hxxps://docs[.]google[.]com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW

Resubmissions

18/09/2023, 13:51

230918-q6cchsca46 1

18/09/2023, 13:46

230918-q293zsca32 7

Analysis

max time kernel
63s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18/09/2023, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1560	T1738 TUTELA RAD 2023-00851.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yuvsuqnmey = "C:\\Users\\Admin\\AppData\\Roaming\\Yuvsuqnmey.exe"	T1738 TUTELA RAD 2023-00851.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
3888	msedge.exe
3888	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
5116	msedge.exe
5116	msedge.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
1560	T1738 TUTELA RAD 2023-00851.exe
3736	7zFM.exe
3736	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3736	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3736	7zFM.exe
Token: 35	3736	7zFM.exe
Token: SeSecurityPrivilege	3736	7zFM.exe
Token: SeDebugPrivilege	1560	T1738 TUTELA RAD 2023-00851.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3736	7zFM.exe
3736	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 2744	3888	msedge.exe	84
PID 3888 wrote to memory of 2744	3888	msedge.exe	84
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 1824	3888	msedge.exe	86
PID 3888 wrote to memory of 4968	3888	msedge.exe	85
PID 3888 wrote to memory of 4968	3888	msedge.exe	85
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87
PID 3888 wrote to memory of 3020	3888	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa16346f8,0x7ffaa1634708,0x7ffaa1634718
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4130521383476507840,11804499511215449741,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3736
- C:\Users\Admin\AppData\Local\Temp\7zO89E00CA8\T1738 TUTELA RAD 2023-00851.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO89E00CA8\T1738 TUTELA RAD 2023-00851.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:3360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:2724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:2284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:3724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:3988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:2616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:2508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:1328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
162e2697e8a0e4fd4f3729faa1ef327a

SHA1
b1d261cd1a5ee34948ea3cdb8b39c7ff1dc6c005

SHA256
e632e1af10822e2356e052985a73c933e1bca6b1bddb9b932805155f4d0727ee

SHA512
e943d6573c40c2f2ad77be5f74d1715343223ee76fc0b98357a75a79d4addc73618127dd84e0a00155e0c8697538623dc83f27c1b7f17ad9f6281442ae163c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e61957e4dd7f518398e939aa6f6fbdba

SHA1
bd15a1c7659f793439db3fc142cddfaf41f3c579

SHA256
517bee330ee47fd41bb3a09f00d11be0a38fe11bc6f1bf7e1a495c89b00bfc63

SHA512
4151e11388352dc50e1a90147e30c01eb6ab9c5867a17728106a7d4c3815cc3e846b8c736e3d93ddf4de4bdf9dacb6e8d873b8eae4b25f2eb8867f2ec15f1739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a830224c795f88b968e36c728ef5b4c7

SHA1
24859a3605e3f2ad3bae8253a5305364d7d468d9

SHA256
00aa201ded42dbf2fb33fa5cb05f6b1b1867e9d26be691bb6361c0c21420ab05

SHA512
7c732632c85095985f3cf1c109ac5815503da392ae49e76f8f3092a97aa126492c551e15b54bc01d0ee137292392980ddaa2ae5212f9aa59f4b8d70d47e8f13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
655481fd201ac8ae26e014393f0ada2f

SHA1
cb8b55a3f04829f8fcfb216edef130e75d250600

SHA256
cd5d38569151029ecbba99d06ecc57d69bd32fb9bcdc0b97a668d5b01ca55547

SHA512
9383dd1857ad25dd8f0e4b24262ad64bc790d65e63ba7e75dc5a1ae5ff286dc57174b81464388859089b361fecb59182ca2e1aeb7fe07f2bdd62586833ee381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO89E00CA8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO89E00CA8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO89E00CA8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar

Filesize
5.2MB

MD5
b007b3fcf650d49ffd565c3f26521d31

SHA1
2bbaf0979bd07b59ba479f7fe64db842af7e67c7

SHA256
d2b9fb9178607d707042db848b4cffd5e96f158363430ee3d2b55e93642af48a

SHA512
7f6ff7425112e36200153ef85664039491329f009b53d3277d6a12938a1130c026c4991ef467bca9010412d619e554f90186127544be7cc905c0b74c263c72a1

Download Submit
C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar

Filesize
5.2MB

MD5
b007b3fcf650d49ffd565c3f26521d31

SHA1
2bbaf0979bd07b59ba479f7fe64db842af7e67c7

SHA256
d2b9fb9178607d707042db848b4cffd5e96f158363430ee3d2b55e93642af48a

SHA512
7f6ff7425112e36200153ef85664039491329f009b53d3277d6a12938a1130c026c4991ef467bca9010412d619e554f90186127544be7cc905c0b74c263c72a1

Download Submit
memory/1560-114-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/1560-113-0x0000000000160000-0x00000000006F0000-memory.dmp

Filesize
5.6MB

Download
memory/1560-112-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1560-115-0x0000000001140000-0x0000000001146000-memory.dmp

Filesize
24KB

Download
memory/1560-116-0x0000000006610000-0x0000000006712000-memory.dmp

Filesize
1.0MB

Download
memory/1560-117-0x0000000006720000-0x000000000679E000-memory.dmp

Filesize
504KB

Download
memory/1560-118-0x00000000069A0000-0x0000000006A0E000-memory.dmp

Filesize
440KB

Download
memory/1560-119-0x0000000006A90000-0x0000000006ADC000-memory.dmp

Filesize
304KB

Download
memory/1560-120-0x0000000007100000-0x00000000076A4000-memory.dmp

Filesize
5.6MB

Download
memory/1560-123-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download