lucastealer | f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077

Analysis

max time kernel
165s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Size

54.3MB
MD5

ccf8ac85bd8c852fe818875ad7cdccd4
SHA1

1938cfb720e3a0fe2af2aaf28755d9d2749f65af
SHA256

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077
SHA512

ef9253507d90b1731f05811ba4ed263ecccbc1e8abdcaf1ee7b2f9a5ce5cf66dedb3c5ca99a47b9516aa8ae7bf7c07c0a7b98f7eec33e33bb7b1eda7abf7911f
SSDEEP

1572864:YXog+tP2EY414hjFiHaAXH7JxA+GBO+shlvjgg9sf:8t+tP12E3Ud43h1cg9

Score

10^/10

lucastealer xworm persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

216.230.73.215:6789

Mutex

JhB3xwmTJqR9i5Pu

Attributes

Install_directory
%ProgramData%
install_file
SyncHost.exe
telegram
https://api.telegram.org/bot6051093382:AAFB_OlEEXCr5NVu4fhuf3m_RPUHXO-LxuA/sendMessage?chat_id=1876538826

aes.plain

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x00110000000231ed-63.dat	family_xworm
behavioral2/files/0x00110000000231ed-69.dat	family_xworm
behavioral2/files/0x00110000000231ed-71.dat	family_xworm
behavioral2/memory/544-74-0x0000000000670000-0x0000000000682000-memory.dmp	family_xworm
behavioral2/files/0x000b0000000231f0-136.dat	family_xworm
behavioral2/files/0x000b0000000231f0-137.dat	family_xworm

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ea-35.dat	family_lucastealer
behavioral2/files/0x00060000000231ea-39.dat	family_lucastealer
behavioral2/files/0x00060000000231ea-38.dat	family_lucastealer

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	SyncHost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncHost.lnk	SyncHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncHost.lnk	SyncHost.exe

Executes dropped EXE 4 IoCs

pid	Process
1128	MaxCare_v23.02.09.exe
2536	ProximityUxHost.exe
544	SyncHost.exe
2940	SyncHost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProximityUxHost = "C:\\Windows\\ProximityUxHost.exe"	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SyncHost = "C:\\Windows\\SyncHost.exe"	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SyncHost = "C:\\ProgramData\\SyncHost.exe"	SyncHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SyncHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File created	C:\Windows\ProximityUxHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File opened for modification	C:\Windows\ProximityUxHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
File created	C:\Windows\SyncHost.exe	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3872	schtasks.exe
4244	schtasks.exe
8	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
544	SyncHost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
116	powershell.exe
116	powershell.exe
116	powershell.exe
544	SyncHost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	544	SyncHost.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	544	SyncHost.exe
Token: SeDebugPrivilege	2940	SyncHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	MaxCare_v23.02.09.exe
1128	MaxCare_v23.02.09.exe
544	SyncHost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1128	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	92
PID 392 wrote to memory of 1128	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	92
PID 392 wrote to memory of 1128	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	92
PID 392 wrote to memory of 2152	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	94
PID 392 wrote to memory of 2152	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	94
PID 392 wrote to memory of 3872	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	100
PID 392 wrote to memory of 3872	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	100
PID 392 wrote to memory of 2536	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	101
PID 392 wrote to memory of 2536	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	101
PID 392 wrote to memory of 4940	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	104
PID 392 wrote to memory of 4940	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	104
PID 392 wrote to memory of 4244	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	105
PID 392 wrote to memory of 4244	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	105
PID 392 wrote to memory of 544	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	107
PID 392 wrote to memory of 544	392	f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe	107
PID 544 wrote to memory of 4748	544	SyncHost.exe	108
PID 544 wrote to memory of 4748	544	SyncHost.exe	108
PID 544 wrote to memory of 1964	544	SyncHost.exe	110
PID 544 wrote to memory of 1964	544	SyncHost.exe	110
PID 544 wrote to memory of 116	544	SyncHost.exe	112
PID 544 wrote to memory of 116	544	SyncHost.exe	112
PID 544 wrote to memory of 8	544	SyncHost.exe	114
PID 544 wrote to memory of 8	544	SyncHost.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe
  "C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\ProximityUxHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ProximityUxHost" /SC ONLOGON /TR "C:\Windows\ProximityUxHost.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3872
- C:\Windows\ProximityUxHost.exe
  "C:\Windows\ProximityUxHost.exe"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SyncHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "SyncHost" /SC ONLOGON /TR "C:\Windows\SyncHost.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4244
- C:\Windows\SyncHost.exe
  "C:\Windows\SyncHost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SyncHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SyncHost" /tr "C:\ProgramData\SyncHost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:8

C:\ProgramData\SyncHost.exe
C:\ProgramData\SyncHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\ProgramData\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1099dc40baabde4be41cc1faf6353f7d

SHA1
345705c6b9adc64389b6d142e7484d0cdd4f2bd0

SHA256
6cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40

SHA512
6315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe

Filesize
52.4MB

MD5
745d07515f4134e28c7018949c322bf2

SHA1
c0f39869b974bd0bf12b16ac0727742a98789f57

SHA256
a2911abfcda6aaaa1bc4a37cbdedf4562b05c2c4458d41a4897edd5b76fe7e07

SHA512
bd48f398cd0da608a66097b2f530faa7b0a9bd853bd996418b0239bb3b92c5e554f096edd2325ee09ebf5051051b14d126e515375860ad7ba5d056e46f0bb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe

Filesize
52.4MB

MD5
745d07515f4134e28c7018949c322bf2

SHA1
c0f39869b974bd0bf12b16ac0727742a98789f57

SHA256
a2911abfcda6aaaa1bc4a37cbdedf4562b05c2c4458d41a4897edd5b76fe7e07

SHA512
bd48f398cd0da608a66097b2f530faa7b0a9bd853bd996418b0239bb3b92c5e554f096edd2325ee09ebf5051051b14d126e515375860ad7ba5d056e46f0bb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaxCare_v23.02.09.exe

Filesize
52.4MB

MD5
745d07515f4134e28c7018949c322bf2

SHA1
c0f39869b974bd0bf12b16ac0727742a98789f57

SHA256
a2911abfcda6aaaa1bc4a37cbdedf4562b05c2c4458d41a4897edd5b76fe7e07

SHA512
bd48f398cd0da608a66097b2f530faa7b0a9bd853bd996418b0239bb3b92c5e554f096edd2325ee09ebf5051051b14d126e515375860ad7ba5d056e46f0bb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qc1dqrt3.041.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\ProximityUxHost.exe

Filesize
3.9MB

MD5
4b947e3d4a5da18764a788c51c2e401f

SHA1
d54952e3f8c2de20726225d14b701ff7476c834f

SHA256
73f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a

SHA512
faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e

Download Submit
C:\Windows\ProximityUxHost.exe

Filesize
3.9MB

MD5
4b947e3d4a5da18764a788c51c2e401f

SHA1
d54952e3f8c2de20726225d14b701ff7476c834f

SHA256
73f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a

SHA512
faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e

Download Submit
C:\Windows\ProximityUxHost.exe

Filesize
3.9MB

MD5
4b947e3d4a5da18764a788c51c2e401f

SHA1
d54952e3f8c2de20726225d14b701ff7476c834f

SHA256
73f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a

SHA512
faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e

Download Submit
C:\Windows\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\Windows\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
C:\Windows\SyncHost.exe

Filesize
47KB

MD5
5698e687d698f497c02cea695a944922

SHA1
6525c9d9703fe9be44118cd98b3d9d040a4db2db

SHA256
3be42aea40996dcf6100461cd2a77f54921c160ff4044ff98f7c8810f2bb393e

SHA512
7627a773869497e9eb7d766923b9e1d841751cc5138635ec1d7d59299c2e6743b6ca06273d5bf7b0ec5e4bd46c2fb4cd418f3fb5e670959388b5b0c0f0bffaa5

Download Submit
memory/116-110-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/116-111-0x000001D5B1A90000-0x000001D5B1AA0000-memory.dmp

Filesize
64KB

Download
memory/116-112-0x000001D5B1A90000-0x000001D5B1AA0000-memory.dmp

Filesize
64KB

Download
memory/116-124-0x000001D5B1A90000-0x000001D5B1AA0000-memory.dmp

Filesize
64KB

Download
memory/116-126-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/392-34-0x0000000020980000-0x0000000020990000-memory.dmp

Filesize
64KB

Download
memory/392-0-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/392-1-0x0000000000760000-0x0000000003DB2000-memory.dmp

Filesize
54.3MB

Download
memory/392-2-0x0000000020980000-0x0000000020990000-memory.dmp

Filesize
64KB

Download
memory/392-11-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/392-72-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/544-74-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/544-123-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/544-73-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/544-75-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/544-105-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/1964-107-0x00000169FBEA0000-0x00000169FBEB0000-memory.dmp

Filesize
64KB

Download
memory/1964-109-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/1964-93-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/1964-106-0x00000169FBEA0000-0x00000169FBEB0000-memory.dmp

Filesize
64KB

Download
memory/1964-94-0x00000169FBEA0000-0x00000169FBEB0000-memory.dmp

Filesize
64KB

Download
memory/2152-24-0x0000028433770000-0x0000028433780000-memory.dmp

Filesize
64KB

Download
memory/2152-25-0x0000028433770000-0x0000028433780000-memory.dmp

Filesize
64KB

Download
memory/2152-14-0x0000028433780000-0x00000284337A2000-memory.dmp

Filesize
136KB

Download
memory/2152-18-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/2152-23-0x0000028433770000-0x0000028433780000-memory.dmp

Filesize
64KB

Download
memory/2152-29-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/2152-26-0x0000028433770000-0x0000028433780000-memory.dmp

Filesize
64KB

Download
memory/2940-138-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/2940-140-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/4748-90-0x00000225DE140000-0x00000225DE150000-memory.dmp

Filesize
64KB

Download
memory/4748-89-0x00000225DE140000-0x00000225DE150000-memory.dmp

Filesize
64KB

Download
memory/4748-88-0x00000225DE140000-0x00000225DE150000-memory.dmp

Filesize
64KB

Download
memory/4748-92-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/4748-87-0x00000225DE140000-0x00000225DE150000-memory.dmp

Filesize
64KB

Download
memory/4748-85-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/4940-42-0x000001D37A6D0000-0x000001D37A6E0000-memory.dmp

Filesize
64KB

Download
memory/4940-43-0x000001D37A6D0000-0x000001D37A6E0000-memory.dmp

Filesize
64KB

Download
memory/4940-58-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download
memory/4940-57-0x000001D37A6E0000-0x000001D37A728000-memory.dmp

Filesize
288KB

Download
memory/4940-55-0x000001D37A6D0000-0x000001D37A6E0000-memory.dmp

Filesize
64KB

Download
memory/4940-54-0x000001D37A6D0000-0x000001D37A6E0000-memory.dmp

Filesize
64KB

Download
memory/4940-41-0x00007FF9AC690000-0x00007FF9AD151000-memory.dmp

Filesize
10.8MB

Download