remcos | hxxps://docs[.]google[.]com/uc?export=download&id=1O_9GOOcLZvJOE4vs4mrnXzmBJEI_RyxO

Analysis

max time kernel
390s
max time network
365s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1O_9GOOcLZvJOE4vs4mrnXzmBJEI_RyxO

Score

10^/10

remcos vuendia discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

VUENDIA

jorgeperezpu145.con-ip.com:1661

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I897UU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
4904	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe
1648	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CertainThings = "C:\\Users\\Admin\\Pictures\\GamingUnu\\GamingHeadset.exe"	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133711094075727013"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
4184	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1540	1596	chrome.exe	84
PID 1596 wrote to memory of 1540	1596	chrome.exe	84
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 1852	1596	chrome.exe	85
PID 1596 wrote to memory of 4328	1596	chrome.exe	86
PID 1596 wrote to memory of 4328	1596	chrome.exe	86
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87
PID 1596 wrote to memory of 1080	1596	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=1O_9GOOcLZvJOE4vs4mrnXzmBJEI_RyxO
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5fbbcc40,0x7ffe5fbbcc4c,0x7ffe5fbbcc58
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1680,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=724,i,8195275690833477214,13609905399149118782,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Analisis\" -an -ai#7zMap26929:152:7zEvent21050
1⤵
- Suspicious use of FindShellTrayWindow
PID:4184

C:\Users\Admin\Desktop\Analisis\MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe
"C:\Users\Admin\Desktop\Analisis\MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4904
- C:\Users\Admin\Desktop\Analisis\MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe
  "C:\Users\Admin\Desktop\Analisis\MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
130B

MD5
65338260a91086c2dd732623a1320abf

SHA1
3c93cfe7c23affb0320640eae722f9a02554d19c

SHA256
831b80ad0facd43fb9bd2f72c0a8f63beeb0dbd63cbdf64bfab9a86db93824de

SHA512
45b9da157b294515dded662ea8350d7cadbe81d6caac95ddcc7ef9a75528a6217c2a5d3b0888ecce734cff61de15f891effc9d6e1eef8475fb2ea86f09cdd20b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fdf13822fc520effff6fe87de3eba67c

SHA1
060df2467fb8dbe1be5587408000fcd7bf106e96

SHA256
dff35380c4aededeb6c5782410f9a08556bd4319822d7b2ce170170dfa36f023

SHA512
0a200d483860a904f0ead5001e1225f61e9a40696d6fca8cf5ac5e5cc159f9495b38ac8c48bb6a1054f7e236f91645e195425dccd3268271f9a1e7b1e99161de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c9a767f0918270c4f266e673f315097f

SHA1
62663d3009e697da1d4e4bd0127f7a717b92f9d7

SHA256
3d5a63f2b6a01a66a96a8e26510315c5e14f804d8f9f183dcd8aa29e727c98ab

SHA512
3e3ae0c0a7b5cd8becb9c45c9d0210fd7270123ebcc8cb48d4d848193a18a16744175ffd2dc5f470df3e267f440047a2187092f5318eeca93044b4a243dd151e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
69cc84ee643acfc1d3eaf4bb3020a1e7

SHA1
b2eb386b060b777ff3d80b5206a412a33eb85438

SHA256
88f904fa6376aac82ab7a50a4282bc75fb887bbcd26fa99723b7a38864abea77

SHA512
1e65206b05dcba4dca8669264be2a1c12509ce2fd01f515caa1c119361702943251181a7fdcd3ab94cee355ff40396768af163d57d952f29ffb2b17e9b683c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
e7b20253131fdb0a323b6cfc771c8269

SHA1
633b74b821b4f3553a8a02dcdd999db875941c44

SHA256
54fc0c0cf77079a341f7235ed51806a46ef6c3a70bf4a297124cba2e1e2af050

SHA512
bcbeb198a4bc3939b3df8ac555e5b8e13fe86c747ec6e787bf3d5386611ee777bd7f45b11849508123d8a417e7af23205b68d416b52102e351296a9825bdec40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
217c54d33c3f0948dc1fb4b0210bfd26

SHA1
6cae1bd23cdee79acdf96fe6b2028a40a40737c0

SHA256
c360c0bcc515ce1d0eb9f03a020682cb367091074d202b6698425973255215ad

SHA512
cd268f1360fd52cccea44dae4e9c713c17d9ca21fc346b62da9bef59d5d4d9a31ae410aa241d986d6ec5a31e0d1a5c106295a219a47eec207da0dfa7c4f8d688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
efde8398f153c8ef77896df8f98241e3

SHA1
0126322e656c141cd8ea67a5489589f954ca3217

SHA256
2aad192e2aafebfcdb225b428c7525498251ceb72e93804517bc92536bd1faf8

SHA512
89b755be24fe2a97046782a7000ee8ded8a366b0554b0e7bb656a20cd176ce1a9a0ebd5330a5dd2dfd0ee6d2d76a431cb6b002830ec9e867a87709c7a6c3026d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da43041bc5baca075dc964b3cb7fdb54

SHA1
625e975a45af052b8f0a547dc263292d90184e8d

SHA256
784788d9312dfbb50b3e9adce76f28f6c298cf5d7a8a9fc10089f87ab56c7ab2

SHA512
fafb7c525ab76915754fac1eddcd0557894441865d9ad6dda9aba98922161598fe6564e0790c5903aecf461e0b956c8ceb91b88c53e293a1fac1c9a6539038d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7fe294d8b8d86ae40c7bf318d0d15ec

SHA1
55c73842f9420bd069443fef067c17803f6230b4

SHA256
8db866abca468e1794e5ea5a3a85fa69346f1debd2f0f1c8c53a03878c62f56a

SHA512
a28beb77354cb914370bf6bf1b09b65bbbefc51cb87549b271176a7e17b8e65fff855f94fa29a05a6aff584aeb73c3182e44baa180ac9a49226268c4c8ea2da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7de702d26a18c8b4dface367334a544d

SHA1
e7ae17af1a400c9b1b113e191841d3078e9fd3a6

SHA256
16b31b0ee1c1e066bbc3d53d7baada8e7af49b759f17392609c6087e25208a22

SHA512
4a7d3d875a2e9fe83c7667d983c0180f1d4fcd291ebe7dbae1b233b48da625a94e5dec0fd7763eab0655dd874eef4162a15d0c85392c3ca35c01a8790c4e4ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
21a5f256b49e1a6862447703dbf50d6b

SHA1
4143b707327e678bc4742ef7c4c47826295e600b

SHA256
8d0f9a830138f891aa03dac3d68e000a3e110b8fb6c6bbc89e1749a731097acf

SHA512
128065c8d68fbb30e4ebd7a321a4036f8be8dcea77b36dcaedbfc56da1de34b59b954cc5220c92300d68f42522328ccc3615e482042e513220e5341442e21a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce59499ce9ac35166e939113441ec952

SHA1
07f6c4a44ce8f116dd1a52b4551cef8e2285c3ee

SHA256
1eaaf8fec1a8db7c477a11588e35142298a476fb46e41356ea8fad29b35a6593

SHA512
2ce78c6685651ebff224f5cbdce5ac89121992f4daeaccdefb92fcf91475033206ce2c306dcab22ae5f36e8e995b0fd934e614f418f01b1e153ba0c32d4e46d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91e644f843dcb0e3881fceac6456c31b

SHA1
0f636b9e7f811622a60361263f8fbd8529316e5b

SHA256
7ad00606a927cb9c2fee09ba76a5e270c6f1fae5a7dcf6a847b6144dc8b2c91d

SHA512
280f1937a4d4a9ae0a79f02c5d75a7d3b714ca3ca8a8bb10d9a7d4552b72c1316240abf352bac5e35aa8ca9ae360716fc4ba3f856e765c9354c8421c5478468b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26311498c694e00e05b43afd36051f62

SHA1
17b8d7591f2ccc521efde929e9121506b934fc96

SHA256
14ad17774c265b507314b4242741754f285f0b8b79cef26346b4edbee799cf92

SHA512
4416fef213591172ac08ca524196595d98a43d070b77beac5f9c8d9fa9deb72eba3224f8823bdaa0a07b9031781eb9b004eb97f49fa2026374fb673421d9202e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02fc60374a1b8426ab3d2ba115a88c79

SHA1
774b45843c2e5cf8ada830eaaf4c79458eeab540

SHA256
b9345068235d91a5cd2b043a778c74d4babb553c455b7778b767ff6e1f74100b

SHA512
1ec64a7759c6654c1652c1728a4ae6ccf6b8780fc0aa6a38d56a0864cc3eac9daeca3eb97e945275c54be14eecaac186b63a7f1a65b3cde5e31b0242be2737e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d08a84f5087e7bcdbf911e831c62400

SHA1
f831cb1390e7ecb1bb5b98cca8cc37d3967ed00c

SHA256
4e35dcfbbe2338e97357cd96c435ba8f6b08216bb56590747cd6c194f2045bda

SHA512
140634aa9cd81f87a4d17407a78d3da65673d8898a4e77a16b369ce7715d7d41832a89b23b222c046f8cc19a5541fc92d498f192dca7ed9e2e5e0c1bacee10bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f92c21c1b56bf08379bda38b20553dbf

SHA1
e3fd362d43d8002fb83c5ec1467f0b9f41f23d06

SHA256
78c4a544f70333583eb1af3bc25ea5a782fad9bdf7685a92b782f476a49a0f2a

SHA512
d1394b015dd8102425a6220b764e27bb64c3c84f75a5cbe5283d87fc41fee35cdf1241acb84fd231931c0aa8a29bbc7d1d7374505f6cac4cee2efb9cca2c31da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6355ddad0b1fc2b63037fbad4e34282f

SHA1
df0c7102621754a9c5971bd7cfabedacbeb5d037

SHA256
ab726a625ee6dcfc3c54ba593290017ca84e218288675ce47f5b222c3d1958ca

SHA512
ba310318f0779a53332608ec81ea132d101aacd2ff579438e5ae9cc7a8c5a54053c2a0c90daa583416c597deab14875c604e10dec17c206157ca556a398471fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2226746b993f601da90dc324e85bf96f

SHA1
8cd60a56430faf140ea9cc40ea19e082c0790999

SHA256
b76cfedc82c677c88fdb0c153b5c59a16b9c28cb38761e0b1e6eb1ca9daebc1b

SHA512
794643ec708175987e563c9645e45b26d32e0b2ffbd69b315835f439b2cc01b934f3818f64a544c93b738dc63353ca69dd4332e17f5b7fb029f133eddce22c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9de17949e458a4c4958e0317e842b856

SHA1
72dee01dcc7775a2dc77047cfda51822ccf03aac

SHA256
cbd9055759c3ffdb5fe42ef02373e15d604f216912925b63a28aa569c7eb1d82

SHA512
b9fdd93c58432cfb8d373414fdd456e241196c0b7723f66bd4e986c35195844acc8d67ed5f663b1e83115cee6646c923b58080430dff39946af9429480456160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
243578d83d2b89b0122ab8c8a57c91c5

SHA1
17ec8bad7f8eebdbc07409f646b87d0b40218042

SHA256
1ecb9c18af598cf55ac90a6f274eb53c2e0880cbd61ec2744e31491c0ccab5ab

SHA512
1f2d7105660b01aaa4b6fe34b3141d9954857f9797cecd7c03c68fa68ea0d0869cbd280a8ca5041b1c5256da28dd9ef78e6c0c576ddc291de8f0499c5b69236e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d38686d1bbb1a0e62f8e540da38068af

SHA1
2388587130db8119572c13ac06d6e695a43bb16a

SHA256
b9a36524824ff89e714f9ae3cbb6b7a8ca9af176aeeb6847d467b6731188a54f

SHA512
bae0043cbff4bce97ace9994079997e1190655fd99233e3b39bcd6461be4d5569235c412b0936dd53ed24180ffc128a6daa32ebc14b9b6b972f38191e57a24a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ebaf2b3cdf9fec0092d137c88b2a5ff

SHA1
7e4cee8290d3fcdfb29b2cdfc74d5b4f54ca9b94

SHA256
a537516b058159176e15eb57ba3e98de1b9cab3d3b9ca013d7432b6393429591

SHA512
3e83a8d15db0871ef4c8b9189b01816e79f800041327c7c718c67d86911d1b1bdbd1a5a26d0f22cb07e6a33ceba77209533d5a01b58a99e11b89b11ca49b7edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2e53a990f5ae95cd77bfecbd2541153

SHA1
95c6f5aae62dfc8da309dd6de4b02a6b00511e1e

SHA256
a8b7ecd34fc830201255d31ee3ab7d03ccd4b31595b1ed7691e4fd4d2774c86d

SHA512
8f2707f20328fd13cff07827bfa638fdb06dce142d5b5b680b931cf0b55ef3be1f51d33916818c88607045303700b4a264f17b65c2b00959d2cdef5d6fab5f58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2309f6022ae70fc4cf81561751087e7e

SHA1
ab0599a3f66ae4ba3130a8997ecddbed0146e265

SHA256
8c3d321d450e5c4d462b92a9363927e92fada0b554a1aec9971669a44a84d846

SHA512
47d21fda8518474892b6bdab847176d6845c0c424f52cd799e947ccd28580bdf907b1f420da33697a4c908e631c30c40c3721df2a605d842bf6e1c36737baf37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7901d3aff10075d7f2fb9b832844e38e

SHA1
516fcbb484d8e8f7da0aee5abb68a53883a63062

SHA256
0ad87a5fc2dfe4c8cb931b89ff6235f3d5af6989f330ff69b8d1a90bad07414a

SHA512
ad20c85ba37d9505d04d2d83d9a72b8d456fb24a8aee5f868848cb12ea66b5bf9329298ab1b67e262300bf0a428b39c69bd70cefdab458609af41706d997adb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
55d5e9f17677d8223e2ad10bf13ac59f

SHA1
ffa0095d8575aab3bad7e2fbbb9f50d8c34ce97a

SHA256
8f57bdc16c62706563708ee752d1331ae14af1a53a827f24c87f9ddb98612960

SHA512
1f075fa4e84dea7395545a65fa6044f914e791892041ae7d519ceb3e4b25e080b128eab4e7cf8eebae1e7202caffbe5a30b9d4a66f587ea0fe78f15a174e36c9

Download Submit
C:\Users\Admin\Desktop\Analisis\MODELO DE CONTRATO PAGADO Y AUTORIZADO.exe

Filesize
1.8MB

MD5
c0f68b5a05bb0dcfd2e8fd1a1e0f9f51

SHA1
048e068806c78939eaabafd2242a7d202cf9ced8

SHA256
fb3a1a86a07de26747ba6e03714199ea532537581b8ee4e1ee1fc9c991f4e7e3

SHA512
bb45f50b29d9ce9eedba0a7f97b1d7599ac64a4624958b0c2354b1bd32737625ec3a640ac79cf4998fa142c47ddea8e78ce4548a5b6fd929fadde94ad07eb7f7

Download Submit
C:\Users\Admin\Downloads\MODELO DE CONTRATO PAGADO Y AUTORIZADO.zip.crdownload

Filesize
1015KB

MD5
18601eb92e1edc7a80850d8de9c4be3d

SHA1
bf9216a11811a784af4c0eeaea3b657524f387f0

SHA256
b4851349f2b97ce9fd4eaa81af5100c4d3a3463fbb79c07cfcddb4ae24bcce71

SHA512
c617c7f4f72d26a201798479c5d6f40bc19227d47c920c51b2425c5ca639a600af9075b76ddefee907c78bae9e7420bf3c77079aa8e6828b107ccdc5142439d1

Download Submit
memory/1648-238-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-119-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-142-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-127-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-171-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-125-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-126-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-212-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-213-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-333-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-113-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-124-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-239-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-143-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-120-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-123-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-308-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-117-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/1648-307-0x00000000005D0000-0x0000000000652000-memory.dmp

Filesize
520KB

Download
memory/4904-114-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4904-116-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4904-109-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4904-110-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4904-112-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4904-111-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download