c05163a1b43b0111c167363f2510dfdf726d30c9c8b0a91c98e2cb8cd8a4fdbc

Analysis

max time kernel
32s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

photosync_setup.exe
Size

5.9MB
MD5

a4e8d8c838ffc19e0ea227abacd2b5d2
SHA1

4372afa05a0a8cc241af5593e48d6904e2423e88
SHA256

c05163a1b43b0111c167363f2510dfdf726d30c9c8b0a91c98e2cb8cd8a4fdbc
SHA512

b929c14fdb10a889707391c8f4ade27905593f7d562464d5595d9578d18c8e93084c1eb5f17488ed94c66fa3d0a71469f9ef4f1c1676356fb93a9fd1f5bd6f31
SSDEEP

98304:eQsuCfBBecaPT4IMQ8wVDaDsBJ2hqpcutkSYhmJ262lZoV4wn/Si4nYrxuDzKQb:eQzqBBedPT4IMQ8EDYMtWk2LcV4SAYrq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
40	3564	msiexec.exe
42	3564	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	photosync_setup_x64.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\PhotoSync.exe	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files\PhotoSync\System.ValueTuple.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files\PhotoSync\Common.Logging.Core.xml	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\EmbedIO.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\es\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ExifLibrary.dll.config	photosync_setup_x64.exe
File opened for modification	C:\Program Files\PhotoSync\SharpShell.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\PhotoSync\SharpShell.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Makaretu.Dns.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\PhotoSyncShellExtension.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files\PhotoSync\zh-Hans\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\BugSplatDotNet.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Nunycode.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\PhotoSync.exe.config	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Swan.Lite.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\BsSndRpt.exe	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Common.Logging.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Newtonsoft.Json.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ZeroconfService.xml	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\log4net.xml	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\Interop.NETWORKLIST.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Swan.Lite.xml	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\EmbedIO.xml	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\shortcut.vbs	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\SimpleBase.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\PhotoSync\de\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ja\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\zh-Hant\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\System.Net.IPNetwork.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ko\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\AppLimit.NetSparkle.Net40.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\Common.Logging.xml	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files\PhotoSync\uninstall.exe	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\fr\PhotoSync.resources.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ManagedWifi.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ExifLibrary.dll	photosync_setup_x64.exe
File created	C:\Program Files\PhotoSync\ZeroconfService.dll	photosync_setup_x64.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files\PhotoSync\Common.Logging.Core.dll	photosync_setup_x64.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File created	C:\Windows\Installer\e581d37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C60.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI243D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2691.tmp	msiexec.exe
File created	C:\Windows\Installer\e581d3c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581d37.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
3788	photosync_setup_x64.exe
4160	mDNSResponder.exe
2540	Process not Found
1680	PhotoSync.exe

Loads dropped DLL 20 IoCs

pid	Process
940	photosync_setup.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
5060	MsiExec.exe
5060	MsiExec.exe
5060	MsiExec.exe
2592	MsiExec.exe
2592	MsiExec.exe
4420	MsiExec.exe
2084	MsiExec.exe
2736	MsiExec.exe
4132	Process not Found
1376	Process not Found
2476	Process not Found

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService.1\ = "DNSSDService Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager\ = "DNSSDEventManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\CLSID\ = "{AFEE063C-05BA-4248-A26E-168477F49734}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CurVer\ = "Bonjour.DNSSDService.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ = "_IDNSSDEvents"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods\ = "9"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D\2B0163E6D0340BE4183EB2758E9BEDD8	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8\Bonjour	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe
3788	photosync_setup_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4624	msiexec.exe
Token: SeSecurityPrivilege	3564	msiexec.exe
Token: SeCreateTokenPrivilege	4624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4624	msiexec.exe
Token: SeLockMemoryPrivilege	4624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4624	msiexec.exe
Token: SeMachineAccountPrivilege	4624	msiexec.exe
Token: SeTcbPrivilege	4624	msiexec.exe
Token: SeSecurityPrivilege	4624	msiexec.exe
Token: SeTakeOwnershipPrivilege	4624	msiexec.exe
Token: SeLoadDriverPrivilege	4624	msiexec.exe
Token: SeSystemProfilePrivilege	4624	msiexec.exe
Token: SeSystemtimePrivilege	4624	msiexec.exe
Token: SeProfSingleProcessPrivilege	4624	msiexec.exe
Token: SeIncBasePriorityPrivilege	4624	msiexec.exe
Token: SeCreatePagefilePrivilege	4624	msiexec.exe
Token: SeCreatePermanentPrivilege	4624	msiexec.exe
Token: SeBackupPrivilege	4624	msiexec.exe
Token: SeRestorePrivilege	4624	msiexec.exe
Token: SeShutdownPrivilege	4624	msiexec.exe
Token: SeDebugPrivilege	4624	msiexec.exe
Token: SeAuditPrivilege	4624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4624	msiexec.exe
Token: SeChangeNotifyPrivilege	4624	msiexec.exe
Token: SeRemoteShutdownPrivilege	4624	msiexec.exe
Token: SeUndockPrivilege	4624	msiexec.exe
Token: SeSyncAgentPrivilege	4624	msiexec.exe
Token: SeEnableDelegationPrivilege	4624	msiexec.exe
Token: SeManageVolumePrivilege	4624	msiexec.exe
Token: SeImpersonatePrivilege	4624	msiexec.exe
Token: SeCreateGlobalPrivilege	4624	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 3788	940	photosync_setup.exe	89
PID 940 wrote to memory of 3788	940	photosync_setup.exe	89
PID 940 wrote to memory of 3788	940	photosync_setup.exe	89
PID 3788 wrote to memory of 4624	3788	photosync_setup_x64.exe	94
PID 3788 wrote to memory of 4624	3788	photosync_setup_x64.exe	94
PID 3788 wrote to memory of 4624	3788	photosync_setup_x64.exe	94
PID 3564 wrote to memory of 5060	3564	msiexec.exe	98
PID 3564 wrote to memory of 5060	3564	msiexec.exe	98
PID 3564 wrote to memory of 2592	3564	msiexec.exe	99
PID 3564 wrote to memory of 2592	3564	msiexec.exe	99
PID 3564 wrote to memory of 2592	3564	msiexec.exe	99
PID 3564 wrote to memory of 4420	3564	msiexec.exe	100
PID 3564 wrote to memory of 4420	3564	msiexec.exe	100
PID 3564 wrote to memory of 4420	3564	msiexec.exe	100
PID 3564 wrote to memory of 2084	3564	msiexec.exe	102
PID 3564 wrote to memory of 2084	3564	msiexec.exe	102
PID 3564 wrote to memory of 2736	3564	msiexec.exe	103
PID 3564 wrote to memory of 2736	3564	msiexec.exe	103
PID 3564 wrote to memory of 2736	3564	msiexec.exe	103
PID 3788 wrote to memory of 2436	3788	photosync_setup_x64.exe	107
PID 3788 wrote to memory of 2436	3788	photosync_setup_x64.exe	107
PID 3788 wrote to memory of 1680	3788	photosync_setup_x64.exe	110
PID 3788 wrote to memory of 1680	3788	photosync_setup_x64.exe	110
PID 3788 wrote to memory of 1680	3788	photosync_setup_x64.exe	110

C:\Users\Admin\AppData\Local\Temp\photosync_setup.exe
"C:\Users\Admin\AppData\Local\Temp\photosync_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\Installer\photosync_setup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer\photosync_setup_x64.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\Bonjour64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PhotoSync\PhotoSyncShellExtension.dll"
    3⤵
    PID:2436
- - C:\Program Files\PhotoSync\PhotoSync.exe
    "C:\Program Files\PhotoSync\PhotoSync.exe"
    3⤵
    - Executes dropped EXE
    PID:1680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B353050ADE306175D624D327421812B0
  2⤵
  - Loads dropped DLL
  PID:5060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33C3CC9D36E8809F2FF5552391F35881
  2⤵
  - Loads dropped DLL
  PID:2592
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 12C537135241DFE02649AF786FC9C32A E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4420
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:2084
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:2736

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581d3a.rbs

Filesize
126KB

MD5
e64f107314c8366d7c955fdfae611350

SHA1
5f01c5cc262bcd26c9db983b07ec7f4abb7e9547

SHA256
6e4e428f62efee387c4997490daa0e2c42079a105c7e7d465c55b4297171bf80

SHA512
5a78854bdc6248693242e785327a6d83a65d7610f81674e37c56bbe981ac825c8dcdeb2f1525e70c502afc263cd0ad86d6790bf6442a6acead8c77a9e69d3ab7

Download Submit
C:\Program Files (x86)\Bonjour\mDNSResponder.exe

Filesize
381KB

MD5
db5bea73edaf19ac68b2c0fad0f92b1a

SHA1
74bb0197763e386036751bf30c5bbf4c389fa24e

SHA256
10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc

SHA512
63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Program Files\PhotoSync\BugSplatDotNet.dll

Filesize
25KB

MD5
41a4144993742928c3fd2b9ddbe07312

SHA1
688bfa717945c90e75443c0e90ee437bba1b0f9b

SHA256
89c2d2d6c9291c19aa7edc668f5adbe9ad0a37dceb2c4678ab0804d4244fd637

SHA512
b2da5c412ec1b659c7507027048c74f519dddfac203a22187dbe9f909956ec42886c226b9c48f6945e3f394518231ca35833a7ea638eb5603a0eed1704836078

Download Submit
C:\Program Files\PhotoSync\BugSplatDotNet.dll

Filesize
25KB

MD5
41a4144993742928c3fd2b9ddbe07312

SHA1
688bfa717945c90e75443c0e90ee437bba1b0f9b

SHA256
89c2d2d6c9291c19aa7edc668f5adbe9ad0a37dceb2c4678ab0804d4244fd637

SHA512
b2da5c412ec1b659c7507027048c74f519dddfac203a22187dbe9f909956ec42886c226b9c48f6945e3f394518231ca35833a7ea638eb5603a0eed1704836078

Download Submit
C:\Program Files\PhotoSync\BugSplatDotNet.dll

Filesize
25KB

MD5
41a4144993742928c3fd2b9ddbe07312

SHA1
688bfa717945c90e75443c0e90ee437bba1b0f9b

SHA256
89c2d2d6c9291c19aa7edc668f5adbe9ad0a37dceb2c4678ab0804d4244fd637

SHA512
b2da5c412ec1b659c7507027048c74f519dddfac203a22187dbe9f909956ec42886c226b9c48f6945e3f394518231ca35833a7ea638eb5603a0eed1704836078

Download Submit
C:\Program Files\PhotoSync\PhotoSync.exe

Filesize
1.5MB

MD5
d54816a80dbdd1e9899fbfde9785b547

SHA1
0d0d6b522900e9b617b38e5e154e22a71c0d0f68

SHA256
45223bb40083f22682d2fff3efa45e6a83050e05b88260844f36e7eccd59a19c

SHA512
7890642a3e790884d434e6c7e3fdd201fb064703ac6acc91020ff3cea906eadcb511d2215e246f1f79ad92f7726729916bf79e01beea9c75deca412d5888d358

Download Submit
C:\Program Files\PhotoSync\PhotoSync.exe

Filesize
1.5MB

MD5
d54816a80dbdd1e9899fbfde9785b547

SHA1
0d0d6b522900e9b617b38e5e154e22a71c0d0f68

SHA256
45223bb40083f22682d2fff3efa45e6a83050e05b88260844f36e7eccd59a19c

SHA512
7890642a3e790884d434e6c7e3fdd201fb064703ac6acc91020ff3cea906eadcb511d2215e246f1f79ad92f7726729916bf79e01beea9c75deca412d5888d358

Download Submit
C:\Program Files\PhotoSync\PhotoSync.exe

Filesize
1.5MB

MD5
d54816a80dbdd1e9899fbfde9785b547

SHA1
0d0d6b522900e9b617b38e5e154e22a71c0d0f68

SHA256
45223bb40083f22682d2fff3efa45e6a83050e05b88260844f36e7eccd59a19c

SHA512
7890642a3e790884d434e6c7e3fdd201fb064703ac6acc91020ff3cea906eadcb511d2215e246f1f79ad92f7726729916bf79e01beea9c75deca412d5888d358

Download Submit
C:\Program Files\PhotoSync\PhotoSync.exe.config

Filesize
5KB

MD5
c868b6ef30d52eedca292550b6289c57

SHA1
0d08e8df10a076e5fbe1b88f1a0557b6c3dbf44c

SHA256
2ee6d5522568d6824677d9fed8587c242353ce0187e325229a5d6c5bb15c6744

SHA512
57202ed0f1fa361092259a1f6c6b7b20605c57d163ee44968e68e2670db3ae58a981f8b05b39b4a613258ad1ded75b2e229e1997d5fe31f500546ec5357dcbad

Download Submit
C:\Program Files\PhotoSync\PhotoSyncShellExtension.dll

Filesize
11KB

MD5
12cd8e2b51816e852c97e562ef66a58b

SHA1
c1a8d3ea13c625bf7dde3702380785c9fe914828

SHA256
94ad6949e77e7e73e4921cde172041a40b28ffcb8a1e5268b41c654aa24c4105

SHA512
6d3ee7bf142cf9f93066f1570e84a97b45e59588f90a64235f2715b83f1883e64da8d6f28d646bc4a438243abb049a7c49e06a4eb5e0a0cc7e57bf22faf12aab

Download Submit
C:\Program Files\PhotoSync\log4net.dll

Filesize
264KB

MD5
46319a38ce5d09020d2ac56b67829c6c

SHA1
ffe64ca4d4bc9e1dab1d195982d22121a6baa058

SHA256
1d45a6afa38f0b10814063f2a42e6efce45752853667650e765844b8566b3332

SHA512
0de61771a92ee71470e51bccf66d3a39c105ae23d60e73d8e4e7d44135dff4c8d1dddff9bbb6be72ff083d51c784e5ca829a6adefee87fd901d2de58db0ddb03

Download Submit
C:\Program Files\PhotoSync\log4net.dll

Filesize
264KB

MD5
46319a38ce5d09020d2ac56b67829c6c

SHA1
ffe64ca4d4bc9e1dab1d195982d22121a6baa058

SHA256
1d45a6afa38f0b10814063f2a42e6efce45752853667650e765844b8566b3332

SHA512
0de61771a92ee71470e51bccf66d3a39c105ae23d60e73d8e4e7d44135dff4c8d1dddff9bbb6be72ff083d51c784e5ca829a6adefee87fd901d2de58db0ddb03

Download Submit
C:\Program Files\PhotoSync\log4net.dll

Filesize
264KB

MD5
46319a38ce5d09020d2ac56b67829c6c

SHA1
ffe64ca4d4bc9e1dab1d195982d22121a6baa058

SHA256
1d45a6afa38f0b10814063f2a42e6efce45752853667650e765844b8566b3332

SHA512
0de61771a92ee71470e51bccf66d3a39c105ae23d60e73d8e4e7d44135dff4c8d1dddff9bbb6be72ff083d51c784e5ca829a6adefee87fd901d2de58db0ddb03

Download Submit
C:\Program Files\PhotoSync\uninstall.exe

Filesize
178KB

MD5
31ba1dab6d7f394f18fde8eefc287979

SHA1
660a0aa1c9fb1daf1b0b1ffea63ac1d4c087f9cc

SHA256
4eca652388ce1167494f1c3ac9941a71913f09a247a51a3cde6b4c4412b0cf7c

SHA512
37029f6368de904b3806c941431e3c143f9583cfd41cc642c3e19c19e8504f49d9295b3222734b2a9792e8dac8a9fa8eb55735880e3315b8e51f5ba7bdd21d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bonjour64.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer\photosync_setup_x64.exe

Filesize
3.1MB

MD5
22fa393d0fc589cb1e5f0bb4738e1ce3

SHA1
880edce25807650ecad05c49e4a45a63c4ac4042

SHA256
1c2466c33712db28138b1c913dbe64f94831dc3debf623a827a2aa5321168b24

SHA512
e6f82077ad3cbf78ef7feb886bfb7631c7f7267e3a1490f98ea3fb2f051a2fa589354ecacf00146d80c2be8eb817aca42aea712d63567e6d9ab0c453b38d96dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer\photosync_setup_x64.exe

Filesize
3.1MB

MD5
22fa393d0fc589cb1e5f0bb4738e1ce3

SHA1
880edce25807650ecad05c49e4a45a63c4ac4042

SHA256
1c2466c33712db28138b1c913dbe64f94831dc3debf623a827a2aa5321168b24

SHA512
e6f82077ad3cbf78ef7feb886bfb7631c7f7267e3a1490f98ea3fb2f051a2fa589354ecacf00146d80c2be8eb817aca42aea712d63567e6d9ab0c453b38d96dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshFCD0.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxFF51.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Windows\Installer\MSI23A0.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI23A0.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI243D.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI243D.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI2691.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI2691.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI2691.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI26D1.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI26D1.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI28C6.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI28C6.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI2C60.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI2C60.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSI2C60.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\e581d37.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
memory/1680-302-0x00000000025A0000-0x00000000025AA000-memory.dmp

Filesize
40KB

Download
memory/1680-304-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/1680-308-0x0000000005040000-0x0000000005086000-memory.dmp

Filesize
280KB

Download
memory/1680-303-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/1680-298-0x0000000000010000-0x0000000000198000-memory.dmp

Filesize
1.5MB

Download
memory/1680-296-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1680-309-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download