recordbreaker | aba77fcc24b7172206eda1a7f47eff0e0f2fe6ad988536d995ab38ee1a28e783

Analysis

max time kernel
107s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProtonVPN.msi
Size

1.5MB
MD5

926ec22b8ba727571a2f85148489fd85
SHA1

e6cb03d143489f3af01575de4ea917b680109105
SHA256

aba77fcc24b7172206eda1a7f47eff0e0f2fe6ad988536d995ab38ee1a28e783
SHA512

c1a344377997ebb354d2bf0c916744a28723aa0845a4cb4a6b59eb6be4317f205386628b4a7bba5baba47203a628c843190de64532dc5496c8396a738da8407a

Score

10^/10

recordbreaker discovery spyware stealer suricata

Malware Config

Extracted

Family

recordbreaker

http://142.132.229.12/

http://164.92.172.4/

Signatures

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

X5C2FUk80DDy5JAd.exe

pid	Process
2252	X5C2FUk80DDy5JAd.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeInstallUtil.exe

pid	Process
992	MsiExec.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

ICACLS.EXEICACLS.EXE

pid	Process
3108	ICACLS.EXE
3200	ICACLS.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

X5C2FUk80DDy5JAd.exe

description	pid	Process	procid_target
PID 2252 set thread context of 1808	2252	X5C2FUk80DDy5JAd.exe	104

Drops file in Windows directory 9 IoCs

Processes:

EXPAND.EXEmsiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18E7.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e5716e3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5716e3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{561DFC68-E9CD-4346-9DC2-56D46C9D008F}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msiexec.exeX5C2FUk80DDy5JAd.exe

pid	Process
2644	msiexec.exe
2644	msiexec.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe
2252	X5C2FUk80DDy5JAd.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	Process
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeMachineAccountPrivilege	2600	msiexec.exe
Token: SeTcbPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeTakeOwnershipPrivilege	2600	msiexec.exe
Token: SeLoadDriverPrivilege	2600	msiexec.exe
Token: SeSystemProfilePrivilege	2600	msiexec.exe
Token: SeSystemtimePrivilege	2600	msiexec.exe
Token: SeProfSingleProcessPrivilege	2600	msiexec.exe
Token: SeIncBasePriorityPrivilege	2600	msiexec.exe
Token: SeCreatePagefilePrivilege	2600	msiexec.exe
Token: SeCreatePermanentPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2600	msiexec.exe
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeAuditPrivilege	2600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2600	msiexec.exe
Token: SeChangeNotifyPrivilege	2600	msiexec.exe
Token: SeRemoteShutdownPrivilege	2600	msiexec.exe
Token: SeUndockPrivilege	2600	msiexec.exe
Token: SeSyncAgentPrivilege	2600	msiexec.exe
Token: SeEnableDelegationPrivilege	2600	msiexec.exe
Token: SeManageVolumePrivilege	2600	msiexec.exe
Token: SeImpersonatePrivilege	2600	msiexec.exe
Token: SeCreateGlobalPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	4560	vssvc.exe
Token: SeRestorePrivilege	4560	vssvc.exe
Token: SeAuditPrivilege	4560	vssvc.exe
Token: SeBackupPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	3628	srtasks.exe
Token: SeRestorePrivilege	3628	srtasks.exe
Token: SeSecurityPrivilege	3628	srtasks.exe
Token: SeTakeOwnershipPrivilege	3628	srtasks.exe
Token: SeBackupPrivilege	3628	srtasks.exe
Token: SeRestorePrivilege	3628	srtasks.exe
Token: SeSecurityPrivilege	3628	srtasks.exe
Token: SeTakeOwnershipPrivilege	3628	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2600	msiexec.exe
2600	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

msiexec.exeMsiExec.exeX5C2FUk80DDy5JAd.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 3628	2644	msiexec.exe	88
PID 2644 wrote to memory of 3628	2644	msiexec.exe	88
PID 2644 wrote to memory of 992	2644	msiexec.exe	91
PID 2644 wrote to memory of 992	2644	msiexec.exe	91
PID 2644 wrote to memory of 992	2644	msiexec.exe	91
PID 992 wrote to memory of 3108	992	MsiExec.exe	92
PID 992 wrote to memory of 3108	992	MsiExec.exe	92
PID 992 wrote to memory of 3108	992	MsiExec.exe	92
PID 992 wrote to memory of 552	992	MsiExec.exe	94
PID 992 wrote to memory of 552	992	MsiExec.exe	94
PID 992 wrote to memory of 552	992	MsiExec.exe	94
PID 992 wrote to memory of 2252	992	MsiExec.exe	96
PID 992 wrote to memory of 2252	992	MsiExec.exe	96
PID 992 wrote to memory of 2252	992	MsiExec.exe	96
PID 2252 wrote to memory of 2276	2252	X5C2FUk80DDy5JAd.exe	103
PID 2252 wrote to memory of 2276	2252	X5C2FUk80DDy5JAd.exe	103
PID 2252 wrote to memory of 2276	2252	X5C2FUk80DDy5JAd.exe	103
PID 2252 wrote to memory of 1808	2252	X5C2FUk80DDy5JAd.exe	104
PID 2252 wrote to memory of 1808	2252	X5C2FUk80DDy5JAd.exe	104
PID 2252 wrote to memory of 1808	2252	X5C2FUk80DDy5JAd.exe	104
PID 2252 wrote to memory of 1808	2252	X5C2FUk80DDy5JAd.exe	104
PID 2252 wrote to memory of 1808	2252	X5C2FUk80DDy5JAd.exe	104
PID 992 wrote to memory of 1424	992	MsiExec.exe	105
PID 992 wrote to memory of 1424	992	MsiExec.exe	105
PID 992 wrote to memory of 1424	992	MsiExec.exe	105
PID 992 wrote to memory of 3200	992	MsiExec.exe	107
PID 992 wrote to memory of 3200	992	MsiExec.exe	107
PID 992 wrote to memory of 3200	992	MsiExec.exe	107

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ProtonVPN.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1ACE251A19173D972EE717C65563D3BB
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3108
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files\X5C2FUk80DDy5JAd.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files\X5C2FUk80DDy5JAd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Loads dropped DLL
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files.cab

Filesize
1.1MB

MD5
11983dda7f04b10dde29656cd05e119f

SHA1
c43dfb4a404b183cf7b69120224329aa22b598d5

SHA256
9a47c85b7508ede06caefc61cfdf5a9f3b757dd64cf41cf7dbe25c72c17b059b

SHA512
3ba1821de94ac45dfffe0a868ba2e21de3ce96bf8a1c02fc1be6e19ce638f118f78248c5fb04b33569e59b768d572c7cc7bc280083d4586339a83a4321c7eae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files\X5C2FUk80DDy5JAd.exe

Filesize
1.6MB

MD5
fb0e77955a8b400a73e4156d1d66e860

SHA1
0eb0910fba5418dffeb59ccf7cff5bb2af4d9ebb

SHA256
ab3110124ba23e717a71eedbcf44197b20308efa621118dd4fcc936a8976cdfa

SHA512
bad2a0b4b1df892c21085985452bd1bd7a314f697813ae2199c734c3432b1beb23a0039b8629e4ab27c57eb79c6996d6b2d30f33804608e33280f7031f77af12

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\files\X5C2FUk80DDy5JAd.exe

Filesize
1.6MB

MD5
fb0e77955a8b400a73e4156d1d66e860

SHA1
0eb0910fba5418dffeb59ccf7cff5bb2af4d9ebb

SHA256
ab3110124ba23e717a71eedbcf44197b20308efa621118dd4fcc936a8976cdfa

SHA512
bad2a0b4b1df892c21085985452bd1bd7a314f697813ae2199c734c3432b1beb23a0039b8629e4ab27c57eb79c6996d6b2d30f33804608e33280f7031f77af12

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-663a8a66-2980-4a26-9311-e53c9773d47b\msiwrapper.ini

Filesize
1KB

MD5
a1176e396deed4b36370d2382fc6c7e6

SHA1
3b489222eabf92467af4f0321f4572a5b37dd079

SHA256
4d993ab274eca4a721867ab9db85834ab25aa36cdb15a51b51f58a8871bd008f

SHA512
143f0049c06ad54a95a4e6edf5bd49752635e874ff4e6f7017ae1af07c8b774e225f42fca63c5099434db50ab99859fe5315106d7243f446454deb00a4e86730

Download Submit
C:\Windows\Installer\MSI18E7.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI18E7.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
bb22a548070403cb77cbde6ae26046cb

SHA1
7876cc7332e576d60662e157feeb21a7ce1bf537

SHA256
085b66b1220a9d0f69c09c9334373f7d4c87bba83fdac3e737a37d733bf67822

SHA512
58280832898f8877a56016465084971e552f350fee4cf0c42da7b18f08e610da3c7560e8f79eb8b8bedec8cedd1db6c114a68b982efcb510aa738befa00536bd

Download Submit
\??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aff65eb3-f5d8-4f27-b61c-4c1ed5b5e0dc}_OnDiskSnapshotProp

Filesize
5KB

MD5
6cc0081d3ebe850d207b219634400691

SHA1
8228a4b086cbcac8ba49fa72157d443ff9d762f7

SHA256
1e234647fd2386e6ad87d8c4b1fabc26669851f9742ea8ac1d9098c734720d8b

SHA512
336fe930b6d5558f9d4aeb866ed43d588f5e08608d4bf6b469c7e765dd21bb82daafd1646d557a7f60dc62fc490170a522f4aa03062587a14521a626493fb7b0

Download Submit
memory/552-137-0x0000000000000000-mapping.dmp

Download
memory/992-131-0x0000000000000000-mapping.dmp

Download
memory/1424-159-0x0000000000000000-mapping.dmp

Download
memory/1808-160-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-152-0x0000000000000000-mapping.dmp

Download
memory/1808-165-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-157-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2252-149-0x000000000ECC0000-0x000000000ED99000-memory.dmp

Filesize
868KB

Download
memory/2252-143-0x0000000002E60000-0x0000000002FAF000-memory.dmp

Filesize
1.3MB

Download
memory/2252-150-0x000000000ECC0000-0x000000000ED99000-memory.dmp

Filesize
868KB

Download
memory/2252-144-0x0000000002E60000-0x0000000002FAF000-memory.dmp

Filesize
1.3MB

Download
memory/2252-148-0x0000000002E60000-0x0000000002FAF000-memory.dmp

Filesize
1.3MB

Download
memory/2252-158-0x0000000002E60000-0x0000000002FAF000-memory.dmp

Filesize
1.3MB

Download
memory/2252-147-0x0000000003060000-0x0000000003459000-memory.dmp

Filesize
4.0MB

Download
memory/2252-141-0x0000000003060000-0x0000000003459000-memory.dmp

Filesize
4.0MB

Download
memory/2252-139-0x0000000000000000-mapping.dmp

Download
memory/2252-142-0x0000000003060000-0x0000000003459000-memory.dmp

Filesize
4.0MB

Download
memory/2276-151-0x0000000000000000-mapping.dmp

Download
memory/3108-134-0x0000000000000000-mapping.dmp

Download
memory/3200-161-0x0000000000000000-mapping.dmp

Download
memory/3628-130-0x0000000000000000-mapping.dmp

Download