remcos | hxxps://docs[.]google[.]com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW

Resubmissions

18/09/2023, 14:01

230918-rbp6kaca75 10

18/09/2023, 13:15

230918-qhegzabg85 10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18/09/2023, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW

Score

10^/10

remcos furia persistence rat

Malware Config

Extracted

Family

remcos

Botnet

FURIA

comico.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RXH6GX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1624	T1738 TUTELA RAD 2023-00851.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yuvsuqnmey = "C:\\Users\\Admin\\AppData\\Roaming\\Yuvsuqnmey.exe"	T1738 TUTELA RAD 2023-00851.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 4500	1624	T1738 TUTELA RAD 2023-00851.exe	113

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
1608	msedge.exe
1608	msedge.exe
552	identity_helper.exe
552	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
1624	T1738 TUTELA RAD 2023-00851.exe
1624	T1738 TUTELA RAD 2023-00851.exe
1116	7zFM.exe
1116	7zFM.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1116	7zFM.exe
4500	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1116	7zFM.exe
Token: 35	1116	7zFM.exe
Token: SeSecurityPrivilege	1116	7zFM.exe
Token: SeDebugPrivilege	1624	T1738 TUTELA RAD 2023-00851.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1116	7zFM.exe
1116	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
572	OpenWith.exe
4500	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4288	1608	msedge.exe	83
PID 1608 wrote to memory of 4288	1608	msedge.exe	83
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 2544	1608	msedge.exe	86
PID 1608 wrote to memory of 640	1608	msedge.exe	85
PID 1608 wrote to memory of 640	1608	msedge.exe	85
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87
PID 1608 wrote to memory of 2024	1608	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=1iPOwg4hTcVfLegAcM8-57_Xpu-lehlSW
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa550a46f8,0x7ffa550a4708,0x7ffa550a4718
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6259757455051602028,15052480498820563286,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5216 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:572

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1116
- C:\Users\Admin\AppData\Local\Temp\7zOC5456AD8\T1738 TUTELA RAD 2023-00851.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5456AD8\T1738 TUTELA RAD 2023-00851.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
228B

MD5
8b9e9e5160a0664262f7e5c32ca58f33

SHA1
f650e0351346758eb2cfdc33410893e70356c593

SHA256
8aa6ae5e4aec3a0b25bc3abe86b44877d67e2b3f6881362b151b1d2e7fa4d2d2

SHA512
279a6c925b6a2fd70f4e62f98ddc198bf4a37d4816b84a86c20d25d996a7f6296e6bafe3f2679db573795f2d34476c4924d3b5ef4baf1d321e418a7adb25d2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
519B

MD5
76ef283d251879313a1ab200d83ea64b

SHA1
f27b7efc7f2b2d178b64b1d4cca6b13f30bc225c

SHA256
398435b0b79964cfe44d0ab7f370beec88a9fe956966bc69419f6c603b0d8a36

SHA512
3970c44e75b4a9c8ab1205ac75d01fb0443a5e19d621de3dd44685643afb5b885b2558267a4049c806b03495189a2fef2277da4ebe4ea9222631f85199933dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e5cd98ff439fd0fe4aca24f34efd322

SHA1
d6b73e5c1e2e749ec07cb70c46937a0958abfd9c

SHA256
0ddd74ae778785fdfbfa1a91afdb9963161c0c5ccc9edaeb8fe027f0ad192cfd

SHA512
c379f11123a1ac19a2c9b325d1899b662adcd8a5c9e79e6a5232293b37ff039376fad34e668a96ac9e72c348576de8f7d2f9c147eae84c62d733cf4b469942f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac038d1982b3df1ff22af8d86265afdb

SHA1
b879d11ff7e83e501a89538edb0a5d94397636cf

SHA256
94d5936805f5b876f168bc319007db4cfac4d4a5228f0349a63a88714a0c4f9e

SHA512
e8dd0428c7e6e5606bbb734bdcd9c0e7a87c866ea5a153015ce53c1be1ebb0042546f576f37c70a81505c91f445e901ba9675c34880b35cd887d33082cba7b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1c1eb4d697180b9c3ea737e10b84cdd

SHA1
5607b20bc25be884eb14396fe755007f7ad7b170

SHA256
b9a25ff0cbf11bc9aa0d559535735da460dbdac67e414b513df5367ed0d25570

SHA512
d3c8daa8f12b1063212d14485385ca1d5b3ec3296e99f31c39695f6fcbfc9421b95753ff1bef2203f26954d92850188907c8c3eb29afc7ce7d17e7c0c29d0ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd3abfc825510d67eb4bb85c405c7417

SHA1
aca87ed5188ad021a7c736b791c5a5d571988661

SHA256
b0ae7e64ebdc669717caa06ba63e776491df7c0b3b3e93ea785260f7baf82b16

SHA512
777b07e09e7763e5a70dd441ecc12ed11ae6f46fc5e48bd8d89c2807d1659ac825ecd7ac14bd9ceff9e667ff49626613af919fa62705ce38f11549afa4595f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc90b2a9441916895bcfd4807107af53

SHA1
1883f7caa43a8946618fd1d385e9e340144acfca

SHA256
6413d69b0fb65c76b115ee268bf6771c5f714b07216a4c6e1fced96452028c60

SHA512
5d8e87381350459abe92a7efe66222cf2e38414ae1c1c6b327f62b2a8a67b7a81e2a88eae7b4d148ea558840b1b94e5dd664f1ed10f8c4f8d44826afbe030297

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC5456AD8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC5456AD8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC5456AD8\T1738 TUTELA RAD 2023-00851.exe

Filesize
5.6MB

MD5
3ff0e1d5e93e5fe9f7f43cf51ebb8563

SHA1
cc3e03c6e43e2488653e92ade1f26045363e7e08

SHA256
2d31d6335c73a213b92b3aa923db02f3e4d688a651bba962abb5b205931d560b

SHA512
7e43f641524277bcd950919614639ded2b7ec4bcff4e7110659a7e8aac52452c035aa7e015f0731a0d3de0b0c87cffe60d1180d2d6108c9aca286822daab87c1

Download Submit
C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar

Filesize
5.2MB

MD5
b007b3fcf650d49ffd565c3f26521d31

SHA1
2bbaf0979bd07b59ba479f7fe64db842af7e67c7

SHA256
d2b9fb9178607d707042db848b4cffd5e96f158363430ee3d2b55e93642af48a

SHA512
7f6ff7425112e36200153ef85664039491329f009b53d3277d6a12938a1130c026c4991ef467bca9010412d619e554f90186127544be7cc905c0b74c263c72a1

Download Submit
C:\Users\Admin\Downloads\T1738 TUTELA RAD 2023-00851.tar

Filesize
5.2MB

MD5
b007b3fcf650d49ffd565c3f26521d31

SHA1
2bbaf0979bd07b59ba479f7fe64db842af7e67c7

SHA256
d2b9fb9178607d707042db848b4cffd5e96f158363430ee3d2b55e93642af48a

SHA512
7f6ff7425112e36200153ef85664039491329f009b53d3277d6a12938a1130c026c4991ef467bca9010412d619e554f90186127544be7cc905c0b74c263c72a1

Download Submit
memory/1624-138-0x00000000066E0000-0x000000000675E000-memory.dmp

Filesize
504KB

Download
memory/1624-133-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/1624-137-0x00000000065D0000-0x00000000066D2000-memory.dmp

Filesize
1.0MB

Download
memory/1624-131-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/1624-139-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/1624-140-0x00000000059F0000-0x0000000005A5E000-memory.dmp

Filesize
440KB

Download
memory/1624-141-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/1624-142-0x0000000007050000-0x00000000075F4000-memory.dmp

Filesize
5.6MB

Download
memory/1624-129-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/1624-146-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/1624-130-0x0000000000130000-0x00000000006C0000-memory.dmp

Filesize
5.6MB

Download
memory/4500-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-184-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-187-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-188-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-193-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-194-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4500-205-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download