Malware Analysis Report

2025-05-06 01:34

Sample ID 241116-hfrqhs1hna
Target 4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe
SHA256 4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4
Tags collection discovery spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery spyware stealer

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook accounts

Checks installed software on the system

Accesses Microsoft Outlook profiles

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Embeds OpenSSL

Unsigned PE

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 06:41

Signatures

Embeds OpenSSL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 06:41

Reported

2024-11-16 06:43

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe

"C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 06:41

Reported

2024-11-16 06:43

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe"

Signatures

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe | N/A |

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Accesses Microsoft Outlook profiles

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2304 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 2304 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 2304 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 556 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 556 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 556 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe |
| PID 2420 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2420 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2420 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | C:\Windows\SysWOW64\cmd.exe |

outlook_office_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe

"C:\Users\Admin\AppData\Local\Temp\4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4.exe"

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe

"C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe"

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe

"C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe" restart

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ver

Network


Files

C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.exe


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\PureSync.dll


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\VBCCR15.OCX


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\jb2.ocx


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\VCOMP140.DLL


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Model++Xs.dll


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\comctl32.ocx


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\ValueTransformers.dll


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\SE_CLSEditorX.dll


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\soundeffects\review.wav


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\COMDLG32.OCX


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Mscomct2.ocx


C:\Users\Admin\AppData\Roaming\Jumping Bytes\PureSync\settings.psy


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\RICHTX32.OCX


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\MSINET.OCX


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\MSCOMCTL.OCX


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\tssOfficeMenu1d.ocx


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\settings.ini


C:\Users\Admin\AppData\Local\Programs\Advanced Sync Tools\Source.dat


C:\Users\Admin\AppData\Local\Temp\Puadhuphpa
