hxxps://drive[.]google[.]com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link

Analysis

max time kernel
644s
max time network
698s
platform
windows7_x64
resource
win7-20240708-es
resource tags

arch:x64arch:x86image:win7-20240708-eslocale:es-esos:windows7-x64systemwindows
submitted
15-10-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk	Rainmeter-4.5.20.exe

Executes dropped EXE 19 IoCs

pid	Process
1332	Rainmeter.exe
2956	SkinInstaller.exe
2660	SkinInstaller.exe
1784	SkinInstaller.exe
936	Rainmeter.exe
1652	Rainmeter.exe
2476	RainFocus.exe
2260	RainFocus.exe
2012	RainFocus.exe
2712	NexusSetup.exe
2120	NexusSetup.tmp
704	WsxService.exe
840	WsxService.exe
1120	Nexus.exe
3028	winstep.exe
2896	winstep.exe
1368	wsupdate.exe
2616	winstep.exe
2224	WinLaunchInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
1204	Process not Found
1204	Process not Found
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
3004	Rainmeter-4.5.20.exe
1332	Rainmeter.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1332	Rainmeter.exe
2956	SkinInstaller.exe
1204	Process not Found
2660	SkinInstaller.exe
1204	Process not Found
1204	Process not Found
1784	SkinInstaller.exe
936	Rainmeter.exe
1204	Process not Found
1652	Rainmeter.exe
1204	Process not Found
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
2712	NexusSetup.exe
2120	NexusSetup.tmp
2120	NexusSetup.tmp
2120	NexusSetup.tmp
2312	regsvr32.exe
2312	regsvr32.exe
1040	regsvr32.exe
2500	regsvr32.exe
2500	regsvr32.exe
2316	regsvr32.exe
2120	NexusSetup.tmp
2120	NexusSetup.tmp
704	WsxService.exe
840	WsxService.exe
2120	NexusSetup.tmp
1120	Nexus.exe
1120	Nexus.exe
1120	Nexus.exe
1120	Nexus.exe
1120	Nexus.exe
1120	Nexus.exe
1120	Nexus.exe
3028	winstep.exe
1120	Nexus.exe
1120	Nexus.exe
2896	winstep.exe
1204	Process not Found
1204	Process not Found
1120	Nexus.exe
1368	wsupdate.exe
1368	wsupdate.exe
1368	wsupdate.exe
1120	Nexus.exe
2616	winstep.exe
1204	Process not Found
1204	Process not Found
1120	Nexus.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nexus	NexusSetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeXuS = "C:\\Program Files (x86)\\Winstep\\Nexus.exe autostart"	Nexus.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\WinStep\Themes\Male Voice\desktop.ini	Nexus.exe
File created	C:\Users\Public\Documents\WinStep\Themes\Male Voice\desktop.ini	Nexus.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	winstep.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
79	drive.google.com
80	drive.google.com
81	drive.google.com
82	drive.google.com
3	drive.google.com
6	drive.google.com
7	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-A67SE.tmp	NexusSetup.tmp
File opened for modification	C:\Windows\SysWOW64\msvbvm50.dll	NexusSetup.tmp
File created	C:\Windows\SysWOW64\is-40C8M.tmp	NexusSetup.tmp
File created	C:\Windows\SysWOW64\is-UL9E3.tmp	NexusSetup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Rainmeter\SkinInstaller.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\3098.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-OJ41L.tmp	NexusSetup.tmp
File opened for modification	C:\Program Files\Rainmeter\writetest~.rm	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1055.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\Nexus.exe	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\WindowMessagePlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1054.dll	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\WsFxImageRes.dll	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Rainmeter.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1066.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\wodTelnetDLX.dll	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-H3HAV.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\Win7AudioPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Welcome.ini	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\WsMMPlay.exe	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Languages\1041.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\Help\Nexus\is-DG1C2.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\FileView.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1037.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1043.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\System\System.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-P8EES.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\RunCommand.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1028.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1058.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-TUCS7.tmp	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\Help\Nexus\is-54UJN.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\AdvancedCPU.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1032.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2074.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-24ED9.tmp	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-TIA8F.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Languages\1035.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-MCE9L.tmp	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-SQHLS.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Languages\1036.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1045.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files (x86)\Winstep\is-GU4K2.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Rainmeter.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\InputText.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1038.dll	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\InterprocessImageList.dll	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-TO7T5.tmp	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-FOU3I.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Languages\1030.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\Help\Nexus\English.chm	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-H09R8.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\RestartRainmeter.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\Help\Nexus\German.chm	NexusSetup.tmp
File opened for modification	C:\Program Files (x86)\Winstep\WsxMMTimer.dll	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-O7FLF.tmp	NexusSetup.tmp
File created	C:\Program Files (x86)\Winstep\is-ASAFL.tmp	NexusSetup.tmp
File created	C:\Program Files\Rainmeter\Plugins\PerfMon.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1025.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1053.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2070.dll	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files (x86)\Winstep\wszip.dll	NexusSetup.tmp

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\digital-7 (mono).ttf	WsxService.exe
File created	C:\Windows\Fonts\HOOG0553.TTF	WsxService.exe
File created	C:\Windows\Fonts\HOOG0554.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\HOOG0555.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\LCDM2B__.TTF	WsxService.exe
File created	C:\Windows\Fonts\dungeon.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\LCDM2L__.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\LCDM2N__.TTF	WsxService.exe
File created	C:\Windows\Fonts\LCDM2U__.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\LCDM2U__.TTF	WsxService.exe
File opened for modification	C:\Windows\	Rainmeter.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Rainmeter.exe
File opened for modification	C:\Windows\Fonts\HOOG0553.TTF	WsxService.exe
File created	C:\Windows\Fonts\LCDM2B__.TTF	WsxService.exe
File created	C:\Windows\Fonts\LCDM2N__.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\digital-7 (mono).ttf	WsxService.exe
File opened for modification	C:\Windows\Fonts\dungeon.TTF	WsxService.exe
File opened for modification	C:\Windows\Fonts\HOOG0554.TTF	WsxService.exe
File created	C:\Windows\Fonts\HOOG0555.TTF	WsxService.exe
File created	C:\Windows\Fonts\LCDM2L__.TTF	WsxService.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WsxService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winstep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RainFocus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RainFocus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RainFocus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winstep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nexus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winstep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rainmeter-4.5.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NexusSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NexusSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WsxService.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
400	iexplore.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Nexus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Nexus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Nexus.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003ef71c45362ec54bac16f97d4199319500000000020000000000106600000001000020000000ac2caa46005453bae6a1d6aa02842bad9146f9e82120f66d0b6431eaf33d68b5000000000e8000000002000020000000c5e7ed4e9df7632dfdfef6188ba0300181646f0243a8bec440c88ddac849d946200000000990f581939b314368100cb0e59d82879245dc47c9372b838429d3bb9da352af40000000015a3474face44c8f2ebcf2babe9b53315a600e254b0b293101a72b81c996b4fe579bbc82c6ffc0322dfc07d3d12de6da9246f15f177cdbfc45349fba2d8840b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e6f43b031fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003ef71c45362ec54bac16f97d41993195000000000200000000001066000000010000200000008a7cabf56f0f8fb4896c475efdda4e55e5ce353cbcc4a99d246c055731751464000000000e80000000020000200000004f9956a75d12a28c4ab0a5465e1ab84a325557cf541a78eae01fc397c62a18a090000000ad9400beb8516b6a87d5527896941b9c21a015eb547adb8462ef21a8468f2392aae3d16a75b6f3595dd16d1303e84822eb10156979118c4b8a5f27fdb9c6396e145e6880ac861398687418c75392e63972cedd425b38aabc0340f8fee9b294f1f29688f760b6906520f8e4fc795c28463005e051cdf82ab0d319eb4f3b5e3c5f218bd45d5fda5d3b8e5cb23261202dc640000000a12e0c22281354acffebf4efbca775f3d4e1ebdad2693d66bc9a319e9f0ba0f87c701df6aa9f86995fb4b199feae7cca21a354606e5be8534ab1591e2c9824c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CCC08151-8AF7-11EF-9FE9-566D30F46FFD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64671D91-8AF6-11EF-9FE9-566D30F46FFD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435159500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA3303D5-580D-11D3-9AA5-00000100673E}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\NextControls.ocx, 30004"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C11908A-DB9C-11D2-9AA5-0020A90A358B}\TypeLib\ = "{EE74AD62-C2F7-11D2-9AA5-0020A90A358B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.ListViewCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C11909D-DB9C-11D2-9AA5-0020A90A358B}\TypeLib\Version = "4.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C11909D-DB9C-11D2-9AA5-0020A90A358B}\TypeLib\Version = "4.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA3303D4-580D-11D3-9AA5-00000100673E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\ = "ISlider10"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Nexus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Nexus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACBB957-5C57-11CF-8993-00AA00688B10}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94442-E5E8-101B-B9B5-444553540000}\ = "ITabStripEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97E005E-03CE-11D3-9AA5-00000100673E}\TypeLib\Version = "4.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5BF7276-A360-4557-A67C-F47B3D0C2AA7}\Control\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NextControls.NxTasklist	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C1190A1-DB9C-11D2-9AA5-0020A90A358B}\ = "NextControls.NxOption"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Nexus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NextControls.NxMWheel\ = "NextControls.NxMWheel"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA4FD6E-0818-11D3-9AA5-00000100673E}\Version\ = "4.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B923D81-F2DB-11D2-9AA5-00000100673E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C97E005E-03CE-11D3-9AA5-00000100673E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C1190A2-DB9C-11D2-9AA5-0020A90A358B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B36653D-9063-445F-A496-3D484FB7DE8A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A24213D-2D05-46D5-B00E-983D6B03DC11}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\NextControls.ocx, 30002"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AE-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\ = "IListView10"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Nexus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12887B7B-E71B-4BA3-9223-475BCD30AC74}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Toolbar\CurVer\ = "COMCTL.Toolbar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E84-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EE74AD62-C2F7-11D2-9AA5-0020A90A358B}\4.9	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C11909F-DB9C-11D2-9AA5-0020A90A358B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA4FD6E-0818-11D3-9AA5-00000100673E}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C11909B-DB9C-11D2-9AA5-0020A90A358B}\ProgID\ = "NextControls.NxFrame"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A0-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B039FF7A-CE35-4622-B4E3-B8A60D3BBC00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C11908E-DB9C-11D2-9AA5-0020A90A358B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C119093-DB9C-11D2-9AA5-0020A90A358B}\TypeLib\ = "{EE74AD62-C2F7-11D2-9AA5-0020A90A358B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ProgCtrl\ = "Microsoft ProgressBar Control, version 5.0 (SP2)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83601-895E-11D0-B0A6-000000000000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5AB3B2-FBE0-468B-8975-27A6375C3AB0}\TypeLib\ = "{21D9DA11-CD0B-4904-B982-6C06559A7506}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4798B9A8-35C7-4D54-873D-60F28C612A8F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B923D81-F2DB-11D2-9AA5-00000100673E}\Forward	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C11909E-DB9C-11D2-9AA5-0020A90A358B}\InprocServer32\ = "C:\\Windows\\SysWow64\\NextControls.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ = "DataBindings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5273328-7B5E-4E68-BEDC-22B3C0DA0013}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C119093-DB9C-11D2-9AA5-0020A90A358B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B36653D-9063-445F-A496-3D484FB7DE8A}\TypeLib\ = "{EE74AD62-C2F7-11D2-9AA5-0020A90A358B}"	regsvr32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2756	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	chrome.exe
2324	chrome.exe
2120	NexusSetup.tmp
2120	NexusSetup.tmp
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe
840	WsxService.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1332	Rainmeter.exe
936	Rainmeter.exe
1120	Nexus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe
Token: SeShutdownPrivilege	2324	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1884	iexplore.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2020	7zG.exe
728	7zG.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
2476	RainFocus.exe
2476	RainFocus.exe
2476	RainFocus.exe
2260	RainFocus.exe
2260	RainFocus.exe
2260	RainFocus.exe
2012	RainFocus.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
1884	iexplore.exe
1884	iexplore.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
1332	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
936	Rainmeter.exe
704	WsxService.exe
840	WsxService.exe
1120	Nexus.exe
1120	Nexus.exe
3028	winstep.exe
1120	Nexus.exe
2896	winstep.exe
1368	wsupdate.exe
2616	winstep.exe
400	iexplore.exe
400	iexplore.exe
1848	IEXPLORE.EXE
1848	IEXPLORE.EXE
1848	IEXPLORE.EXE
1848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1604	1884	iexplore.exe	31
PID 1884 wrote to memory of 1604	1884	iexplore.exe	31
PID 1884 wrote to memory of 1604	1884	iexplore.exe	31
PID 1884 wrote to memory of 1604	1884	iexplore.exe	31
PID 2324 wrote to memory of 3000	2324	chrome.exe	34
PID 2324 wrote to memory of 3000	2324	chrome.exe	34
PID 2324 wrote to memory of 3000	2324	chrome.exe	34
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 2932	2324	chrome.exe	36
PID 2324 wrote to memory of 3040	2324	chrome.exe	37
PID 2324 wrote to memory of 3040	2324	chrome.exe	37
PID 2324 wrote to memory of 3040	2324	chrome.exe	37
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38
PID 2324 wrote to memory of 2792	2324	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6029758,0x7fef6029768,0x7fef6029778
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2248 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:2
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2152 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3216 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3864 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3872 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2368 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1268,i,9669004925467239091,3384869518664863747,131072 /prefetch:8
  2⤵
  PID:1668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
PID:2996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Windows to MacOS\" -spe -an -ai#7zMap8593:94:7zEvent12807
1⤵
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Windows to MacOS\*\" -spe -an -ai#7zMap4788:332:7zEvent16335
1⤵
- Suspicious use of FindShellTrayWindow
PID:728

C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe
"C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3004
- C:\Program Files\Rainmeter\Rainmeter.exe
  "C:\Program Files\Rainmeter\Rainmeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1332
- - C:\Program Files\Rainmeter\SkinInstaller.exe
    "C:\Program Files\Rainmeter\SkinInstaller.exe" /Packager
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2956
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2756
- - C:\Program Files\Rainmeter\SkinInstaller.exe
    "C:\Program Files\Rainmeter\SkinInstaller.exe" /Packager
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2660

C:\Program Files\Rainmeter\SkinInstaller.exe
"C:\Program Files\Rainmeter\SkinInstaller.exe" C:\Users\Admin\Desktop\Windows to MacOS\macOS Theme\1. macOS Top Bar.rmskin
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784
- C:\Program Files\Rainmeter\Rainmeter.exe
  "C:\Program Files\Rainmeter\Rainmeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:936
- - C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe
    "C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2476
- - C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe
    "C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2260
- - C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe
    "C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2012
- - C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe
    "C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Addons\RainFocus.exe"
    3⤵
    PID:1844

C:\Program Files\Rainmeter\Rainmeter.exe
"C:\Program Files\Rainmeter\Rainmeter.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1652

C:\Users\Admin\Desktop\Windows to MacOS\nexus\NexusSetup.exe
"C:\Users\Admin\Desktop\Windows to MacOS\nexus\NexusSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712
- C:\Users\Admin\AppData\Local\Temp\is-O8HPF.tmp\NexusSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O8HPF.tmp\NexusSetup.tmp" /SL5="$1002E8,39685280,410624,C:\Users\Admin\Desktop\Windows to MacOS\nexus\NexusSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\NextControls.ocx"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2312
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\comctl32.ocx"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1040
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Winstep\WsxMMTimer.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2500
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Winstep\wodTelnetDLX.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Program Files (x86)\Winstep\WsxService.exe
    "C:\Program Files (x86)\Winstep\WsxService.exe" install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:704
- - C:\Program Files (x86)\Winstep\Nexus.exe
    "C:\Program Files (x86)\Winstep\Nexus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1120
  - - C:\Program Files (x86)\Winstep\winstep.exe
      "C:\Program Files (x86)\Winstep\winstep.exe" /recycle 328292
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3028
  - - C:\Program Files (x86)\Winstep\winstep.exe
      "C:\Program Files (x86)\Winstep\winstep.exe" /recycle 328292
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2896
  - - C:\Program Files (x86)\Winstep\wsupdate.exe
      "C:\Program Files (x86)\Winstep\wsupdate.exe" verbose
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1368
  - - C:\Program Files (x86)\Winstep\winstep.exe
      "C:\Program Files (x86)\Winstep\winstep.exe" /recycle 328292
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2616
  - - C:\program files\google\chrome\application\chrome.exe
      "C:\program files\google\chrome\application\chrome.exe"
      4⤵
      Enumerates system info in registry
      PID:2244
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6029758,0x7fef6029768,0x7fef6029778
        5⤵
        
        PID:1644
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:2
        5⤵
        
        PID:2380
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:8
        5⤵
        
        PID:1812
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:8
        5⤵
        
        PID:2792
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:1692
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:488
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:2
        5⤵
        
        PID:584
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2252 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:3048
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3360 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:8
        5⤵
        
        PID:2012
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:8
        5⤵
        
        PID:524
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
        5⤵
        
        PID:780
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fb47688,0x13fb47698,0x13fb476a8
        6⤵
        
        PID:2632
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:8
        5⤵
        
        PID:400
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3960 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:2720
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3700 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:2268
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2320 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:1992
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2752 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:2636
    - - C:\program files\google\chrome\application\chrome.exe
        
        "C:\program files\google\chrome\application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2336 --field-trial-handle=1340,i,10282663381545138263,7228768065908467083,131072 /prefetch:1
        5⤵
        
        PID:1476

C:\Program Files (x86)\Winstep\WsxService.exe
"C:\Program Files (x86)\Winstep\WsxService"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2120

C:\Users\Admin\Desktop\Windows to MacOS\WinLaunchInstaller.exe
"C:\Users\Admin\Desktop\Windows to MacOS\WinLaunchInstaller.exe"
1⤵
- Executes dropped EXE
PID:2224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.9&gui=true
  2⤵
  - System Time Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2336

C:\Users\Admin\Desktop\Windows to MacOS\WinLaunchInstaller.exe
"C:\Users\Admin\Desktop\Windows to MacOS\WinLaunchInstaller.exe"
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winstep\Nexus.exe

Filesize
17.3MB

MD5
9669e9541939c8ee18f9175ecc5d6159

SHA1
58ebbe720b60988bbcf405ca139233220d1b5545

SHA256
91b26fbd13cd54a4f1c7756104f3b36e56d2a758302b1822d4e8ff320a6a86f0

SHA512
adff70eb57ce8eb5e62db413f60720f77e8d251f5f849699e730f3f6ee1880ed862184890d57fe64ccad09482ac529311a3a05a294777f07e51d6556333468d4

Download Submit
C:\Program Files (x86)\Winstep\WsxService.exe

Filesize
758KB

MD5
e35e14841ed353631f94c6c71025fef1

SHA1
7bc0992a9d1d65d9f8b066ce7cbc416f2cc656b0

SHA256
6fba31c917c306af26553d7cae5b1818a6c104b3911383dae7920c60539c3775

SHA512
943a90c3ddc53f7695ba05bdfed5f304b5ae568a7dead4199377284b00343595d1cb1dd64b0d13cb6bba11564d9fc9569e6be3737decdfb4450d0989012cb53c

Download Submit
C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini

Filesize
698B

MD5
7ed3f1a420c2ba65345af28455a754da

SHA1
798075c46eded535f7a3191b38c5c6128dbfb4af

SHA256
97030b68fafaee7bb69eacb3c737ba0ca0d75b70e805166494b34fc589f1b7d9

SHA512
fd3c12386c671089f7f7ac23450318c64cf69eae908fafcbc264c9d7f842482efdb5667f18c0cd7bd015715d06e43260c394a5ebc9639526eae504614e89aba5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png

Filesize
1KB

MD5
751ae72195e782cf91732d0e89138582

SHA1
13a3f32b1b34b61a8ea51efb9098ffc82925dd5d

SHA256
ae72127580a6401f4b3cba621267fcb4d13f0547b7ea00d2748a3a3892cb54de

SHA512
00f821d05e77e5a8bd9cfcb7ac3f963a9dc826521aa9192801d8ea38d085651f3cccc4ab306b58d6310d5445b36645849a4df9adbf6befedf17a785e95424ab4

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini

Filesize
2KB

MD5
a23de9c5c90b698420fc8b3517f36598

SHA1
8f872f02bdd7be04d340c4f1d0a97f795cd66f6e

SHA256
45b2d5644208a29e7e90cc74e130c0fb77c35099e9dbd17ffc010080a3ef1d8d

SHA512
c8030bfbde83fab6ebaeef2a080b55cfa463ece91732e79b0c11ff204bf86715095fe128cbbf76d4cc4029880ec97ba6a7b6f14561bdecf790d3d4359e74176a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\1 Disk.ini

Filesize
3KB

MD5
bd443770cbb26712f476fa3d41ab812c

SHA1
12aa90188125460708af5fa135cff7f1985c6408

SHA256
1e243b7ec358bc79d65da9d5446758cfd567847cf7fea6ce128f4947d04d7346

SHA512
48e1efcd309d9ea9e780ca7873a2996ee3cbd7bacc6f30b6f017df7c76392d34ca3dd847e5d2b4e36bb340ba8e9a8f095efa8a5e0fc5c11b4f73586356cf625c

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\2 Disks.ini

Filesize
5KB

MD5
7215e77b41579b66126d8d010ab6894a

SHA1
47462528453382376fab2ee6985fe6347ffbfc6a

SHA256
3106efa019016e9d84d0ee4e484f45ffc4311617d3ef3ddce74393a6e41952f0

SHA512
b9abb0081838cde464b6047af7f8f6ca983a33c37e32dbd0e43c64e943389051b5daf195e7843dece36dd295bbb6a05be7dec27af810ebb49c31e164b7ce2469

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Google\Google.ini

Filesize
2KB

MD5
bd09d2ec738a5961d283b2e0d1678708

SHA1
c10f4af7c828377b709d66e0ddfbf99ba2b15fbb

SHA256
9b59768e3a736140970c253fe0ceda0c78b47f4007ec62772e9aedf0a0b5457a

SHA512
b0e2ea96b3d635516e31f4714f863d2cbfc5f4f7fcbecaac17de0c6608b3abd1efafcc07b92c94cf4093fc75feeff60362306ad7ba18b1796c92e63ac58fd1d6

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini

Filesize
4KB

MD5
573339229e8dfd4d57f46145f9099e70

SHA1
6fb4d80c1bf259d20ba906d48eb716df8c519283

SHA256
8509aa1b6e7a873659d5896fd18477f36be0fbff5e425e86951644e9549b3aa7

SHA512
a6239fa54195eee42360f3f5a2df187fbbb55e8c21ea9919e71507524500f4618ecaffa41e2407ae252dc9a3a37434233175f33575878bcc137e18b4c8cce869

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini

Filesize
3KB

MD5
14f0547f1b32795714cabd315b64c80b

SHA1
fe8504e6988db711b306586768f9fc7f71c3747e

SHA256
3959453679d3b47df104e28f6ad51476db53630658339355b72400f8a98e512c

SHA512
46dfab176f225120ef9ae4a44cf0c1a8c3a291ea75abfe779199d350831301b81410b3cf32763f23b9e5e4f2fd828ede67618e978b37e7afabc5d202a0dee02a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\System\System.ini

Filesize
4KB

MD5
e7c252045282bcc9b1e5675865d8408c

SHA1
2d035d8c608afd1cdcbaa931b1a170de06e60910

SHA256
a2298019b2774ef5f7fa1d22d08738f36e7749ea125bf441a6b8bad23b960826

SHA512
8444337335973db2a6578d49332ccbe5b2e151aac8428b9f6da92f184af91c782a4b6e15164162db85dedcaca3524804ef31a2da90a359e88af9e609f3ef01c5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png

Filesize
1KB

MD5
27c60fa5b6e8c9545c885f108f501a36

SHA1
58439914234e29a6e8973328dae945ec2fc569ce

SHA256
3aea0caa797e487abb0901648773251ca52f14b680a960baee080f263d2dd9ec

SHA512
26f6a7057f31aab9b88ed5fd779e83e82d32205eb568c46f4fbe93a79182e1f09e00a06d842fea180c2ee469510ad08e26fb8cd08228e3ad6f037802b2b965d1

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Welcome.ini

Filesize
3KB

MD5
9fd985ded033fa0fcc86c222e8e4370d

SHA1
83615886c788f272078fbbe02e1f8af87ca1ef4e

SHA256
6b710c75c1bfc4046ce0bdcde3c4f920aaefe1ecd4fa186d3bdfee12af897707

SHA512
4165e953773328557f42f1f8a29f0b566bcd5c347b8d5e9586ba09f2a4283a64e6f0ae6aa0ea0ba2b6ae8b0598ca4fed7e6878969eed371a1e6fe6dd23695c3c

Download Submit
C:\Program Files\Rainmeter\Languages\3082.dll

Filesize
16KB

MD5
466a834d75e06f59bab79c3ed97a9a76

SHA1
3c3cf65c95178f52902e721ff166ecc84df07f21

SHA256
9914b051773cdbaf643ad34ae4f0bfbab0f73929d627baf0416881ab7ac3a659

SHA512
b0ee4f67cc94ff6428350fc37474910ab598784767a21e049f66b944589b5f48f4220c534cb9c79d528bfa91a879819f66fce21277c23d6fdaa660687e23120b

Download Submit
C:\Program Files\Rainmeter\Rainmeter.dll

Filesize
2.5MB

MD5
0658cb31cfcb7bda7f98c9a856c7fa16

SHA1
176cb1121d30f4ad3d7190faa6c41ffe018e8534

SHA256
ee383a2d401f8c5569f267c93804e4371e6f6543ed01cfcce5dcefa5091c19b0

SHA512
10ec757aa5913f60e8a28158a87d8918acb3ea4252176773612099b4993592139d46d70123cdfaf38a224b8e51f4b404230070edc2fd0b74eee8f071938bf026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
0535d3441bab6423c6ba4b9f13ac62f9

SHA1
af17562d6dc4939b5002e535c32b8d0659d539bc

SHA256
32c026188c50d3b5acfb1464e2fa729ba28efb648c3c57dcbd84fb971e39f2c6

SHA512
c556a684a575aa088f6d4ab582ac6194a77dbe49cbd5e39047089232ca352e59ad58a9fc597afa776f9d5c6d032a4e8817be2f522ca9dad1ac4f989de8680dd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_143164F02B79878E8D2FECFCEB1FA51F

Filesize
471B

MD5
f3546207fafb25b97928abb0e904e921

SHA1
aaec60f5e2baa4b98ae88efc1f980947f5afc488

SHA256
0f5f2374fce71970f6b7ad1666b6fe3132ef7b9969b630a114ce5fab8177d2e5

SHA512
d8de4c9640b7cae52d3e13085a2aaf6fd60bd05d0e53eef6836fd4195c7aa56d883c15f9307aee5d3813430a4038065fc74a1a3b1d899b1956e38e928e694510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_CB647167AB794CB46A6AF30723BEEFA6

Filesize
472B

MD5
a88944c393c7a6e93086fd2f53121069

SHA1
46dbd1534b8f7fe29cd7b77dccfb11dc192fd498

SHA256
b5f51768f4794362b8d21751493505ca8f705d8c13cd411f0a187fa5cf1851ad

SHA512
a36fd6e0e2f789e44cf41f732d6caba9e4904c0d73c0cff0e4bb4468099d4c4c174cff2801644934fa864dadbdd0b110979e2f0866ca17fc1d0a0bf96ab4e700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_E2BFF8162D8FC100A428C4266337A31F

Filesize
472B

MD5
5ea85c32beb06621d3c98a9d9d5b8cf8

SHA1
93a361890013c599f35ea545964fa81c05ecaf92

SHA256
c21799b4716e3b725b841fc5f08734fb03ff8378d948256de6f8c71812cfa517

SHA512
b62e823dc46527129fb957b57173be13a0e5cb2e8cbd1e0b74c04b44992ceb1e0c60a4b1aea0775f9fbce1349ccbe0213ff92fa10532fde6bf1b22cdd339e8e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
472B

MD5
1ad4491483b9980f4608a7923ebb364e

SHA1
6d1e66da4d76f5d1c045cad25499223454a0e722

SHA256
51906193c0a4e8d70ecc05d0b224dd57f2b13f8a3dc49258b860edee74617e21

SHA512
2c31e6dc4c5bc7af5090dc544e0501c97dfd945d6f46feeb98f59aba86a54d27a7b10c46f98a52737cac2b245f0b64fc6c475b9adadc9792f0b7b73a64c2303a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
7ea78a0ff2567ac6fa536cd58b88e2b9

SHA1
ffe9a4ebaf5a929920627dd29cd60c896d422ec1

SHA256
37949bb499a993bf89b5b2bce816cc2718428ed68333d704a8e09579cfae52a7

SHA512
06779d8e8c6b913e7d3288465c1ed0a9cec83f91298403c525e233da6f50044d19aa6a77cfcb87f6bf2bab7ee7bf0c11665bc3495d9ad4ddbf5894802329190c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
efd7d0dfb3416810b624943a7272c4a0

SHA1
e46be25b12ad724583d1f619e1271ccf6015d82f

SHA256
9e510124c2267534cba92e5767497df0b9daeddd6778dda5e70d76d102e9cc02

SHA512
f038776e38ee3d281ef99a50f1119ad5b28e9d68c3534786e4142f7efc500505af40b8cb067ce3aa912ba931d58c766bf17c68f0047aef5d206cb88bef06c301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f7f8af0bb098741fe494f2089cbe673b

SHA1
056a936ad022b9ea079039b0de393f415a782f3b

SHA256
9df17377e57da635d376db404eb6d5f6ecf7885f1317a44c0362d7eebb625534

SHA512
e33d89e96e2a277796977a879992f08144e90c7c6fdaeaef7c2be38fc99a8a0aec2e810080d06a373f7f6865fe8bc3ecf5277e3b6d2061eaea56ad608dc8783e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_143164F02B79878E8D2FECFCEB1FA51F

Filesize
402B

MD5
882cdaf43a03ece707905aec17e7397e

SHA1
06901017054e497a46e7300d25e905d5cbd1d90d

SHA256
31279d695f47e954ea150556a4db94abc45e8d0e4838400d00bab641e5b7995b

SHA512
93161fdcf82fd87fb0fe94098f8a72cb775941c4363907c519980bb4268ba555a91d51a716f1b00a68a0cae0c90ce156ad0fd1d709802c290482f3bdfcf51f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_CB647167AB794CB46A6AF30723BEEFA6

Filesize
402B

MD5
25fceba10ed93b92c9ffddf1fa4735cb

SHA1
c1aee1faaf17e09ef6c0617ac6ee126aff358ba0

SHA256
03af1d69408d4128a472b3845cb69a4c567276f774b3663406d8075663dd40d7

SHA512
87b4a209a3c61a8ad4468917e78c8a1803fff1fcb843fef81fe44fd9de049eb452dcd89afcf773c71ce473becd6329d1566e3bafa51f9cefda6ed45046027d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_E2BFF8162D8FC100A428C4266337A31F

Filesize
398B

MD5
2d6a861fb3e99670c97ebe692e3b1d02

SHA1
cb423f0f8968666a96e2395b9508a93b0d271652

SHA256
ee8df1b989d15ffa0fb24ce567db8c05218ac4dc111d00650c7c2ca6f5431585

SHA512
c97f67ebd664f7f825edf1f2886e635de9a47be64e2177b3c6b01ce03dec8a6d78642fb774293d617a29a2d6ffedcd98bc5076663b80d15fb62de9cba9be7e05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6f9bf8a281efbbf9218e1d34fe9b352

SHA1
38b06ad64ce63eb5f37388fcc1b13ba2fe058127

SHA256
6ba3222c295949bf1477038436b853607be7526149145f96b2a16a9918fe40b0

SHA512
0f5af62608a58ffe18d0391c6e7ecd65e982187d65e5deb5feffa83b1fddfa0a02c649a94588969a933f15408ad3ce02328b62377b04542b38eecc986ac0a80a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e335ec20ca9325002af15d6b3580791

SHA1
9117d1cd24cc027f6403d9fe34dc586ebe5e5671

SHA256
10dbfa533eb95144b10786471cb14d1729a269a19a3233f3df78f5c5b9bfd42e

SHA512
b057087e444c2ba745a1bfdf78a6078d11b1fab494d494d26352c88d2de06ac2aff442ce07f90801898068cf50271438f195e26fb74d2214dd1b891b813f407c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c305e42aac32a817c94552a21cfaa3e

SHA1
4191ad1bc664a635f1545eb4069724bb2d2715c5

SHA256
9717ed08af96bd57cf43db1f72c659341d5264306781cc420fc97737326e687b

SHA512
d201eb9d245d57606c6048e845586cb82452e871fe27759f34d677c80fa556f0d7761958ce67d84111cb8aca078b490cbce228d7c4428bf04a601e747ecd6d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48019f137c66abc805331d1132f1f01a

SHA1
9080c39422177acab19ce7393474399ea4a4692c

SHA256
0443ca698e1bc8a55aecd583e238f2342af79269e7024fcd956745fce6d8bea3

SHA512
6e5f3a0a94269ffc422a639203cc3064b1460afa64b5f8bebd83d888f28d1d90a8a7fb4fc768fbc941c528dc24423798e46c16407ee40ea9e55b658658c1594a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7b8ede86935bf6f7ca97c938dcd0ee0

SHA1
da239151183b2396f62ae3a6ec202aeeb6e8c811

SHA256
fe7740ff29e9cc88d7d9dbdc9545637411aea7a14e7eee9ebbd1c0bf49152026

SHA512
ed1f86dbbaf9141cab71a4ea15d09ff68a6e7888c395f1dca6399286bcf1f92cf89637c4d0ce397a315db2cece7af4d0d31a458c70c791b4d1d15ac92a453ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce024072f39ccdf94852b221fc94db9c

SHA1
3e975e8c4578ccfbcb93dd3eeca965431b500203

SHA256
15b639ee5e080fdb0634c6986422e1d68d2c3936bd5b221e0153e8ea1eb28bd2

SHA512
f9af292a57ca268b517c143d280ab3ef5d840b6df8317b00a9b31abad5f351dfdacc9fe95140a84a255080ababd4a0b232c00f790ea7b34aaea45c35f8f0d537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dd4fcfcd8bcd0e712bd18e90d8f6ba8

SHA1
c5a974d634ca4f5b0763db6ce7b7866895d7a809

SHA256
fe9a4e27489706651d7501078a50dcaac656d0974f292389b979269acd74d830

SHA512
b6b2efa5971943bac5a7e35e38c0d48ae4a7dc8c5f11753ac025bbad096690d7eab50df5968d8ecac54c2a368f6552c6c135a0be9054f697e4f1d72e8542e120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba4a6276f63310399a628082c819678e

SHA1
53f1bfdf12e1f60af2346fec6d3e3bb59c9d9686

SHA256
fdbbfe18e9a276f1d4ab7e723c43302d7d0fbd01efbd90a795c8a887bec16a4b

SHA512
03707934a9b0ecdc825b32fa4cbcf0114404dd4981a045dc687b848287ebddd695d8579eef3f36b25213039bf289e95f15bd19b38c1dfd75d0d75e95ddabbf49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77837ff5685760044cde658f8a46abcc

SHA1
3ae7f141bd979c190c289bb161cb3874b8277333

SHA256
88a215213085079956b6da921c1bf78babc08caed45697a75695086f2da4a72d

SHA512
3ee2f8d080faa216813b808997358af2ebec54f9ef2c21444287274ddc9056f3bd122b6ae3c22b7c849bfdc99fe25c421b0526ac80d163f6e0e16dc8d6b57d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0044f058e7861ce90c4bf22c8ba9826

SHA1
4ae91c9313465829bcdd4040a1544afb174aa92b

SHA256
9801192e0c4f06c4e75204328d645393832d7096dfae4d3c1ff22658d0175a62

SHA512
a2eef2496677bd65191625ecaf89a9e51de055ab429c09247941434ea5d47fd82c6ea17f0954d7fe5ebced2608bffc67d52e014fe15a8847f92b50bd5c87380d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6165806b8c60d30928b3bfff7393b07c

SHA1
0be064702e6810eb817b2171a85be2edc2595526

SHA256
5add31177e8bae873c0fa0b5983b83252fc099a483037f345a241f4f43d3d557

SHA512
2a06c3e5319428ece62ce02444c1eebdc35eaf013da374130baccca3c78e2447702cbed8d44dca761f3be233216a8b7830337d49189f7a8a75ecfff3ee1e8fc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49ab7e327ba54927f24d19b01d216a41

SHA1
aeb2d02a62b9ad97340717417a3f8d82eae8f505

SHA256
2c3c887ad06fcd1cad9183530c4fe8b3af109be34bcb32ec3b400fae662bbc5d

SHA512
a516e34e8fe1a89f0c394ab5bc242cfa5ee04d56a3951e01ebbafcc3e711f7db21a89fae26d1627cefc06de16c62d2720bdae3cfe397aa35c581afb9b1473a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38aa316ee83aad34d51c5414eeb78354

SHA1
f351be890a98c2e97cab70823df1962117a9eb93

SHA256
f721ca9d3c20f13c90ffb580040be798c3cae69012f3658990bf0f6413815062

SHA512
b4d552f92f55b00d2496b246cacec8d86ac71171ebb38cbe333481b216d897719b0aadd4e92388c33513f850f32286b44c72ad862c4e6a10a7a2c60cea581850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb230199f01d4e14e4df2e63b0e3b149

SHA1
1fd6f341dd64d130db34c573c00a3becbdfa078f

SHA256
720fd7560b4beccb9f63c931ff24d1c1736bcefed3eef1a698f45f30fadfcba0

SHA512
7602e30b9e30051c0520a0001b19fe3151e33f2ec2cad79195d825594eee671041f5e46746040f1792f25115541985f25b94891c8d9fd5ac67629748704a81ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec44916a1f0c0114d11a718773f4cb02

SHA1
a452f4d949dbb5e711567b6761fc9899244758a8

SHA256
21db153af56ca0d3159c28e4d78554ac38680ceb67712c48268fb66522f0c401

SHA512
b8d6792f3495914ba34e2fc360086cb7f68e29074d0c34d6e09ee89e2e623830101bfb5e9cbb5f4649745b482c15050fa6b9c08a7d636c0f0f6c4743072bd490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c991326352bd4fcdc7c86c865982ecdd

SHA1
ad91efea779f382a45f091028ba914d0621ad6ed

SHA256
911b4f95277ea152261eb20730fa5a71fbdd37aa721f0cb09041b061cdfee628

SHA512
a4987b5c401c71cb1355170ad156d9285e14dc0cd13a3dbb91ff055ec9b351b6b693771c1824d3637f521a025e0c4b3270d769a1ae0498d6135c8bfd041ed307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f3bbece120847b9acfa345ae35b775

SHA1
714c5614013d060aad74c955c0779863c6c8c981

SHA256
ebb59c86ef72402ca014251b63e7901dbff76592466c8b648cfb3e4f5b907e7b

SHA512
f3714b496d125f34d505521e9b6f39685edaf26016f2b91479c884715ecfe1ea7fed481435adef87a951483b4274a2407d800d217728779a94db0165bd1ff6ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcb31e946882ff66398de70acd7b7ceb

SHA1
bc13621a95c629e5ddbd459e3b3afa9da92d471c

SHA256
8e34f9afee92973be6c93cf030096567cb2b27dac35ec6dad000cecff8719c2b

SHA512
e46dca7b914741711e0e7154ee03666c0e1954b92b2df2be900c0c47437302a54806124f5681f7a038cdc85f4850bfa46e52877f7aa1d2e9234ede2fb6f33e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43a13904e24d1b2616f2eb1b62e557bf

SHA1
6058e2e8699bb33819ecaa87a10745629a872893

SHA256
1e80012b9f3a5af19d96eb50e0846e04a161914812a0e16ca7eb08e4feaa2e87

SHA512
9d4d0beb83d55795d6733bfbed4cb782d1454a56f6306f5d0e75fe2aed0357ed1a96b0c7521e88050d53c4c4bf12451ceb24db60ab7d33fb24522f78e064f501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318643850ba510eed1a5db1e18840ec0

SHA1
c393d3c272c7693ad4d76135dc87bc230c176642

SHA256
ffd57ecb65677abcb16c6ca5a85cd30a7d5acac30146400845a9e0e9117f0b4a

SHA512
d17b6706782e28643d74b2353fa55f180227606e12542ca2f5a58a249322d2f74522f2cfab0904eaa3dd4ddbd7942cc50edafe77c733cebd503d42bd94cd43f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83360330a26d0043cf9f4e2952fe918c

SHA1
543fff209f03c7e50c9cd038f40fe2ba29ca11e2

SHA256
2d2056f8cfadb699d8a035aba21d08026b47b67429be72318220b4f0785b9482

SHA512
a486bb2e8e054d8194d29078bd76ada454e2942f1eebdcd5ec2ad055f258379494987e4b494ea678d3a6cd6d27a0f8f607512ade858f2682b317c38c3c5405da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44a1f088d25b271e14f7d3cb50b2922

SHA1
0014d26fec0ab9b5b11d0f94cc61eb17496a69ea

SHA256
a47dacdd9eea9a362424dadd2a54bcd21c5bd289fb6dd7ba08d35d8575931837

SHA512
459bdc5eda40166493d2dd83e9fd9eec7289483ef2365d30e15a577db67336c8d97f132071d31fb35d5a06dcf35d4f4abb0804108cb60cab7dc213263e2a63f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b921cf122d7c9963c97cbc9de428be

SHA1
b81e0d464935b0d3e2f5bc1ea1e5836448b86124

SHA256
fa47295617dbf2afd51bd6ae77e448639fdb6c692c1548925eeaa543e51058cb

SHA512
c89b9f7f0c3632c2e41b25ca29e6a3ad3e3f311d44506d64f35e6dc3c969c466e9be42b3b4749d9a71107d4b3aa368020072603b9a246cb768ea7085a8dd0059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88fda867327fc4dd41f5b5e0e59f693f

SHA1
e0fc485b9fd0db69b8c20dd3984670ba5900710a

SHA256
49857f096ed5fa509f7d5cbef116efc98a2bd9fc5ff3784f1abde28b9cbe078b

SHA512
c3279c82928df67c49746159aa2c10efdd2ae403b94e6beb791c0e2e366186ac790fe87126c495969544950db9b0d2a6f6c9a9c5555c004bd89518619cf6ffc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
219c1b3318c9d45629b85531015e542f

SHA1
aa9e2bb0f3a2d044848acf13aec3d734268cfeff

SHA256
a041420320294dd118968a58cb1c6dbc4caf325769edb4b42876e2b9e4829ecc

SHA512
8e879bc0b508713d3ee0db377160a4c2d4a6b1097e3afc944a162561e0a36c80e086d66d76c8ee7cb6eb40fd3f1c2a0c024b5b3e5069515dccd3782d40908e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c906b6693282bc156ba485e13240289c

SHA1
87ed1dbe733b0704d81ab06454a2bc40d9dccfce

SHA256
db607810d761bb5c8fc20a5ed2451bf81c2dd8b5ffe04d6f51c82fb285c55fed

SHA512
02b204e1769143cce1b3afd555558e6fb42f935a5f994241840437bf5499dea4c6d68489eebe5769e283ad70877e6bf39026a6ef35710974b71c564ee5b64b3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
632fe21a15a7feb668185deafbae3a64

SHA1
1d185f768cfc698daf78064e60b3ee5f00217164

SHA256
c238db0daf98e4ce53d09ba4f684f5d3d2ee04a582e5a0c77ef6c6b73d6b7b37

SHA512
389e9391ae47c592e96107a40a478bd90209d44f4d1df4bf38db024dbad71606ada39249f7c87207a1e1746414b1f5e40565114a83bd7ab30098ce45837c92ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9a755129142634a4411871dcda6d756

SHA1
03b393212be1356739caad9935599c02c624fa7c

SHA256
30af5a046ef28d69ad79f218daba19529c3c08b4937e42ac8af13142e26d44ee

SHA512
e578e9f60ea3e9418774a02d62982e48c8e44549e0d8ea2506acd34c7d086045fa6b63bd4aa701382fbb141914742f2e86b859c0e8b86c69538807bda7773b04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50d0a8981a947533b1fd50028891bf8c

SHA1
2b261717325683a450086f1a3fb99f285356ecc5

SHA256
4ddff2700d773779fa1a5e8cf385032e08ee8c7d2f1f1849d99af506a7946e0a

SHA512
8240f791f63c5201c1167fa753b2fad4e813afe6b1c8dcc8143116b711f632e5e2c22029c2d9e2d5e992b78d2acc7ab7cb0f41d96ed2cc1b92e224cc6925998b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4ea3cbb9ae088f15f9d1994dcec60a

SHA1
88647b94921d9af1f3cda383e1821330698f3b08

SHA256
7d3b5435e6cf4d8440005fe28603cdbf7b2dd79e7b89c5ad7e680ec9b1df58ed

SHA512
7ab0428749622aa8fa777d79316da75ea338be4131874df3c07c1b24d9d25138bb4d8786574b7fd3b87b8b21ff507eae9ee50fff97db9aac94e155944718ce6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8db4a34d2f3b2545618d793af2b37da4

SHA1
44facf152ae87f4646cca807d08edf846e54fd09

SHA256
3cc10d0f247c9ad47a446802fd1ae1c938319e9289539f5b8c2c33075006e7c6

SHA512
24eccbb912df0eb7f684306038677ed1946910071d910fe1c885b998df553d06eee421d26d5c3d25db56c90e9bffd47d4136362b80dd75470d32f2b6b1b15463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02387952fde4133417128c5f0d8e0f8c

SHA1
b26b7e7fe4399bb2e9ea6c3f62664f2f14dd9be3

SHA256
ace9feee0f5e7321c8ae0bd425e306ccd6194d13d1622b91cf8bbf17bec6cf45

SHA512
d8c96ca2a8dca56288f9fbc693f43df4d0a352943aa040d05a4a3b9721d20f51cf62c84b6a54cf5b01610a3d66e77765683dcd429ddc9f661985c540808f5165

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_CFDBFDB29AA6A71EBDC3E04CD6E276F4

Filesize
398B

MD5
01a1c1788e371bef9b586240dba9a633

SHA1
1e28638972b42f1c85222997bc29d2d300230c8c

SHA256
7ec101b4be3d53b5b24722b3deea62c7776676e90d5a2da1f0815ae1b068cfda

SHA512
8563260c1c5ef8ae418d29cad6211d14aae4ac691ab7c430b67da5b71ba3ac2b5e6b417d13d7ada050f04ab35eb61f2b6e67d50cd9b2a2e690224b2627af7f37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
03db3411a79ac3975f3138e5187204a5

SHA1
7bc4183fda8d515c55bc49d9feeb66d25498c925

SHA256
576db8ccfdb1f2b41cdd0c415c004f17a59d1f14c7a3a6df95c2b13c91f1ccb9

SHA512
f30afac00e1de694fbea4e1b9c113d14a6720b0983568edb49aeacd8478440c95d158412f19ea0899c7f38e9f9557e80be04ce3653018e02e76afdbb6dc58eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0b4b9032-c3fb-4aa7-bf74-a3c351dd377b.tmp

Filesize
326KB

MD5
e55e46ac925fbb9802da970fc505eea3

SHA1
f37899a856898770811195c9ef274a0fd9d01ae7

SHA256
37fa0134f47ab24d7af47c1d032d753cf6037f17e51afc242902c3bb290d77d9

SHA512
43e709928588737ba49f9dfe6bff81d41b6a1fe9691319e2e284777ecebd5a3a935bcff1a9ddf59faff8cab640efffd08d555ee79b62471b9f7768cc5397afd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\172d147f-222e-4101-b817-c565be5a778e.tmp

Filesize
175KB

MD5
fdfd64f7fb277c2669407ad9b2eee01c

SHA1
9ce859b0e47fd11a5a13ee97274c1055657d7f78

SHA256
f95ec078656776fc28aa7883d10921d461bcbc58fccb93fdbad3fba8cff2d2c9

SHA512
7d2b98232de453d52ef6282e2e72dcf16d7dcde889fc8bee0edc15ebed7e899638ed5c26b17a75b41dcd9400f57afe96a282f6a8b0cf864b0d52a5321f2f22bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1e5e09e8-347f-4615-be14-d2da4f46074c.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6440e5b4ea3156744e4a29d42c8a2bd7

SHA1
da7b625fdca100cadf355ded3e112a57f8d25866

SHA256
c06f6986514f9e2a2853949c3809aa06a2d39594470ed4ffc77b5a9552565fb7

SHA512
960de88d405bccc917ad98c1cc04b9a3cb2daddd7a53ab5934e27e3bb2b1638dfa81688239db0910b53af711521a998a788ffabcdcaecf36caa0df2a31582d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1e4b675b-8d00-48d3-8582-f6175d889f2c.tmp

Filesize
6KB

MD5
4731392ff0267fd2ef8fa8f4d9ead3d6

SHA1
76b33a3e5ca42c4ad586484d377629f3724b4df5

SHA256
2db7445d2d7609327453eb8b10705041571c1d4a2d13f7e5595ab0e2f5a9ad0e

SHA512
9e8d2ed012ca7bb352b1ca77b925f43e1efe375a8a2f94ab9610c6fb2e1aebbcbd790c50bf20095a068725642a2471cd22e975a6870f35cbdf6d74557ec24baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
28KB

MD5
78fbaa6c69ccc961b8ec438a8588001b

SHA1
990c7f85fd6739a39ceb934cacbddd8ca7672627

SHA256
708cc85c1b714f37d78a73e237276b2525f644e3e5ab935d7671368f21c2d4d9

SHA512
c9b167bc97e6a65745576831721bc21c1ebb4ea9545643f2af6e7b4879b5930db85991013a12a8debf645f3b152b9c27afa619c245e21d35d9cd66b1347a0aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a46e5ff78d7790f766bc921f1c6c9b66

SHA1
f2f737f4fe0217e6851be83c823ec76b20e58ed8

SHA256
54f8e472a1fd1e4d03993f967a751f67290456c66b2a7be36a0bb1c364d7aca0

SHA512
e953e205c843bf2714bd3f562bbd4ceb6a3a6c387949c4b53317131d4147027b10d33c0a5047691f09d46a0755237fa8b8449c4c33cbbb1d12d03a4698112829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
c4704c9c9186943f0b4a28adf4217dfb

SHA1
f98cf5fea0840f6a7af18ffeb53caec4d54ef5d6

SHA256
9c73015ca848edb2d3ed3779a70ecb274d80f8008f91d02a3d890b09530e16af

SHA512
74de5b264f0991d6d2f1969c6dcfc14c7798a68c07519340d1c891313de14e1d3e84096493b6553ce4a0025cfb6b73e9bb3d5cf44c7438843bbab65d533e049e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e34693876f150dc5d7f9cdd5b0730aa6

SHA1
579f32b458246d4591e6ccc4cceb4539638c77c6

SHA256
8aa14978298a485658d3adfc762e402ef8a8529833892d350b934237b43386e6

SHA512
f4faccf5e51353d55cfbc61bc6af08028aeb2aef6e38762004775a02c274b414f9572c319815e036c9c33064daee8ccd9cdc9ec2c05a0f3319a6716eae27f3a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
25081983d05143ec26381208085e8975

SHA1
f2eeff1c5179a3ca70c09ac2f1c10006ea891685

SHA256
256363d08c2cfa06cd1c10bcc58d7e653576835e151c30ab935971de93ded362

SHA512
1da20f7b4771acffd2b413a0ccf40a9429da86034fae4cfc12e662555a5a24d3ba677c4b8f18c7765016ce38a9bfc3f5567b44cb829e4264047551a61dad2268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a0f1df3abab1be4e77fc27c9b4708c30

SHA1
ee148ab521f693b7c5b44a4cc528e8e65a4f0d16

SHA256
c989871b293e5571d4602fe46f6e36810646fb41d949445dc6368607e58e6573

SHA512
f8b5993c788285e31c6a184099b11b1b0046274330cf431c1fe7b6c5cf4ac989b58f3dbc845332cbf9dc1e083150d1d3731efc43c67967b9633152e969675650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
600b38bef4bd18891fe720229b7f4149

SHA1
27ac5fb30ef24e67ca55b007d14196a5a30a67d9

SHA256
caffd1756482a8f79e92bb981a1c60b0744f17519dd2ae6dd7711c0337d79d26

SHA512
02f4665891de51f7b59e5eadadf56aebaf7f65bb126c46e0eadba78c944e90e40fe3580261cb5c16609b25404ba4094efafa5c4ca60e067ca5be9742044b80af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6dc06d795ec18583f6e15b82da8c2d8d

SHA1
d3cab2406f5259fb0b2e0696b57f0a94a988bcb9

SHA256
721a62a363a842ccd4698ba8e5910b4b3941dca9d92c39eb96c1a9a3885a9d54

SHA512
5b184bd830163e3a6e26fa0613037f9b8c7ba164fa0bd9714da10dcbe24813c27fc97ef9de8f5eefeb1fbc2d8175378f5e2babb861e0ade87fbe839d61aa3aab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
243fc865a44c311f6deca54e00cfb634

SHA1
11695f93d0997882cf71926531180dbe220d1585

SHA256
9a4c087d06cf622095c640b440228229383d7790e8f52372d074f18cd6d3fad3

SHA512
3f7b9dd3c266202cb319f96918ec89bec38c2aa88652c7b72cc6ee33aa95ef6ed7e592819eb53d48de33bce524decffb036322d52bae4f2adfe227a5695725a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
326KB

MD5
2d4d705fd7136151fac99cbe45d55850

SHA1
430a47d13645be0ccba60cdd4fdd254835d4fc52

SHA256
ca99552fd08ae2a933fb5bd5f2bf3bcdd6e29473dbe9d49bac5a0b52ab3fe524

SHA512
67f1d74b0291fb9716d884cbd88ca0f301abed1323cc595de0a1306a394cf8426601a15b96df80633a61ea89fd84d27963c5bdb4f05fd8f7812b1c0c4d0e45ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
326KB

MD5
d6275993a372115de7b5ccbfd522de34

SHA1
5f9856fb2e5e82db4a644d1805b5f1f2f72f816f

SHA256
68af4dd28c7ca62efebd089a465f9165bd6523d0051983bca2f67f921028aa60

SHA512
fdeda3e0a4dc01df06c7602b842d1720da911994eaa4c25fe51070fc13abc2fa88bd81d35a8b8c50c3a5c5d7395491f9e01aa2f0ce531d9516e1098fa3ca3f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
f4dc68593fd6abbbc159f21ccd4e4908

SHA1
e9084f26272a0c7dbe2b70065bc79781ab5d30cd

SHA256
1ac4ed0e2b0b50ec1ba4e6f72e922eec774d0b03016289882c0abac617004e6f

SHA512
8ea4711d6ae0ea890f1d5d3d3c3deeb7a17834b7b7e2ce28d4f1e8e51e25998bd9873897da1e9325bbe36c8ae97c9bb3d75f0dd38dbde72635fcfe36623f4329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
1KB

MD5
5bb48f4d5c6cdb0e773d08e8c4c7f5f0

SHA1
9f488304412666879a76ad2dca49513adb580397

SHA256
e080ea3cd561f46e7b516c6ede47c25fb2b25eca6f7d99f1d54e9e57fef2f96f

SHA512
b7b3606fcdc8f423e1f67451a5db6ed77f479666970ce94830cf6224eb79d5507b5465ee2426b2935e5b8baa29699d92f33acfabf6ccab4a5ed9b9becbc476c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
1021B

MD5
9eb903bc7da4c88f2bbe1bd695678a12

SHA1
281d5ded4029371fb5779b3b453cb7816985d0b0

SHA256
ce1477457610f1e0ddf246ea0afcfc10535cd060d102f90e567485decc2beea1

SHA512
c0fdef97d37cf4325f25d3c2971577620c2d1fb2c7060227a8977006c55a9c07d5ba81944171e4b864ce792a00069e2e9023f96daa03f29fae41b3945c594306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\KFOkCnqEu92Fr1Mu51xIIzQ[1].woff

Filesize
21KB

MD5
9680d5a0c32d2fd084e07bbc4c8b2923

SHA1
8020b21e3db55ff7a02100faebd92c2305e7156e

SHA256
2cfe69657c55133dac6ea017b4452efff2131422abd9e90500a072df7ca5a9c8

SHA512
e19a498866f69f3d8136a65a5ab4e92cc047170673ed00b506e325165a84216267b9fef1e5cfd66458e85ed820c12e9c345cec9bee4de48e1c2e2b1a784f179f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
19KB

MD5
de8b7431b74642e830af4d4f4b513ec9

SHA1
f549f1fe8a0b86ef3fbdcb8d508440aff84c385c

SHA256
3bfe46bb1ca35b205306c5ec664e99e4a816f48a417b6b42e77a1f43f0bc4e7a

SHA512
57d3d4de3816307ed954b796c13bfa34af22a46a2fea310df90e966301350ae8adac62bcd2abf7d7768e6bdcbb3dfc5069378a728436173d07abfa483c1025ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff

Filesize
19KB

MD5
cf6613d1adf490972c557a8e318e0868

SHA1
b2198c3fc1c72646d372f63e135e70ba2c9fed8e

SHA256
468e579fe1210fa55525b1c470ed2d1958404512a2dd4fb972cac5ce0ff00b1f

SHA512
1866d890987b1e56e1337ec1e975906ee8202fcc517620c30e9d3be0a9e8eaf3105147b178deb81fa0604745dfe3fb79b3b20d5f2ff2912b66856c38a28c07ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\css2[2].css

Filesize
607B

MD5
9971f6671a5d2203916c9172157cbf34

SHA1
c0ac281111f1c4876e0661b845363cb477dcfbe9

SHA256
34b99e216821e273bd666ec978d00c9f2149327f2c608deaa6896c06c6b778ab

SHA512
db8bef30c02671f965c9ba33740f51cf70306b83da67aa805c73e10970c4100cdef53df7b9c7db70e1fdbda8b2adf4ec2480966904244a25d8e5a9212507811f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\css[1].css

Filesize
794B

MD5
cfd7319c9c4788ba190a46215513157b

SHA1
de7d0cf7498ec54e1c19393d6f5d380b63df4e11

SHA256
758ae31e2c874158a350af456841cff0ade4b82ad57ad4d363d6813b9df772e6

SHA512
9d849b15c3dd99863b3eb87319c24e2fdc3757e0fcf07448daa97e8d6c202c6090d11e6de301e8e8f1ca586429aa8f65b2c2969a0b2ffcbc70b310c5cbcb0ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\drive_2020q4_32dp[1].png

Filesize
831B

MD5
916c9bcccf19525ad9d3cd1514008746

SHA1
9ccce6978d2417927b5150ffaac22f907ff27b6e

SHA256
358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50

SHA512
b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\KFOlCnqEu92Fr1MmSU5fBBc-[1].woff

Filesize
19KB

MD5
a1471d1d6431c893582a5f6a250db3f9

SHA1
ff5673d89e6c2893d24c87bc9786c632290e150e

SHA256
3ab30e780c8b0bcc4998b838a5b30c3bfe28edead312906dc3c12271fae0699a

SHA512
37b9b97549fe24a9390ba540be065d7e5985e0fbfbe1636e894b224880e64203cb0dde1213ac72d44ebc65cdc4f78b80bd7b952ff9951a349f7704631b903c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
19KB

MD5
bafb105baeb22d965c70fe52ba6b49d9

SHA1
934014cc9bbe5883542be756b3146c05844b254f

SHA256
1570f866bf6eae82041e407280894a86ad2b8b275e01908ae156914dc693a4ed

SHA512
85a91773b0283e3b2400c773527542228478cc1b9e8ad8ea62435d705e98702a40bedf26cb5b0900dd8fecc79f802b8c1839184e787d9416886dbc73dff22a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\cb=gapi[1].js

Filesize
123KB

MD5
c299a572df117831926bc3a0a25ba255

SHA1
673f2ac4c7a41ab95fb14e2687666e81bc731e95

SHA256
f847294692483e4b7666c0f98cbe2bd03b86ae27b721cae332feb26223dde9fc

SHA512
b418a87a350dbc0def9faf3be4b910cb21ae6fffc6749eecea486e3eb603f5af92f70b936c3d440009482ede572ee9736422cf89dcdd2b758dfa829216049179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\cb=gapi[2].js

Filesize
203KB

MD5
b53067a92a1a2972e65acbd28c1bd4b6

SHA1
73f76c08e36b3859382534ffd9f098a5a2ac8844

SHA256
ecc876c51af40d46138afc49ed08fb18ecb4bb8550f6587e8df0c3e71fa67448

SHA512
cdbc28fa4a0a1fac371c54b05614afa8b6839fef405aeb78880e8ef2d0106a28b4e59fb7ba1a7dca99abe1ea6eb52fed74b3ae6b61114eb757e972b5b96fe934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1CB7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1CB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat4A97.tmp

Filesize
111B

MD5
699b288fee6e354d086244f09bfda0bb

SHA1
7d1a95192a67175f5c8758a14fd39bc64d8d1582

SHA256
a671883faefb77095dbff37977cdc31a7d18c2e4a092637305b8994d81b6ed3d

SHA512
a6c28427e1be90ca1ff359b70a64436750eb56830cf624bcc9df020598803286fb7b6f46ce80c4d3141ffdf58c8314f964b7683e5efd9a400e872ff2bdaf45a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF54F72A5287F6AFA0.TMP

Filesize
20KB

MD5
e545af69985ee09574844e15c432d40f

SHA1
10e5367f5967cba56be797066dc817d0b03dc86d

SHA256
5f2c4e51e08d19ed621c35d9b7389437526093d1b3e78be2a7b0c9b17c92ce30

SHA512
2df442d3e32d226dde3676c4e1d6925b665b2d18b779a9cfe5c481ff702ef96ae460fee13aa3d49d4f14f8674c8aa501cc103a64c0baed53d96cecde6e4d26e5

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
828B

MD5
b01e0c5e180ed70626c4456d9a70a526

SHA1
e0ea07166ac47587cc02011cb792b49458470d6e

SHA256
ba4107f9844b0d4053f48a8a1273774e5a634e3161aa71b5d66d497e05594ffc

SHA512
4affce4002b0d8ea30036f009d6d2a661cf94558a9b2023157258c4d98dde047388dbe90701f8a4a9f29fe269653e851bd24caa3eeccdf6cba28fe341a3c3102

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
1KB

MD5
21adfd3a11eb62d75aaa926729877eb9

SHA1
bcb8fb6e6ca4a0b96c15326c4acfc022fe31f28f

SHA256
f8faa1e6f6d0c6f52a171fcbdac6ae39b73c5154f26f3602771dfc9bc0e06227

SHA512
56dda815f333a438ef41de4d85aff77baf0a57d601c9c2b0ed06bf11d02f0f64125aee29c0c0ac9d3f5f6a87048a02b7ffea4fbbceef32abe191747d625b9aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
1KB

MD5
dbb83754ef2b79dec488fb4fe75a0d70

SHA1
e85d09bc5a57f3057387bd1813d7030a6859e53d

SHA256
1455c7ff0ac8974b3361e67d7d38dfe56ac89ce8d3c8c008946146b1ea80045e

SHA512
5d06f90e7e435f03a7833240e15a17b4df1b636daeb8868b148ab6939bf32a51501e168e6b2a49193ce1396551bd7e79892045b0d4e38afa6130e807a638def7

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
1KB

MD5
37ab7d235b06d8c774915b2d838abd33

SHA1
8e5e9faa53bd9d8c2a3ce168025f1aded0f5d3e0

SHA256
bba58f5cd0e60e51af40c2db7c3dcde56f87125054195ad51fc4620da32312b9

SHA512
76b857a520f290873d9e25d4d6aaac48716d015cf3a88ac5a78a3015384d515dacffbea6e43453a36a5d94bfcee54bbb0a3464d3ac7b5866295941988dc79943

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
1KB

MD5
4a5bef9cc937df8381709a1e8c76620c

SHA1
f1c87715c7830a86ed2ad17547ebd3bb5f9861e2

SHA256
313e91feee8dcd37d051f1c8d145e3f6631749ac8d44377463387f8fabbdfbbc

SHA512
fada02a7edc6c5740150b7ec7eb6d89d6bb623f2f57862fe6197c71701dc557ed2320620e7f13cfac9932f74f8b936f68b8789e84f7726a9b87fe8a94278d3e3

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
2KB

MD5
0ba3e9061efbf75379ec0c63949bb4e2

SHA1
cebfc07422814b540b0975ba266b796fbaebc101

SHA256
746cd5e2900c5abf4878d9fa8839224650cf02942faa25085deff54611489f46

SHA512
6ae7b483f29a994b9fc49ae13eaa0b8e95250a06005f3fa915cda849b83f4836fae97ded643fbb1cabfd43fccfd029ecdc207c90cdd15fe50d3461488ce87258

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
2KB

MD5
d376d1be10854036dbe55990210b1ac7

SHA1
fd4c738bef81e73dae51d97173169a62f4732938

SHA256
0f60b26e5c767bbb5379ffccd9f6977c8b5e0f3df9d40b9af71b25348837870c

SHA512
28055cf6c621f5964e10d289ca30c7e44cbe5fc6dcd602e220f9a375ea1369418a2db318a4eb71dd18eddaaf01072f863ff7c350297bd49dc28c40f742e59d00

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
2KB

MD5
742161d78e14c954d8dd487f6c3e903f

SHA1
832eb6c491cf28e2a9c1c7c31b6ec83ff42e234e

SHA256
5979b39a8482c777884f900f8b77d5f71dc79e2c8eca27c158fba9b252c31be2

SHA512
1354d9d1880a86feca8795521e5465088a74e53e3c0ffc199d6ecbe0f667bc7f45f03715124dba3571201f047df7119b1190d9d38a7304296c8e905e5b73fc9d

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
2KB

MD5
78d5cd29b34905b3bba62a7d4c3c0e14

SHA1
da479ff24c3126ea2eff8902975bc30f4529bf17

SHA256
b33f404181928d743e8374431b1e7f3cd5f13f5b41090d4d95865863a4025c49

SHA512
e241dca22a9b79b76d9e8ec80da3515b8fe22cbba2f6736d040cc652c539b31331d4fb782396d5dd3f49dab54e18de571484b5179ccd06f9320d91e139b32981

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
3KB

MD5
2feb7757beb86c72406fb488429d8192

SHA1
2a43c9bbfcea187a7ca04e2af9622bd967229749

SHA256
7faab8a80544e64bac0c11f9bb38b45ec947f3764efa6be8c8742bb2bc70f7f9

SHA512
c30c2040bb3b9b62d47ad90c4a034024fbda681b9a49c68ebaa6ce00476dc7711dfe4fcba069674ac820ef26e75aac6f97817ef3f5afee447a36c725bc634241

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
4KB

MD5
7a08f676d9c4846ea679571d64f50b51

SHA1
40e71ede96d540b2126d26ad4cb1760508ec4e7f

SHA256
37c3cced8a92645e598ca88c68f1d2bf870c3ae03876dd4a4ad14b43d3f7ee09

SHA512
7efeb04abdd4298395fcd73e133c2df471f24bd61f1a49ba8b0f85141ca6e38f7593249137745861dd4e74669d8565c9640129dcfaa4cc0a517680e0e20f9071

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\Aerial_1.0.5.0.zip

Filesize
334KB

MD5
ac56288791666dc522f6646d4d43a705

SHA1
7c4266c95649a9320d23099988356b2dcf634c91

SHA256
3fa4b63910c7336c7ca40b024bdb294740fe477544e2199d3c182efb26547921

SHA512
9a86bed9e4be2b5c7edde8e87033a63d8ceb15741fa031b7caaebfd631b145c65679d0fef58d6eddd19cf85050176a52b8b749b5292c883ad4d5ae427341a07c

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe

Filesize
2.4MB

MD5
b8337b134f4fe6f4b5e3d98174a78e7e

SHA1
77f8542101143d35be7521c3fa14c0beb1df278a

SHA256
9024b3b01b3883af3e12c3023ca9f7569893d25bb8154d785ac5737c7fff3ac9

SHA512
4439739e051563977854ca2aa6fd75e3468de065cbe3888d292d991955ae98e7c9f7288ba6bd5e71d9eef763202d3a69863236a3e725c44411f401b2aa2a3063

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\macOS Theme.zip

Filesize
34.8MB

MD5
cb6c26c5a4b70d5640ef0d955db10854

SHA1
3120116fa8e4e5c087e1eef63e54e3a8caab4cf8

SHA256
d560d6030dc7aee3459ff3ac750a42c020d896d33a76029bdc2af61785f82688

SHA512
ff29299ab62d8254def091f55f201cc49f35aa1fcf9d1925a14a36126d26c8a0403a4f268ab8b88a3516d331fe76ecc05ff9a87014477a1d523a392ef341757f

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\macOS Theme\macOS\launchpad\Contacts.runtimeconfig.json

Filesize
154B

MD5
42f40b6c1b9ab7f8f92b0ae5d8c5fdab

SHA1
92e1d5e7ffae89550a815389b851648f9bb6e64b

SHA256
ed69fdc80437b2d0fd2b177d018a6e800517200e4fb6dd54705f5a62a908ec38

SHA512
dac3b6a2cf992f23e0d15ad31449ba15f1a309dbbdaf11f7e62c44c7081fab8968986ff6690039c86522609b03ae95b127938c5e6f3c3ff9396a2911e81bc40e

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\nexus.zip

Filesize
37.9MB

MD5
dc0f2f6f01e9087f04d1953159e74949

SHA1
7c5527575be3c77eb52c1a744cc41c3a4a3736d5

SHA256
24076317c0a06c64c7a49e05835f16354f17c80246174b780c53efb8cff367b8

SHA512
fdf5b4125b5e86b2a7bae04a1c84110bdb90927ff3d9c84069076686a2feab90c2e233bb6b39cc9b4156fe744a2128c7c0f1efe1ad9a787f2740aa91b7bd1510

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\@Resources\Images\Empty\11.png

Filesize
124B

MD5
f8bc9ad54b0f7a700fc9317e8ef572b3

SHA1
6e3837ddb5837cb4da6b3d33f23790d4a996e5a9

SHA256
e7ef95b9949b4ed2b234bb43387b68e0303b69dc40d1042a453216e9b22f93bb

SHA512
909d33115ca8cf8e0f5c717c868670dba2c4ec90b8d22ed81e9209ba8cdb04419183654242085ab6dd5876de6d0b49840060ca12e4bd8bd61000c253297196ba

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Applications\icon10.ico

Filesize
1KB

MD5
5164537a6d6f1bc9af10581c5473eebc

SHA1
0a3e89a87fa924b87e624da237cfc5915ef28e1e

SHA256
fcc7cf0e25d69255575b639c49b7923fa233a0e3e31dc8595518c5531edb6c46

SHA512
4b1a032b295667bde1d63e735b642e562066470fce950267d64a5f6ea0c371de5766c3aa5751fa11f0e8146edaeae05f6652b8a717a3df9c276f5768099eb68b

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Applications\icon2.ico

Filesize
1KB

MD5
98b5a1b002632d175c690a9a689c90bb

SHA1
95fcf76a4c1da4fce1f011b10d868bce917b8817

SHA256
c89b704c956c5ac12a215c3e0add7095417b102ddeba31f8f49076d0769c860f

SHA512
4a7cf7c8fd948c1afdcdfa250a2a709d40170ea0b6a4190020f8cbc94fd20fcfbaf5e3dffaf15f8f963f5bb8a0742d1a4dc096e1bcf3751623e098da8cd5294d

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Applications\icon3.ico

Filesize
1KB

MD5
c7b3837f47360e783d8cb6d8c994e40d

SHA1
1569ae08838877c70dbb3729c7221d8b49d4adce

SHA256
bacfd59719bd7db4d56f15d30830aaae37a83e8ecc07e9f584d1d14960bdf4a8

SHA512
e5b00e87e3431dc5387d6bf389a65aa6e5cfb39a3f819d787280b8fa07a58134c74bc622bbdc1044ac066d7be5cffc2f10a58fe710a95c262c07fe5ec031918f

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Applications\icon8.ico

Filesize
1KB

MD5
0b52e8c5a5535f05506eea93deb3312c

SHA1
2b82de4361562de14677f6a409f531477fd19428

SHA256
24a9c19e5c3227274a6d42759fe2c9d6ddc049f428e6ef94f1df477feeabe63f

SHA512
57d2edb40d943c33d61ba9dedeac0ee8aaf0cdeb9e192d22783d43d9770876f86123f36b124ba55ddc42d2d030639e0ab89c2ed79b7f12354ab0e8d5e859218c

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Documents\icon11.ico

Filesize
1KB

MD5
c1e97d825a5c1ac2626bc6d0465389cb

SHA1
f787bd4289cfb4370aedcf25e0f88ca00987cc9b

SHA256
199ddcdca7ba7337cf6bd25ab76647429b8d13c03bc4e465491b158c8500742b

SHA512
dce995bfb1d47a54278546ce4eb941490583c9f014fcd7a7736152c04dad23deb7826c6adc44e37b2e70a2381cd761c42f018ad3bf1516879f3ed0350ad0ce5a

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Documents\icon13.ico

Filesize
1KB

MD5
147b1aff14fee6b101ad1bb46797d9c2

SHA1
ce4a8a4658945a364e1c86ea4a496888426cedc1

SHA256
e49bd4c371c8ceab78def31e6fe3051568f327c3370d155a40501f563c45db71

SHA512
d5d9bb92fa6ea9150132d3564978e3d7f19912095cddc569da1163650434ba228db55b159c3cbe1007f64465ebeb3ea717a6c0018aa6046734db19c059d44382

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Documents\icon6.ico

Filesize
1KB

MD5
2aa04e1e6f6ad2b3f5a7f785e391a756

SHA1
bb33a125d95f04611e9e4ae6f4f845d84387c8ad

SHA256
77e4f6ee96e90a5b87e356a7e47decbea6bcba3feeaf3f3749a26b149947ec44

SHA512
6f82c57cc7048e3121df5efb175cf808d8163d2e64ab923373e0479ab72f0f99b45fbdf8c3fc96a53a9efb7c45acf6f0011e1b94519c756603faca76eeedce79

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\Documents\icon9.ico

Filesize
1KB

MD5
456dc486fec3329666ae33255db8e067

SHA1
9b49b4314e62d1cc6c391fafb2b72bb2cce16386

SHA256
0ee868aef63adb1bfda6422f0307a88f76a7458d6f7cec188190ba5c59333273

SHA512
7a6f81c71c4548c41f71fcd4bfa04fecf668cb54ea58c582c1ce954905d77156c00f724b362ebd5a1e883ab5d43be3ddc00c7dd7a063527d9a212daedd509ea7

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon14.ico

Filesize
1KB

MD5
7d5260bca57bba72ffb48641a39c0f37

SHA1
f04cc6fedd3f1116d2a3d13ab6d36a5da5601c4c

SHA256
00c66d59e6c56c45cf19a0480dd5103a7569842c8123d4ae4ce35a13a0afa57f

SHA512
e21b6565ab315203ed0d54d110b893067ac4d2c337e5b1271ca255c66bed69b59a0bc1ed584ea063e9cf2e354adb871e5d9c3a23bddfc91d94df05fb908a78c8

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon15.ico

Filesize
1KB

MD5
ee97e1160b392f9150a446411a904a5a

SHA1
7011e1fb5f418d06fb38c855803fac0334fb2a2e

SHA256
8bf35f610040eaa5f97df0f5452f2a8a56fb4595fb29a20699e22ed35932db52

SHA512
77e857a7096bace5ab20c53da50e8a8a770b36c1ad66196d16282f550ec3dc8e1d3f0a3cb77042c20525e26309bb625358a2e5d4277ea7a90cc8a56ca869a8b2

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon16.ico

Filesize
1KB

MD5
5d7090f9ee5450526fce5a03b12a5b3b

SHA1
0b439370e73c3c7eb6b17b8e70eda16a90681ccb

SHA256
323c3c3c48465676c7169c15ce12393cb9d6c4e5576d735b9d590b113987afe1

SHA512
1d4afa9dda9140754837bb5abb220ab53cdab92797c9afe6deb6e767f53ae4e074f9547854809058988a873162ba803ada05a9af7645eee82fa2a8abfd963011

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon17.ico

Filesize
1KB

MD5
13b62c5f49193d1efeb2e66cac0189df

SHA1
2c6fcacc9184defe2453f80ba503246b81a2ea22

SHA256
1d00f0a31a225c2ff1909b2601dc14d9f2c974ab85c0fc062ce96a1e902d0390

SHA512
7c7f1e66518b1e902878b03509aea0844caed539314b9487064ac3956de2f33427422d1969debb73e3dcc67b780d9145bd7cbd557662ad860f41fa9eff2d7973

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon18.ico

Filesize
1KB

MD5
b8ab9b29891f1ef86f2b75c66f76014f

SHA1
2870d3f4858933985b31c5bfbb173dd301c0aa10

SHA256
a4774e08fa44e17a5a98710f77731f4fc49faf0c57078c38ba791dd065d444a3

SHA512
96db957e852b770028854fd4867ce56de621940b7bbfbe08499d566cec5958ce4886c74c5e09aa8afa123e71fc7b1a87c13b81361a9daf26bd8de31974107b5d

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon19.ico

Filesize
1KB

MD5
b9d02367256afb0c0dc31d90b0336d42

SHA1
b7e6bd86245cea44eb6face42952fca3d96ee353

SHA256
90daa029486c10436916a6f3fd979ecca19dc913dcfdd2e25cc09a3e61e6bce7

SHA512
42bd4897d3ef9fa1ec19c4f2585c93c231e7ada6bb6112f95a8644b958ce49ba3ac8587515bcf1084b5e7bfe7730406945d919721a9206fabc2a138f526d1651

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon20.ico

Filesize
1KB

MD5
4ecc336aefb56de421ddbe78b666ab0d

SHA1
09cb6cbd513c52665778a8c4a42ba135648ea348

SHA256
f37d652b5cdea1f92a6831da21b13af1aef5db1a324dae24f9cd6a8d01606f30

SHA512
9bafcf250bb456e3cc969fd507805ecd1c400b6f7a247e5ce9dd429bd932a6458d074555ab5136cae26fa7e47c1e2472841edb56349df46bb8c22a644682b448

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon21.ico

Filesize
1KB

MD5
df41bb2b034f2097bb7571f29b6e1570

SHA1
493ca267069a89de3d4074345664cc4ab0d3f069

SHA256
31c709381b7b087fb17d5361aa46bd919312d519f080955b3d7d286068014064

SHA512
01d1f8151fa75624c38cfd0c7dd2ed91bf68a700124137809d4ea70c815c9dafcc08ec501de73088ea873c4dcbf4503601792eaa2a87d104bb1a88982439cf12

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon22.ico

Filesize
1KB

MD5
aa3f19437d725a65fba6b7fbc642e40a

SHA1
3306996f5868eb64896d8a4910236eb5ea3f75b6

SHA256
fd75bb3fe7b1db0d03866c3dd86024be8fe39d450bfb60cc365ca7bfb1c01c7b

SHA512
b242aca48f31f81e4ce234a35203dcb3f1073d33e81fd3bbe4e95903851b3ce3b7119df69f709dcfe344d46687f2f6f552d8cb36dcba742dd5b474cde4b990b6

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon23.ico

Filesize
1KB

MD5
1856c473bc8e763dc7e7635df50da8ba

SHA1
ed5309f8978c91170001234645523c9b2090ae0c

SHA256
d9c3d83406224b014840f828b20755ea50cca04bfdab589b37ad7ac92e6e792c

SHA512
741b58b14f4ae15dc7dfc08a40620dc5d0ec9b3ba1e1c77ec623b7ea2911384da12404edfed5234e4d308a8ab0fc842f8e225379c401bc841d4318c0a8cb86e8

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon26.ico

Filesize
1B

MD5
0d61f8370cad1d412f80b84d143e1257

SHA1
32096c2e0eff33d844ee6d675407ace18289357d

SHA256
6b23c0d5f35d1b11f9b683f0b0a617355deb11277d91ae091d399c655b87940d

SHA512
3d637ae63d59522dd3cb1b81c1ad67e56d46185b0971e0bc7dd2d8ad3b26090acb634c252fc6a63b3766934314ea1a6e59fa0c8c2bc027a7b6a460b291cd4dfb

Download Submit
C:\Users\Admin\Documents\Rainmeter\Skins\NR_Yosemite_Menu_Bar\Menu\StartMenu\icon5.ico

Filesize
1KB

MD5
a0323dcf7b3a122ea2600b870decddb7

SHA1
62144a5065e4248f377e02ba54d2fda270226012

SHA256
2243fbf1e1428b6b72cfd45c747765e2d887759c87d2a3ede3914297700a31d6

SHA512
5bc6567b7306b2308b35afa400ab3bc29dcbf5da0e8a3b79e20bcea3d37c8e0d48248737137c45d09ea091dd878d0016fb0e9f2ea90f6989c46345485f392402

Download Submit
C:\Users\Public\Documents\Winstep\AutoInstall\Leonida3Dthin.zip

Filesize
158KB

MD5
a8db9218d19bcb953b6ee6a2fc8290d6

SHA1
99ba1378c181abfdb99548aef213b5f325eb60bf

SHA256
5320b8f16ee80290387f91f7967d70fe9828dfddb0b346ad28f1103d585f0c70

SHA512
ea82b5394eac1fd4d9b1f090efd35243661dc4769edbe4308219906fcb2a3dc105f970789882fc0b5004ce92ea901fc9fa37a8fa7356084ef64d7b5212d144ba

Download Submit
C:\Users\Public\Documents\Winstep\NeXuS\Backgrounds\SDVZ2\is-JTNK9.tmp

Filesize
49B

MD5
87621fdf2fcabbc69e553758da2753cf

SHA1
5e116eb9598441b6e924b7f320b6142769934fb0

SHA256
bbc092fc23e839ad2e7dc08816f93b6c3c7e8a01e776d31e6c58e5e97c291f4d

SHA512
5d0ff0f032272772e8031aa559eb659969e5b6179dea9e126ac9f9d61d5669eeedda3ae139da5f3dcb806276fa99e29e2afc1b3ab2c87ebd9d90668032e9ebc2

Download Submit
C:\Users\Public\Documents\Winstep\NeXuS\Backgrounds\Zippy_20\White\is-6A2G5.tmp

Filesize
63B

MD5
d790ef81c98f5e58509753663c555450

SHA1
114b312c07d64f3bb51d58a461a79109751df34d

SHA256
1b5fbb364299f161c9a6ee23d64a611492761c9712e349132915b7717cce77f4

SHA512
460ddca2cd01449cc8312ba08816de256b06bb0c1084a2b7ed57c9afb5e01b6da23e44c4b3f07f7c348cb6a47dc5319cfd3dd83188c3fbbc29d83831920ef5d6

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Aero LowRes\NxBack.png

Filesize
4KB

MD5
fed9959e376e9e107e9aabf630236c7b

SHA1
2f922057f6e0d8ced67158ae61290c2a8111bf92

SHA256
90b385da167e2505d1fecebb7a2bda59ba8034567fe49ac2e1be844b32806e04

SHA512
02de2cca310fef209b0333b1509397e539bfb6790d327c1f2f620510a8a37363adade4b8acd2d4d0005983826c63b6cb6e48c92af593615d3cfe24f0235f4aaf

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Brisa\WsMailES.png

Filesize
30KB

MD5
0f676bd6e76282fe38c29533d776e9f2

SHA1
3c5d74f3be7562b82083df24e25a14eaf29fbcf1

SHA256
52defb4a068e5d0d3d45cb3f5ec89af4d972d67141b73acb663881d6e3f8503a

SHA512
92e4a8174fc479d11ecdbb1d4f05a72c96c7629fda7cc7df8d51cec13c6389768ec7ffd74f1d2da3f4905f622a8d14ec02a1a351f65fedabc03523793ffe9c2c

Download Submit
C:\Users\Public\Documents\Winstep\Themes\K-TEK4D3\nxtile-mask.png

Filesize
2KB

MD5
34fd6f7149a1056324be0ef13fe49274

SHA1
4499fdb9eebcb9c7fc35658586581d20844f9f8e

SHA256
525de130b6160022da1cc9e2c856a5704e2ace28ba43c663532b2da4ba2348ed

SHA512
f2469925169756d0d924ff55eca87d68894178256fe839191a848a379a985d09bb16307d7f68b1bac1b846501184a291ea1c69aefee9e019b7d2778ec25f308f

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Leonida3Dthin\WsMailFS.png

Filesize
34KB

MD5
996a07d73c05526c2a63208510c09f7f

SHA1
940f83642d6f7595060c66c0cd5c1746be81f5b2

SHA256
02c711312989c335a074e590c8e42fdce138ccab4b44d5f895a8d9b59e9ba2b0

SHA512
29c9e84aadc9cdab3cf8d9d72eb353aea6a442b577533a713d5eb7a52e3c76c8dc8935ad14151263c64d2ec5c082e20f6e8b4e61e00930459679869c5086e74d

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Leonida3Dthin\WsTrashES.png

Filesize
14KB

MD5
deb5ea512d8527daf9e468afc4865ad6

SHA1
485aba500a74e81c978135bca970d7b33b4f2058

SHA256
44d3f2f285bcb65a1217cf979ebbe67f60d8a2a1d7ef9dccbb809a7122515399

SHA512
dbd3167e85c920f31454979745b6d44d22d466698f167939c850e71abb5eb171db9ab79f3ae6dcd02cd5b16a1190137e76ec577983f729b38fcce04cae78859a

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Leonida3Dthin\WsTrashFS.png

Filesize
16KB

MD5
935e0e984b2681fe169d4171340d7104

SHA1
1bba2920f2356fef69b2c85c7eb4133e0bcfbca6

SHA256
be539bfc01cfabdd01a63a845d06cad4e793ab98762453c3576eb8a59bf5759b

SHA512
ce31c1a0c0bf5f9bdf9abfc435ed688cf4f84902f074dc608bbacbf1eea4a3d0f1d8257829c5e31e1b36dfc78c3f0ab316cb346d877549a02566aa2aadb5bc87

Download Submit
C:\Users\Public\Documents\Winstep\Themes\Leopard\WsClockA.png

Filesize
17KB

MD5
20fdec478d7137024468d89471596954

SHA1
acff633dfcf239a5830a58ef8f648444f2c52f8f

SHA256
2fdcb9c592b431ec9ecedb52f9615caef46691af1f01dafaaaee27be29f5acdd

SHA512
81d9938ab34911f95e7b333f124c83294f638c32549b39f0c14f135cb69d4edea6dfcf6d2f02bed4ed109a93d4112beb484843f208314d5a91b2ee117c11f4c6

Download Submit
\Program Files\Rainmeter\Rainmeter.exe

Filesize
458KB

MD5
9d84ee1acd3e3bd55d0b1c997316f00a

SHA1
471823ba11ab7402b1b7c8035651b4d71adf34c2

SHA256
825897feed83fb9b8881943177741723746ac876e3d8485b759f0e53af52566b

SHA512
ac5794bb9abe164c2b5b08d7135cfe419601af4944c844682d762aad4c71f76ada7d65e2248bb645a420d90322a9d8ebccca083fc54b287d250660b21f469a17

Download Submit
\Users\Admin\AppData\Local\Temp\nsp8835.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsp8835.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsp8835.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsp8835.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\Desktop\Windows to MacOS\WinLaunchInstaller.exe

Filesize
657KB

MD5
3434b2e312f78e796d4603c448084a5f

SHA1
94cc779c9b27b801f1590a3764bf0e7e24ffd178

SHA256
ae10bfb89bee7b698d35401cb58b32aca19b3b4b8352914a7de1a2ee0bef677f

SHA512
3ac69785c58900dcabf1b2298f3b7f0378698839a52564f255ad070d0091b6ae8e812e8ead75a1d0bb19a5faa5ec7fed7afa6d66871d58697500a95b0ccd3467

Download Submit
memory/936-3272-0x000007FFFFF70000-0x000007FFFFF80000-memory.dmp

Filesize
64KB

Download
memory/936-3238-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/1120-5719-0x000000000A2C0000-0x000000000A2C2000-memory.dmp

Filesize
8KB

Download
memory/2120-4925-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2120-4918-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2712-4917-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2712-3936-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2712-4926-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3004-2603-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3004-2619-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download