Malware Analysis Report

2025-05-06 01:34

Sample ID 241116-bwst7axdlq
Target 2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil
SHA256 4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4
Tags collection discovery spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Unsigned PE

Embeds OpenSSL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Analysis: static1

Detonation Overview

Reported

2024-11-16 01:30

Signatures

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 01:30

Reported

2024-11-16 01:34

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 01:30

Reported

2024-11-16 01:32

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe
PID 1648 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe
PID 2136 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_c3968e6090d03e52679657e1715ea39a_hijackloader_luca-stealer_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe

"C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe"

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe

"C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe" restart

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ver

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.dll

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\VBCCR15.OCX

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\jb2.ocx

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Model++Xs.dll

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\VCOMP140.DLL

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\ValueTransformers.dll

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\SE_CLSEditorX.dll

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\soundeffects\review.wav

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\comctl32.ocx

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\COMDLG32.OCX

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Mscomct2.ocx

C:\Users\Admin\AppData\Roaming\Jumping Bytes\PureSync\settings.psy

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Source.dat

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\MSCOMCTL.OCX

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\tssOfficeMenu1d.ocx

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\RICHTX32.OCX

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\MSINET.OCX

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\settings.ini

C:\Users\Admin\AppData\Local\Temp\Sopwhduseeuq
