize
152KB

Download
memory/556-126-0x00000000192F0000-0x000000001930C000-memory.dmp

Filesize
112KB

Download
memory/556-120-0x0000000000C80000-0x0000000000CD8000-memory.dmp

Filesize
352KB

Download
memory/556-118-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/556-117-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/556-115-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/556-128-0x0000000019810000-0x0000000019850000-memory.dmp

Filesize
256KB

Download
memory/556-130-0x00000000196E0000-0x0000000019704000-memory.dmp

Filesize
144KB

Download
memory/556-132-0x0000000019890000-0x000000001989A000-memory.dmp

Filesize
40KB

Download
memory/556-113-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/556-111-0x0000000019CB0000-0x0000000019DB2000-memory.dmp

Filesize
1.0MB

Download
memory/556-109-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/556-134-0x000000001A010000-0x000000001A0BA000-memory.dmp

Filesize
680KB

Download
memory/556-167-0x000000001A2D0000-0x000000001A2D8000-memory.dmp

Filesize
32KB

Download
memory/556-166-0x000000001A0E0000-0x000000001A0E8000-memory.dmp

Filesize
32KB

Download
memory/556-137-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

Filesize
80KB

Download
memory/556-165-0x0000000019F40000-0x0000000019F48000-memory.dmp

Filesize
32KB

Download
memory/556-139-0x0000000019850000-0x000000001985A000-memory.dmp

Filesize
40KB

Download
memory/556-140-0x0000000019870000-0x000000001987A000-memory.dmp

Filesize
40KB

Download
memory/556-122-0x0000000000AF0000-0x0000000000B10000-memory.dmp

Filesize
128KB

Download
memory/556-142-0x0000000019880000-0x000000001988C000-memory.dmp

Filesize
48KB

Download
memory/556-160-0x0000000019F20000-0x0000000019F32000-memory.dmp

Filesize
72KB

Download
memory/556-144-0x00000000198B0000-0x00000000198B8000-memory.dmp

Filesize
32KB

Download
memory/556-158-0x000000001A1F0000-0x000000001A232000-memory.dmp

Filesize
264KB

Download
memory/556-146-0x00000000198C0000-0x00000000198C8000-memory.dmp

Filesize
32KB

Download
memory/556-156-0x0000000019E10000-0x0000000019E1C000-memory.dmp

Filesize
48KB

Download
memory/556-148-0x0000000019DD0000-0x0000000019DDE000-memory.dmp

Filesize
56KB

Download
memory/556-149-0x0000000019DD0000-0x0000000019DDE000-memory.dmp

Filesize
56KB

Download
memory/556-150-0x00000000198A0000-0x00000000198A8000-memory.dmp

Filesize
32KB

Download
memory/556-152-0x0000000019DC0000-0x0000000019DD0000-memory.dmp

Filesize
64KB

Download
memory/556-154-0x0000000019DE0000-0x0000000019E10000-memory.dmp

Filesize
192KB

Download
memory/568-210-0x0000000000000000-mapping.dmp

Download
memory/580-213-0x0000000000000000-mapping.dmp

Download
memory/636-171-0x0000000000000000-mapping.dmp

Download
memory/708-105-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/708-102-0x0000000000000000-mapping.dmp

Download
memory/708-103-0x000000013FAF0000-0x000000013FAFA000-memory.dmp

Filesize
40KB

Download
memory/1132-201-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1132-200-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1132-198-0x0000000000000000-mapping.dmp

Download
memory/1212-234-0x0000000000000000-mapping.dmp

Download
memory/1228-106-0x0000000000000000-mapping.dmp

Download
memory/1276-100-0x0000000000000000-mapping.dmp

Download
memory/1332-211-0x0000000000000000-mapping.dmp

Download
memory/1496-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1628-212-0x0000000000000000-mapping.dmp

Download
memory/1664-64-0x0000000000000000-mapping.dmp

Download
memory/1664-67-0x0000000000FD0000-0x00000000016F0000-memory.dmp

Filesize
7.1MB

Download
memory/1748-78-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/1748-73-0x00000000001C0000-0x00000000001E6000-memory.dmp

Filesize
152KB

Download
memory/1748-88-0x000000001ADE0000-0x000000001AE00000-memory.dmp

Filesize
128KB

Download
memory/1748-87-0x000000001B7C0000-0x000000001B86A000-memory.dmp

Filesize
680KB

Download
memory/1748-86-0x000000001AD40000-0x000000001AD4C000-memory.dmp

Filesize
48KB

Download
memory/1748-85-0x000000001AD20000-0x000000001AD28000-memory.dmp

Filesize
32KB

Download
memory/1748-84-0x000000001AD30000-0x000000001AD3E000-memory.dmp

Filesize
56KB

Download
memory/1748-83-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/1748-82-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/1748-81-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/1748-80-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1748-79-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1748-90-0x000000001AE10000-0x000000001AE18000-memory.dmp

Filesize
32KB

Download
memory/1748-77-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1748-76-0x00000000001E0000-0x0000000000204000-memory.dmp

Filesize
144KB

Download
memory/1748-75-0x0000000000800000-0x0000000000854000-memory.dmp

Filesize
336KB

Download
memory/1748-74-0x0000000000B60000-0x0000000000BBC000-memory.dmp

Filesize
368KB

Download
memory/1748-89-0x000000001AD50000-0x000000001AD64000-memory.dmp

Filesize
80KB

Download
memory/1748-94-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/1748-93-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/1748-95-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

Filesize
32KB

Download
memory/1748-72-0x0000000000E90000-0x0000000001598000-memory.dmp

Filesize
7.0MB

Download
memory/1748-69-0x0000000000000000-mapping.dmp

Download
memory/1748-98-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/1748-91-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/1748-96-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

Filesize
32KB

Download
memory/1748-92-0x000000001C970000-0x000000001CA6A000-memory.dmp

Filesize
1000KB

Download
memory/1748-99-0x000000001B910000-0x000000001B92A000-memory.dmp

Filesize
104KB

Download
memory/1748-97-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/1840-208-0x0000000074561000-0x0000000074563000-memory.dmp

Filesize
8KB

Download
memory/1840-205-0x0000000000000000-mapping.dmp

Download
memory/1960-107-0x0000000000000000-mapping.dmp

Download
memory/2364-250-0x0000000000000000-mapping.dmp

Download