xmrig | hxxps://drive[.]google[.]com/file/d/14nvUtR0d8prxdJc5vpxn6fqOGSFWD6k4/view?usp=sharing

Analysis

max time kernel
323s
max time network
328s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-12-2024 22:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/14nvUtR0d8prxdJc5vpxn6fqOGSFWD6k4/view?usp=sharing

Score

10^/10

xmrig discovery miner pyinstaller

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0002000000040d93-1171.dat	disable_win_def

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x0005000000043c22-1157.dat	family_xmrig
behavioral1/files/0x0005000000043c22-1157.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 4 IoCs

pid	Process
4672	Server.exe
2980	Server.exe
5760	Client.exe
3284	Client.exe

Loads dropped DLL 32 IoCs

pid	Process
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
4672	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe
2980	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
7	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0002000000043611-1160.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 26 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Appearance\NewCurrent	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Appearance\Current	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Accessibility\HighContrast\Flags = "126"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Accessibility\HighContrast	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Crosshair	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\ = "Windows Default"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\IBeam	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Appearance	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur"	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\psr.exe,-1701 = "Steps Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bd219cb0845db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Defender Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ba8f8c70845db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\RecoveryDrive.exe,-600 = "Create a recovery drive"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071b8dec40845db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	Client.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\ImmersiveControlPanel\systemsettings.exe,-651 = "Change settings and customize the functionality of your computer"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000950377c80845db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Client.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776517279188960"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\ImmersiveControlPanel\systemsettings.exe,-650 = "Settings"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\Taskmgr.exe,-33551 = "Manage running apps and view system performance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\msconfig.exe,-6001 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\quickassist.exe,-806 = "Quick Assist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Client.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	Client.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054dde1c30845db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 020000000100000000000000ffffffff	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\MRUListEx = ffffffff	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = 00000000ffffffff	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\NodeSlot = "10"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\NodeSlot = "11"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0 = 68003100000000007258e88510005348454554527e312e3600004e0009000400efbe8259f0b28259f1b22e000000450300000000040000000000000000000000000000002af622007300680065006500740020007200610074002000760032002e00360000001a000000	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000500000003000000040000000100000000000000ffffffff	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
4296	chrome.exe
4296	chrome.exe
5656	taskmgr.exe
4296	chrome.exe
4296	chrome.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe
5656	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5656	taskmgr.exe
2980	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeDebugPrivilege	3348	taskmgr.exe
Token: SeSystemProfilePrivilege	3348	taskmgr.exe
Token: SeCreateGlobalPrivilege	3348	taskmgr.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: 33	3348	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3348	taskmgr.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2980	Server.exe
2980	Server.exe
3500	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1628	2124	chrome.exe	81
PID 2124 wrote to memory of 1628	2124	chrome.exe	81
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 900	2124	chrome.exe	82
PID 2124 wrote to memory of 972	2124	chrome.exe	83
PID 2124 wrote to memory of 972	2124	chrome.exe	83
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84
PID 2124 wrote to memory of 1496	2124	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/14nvUtR0d8prxdJc5vpxn6fqOGSFWD6k4/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffbb9fbcc40,0x7ffbb9fbcc4c,0x7ffbb9fbcc58
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4700,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5432,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5276,i,17624542440616136495,10722173297022400896,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 820 824 832 8192 828 804
  2⤵
  - Modifies data under HKEY_USERS
  PID:3396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 820 824 832 8192 828 804
  2⤵
  PID:1376

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\WinSxS\amd64_microsoft-windows-themefile-aero_31bf3856ad364e35_10.0.19041.1_none_2fe4331ee906f14a\aero.theme
1⤵
- Modifies Control Panel
PID:5604

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6224:84:7zEvent18892
1⤵
PID:5760

C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe
"C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:5656

C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe
"C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
- Executes dropped EXE
PID:5760
- C:\Users\Admin\Desktop\Client.exe
  C:\Users\Admin\Desktop\Client.exe /WithTokenOf:TrustedInstaller.exe
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3980055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

Filesize
1.3MB

MD5
14393eb908e072fa3164597414bb0a75

SHA1
5e04e084ec44a0b29196d0c21213201240f11ba0

SHA256
59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

SHA512
f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e5d7eaa6bdeb820efd1cd44e120b44a7

SHA1
9f562da40464a431f9d6edb46e8eae4d6ff0acaa

SHA256
8df154ea203ff733463a91f8f9c0d4e7a662695955349a4849463808c9200038

SHA512
f2f18ee5558ebdef95ffa81675b8b96a6918cab0c50ab0806931a58de9ae50dadeb500380060143d9befbc766bbd00313d9a56519fde5d98038f8e05b0f21c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
4a873d150f0fe30918451465c8a75a56

SHA1
f7193f72344788dddf21fadbe98cd496ecaac729

SHA256
908bc936770fba671a76cdc516cf76e1d47973cc4fefb06a4dbdb9d5e1009276

SHA512
fb0988603a0860d8e607128838ab85bea2728352e29297b45b2d6fc32e2b14a42c610de82f0523c427d313e402594476f625d7216dba596eaf5a02b3e61c77db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
bab1938ed67ef7115ac64ff3590f5215

SHA1
7aff334b2f4f6ecf165c5d66116c5145e65381f2

SHA256
24f73d516ec458354b5d81e72e969e882b1d0a4d2e19d7d5f622cbcf65d7fbc4

SHA512
42d815e2664f0dc43c21f7103e8750d80d82b6339daad4f60c9091eb8d43b47a08249659bf1c55e81a1936a9e780b9540de7909a2724540cef51d62c0055d2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
53852e9073c0d38a76dc697ff39a051e

SHA1
d1c0a0dbf92930fe83bc722040dc812f4c4366db

SHA256
5a61d5edab91ee47ff0e7ef6e19c3864210551dc381e064b465c68907e290ff6

SHA512
19ce71c8483caad8c5de768945ccc35ec40bac346234967449440cd4547d241fd700adda4ea64b856c9c17c7adbf2d4905ef124c7cac02bd6b9b9681edf3fbcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4713c355ec2a3d9a3ac8df9a1bc07ebe

SHA1
96962ab5afd642a4d32031d3aa6af04071ec0c68

SHA256
097c17edb8ab8fd6ef3b2ea3e3f418000986e61a46660ab171f1c4836e39eeb5

SHA512
f02887351a817856d0d3e8e8c66aaba25e9b23f7d5012208b688ada3654eb864d55576aa7319f650efde45cb1c3e2e17b41323b64fb67d3ce6a0dced92c12438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b05dd1a9086551ff35253facdfd1912e

SHA1
d052e676939ed1f1f8d8637666ce8fe73c9745cc

SHA256
21f626da1c62b5bf9c4752a9842ad3ce21d10774a0ca75575cc11ebac02e65b1

SHA512
128d2cb186e5d5ef23b834e090db465375421efb7d7e6b2e43ec6662ed160812c390c20d1f4f56a25cacbcd4ab8dcdb43d69f1d032f362b22694a2bee3c0aead

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6dcd0a8ce33c2ff618565ccf9a430ed4

SHA1
4951d8dc528e6aac0a24272e9cd759e83af4d83a

SHA256
b0acab41523fb000e770705f5cf821c98237e059081ee814cd6d2dd4a05037d7

SHA512
09f7c8bf2343cc28b66c8c1cb7da6e35a193778c97011bbdaaf9a66deaf819af517dce42c48e705972effd008eb38d6bd3ce13666746522cb911a0a44ee92dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
853e745b3d217d4f8fc48e1c42f3e074

SHA1
f189bfcc9138e0f2a73dada4aadbd442d93ce068

SHA256
bd2c8842445b4167720d6b26023802c8fae742b37faa181d8157319bcc5f1728

SHA512
344fc046e3567bf85331d3b787bbcf273b4b0f5477366604fa874b51c03b37b9fc575d8139b738f265672e499a5b523800cac71b711a9c4446fe817d24f89441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d1cb4d01bc39d6005b5a7e6139b517cf

SHA1
88c99c87fb81736f5eb8600f74b136b81af3ca35

SHA256
fc8c4825d9c6df8047e1dd95c93000512b09378bfd7ee3d2b5030a3dc379495c

SHA512
1848c4214b36d2a9761bfcd642730260fcfa505dbaade2ff6724b4e6af8c42466ee85ec15362c45d0e62607fab5d96b41422eb1f99583404936b2f9c631ca6ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7cf1a8160603b524aa99cdbd6011f6c8

SHA1
10e1d8ae11cafb6bb7259db896fd741c8aa8239e

SHA256
4dae716b4deb5d788a6f16951b819fa04835b1eeb7421795a582f0b9fb14e73e

SHA512
9efba9acc38ab5e94f53b29fa39f9d725f0bd9f5d5f97bed7ddf0c8b07750585e52d486072c63008fc884bf3c3f29fd8d7509feca6550b351bf40b363cf4f0eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c049b06ce969471bec643e077ddbbbc9

SHA1
13480d49ade5c1d78705fb5c1b7c69ea1d50e74d

SHA256
d23af737bc694b2df881a4a323270b82bd46149099f0a98390a85db29f12f566

SHA512
2bf93608bc3ef4119beb7c61ee06519a7c89cc54f23072ecccab52a49a8fe5a371c0713bd49c2605ca88e740a07425c6bc962e15a1e41ed55af61bb7b366b4b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
40c9932568fc3444c5786df4942992d6

SHA1
7e136a0efec933f89842cca9f1e8a99950de32d9

SHA256
38a44856a89be4b0176c2d75d07af614cbb28a87b60a79aa952c1b9e392e6a2c

SHA512
3c427dfb48c480070e78d849b7bcd3a17c0fe11f385ec47f058dce4512695378a091c5ec37d7db3e78df16c6729ad2a1092ba7a5210ed85fd4e6a3ca4495d5b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
36ce08f8c6bde39fc274bd192c389ef5

SHA1
89ce98a4f39fd121b11fdae262b57c5c11ba9eb8

SHA256
cc733c8841a52a96087469e420084952b60ef5d3c2e8bfb9da8f9a6d6ec76de0

SHA512
4bf36f4be4ccfb3dd9abd8e267a32ff767b2218380ffc09425fa8e6570b8bf3955b4dc8bd058c4342ce1a97d06c78b07e80e01055188d8f5413dccc13e9fbbd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebce43db4468ce9a6bc98ee423346321

SHA1
e2158080a92085018441f5238760830279a39dc7

SHA256
384ee7557ae088443df97191d4b23411a0873b431b4490046a0ec5a1a83efe54

SHA512
751307c7859f0d94d1255d3849235d400f88860699a8b3424797dfbe88c594e44d1c5b1ddeba0f204e628c67110666108afed59fbf1c9904123eefc605dfa8bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6dbcb1467f14ff186065272c92a73558

SHA1
576f76e0b67b03fbda69cd2ca45760c46efc5fed

SHA256
202ca69a4cbe297933f0a30177ddf5697c3fb4adb72bb36fe81ccface3277976

SHA512
463194e6917aafb7c5aba0e8d5ebcce77f357ed450951a6b7d2470f773627e30d7d306bb47c4f9b1570802b7167b4a86683f246d6f871138d4cb58b450edcb13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3920261560d2b8cf29ca5f1969cb9be6

SHA1
0896cc2fe384db3152b275fa3b2604fd7c1f3ba0

SHA256
8467771fe7a8b8dcece889537b60d4cfbf6c57500467f8cea41f19b538f899aa

SHA512
8ce0709e8c16cc0798df40bdae17ba9839b1cf8902adc799e8cbd1b27139c277a6957c7c1cc2d4fa0c4806293069ce287544889a60f0dc9ca4dcbb108c96ea6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cea0a1bd26b363836dd0ab4966f2d9ed

SHA1
32c4337bfa99a159931f7bde7467906c1fd08892

SHA256
acb18820fa4f2e641b85d35f9290cdfb3511e5c31ecf1950a2fafe38d88c5ba9

SHA512
60ac26017f42bf9cfed6a15045fdf1e116e21b555d07fa630c9e54c5f07b37246529ecf56b1f2ec6d6c1b38b7d67b07978f2c05898cfd7041055f6ee99745c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ec97598119afcc2aedeb058f6471487

SHA1
530c3e4e9b8a71c9ffa1617a99df3db8c882eb7b

SHA256
8ef735013097f6f127a0b3ed0c8b8273d61e1bfe5624078c4da98ac0a943d651

SHA512
0b28d0a35daf675a135dfbfdf327a2002d2af4b74a5bfa8009d2d93a5bf169c547a3589c7280a8b3749a10f44ca5f3b8814d0e744d0e3708285fc044e3d3ee2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f1b042ae40ecd338f6528da353d2a282

SHA1
86883b515706797230836ba43ad3c2e672cde8dc

SHA256
02cdc2a5a07e801d64fb82fc194afb7a1883d013f02a134af758e02cf816673a

SHA512
372ff39319c640c2ea96b5c3b29340c8bb4b491d4b62c540beeecfe61ef28514151eb3747e7c8de5c1b510aeae5c2cb0c3159a6f1760d4a2087191eba0a6810d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ac043f79fddb679ae4099f599b06a53d

SHA1
dd3dbfc8dc888bae48be4f9ed101b38d819a762a

SHA256
d2f9d696288904cad31faa06f696ba87da285dc1983297271ec62aa4de6fc9d1

SHA512
144e072ae3306c6882b559e4def7ff4ca086d878b62e7c2b19d4a083c615ece85ccb8ceaa5843fbec2be96a0bcecbf5c3b6dffe8dd6c917e16c5f6966c5dd1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67cdc91c715490906ee379b69ece63dd

SHA1
77b1f9470d606f5e5525e111523d012dcf2dd88a

SHA256
400349758db1b0982833c4076076fb5a00a64b40407dd4ce4f1acfa7ca73af4a

SHA512
3877297b4f25df52a6923279ba8e5a6f9b3c7402d9385aa1c76b5d217f8c3dce2acb729c3da8f99cd4340551e68ac25e9c54f0648df2d02abb126f2c46c862f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3d37326e057b513d5f324a14c8cde0c5

SHA1
6cd08fe0fd52f051c6f45a19a835104518c20cda

SHA256
bf031da418b38f0a5f8b186cb54c3c62a442dcb2d2217b94e66830c06ca7e6fb

SHA512
e3374e4c542b5878727411afb82611a5c380b29d73604289d1cefd156984bbd18eabd61a9287c9ea978729443f515e82fd6c6e87538ef72024d5a3890f22dd4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ae3f2d9ab6164164ad04a673b4b9130

SHA1
18ff7a5e528ed3487b1ce868be1eb6931f148086

SHA256
45b951c22dbcff3388eb0b0e04b497f9e15bf7ba55a63dbf169e25cee9d1866a

SHA512
df58dbec6bdd0aa8984215b4e6289ab2a2406dc26050396b2bf5e5ff696ba755ae11b5a78991154e9b4da109ba2a318f40b59d71771c38c9d6355399f9406981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
08d75045dd7e45efa604bc33818b65bc

SHA1
7ae88e83f04c8fd3fbdcec120fae405324588802

SHA256
8b334c3a227aa81f29b0e43715f5da30e97afdf1612cb97428e0a23ff46c679e

SHA512
e3f352a89f21554a973ec3f88063541b6ffba822373991689713b3a650edf8cd532e6709659fc9c4d36c0f6707b11676c48c273e2a6fdef34194f22acef2ad0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6a590473a29f54318e3ef6c987690a92

SHA1
dab9a008092ae279cf679f69b6f0a517867ddc83

SHA256
590b76f878f6845e428b431d5e83c69982b8bec95055d0aed518a89088525a5f

SHA512
2f83e5ecbb283dacdbfa46e46473d22c8183f4fa94531a71657e82f7239eea42b26813607adc7b3199e44f22c807d67cfc70dc99e838738cc875266f620129b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
39d6ef795d10c5bf9b4c68cbf74f54a5

SHA1
1a6e0130f673c8d42a09fb8db0bcb8f5b497f08f

SHA256
35e32a704f88ce92300827062b307df2191087ed1527b785982ffc4c14e33427

SHA512
ede15f8109e219d3b7712a55c605a6d11efaf4959b46fd6b453b661c3dc66fbffdb3dcea071e813596563b430f48d9dc22b336f5504d713ef83cc0037aeebba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d5a5928be906d478e53e320ab939027

SHA1
736cf322fce726278535f2740f1c6086f7baec44

SHA256
93c5e30036e4c40db63d29936ba7931ce20a5e1cd792b6168223e1b473104d49

SHA512
fe0e02fb9f99691924945268739e375e5c71108f6446cc91abef14178ff13684da3ce37832837a6877291fea14f5a56fed9753f103956cd38ab02ce9347707e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
63235e7063238e71bfd91dc16809c902

SHA1
d5aa0a4c2c26898721f316e1fa1f2442d2b926a9

SHA256
6b5b9ec558c413fcf814afb2b520e3f99b0ee5e558269b502bff2f29ba0c44d6

SHA512
53ce78141df3d16e9df8ba42e75844f1b642e48e2f4bbd64f4935cb5aef744372f3989f6067cbd0e3ff8ac7288e9e731669c94be6fa85bfa6649a491be37f418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
92cc065df3a946746cc59b6a22bda035

SHA1
4955dbdadb1f6a19a6847b860cedbd83013f5a2c

SHA256
9f8b8e886e4e431b24d84d2a8d693bcdbb3887baba2944bd63e190371ce3453f

SHA512
3712e292561881ffadb32b557beef6d5431b9c7927e941342233746486e81ddf3e2dc88984246d2367a07d08edb6044df04cbc0d48ea7ecfe331bc8deaf07137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
41d649680e480e8a87fc29d365cd5a74

SHA1
526347c09af9b57c9c8734499fb61c6091711238

SHA256
954d1bef54a040e629b48f374a7d611f13df24693c59e1e16d2805c53e5c2fd4

SHA512
8b775c4644d37924df797768661c4ef2a59bb0abafa5179918a6f612daa844bd2bf04ace4033fefab9897afb8a8919adfc1afd91c782bd9c1cba0911348f7f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b296ef1f46b01093d6eb99e32a860867

SHA1
712084c446b9e6e5d73a4738fbcd3af7487ca3ba

SHA256
be57476c04f05b2595e0728da3f7d234aedf27f7a1c4183888e6f9630c9c276b

SHA512
3514f72c26404fab4ea3de99c1456d4d0f61d639b5bdf74aece855073b00cff1239deac64303bdadb40332b52fa1a0ef7600a2b7917881cef19250e53e88b19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
a51833cbb108ade3cad95abb6748d04f

SHA1
4262a39f22d77671cfbb72ac6f4425e73206fc15

SHA256
779c3a5e3fb2715b46bff2e9bf89a05808cab111b527d3f1f4262fb23fa6e20e

SHA512
32b2c214141fb8bd8299395122c74d622a497a9c4ab670825cbdd6f87cf966ca65aa7017a04ca9f7b92da847f9ab0ad0575ba2449f7ccc26bd04c80338898810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
bdb14bf0922171f8e8e26c6d00646df5

SHA1
ec36345843c4781bc377ffe33c72927dc698fbdf

SHA256
5f704efb4fa19635d0959551158f0d91f7a0bde4b6df4cf88161ce60df1735ab

SHA512
476653f5672a3d303184ef373464be1d269eac9435ad13d78f2dde4c7a931dbb12a94ac3b6e4966198d8efbfc48d5e89b1a9366e7e46919e65263f47a3a72af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
bcf814038bb56e7da74956b16596f0e7

SHA1
f7e1ce5d6000d1849f235b23ba5682cc914b39fd

SHA256
d7e451f018fd6d76753125941476f87479a5cf1ee362f1fb7ef7b3af60d265d9

SHA512
424e3248e24522e39a751a8be896e5d7067da0543224ac7c7bcc05ee89a7f258abe21db0f47fda178e3c23072fc5851ef4b1dbca995ff62c0cd90ef007d0fd92

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\n2cegasz.newcfg

Filesize
804B

MD5
0fdec7b2e03a2c083abc92ed4456e592

SHA1
1cb0f8f788d848cd94e033a412d771a2246db905

SHA256
3ad604abe4483f139ae2f55d0168f24d0b6cbdd53e09e810be333afd4cc76033

SHA512
fb799f171a6e1d0abde06265ddbfadd8d0c1ddf1049a8a546d2b0c38d1a9161897e5e3995fcd13a3058579b5f80500d36c626631b5f3c4e533e2eb98963aff33

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

Filesize
311B

MD5
a35bc67d130a4fb76c2c2831cbdddd55

SHA1
66502423bba03870522e50608212b6ee27ebf4c5

SHA256
e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

SHA512
4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

Filesize
434B

MD5
cfcf8e91857f364e002065c52ff8f91c

SHA1
8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

SHA256
572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

SHA512
364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\user.config

Filesize
561B

MD5
2e8ab7cdc2081c09a98f6c5593909409

SHA1
282769c943f8ab0429315869466d042a99de95f4

SHA256
17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae

SHA512
b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_i5cm5l3jhkqbqgcva4ebc4kkrfcdkh51\1.0.0.0\w0n23olm.newcfg

Filesize
687B

MD5
b18785caae8834f89e34cde89b93cafc

SHA1
cee194149b484295ddba88111a251986bdc0c7af

SHA256
105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811

SHA512
fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\ConfigBulid.json

Filesize
1KB

MD5
3071a60e3daac1fe7b97d115628c98d9

SHA1
249d49479a8a6544f025c6e781268847f42a4469

SHA256
2a725ea0ebc6ce93f78c3f785781558723f663fb42f171b18a8f9e51c5aad725

SHA512
e9745de08c87d2f6746d9fb5f988eb109e9a25b7f61f9ad75aefd90559b1a77a054ccdc942c384b0d1933310345fd68777adf2dc8485bb9a9c83cfdfd7e9e1c8

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Confused\Server.exe

Filesize
1.8MB

MD5
2f4953747860b6b9f5e2d281ad7b33ed

SHA1
b3c494f18efc33201bfeb70c46a20305e9e6a4c1

SHA256
b497e24534343529d5393ebdbb2d9f7418ee984621a1ac17c61f6b69a19ea548

SHA512
e64337f8cb3491b0962c9caa6a44fb6dbeb4d439b1ea9959475b85244537ada732a894199c77f56c92fa28f676ffac371c84769acdcac7400493f9042710c765

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\IconExtractor.dll

Filesize
10KB

MD5
640d8ffa779c6dd5252a262e440c66c0

SHA1
3252d8a70a18d5d4e0cc84791d587dd12a394c2a

SHA256
440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2

SHA512
e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\MetroFramework.Design.dll

Filesize
16KB

MD5
ab4c3529694fc8d2427434825f71b2b8

SHA1
7be378e382e43eae84f1567b3570bca9a67e7697

SHA256
0a4a96082e25767e4697033649b16c76a652e120757a2cecab8092ad0d716b65

SHA512
02d7935f68c30457da79ad7b039b22caed11d8aedfec7c96619ac6da59ceb7c5e7a758dced64ec02d31c37a2befccdc8eb59be9e2dc849aa2bc22fabb5fa00a5

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\NAudio.dll

Filesize
464KB

MD5
2e68aeb46e26a29ffe74cf97b94cbaf0

SHA1
9384fa2946f744be3b47e131df14cbc0632052d2

SHA256
8e347abc9301d67dd7493a0fbbe5cc1f912900c204a84220cc8cdf0e0b8df0de

SHA512
39e56b0dd316e9a927ffeff486969f2a472f9b262b6a131afa60c34baa01784cde9cc6944f1a46ee73f3cc7135cb0049cc5a4bdfa419fab37667829522f6e7c9

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\MinerXmr.dll

Filesize
20KB

MD5
99fa25800b9fae285578f10f94028664

SHA1
51e08fd7c41e857776efdb1562178bd7126f4b6b

SHA256
5c1d6717a5adede293ca0cfbaeffc805add2eb1086d50c9b3465eea35391a395

SHA512
e64eb8ed8183c0d78c25f7bb67b267792bf34cb8a7d72deac457cda8a69f16b737e8972f588ce58566c10fda6f57fa389c59ee5637f8e91ea7f51724dad9a3dc

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Netstat.dll

Filesize
12KB

MD5
89a00c87c006c3a62058c0e748d2bd2e

SHA1
902af277b4216bedac469ef06eabceaacbf6c1c1

SHA256
c5fda1aa90d4bbc8762e488f8bfcf98d90993a4cccac1a866a9701a76cdb237f

SHA512
d8d1fbb7bec76feaa48fd28f2c541c824d759a2fa3b9a244a17859452309eb901f73d864151a8808991eee7ebbd8542a8152a78409b44d398f032e5b2239e1b2

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Regedit.dll

Filesize
266KB

MD5
6d576833fe0c563d123d1091d26d5405

SHA1
1af67253ef16a4244fb29bb37945aea6e2636976

SHA256
63f64144f2802f2298d3956c25eda341d961b99eec9b27fe74b0256d89146feb

SHA512
10bc068bb79548b2d965feb555d504b28db8edcbba5a56dd52b902375a08ddc8a1cceded9180367e393582a76b86ca00bd2a7e2cb152692affba35c071252ec3

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\RemoteCamera.dll

Filesize
95KB

MD5
0fea40d86be5f053179814b6d7b6d17f

SHA1
3778ef8bc09b791d517fe90da64978e58480dda4

SHA256
5e33ae7f7b3e5838550a37501683aad0b77383ec8f3b7ddbfd295514c8645a67

SHA512
a8e2ca51b343532a0ff7585f1a25f9b4b17f5dd521385fd2294b7197f0394279665f513af712a263d8d877d62a79008c794b958b1f0a838644ce092203e9ac9a

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\RemoteDesktop.dll

Filesize
1.2MB

MD5
f8aef2a46829420080682c1233dd0e15

SHA1
b75cde7ad84f187a2ceaac0f32749a34539c342e

SHA256
f7a83c1455e0e0b41dbe6e69daa346356fbfc076f3edb12b99b9d0f76ec4068e

SHA512
36e21f7ab7fbab14e5e56eb45950d999448201cb245ebe0471cacd5883d41e344eb80cf7408aacd6a1560fd9629b63f8e380dff8f17258a2db96907898abd522

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\ReverseProxy.dll

Filesize
14KB

MD5
da656fe7d882ae6f8c78101acf4e0a2a

SHA1
99a183d8fcbab8b8e594627989b260ff1494558c

SHA256
99997873b952b44998d9c28a25d26c97046c6152f517deb9c06f738733df7415

SHA512
3b666d5c1e5a21facab580ad6837bab267c64c902f25af9fdf185e60e3c4d73a64681c987471803e3c48182e9b526cd35173ed3cb28d101e402638c7b9c344d4

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Scheduler.dll

Filesize
353KB

MD5
a604f7d5acca504de9021798c3ac4bf7

SHA1
8368cf3bd6035c9951eb83e4dbb95b237584c2a6

SHA256
5f15a72a9f53fef2084ad853cdbfd867f4ac8f792fc649b8c3befa7c98a03d64

SHA512
054b3e447d87c3433604bfa808fb7f0096fa0b05b74cd31a6faf9ed679f5e7a4694a25be78525bc7364b05060195e903e3154241171bf306d088c1c6a32b700e

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\SendFile.dll

Filesize
19KB

MD5
75ef0d23e82fe64a3ac7980a57149aa2

SHA1
2e1505803f415c2f2c033a2b8996df0ed916f8a6

SHA256
d396f3c20883a3b71244c87c537595108010239e4e17e6c09bca83ea5a475677

SHA512
9b99b78cc3a94e68d72d2a5aadf07a12c6b18c0e076a25e17533323b7d8cfb86d05ce7e0b46aaf8821070bb369e277f28bc9d3c957904a6de66257e3502734e5

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Service.dll

Filesize
10KB

MD5
5784f50a914a811660b9f52dd06582cc

SHA1
7657546e28dff1d6aefef1e686fbc0d94fd49fa3

SHA256
c2a8c6e202547543b3230641976d83f6f73552b511dff7e4d3d67331a568fc27

SHA512
d9bc3053733e085eb0b7dd69d99abce60822dd19ee2cba390448509de4365b56fe38f8d4f7837a4c5432f851cbc4f0ea070ce2046dc58518e86208f11393d339

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Shell.dll

Filesize
11KB

MD5
3d2ba275ab2effe84b2133e454369d8d

SHA1
459409c58abb1a9a3dfa982e4936b5cc0113f701

SHA256
814ff32263b24e91ad6a8d00e6a9fce3e79bee939d76824d8727b04d772b4fa3

SHA512
46fb7675a51df8b15c0460ba2d774d83b9630caa1fbc7cbab417ab4a966cbf30e9e64f3ee6e2e65cb1650d1cf431a2682b4f680256d8c3598b845cbeaf062977

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\SpeakBot.dll

Filesize
9KB

MD5
8ecf481177682ecb8902dd85f7dcc607

SHA1
0575c5068aabab48ab3b5895128cd95743dbd5da

SHA256
f5cf80fdd20004e3a9613cb4bdfcfc388f84c8f94db88698da68ba450ff2b2c7

SHA512
472d0a67fea7411deb9ebb486495d92a7aa1c45fbc3fe05e7ac65b6d8f2839e2b34eb02ab55135726f3d0ae1942ba77f2e0bd9264b7bee0e3610d122aafe4d9a

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Stealer.dll

Filesize
588KB

MD5
4f4396fa54d391387278e7a01bf86b90

SHA1
6b802ae39bc0b0124b5a728e1d8d82979d09dd85

SHA256
3bde5b1c709aee5e9f37da56e69311a4f90bb49b1d48f63837d9d2cb61c8d998

SHA512
e24f55ffe8e0f34450f7e2b84cc7e8df727282cd1153a720856c3d480ca4b165089d3134580a3f0e6f4b0a08bd358c0fba6a2203404ced1efdc23b8db9c5bf2e

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\System.dll

Filesize
9KB

MD5
c2385c1f53830a5460c1860a45d87d80

SHA1
f17bfa6627fc74a25f3d1f820487e4186fe58d6a

SHA256
b16a3300b9e6fc91952aabdaae1e23988af9d11d47a219c943b24f9c34a96c5e

SHA512
4345833f6976f5e8c0a60e436e0a31c5a2778a7987eabf4da0d7319758c0ea3e258306573207b8101edd8f6c5a02b9104fe5d81bc6a101d161f8f3ec9000af15

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\SystemDisable.dll

Filesize
13KB

MD5
416fb9285fe6e40959e3e2a9f4d87919

SHA1
3ac1683244a009d8ccd43c5d136a7acd64203bc3

SHA256
5166d3458c98962a5c49786185d26600563b6ca3afef2c9e35079c7dd4b865c3

SHA512
cf325b560d55c396cfaf25b005eb481db3acef4fed53729795c094faf238234474c2fd9bd9e45978b504bd1c881fb346781a606e90a2e102014b79adf8815010

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\TaskMgr.dll

Filesize
12KB

MD5
c49afe7c8af97fce442ef4e0dd796b7e

SHA1
18234fb90c4676fc1a493fdef87168bce8775cc4

SHA256
79c00793de5d62302c16d60f00dd21f864748de4ae17b2cb6cd4eeaab87fe9a4

SHA512
b36307eb3c2615cda99fdd594fb1c119df2ab59a87a2f4c34878ed640c47118439d02ccd0f43e9051dd188cd2fb9c3dc4952a13a9832ee129ea0fb2e6f880274

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\Uac.dll

Filesize
19KB

MD5
53bd2ce77bfb21d22bc831285d64a1ee

SHA1
573b8beb4766374531eb373dd48ddde45f14e0d0

SHA256
fec5ce9214e638a7b337177d4c9ac927734872e5198a7e7201a0ce6273cfa77b

SHA512
09bcb81d6a72d9ecb392f3fcbadddbdea8966e14cd6c64fa6011020dc48a84bbd8ee69a593dabf12e9711e09908edfde09581210a4501317bd107951eaa929ba

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\WormJoiner.dll

Filesize
1.4MB

MD5
47cd65eeacbf54f87f2aa9cc16c6e31c

SHA1
eac36baa52bf5ee9a844732c1b84e1557a72c12d

SHA256
83bf7e0729f78c1c38bb77025843d4b680103aa70c4a84f19041efff8c88c7cd

SHA512
b7a50627a50df81fa283cdec14b30576179d867a57fb9fdee42adf1740ab598f07a6424f795f34f457e82ddce8af74339fb88657b9a4761465cee4fcc86c67de

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Plugins\WormSMB.dll

Filesize
458KB

MD5
1a74d3d32675790e76281df64148383c

SHA1
1191e52832f8a93e5bd814d147b9c70986c6af6d

SHA256
fe347d754bad7d8e7a9b446d94b965b43e987819af6afe6160d4dc73ea3b5b1c

SHA512
e53b4bf6c8343b432ade5776971b9c79f6bf9393b11e692e9e6f7938416e97c7c78f40babd336f28481d59107f0cad8748dbfbaef5bd91d142450e8c07db3592

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe

Filesize
1.3MB

MD5
dd6667db55acaefa2d7e99dcf5d97a26

SHA1
c1b281ef573df4da584294c61b5322edfed589ad

SHA256
ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238

SHA512
916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Server.exe.config

Filesize
7KB

MD5
2083876ec03ad06e5c16490fcb4ab8b6

SHA1
b8f50f08abd53225c046912471dfd271a98cf15a

SHA256
28026de2c65972cb8fac1ff2865c33e24d1086f7242b2fe951cef172909ad128

SHA512
b16f1fbe8e10b66079d83a46818423fb2e2e8619cbdc1427ce0cd27f06092af52bcc003755e939320cf84f8cc5a26c92e43041013fe3ef60c7d73d8624ee6096

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\Client.exe

Filesize
47KB

MD5
a0e04bf9b43f0b442bd3193f06dc52b5

SHA1
30bb0c17640c414d948ed3e2fdf571b98f125efb

SHA256
71824238c3baec179911bd6e4655ebff234e15d0f14248077e2c388ef4337009

SHA512
d7015f5c8223ba0f4e3b478185fa3e4de0831aee949302185fdc8b3afe59105fe096a3e5ee23219a1c16dfcbc77d169a82774ecd727ef98bdb94a878583a2ae2

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\UserMode.obf.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\WinRing0x64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\ddb64.dll

Filesize
32.2MB

MD5
82967b6c24f52664a3b9399f853ea812

SHA1
064e83897c545f71f2f6a879ea0845f6d23ec9b9

SHA256
528458c9d7ac88959d2d83aecd0544bf75727d34795deaf658ff3b82000a9e44

SHA512
69625de4e8cadfd361858cd588ef514cf8cac5f1a022541f831ff490bcc5048bb580f1c2a04820f3f978c299cf7b24058c9173cb51086e8bc4813432012e697f

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\ethminer.exe

Filesize
4.4MB

MD5
38cfdd6cac508c40137ee45dc6857a59

SHA1
199f87fd7bb827b75543141acf580f4e53417595

SHA256
7ca69c624f9745a11ece45baaec80a3e7b596199d4997b4a3a07caecb0cb02d7

SHA512
d4dc8f03288c09c82308025e138c027335067cd6b88ef078ae6a6ec2a79f12e69628ca52a08c19cf0b985acee301c0b823b42ef9830fa94c305f2377c29deb50

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\fds.dll

Filesize
106KB

MD5
a6616dc75aa8f04a473e93d36315696d

SHA1
bfaae46514424f27c1204aa7a4ddf3497a4eec4e

SHA256
97d5a331191b9361ed82c41dbdf74a0b54901d20129a0c0a0f1ecbeca5e9d1ab

SHA512
5eaf900eda2c6f494750d59b7bfa90d05374146e006ffce3b6997b9a3aedff1d0b9a6c4cffc796950b63f7c6708ad64bcaae3a517e8ee27c79e6a0bff435783f

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\nvrtc-builtins64_112.dll

Filesize
5.3MB

MD5
61c8ad0912cd1a5a4093342a4ceb9888

SHA1
80c0b77d68643680b364604e91104f23a61ba2f4

SHA256
fdf1b46d181009aa3ea08e4692499e25edf2dd9ca6bbdd9cfa3ee37a73e8ad3b

SHA512
deb8d3d9d95d7cb7380b1fb0835f3f80268dce63cc1bce06d30ef050179f92c403f6e8d45b0ad8d4ced53649c7a744ade6743c4a98384ee336a4c103b118e38b

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\nvrtc64_112_0.dll

Filesize
30.5MB

MD5
5bb58f73e1d17bf4263eac2390095140

SHA1
a451494f177a323badee994f5973ec76c264c405

SHA256
53275679bcf450cf7199a9267f7fcf669a2c457b19d67699391e30d5ff944481

SHA512
6396b27e243280ed7cfdd86ed8b9ea914e7a2b17bc21607ccd148ff1aa4c230603e58b5dc48244d3f2b47cc1dd53266c33502907b82e181b0b78dc9d2c0b964b

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\sigthief.exe

Filesize
6.4MB

MD5
3e261becbfe12d7a5ffdbba91c76011b

SHA1
2e5849aa0be921849f42121544895ce405fd9af1

SHA256
c85e5240da0e9d06677278f01c55f7d2611641ebeeafff9529e383e6948fd9ee

SHA512
02e897be04fd0d42300d6822f21cf8e435c53ef8ddd5054d9313fb348ad6ccfb70da3cec402d1aa1589217911f9bbfa3623d73dc647c23b0db3e0a656ffd76ae

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Stub\xmrminer.exe

Filesize
4.9MB

MD5
f97406a10af445519bbb391b22366978

SHA1
400339e335bc0352a9a342008c1d146cddb1b2d2

SHA256
4766966b4c125dcdbba55f6d9beacc371ee9700e0f10900a35ef9f15b3357022

SHA512
1df48a68e2458109d4cbc0331ab11c1c76558d617c2a70d6f60ca3783aea7c895f05204d647986d28b8d6e48f6479e68c4b9e87176a8761219ae4b636a37c6f0

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\System.Collections.Immutable.dll

Filesize
175KB

MD5
8f55c22412f7d448d6e7b83102665368

SHA1
88df86ee0b137992af15a35825804274fa252e30

SHA256
67730917b4e856e37a9d78245527584087fac6b20a7377677b2f444cd15db918

SHA512
058431aa2280511b00a72ea55ded9bdaef55420f5bce10c9352d4f92736a11884d1e70706016b988cca560358b3b43ce1bad5c9bd726f11d8ad66e3c91f98ccb

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
da04a75ddc22118ed24e0b53e474805a

SHA1
2d68c648a6a6371b6046e6c3af09128230e0ad32

SHA256
66409f670315afe8610f17a4d3a1ee52d72b6a46c544cec97544e8385f90ad74

SHA512
26af01ca25e921465f477a0e1499edc9e0ac26c23908e5e9b97d3afd60f3308bfbf2c8ca89ea21878454cd88a1cddd2f2f0172a6e1e87ef33c56cd7a8d16e9c8

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Themes.json

Filesize
33B

MD5
fdf6d963491b41d9ba798f60fe27ef8c

SHA1
4908bfc78d191f60ab583fe093bc579fd5ff06a3

SHA256
bfe1437218dd94ccd078a8683f59b65e28d8d63defa7f419b2cef81bc031a7bf

SHA512
96e5981739a3328387aaf80b6b6a071dc7a2135d5bdaa99b638527b9cd82eb514d21d27a26445a01082a4ba8811ac130a671690e51cf780fd66acdd3a12a3c25

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\Vestris.ResourceLib.dll

Filesize
76KB

MD5
22fbd571c82399e06e0a7321eedef722

SHA1
ed5aa859dc8141d93a2bd8a8dd14fc50391b66db

SHA256
c05a6f13106e2dd10ae279c3435fb63fbabdc328f94d8065231c3cacfff5fc4b

SHA512
65aa846054a2b0c0dcb2db15273269d8514e000ac67e71542f910d8f556a0ea11e5ab5400b7f2026e5e51fef185d8e12379ac52fa4788c8940727a3721d134d0

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\cGeoIp.dll

Filesize
2.3MB

MD5
6d6e172e7965d1250a4a6f8a0513aa9f

SHA1
b0fd4f64e837f48682874251c93258ee2cbcad2b

SHA256
d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

SHA512
35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
C:\Users\Admin\Desktop\sheet rat v2.6\protobuf-net.dll

Filesize
278KB

MD5
9fbb8cec55b2115c00c0ba386c37ce62

SHA1
e2378a1c22c35e40fd1c3e19066de4e33b50f24a

SHA256
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

SHA512
da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04

Download Submit
C:\Users\Admin\Downloads\sheet rat v2.6.7z

Filesize
29.8MB

MD5
7171abcbf9456bb4818e80b86d65a073

SHA1
5cd5f315f1c3492cba87e45c043f261787067efa

SHA256
a189bfb57431f8b6aafd8f1ea88d716f12e223ffe06a42e7ed2b362d6f3ffd09

SHA512
1c41262fac2884ddf4649934a9090b42af136bf0ce62361671f39089ed3e9192c14789bb9b3d10294725e06303b14cd52004b8faaf7381be02e6a0aa786079ad

Download Submit
memory/540-179-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-178-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-177-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-184-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-185-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-186-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-187-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-188-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/540-189-0x0000022C39A50000-0x0000022C39A51000-memory.dmp

Filesize
4KB

Download
memory/2980-1482-0x000000000F430000-0x000000000F4CC000-memory.dmp

Filesize
624KB

Download
memory/2980-1334-0x0000000007030000-0x000000000717B000-memory.dmp

Filesize
1.3MB

Download
memory/2980-1418-0x00000000101C0000-0x00000000102E2000-memory.dmp

Filesize
1.1MB

Download
memory/2980-1333-0x000000000A9C0000-0x000000000AD17000-memory.dmp

Filesize
3.3MB

Download
memory/2980-1380-0x000000000A370000-0x000000000A391000-memory.dmp

Filesize
132KB

Download
memory/2980-1335-0x0000000007190000-0x00000000071DC000-memory.dmp

Filesize
304KB

Download
memory/3100-157-0x0000015740980000-0x0000015740990000-memory.dmp

Filesize
64KB

Download
memory/3100-141-0x0000015740760000-0x0000015740770000-memory.dmp

Filesize
64KB

Download
memory/3100-173-0x0000015744D40000-0x0000015744D48000-memory.dmp

Filesize
32KB

Download
memory/3348-63-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-64-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-67-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-66-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-68-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-69-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-65-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-59-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-58-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3348-57-0x000001CAAB380000-0x000001CAAB381000-memory.dmp

Filesize
4KB

Download
memory/3396-207-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-214-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-206-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-208-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-210-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-211-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-209-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-212-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-213-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-215-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/3396-216-0x0000027D43F30000-0x0000027D43F40000-memory.dmp

Filesize
64KB

Download
memory/4672-1201-0x00000000095E0000-0x000000000960C000-memory.dmp

Filesize
176KB

Download
memory/4672-1203-0x0000000009ED0000-0x000000000A227000-memory.dmp

Filesize
3.3MB

Download
memory/4672-1197-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/4672-1196-0x0000000004CD0000-0x0000000004D2C000-memory.dmp

Filesize
368KB

Download
memory/4672-1195-0x0000000005220000-0x00000000057C6000-memory.dmp

Filesize
5.6MB

Download
memory/4672-1194-0x00000000002E0000-0x0000000000428000-memory.dmp

Filesize
1.3MB

Download
memory/4672-1199-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/4672-1282-0x000000000E590000-0x000000000E642000-memory.dmp

Filesize
712KB

Download
memory/4672-1200-0x0000000007E40000-0x0000000007EEA000-memory.dmp

Filesize
680KB

Download
memory/4672-1271-0x00000000098C0000-0x00000000098E1000-memory.dmp

Filesize
132KB

Download
memory/4672-1202-0x0000000009900000-0x0000000009BE2000-memory.dmp

Filesize
2.9MB

Download
memory/4672-1198-0x0000000005B50000-0x0000000005DA2000-memory.dmp

Filesize
2.3MB

Download
memory/4672-1204-0x0000000009650000-0x0000000009672000-memory.dmp

Filesize
136KB

Download
memory/4672-1270-0x0000000009DF0000-0x0000000009E2C000-memory.dmp

Filesize
240KB

Download
memory/4672-1221-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/4672-1207-0x0000000006700000-0x000000000684B000-memory.dmp

Filesize
1.3MB

Download
memory/5760-1504-0x000000001BF20000-0x000000001BF3E000-memory.dmp

Filesize
120KB

Download
memory/5760-1547-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/5760-1502-0x000000001BFA0000-0x000000001C016000-memory.dmp

Filesize
472KB

Download
memory/5760-1557-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/5760-1503-0x000000001C020000-0x000000001C182000-memory.dmp

Filesize
1.4MB

Download
memory/5760-1438-0x0000000000AB0000-0x0000000000B42000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads