hxxps://drive[.]google[.]com/drive/folders/14gMeaNXfcmEv7F8FzBLyIHcVHi1fgbX2?usp=sharing

Analysis

max time kernel
166s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
16-10-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/14gMeaNXfcmEv7F8FzBLyIHcVHi1fgbX2?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk	Rainmeter-4.5.20.exe

Executes dropped EXE 1 IoCs

pid	Process
1424	Rainmeter.exe

Loads dropped DLL 22 IoCs

pid	Process
3396	Rainmeter-4.5.20.exe
3396	Rainmeter-4.5.20.exe
3396	Rainmeter-4.5.20.exe
3396	Rainmeter-4.5.20.exe
1424	Rainmeter.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe
5992	UltraUXThemePatcher_4.4.3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
11	drive.google.com
148	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Rainmeter\Languages\1055.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\CoreTemp.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\PingPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\iTunesPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1066.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\1 Disk.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1036.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1053.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1060.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\WindowMessagePlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1033.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\3098.dll	Rainmeter-4.5.20.exe
File opened for modification	C:\Program Files\Rainmeter\writetest~.rm	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\AudioLevel.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\PerfMon.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\UsageMonitor.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1041.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\FileView.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\Win7AudioPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2074.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.VisualElementsManifest.xml	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\ActionTimer.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\AdvancedCPU.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1046.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\2070.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1029.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1038.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1045.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Google\Google.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.exe.config	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\InputText.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1051.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1049.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Rainmeter.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\PowerPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1037.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\3082.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\SkinInstaller.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\FolderInfo.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1031.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1057.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1058.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\2 Disks.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\RunCommand.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\SpeedFanPlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1030.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1040.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1042.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1043.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1044.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1048.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\RestartRainmeter.exe	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Plugins\QuotePlugin.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1035.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1025.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\Languages\1054.dll	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\VisualElements\Rainmeter_600.png	Rainmeter-4.5.20.exe
File created	C:\Program Files\Rainmeter\VisualElements\Rainmeter_176.png	Rainmeter-4.5.20.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rainmeter-4.5.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraUXThemePatcher_4.4.3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\ = "Rainmeter Skin Installer"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\DefaultIcon	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open\command	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inc\ = "inifile"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmskin\ = "Rainmeter.SkinInstaller"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\command	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\command\ = "\"C:\\Program Files\\Rainmeter\\SkinInstaller.exe\" %1"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\ = "open"	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\open\command\ = "\"C:\\Program Files\\Rainmeter\\SkinInstaller.exe\" %1"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\shell\edit\ = "Install Rainmeter skin"	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.inc	Rainmeter-4.5.20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmskin	Rainmeter-4.5.20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rainmeter.SkinInstaller\DefaultIcon\ = "C:\\Program Files\\Rainmeter\\SkinInstaller.exe,0"	Rainmeter-4.5.20.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
1940	msedge.exe
1940	msedge.exe
4244	identity_helper.exe
4244	identity_helper.exe
5780	msedge.exe
5780	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
3668	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5600	svchost.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1424	Rainmeter.exe
1424	Rainmeter.exe
1424	Rainmeter.exe
1424	Rainmeter.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1424	Rainmeter.exe
1424	Rainmeter.exe
1424	Rainmeter.exe
1424	Rainmeter.exe
1424	Rainmeter.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1388	CredentialUIBroker.exe
6080	CredentialUIBroker.exe
5636	CredentialUIBroker.exe
5532	UserAccountBroker.exe
5992	UltraUXThemePatcher_4.4.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1696	1940	msedge.exe	84
PID 1940 wrote to memory of 1696	1940	msedge.exe	84
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 4072	1940	msedge.exe	85
PID 1940 wrote to memory of 3692	1940	msedge.exe	86
PID 1940 wrote to memory of 3692	1940	msedge.exe	86
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87
PID 1940 wrote to memory of 4240	1940	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/14gMeaNXfcmEv7F8FzBLyIHcVHi1fgbX2?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa9ae46f8,0x7ffaa9ae4708,0x7ffaa9ae4718
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,10774246411398979367,8834571249875910267,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=1792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6377ca3chb6e3h4783h83c1h108d5f366fbc
1⤵
PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffaa9ae46f8,0x7ffaa9ae4708,0x7ffaa9ae4718
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4140783774045539926,11040789970383701894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4140783774045539926,11040789970383701894,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:5616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Windows\System32\UserAccountBroker.exe
C:\Windows\System32\UserAccountBroker.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1708

C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe
"C:\Users\Admin\Desktop\Windows to MacOS\Rainmeter-4.5.20.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3396
- C:\Program Files\Rainmeter\Rainmeter.exe
  "C:\Program Files\Rainmeter\Rainmeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1424

C:\Users\Admin\Desktop\Windows to MacOS\UltraUXThemePatcher_4.4.3.exe
"C:\Users\Admin\Desktop\Windows to MacOS\UltraUXThemePatcher_4.4.3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Rainmeter\Defaults\Layouts\illustro default\Rainmeter.ini

Filesize
698B

MD5
7ed3f1a420c2ba65345af28455a754da

SHA1
798075c46eded535f7a3191b38c5c6128dbfb4af

SHA256
97030b68fafaee7bb69eacb3c737ba0ca0d75b70e805166494b34fc589f1b7d9

SHA512
fd3c12386c671089f7f7ac23450318c64cf69eae908fafcbc264c9d7f842482efdb5667f18c0cd7bd015715d06e43260c394a5ebc9639526eae504614e89aba5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\@Resources\Background.png

Filesize
1KB

MD5
751ae72195e782cf91732d0e89138582

SHA1
13a3f32b1b34b61a8ea51efb9098ffc82925dd5d

SHA256
ae72127580a6401f4b3cba621267fcb4d13f0547b7ea00d2748a3a3892cb54de

SHA512
00f821d05e77e5a8bd9cfcb7ac3f963a9dc826521aa9192801d8ea38d085651f3cccc4ab306b58d6310d5445b36645849a4df9adbf6befedf17a785e95424ab4

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Clock\Clock.ini

Filesize
2KB

MD5
a23de9c5c90b698420fc8b3517f36598

SHA1
8f872f02bdd7be04d340c4f1d0a97f795cd66f6e

SHA256
45b2d5644208a29e7e90cc74e130c0fb77c35099e9dbd17ffc010080a3ef1d8d

SHA512
c8030bfbde83fab6ebaeef2a080b55cfa463ece91732e79b0c11ff204bf86715095fe128cbbf76d4cc4029880ec97ba6a7b6f14561bdecf790d3d4359e74176a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\1 Disk.ini

Filesize
3KB

MD5
bd443770cbb26712f476fa3d41ab812c

SHA1
12aa90188125460708af5fa135cff7f1985c6408

SHA256
1e243b7ec358bc79d65da9d5446758cfd567847cf7fea6ce128f4947d04d7346

SHA512
48e1efcd309d9ea9e780ca7873a2996ee3cbd7bacc6f30b6f017df7c76392d34ca3dd847e5d2b4e36bb340ba8e9a8f095efa8a5e0fc5c11b4f73586356cf625c

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Disk\2 Disks.ini

Filesize
5KB

MD5
7215e77b41579b66126d8d010ab6894a

SHA1
47462528453382376fab2ee6985fe6347ffbfc6a

SHA256
3106efa019016e9d84d0ee4e484f45ffc4311617d3ef3ddce74393a6e41952f0

SHA512
b9abb0081838cde464b6047af7f8f6ca983a33c37e32dbd0e43c64e943389051b5daf195e7843dece36dd295bbb6a05be7dec27af810ebb49c31e164b7ce2469

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Google\Google.ini

Filesize
2KB

MD5
bd09d2ec738a5961d283b2e0d1678708

SHA1
c10f4af7c828377b709d66e0ddfbf99ba2b15fbb

SHA256
9b59768e3a736140970c253fe0ceda0c78b47f4007ec62772e9aedf0a0b5457a

SHA512
b0e2ea96b3d635516e31f4714f863d2cbfc5f4f7fcbecaac17de0c6608b3abd1efafcc07b92c94cf4093fc75feeff60362306ad7ba18b1796c92e63ac58fd1d6

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Network\Network.ini

Filesize
4KB

MD5
573339229e8dfd4d57f46145f9099e70

SHA1
6fb4d80c1bf259d20ba906d48eb716df8c519283

SHA256
8509aa1b6e7a873659d5896fd18477f36be0fbff5e425e86951644e9549b3aa7

SHA512
a6239fa54195eee42360f3f5a2df187fbbb55e8c21ea9919e71507524500f4618ecaffa41e2407ae252dc9a3a37434233175f33575878bcc137e18b4c8cce869

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Recycle Bin\Recycle Bin.ini

Filesize
3KB

MD5
14f0547f1b32795714cabd315b64c80b

SHA1
fe8504e6988db711b306586768f9fc7f71c3747e

SHA256
3959453679d3b47df104e28f6ad51476db53630658339355b72400f8a98e512c

SHA512
46dfab176f225120ef9ae4a44cf0c1a8c3a291ea75abfe779199d350831301b81410b3cf32763f23b9e5e4f2fd828ede67618e978b37e7afabc5d202a0dee02a

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\System\System.ini

Filesize
4KB

MD5
e7c252045282bcc9b1e5675865d8408c

SHA1
2d035d8c608afd1cdcbaa931b1a170de06e60910

SHA256
a2298019b2774ef5f7fa1d22d08738f36e7749ea125bf441a6b8bad23b960826

SHA512
8444337335973db2a6578d49332ccbe5b2e151aac8428b9f6da92f184af91c782a4b6e15164162db85dedcaca3524804ef31a2da90a359e88af9e609f3ef01c5

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Background.png

Filesize
1KB

MD5
27c60fa5b6e8c9545c885f108f501a36

SHA1
58439914234e29a6e8973328dae945ec2fc569ce

SHA256
3aea0caa797e487abb0901648773251ca52f14b680a960baee080f263d2dd9ec

SHA512
26f6a7057f31aab9b88ed5fd779e83e82d32205eb568c46f4fbe93a79182e1f09e00a06d842fea180c2ee469510ad08e26fb8cd08228e3ad6f037802b2b965d1

Download Submit
C:\Program Files\Rainmeter\Defaults\Skins\illustro\Welcome\Welcome.ini

Filesize
3KB

MD5
9fd985ded033fa0fcc86c222e8e4370d

SHA1
83615886c788f272078fbbe02e1f8af87ca1ef4e

SHA256
6b710c75c1bfc4046ce0bdcde3c4f920aaefe1ecd4fa186d3bdfee12af897707

SHA512
4165e953773328557f42f1f8a29f0b566bcd5c347b8d5e9586ba09f2a4283a64e6f0ae6aa0ea0ba2b6ae8b0598ca4fed7e6878969eed371a1e6fe6dd23695c3c

Download Submit
C:\Program Files\Rainmeter\Languages\3082.dll

Filesize
16KB

MD5
466a834d75e06f59bab79c3ed97a9a76

SHA1
3c3cf65c95178f52902e721ff166ecc84df07f21

SHA256
9914b051773cdbaf643ad34ae4f0bfbab0f73929d627baf0416881ab7ac3a659

SHA512
b0ee4f67cc94ff6428350fc37474910ab598784767a21e049f66b944589b5f48f4220c534cb9c79d528bfa91a879819f66fce21277c23d6fdaa660687e23120b

Download Submit
C:\Program Files\Rainmeter\Rainmeter.dll

Filesize
2.5MB

MD5
0658cb31cfcb7bda7f98c9a856c7fa16

SHA1
176cb1121d30f4ad3d7190faa6c41ffe018e8534

SHA256
ee383a2d401f8c5569f267c93804e4371e6f6543ed01cfcce5dcefa5091c19b0

SHA512
10ec757aa5913f60e8a28158a87d8918acb3ea4252176773612099b4993592139d46d70123cdfaf38a224b8e51f4b404230070edc2fd0b74eee8f071938bf026

Download Submit
C:\Program Files\Rainmeter\Rainmeter.exe

Filesize
458KB

MD5
9d84ee1acd3e3bd55d0b1c997316f00a

SHA1
471823ba11ab7402b1b7c8035651b4d71adf34c2

SHA256
825897feed83fb9b8881943177741723746ac876e3d8485b759f0e53af52566b

SHA512
ac5794bb9abe164c2b5b08d7135cfe419601af4944c844682d762aad4c71f76ada7d65e2248bb645a420d90322a9d8ebccca083fc54b287d250660b21f469a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5002d271251d88d519e66f352bfe7c68

SHA1
e799c40eebcd2cda90f85b9cdb61b0295542a008

SHA256
644ed7861450bbbada72d6bdc93b573de913d8ebc6c3d0254ae0d94ccb3fea95

SHA512
411eaa877a84dd8168760d1b10d8d0a5ed90b725bdb1680e0c5caeaabf6bf5fb8266eb493fa30ecff4d676502972479e1881108f7654edf0379c018923cb0781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e814f530c0d5da006352c3a3e8e0857a

SHA1
7d476e984d283ee0f70a6527d1a2f2e8c5005aaf

SHA256
dbf146a319dfb8902228e03aafa2fbff1b7513f026721fe55ed0256be486d266

SHA512
249f266c94cd9c6d482f1c01ae03bf0d23be5d450cec7454e5193adb8ba2e30de5f96eb1f9b27d0fa6bdbd0386c0875c724d5f9f199840a0c497e04b62d49e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
172f3e4b1505af9ddd8b6c9f46b7c584

SHA1
d8e2d8c3e6b7413b8c70389ea7e756c1b73fae9b

SHA256
b8ac93bbca7aa04769e4670025b42328c1d5500d850cae98d41b0c31d5d146f3

SHA512
e9d8b41d4d1f085fcce67157c6a88962dd58e3c115515dd26aeef7ae272a47557d258e30c4c65da5fb1aa27fbc97f638460c4ea02acd7605b79e3920697ec365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ad8becda19e07871c1b4a27496220d09

SHA1
7b85d6bae0d2ea10abe1bf4d73ec6a5d10e2756d

SHA256
1b9eca88eeda943cd9e403bc1c69ddf19dfe25d3fb9274364870857374a44bf6

SHA512
ab950cd1e58a464515e92fffbeb08889ed14266d78af0d55866ede932cd87587cb1d33457bf88041cd5d45ae8edac81969e941bcbe512cd02914cf2294279e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8676d60184ed82658c89d4f1644ca287

SHA1
787fae0058cffb03927858c3007b55952188454d

SHA256
4f15fc5afe8970706b010ee2f345adc0e5b368df640048821a8529576682a43e

SHA512
a0bfed7b3fcf9b78a0eb3d4682e9a735320732d584b1019eb7ec30b847ce8cb39224e7153f6cf5ff42a264286e0e782de3e14924da0c8a1e416ff63bbe1465d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b6102c575cdd1d6337492c6f22438cd

SHA1
43c8e7bd681f3469095117f81a36eb01871c1cb2

SHA256
00291e7c1551854943e23bff58f95b7d95f693e55e645e2f6616dc179c920d01

SHA512
71cb6b975959325ed31f2e0733eacb89131500b3c8e3d17e33511606ff3500d82cdbf7b71b3079ddb8cf57c4a3047eb55181eedb8ff05d367060cad324708005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
415b46ea0122c9529d878ac508daf0a8

SHA1
49e49bb9be5932c289d2b77fbd4c39222ff4e9e4

SHA256
a385359a33ea0a0aa43f42b805b09f6e6aee199d178c00039afe9b84b4318a07

SHA512
8140a4ff1b1cb276746e99880ca27dcad5a041d1f6d9ac9bb24f805b66b8bd698a22e783c2c6d32f683372931a41e280a459a9d7653cacb7fac5ba41665ba682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54b0c6c55ea843d8303cfcf17ac6a90d

SHA1
a75e96eac94bf9b97140ec5f4e2b8a5f34b99b98

SHA256
8494f344a17f356ee26f954862bbc2e8b14ed8709fd5ec41ee5cbbba44af610d

SHA512
e032ac610087387df9f069dc76db1f6576367c7accfcf6335aacdf29ae5c84a88f519900d41bcf0645d6c0f3d13a03ca892adc1b9eff2a49b847bf18db2dc507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f5c7b93b751e2442332dda0abe04328

SHA1
de3c6969346b8c51710c44ce463f9deca9c8a451

SHA256
c89a6cdfa23733cc1aa440db4900c1cb3d2c2c4bacc033ceafe1d3a01cb3ddd1

SHA512
9ad0f47140d43483a6f4e47e9fc566948b4f4caed63a4041dae55fce2f82aa37f19b18d7b42343de66f02cb76bbc7bbf3e36fddf5a292e2e28b46b9ca1817561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de76f194f90d1d91ff25c52ae4d39c93

SHA1
53d2606b7e672abbc6ffb216cb216f5e49c85d56

SHA256
afd29f0a1ae4e70589d640673edc29996a88f05c32f6f4bc8e3dc5e619071cd2

SHA512
07c0e45259f5b3e04600ea5d2b92873a0e5ba17930b9db99389baebba600e8b105862a0fc191cad3def441d6ee3c6fce81bfc09bc07d5bac907ff31b6ef204f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba86cfcad5af3fa012c971a113b808cc

SHA1
6f0e3dfcb57f91999480700c976fbadacf7e4719

SHA256
e984394c413c23f63be5d15ebd7d36923d5f0f17de603aefe5c4f388c35ac4b7

SHA512
3ae1574e6c000e6002220b59234c091d0e24a447d548dcc92a88d21716008373c412969c21e0c43204fdefd186426d436d6fa4c1442bebb0f8b0e1654ff00dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d86eeffea27c3b80cfc022b591adcbe7

SHA1
775ac08b8869983f60732e2946ae161cec0c4534

SHA256
a90b0e9e23c133a93a33d81a63c1ae69993fb5fbe3276691acfd6e12daebddca

SHA512
2d82a5750688d170629027ef3a52e40ca3eed4ef8496c28143a67ebaa120b8c8f7807f6f452b2a43286bd1872fe5c0b245ba60107f6f669db7654106d2499679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0dd4c192db2f685f0b31c08fb18b14ea

SHA1
0cf03188a6f701b012974ad11c08f59d00e4c416

SHA256
4f1202736bff805c94252dacccfb4498b82a26aeddd3543f1f012402a8204bdd

SHA512
e2b9a5fc5e370394410ac93078af5f16e7d8b27e72736b3ead06da95a2cb71567de8cc886046226252ec58b7b74975e56dbb5aee010b252122e42017930b23ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e84951f117a625ff487814857d11310c

SHA1
ffe3297c5be7556c627c73ec97bcb2a279e8ab8a

SHA256
d86146443fa4dc1f0ad6fc7532ca153de13eca82f9d5410c6a761648792826dc

SHA512
ada1b3b57eed4284ee0bca59a9c2cd3d82f9dcedaabecee18ed01b7ae83bae8d168f51583440506182032065764898933b83b8b37477097fd75dd7436a3554ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
805ea54c024c364acacb56143e8352c6

SHA1
c43a80fd3e48c9a64cf7728132a74f6fc2f7de95

SHA256
e0fac16e4029a19b8200955c24113bc80c7d337a133205d689abbfc2d2c4698d

SHA512
54eac93f1531d20457fb64b855811d8030f30394cac2d93754791d6815058eb82d2d162f42ec0011e0fc3b98bb3d5218c56ece0477ad02e4d780504deb3557b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
786f75f69f35ccf507228f21617af491

SHA1
9ec431d5fbaa57d1c46ae9fd0e149a03bff5cbd6

SHA256
b247af4a33767f94e55b0c02ee21d7fbba7f06b377ab2c61e4b31e5119bd11ad

SHA512
756aa477c42b4115ea7de28275b68ab0a1b9419b402a73a2b196f23616b6c00e1f1d3c1a5180bf8f7a7aee84299a67407584d4cd315f90eeaca7d042096d14db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ec90d33e36f85819f68e0757f9aa227

SHA1
502feca7298835a579d478d839684ee5189bea40

SHA256
a73bfa16982b243b0452dd49172346719c4e7a11858eca3802a053d247e68702

SHA512
da9211aa899fb0ce9141b8cfecbc32be00321dd662aa1cbe4ee02499654214dcc4c32af453e88efda344fcc0393a478c04d11d681a329b1c3eb49164f2595132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f525db11d716800b96f4f52cfd80c10

SHA1
29752b821b9f2c37682d486f3b8e379ba5d2cff0

SHA256
447250140bb9878bf85dda310b5fbd19f8f24be1974c71381d72bdf1d10909af

SHA512
8551c6ef7fdbc9031aa4693f77c7fb185830f863429174f0be4c0782fef507bf4c37d180310fe19b80d1571c875b435adc2e93cc3329e7faaab014caaec5d68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
140a9ad0b25793684186e04ddc503e0b

SHA1
84f99fcbf43f190fa8bff579d5014eab3bd10f69

SHA256
b99b967093c644cbd98f651004ed1b71542362dd3ddefb87d36d15d4cbe6d076

SHA512
4be8360975867c16de781d6c620d58c5da6b98aa6e18c164d21a80799805d05af0f118be272e41514e228a8fb1f779df130b551f9a93bcc408ebb80914a79b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58049f.TMP

Filesize
1KB

MD5
c7daf298cb16bcd7ed9558feb8679d55

SHA1
d3ac9bff4a948789f808bb6cf6b497cd74c6be0c

SHA256
8a6fe3b5458ab8c7b3de5eb27bfcd9017a7444aa2e0f828523c99ca02e75e968

SHA512
73643c353b0ce4795865042ac93901e2b54a3c45927ac633c2162950995477763e1e62f63b76136941a868a8f8b965bb067c78fab825e606b88b0797535b9e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93c8440bfeebd5b9456f9215cbddb37e

SHA1
dbe3ed01a241852c27130bce562d30113d446176

SHA256
7d29d36346a6fe8857285c30fdc0bebf63140c41bb14576926d5a965603397d2

SHA512
bb48290105e614df6729fe36a597ab0794509137191aa0ae665ec59084e653f7602b8a37e7a0e854a0458f6871e856d568cceee922db62e5373af553613efcc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01920569dbf9a9558c43109b3a7bd8e5

SHA1
f0ad65777c26461db8a28af8657499b57e4f77f4

SHA256
5aa94bd2a1d57325501bb26fdeda241c86267cf722bfb4e26e3e1cf8d248b480

SHA512
9faeffdf7ea0c2fa9a394862b555809d1e86c8e9a23e403d422df1b277385655a9e7fe0f47fd238c90948a362aa288f5eba2536b277d6d0e84e40a73a99f0004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b350a34426f22486f6959e1a57529246

SHA1
5b8eaaf9d056df65fbfa510cd4ee45632f1ccf58

SHA256
43d8e2abcac06e8b51d6b651875b72dec5b47ef8ebd7354f1230b23acce03fc8

SHA512
3faca8cd62f00ddd286a01ed3f9303c1e75b976d6011250690c676de311bad3038e79f3292f9a4274a62d76f046ed32305c0874a4dbbecfa81930539e16916bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
983b2a1a3505263d4ec79d7d97ddbd5a

SHA1
25f950d42e398f857c0f47d7ec42f5460050b3b2

SHA256
242976c04e58210b048ac7a3982851d624a3bbfdf95dee28b5b290e0f013e6da

SHA512
b89bf328bf8e78cab02260ee29f30c468748f4464f25bdf3c693bf4460b184c81bc86dfc296c9d0c46dcdecb0fe55c29a3b39163344d8ab38bc78a144d000cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ea3e167b-1880-4858-86a8-696e80d71fe7.tmp

Filesize
10KB

MD5
b25cd73454d6a107c459439ebe901945

SHA1
a20bab4d95996c51c07b7367d60a9b3f1363a08b

SHA256
85e0c34539034513c8b817ce3c5b28b88c59c5e0f3b7dfccbfc8c17d737f3f39

SHA512
3c82ef0e861a36835165641579aadbd1991248eddab03767e5e65b8b4034b5f0090063e35d499a5577327d6837018c19a94adb965e429f4367275ace1c319100

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1735.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1735.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1735.tmp\nsisFile.dll

Filesize
5KB

MD5
b7d0d765c151d235165823b48554e442

SHA1
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

SHA256
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

SHA512
5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrEC2D.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrEC2D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrEC2D.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrEC2D.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Roaming\Rainmeter\Rainmeter.ini

Filesize
828B

MD5
b01e0c5e180ed70626c4456d9a70a526

SHA1
e0ea07166ac47587cc02011cb792b49458470d6e

SHA256
ba4107f9844b0d4053f48a8a1273774e5a634e3161aa71b5d66d497e05594ffc

SHA512
4affce4002b0d8ea30036f009d6d2a661cf94558a9b2023157258c4d98dde047388dbe90701f8a4a9f29fe269653e851bd24caa3eeccdf6cba28fe341a3c3102

Download Submit