ryuk | 8f6bddd131f27472a4b974c3a141f8eba3a2c110b4b19d755408f67aed212b68

Resubmissions

10/12/2024, 01:39

241210-b3gqhaypes 10

Analysis

max time kernel
83s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Size

378KB
MD5

7bcbd03a264f616bcbf64dd973c9e120
SHA1

5d2b6c04f634672ba0a11063dd1bc225446af2c2
SHA256

8f6bddd131f27472a4b974c3a141f8eba3a2c110b4b19d755408f67aed212b68
SHA512

f5b1dc62441d9bfdb57a7ae6ef41c46106e510ba73cea8372cc0a2765c192d27dc3f41c1dfadadcaaa39ff4fd87b0c84b81ecd3b14c8315edeca3dd0a8789242
SSDEEP

6144:sMfwnT2W/Pw5qjylH1/7QXMWibyJp/qQ:snTzPqHkiuX

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	BIYpj.exe

Deletes itself 1 IoCs

pid	Process
840	BIYpj.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	RuntimeBroker.exe

Executes dropped EXE 1 IoCs

pid	Process
840	BIYpj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\BIYpj.exe"	reg.exe

Enumerates connected drives 3 TTPs 38 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png	RuntimeBroker.exe
File opened for modification	C:\Program Files\ClearCompare.avi	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nb.pak.DATA	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line_2x.png	RuntimeBroker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\net.properties	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado28.tlb	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Interacts with shadow copies 3 TTPs 63 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
19752	vssadmin.exe
25492	vssadmin.exe
21312	vssadmin.exe
11428	vssadmin.exe
8828	vssadmin.exe
5444	vssadmin.exe
11780	vssadmin.exe
8912	vssadmin.exe
10968	vssadmin.exe
13280	vssadmin.exe
14284	vssadmin.exe
5372	vssadmin.exe
10884	vssadmin.exe
6252	vssadmin.exe
19780	vssadmin.exe
13236	vssadmin.exe
25316	vssadmin.exe
11372	vssadmin.exe
25540	vssadmin.exe
11472	vssadmin.exe
5240	vssadmin.exe
5392	vssadmin.exe
19888	vssadmin.exe
9048	vssadmin.exe
19556	vssadmin.exe
25216	vssadmin.exe
9348	vssadmin.exe
9620	vssadmin.exe
17512	vssadmin.exe
9020	vssadmin.exe
19584	vssadmin.exe
19524	vssadmin.exe
11344	vssadmin.exe
11884	vssadmin.exe
9188	vssadmin.exe
19496	vssadmin.exe
19468	vssadmin.exe
19808	vssadmin.exe
11220	vssadmin.exe
4764	vssadmin.exe
21196	vssadmin.exe
11524	vssadmin.exe
8684	vssadmin.exe
10832	vssadmin.exe
19860	vssadmin.exe
25584	vssadmin.exe
9728	vssadmin.exe
10108	vssadmin.exe
17496	vssadmin.exe
8968	vssadmin.exe
19648	vssadmin.exe
10044	vssadmin.exe
16188	vssadmin.exe
9468	vssadmin.exe
8596	vssadmin.exe
11116	vssadmin.exe
25180	vssadmin.exe
3012	vssadmin.exe
11400	vssadmin.exe
11316	vssadmin.exe
12164	vssadmin.exe
25388	vssadmin.exe
11072	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
4044	taskkill.exe
3840	taskkill.exe
1068	taskkill.exe
836	taskkill.exe
3512	taskkill.exe
4968	taskkill.exe
1500	taskkill.exe
2468	taskkill.exe
932	taskkill.exe
4636	taskkill.exe
4292	taskkill.exe
2824	taskkill.exe
4376	taskkill.exe
3140	taskkill.exe
3684	taskkill.exe
4568	taskkill.exe
412	taskkill.exe
3976	taskkill.exe
4372	taskkill.exe
1000	taskkill.exe
4196	taskkill.exe
3016	taskkill.exe
4804	taskkill.exe
2484	taskkill.exe
2700	taskkill.exe
4088	taskkill.exe
2880	taskkill.exe
1524	taskkill.exe
3100	taskkill.exe
3972	taskkill.exe
1776	taskkill.exe
3164	taskkill.exe
1376	taskkill.exe
4800	taskkill.exe
1104	taskkill.exe
4584	taskkill.exe
4832	taskkill.exe
552	taskkill.exe
4360	taskkill.exe
1444	taskkill.exe
772	taskkill.exe
1612	taskkill.exe
2872	taskkill.exe
4816	taskkill.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{FE3D7DBA-929D-4044-B01A-6584B9038650}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{80CCDB04-EECA-4051-BB16-3B903CB08B54}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{457A07F3-CF9D-4F79-A06A-CF7A77EB2D4F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{7BDD3E10-CDF8-4265-9E1B-14DE97A57E58}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{39E33141-1B59-4252-AB3F-551FB2B844C1}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
840	BIYpj.exe
840	BIYpj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
840	BIYpj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	840	BIYpj.exe
Token: SeShutdownPrivilege	4016	RuntimeBroker.exe
Token: SeShutdownPrivilege	4016	RuntimeBroker.exe
Token: SeShutdownPrivilege	4016	RuntimeBroker.exe
Token: SeBackupPrivilege	16228	vssvc.exe
Token: SeRestorePrivilege	16228	vssvc.exe
Token: SeAuditPrivilege	16228	vssvc.exe
Token: SeShutdownPrivilege	8988	explorer.exe
Token: SeCreatePagefilePrivilege	8988	explorer.exe
Token: SeShutdownPrivilege	8988	explorer.exe
Token: SeCreatePagefilePrivilege	8988	explorer.exe
Token: SeShutdownPrivilege	8988	explorer.exe
Token: SeCreatePagefilePrivilege	8988	explorer.exe
Token: SeShutdownPrivilege	8988	explorer.exe
Token: SeCreatePagefilePrivilege	8988	explorer.exe
Token: SeShutdownPrivilege	8988	explorer.exe
Token: SeCreatePagefilePrivilege	8988	explorer.exe
Token: SeShutdownPrivilege	3808	DllHost.exe
Token: SeCreatePagefilePrivilege	3808	DllHost.exe
Token: SeShutdownPrivilege	8988	explorer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
16108	sihost.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
8988	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
19632	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe
23740	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2552	StartMenuExperienceHost.exe
8576	StartMenuExperienceHost.exe
20192	StartMenuExperienceHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 840	1568	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	85
PID 1568 wrote to memory of 840	1568	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	85
PID 840 wrote to memory of 2824	840	BIYpj.exe	89
PID 840 wrote to memory of 2824	840	BIYpj.exe	89
PID 840 wrote to memory of 1776	840	BIYpj.exe	91
PID 840 wrote to memory of 1776	840	BIYpj.exe	91
PID 840 wrote to memory of 1000	840	BIYpj.exe	93
PID 840 wrote to memory of 1000	840	BIYpj.exe	93
PID 840 wrote to memory of 3164	840	BIYpj.exe	239
PID 840 wrote to memory of 3164	840	BIYpj.exe	239
PID 840 wrote to memory of 4376	840	BIYpj.exe	97
PID 840 wrote to memory of 4376	840	BIYpj.exe	97
PID 840 wrote to memory of 772	840	BIYpj.exe	99
PID 840 wrote to memory of 772	840	BIYpj.exe	99
PID 840 wrote to memory of 4196	840	BIYpj.exe	307
PID 840 wrote to memory of 4196	840	BIYpj.exe	307
PID 840 wrote to memory of 4804	840	BIYpj.exe	103
PID 840 wrote to memory of 4804	840	BIYpj.exe	103
PID 840 wrote to memory of 1612	840	BIYpj.exe	582
PID 840 wrote to memory of 1612	840	BIYpj.exe	582
PID 840 wrote to memory of 2484	840	BIYpj.exe	694
PID 840 wrote to memory of 2484	840	BIYpj.exe	694
PID 840 wrote to memory of 3016	840	BIYpj.exe	714
PID 840 wrote to memory of 3016	840	BIYpj.exe	714
PID 840 wrote to memory of 1376	840	BIYpj.exe	545
PID 840 wrote to memory of 1376	840	BIYpj.exe	545
PID 840 wrote to memory of 4088	840	BIYpj.exe	583
PID 840 wrote to memory of 4088	840	BIYpj.exe	583
PID 840 wrote to memory of 3684	840	BIYpj.exe	301
PID 840 wrote to memory of 3684	840	BIYpj.exe	301
PID 840 wrote to memory of 932	840	BIYpj.exe	644
PID 840 wrote to memory of 932	840	BIYpj.exe	644
PID 840 wrote to memory of 4968	840	BIYpj.exe	427
PID 840 wrote to memory of 4968	840	BIYpj.exe	427
PID 840 wrote to memory of 3840	840	BIYpj.exe	641
PID 840 wrote to memory of 3840	840	BIYpj.exe	641
PID 840 wrote to memory of 3140	840	BIYpj.exe	125
PID 840 wrote to memory of 3140	840	BIYpj.exe	125
PID 840 wrote to memory of 2880	840	BIYpj.exe	704
PID 840 wrote to memory of 2880	840	BIYpj.exe	704
PID 840 wrote to memory of 1068	840	BIYpj.exe	129
PID 840 wrote to memory of 1068	840	BIYpj.exe	129
PID 840 wrote to memory of 836	840	BIYpj.exe	131
PID 840 wrote to memory of 836	840	BIYpj.exe	131
PID 840 wrote to memory of 2700	840	BIYpj.exe	465
PID 840 wrote to memory of 2700	840	BIYpj.exe	465
PID 840 wrote to memory of 2872	840	BIYpj.exe	563
PID 840 wrote to memory of 2872	840	BIYpj.exe	563
PID 840 wrote to memory of 4584	840	BIYpj.exe	362
PID 840 wrote to memory of 4584	840	BIYpj.exe	362
PID 840 wrote to memory of 1524	840	BIYpj.exe	207
PID 840 wrote to memory of 1524	840	BIYpj.exe	207
PID 840 wrote to memory of 3100	840	BIYpj.exe	518
PID 840 wrote to memory of 3100	840	BIYpj.exe	518
PID 840 wrote to memory of 4832	840	BIYpj.exe	674
PID 840 wrote to memory of 4832	840	BIYpj.exe	674
PID 840 wrote to memory of 3972	840	BIYpj.exe	683
PID 840 wrote to memory of 3972	840	BIYpj.exe	683
PID 840 wrote to memory of 552	840	BIYpj.exe	217
PID 840 wrote to memory of 552	840	BIYpj.exe	217
PID 840 wrote to memory of 4360	840	BIYpj.exe	591
PID 840 wrote to memory of 4360	840	BIYpj.exe	591
PID 840 wrote to memory of 1500	840	BIYpj.exe	647
PID 840 wrote to memory of 1500	840	BIYpj.exe	647

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:16060
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:16188
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:8596
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:8684
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8828
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9020
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9188
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5240
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5372
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5392
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9048
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:10016
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10044
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11472
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11428
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11372
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11316
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:10108
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11780
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:12164
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:17512
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:17496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:25024
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:25180
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:25216
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:25316
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:25388
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:25492
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:25540
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:25584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:13236
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:13280
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11072
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11116
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11220
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4764
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:10688
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10832
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:10884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:10968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19496
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19648
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19752
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19780
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19808
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:19860
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:19888

C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\users\Public\BIYpj.exe
  "C:\users\Public\BIYpj.exe" C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
    3⤵
    PID:984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
      4⤵
      PID:2060
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
    3⤵
    PID:2328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Enterprise Client Service" /y
      4⤵
      PID:2028
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
    3⤵
    PID:3508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent" /y
      4⤵
      PID:728
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:1780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
      4⤵
      PID:1332
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
    3⤵
    PID:4224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service" /y
      4⤵
      PID:4680
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
    3⤵
    PID:3312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
      4⤵
      PID:3596
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
    3⤵
    PID:2940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
      4⤵
      PID:2116
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
    3⤵
    PID:1180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service" /y
      4⤵
      PID:1524
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
    3⤵
    PID:2252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
      4⤵
      PID:3180
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
    3⤵
    PID:4912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client" /y
      4⤵
      PID:1496
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
    3⤵
    PID:3360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router" /y
      4⤵
      PID:1972
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
    3⤵
    PID:4976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
      4⤵
      PID:968
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
    3⤵
    PID:3536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
      4⤵
      PID:3684
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
    3⤵
    PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
      4⤵
      PID:880
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
    3⤵
    PID:4576
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:4136
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
    3⤵
    PID:1452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:2484
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
    3⤵
    PID:4084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery" /y
      4⤵
      PID:2824
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:4076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:4296
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcronisAgent /y
    3⤵
    PID:4520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:4316
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:3932
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Antivirus /y
    3⤵
    PID:2948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:4668
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ARSM /y
    3⤵
    PID:752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:4304
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:3032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:2412
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:3060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:4608
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:3448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:4452
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:4236
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
    3⤵
    PID:3820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:1380
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:3704
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:1648
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop bedbg /y
    3⤵
    PID:32
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:4312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop DCAgent /y
    3⤵
    PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:2452
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPSecurityService /y
    3⤵
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:2252
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPUpdateService /y
    3⤵
    PID:2332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:3560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
    3⤵
    PID:4372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:5032
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EsgShKernel /y
    3⤵
    PID:2168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:3684
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop FA_Scheduler /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:2596
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IISAdmin /y
    3⤵
    PID:2912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:4376
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IMAP4Svc /y
    3⤵
    PID:4036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:4828
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop macmnsvc /y
    3⤵
    PID:1180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:4012
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop masvc /y
    3⤵
    PID:4568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:3648
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBAMService /y
    3⤵
    PID:4032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:3512
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
    3⤵
    PID:1212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:4044
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:4404
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFramework /y
    3⤵
    PID:1676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:4500
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:4780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:1852
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McShield /y
    3⤵
    PID:4440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:4880
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McTaskManager /y
    3⤵
    PID:5016
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:3476
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfemms /y
    3⤵
    PID:2256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:3224
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfevtp /y
    3⤵
    PID:3616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:1908
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MMS /y
    3⤵
    PID:5076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:2808
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mozyprobackup /y
    3⤵
    PID:1792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:1000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer /y
    3⤵
    PID:2196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
    3⤵
    PID:2060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:436
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
    3⤵
    PID:3744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:4392
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeES /y
    3⤵
    PID:5108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:4432
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeIS /y
    3⤵
    PID:1860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:4312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:2784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:2700
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
    3⤵
    PID:2116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:5032
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSA /y
    3⤵
    PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:4648
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
    3⤵
    PID:2872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:2468
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:4408
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:2424
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:4992
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:4036
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:4664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:3568
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:2576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:4076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:436
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4912
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:388
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:2824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:3840
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:3236
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:3156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:1584
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:2216
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
    3⤵
    PID:2360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:2924
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:4808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:2188
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:1968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:4112
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
    3⤵
    PID:2256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:1644
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:2932
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:1212
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:4220
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:464
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:1960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:3292
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:2700
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:3740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:1400
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
    3⤵
    PID:720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:5028
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:3648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:4560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:2452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:1000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL80 /y
    3⤵
    PID:1376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:4360
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL57 /y
    3⤵
    PID:2144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:3508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ntrtscan /y
    3⤵
    PID:2324
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:4140
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
    3⤵
    PID:2176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:3248
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop PDVFSService /y
    3⤵
    PID:4320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4168
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop POP3Svc /y
    3⤵
    PID:1216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:1312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer /y
    3⤵
    PID:4084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:1416
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:4452
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:3172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:3724
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
    3⤵
    PID:3476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:3460
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:3568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:3124
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop RESvc /y
    3⤵
    PID:2544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:1912
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sacsvr /y
    3⤵
    PID:2476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:2308
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SamSs /y
    3⤵
    PID:3156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:3180
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVAdminService /y
    3⤵
    PID:2692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:4568
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVService /y
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:4556
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SDRSVC /y
    3⤵
    PID:3904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SepMasterService /y
    3⤵
    PID:2300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:3732
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ShMonitor /y
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:3308
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Smcinst /y
    3⤵
    PID:2376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:3384
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SmcService /y
    3⤵
    PID:4472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:3512
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SMTPSvc /y
    3⤵
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:1516
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SNAC /y
    3⤵
    PID:404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SNAC /y
      4⤵
      PID:4800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SntpService /y
    3⤵
    PID:1636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:4360
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sophossps /y
    3⤵
    PID:1104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:4852
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:8
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:3672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:3552
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:3508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:4076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:5080
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:3744
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:3292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:2080
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:1760
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:1252
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:2000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:4104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:4672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4236
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:3704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:3124
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLBrowser /y
    3⤵
    PID:1400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:5068
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:1376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:2088
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:1568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:4412
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:2644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:3960
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:4100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:4168
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLWriter /y
    3⤵
    PID:2732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:5076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SstpSvc /y
    3⤵
    PID:4108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:4156
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop svcGenericHost /y
    3⤵
    PID:4644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:2356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_filter /y
    3⤵
    PID:2872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:5052
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_service /y
    3⤵
    PID:720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:1320
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update_64 /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:1632
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TmCCSF /y
    3⤵
    PID:3268
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:1468
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop tmlisten /y
    3⤵
    PID:1612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKey /y
    3⤵
    PID:2576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:1104
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:2440
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:2736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:4876
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop UI0Detect /y
    3⤵
    PID:4360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:4744
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:3508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:2764
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:2692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:2360
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:4960
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:2116
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:1952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:4988
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:3548
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:1492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:4404
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:2668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:932
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
    3⤵
    PID:3476
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:4540
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:1188
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:2580
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:1500
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4828
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:2552
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop W3Svc /y
    3⤵
    PID:1760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:3656
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:3744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:4824
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop WRSVC /y
    3⤵
    PID:2904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:372
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3460
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3740
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4876
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update /y
    3⤵
    PID:4104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:3508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:3552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:772
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:1860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:3704
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQL Backups" /y
    3⤵
    PID:4296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups" /y
      4⤵
      PID:4188
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
    3⤵
    PID:2732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:4556
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
    3⤵
    PID:3712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
      4⤵
      PID:4508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:3188
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:1476
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:1548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:64
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop msftesql$PROD /y
    3⤵
    PID:4832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4292
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
    3⤵
    PID:1768
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:1712
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EhttpSrv /y
    3⤵
    PID:1320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:2924
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ekrn /y
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:3664
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ESHASRV /y
    3⤵
    PID:3268
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:4852
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:5052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:1216
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:2484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:3016
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AVP /y
    3⤵
    PID:3820
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:1936
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop klnagent /y
    3⤵
    PID:3176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:728
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:1332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:4976
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:2880
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:3492
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:4824
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:4680
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop kavfsslp /y
    3⤵
    PID:1648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:4556
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFSGT /y
    3⤵
    PID:4160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:1944
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFS /y
    3⤵
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:2356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfefire /y
    3⤵
    PID:244
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\BIYpj.exe" /f
    3⤵
    PID:3756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2824
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\BIYpj.exe" /f
      4⤵
      Adds Run key to start application
      PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:800

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5016

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2080

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2116

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv LqK+mZg0m0mYB5beSzQrVA.0.2
1⤵
PID:4296

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1500

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:16108
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:8988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:21140
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:21196
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21312
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6252
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9348
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9620
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9728
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:14284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:16228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4c4
1⤵
PID:8664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8576

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:19632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:20192

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:23740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:24272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:24436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:24976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:20784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:21272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:21540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:22080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
c5611034998b279d98ce62f5b6342d3d

SHA1
b9c204ab75e31c5626f9ee8c38d40bd9839bb9bb

SHA256
58b20a26f17b3a5004916b0f03c80db6f5b267cf05f00eb0fc434cca1d19e579

SHA512
a61a7ab60a88919e36a7bcb564850b4a624d627c7ca73dcf6422a4506c5a0e2ddbee09027b1bb6c39aab3b72c61e952ec5f5b6523e31eb77ba502228f71d6455

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
484ef09d2bc969ca2ad432fce64bc72d

SHA1
f6b66a5abdd2f6a926c85574d9b0fa6b557a96f9

SHA256
4ee311bbb53bda61a41f596360466db431dac218c06b5b7bb943927e11515b5d

SHA512
5683e7df5fa9f1d1d5c67c1d36b08e3e575cbc133618ca49d57818a8705ca7a79d5b82861aee5eb2347e76a9608f80f0e40923ef44984b672c21b389f4a40386

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
1fccdae21c67c9f77234d92297fbfbff

SHA1
abffb1d007c277d01e723f1264d330cd5a55208c

SHA256
6757aba44de66bee01b404d9c9cef613087df00ef5d8706800bc3104939c459c

SHA512
8462fcf3c069827fb73101a4e8e5fe18516a582da07d0fe93a5b49ffcbaae99fe15153b199dabd1ab21d91183d51c5b038d290f3927d9bbee7a9c4cd807ac878

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
928d8c9de4b0ff2d64becdd65a44dd5e

SHA1
288194b928b6bbf4ba432d7d72dec0d4e04406d0

SHA256
c1cdd63f3f91e5d6e08e83958be3ccf5645fcb8d5752c2ee0f4e02aeeb04d7cd

SHA512
9fa89890aea975a9f9b9318483d4c6e75f6f16a82b9ff22feadd02cd1127694a9e9a388a5d89a02392005cce6b06890af98e4442e8b4809f56b3f8b7f1ccc5c5

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
27918ddd82f78b607a27b9a2e64f031a

SHA1
86d3be863cf564028464ae8e4bd9de9b47716dfd

SHA256
575f7eda9c20eccf0f037cf19d2ca59a09c9852bbaae47c1a3611247da9f6ccf

SHA512
ab56c769fd32230f1c0a005bd9e62c131d8c5c66c2b2ebdd475ff3cc385ee6b60b620fa8ef8982500ec1265d5214e02382cafac8059d9d7dc4f9a5ecacc69209

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
29b76f5779465f8eeae620f8c182f8bb

SHA1
34ca195636a93da4329788ed0fa37b65d011e75c

SHA256
01548879aa90e701cafa30dfffcb0b4c7b0751df98519d58ae54b1f039213dfc

SHA512
52eabff3af002afef9a352db20c4600ebc1e71baeb7b0c672f6e5de812701714442c6f9cf5f57db4da2a42fd9ed1c9d3eafe84ee6e20327686b242f5ce277a87

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
84ac94a9903bada50e65476a820e5d81

SHA1
696f0efe73c2759b528639d54268b8b00b886912

SHA256
3671b7b4653671e2a68f6d5254e58915fe7311012308018ba61243960051ea3e

SHA512
0dea60c0cc23d091a22fda76393b5db2b280ca505a8c173d54132a0c43730647895c2553b4ecdd5b8183fe079d113a19cb9c5a1870e89a4795ada66a685720df

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
5KB

MD5
55fd43e8aa1747b5f182d01dfaf1b522

SHA1
c410ac4b09c65a4bad4442fa14c98e1418a6106c

SHA256
91658ccc497833158d48072bed9a1a6c81a57d09f17be4fa6a0ace3621e2b090

SHA512
77d1f98215e6cafc295fd5da2803d1a32e5cf4de725cdeb13f00cf027ae099782faeec86e2f3f71d2e09937033916c65d30833c79ffc1e1d47dfa829903208b7

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
9KB

MD5
12931be05050b67cb175f8626300f345

SHA1
4b47315ee812b60f943b025e5d1f1de60fdc15ab

SHA256
2b96e0fec962c29c52d873305f758eb37863b6f9c3c85250e352dff3376846f4

SHA512
fcbaf21b9326cef07ef653ed8404348936d0a93bbf3523a56279f78d0c2f0f8d1dfee4ec4f8c82e2e688da19f2fbc37e19171ce3ca82484474203e751c45251e

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
11KB

MD5
0f77256f2c2f9d64005f01798281ab27

SHA1
a01d1bdfcb6e5d29a75d38436ac269d1929d6fa0

SHA256
b542252fa6f7151a0d23b6bc9bc67b218750cb8207ddbf2be2e2883ab614d5a5

SHA512
d779aadaa1ecb76675e28127c290ca6d2d1c3ed28c8649b9e1dbe11e50a59e5b39c2596af9952c613dedc93fd4f0441eee1ddccabeae6eb302c0e3d112f7a442

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
2f63f755826321b62ba97e2841f7fb42

SHA1
c21f8e62d5551ed52e3784565fde006f902eb125

SHA256
6caad5f5a44508e6417a5cd039e0c06e27d4e8b0ceea80ac3c4932a342c3664f

SHA512
2eb7a86d3a61d96d001b605d406caf33a97f0d8453a5848db9af7d8544416b94f34b93f5af3f1eb26639b5a94a0e6c5d45c4b284fd243b25e0e013f85ebdb608

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
13KB

MD5
bb0f7fe44333ecd6fb4d5032bc6dd5b7

SHA1
db87094727a49d8ccd3fe5c1e28d8e5e8095d762

SHA256
b273c1774a705f975dbe8d96028ee7254ee2ab18c52a01993f9f71a3b8a6d94a

SHA512
481cff5e726c44e5d29e01598b5d09fb4b0e6c30e99b08ad9c69a00d9dab09d842f3ac8e50c402f6c485ed44cc0a4984e947c0420b973f22bc39ab94b0ca9949

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
0b68710c831702305181078faefc7903

SHA1
19f07f4d187d474622135c28942d8df968c461d3

SHA256
802639d8987bd209a7b8bcbb992f35e5315a26c5e9950f2c235aa14e0783e235

SHA512
2ebc15626b119eebedd7f31a8c71bc45d5d9b8ca91d5d8bad38781dcc9d0671101c4a314c1103d6c852578215a207c2c822e6e105477997d73f9a880339e6843

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
5KB

MD5
2ccda8eb4b89476bd3c962f11889b8e4

SHA1
80bd5bd393f7ffc3326413fce6ed115168c86b06

SHA256
01fb2994e69e560c2591733d88aa615819137225f13ac092ec5cec7d0de4961e

SHA512
0e168acb90e3eff10ad54a271ab8bab68a7c5cc26b0ff0c35b4304d4187a09d4cfcd12e19a40c177f829d41f46d3328edf7c05371527fd3f6a37b56d613ec4e8

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
9KB

MD5
8017cbbe257ee5d7260e4ea79491a623

SHA1
3c4fa8ba3e262ac6beec1e187a631d7f83beba10

SHA256
285376caa9b6bfa0333cc763d55492824f288be670828832347819939f72abe5

SHA512
52d7bf53fc52374e2008eb960def1cbbea8e9b0c33137bf82cfb252d42a13928005020be8eb9f34bad90c4525a46dfc8d1febb009691736b098dfd5c014371fb

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
10KB

MD5
6feedda63fec3870739026da936a1383

SHA1
8b1c4ce6c3df8faada0daf2e0ffb73fc5a9354ca

SHA256
c15bcaaa3f73b819bcb5e38e7a2706f6c9c666136d4d6974e27bf9a1faa1d180

SHA512
de2128b0bf8af07fb88a42d97efdef5563c6cc2e18cc1179b7387e9ad974777a7acb16a249608fcdef6a45b08f00bc80f833651bd56966c490b986fe03329ba3

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
97f272a6855ea575fd1211e54aa7d114

SHA1
b983a4a3436f27686db4db4a6b223a9b0c1db2fc

SHA256
b9d65d938ae747615e747920a831b4d67fd90d828bd59dd75c720c4b297f6fdd

SHA512
b203091e026bec8974b5eb6a1a997c46d2831a1e16f9c38022350d9e0a5ced4b6fd1afdc001f8a07d31e450d32e19d9a305990a4bd32ad33f451fdcb957b38d0

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
5KB

MD5
91ece03a67949b8fc2a3eb724623a149

SHA1
e11da7c1f8896c8c47bcf243bb29f27b61ba03be

SHA256
0b143117e1d545c3265a29e30c1e0f604fdbb1c83a7deb0b8a3f180fe71ff40d

SHA512
d2d4c0cba74299a05d7d41a5c671d89cf5b2de0d6e8ba17528af05b5f1fac5460429e1380122c6e123934a2a451a73a8cfc6c0e9a70c4b9bcc74361c63de118e

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
8KB

MD5
24cd5a46bcacde63f8318f00d4196945

SHA1
197861a41733429485df376441f693c271f53c5c

SHA256
7493e637474a53475f259be0f4a04ae50966fe0d5be7ed6310afe4a24ccf8ea7

SHA512
fbadca7321713c38b427f123a2d4c373cf2b91276f088c3b6499ff0e5baa3ebc03d435582e31784d92ff0395811c8c03de5ab27f81c25360416c1e9e9e3aed83

Download Submit
C:\Program Files\7-Zip\Lang\de.txt

Filesize
9KB

MD5
d17d75ab624122968c99c99916baa503

SHA1
2cac134925ad49145f6d50e984354e0cd3c5d03a

SHA256
0f1b98b9a885f25c6b5b27c7ac3495e2b1613690658b1554858521569aaa2707

SHA512
08d336c212aabb99f8383bd0ace0c1f412503c5d48c56f208a35dad6eb59d18dc1fb11a427646a9e6dd58e4ee76bbfb5909f002194ea885f5b3f8f74046cfebb

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
16KB

MD5
d737ef314146767f8e17fc2af041cb68

SHA1
7ef8f4629fd959d6072507d1dea759d7c0a24ead

SHA256
7beba5548ad8d5451310b7776bf3b3fbba81a10cdb53ee893b9cb4288f34684f

SHA512
0366d303a6f34a56d961d9792074a56d266a59a13ce61305b2cd24bbc25b4689cc6063dba86f6474aa2c1d73d7b838226f8403a92d273c48e864b160ff19d1e5

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
8KB

MD5
b8158d683ae717e090bffc213ddaea01

SHA1
426b262489888718e4a5e2e05dd7812213b2063f

SHA256
459507d5c44941368a0061e33cc8ee15c2042368c06664349612f4eda5f3c094

SHA512
ff651b910622dce47ab2675014a432d55f31da948c1bbff5014fef3853added9ca29075f25491abc940e04355aa3e6c65d6e7337682cef76d4e72f53fb4189c7

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
5KB

MD5
86fcc9130f8cf84e1893c1dfd8a5eb4e

SHA1
af4dcb0f69f34ec7474f8d7ce354c92773abfe41

SHA256
6f1cd1155244eb78aa450e1f044ee7a0f0b7bd08c270f3a0294c23bf27a002be

SHA512
de63745f669c1036785441a89253f2c6ffe25ecfbfb24d93c3982e693b7c084eb180d7c12bb809b4f314e39796959fffb57ad09a166099c2e3ffe23a81269d43

Download Submit
C:\Program Files\7-Zip\Lang\es.txt

Filesize
10KB

MD5
4429cfccc5065ef41a5cb0f0011fc5b0

SHA1
67f60a7c7c63bce981374bbb6747603fdcd32c12

SHA256
287d6b6aa419bfb61b8c15cc9c338bb90f8342954fd46bd0fadd02fe98422f8f

SHA512
3451f2acf96a0fd2c96f3e43dea2d1651855a4f8e580912904ab9a420c07c304f3fa27d39e6435aacfad7781dcf84a89b2a4e603f1062d35e9a1523049d9edec

Download Submit
C:\Program Files\7-Zip\Lang\et.txt

Filesize
7KB

MD5
b5e865b5747ac39f31d6f49d0cfc9b39

SHA1
5a8b65d0dfb90a2dea6b9289cc263c1e33ab0b0d

SHA256
d77ab49817bba07ad833a1dabc8ec370687f0d242ae2397b8b595332e21f6afa

SHA512
4741e8a4b745f19eaccc5f689482c9dc3b9d5eb45a80362ddb768029ce08ef216c6960b8a276860279ed6332e2dd9d90c2997072d013b24e554ce4722ef643ab

Download Submit
C:\Program Files\7-Zip\Lang\eu.txt

Filesize
8KB

MD5
7932d1cf13fa235a5a960737a7130e56

SHA1
017b2c4cead57ae2a7f75d45697c0ed3a2ddc67f

SHA256
a1771eee39177c5935518d0db44c09fb1a347d19cf133164cf9e2e0e29379eac

SHA512
37ee785681b753207cef7980fc05b05d5a694d7f3a1cb96aae950f3dfabaaeb3be3049831ed3358bde1e1c300ed505171d377346a98394ac9f5e46dea4ebc8c5

Download Submit
C:\Program Files\7-Zip\Lang\ext.txt

Filesize
7KB

MD5
436570c6d12fd37975ab7bb01d5a3cae

SHA1
1d79a5948166903241254929350f074ab429aaa9

SHA256
0242d8c78558726fefe3fae735947c6552ee2f71330c0c728249a141f6a3c66c

SHA512
af04d3d3bef0b89be22dda2c7a53f668decd75cf0181d27a5184974445f8ee0560ebb9abba3c2516f001082c8a1e39f9af85320c98aee5a2b17e79c4fb393ff1

Download Submit
C:\Program Files\7-Zip\Lang\fa.txt

Filesize
13KB

MD5
154ce7ec000ceb9fde7b375112082ef6

SHA1
1eef0618aa8b2dc4f27cadc4644522fc20432a02

SHA256
44a831575536a704efca1f218eb341f5036f8b10f1c30a657f9b96fbb7837788

SHA512
f46645a56019d5e94eaa234a27e57b5b158fb25533a9fcb0277772c729201a1a92a8737631bc4d938bfc31ba7d2bbcf81c1eb0b5b36cdabad161a4270331a3c2

Download Submit
C:\Program Files\7-Zip\Lang\fi.txt

Filesize
9KB

MD5
e55fd17ed34101ffeaa47e736ea8959e

SHA1
be3e8a06361bf52f72bcfd9ac2ca29f34cac690d

SHA256
1a60a445494ef98f5770dcdc73554b8425269199ec42b89d611289f0e8994040

SHA512
e3c82cd95d097ea0a9be09307a1e2bdd291bd08c0c6ae94e8728108f011f0774d834cb1fb411c62d02b8f2d286a3d56d65c63bcdacc0fc9cbd8c5da2c92aa3d1

Download Submit
C:\Program Files\7-Zip\Lang\fr.txt

Filesize
9KB

MD5
76e9bf51fd5ab9c9e742807b6a005438

SHA1
45e214f5e2debeb43aac2f35c3348d026d2448b6

SHA256
c1d8d6c2b2c0cb1ae5e7803c4b91f5c724be017bf2cc4680c7bc23e410713960

SHA512
f76cfb65643a45606859e17657f2172bd7be180a733655ae68d02a24018a917a4f9ad38b6a30520c701196f5c10fc5cba15ace161d50a308b993b8eb01b80ef1

Download Submit
C:\Program Files\7-Zip\Lang\fur.txt

Filesize
7KB

MD5
9e2b4a390a0cd487a391187266c90448

SHA1
0d1fb5d729bb8015ee181a2d53d23eb60d47f0e3

SHA256
d593f69fa929c6feafb4dd1599cfb2ba54d352cfda0a70a5ab2a456d785cb0fe

SHA512
b3c6acd31c373f6657a98001000ba5618da973dbe733592f237eff66ef27ef691c9bd0fa87f39053d18877a81884f2d8d6d6ed8e40ff95fb052fb1d21e327851

Download Submit
C:\Program Files\7-Zip\Lang\fy.txt

Filesize
6KB

MD5
9d4140c503fe6f8565d581e2fa56bb16

SHA1
6b0ec93b9e9da1869bd6ba4288e1636f87f86f2c

SHA256
d55c7d814883526f2fcaf926787c03463b5c68b016980f00f21609704f786e4a

SHA512
4573029a9e6b48312bb784fe77cfbf2be9094c559de4a14f9182bf2bde005b1e93322b313f178c491b679ee52c0a39e54d0e11f488f0b0d6694c6dab75880ca6

Download Submit
C:\Program Files\7-Zip\Lang\ga.txt

Filesize
8KB

MD5
90d322f96d54e1496340d07768806c70

SHA1
de309add0866d041ab0e26d67af113da21ff7f55

SHA256
50d8423a42034a3c2da3524dc778aaf17e6a36b53a510df73743650cd58989f7

SHA512
2dc139cccc941813c97b06b836a3c4f36038ab55333c208f83852a97b85a8f6cb8ba2053bafea8cfaa79a0dcc8fb417f7da29e991b1a7aec8f97b5dfc044e27c

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt

Filesize
9KB

MD5
b5da8e2504e540b65ec51f92d9c1ad4e

SHA1
d84b58d47dcd5f3dd411d80c7bf64d7fa6b021a8

SHA256
526e50f429731891c0e202841f7051f2645f3b9ec76684ebf67a177f8b62146c

SHA512
cf7cc2821997ce89fe3f204f697d13474e7866be519b9aba09c7207532cd534a5d881f88c70624ec456f3d999f35c2976259b9d32e23e6eec81b295e85afddb9

Download Submit
C:\Program Files\7-Zip\Lang\gu.txt

Filesize
17KB

MD5
b7c99c40eed9fe384735f8d8fff1a3a9

SHA1
d3429766a4ba9b1587ba5fc2e4684265b1f061d9

SHA256
3b57fc3118edd66451fa0c1554eb197a0e7921d5c2cd7aaa6efb7bf50ecdabe4

SHA512
a0c73e727e7c377c9529e0c032068836bb431c6d69da47d64e0714e707b9d0664fca4fe69eb17eff874491156110c4d63b1a58e365b5d4ca8dd259896ea01ffa

Download Submit
C:\Program Files\7-Zip\Lang\he.txt

Filesize
11KB

MD5
670e5e535e26ca0ebdd581d771bd37d1

SHA1
d7ceaa7cb0a01de8bd7036f28f4935170aa02f4d

SHA256
a907420c9bea60381793e9feb6a75576d36328509e8fefc8e9607d258a358827

SHA512
8c61154d4f6f1819ec71d46d3354e435db71ddb7f4a9f86127fad62c95919205698b8f89403bb2b084ea5c1d1424f9ad99043acba46844ab727085aa2b46c291

Download Submit
C:\Program Files\7-Zip\Lang\hi.txt

Filesize
17KB

MD5
f4f12a12449e8a95e16f092cfbc304a6

SHA1
9671ab1f8215f1b1adebb6245f82a975e6795e12

SHA256
fa1ee949b22a9d9c4df2bcf272ebd65151bb407623dc7dfce67d97f44f6043e8

SHA512
18a36f849f830cae0878200ec4958bafb484a7c729c70170be8cf51986d55aa1a155e0d15a0db57b7f15883da56aea343e8822fe36ad955125eabbcb144f7d3b

Download Submit
C:\Program Files\7-Zip\Lang\hr.txt

Filesize
8KB

MD5
3c1230a71e3a2f23d0fb84bdf4a98f9e

SHA1
3391b036fe23c40d37eba71842283146fdf99d59

SHA256
23ec91ad0bd7b5805261f3680b943f924488792ce786ece572af5ca393733b91

SHA512
1003942f840fee5b5a39f258c75dfc31b5e036c89c485315311f1835eeca3b720e9b577e4fc227157002125475c9e82ca76b2bd9e93a6f164733beafc6ecfbca

Download Submit
C:\Program Files\7-Zip\Lang\hu.txt

Filesize
10KB

MD5
407cd19b3e6496a49e13c2ac3a048ee5

SHA1
a486ef31e8c913c76eb513fe5c9e529980462a6d

SHA256
8528451c5f0d47503db1f5f30323ea8f351a13f3d1791fdec84004d9a28bd9b7

SHA512
e5c62fa376ba7dc1b13e6235757ac256d55adcddc72e646d9e2514ca43a0962a2f239e1d9a0ceba6cd5f588dcc6bd9731281255bbee572a958343dcb0caff62d

Download Submit
C:\Program Files\7-Zip\Lang\hy.txt

Filesize
14KB

MD5
0861da3fbfbd4c4f730c1d82fd8c7fbf

SHA1
bd6a084fea5312b7e60829fb8e64decd94df62a1

SHA256
8311531bf05916c6dc32fca5d748f6226dee393dc36a482ff524686a32cebd3e

SHA512
988b636017c53b7c75a89605b169c9b5e82e399d7d138f08cb402a6d944edc05732577f36a87ac7374affad1753deedbd0bb659494e98d0440246dbc2dedc291

Download Submit
C:\Program Files\7-Zip\Lang\id.txt

Filesize
8KB

MD5
15648210e03c2f671a41cd718e79e1b5

SHA1
1ade1ea3660a6290c0ef3632ad22df55cb0101af

SHA256
5a897b842ffc33ee1f3189c3e383d6d55b45003de4fc3c202cc89546d5dc6d05

SHA512
849ddc1dbf8be0c7bf16283382d7e865e344be082a75bab112c6a42f7132b06f50547dd950982d913fc5852a2acbe489eed8a2d1d2f6699b10f35f05cc5f75ae

Download Submit
C:\Program Files\7-Zip\Lang\io.txt

Filesize
5KB

MD5
11cc3b93ffed3b1f7af2877fa1cff8b5

SHA1
57950ce18d3503706249f4e7a5212f1eb6fb691c

SHA256
bc6ea5dfb934f1eb9d77156926ca5ae8acb3e01047ca2dd0a00a31c4f38af9d7

SHA512
66e15120b2b57d00be239db10bb1c420fd2776a80f0f057a5b12bf1f26ecd35ff67ee09ad7fc3a8b347285624f7788359c97581610ac4c0c9445cfac77bc3a79

Download Submit
C:\Program Files\7-Zip\Lang\is.txt

Filesize
8KB

MD5
57fcd80df3fea24b8775950ef8e09583

SHA1
484782506e4a6041e6f4388d767bf83b75f251ef

SHA256
853476cf4f27c0bed470b3e0952a159544ae6e1452b341e96dcef6d8656a4b8c

SHA512
600f6427e97e67b9850df3e7ec3719478fd14307dba1f8b509cfbf72a9e56ee202d1c444e9c23c4591a9c2fa7df2c0ea998893e21ca68e7d6c0732bb8113bbb8

Download Submit
C:\Program Files\7-Zip\Lang\it.txt

Filesize
9KB

MD5
a47dc7e903bfb5c4922f0a9e7ed180be

SHA1
1bd11afd1a87a5afcbc3dcf993c1d817a0ad7f5f

SHA256
f623c8b25a2b689787c747d8bf6887d8328b97d7beae932afd7540d0739571c0

SHA512
43fae72ca82f47df37601ac679ee733755069dd67c2d64e0250bb2f17b397bb7e1343b7f24cd18be93a52495f3d9232e2897b983a3682d7ec2215ae84f149c74

Download Submit
C:\Program Files\7-Zip\Lang\ja.txt

Filesize
12KB

MD5
f7da4a04e2ec292addf676161253acad

SHA1
e5dba9b3721e305a1f03efed84259643936ce61a

SHA256
70314f8f6a2dd7c7eeb40959be1f9be9cc29b4fd6dd27f7328556b2cbb81a5eb

SHA512
f89fe81d30a05bbf5af350b4ace8cf265b84fad548300724cef4117ff88624ddd8ce387de2b342f9dbbeb50bf5948808cfae2b09c35b58b53fb01e6fb6e15bfc

Download Submit
C:\Program Files\7-Zip\Lang\ka.txt

Filesize
18KB

MD5
fa031a188f6559b27c80211791ef2e71

SHA1
47bd6b2b82069bb11750b37b9237f18d2f1ea0dc

SHA256
14e5b6ba2a78772e2e94d62ed27d129f9623f7da6be8870515dafa60d2cb4ec2

SHA512
60d28e0f4652d1071519b2fe49e15fbf589b2828d60b8d949e025e500f9de5511ee5f43e6078c9807e7f70e001032aa07c4f56062fe4f2317150bdb5f5c0c4a7

Download Submit
C:\Program Files\7-Zip\Lang\kaa.txt

Filesize
8KB

MD5
4dabf4cb9b12e7e3911daea73f8e3626

SHA1
f3583471e8efb25240b6dd2cb66b757c97a62efc

SHA256
209d40f73ba7db346ffb5d4faf0f5cef7ba358f0beec0a39588e9f9a59deaa25

SHA512
e322e3b94d69d58ee2714e9800dbba128ef6a85e87f70bfa7bad6940d7fb92e1e232cb270bd49cdb7160e33e22d2aece281b6cdd178c7740f4d87f0ba51672cc

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
6982844532e429204410aa1462b5e9d2

SHA1
b9032a790c0be415775c1d669dc1bcf991d02316

SHA256
1e6553ee43ae6e06946feb35e24a49777fd341ebc204ea464a7496cdbe32aed2

SHA512
ddde16ab38c71fee1e7d47a91858a05abb003c198bbecfe47c6db15ca94bdde097db67d209236aeed56ffaa417a542387f2c0f43213dda1cad41399bb07c0b6b

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
2.7MB

MD5
21600315edd7b1c899221011d582d31a

SHA1
e85f25da63b46c9383559eea007dc221b56a8a9e

SHA256
7208319ee3516c2692f6f84d0e0e88479b5ecbc5780491cc54da83f7548cfc65

SHA512
97c89bef75a6499eb9ae543dc557b1d90df0b0d4af12a4e938b3ceb03ee5488a71439628a5aedefe8c9a4e12878dcf2ac2632497f02567e7f2b70859be4cc2f3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Filesize
2KB

MD5
f2b7a8f0eebfb3b1b225d7821fcb79e9

SHA1
f40f5209a73aea5c20d863b7657c026c2d2edb19

SHA256
346372d6268ec17f7834ece85f7137dec810a45d53276c09732789332dfe4128

SHA512
5304f7646a775be9b91105262cd7f874c047bdc3d4f9b5a2129371dc2ee1efcaf8964612d0e2eff16380bd63ca1b7556ea66985c14d5d119ce88d2d2b12f6fe4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Filesize
1KB

MD5
671c16e6d44a02e1e5a2330d2befed4a

SHA1
4818dc9bbd000070f1f8b3578f50f8bfd5ec2491

SHA256
57869cb86bceaf7e9af309ba396acf36930add2c0ba32fecbd23a68a514a8936

SHA512
6289c263f6152f07a9a88f7eea18fad5ce0085fb2ddafba3552b0e4caba72837d74fb6fec4496a1ab519fbc3a399017b3a889c0c4f58e35735652e0005fdb7e3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
898B

MD5
ee39b0895282c368fa3d86106bdc1832

SHA1
d3292be75ff89bd0b5388db8d400b0fc7a2ad928

SHA256
b923edf19d5402c74cdb3e9ee02859e01b3fba1266d093a21a228b1e75e0444d

SHA512
616aa38ed453e22d5d2dfc0d568556013574f72132e6ce325cf521a8f6ca6887369e5c5604ac8bc82312a602730d7ece083b0cb6779e280377a7293d6ec3c9b9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
72f6d482e799c7ab69f934cac56dce2e

SHA1
06d51d2f17243ec7e7c1fb69c334d7fe969d9ec7

SHA256
645bcb165a84a8e14708a6789e98962db5bb64fd207eb441a24c793e07c849bc

SHA512
509253dd2fd1d13608a9e68e62e3b5336ae8e580ba022721394e97694a16cad413fa54ee55fad1ac55f2b1f77ee52816fc62363f35b184703c570782220e3530

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
898B

MD5
97e9e649dcd4d85c39204f5c3c1a0f74

SHA1
bc65bd9d649f9c2f27a5389cb5a7472ba1d62692

SHA256
d6cfdbfc30770d7d3e35dea2bda2bb557a086c9bdca409a6f267fb1b20e66f9a

SHA512
2fcfdfbf1d6eb3565744dd4230214bd6df0b921331234eba6b219417df413dc8fc17030065baf5e239b45e8069898ad7c73142a0b403f95102a9649fae9bad71

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
aa20cca80ce08edf12e21ce45ae72899

SHA1
615d1e252e5208befb083a9ec71d2f6f1c362316

SHA256
a6c1ddf48dac72b71ee243eafe86b88d0a4344539a2afa095df11bc108e46709

SHA512
d8df0697098562c3be1609b1e460845c7ea99fc01cfc21949f4546623cce8303c3485003de312010e7aea37bc8c816990e570c65d9e16174cd28ba233a572fd5

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
dc47d3a2215f1c55900270d797af13f3

SHA1
c03ba9509b15e20e3073d35070ccbdffa8decfb4

SHA256
c4d34fab54a7409a568b9ae0be0eb92ea4c104353f9232b4397440204800018a

SHA512
06fa2d7732b6937f8db7644e3632ebf1633167df5a6c9a447f1ef6f2e5c2b0c40d7dd00755b976a1c51af6040c3e74fd72dcaa6916b6e889232d9059e0eb4e54

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\s641033.hash

Filesize
386B

MD5
50e2f6df7f423693955d057eeb78a197

SHA1
144019b9115b72123e9742326d13255d85b4592b

SHA256
850f5fa8a59e8995fdcf8487abe3dc39db1ab22480acb62a05e604e25d0c0913

SHA512
4f0fe037b002e8f0f5f6faaa85e9f1bc8d2b83294abba8a0cb3b49b622b0241b96143198a75c5a55c1188e729c4a8aae3e66515a45299f4444ce97e37d5e56f8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
f7ee745dc166cf112738457b25cc2131

SHA1
d84830a17f5ca30b08f1f21cd174b6bfdf0a5cb9

SHA256
2aadf140f646a356c98e66f64124d8e7fb8fe941750ab9d0216287a418cd070c

SHA512
bcc0c576ad25ede004a4a12395d27b4acfc73de024b1c343053c6f9b12934a699bb0a5b0a3ac23c5200db339acccc6141488650ce5079ef8a289b57ef1552ab4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\stream.x64.en-us.db

Filesize
438KB

MD5
f0608064d318ad9e692583a4390e0076

SHA1
d9bb83903f93fd94c922a75d006fe5c58eebc996

SHA256
e6d33ea4f0012cf2546c92b9f2c2d4f536f6038eec8609cc8f3344073fbdd619

SHA512
2bb1548c42cba6008bc11b0163d80c2769b3180b31fbbf860031c4149ab4265b7d827ff7e15f8aac5c055019cbffc64787cfbe2a912c304352003e0ff635bfde

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\stream.x64.en-us.hash

Filesize
418B

MD5
d5255d7461e1c815c9a3bdfe5cb83320

SHA1
67bc5ea691e01fbc2ecae7cd44075cf692771f8b

SHA256
d3aff1399ad03bba14e1b04378a08854e3ad146ddeffd66a5f666c025527326b

SHA512
0dbfa0abfde389dd64ed0b41e4964197c86eadd2af31c91115a1ba4442f73df164778e9d131c7b8bab5636ddc9e568e6ebb95cbccf447a3ea135b90a94a94822

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\en-us.16\stream.x64.en-us.man.dat

Filesize
622KB

MD5
67a0c1d436ee358a938f3fbf519c38a0

SHA1
0fbabb6c05dd254ae1b405362fb7ce3dce79463b

SHA256
92c47b5b8eb667d2812f497ac07d71f1dcb25bc8172769facf06006ab66859c4

SHA512
d9f18820db345b600f47009b2a44db705cd03259722211ba3ab95d8a40a411ea9d4c5e6b9c9db646012cca67d987a8e4d41c6a023f4778a6346c5672036fdfc6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\mergedVirtualRegistry.dat

Filesize
5.9MB

MD5
becf6a623f82609f3f05bf44243a542a

SHA1
85a2cc48f3f74f1c328e1beb156701d4af55fad8

SHA256
700e6b8919ba737cb9fc4654f4d97b022ed30ce9b9e4515c7ec2a8c12f5df83d

SHA512
fcfd05a6fb0f4cb6c0b11a7279c610bd1ab3a936dff6d71a91a0a0a62c83538bf2bd034e3b2d2f116593e232277a085e3ff1e083d25db248a159cec6435611c3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
ebb20d4cc089c2c361d860c2a3d22d3c

SHA1
520ccfbb8c6b81472adc64ec8dacd2f48a62c489

SHA256
bb5cc55bdad933ad7e95d56651815ccc56639b02db50a8f984c0538bc6bf1543

SHA512
f07dfe32f6953ed435ec8999e179ba39eab8484b37245ef8279152f50a5c67dfbee7ae005243f7c52b891c5841a6483a72f85ab452803fdc573c83d778693ced

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\s640.hash

Filesize
386B

MD5
845bfbf73371873a56c234d954f748c5

SHA1
52c11c036264cb715bca22782a941521ddfe2a24

SHA256
c1a5c0b536d33f030c8bf9564c3b7a4f3fa67333b4ce2f14f0c563df14506cef

SHA512
a4c50e12f8fe6b4771380fb86a3e3367b17763fd1b6940d4342f3356090a0cb7ff476b0707614c21988ab67bed17725ddd6cbb4e3bea46e9cf8e96e8ea880e88

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
4634991fe79af6c2f905ada0f03747e8

SHA1
573f4827436f45459732df57851b39247cd60d41

SHA256
0e52cf34702d4f1c6b57d522d430ffa9cd49d7564a8d1c6e5e9c43e4185e610d

SHA512
48ceaa2b8062f78d29da047a7e830a4cfeab463d17673e64bfcb331d668b3d89a873510ded8627def7f2f42bf23e3972fe18376abbce52c525c3f9a68804a924

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\stream.x64.x-none.db

Filesize
1.8MB

MD5
95478ea96f698ebd9a388021b4f2a0eb

SHA1
f26b0d5daffd55d0c4e50e672dedf65edf2b745b

SHA256
936a6b094e2a0be7723f06e8e3d233f583735160edc083993a885841f441e687

SHA512
a39310b467cfcc18654564d0ebb78f10439729a8b2096dbcaa212f5f7fbe5526a5124d409ef50f6ac624915d55bb35d01bd0858faf8af189be7ffaa30d402457

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\stream.x64.x-none.hash

Filesize
418B

MD5
efa93f2d52dddf03ba3fa46a10bc8368

SHA1
cedc938446d2b66963368e6582e451b66f0cab9e

SHA256
b670d34f71f42b6652b97f8998ccf9f0d06ba28ee811c594048adabac4d733fb

SHA512
d329b0b03bebf14aae010d6bddcb6973e6070f4d18ff349955bd16ebe0f1d433bc59a9a2883c157c696a95f7cfadc1346dfe9e5a688c65fc270fdeb70cafee49

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\x-none.16\stream.x64.x-none.man.dat

Filesize
2.6MB

MD5
b0471b178527d69c6d3f0ee01821f484

SHA1
b5a9a30305415c4143e0bdc8b0558fc54e1ce3cd

SHA256
110e0833df869d9a327421a2c909ad80aa3feadb2cf6beaaa4b95fe5129df659

SHA512
0e00ea461899ec2fb49974e69ff0272fcdc00c1d8de09519fa8ddb87042aa9f609923fae4e9e638fce65bd3a5e97c7a8419b4643b635a275acb68d2a12ad8f69

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man

Filesize
412KB

MD5
a526e98a54ebba2d3646b4b0d4b8106c

SHA1
a68ba787d6d18e93baf5ca9efc298f9fa6a76171

SHA256
e1c391ee389c89d9c985a43d15c7c77c5a699ffb9a2fb8acc9dac0e1c17488c7

SHA512
6f746dc4819960e642a5aadb97be8a1d8cc0ac0b49a1b5456aed2cf5091013bedf7f2f437b4e4ba1c753c324064092e5f18a0249ce6b1c5448cc0e292def5f27

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
16KB

MD5
0a150ec9c1e5165e2560ffe840b9837f

SHA1
2ab1494138fe5ad4003cfc02daaf3bc0950c0064

SHA256
d7a766943e59d3110874a1e3139ab5cb4a7814efe31d92f4efaef3c96a72f05d

SHA512
76b729799b46160f95733430624f262aa7149958fe8d6f988129e5b9846017738355848b12941e221ddb6a21036610a3d3c8324dffd7dc2f7be4cbce0b7c9ed3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
150KB

MD5
98dce61fd4ae3b923b35b89a1117fd9a

SHA1
df22852a45b5aac24b1af06f7c32d02087558b2f

SHA256
9c6e25178c2204d30b2f9092ea28e1d252606674b26e0023b4d75bca61679480

SHA512
7a13eb3d64f299587d325091677b5c626fb3c6d606b0f2aa6fc460a6bca42c129225dd3fdadcabef865d0523b43a2a83a503e86bae9556f9509b9dc5343bb795

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml

Filesize
1KB

MD5
764f71a6a6f04594dfe61a42af3b26c7

SHA1
2d63060125c1b9ee97e74142b3ec7de2dee51353

SHA256
f0ca0113f8e6ca1fb889eab9d269fede9059dc6996e91d38419e004f584abcf8

SHA512
fb0e4f98543eeaf0fec01dbc017e277a15dfee8568efa9e5711425d48c0adb3b1044a22746b6bba0308f52aab3ed6ec7e31ff21708892eb1677d7eef7f324b6c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

Filesize
2KB

MD5
a686ed5684b66e4a481d05b677d02e08

SHA1
ef607ba79de15c2e384b045313ec3c7030a3df99

SHA256
4e2f915abbf3ead4fa50f27ff63981a250baba67d74908029e2d213f99a13a7c

SHA512
b78e8f82af8a0d12fb71ca4fd830f9a6b16c9d669ccffa000dc64e5f8d39dc4cf23031274a23fb2a8c2c6481be33822be55c974f1663b39660b5e365268f2d23

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml

Filesize
98KB

MD5
5e48abe29d8c397791d36311a2128d6d

SHA1
22c72c59f730f4a5c431eabb265d60ccba35fc2e

SHA256
6a7e59eb32dfdd38d47c4cace1f185bef59414dbc41a338a506d0d76f6cf2c99

SHA512
b89a49568356dbf101ab48a3110e2494b4033d0f5ac9621171f751da732d516901bee21dcbbb642b9ab5f6cde75a04a6961970eacd1a9c89a068ab8c7016d960

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
31KB

MD5
dc4f0fec1ab1010ab25444dfcabdce7a

SHA1
414f32722956fd27ed4911a2998c5bc70b815468

SHA256
d4d5e880b9fd5f773ddb3868fc8be3ca6e26745b306cf2193bc2d1f075c850c1

SHA512
dd5bb3c1f0c39d8d42d1eb599c445909706ee39e66115a8918f472c4b8cc72c5ce0c7eb591b1093de21a1654f65d4d127e37294398191a2496e7261ce5b6a4be

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
cc9664ea357898090358cf60ef398215

SHA1
52160903ceaceb13b012d5fe147fec0642cb5bd4

SHA256
5412e469c177bbe848ea11d1b60b23c214382d0b36e42b13ddc26b3cc56d726d

SHA512
1c77697b904f3e3ef8295bc6142e2379ce8f3d759735615cae3d5b2dcc3aa0ac06c4ca94af8eb642ae98be08620261ab31d7916c2189a0822b1013eaa476ce2a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
1033243e23b15cc22ccb7ca3d8a78480

SHA1
fbd9fe6a13a6dd04468ca7773294a9501d0ab7cd

SHA256
0990f6bfaf82050ac19a8bf1f53ee610a18f0dc16b383bb6603940748d4ae255

SHA512
5958db1c7b06901db834f009c77d342565a109276469260ec862f1dc01b87bbf33946114e94b3681934f3b2062837c1f9606a8c5ecb9f4e7219424200c65bb29

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
911cd3f0038d3ab9de661ec8d1cef5b0

SHA1
add33924bfc571023ffc25036da2721de80929a3

SHA256
3ba1ed21c1db07ec20dea06034da811fc69e243b19fc5e810d641a9bcac91867

SHA512
98381a6ff232dff101694ee45a05d30d39dd20ec6f207db2ec2b4d7faa1d059b2a97e8185627209596d097ca22a9e444ad143e308dd5a56f34ae5f42ab1cd994

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml

Filesize
24KB

MD5
94fc0e778b667147e41d39b9e1f7e563

SHA1
1ae2059c06057ba98e9768c7359a0ddc0d6c69cd

SHA256
66a721635f40dd1ba7a5473e9193eac13f4a09a48fec46008c67ecb4f55ad15b

SHA512
ee3714c15642f286213b441ae8e420e58f31afd4e74ee693ff09223c4095dc09d281a545d41bd8bbcac90b1ec3665a73b08e66e4a8d2636176a92c1bb061e036

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
24KB

MD5
4cff3412aad7ec1fb81bf9f4c0e9e06e

SHA1
7336594de234aaf173416a0dca11912e498aabef

SHA256
e9325afbd1dac47d8bf6ab527df8bd728b29dc227b2b82789edb9fc3bcb5b580

SHA512
030233ba08998143dcaa31a603dc3a12c7f47806b95569040b71f3b104910d93b29a2c7da88aabbadf93e5d28b4e6c4176c4cda0f9deb532d818fb5643ee5819

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
494778c491234b0be1401152c5cdaa05

SHA1
c7ad278237a919977478f0ea19557aa0586cdb5c

SHA256
ffca97afeac6f95bebc2fb68ead3073daf16989c2b459a5dbbc389293b4606c7

SHA512
5725d6c25159c76f9ebc88106b71d11e01995d899990f100bf22f3d8968a1abd91d00e6b5065d202d431ab38e6e32354fa6e15be362bb9165a4b4ecc3425688b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
cf7168317ed14afb02d31de530dcdc10

SHA1
26769ec2e6b5d363c9f35bdd88de1f0221900e93

SHA256
d13b8c156e25144ceca064d100342e9c5dd6058bacee978f58a5e327534f05b7

SHA512
503837f923f093b5e269b0cb68991b2a1f1e84f95fcea8349f792a83783b827726f92487b8b3ff84255e7691e0b7a238dbee3599fe63757c3ee6ea7456290123

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
0d4a893ae7c9914215000873efe5fd2f

SHA1
eaf994f584d6a6f7cf0118a686b7623c2fdbe1b9

SHA256
6bd07b830b99bf712260a3ca94f63becf3de5032306b6e6cc4a6df6f111b7479

SHA512
25de7fcd71cd1618ad560767298e9f04670444f8b8b8784d51294783f147cfe992bf9423b5c930d7efa70173e3a6e9aa99cc3e0aa98b867eaa47c8610369020d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
a0f49d0e82d760177dbd4b71d33225f0

SHA1
6966f195384bd118cf0980eb58a644c7cf8b2959

SHA256
4b570bd82f1f0230205d7a810b95596d58b1c355038fbc7736ac09e4c6e58a12

SHA512
f4b733579d1e0a63cf25edfadbf3f0abd84fff0b03cb028e74a8986b541cef32c7ea28ba167ff269416e99a92878a2b8fd96c4a5a5fce79b7322946bc5e5d6bb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
e71220393f6320b51d8612a0861bfd74

SHA1
c072350d68302366faf12ed63abbc0d3490ad0a3

SHA256
41ecef41a8bc0d519861dcaafe03255b4450a1b4b2bfb265a305419e4fe38efd

SHA512
653db5a53d20d284a9bf68b06c124c815b5d3abf12e1b76b11f6a7a68cdcf2ed0160edfd7cb61282059517b67c8d39d139776151139af73bf7edc6bacd1d32ae

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
9667900a50f5e8f7a6303110afad9d59

SHA1
614e8eab4cdc39d319a5115cae387d71d9c7569d

SHA256
8844d2360255a39c82e3c48d535d206d92a32aa22bf3183379f3c9a24bc26fcf

SHA512
65f17f694be934fb4653bbd99dcaf99b331f65328484ce4629f8308859868d0b261a0990a2a1ff1e933f43be58aaae5ba9ddc443ccd06fa402ab7020524d89c4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
2KB

MD5
821269bae3cc92cbda060f0c9cd628d3

SHA1
4f07784768242fe6c685e9a4da6aab3c9d87e87d

SHA256
c67f11a16c0dae082170ae0b4f4ad90a7a6003830e88add93f8006c08b997be1

SHA512
fbdd6f2ab853ec7f617ff77f98a24da88c813c19ee84f5c6e6bce01a77afba4af0fe276a8c300e0a91f2edc381aa9eac0edb011aafa839e4be9503190d780a9d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml

Filesize
18KB

MD5
2d46fdcd164375218fac9ba0bb8ca47f

SHA1
3ec4c275f65abced3fdf0ab57f379d5ebfee7bbf

SHA256
f1be9309acd87b4ea460f8caa325b7701373764165c2967d45693ee5e134c28e

SHA512
8d7845642e2c24801baff9af3db624622b2cdad56e793b5102e3c9f2f0017a78419f4b9fdbf5d57fa37c0ebf7ba72046008c284ca3decb84d31b7901861f40c9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
11KB

MD5
7db0a689ba5c63720aae9652d3894c1d

SHA1
885cf2866e455952185fc854e024d5c742be2401

SHA256
5eb6fddfce21b667b00bc02f1c4fc47f52580d1e92f1a8ee7b0d49f52aa37dfb

SHA512
621e4cbbe71400ff1338f4631c6d0a8010c46b871a9022070d58ef24abda440c99c2ce7f3210156575ac6c0fc68cbc49cd6cc68c2f0d15a8ff8e8b81b9c774ab

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
11KB

MD5
87ab3cd8c3d19924f473cf5c64eae006

SHA1
651b38adc7595a258238da5b1dc82da156125332

SHA256
bed3507d7a89b26451efeb138eb82edb42da3fa6fcd39ed9019d10f19f960e9c

SHA512
08b3e0326a2a3eaeca1d2af8d72dba2e2ada626128c4fdf8f2cb4800d430bab229bf6599bb54545037561186849d0bc5cbde891a55b54e9a4f24765b35966b56

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
9b7b8872ee990c5228e328d1f78c237b

SHA1
163316dfc20b519b390927cc766849f75420fd53

SHA256
213c7bc610b14035ba0b5eeda3f91044b129ef77abe203e03ada7e938d2e1501

SHA512
ed6d244ccdb8a97a2dd5deca46f0c3742f0001b19c5a06f5ed8100d114f12c658bb1238e6c5f6829790eb029e15c7fd0cae901221cb979aa3fde73e653f40b54

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

Filesize
2KB

MD5
0fe7d10f6b86045aceafe92280ddc17d

SHA1
524655182b36fbfd28c06ff08fab40b5f6d8d03b

SHA256
f87f4c7a66834a81e98503af09f7cbb473266aea53fa4003c67c3a484b3faee4

SHA512
ad0edd95e75f64bbb9e3fe592de3bb1e4160a924ff00389888fda6d03c22da6fe0d1ab6ba51fc2c415820512943fea14ed142412283c1a5d4fdce478e6e4d7fc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
6ecd87af390739ba0e3b95019adca8c3

SHA1
4758542007ab1879e175ff60bfa872cf03b90c3a

SHA256
90f9ca0e8285480d33ce92058bcca42f2dceb3318c79a44b38daad50cd510b02

SHA512
731dd0ed346328000bd2999dd324fa8c12dd3ce23479a3b849e32b3f073c9eb18ec8b41fc436c5db431718ca629cbdaa5cd29b2ae969f574de3b09168bcd9f96

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
bf182d8765d5db461a2e58f34a905ce7

SHA1
fa842d76d59b910b8041bbccf3e90dc457dd0a2b

SHA256
8bb29259e538bd656c681cfbd741b686251a83ea02a02ba0647a9dbe9c88086d

SHA512
1c4209c7b7d2267f08fa89b473858662d3774235cf3e6a1df22698598946dbe3104cbf4c2db97b757c2554790e98e5c2cc3d0534caba97c5364c06b8ef9a4bfb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
4KB

MD5
e522c51892524a480a19d7894ac62b16

SHA1
5c6bcf9dccf26e9caa571dad594536031dd78180

SHA256
215d4985f8037e94eef1d0d408eb022bac4ae3d57ad4edd78976e541ca1c5358

SHA512
7d86f667299d55f273e698fe4c1d9982d5f602928a5d6cadf9f451b30f49d5bb29138f8e210c9aed20c1f426e8d35671d82447f5dcd6eaae74a5274176190dfd

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml

Filesize
6KB

MD5
cec16ee95d016fd1c28c785651a0f17f

SHA1
51ea1f067edb6f858f1b2ad329f3916337d7a771

SHA256
431d8a62557521a41accca13a0d5aa0d87276891eb76551609a75163f0e358cd

SHA512
b2d18ed88295232ad0c614b1e579aa2135c2421a35fe7108720785507ec1fdf8e70a22e66de81e0d1a03774a435d8df76129161e23e39c20db2b95781e2d1203

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
285377d07e423edb525c21ce19b604a3

SHA1
dd4d774fffec4418fbd5ed5d41ea22f19317240d

SHA256
c6e213a1d6e454d870e61352c8829222c1edd9ea05b7530f6910389cb1ba8e68

SHA512
75eae8fdc33fb7013acb9e7d2d17dd18cb5890f84fb9a0843f136116db50a85e9fcb6aa9c3a9fc94729d44c33c19ff579f6c804dc0960154ae347c5142fb3274

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
a825cde3243567f627e7dc445d800289

SHA1
d1743958d2a4184fac3037df28b68fdbf0ca568a

SHA256
87ff472806990c04c696b84c9a637e25c6d81cb44aea322b47e872ad0f7f096b

SHA512
cc89bf22b9e49370fb7365baacbd82ad60625dc76c33000394166794c0608d98f36b67fbe74681e1253853a66433c3916f9f76d602b62f8a7b7a8df0d7fbe107

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man

Filesize
111KB

MD5
9a94f7703e06f48f42bd06e561c60cf7

SHA1
07025c651acff11045d7bf8b98f063b063a9bfa8

SHA256
f640a209e6186274c226badeefc7540110da3cd35162a4713fdd37d36e027bae

SHA512
672b2dc7e8d75d8524c17397b2913ac29a9264d9c35647a82c67a5b6944bb743493a3d8cd3e877757d7a29d6ac6174cdb7d5ea6f482dfd4ef097d67c4f03ad22

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man

Filesize
1.1MB

MD5
9b8ce83a2a84833969e41c069185af3d

SHA1
55bd1ca7c7e0d3aafd391ab1051806f60d6fa8fb

SHA256
52904e6ae36bb8b3123680c147a980ae930fca6f37c78406b52b41a767a813b3

SHA512
f0406174d262403882689c9fbee38dd57199773aa83e7afb99cc35ca696fe94dce86cf652b66a45ba6e9cb5e6bbdecc21e4615ccdb1b2db2115a221090b46fa5

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351

Filesize
338B

MD5
3ef8389bf5ffe73ae9f6547289d6f32f

SHA1
673b6f55b83ab33a74c06626bf2b6eef049c5cef

SHA256
2d7129f65a820fe157f2977e1c2d50825c51e191a3e82437da1fbe44ba2b05a0

SHA512
3dfe6f2849c8ce8d28e5f7882ef37d1fbe7fb060121c38027fa3f5c9fc2055813029f66f0baf8cb5dcd6bd65629b4e58fea22dc599c6298ccc2d2b1937154e0b

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\2c8b3735cac7aa094d7cdcf7e1357b17_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351

Filesize
1KB

MD5
c16d021c4e5ac1579ba131c26cad603a

SHA1
0d98aa14cf1416a3ede3c480f33166357396c47d

SHA256
5d1af8bafb80e816b29c0bc9ca77a7ea44a8ebfb87308369368fbbf6e09f1331

SHA512
b646838f8e7542cb7e30917260e15d24fe858094e4fc4b18e8420785eb988e816c92c515771ee9293f51e7c11d7129877dcc7402386e3ab29be0e9f095921c77

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
402B

MD5
174710a91c9bd1a0f1e1bb8cd141336e

SHA1
56812a8dd7dd7cd7a074d85ac6bf31a8b71ba3d5

SHA256
cf4cf7a0d7dd198ee3be33f10e33e11fe97136fa5963801fbda9157c325ef075

SHA512
f80ee3132e551cdbf5c5d5321e8d06ec917350555f2914894d03d68ef600c07c10af4f604fa000d822bf3776333de059e186ddd63f3a908049cc82ee4bf416e7

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
402B

MD5
6ec52c96a6efb5924abbc5ac7421abe3

SHA1
ae862d0081d779bef1bbf8ba080e520137b432c4

SHA256
f57ce00a8556582df4ac9425a70a58e53506f613370c59d86028f78f1081c894

SHA512
bc45393ac31b1d7b04004e2e4ed456de7665c42b32a29f2f68bd51c711de1c50fa9859497bd46420623c397e58664a06695328d9f7618e8a6ae8bc0e7846234f

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

Filesize
402B

MD5
cb01100bf9e18cbf9278594d9c2fb605

SHA1
efd3766907401d3fe3beff668d3c4c31226d733d

SHA256
7ae7f63173e53b02cf8cbfd56fe8540a069a6669898769ea9ec087f5077c4e65

SHA512
db412d7a58c878dc4a069a1e6465350eb6d2bd80adbfb10eafc25221b12703488e6845b167eeec85dac73c8e5e4a51620fb1b894f518564773cd2a2765bfff97

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

Filesize
338B

MD5
0fee0b8b9a6fcbbb0ab635f07b1d4024

SHA1
b8b05db403788c46dab44ccb5ecbd3d4edbd41bb

SHA256
5090cd6faa0109709e169c23a590c153e4adb3bc93909157cbd8ad2879e1c2c7

SHA512
cfa8a03acb87be34320a5b2231de4544f0691ad9c534eb276cac4fbce7a11d4003f49dffd887c061e231e232884c0a61889f78e56b6ab8ef069703205b762f45

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Filesize
2.2MB

MD5
bda63bb44ac53de13ecb7ee295d8252d

SHA1
268db795f23d5500fcaff5b58dd08dda65c3f4ff

SHA256
2a8d51dc95b38d5acbb33fa9f7937093170744182d30c89e3b6d5a7bfe0616ee

SHA512
4b10c72516a183abcb75f481a03430b4392d7cf658536869a7c04313c608ea95489dbaef286015ff1e7c9ece4d0fedb8948af94f20ae7409826548ffde6fb744

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Filesize
126KB

MD5
3a24f0b26be415fd2b0ab9d4dfe30a50

SHA1
a0966acb20c4099b1889c8ae2cb4d80bf9cb089b

SHA256
7e17b107b338d497d4760c2bb4b62ceba605e2bfdcf5c97dbad1173d7cb88e57

SHA512
8cdf3f0179a29c1702913e8e9922eda6cacb22d5c75d7fcae18e7fd69ec5ab8344e22c1135467fd8990dc23ed0fc89c37c8caea9ab20d29f990c8a888d4a8095

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Filesize
4KB

MD5
3292c84bb722b63a957c574131bb9c7f

SHA1
0f5c01fe7ad175106674f70e1f1b815cc1abd294

SHA256
8b01bcc05e4cc46340d79af877a734c7a775438b6a3a57e92ab6e8089362c6cd

SHA512
b13b94920cc01aaa89d0435d1ecf72359b8cba99019f411ab939ddb9430d29df3f7fe36ff27ae572db2d4080587a67669874b01e9cc22eb89b419045cd35483f

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Filesize
2KB

MD5
8d8570b291c66012e517a1b78e1481af

SHA1
b303f9423c893c9e56fe6bb43bf1ad9d49795b95

SHA256
dffc4387d8dae1d01b33fc7b0077e419592eac4acec0582b49f438c5f8a54286

SHA512
20a93cff141fa3c84d49553f891584a79f071dd547578b220724e02e1aaaab4d96e0b3a2311a1337e08461a8fda57ea2a107948671f8cc01e3fbc1576578fadc

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Filesize
2.4MB

MD5
8246593593dc6207ebfcbd9ebb595428

SHA1
4053c5400e44eff6ce0ba5e1de9b3fad7049d8f4

SHA256
4aec9043db0228b1a889a4b7a728637cbf56c2fd619d51ccfcc3d3e4ce899b37

SHA512
aaa5fb655208e532ded362068f799b5363773efd8b9e3d3c4676e89c64a8e6bd5c5fd7166576adb093b3de55678c97e8847fc983b120b895064252a838542d05

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Filesize
322B

MD5
5a3fd02108a8a72279b0d73d65f3da32

SHA1
a90b2bde8d4dcee51e1dad2e5c0785fe289a1fd1

SHA256
15fde1133c46a240e30348487f595404b06aa03dac4460bfda0b6d198b409141

SHA512
c61a8537e4690e09052a68d21de19e584439ee3ee28411c8ff55f6ff0b1f39eae3b3cbc9ec32209166a9a382d7995eb431a6824f0555007c67e17846c84b89d5

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk

Filesize
306B

MD5
4cfb0188a8fe482d36f15e5de85621ac

SHA1
e6079ff950a1a9a9a941a5cf11f70c1bfe3fe556

SHA256
36a6f45413be48b6e231edc2cfebbd2d15409d9ea84a8ccf3bc43270361f3b7f

SHA512
5d1f7dd7f2221008e72d74bdb412d057411e041c923dae973f794fe534b253793f64b257e6a8e785abe48391c335f0ea128dc912bd18145087b4eeb3badd2dbe

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl

Filesize
192KB

MD5
82d8282e908d729f66fb2ed1a536052c

SHA1
996db587189529c4db046cbc9ef5d4999ba43d6e

SHA256
856e83a3d85b1a8e1a089011a8584f8c2d13d42312db239677280c423618a70a

SHA512
534c1f2331bdbd3692aecbdb2cfd2e3a6ebfb28e85f2c86cba82bacebc7e8367638ab800ee2f991b19f77ff6b2a99a743d57891cefa4ecba5475ca709c0a01a1

Download Submit
C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Filesize
60KB

MD5
a8ba5182f391dd880c53c17465301955

SHA1
ef74decbe36e3a3160d1bbe4e12ce3b4f54db99c

SHA256
a04a2b715f39d04e64e6a136c26dca4749d39ef416af354425457f4c3e2b4d49

SHA512
cd2969dd7cc0762eaf683ba84bc3acc27a4bc180854fcaf70a92f3086cfc6a80266bab96387d3eed56f00249302cdd530f1edd33aee249c3cc9cb86e5c274fe5

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Filesize
32KB

MD5
afd622e1eeca75136ec22c6716789390

SHA1
ef7ae960552bccffeba1a6a6f7cbbe580096d8c7

SHA256
f7866c89e1457f176551ad8205a9b96e50c1f530ad074d3b68fb8b713413a068

SHA512
2d5e260631660650a492387eeec17fd538823aeda1a6c300ba60deea62eac2a7f20eefb5119266ba7357819bd7d47093079e89ba7eddc28c6394096803e14b0a

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Filesize
20KB

MD5
e291be9656e149da4e4b639569d31544

SHA1
32533d7112903e694e43b0fae086eb82637cab68

SHA256
3b845669766de3e02b46bb621a8e897c402461afd60c1ced1571ec225796efbe

SHA512
934d562a33af83a9464af8396d0b1990f7536e705f0f82b6010cab862d9ffdab3143a319fbaed68572ae463bdf65c4f6d7bdcda290f16b2f0062b715085ab1fc

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_14_53.etl

Filesize
256KB

MD5
9d0a45b1a6bdc926758c182fb9ce0853

SHA1
47dd2a39ce7bdba595edd4895e0f9b6a865139e4

SHA256
cbba55fde0b9fd1e9ff123ae33654fa1586ad9387122fd1cbbc3e6433219817c

SHA512
1b0371ec654a98a9fdebd40c54518aba385bc1d798e31283250901612cb962a82b230afd83375c823ff011036c465fa32bea32e936ac0461de8fc7817eeb6763

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_15_19.etl

Filesize
256KB

MD5
892d5dfac81a653d37caee64ddecfe39

SHA1
c4d334600a04e3b57ab0f8ce335eeba96cb26b0f

SHA256
a1b25439b0778ba2d936b7c33565482079471634cb870d0cd5a6099e254b9596

SHA512
2063eed141394cd8604f527b661544786871beff7b2a4f54d4fc36d6768e581a620f1e3311337dedb88409f277bbbcd83fd845a1e87132a1b9736ca94a3f14c5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
64KB

MD5
a68c29479c0178222385144d37472bfc

SHA1
0351b36819f7b3ccb09bee78ebe5dd7ea98459bb

SHA256
2cace75c6e6e03f6867866ddadbc926c4ace6bfb43e1b6d2f8bcd81290696eee

SHA512
f9548a068d2b7be16d91d44077910f419c1a1d6c41cc6cc1a64f89b271b163a5a5603447c969414da78145dacc247e9f1723f36e1a1cc6ff36e7a477bd47dbe7

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Filesize
12KB

MD5
b194566b4977362895edefbde984cf71

SHA1
25b9c67553058c1279757c60f758089c1a768e09

SHA256
6da8b6c89155f478ab0bc00b89a1588ace5a08587bc4c07c483c665b0a72e8b1

SHA512
7a836ab800b56a35b840e8a6f31a02937c93b11a2b58508d3b932cd9d8bc2c0ba8bc862685dfcb777f5977a08334a479e4358a7dcfee47236b379b4d6f9eb483

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Filesize
14KB

MD5
e6fcbbea8d73a95c92f07392742e1863

SHA1
e84933e4dba30f9f2ee93ec1da6a3cd88763720a

SHA256
7d8ed9f26a22f55471203acd3dabef3699503b2fc40ad7d25442ac022ba7c6b5

SHA512
251eebe76215add7bdfe5e27ff75a0be91db20900cc138b2591bb4a08b3dd859366506e3fa2498ff031605707078e85e107a9ad12acf54f687527cd05c200ba6

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
39ee621025fd5844978376ff1607d687

SHA1
d553c2fe2be4d5f953e26dbb5e3aafdfcef88f41

SHA256
abfba32e3840128793915e8c092802793eebe911a980da3f8e3cf13fea8ef1bb

SHA512
d4e5c4a0d19f7126636b476c3078c8749100d8918f2c00db1cdcf79f0aeb0dd91a388831cce3b96541f3d1f90d79ac1787feb9fbbe73301f7e5d86451cc6bc24

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
8c9101cdb5b908de03eb2f9fc74b5a11

SHA1
4f9ed8946d88241908ef501feebea0e6eab850bc

SHA256
c83490d4bd7f41923412bcf446516a602561fc0ad7d9c6f2c8dc0aa3eb8b372a

SHA512
87f21c50051ef364cf55f3dc25d44e9246fa6b4b37c86f8553305e10cf6a566bd44e61fbadaaec8985566713dc8bcc06ab50718b333fea30d4aee23f48b62b25

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Filesize
8KB

MD5
aaf8baba6682c4cd5f8966fd480d97e4

SHA1
bdfe176f2108ccb8014a95763df063f53d65c7be

SHA256
059ebe165397150dd68e09167fef3de3388ba43b2bb88870ffdcf387ae1dedc7

SHA512
1c0bd2d96d5439383163c7746d78d4b0a379a0caf5063bdc45dbde1d52db178c4612403e972003fccb9a626ddc53bec6d775e0be75aa4d73dba6c29f0f3a85c3

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.3MB

MD5
19047ef0e9763ca55b07b9b76093ea7d

SHA1
d4584dca3039ba7f0627a46ec9af6b909e554ea8

SHA256
80663b6ae8418e83f7d869e7e757f57582706b798aae3d675ed749434f64451d

SHA512
e61557efc71c79d8ec5cd0e34b8d067521d6fcf27a93db2b4c1401aa218be305e366541f6c73fd50d7caed9e72c3419287c65add21d98308beb89b60cc8e983c

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
6701b1be4fb1d0c5862a38e36400d0b3

SHA1
2b8b9040618676427ee72dc1ee36747d55bf0294

SHA256
df968c676493e495cf2759925115a8b821612d6c8094313e735e9f07cede616f

SHA512
2172281dfb39a379c8a5d4443708735884d9c6b8a4241787165e255fada585bb07d417eb08ab7f199c6e68d91897aaf0a5f34e83f56a345f8df7a07273ce5bb5

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Filesize
1.3MB

MD5
29e5c6437e01f6097889c60d46bacc12

SHA1
7052fc6b669e49989fe60933d2b3dc00b9a2a949

SHA256
809b8a44f3bef1d3ca1e075c257af2c1ae79da210a41b726992d9d49419d3dae

SHA512
d29900c0efc0deddc21e4d0a6685ace22093949c234660e60120de015b1c030666d295233dd2347b13a95b98bd38c393e8e94db6d7c14820034cbecd0ee97247

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
529e2804234c9f7ad9f31635f6612d02

SHA1
baf9290bf4a88084163e6b8a93be3a0a29ab5696

SHA256
fde909bde580df4f94100a6f52100d36a3e90267574b793bbf904e728a5aefa2

SHA512
e0b7004ac5a7353fe0925a97c9becd0a1a1ad21363f416a391faf6c34a6b9ffe4b4cf51f52c48b21f3526150e28da22572d961b989e037b5227bf3b52c7932d0

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
768KB

MD5
8bd313c387d72e60b5ed14c6a241bda3

SHA1
e854ad8d01bb54a63a079a5879c349a9d6912b4c

SHA256
4c4bdaa8e4ca136a74472ebcaf96d379673e4ea7321a23ece4ac850be44f8def

SHA512
08cc78c82e61c2f903df5708f2481731a2359991820e098f58a89904d3ae0d3c0572cdaa89e027c33ddda776cbbdd35fdeb70aba85a8b8181a702bea78cbe05e

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
50e7d4d1bac76a8437910122757de0f5

SHA1
610dc70116c24cd2629e17bc7405b2ef7064d30f

SHA256
320d5d40a46466ff4f8dcec40e3b094c60f2ce633b0257dead8d18dedb337e63

SHA512
9d14f6b3fe3d77e87f9ba4cbd23fc9008e77cdef87f43dd087bdf1da128c0c55409e2090fb0c66f46864d5d1f210aba430f3df624140fc63cf93fc1b910c50f8

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Filesize
192KB

MD5
137604271888cc1821ea07e4333c19b6

SHA1
67f9a59ace438761ef415ce10a6ff1b74807600b

SHA256
52253ccaf76ce35f37366d58a02d338c20ad945b652817a4a40b03dd804ed68b

SHA512
40c93f3d1192db3004461072f5839c81951b8f711426ae1cf25ea22f1dd307f76495be2854e3928be945f90e6133a6f8df9c0dc802199e8256e4aac7587e8ae5

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Filesize
16KB

MD5
6bf47399bdb2c13b4c60fad28f452f48

SHA1
31ce5ea20d8399d54d5a0a5002b8e754c7b061d2

SHA256
411e7f424bfd8a5318e9adbce8bdda9797679022c13151c5d698ef21697ddc78

SHA512
f3dccdb6b2eb6a728a92dc34653f52d5b7e5d4da5566437fbd3a56bbb63d4c4c259f9c0faf1df7e075f8aaa0ff091d6695abf77bd5f5599f72aab7dead6a896a

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Filesize
8KB

MD5
ffe71b6f70bd611efd34ad2a78512e41

SHA1
941539d0fc696cd645e706383db58b91fe3b98ef

SHA256
c29edf37eaa40f1e28f34818135de075fc044c3d9b27a504c325c32e222a2c03

SHA512
c8ede1b3bfe9e3251c016b463a2356e667e674ba31cd3c3ca3e4a7182d89914a9cdd0c474bf815845362e9668b2a8b68fb0a26536c009e58135831d09dcd1499

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Filesize
64KB

MD5
27aecf82e034c6bf74398fe586a8df7d

SHA1
f74df534d9ff79b12ada2331fbad1aff683530f6

SHA256
58ae995d3fa82cc79d8b186b55c8e225f0fd1de7c7036f12d00d90da18cc963b

SHA512
5aadbbb7bd81eb459568835300812989a0bc42860d886699ed0c98b29e6119f9e802768c31d9c8bb20dc63e6617edc649bcf8fcc75e20a9963ac1e34b9a065ae

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Filesize
64KB

MD5
f3e739f8ed4e1f1f8f74f1daee467524

SHA1
06a50af94540a3f5fc332d56f340c8b1e08c9a00

SHA256
a47d1adbf1ad1916237dfa75510b63b7b8ec9405d998608642f2e828810ea40e

SHA512
9f5d8b253fa53634a0ea7fec66e7b03049d097bfdaf05ba804f411489fb09dddada6784b5ccb562ad6339251fe6b65d2d93e57ac381c9d306f03a9043b180fa0

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Filesize
64KB

MD5
c3529ec814bcb136b8181b397d24c418

SHA1
b7a33bd8310c977d49b1c7e9036590b880ef1fd4

SHA256
ac5880ab5cbad7cc268e84af13f2d23df4f29de228109aecd45f713203050f31

SHA512
9946d6f13fa5bb7fda2306be6b8a7b425f7aad7c2c26624b9ddf21760d7684ee0d14f28c656017fd37cf798664992cf9289c3e1913114a0374b1ef29b467af26

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
64594d737c44cdac03fa267fbfae8520

SHA1
aeecd2d90e3995ae5bb1635d76b854fce65b30e9

SHA256
41ed852bf8abaa47ca1d8c583b2620a4e26e7214bf46e0e667f4e56500844f1b

SHA512
7d950b6629e7fdcbd367fe7f5edd9b765b30fb83c34c471fc5575be50e19c4fc573adccd0c74d94a96f830b1dc93752d83399fcf813010e3839c728facc9990b

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Filesize
64KB

MD5
d68034465d9ff1e21b6d57bb0371f8d9

SHA1
a13bc29809dd61bf3abd0fc075643c35e831d97d

SHA256
95dd009b99912c1b83f5a87fe421ce48ca2ad6dc07a4fab39929d197e4ee1255

SHA512
921556e8f9bb9dd53dd5972fa843ba38bb7a3c88c5d90d70ea3b2c3f7eebf5d79844428e92d1d9a484f9aa9f95af5a55361af6f1c94d18165654cb14638f6703

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
588KB

MD5
9ab23c2bbe199b2b5d38173e88ccc595

SHA1
57b427f1b8eba952d63471a836c7cdd384687b02

SHA256
f6dbdd0fc91cafa491d940b1af7a335920278903fddd3c8dd1de139c2e0c792b

SHA512
b01494e7fb70aab2aaefac452c2ddb4da6369db0b808597fce22a906fc19ec33f14ec53f62bbc4e0a4ddd3250490b52a3a3c91ccc36489bc5ee4df6a6d09f04c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png

Filesize
6KB

MD5
b067fcf2ec6fb00440530c9cbcf02f70

SHA1
fb5c04d8d9d97d4a475bed7a78a8cc7f0a6ff2aa

SHA256
46414834d8a45a99f2bdbe117f416e285861335851650f596002482fcc9f672f

SHA512
5e6419940d65f99a7fcdc18552e8b3a5bc5460a037df7fb2621e3cf80a951040b58563d450c47297250a9b6dd57380acee32e6cc69279f1d3bba62501be836d6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Filesize
2KB

MD5
ba29eb9b337383ec0758dd82af36f1d0

SHA1
bf03caf2f43196b88f87657431f6c6099c4a795f

SHA256
4517cd11a5b9cc0483db52f309a27c31d859408cfb15372c138b29dd42376965

SHA512
872e0e4a3ec525847d4b2c49f24dcb9c2c14f0dcc86322e18627ec81fa9abd9f9776818d790b860ca531fb31fe604c1481b4e9db6c103d8d5c3c84f7c8db5348

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Filesize
722B

MD5
2a17ae09397de4e7d8bd982bb5e52744

SHA1
ebb3d1d036d2e5f20c5301d7b27f458bd422b654

SHA256
3f347ef4710b24d319ffbc3419e18e32cd719dfc5a05e8d99526ea383390bb2d

SHA512
ecbf555a3bf96808863ca35a1ac3977cd58264e44770024fd313d1a98d83be98f13eec2c1f3c4c40108b6a2d4db86b73488d9d4c2791693a5231a43a9ce340a8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Filesize
802B

MD5
aeeb4c9cdf40b73761cf6ca26b35a1d3

SHA1
0f9aff935ae58fd3104fb9b08348ba66019f3390

SHA256
eca5447bad21ec1115789e962636aa122adebd42869a2c8d10cc4e0017ff104e

SHA512
30b308b71546d14309d81603615095959493d60f02d40d529a63e95e77f8a8c04c2c0d66a75cd4aff85bc049c9511c154769da4e10c977f3862261957d43fc84

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
898B

MD5
cbf21efb20dc9dda1bad06408c2b46fb

SHA1
58a792a56de005b1721d6b674fb626a45b127c1d

SHA256
556e932a8999d66bed8b1bf3197e228b0cae6e752543e8dee7c09a7173133dc2

SHA512
13ebfbe14f4f90c7ea25faf172ba14d31ef1758f6e53d16d1a8b4440cfd5baca7648561115cdc351ac1cb6030d13c61182f2aa143638cd1bd72d02afc39764dc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
588KB

MD5
e433a7dc56326eefff3985c52087c68b

SHA1
8bf8ee22105f445a859e25480798fecc3c33d77a

SHA256
0b7ad58c6f897c706cb2970527a921406b15bc7c802cf2747d28ff1c7e376da4

SHA512
84fa5f134b295cfe60b40309f4f482f8d6e75cf0b87d9108549caa7f2c8ab6b207a84ebdac1d7937e141e6f874451289795c91a1ffba054d49031b783139fcfc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png

Filesize
6KB

MD5
3ff42695969fbb4737a91fc534c527fd

SHA1
5fa58c9d61a09c00f09bd5e4e5bd275a51532197

SHA256
111adf9ec60e27057e7983232f538f80962acadcc4bac9b3b5c2bd6706c66998

SHA512
fe0cc99920e751381971b3d1531d933080e406f8cddf1e852a6ff6f823b6f7076d7d8004bb6d337efda1b7ddbf95699c70f6b5ce7ae6cf3c28a1620166d70c70

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
434B

MD5
31e940e7da0c346e2bf9921efead0d98

SHA1
d589221046941b068060c65ad3e3a179055a6353

SHA256
830ba48d81eaaad94439ec85fa523bb077bada68947f331b680fc3509dc5b1cc

SHA512
b8b9f04071c356b54e1eb510ab4fb4cc2baf3bddb58ba317b323920ddf320bbb2a9c01bef6afd9a6f53974374b6e3c99bcc8a68a6c3654e356c8049f3d225e28

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
386B

MD5
e3503ac501a00745c9e251f73b222a7c

SHA1
d4b4cfb85de11fe25c6fb72a35d6869260bd9fa2

SHA256
eb63ad9ff52888bf68c4d1c80b99fec94a3cc2e043b4636cb47e49c0e304b264

SHA512
477c14fc28b47dcd36014025c5a3e285593c76e727992db4034479565bd5bcd042a249b32b4cd7810728ac4d4ddfcf7b4a4a5bef0014a656875d0385075dbb21

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch

Filesize
546B

MD5
0a82a9d2ffa28d80d223d15360d94ee8

SHA1
ddae3b3ab720d5f04fce1eb448847b46ce91f3f4

SHA256
2df8415ca0f95ca917991dc5c8fbe7e351432791e36f3c2e3d13e597810d9463

SHA512
dde7e4edfcbed3b7241f0dfc07bdd26c77f2034de2103bd053f2a1700d1a05a7eabb90847f914ce44259cbe3c4a428a9731b7c58c8a4845a9502b2c0f0e35109

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol

Filesize
722B

MD5
9eaa300f53e7d155547d554e13b9c685

SHA1
08f0e3aaff8d73a7418077aff666b86371e7a987

SHA256
a66c2d1faed432bdf56f0d2c4a467629d12cf29b6ef8a4cb9e63fb273e1518cf

SHA512
19df3ac5a3e91cb2ce219368a7be91e57ef90c7cc87ff33627b93cf82a98f738fa0d9516a9319026b96a9a28cd509c07b16d6142397f4e407f2e023debbbb1f9

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
322B

MD5
8402f584e75a6537cefdccb278504494

SHA1
9fdeb3c2f0b44e20b61d8aecf36518c29ee2daaf

SHA256
1c8dc1f0ddfabe972dce5bab8ae90cbfe481a38db9a80d95fff060063b4888ac

SHA512
a520ee0be0605a898df9888ecf894cbebff1420325668cacd3f40064f7c846d88a8efcb93df81b59a29adb31b5d8d4bea7630ad0534a3bc2ce2cdab55c0bd030

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
16e9c63a9ae11556021a88c40a46f1fe

SHA1
ee1c02859d165c06e458d0289c928536cc62baa3

SHA256
bdd653c98962c68908decf867e9ade99a705e7d5561d501311946523fed66fc7

SHA512
74f26535fe7ee5140f8a41967cbdee26f02a56116c83c16e1b7b747a84699b11cf8d29cceb855b6c4d51aee0b0cc1fdc0549f75be29c94c10e25937b953f50de

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi

Filesize
804KB

MD5
034f60fd2e064217a5f7a9aaa8521462

SHA1
1a6dca7a288b04bb12f0addd9c5eee3df08c7948

SHA256
ed51a42115c0df4abbfea17e849fc7f67815e982117fbc01d8cc2f25449a29ce

SHA512
9d2c0ea7586ca165ff31b6484890366b2601cc62363e75002676e3bbc75b523caf9477b6be7faedd43a0ab47d48264124f5627686b0871319e542352a68a8996

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
b10f020bb22ca53c11967121e1f9fb3f

SHA1
15cdd00629ef3df4f1999387db74ab9d4ff8fbbc

SHA256
037a74a0580a9142d79d782764c526503c7c093fa0157c297405af12a73b4082

SHA512
6a83d8d0fc373c7b6705f7174b2d379de4fa9d3c0626a957ea01a84edd18f2bca2615921b55b44ee7443c41c05055fa87ab9bb4eeba099abab9c2a25bf19ef68

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
5426075b4117b7c4c78efc2df9164590

SHA1
19dafe6eeffd2668fd7020d02dbf89fcd3339462

SHA256
011a0f0f89528462ef43bfb27b7fbcaeff673a50e15f9f53a832a086e7d81615

SHA512
c747190106d1ba2a8170584474c2995b56e200fcebc79084ee46014ca6f3a6d859d0e7bfc522727365b1a5e854bd1206cb7fb3a945b3213b1c75acd0a7bc2863

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
bbaa93a53568392f98bf73717a59f3fc

SHA1
c640e56e7dcf475e12df5c6c92a790eb0b4ffc86

SHA256
e0dae4dc250714946428a7905c303c45d5929628cec5d6098220cd14dd7d38d8

SHA512
10f365aee0016cf521ef2bc64bb3e88c17641e4ba7a1d464e7c18742751d6ecb49754398dfef58dcaf1184e54598ae1ad738becf5b7e8220c098bb84970637a5

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
dc67c78aa2a8b6d1a033c502763b0a22

SHA1
1f12b71aa7d3b2d23a9d8b6814cdd3a5fc6994ad

SHA256
bb080724cbf15e425487cea708b4468781949d4665af5f6738dd3ea6b0fe33a8

SHA512
c9c587e7adc89fe31172da6e5a08de94f11b679f64d922637c9e0ff90b25043f67a5c11a8ff257bb0ce8c4ab91085572471dede2cc6af46f5af90f4b22305bad

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
b6b5ba4ab4b5e5e16d92b2121c58c198

SHA1
e0dc07d13ed027bb73f9a0670d65af2bb9e5db36

SHA256
1d8b6708a44c1007fca7b839878daca8342061eba3476865404b21d5f3979595

SHA512
e88306a37eea1f58484384aabd3b86b94f6cd723a6ef91a05d9b6f998f23775c22f5bbec6380bd4d13d958fcc716ef24b361fa2261125fec023126aabe5194fb

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
d733bba50a19423eb84d5cecb93d28d5

SHA1
9e7a09eb68d91125fd555a227759dd1e0d904730

SHA256
86d1ae48172a25f0c028710ed657a539a0adbd003a5a0feb3111ff8297b4d0f8

SHA512
023979dc0a78469d3bca262b7d516fdd727d0e4eab2889ce450b539a24e443e2ceb963dcd482650a1be1efd05d66988b8df4e51a7b08f2a2a3f05a2db010c67e

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
a3f62d596cc01bb05376e760fea1753c

SHA1
5e0e4e58013742ff494a88ade92a620a8db86896

SHA256
59de8963671835037213f108518c37c74b2c4eb9c58356272cf24a1116eefb6c

SHA512
7da2060b08ede7bb36f8e0b6c5ef851ddd3e5e005773b87bed0fb148ec988952dc8fff737f40ad94d6ec90524e75ee3945830b19dc9a9ee36eff3fb716240bf7

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
9ed94d984a2968570e32ffb3e2f0d24c

SHA1
eb471e7f5a8a48558e0a0bca56945d5d95144ba0

SHA256
518d2522dd4c833dab175b6fc1162f83f905b0195834796f29392d2a0a65eed6

SHA512
b5c90b2e1d5cfb8b3fbb4a6777f6b5ada431b8e7564a4cc62093457b28569f006aba4a7433f73c81e6969523eb0e3587367080ce1a6f691ef979d0288dd71e3f

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
e9eec0195ec3278442df4852d4d4b109

SHA1
994ceeb9cef6d7ac1df5deca8bda23b530ee03c5

SHA256
65d180f31e042c4b783fefb0eeeec85f5af64adae5ba90b7d1ff13523090b27e

SHA512
94ba6028bc15a1f7be4d730ad23b25b2949c7f0d9df6f549bd9d57e963e477e45f0e24e4fa069e31b84e261b49c97d12adec61bc1e33b5a03a12b7e4ad2a563d

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
f892307e07d1af6da2871f2978909676

SHA1
924a563c987e5476ca4cb58a59dc340ed9ee596d

SHA256
d697937a30f422228d4082dd8629380786e6f217706d36a8d667af860e5c7bae

SHA512
b3ad11bbe4857947625a28a46a5689ed5a486357e68283e8373d42b260ac234a9091b44baaf9151c5e1c4608e09591ab1b248334467ecadfa720dec603247452

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm

Filesize
1KB

MD5
acfa71143620632972e9198cc6e7794f

SHA1
123a6f232044bfd7875761892bb1fcae5847bf20

SHA256
984d797d18e504529df88f6a151a0db54a7bc57b8a52839d6884ca6188a84417

SHA512
fbc200f8b9db4d727366348bc89c23a7b1e4fcd02bbde49cc8613b189e33e84c27a551a40b5537489596704e7f1a11172a0f8239d6b235c97bb766b39f5dbf6f

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
d4605d026c5b388149aae4d278124a46

SHA1
6dda48d5b30007b92746445869384bbb243be657

SHA256
0f23a121d27a37c67a1a793eb581fe57a37bdb395c242c14549e4922d694da3a

SHA512
7e6ad368cfbb76a91d8a59f9d2b772b4654cb2419884aa28c3a2f88329b9c3b7a9fe437bf9e91a3511d56188624ec7039ed0f732ed66f9eb793c6fb93fdedc3d

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
c945efb3d21030de5973bb57d1e3409c

SHA1
5e5dfca2c516ad2a3eff51bc79931a1731814d3b

SHA256
a11e1ae3e144d75bddbf8b57f9becb5ec61c5a1b683c0adfbad958c6fb3fa060

SHA512
45bcfd2f9c17f08efda8fd31c691754c46671e113760ecd32587a1d65720c8ebdf2b42758149307c45de9a9d0293211372a1498875904cdc85a56f9f1cfa0b03

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
dcd4e5dd7140e0080f007011f423a1f4

SHA1
a241c4db0c2264818f7d5e3ff920ba36804963bd

SHA256
ba45e5d975971e3fabcccac9e2de582e9290d41fe6fe0f77533cc3ae2ee47226

SHA512
d09227d3c81192941bb127760c3934159d4f9331982b7de7fef7d511d866b81ccae6e24a1931b03eec8090e10875caeea5065de994109781eee8ea5a50a08af6

Download Submit
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi

Filesize
804KB

MD5
9b5f340b9a76945a07d6e37b528e2aeb

SHA1
94aece53c5271f651cee609ef5515872791b18ca

SHA256
790561c01b3eb6f6289a4216ced0524a0433807901dbf22e2c53031cd5118f6b

SHA512
50c63c6a4180bfce900e6aa04ebeece5fe87146959953fd18321969a8ed2a2b64c210c9c942b7a168c8dbb66e78df73e92ea85c33efa9f7cd3851d9a52f9bc0b

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
6cb178191d681bc44412606323078b6e

SHA1
709c1d8aced2259523abcb8812aefb64b660554a

SHA256
3dd0a6f218dabaf6d9a4f36f6bf505a522fcbf7ecfcb7cd44b69fa78e0517395

SHA512
ee8d4a2772ea9de99979f688bdc86b4a8824ac4031b3265e6573131184ece1f52c61ffccadaaae95648cc9b2cb3593c3f57be7d4cbce5ea71a4dd7e94c3174e2

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
f9401e9e42109c555164ddb99f916623

SHA1
298696e1ed41c9781e7ce14c6961c6b46f3be33f

SHA256
9ca392daa4ab3e874471d9073c0591ea78c41acc8be9a412d757eead6d0a57ac

SHA512
4e93abe0dc91410bd3265032ed0cf1e22f8663ea37a377dc469f1486f0fae599aa25f088b674c7e41d62e134abdf6aee5bfe741095fadf3755003675e655eaf8

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
96473ba0373b57e4691217c6ce9b89bf

SHA1
e36a2e76cf39539d4865181b87265346084e8f0a

SHA256
995640d33127d7697eb69f326f11ab86334e51aa52034c5a63ac4597e7568f93

SHA512
124885b343707db338326d1ac2ddfa53bcd3805183c9a4994dd95fb3adef29717d8cffe105146c7f6213748687568c59a48aa8cbdde339aa070ddc2c47d62107

Download Submit
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi

Filesize
744KB

MD5
48f9ef82e27a7d38f59f571fa944a752

SHA1
bc5d59504b091725f4944a5ec92e7d693dcb0491

SHA256
3904142fecb200eb02688c144df04a8c970545a447615dc8dc7012ac7609c056

SHA512
dbe10da7d106d18d29cdee93d19c5de3c23528f9c148f099c098b1446c5b46a4eb79631601bbef658c29e7a5d2ece38ba4a595e5ae16084abf5a7bd310a67ea2

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
21e1731bd2191a223d9014da2d39c096

SHA1
0f41935ae5d5c6c89b46755ebd832639e8e8b3a5

SHA256
ea5a50beeb95ce704142fba6fa1f62818490d6cb1f5bf4c0f94c5e4e28d88f04

SHA512
6d78b0d396e05778c61dbdf97b8631b0c7b56ffbf791c96a7cb23406ec8941a272ada00116e3368b7a5d767487f60dbf7436a5e79a9f7be81e8df1af3c76893c

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
f54a283e7aaaedf17d6aa88bbf7ca5ad

SHA1
75811c1c6bbbb1d24d5a1ad3f92eef65163bcb0d

SHA256
8c3466d196a54d68c7da92c584b15cea48745811dec7f2b87c7d4f3535f545ea

SHA512
a93acbbb3bdc5e9b14cbd3b871b0a11793f56087e6383c01ccb178707ac4cd2d17f67c981d4f5f5351d5135320d0ac0fca60ce65159e25ce9c651f4b1310082e

Download Submit
C:\ProgramData\Package Cache\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}v64.8.8795\dotnet-hostfxr-8.0.2-win-x64.msi

Filesize
796KB

MD5
959458081d3e2f62669364bbb96f3d95

SHA1
e4560006b5b73a09ba4652cece5786f73976fb95

SHA256
27888514b44ad3e3ee07e14cdb835b6599c62a613e18eabeea5ff44404f5883a

SHA512
b824820d180b127552038401a75fc5770342dc9944b2ffb0e3849170d2f293a6cdfe8cb006ec704412086da2ba0def77c27d8e004ce23ef00fbc41bf8757d1d9

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
99bb24919c10ca374669785a45525cf2

SHA1
93bad2d21ca160a2819af967266d02bdda87542a

SHA256
8c76a5a6afcf9a0625bc670540d61f31097e2ec6765e003f90171cf95d80b2ac

SHA512
2de94a011b26cfdc69a616f8c0d1ff9d266a0a3086da4d6af5a589d0c1b3703cce7f6a0a1d2b63bd35ecd84dc346d836cb117a0350e053b29f3c76658cef4aad

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
6b6c2ea6691dc08e52b9038447914342

SHA1
e8cfa68e7d1c7aa2f80e30c9b154e9095d729e9c

SHA256
e97a38869095f9bbe98598d87660ecb5c3fec48e8b750c30d4276bc08d900336

SHA512
5d2eef49f4f0de485b84a9329ef19c79a05c45c29750e032f5d68b83988635d2524631e195e330a86bf090fdb7b5095b7dbaa90124c00cde5f97201877e51c57

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
f2affb7a5a40148c9355142e56855f5e

SHA1
237b7785d4498dd39e9562450b56685827b304db

SHA256
714b0ae036a7cd13ffe95703c8eb38d7b6060c0325abaed149c3dd9bdf213db5

SHA512
b654f9c5d859143a9d5b8527102f36fc4d3dae340a14c377b022e74ad4877b54af708c3b02fc4fb0ec8e1767019ee508b4895b4bd14df9a3110b1fe782efc806

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
39712e886ebad0a9e449e200291dbbd3

SHA1
6b79f8ac24ed02ae025817e6f3415f023e8445d0

SHA256
4c00f5e5ffdc3675fb35f6c9a9fce752764449b83f981152dd26475a748bf345

SHA512
215d1d2d2ba1035ea68ae4358e14377dceeb044bc9dbbcd3de4a67f6dac283945b27bdf0d8ce3e8eed703b93f20b3cb48366ee6ebebb4456bf81e57ccd5b4ee7

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
9235939a3858f9380632dd0c950d1e0d

SHA1
861b3969d72267ca38ab3e35b22b9967e1e3fa13

SHA256
34c488080d8d144e9449e9b8ab1501fe94dfc0b3f0d241c96b5841a0febee2ad

SHA512
d2a6941f7280de013fc2de56e095add91b260bfcb303fa2eabaddc6c71942f6e07de0094237694c3d594af507be536137513ae7282afa83986d871623e5b725a

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
9fb12ea17484903b83c41386d0e605f2

SHA1
03a514ee91a1c949f7103ab2ed1f2204ff30f54e

SHA256
0e3fb4ab5b914c0db41dc1d1e76beeee08ac2c2f52d31034e54c74279cbfd529

SHA512
d64848bf2a57472b05c0d51ab353a1bdc3fb500948a530ecf62981f38bb6d16dabf2b676d1d9b6f84dbb66214401ab863f5fcb49abc53c7919686a275e89269e

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
a12442f612b162bf7afc1e801b5fb848

SHA1
de4cb6e21c2320a7287495ab43ebabfaa8d3f9d4

SHA256
5747e334f41671d3289b10b01c6af9ce4f30c7586c7ecf1fa2ac07d13c06b8fb

SHA512
91ad0dc3ebf08edd1632afb1f7e524a627f795c49a68d83b8ec071540016d7dcee84238573381a35c911fe899aaa8b9431cad2216675d099164d91bdb80548b8

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
327c7264a191cb431a5d5fb5a79dcc14

SHA1
669254cc87fc5da5235ee487a98388854dce6f46

SHA256
4715666ef1d6969679d1d31bd11505881c2a04287c167c956334546a6effcd2f

SHA512
eb7b1e378cb0a03cc2e2dc574ca53350facd14702c0551562155acc8accb3090721aa933135bb34421bb2619531563497cb4b8ba02260ca56400410357c0b2e6

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
2713dbdcccd5693784e348a6297c7c9d

SHA1
204beee3da4556eb05dfae31ee49ce280a97a406

SHA256
d776579b139b85d801f8121a6aec3e81d4241163ed87cd3a1b907bbf6432edaf

SHA512
ee5264a39ac1e565b2dd655f2435df373cb459f71f7685a649c13b04f749e597cbe74cd90161eab01fc401580e92cd9fc9aba330e02abe7350a5461b46ad73db

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
e4da2a07f8f4b5f4e5f5e0adbc125495

SHA1
15d6424aa897345ca5326ff0f1c6a239689bda4d

SHA256
d2b6d473f096eeec1b7886b9c5c06ef03b5754c941c30e75a26da149e3f3f0ad

SHA512
d2e064942f21f7c48fb4845749c08dbe947cc28e7557375589e2141447b41f9c3707f238da17484a610908cd8024d5a08b53fc38e206b641c305d748f81f6e4c

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
2d40d006241e9f6818d40d5567ed3b65

SHA1
101baadde2a5ce001176dcc1aac68d4c504b2261

SHA256
4ad9ada2b09832ce715237dd003b1bba094da206aa0e49e4cc0f2da3b8e4c2bc

SHA512
3708c0f7e1b51252406872b4abc151253d019e0fd5f68ec2d7d4c4dfc939737908840a60ab331e248759975a193ad8a932a262806e5806769c103365de1203de

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
b720365839abfa789d8ae6925ae9724c

SHA1
ef81cea98a3c5b34c9f4d5c56c409f054cc1eabe

SHA256
a458e010b6c24746a522f9f01f05f6b7d6458682e0174a73707432577c54b183

SHA512
53bb5d704d56fa925b496784516142e615fcb1790d0f1e84109200da95bd04957d4e71ac3e5be0d0b9fe57a6f2083b4d007a31a654c57751b4c3c481bc5c513e

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm

Filesize
1KB

MD5
49b0c33ae5c3e9e1a5375117de49d00c

SHA1
3d1069288a728eb20715019e60484211cf1c6e2e

SHA256
9bd990486d15d63025183b84ab121a565d40e05e3650774bbc1d9a3b47f06d6c

SHA512
d680c7a71815ba335c554143e88d0cbe5cdb64561d36edef47ab54319dde1d8ab8de43fa5d5eb5c54669b58b8b4413a1a13f66b080ca4941c9b67ac08173b380

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm

Filesize
1KB

MD5
790baf174e8f495ff4e2fa7fb7cbebfb

SHA1
c908c8d12077da41ecf45e73b5de727919c0d64c

SHA256
3799126e72fc4c97154920e4b3fba60088ed16bd4e24debcced718f686bc926b

SHA512
fe027f234d8fa04c3ba786d2abafee34187e6ecbcfa2cd6f76e002be629055c48504a827fcfaba94dba3d291b2ad2903f5477525aff92535bfde77836197cfe5

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
1b710aa57379bc5780340d58d9336eb1

SHA1
53200e7b6a35ab3f90303882cb06e5a438b64cf3

SHA256
9b1794b523cdfb15e63dfc096697f3d8d257db809b7dceaa3f76baf3defb94b5

SHA512
9a70fc26ddc421b057e9672edefc9b540caaf877ccb7678fb10a5af8f56ad8ac1c7b66e0d396170457422d5b384de6dd19311fc35b86ace246a9b38b1b797047

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag

Filesize
1KB

MD5
c5e3b1fe6ff6f2600a37539b37d23499

SHA1
eb95191ca3b97d6e9053954e36e689cb87a4ee76

SHA256
c7aa390474f25e356df9104cd21db934672cee3bd00f37b4d22fb5ff0df3a253

SHA512
d1cad3e1066e8b72eda1a9ba8c4868dcec16966d03798487b713bc542ffbdb1881ce87547d1f237822673c932269cedb0347f73fdab96d5b49c3454f9f64dc91

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag

Filesize
1KB

MD5
368ead32f7f0b48f90bdaac2179541da

SHA1
ad46b9e0cf2d43ff714e90a6ff5ff273a217808e

SHA256
ca3a8112de8a99bb2a80a9ebd092170ca125ed35d35ccf065609d9a8bed8a436

SHA512
aa0a46e625eab3cf5195fde154c8ecacb35e6a6a9848d2c81a9e78cf3f126779f3cce0389a5dfe70090baa82bd4a569c197fc66d8b4c9d357d84d6f0feaf18cd

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag

Filesize
1KB

MD5
0be3439e5a96b1b3c7907cb0d08e9dda

SHA1
a4c5e94fa8f68bc0b712246747b19285b94140ef

SHA256
d3aa98a2fa192fd5fac0463d590cc21c56613a1e49ba6f92db57442e139d3275

SHA512
424e12708309f50db15ed72d0a154fec5df63b359b825c09121f609005212c7cb1054f6c48a0f4d9eb5f8037342a44b45478d61ace6f391cbc282b081e2b2b48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
f9f4f28330762f1e5dfc6bac948e28d2

SHA1
9f359b2af69ac60fb892d5ee9bba3145191095df

SHA256
c6ccd3baf57741a9c7468bbd9a0c5b9ad6be2f447803306e647763bf76079476

SHA512
c7a90b4a44dc4089a691574bcd718b9df9d984a7ce6da918c48649162310f6b7a04da5e172da3c4560059b9ba01bb71ff5a0ff0364ddbee360b3644a27e6a76b

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
15KB

MD5
897a6a8dbc881d91876022392451d011

SHA1
061d13871c3c79d8ddd787eac20a9356486fbf63

SHA256
80822bb07b400c11064d2962dbe86263c6d39eaf2a5dcf7adddc42a92504596e

SHA512
78ce2f29a1f8d1257ae4e6cfc5a718310369db559106a9c31d4c1914763cad5569410ea4dce6e94676983ae488b9481f4457f45cf7c9dbf9a6e54ede56bdd56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
e1e0496137822db5512c5a8837ad4587

SHA1
6e8b8ca10ae50c1a2e7a5181cbc307106cd3fc82

SHA256
ef3a1feb723c7bb8462c1a4489684d84ede5775565215550121e357498a9404b

SHA512
2e096facb571687cb87af842e12f9fed6fdac31d654b8b9bebc2b4037742f8c19aed6f80018bbbb6dbcf008ecee77bfc550cc7cec2380adbb1867c9e1b8e1d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
5d2bc3746e5ff382c7aae60083a3b296

SHA1
f85fd18c4aecec55b689f7877117e56cdd597514

SHA256
5a6c22b2b3f40613efd646a8c5eb50f39b4c809244489c99636db1c2a2d360a8

SHA512
51ed95d1bd87489e3c95767dca13af01f80f738407d3865a574c09ad0e92bf768fc58c8c3fed9c9f4dc3313e2c8d57e55edd23940a2941c9687784d348c55ac6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FKEP33TV\microsoft.windows[1].xml

Filesize
96B

MD5
dcfd0f22889d8b3a982fbe019d01d543

SHA1
fe866022f3fdf8fba4d3bd366ff0e2683fe58e59

SHA256
2337927b5b24c83c8ab37dfc0fe7ddcd832ffb16d0cee5d50344478218893f5b

SHA512
11b59e18705c1d95508e298938525f931c12c9010cdc03fad15f5585bc503713670d93739668d886ed9446d528c3dc7ac8cbc8e52198eb85ea6557821a124cc8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133782684717161988.txt

Filesize
76KB

MD5
8a51f20a59e1f9a78130bfb29266d698

SHA1
f4ca82f66efb1724695fe6ee64c679ed13385388

SHA256
e8260cae6cfd9605fff1f9d9e25987091f42a18a9f50bd4b4f2acf016999d4e2

SHA512
440dec2d5075846abd8b4597d77e3aad11ca31889d3452df85d6af5c308284e1fdde15c7b719a012557d77b8306029c0155e217bd5e754a238ad47b32286add8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940901362-3608833189-1915618603-1000\08e575673cce10c72090304839888e02_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Public\BIYpj.exe

Filesize
168KB

MD5
166686d538ec9a0e0550347149aac4cc

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

SHA512
72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
F:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
memory/2648-8-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/2648-36851-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/3092-36852-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/3440-36966-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/3808-37124-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/3808-36936-0x0000022155A30000-0x0000022155A40000-memory.dmp

Filesize
64KB

Download
memory/3808-36930-0x00000221559D0000-0x00000221559E0000-memory.dmp

Filesize
64KB

Download
memory/3808-36867-0x0000022157CB0000-0x0000022157CB8000-memory.dmp

Filesize
32KB

Download
memory/3808-36947-0x0000022157CB0000-0x0000022157CB8000-memory.dmp

Filesize
32KB

Download
memory/3808-36861-0x0000022157E70000-0x0000022157E78000-memory.dmp

Filesize
32KB

Download
memory/3808-36976-0x0000022157F30000-0x0000022157F38000-memory.dmp

Filesize
32KB

Download
memory/3808-36864-0x0000022157CC0000-0x0000022157CC8000-memory.dmp

Filesize
32KB

Download
memory/3808-36865-0x0000022157CB0000-0x0000022157CB1000-memory.dmp

Filesize
4KB

Download
memory/3808-36868-0x0000022153F40000-0x0000022153F41000-memory.dmp

Filesize
4KB

Download
memory/3808-36862-0x0000022157E00000-0x0000022157E01000-memory.dmp

Filesize
4KB

Download
memory/3952-399-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/4128-37305-0x00007FF72B690000-0x00007FF72B6C5000-memory.dmp

Filesize
212KB

Download
memory/9224-37315-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/11232-37145-0x0000018BFA900000-0x0000018BFA920000-memory.dmp

Filesize
128KB

Download
memory/11232-37136-0x0000018BFA940000-0x0000018BFA960000-memory.dmp

Filesize
128KB

Download
memory/11232-37132-0x0000018BF9800000-0x0000018BF9900000-memory.dmp

Filesize
1024KB

Download
memory/11232-37158-0x0000018BFAD10000-0x0000018BFAD30000-memory.dmp

Filesize
128KB

Download
memory/13352-37329-0x0000018A1D2D0000-0x0000018A1D2F0000-memory.dmp

Filesize
128KB

Download
memory/13352-37324-0x0000018A1C360000-0x0000018A1C460000-memory.dmp

Filesize
1024KB

Download
memory/13352-37340-0x0000018A1D290000-0x0000018A1D2B0000-memory.dmp

Filesize
128KB

Download
memory/13352-37360-0x0000018A1D8A0000-0x0000018A1D8C0000-memory.dmp

Filesize
128KB

Download
memory/21540-37481-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/23740-36978-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/24436-37007-0x0000024C657E0000-0x0000024C65800000-memory.dmp

Filesize
128KB

Download
memory/24436-36985-0x0000024C65420000-0x0000024C65440000-memory.dmp

Filesize
128KB

Download
memory/24436-36996-0x0000024C651D0000-0x0000024C651F0000-memory.dmp

Filesize
128KB

Download
memory/24436-36980-0x0000024C643D0000-0x0000024C644D0000-memory.dmp

Filesize
1024KB

Download
memory/24976-37130-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download