hxxps://drive[.]google[.]com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link

Analysis

max time kernel
131s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15-10-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Rainmeter-4.5.20.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk	Rainmeter-4.5.20.exe

Executes dropped EXE 2 IoCs

pid	Process
1484	Rainmeter-4.5.20.exe
3912	Rainmeter.exe

Loads dropped DLL 5 IoCs

pid	Process
1484	Rainmeter-4.5.20.exe
1484	Rainmeter-4.5.20.exe
1484	Rainmeter-4.5.20.exe
1484	Rainmeter-4.5.20.exe
3912	Rainmeter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
11	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Rainmeter\Plugins\PerfMon.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\ResMon.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1049.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1053.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\CoreTemp.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\System\System.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\2 Disks.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1041.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1054.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1055.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1066.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2052.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\VisualElements\Rainmeter_600.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1086.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\3098.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\1 Disk.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Google\Google.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\uninst.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.VisualElementsManifest.xml	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\AudioLevel.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\WindowMessagePlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1058.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\SkinInstaller.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\SpeedFanPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\Win7AudioPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1030.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1037.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\FileView.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\FolderInfo.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1031.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1043.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\AdvancedCPU.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1033.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1035.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2074.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\VisualElements\Rainmeter_176.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1029.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1042.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1060.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1057.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.exe.config	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\PingPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1036.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1038.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1046.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\UsageMonitor.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\iTunesPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1048.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1051.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Welcome.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\InputText.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\PowerPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1025.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1028.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1044.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\3082.dll	Rainmeter-4.5.20.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rainmeter-4.5.20.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\command\ = "\"C:\\Program Files\\Rainmeter\\SkinInstaller.exe\" %1"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmskin\ = "Rainmeter.SkinInstaller"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\ = "Rainmeter Skin Installer"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\DefaultIcon\ = "C:\\Program Files\\Rainmeter\\SkinInstaller.exe,0"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open\command	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\ = "Install Rainmeter skin"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\ = "open"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inc\ = "inifile"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\command	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.inc	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmskin	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\DefaultIcon	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open\command\ = "\"C:\\Program Files\\Rainmeter\\SkinInstaller.exe\" %1"	Rainmeter-4.5.20.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
1376	msedge.exe
1376	msedge.exe
1360	identity_helper.exe
1360	identity_helper.exe
4804	msedge.exe
4804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4464	7zG.exe
Token: 35	4464	7zG.exe
Token: SeSecurityPrivilege	4464	7zG.exe
Token: SeSecurityPrivilege	4464	7zG.exe
Token: SeRestorePrivilege	380	7zG.exe
Token: 35	380	7zG.exe
Token: SeSecurityPrivilege	380	7zG.exe
Token: SeSecurityPrivilege	380	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
3912	Rainmeter.exe
3912	Rainmeter.exe
3912	Rainmeter.exe
3912	Rainmeter.exe
3912	Rainmeter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4032	1376	msedge.exe	85
PID 1376 wrote to memory of 4032	1376	msedge.exe	85
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 320	1376	msedge.exe	86
PID 1376 wrote to memory of 2108	1376	msedge.exe	87
PID 1376 wrote to memory of 2108	1376	msedge.exe	87
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88
PID 1376 wrote to memory of 2788	1376	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1e9sQz-FLV3_rq4CMNanNH7VAbkFvpv3G/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd5c8446f8,0x7ffd5c844708,0x7ffd5c844718
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13388877507783936320,10162934194814190808,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Windows to MacOS\" -spe -an -ai#7zMap28319:94:7zEvent30418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Windows to MacOS\*\" -spe -an -ai#7zMap14879:332:7zEvent24801
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe
"C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1484
- C:\Program Files\Rainmeter\Rainmeter.exe
  "C:\Program Files\Rainmeter\Rainmeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SendNotifyMessage
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini

Filesize
698B

MD5
7ed3f1a420c2ba65345af28455a754da

SHA1
798075c46eded535f7a3191b38c5c6128dbfb4af

SHA256
97030b68fafaee7bb69eacb3c737ba0ca0d75b70e805166494b34fc589f1b7d9

SHA512
fd3c12386c671089f7f7ac23450318c64cf69eae908fafcbc264c9d7f842482efdb5667f18c0cd7bd015715d06e43260c394a5ebc9639526eae504614e89aba5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png

Filesize
1KB

MD5
751ae72195e782cf91732d0e89138582

SHA1
13a3f32b1b34b61a8ea51efb9098ffc82925dd5d

SHA256
ae72127580a6401f4b3cba621267fcb4d13f0547b7ea00d2748a3a3892cb54de

SHA512
00f821d05e77e5a8bd9cfcb7ac3f963a9dc826521aa9192801d8ea38d085651f3cccc4ab306b58d6310d5445b36645849a4df9adbf6befedf17a785e95424ab4

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini

Filesize
2KB

MD5
a23de9c5c90b698420fc8b3517f36598

SHA1
8f872f02bdd7be04d340c4f1d0a97f795cd66f6e

SHA256
45b2d5644208a29e7e90cc74e130c0fb77c35099e9dbd17ffc010080a3ef1d8d

SHA512
c8030bfbde83fab6ebaeef2a080b55cfa463ece91732e79b0c11ff204bf86715095fe128cbbf76d4cc4029880ec97ba6a7b6f14561bdecf790d3d4359e74176a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\1 Disk.ini

Filesize
3KB

MD5
bd443770cbb26712f476fa3d41ab812c

SHA1
12aa90188125460708af5fa135cff7f1985c6408

SHA256
1e243b7ec358bc79d65da9d5446758cfd567847cf7fea6ce128f4947d04d7346

SHA512
48e1efcd309d9ea9e780ca7873a2996ee3cbd7bacc6f30b6f017df7c76392d34ca3dd847e5d2b4e36bb340ba8e9a8f095efa8a5e0fc5c11b4f73586356cf625c

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\2 Disks.ini

Filesize
5KB

MD5
7215e77b41579b66126d8d010ab6894a

SHA1
47462528453382376fab2ee6985fe6347ffbfc6a

SHA256
3106efa019016e9d84d0ee4e484f45ffc4311617d3ef3ddce74393a6e41952f0

SHA512
b9abb0081838cde464b6047af7f8f6ca983a33c37e32dbd0e43c64e943389051b5daf195e7843dece36dd295bbb6a05be7dec27af810ebb49c31e164b7ce2469

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Google\Google.ini

Filesize
2KB

MD5
bd09d2ec738a5961d283b2e0d1678708

SHA1
c10f4af7c828377b709d66e0ddfbf99ba2b15fbb

SHA256
9b59768e3a736140970c253fe0ceda0c78b47f4007ec62772e9aedf0a0b5457a

SHA512
b0e2ea96b3d635516e31f4714f863d2cbfc5f4f7fcbecaac17de0c6608b3abd1efafcc07b92c94cf4093fc75feeff60362306ad7ba18b1796c92e63ac58fd1d6

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini

Filesize
4KB

MD5
573339229e8dfd4d57f46145f9099e70

SHA1
6fb4d80c1bf259d20ba906d48eb716df8c519283

SHA256
8509aa1b6e7a873659d5896fd18477f36be0fbff5e425e86951644e9549b3aa7

SHA512
a6239fa54195eee42360f3f5a2df187fbbb55e8c21ea9919e71507524500f4618ecaffa41e2407ae252dc9a3a37434233175f33575878bcc137e18b4c8cce869

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini

Filesize
3KB

MD5
14f0547f1b32795714cabd315b64c80b

SHA1
fe8504e6988db711b306586768f9fc7f71c3747e

SHA256
3959453679d3b47df104e28f6ad51476db53630658339355b72400f8a98e512c

SHA512
46dfab176f225120ef9ae4a44cf0c1a8c3a291ea75abfe779199d350831301b81410b3cf32763f23b9e5e4f2fd828ede67618e978b37e7afabc5d202a0dee02a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\System\System.ini

Filesize
4KB

MD5
e7c252045282bcc9b1e5675865d8408c

SHA1
2d035d8c608afd1cdcbaa931b1a170de06e60910

SHA256
a2298019b2774ef5f7fa1d22d08738f36e7749ea125bf441a6b8bad23b960826

SHA512
8444337335973db2a6578d49332ccbe5b2e151aac8428b9f6da92f184af91c782a4b6e15164162db85dedcaca3524804ef31a2da90a359e88af9e609f3ef01c5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png

Filesize
1KB

MD5
27c60fa5b6e8c9545c885f108f501a36

SHA1
58439914234e29a6e8973328dae945ec2fc569ce

SHA256
3aea0caa797e487abb0901648773251ca52f14b680a960baee080f263d2dd9ec

SHA512
26f6a7057f31aab9b88ed5fd779e83e82d32205eb568c46f4fbe93a79182e1f09e00a06d842fea180c2ee469510ad08e26fb8cd08228e3ad6f037802b2b965d1

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Welcome.ini

Filesize
3KB

MD5
9fd985ded033fa0fcc86c222e8e4370d

SHA1
83615886c788f272078fbbe02e1f8af87ca1ef4e

SHA256
6b710c75c1bfc4046ce0bdcde3c4f920aaefe1ecd4fa186d3bdfee12af897707

SHA512
4165e953773328557f42f1f8a29f0b566bcd5c347b8d5e9586ba09f2a4283a64e6f0ae6aa0ea0ba2b6ae8b0598ca4fed7e6878969eed371a1e6fe6dd23695c3c

Download Submit
C:\Program Files\Rainmeter\Languages\3082.dll

Filesize
16KB

MD5
466a834d75e06f59bab79c3ed97a9a76

SHA1
3c3cf65c95178f52902e721ff166ecc84df07f21

SHA256
9914b051773cdbaf643ad34ae4f0bfbab0f73929d627baf0416881ab7ac3a659

SHA512
b0ee4f67cc94ff6428350fc37474910ab598784767a21e049f66b944589b5f48f4220c534cb9c79d528bfa91a879819f66fce21277c23d6fdaa660687e23120b

Download Submit
C:\Program Files\Rainmeter\Rainmeter.dll

Filesize
2.5MB

MD5
0658cb31cfcb7bda7f98c9a856c7fa16

SHA1
176cb1121d30f4ad3d7190faa6c41ffe018e8534

SHA256
ee383a2d401f8c5569f267c93804e4371e6f6543ed01cfcce5dcefa5091c19b0

SHA512
10ec757aa5913f60e8a28158a87d8918acb3ea4252176773612099b4993592139d46d70123cdfaf38a224b8e51f4b404230070edc2fd0b74eee8f071938bf026

Download Submit
C:\Program Files\Rainmeter\Rainmeter.exe

Filesize
458KB

MD5
9d84ee1acd3e3bd55d0b1c997316f00a

SHA1
471823ba11ab7402b1b7c8035651b4d71adf34c2

SHA256
825897feed83fb9b8881943177741723746ac876e3d8485b759f0e53af52566b

SHA512
ac5794bb9abe164c2b5b08d7135cfe419601af4944c844682d762aad4c71f76ada7d65e2248bb645a420d90322a9d8ebccca083fc54b287d250660b21f469a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\267c9f5f-453d-4319-a958-bba3d1f33b47.tmp

Filesize
7KB

MD5
cd7393f3c13b07173388f037cb9bd70c

SHA1
bdc5c389e516f1e34550cc29ff76dfc6f7efa121

SHA256
ed1e9ce31673ea07f182831cb33fe5ea5cd6f187738cebb1879995726b20fddb

SHA512
dce01421235cdeeb2ab8a856f6dd7ef21028b3c6ae419031ba934b1d2003137df2d9be98443d246007fd80edc695e2e15571061dc41be23eda5f0f70eb44281f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
3.8MB

MD5
6adae625e839a13dd701394608213f81

SHA1
0698d93bb23bc861245a0124471e469d2947db18

SHA256
4e03e4f789ec169a16a9ec53168e9f4868ad636f6143d10e459572a29db376c8

SHA512
7fcfff4c19db2d5ef04ad4317d00c8f84f1a4384cf6a646af102abfdf9cfe0c82b61b863ea14197b6b5e1186df6c4662299b0538867b6e08c3347acbe6e44bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
b329f02bd1b2700e5d26ed1352788cf3

SHA1
af2a93eb01bfd1d13e24e3a7a7e6cd4b3ee6c8cc

SHA256
d9755462f5ff3049a8a410c222ef989f945633d3976d0779b054c991da224558

SHA512
87704f513ec61454dddeacb30dd5cfc5059963f6bacd771bb8532c498be4a3caad6bf5b7e636dd1eca33aead62d92fb9b3733f964a8c6ac2049f38400275eb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
018da6e00c5af43e83c69536037a86b0

SHA1
82ea46d4f37f41b045b83c945b96ec8839479259

SHA256
8682d1aa686f6922ad3ca4dc233a446f0d6ab76cddfc3000530bc26a4dd58b84

SHA512
cd9adac7fd6cd9e447d8ac6c8009d5ac8a19a7cd5c8951337bf0995ee5ba2194e036a2ee721d2dd25b5f61ff78fc67bcb31f0379b78248ec0d66b37f8597b593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9d848943059e8bfda16cc488e8def509

SHA1
6d5405c6ca98fef95f18fd963c27a4fde6e0c2b6

SHA256
15c986da652b069ff2bae13f351e3c933d25a7f11c7d5e29e16fce40559252ab

SHA512
7b17f925e586cf791255ac14ad716cce878b8e41be8d3181726971ed7b78db82de3cc3970746df0673fee8cb37062bc199f5f5b5f33888b97877c6afb9cb2c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18ce8c4cd84423238367f7415a448261

SHA1
15f74cd41a33f6b8a7047defaa9ef0846fa7a404

SHA256
ce0fbba3621290ad19d91fb55f178686e7813299b5e993e5bd344b178ffa2bd0

SHA512
4a44b2fbb418f96835c740bfa9727884cea1248dbe4cb441ff94e70a83140b6ab2fa4014853d2d8e8b59c0ff45a7827111b75ac4eedbe84fc3e8e1e59f543572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
927afb9a1ebcb4194c5635971cfe5619

SHA1
58cbc655def7ce3e0c9862d2977b71121829942d

SHA256
842e85132fd74c5740767504698be148a43e73abedf0187be3d13a49f0bf434f

SHA512
8b9a1348ebd5983a879b7e7fdc4441f5e4d93ca8701868564a5d9ebb9e006e812583a839a974fef73c8352b3cb6c469d158d67ea013291489603b04770d02e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cf529b705cb7b7feee1586cb343a6cb4

SHA1
8f51923702a98e945f910c0ae87a358fd857f119

SHA256
91f51298588847209fd6ab8b33a74415558e93b8274f71670666e92f7ad3a554

SHA512
4624354307efc025cadfd536f6a660f5e9787711ed38e6fe43fc5309b55ce7a0ffbbb3c2c60392aaf6a1d806a076d7766964f23c8608e8d7f74bc58f9afab221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a02fa1df3709f29bd62b2056849265d3

SHA1
533afb44e8d7459123107678cd975b4abfcc477d

SHA256
c76edc07835913487abb7ba457da73c279283b96a7c4ba924ce491921d81c561

SHA512
2f69b97aba22e6ab7aa672615b9cb8a5a6fd7ce72b1bee3f180fbb08b8da0271be9fbee4c3c54283253bc2cd49174d305e9d260864a99c936e2eefd5de171951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7df3857ab9ee0c8f3b268ea82f260e2f

SHA1
62810235f848c44f20e3117c4b7818cbabe11175

SHA256
2608ca9a314e0db566178469c50f43258ac6684387c4b51ca7bc70983edd68c5

SHA512
bdc18a2cfb331280a22addac3b388aff97594ff7497dd0a2164bad7f35433395a1739f2488ec5ae639d8472f324bc2527fd30b440ea7829edcbd18c437831cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f0367cfa57b3dbae1aa5ef00a2c36cf

SHA1
fde26039f40325295b7a5f99d0a50e0366eb0963

SHA256
05b43d07c1b7e3f3ef546b16898f49143c5ee8caacb566798ad293616af8f658

SHA512
16d997e752ac35c71ab9ec5ce7178d9ac4432c2ddc61341f762837fdf02eca209f588aee408071319afc06779073d00795fb437f26d1c8f9b126fe6397daba30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33c433e8c1c718ee7804d342d2391e61

SHA1
83c978defa93ffa0bae837218670e7cedfa1c143

SHA256
02db9f8522025c838fb64590a70a61ce5d9527367cc5782f6852f94c7028485c

SHA512
e91f552a92ce7d2f3ce062a3841da2f4b6cbcd0852a87dba85566e2563662cb4234b08bc4f501b313c560542d316e6f7706d6d5a94b8ce33a8384845fb995ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6CEB.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6CEB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6CEB.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6CEB.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
828B

MD5
b01e0c5e180ed70626c4456d9a70a526

SHA1
e0ea07166ac47587cc02011cb792b49458470d6e

SHA256
ba4107f9844b0d4053f48a8a1273774e5a634e3161aa71b5d66d497e05594ffc

SHA512
4affce4002b0d8ea30036f009d6d2a661cf94558a9b2023157258c4d98dde047388dbe90701f8a4a9f29fe269653e851bd24caa3eeccdf6cba28fe341a3c3102

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\7z2408-x64.exe

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\Aerial_1.0.5.0.zip

Filesize
334KB

MD5
ac56288791666dc522f6646d4d43a705

SHA1
7c4266c95649a9320d23099988356b2dcf634c91

SHA256
3fa4b63910c7336c7ca40b024bdb294740fe477544e2199d3c182efb26547921

SHA512
9a86bed9e4be2b5c7edde8e87033a63d8ceb15741fa031b7caaebfd631b145c65679d0fef58d6eddd19cf85050176a52b8b749b5292c883ad4d5ae427341a07c

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe

Filesize
2.4MB

MD5
b8337b134f4fe6f4b5e3d98174a78e7e

SHA1
77f8542101143d35be7521c3fa14c0beb1df278a

SHA256
9024b3b01b3883af3e12c3023ca9f7569893d25bb8154d785ac5737c7fff3ac9

SHA512
4439739e051563977854ca2aa6fd75e3468de065cbe3888d292d991955ae98e7c9f7288ba6bd5e71d9eef763202d3a69863236a3e725c44411f401b2aa2a3063

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\macOS Theme.zip

Filesize
34.8MB

MD5
cb6c26c5a4b70d5640ef0d955db10854

SHA1
3120116fa8e4e5c087e1eef63e54e3a8caab4cf8

SHA256
d560d6030dc7aee3459ff3ac750a42c020d896d33a76029bdc2af61785f82688

SHA512
ff29299ab62d8254def091f55f201cc49f35aa1fcf9d1925a14a36126d26c8a0403a4f268ab8b88a3516d331fe76ecc05ff9a87014477a1d523a392ef341757f

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\macOS Theme\macOS\launchpad\Contacts.runtimeconfig.json

Filesize
154B

MD5
42f40b6c1b9ab7f8f92b0ae5d8c5fdab

SHA1
92e1d5e7ffae89550a815389b851648f9bb6e64b

SHA256
ed69fdc80437b2d0fd2b177d018a6e800517200e4fb6dd54705f5a62a908ec38

SHA512
dac3b6a2cf992f23e0d15ad31449ba15f1a309dbbdaf11f7e62c44c7081fab8968986ff6690039c86522609b03ae95b127938c5e6f3c3ff9396a2911e81bc40e

Download Submit
C:\Users\Admin\Desktop\Windows to MacOS\nexus.zip

Filesize
37.9MB

MD5
dc0f2f6f01e9087f04d1953159e74949

SHA1
7c5527575be3c77eb52c1a744cc41c3a4a3736d5

SHA256
24076317c0a06c64c7a49e05835f16354f17c80246174b780c53efb8cff367b8

SHA512
fdf5b4125b5e86b2a7bae04a1c84110bdb90927ff3d9c84069076686a2feab90c2e233bb6b39cc9b4156fe744a2128c7c0f1efe1ad9a787f2740aa91b7bd1510

Download Submit