ryuk | 3b21b98d92725cfd4d253b0022bd2cc1bba910e0ce928a94fa970cc9bca5a992

Analysis

max time kernel
64s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Size

378KB
MD5

7bcbd03a264f616bcbf64dd973c9e120
SHA1

5d2b6c04f634672ba0a11063dd1bc225446af2c2
SHA256

8f6bddd131f27472a4b974c3a141f8eba3a2c110b4b19d755408f67aed212b68
SHA512

f5b1dc62441d9bfdb57a7ae6ef41c46106e510ba73cea8372cc0a2765c192d27dc3f41c1dfadadcaaa39ff4fd87b0c84b81ecd3b14c8315edeca3dd0a8789242
SSDEEP

6144:sMfwnT2W/Pw5qjylH1/7QXMWibyJp/qQ:snTzPqHkiuX

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3912 created 13060	3912	RuntimeBroker.exe	741

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wwEsu.exe

Deletes itself 1 IoCs

pid	Process
4016	wwEsu.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	RuntimeBroker.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	wwEsu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\wwEsu.exe"	reg.exe

Enumerates connected drives 3 TTPs 38 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files\dotnet\host\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_selectlist_checkmark_18.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview.svg	RuntimeBroker.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\ui-strings.js	RuntimeBroker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	svchost.exe
File opened for modification	C:\Program Files\FindSelect.tmp	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd	RuntimeBroker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\RyukReadMe.txt	RuntimeBroker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Interacts with shadow copies 3 TTPs 56 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
15716	vssadmin.exe
16116	vssadmin.exe
4520	vssadmin.exe
12592	vssadmin.exe
5260	vssadmin.exe
6884	vssadmin.exe
6924	vssadmin.exe
7444	vssadmin.exe
15284	vssadmin.exe
10204	vssadmin.exe
16040	vssadmin.exe
16140	vssadmin.exe
15940	vssadmin.exe
16196	vssadmin.exe
9452	vssadmin.exe
9404	vssadmin.exe
5688	vssadmin.exe
6564	vssadmin.exe
6228	vssadmin.exe
6432	vssadmin.exe
15256	vssadmin.exe
11220	vssadmin.exe
5880	vssadmin.exe
11560	vssadmin.exe
9656	vssadmin.exe
6404	vssadmin.exe
15196	vssadmin.exe
7076	vssadmin.exe
16084	vssadmin.exe
884	vssadmin.exe
6036	vssadmin.exe
6304	vssadmin.exe
12240	vssadmin.exe
9488	vssadmin.exe
15900	vssadmin.exe
11680	vssadmin.exe
11148	vssadmin.exe
4948	vssadmin.exe
15576	vssadmin.exe
15872	vssadmin.exe
15124	vssadmin.exe
7604	vssadmin.exe
15968	vssadmin.exe
16236	vssadmin.exe
12628	vssadmin.exe
15324	vssadmin.exe
10320	vssadmin.exe
15680	vssadmin.exe
2148	vssadmin.exe
772	vssadmin.exe
12948	vssadmin.exe
9784	vssadmin.exe
15160	vssadmin.exe
3984	vssadmin.exe
6672	vssadmin.exe
6760	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
712	taskkill.exe
4352	taskkill.exe
2988	taskkill.exe
1332	taskkill.exe
1680	taskkill.exe
1228	taskkill.exe
5088	taskkill.exe
4088	taskkill.exe
3588	taskkill.exe
4156	taskkill.exe
8	taskkill.exe
4808	taskkill.exe
3476	taskkill.exe
4076	taskkill.exe
3764	taskkill.exe
2128	taskkill.exe
3940	taskkill.exe
4564	taskkill.exe
4084	taskkill.exe
840	taskkill.exe
3460	taskkill.exe
4052	taskkill.exe
4600	taskkill.exe
2712	taskkill.exe
3412	taskkill.exe
3252	taskkill.exe
916	taskkill.exe
1664	taskkill.exe
4128	taskkill.exe
2644	taskkill.exe
3632	taskkill.exe
3644	taskkill.exe
4320	taskkill.exe
3524	taskkill.exe
3708	taskkill.exe
2976	taskkill.exe
2928	taskkill.exe
3948	taskkill.exe
2276	taskkill.exe
1200	taskkill.exe
464	taskkill.exe
3088	taskkill.exe
4948	taskkill.exe
3068	taskkill.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{2ED4A979-C472-4B81-861C-4C936EF2B029}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{47170F60-94DA-4EB7-8788-F1601E276466}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{FDAFEBDD-D651-4429-BB52-796A2D49E0C3}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{8D79C6B0-E4F6-4DD2-B912-1D64409BB430}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{6F600296-B687-465A-956B-854EC6E08CF6}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4016	wwEsu.exe
4016	wwEsu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4016	wwEsu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	4016	wwEsu.exe
Token: SeShutdownPrivilege	3912	RuntimeBroker.exe
Token: SeShutdownPrivilege	3912	RuntimeBroker.exe
Token: SeShutdownPrivilege	3912	RuntimeBroker.exe
Token: SeShutdownPrivilege	3912	RuntimeBroker.exe
Token: SeShutdownPrivilege	3912	RuntimeBroker.exe
Token: SeBackupPrivilege	12860	vssvc.exe
Token: SeRestorePrivilege	12860	vssvc.exe
Token: SeAuditPrivilege	12860	vssvc.exe
Token: SeShutdownPrivilege	9712	explorer.exe
Token: SeCreatePagefilePrivilege	9712	explorer.exe
Token: SeShutdownPrivilege	9712	explorer.exe
Token: SeCreatePagefilePrivilege	9712	explorer.exe
Token: SeShutdownPrivilege	9712	explorer.exe
Token: SeCreatePagefilePrivilege	9712	explorer.exe
Token: SeShutdownPrivilege	9712	explorer.exe
Token: SeCreatePagefilePrivilege	9712	explorer.exe
Token: SeShutdownPrivilege	9712	explorer.exe
Token: SeCreatePagefilePrivilege	9712	explorer.exe
Token: SeShutdownPrivilege	3748	DllHost.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
13060	sihost.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
9712	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
14736	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe
10728	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2900	StartMenuExperienceHost.exe
4156	StartMenuExperienceHost.exe
11108	StartMenuExperienceHost.exe
11184	StartMenuExperienceHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3912	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4016	1100	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	82
PID 1100 wrote to memory of 4016	1100	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	82
PID 4016 wrote to memory of 8	4016	wwEsu.exe	83
PID 4016 wrote to memory of 8	4016	wwEsu.exe	83
PID 4016 wrote to memory of 3412	4016	wwEsu.exe	85
PID 4016 wrote to memory of 3412	4016	wwEsu.exe	85
PID 4016 wrote to memory of 1200	4016	wwEsu.exe	87
PID 4016 wrote to memory of 1200	4016	wwEsu.exe	87
PID 4016 wrote to memory of 3252	4016	wwEsu.exe	88
PID 4016 wrote to memory of 3252	4016	wwEsu.exe	88
PID 4016 wrote to memory of 3940	4016	wwEsu.exe	91
PID 4016 wrote to memory of 3940	4016	wwEsu.exe	91
PID 4016 wrote to memory of 4564	4016	wwEsu.exe	93
PID 4016 wrote to memory of 4564	4016	wwEsu.exe	93
PID 4016 wrote to memory of 4084	4016	wwEsu.exe	95
PID 4016 wrote to memory of 4084	4016	wwEsu.exe	95
PID 4016 wrote to memory of 916	4016	wwEsu.exe	499
PID 4016 wrote to memory of 916	4016	wwEsu.exe	499
PID 4016 wrote to memory of 1664	4016	wwEsu.exe	455
PID 4016 wrote to memory of 1664	4016	wwEsu.exe	455
PID 4016 wrote to memory of 464	4016	wwEsu.exe	365
PID 4016 wrote to memory of 464	4016	wwEsu.exe	365
PID 4016 wrote to memory of 4320	4016	wwEsu.exe	104
PID 4016 wrote to memory of 4320	4016	wwEsu.exe	104
PID 4016 wrote to memory of 3708	4016	wwEsu.exe	281
PID 4016 wrote to memory of 3708	4016	wwEsu.exe	281
PID 4016 wrote to memory of 712	4016	wwEsu.exe	399
PID 4016 wrote to memory of 712	4016	wwEsu.exe	399
PID 4016 wrote to memory of 1228	4016	wwEsu.exe	654
PID 4016 wrote to memory of 1228	4016	wwEsu.exe	654
PID 4016 wrote to memory of 3524	4016	wwEsu.exe	270
PID 4016 wrote to memory of 3524	4016	wwEsu.exe	270
PID 4016 wrote to memory of 4128	4016	wwEsu.exe	604
PID 4016 wrote to memory of 4128	4016	wwEsu.exe	604
PID 4016 wrote to memory of 2976	4016	wwEsu.exe	640
PID 4016 wrote to memory of 2976	4016	wwEsu.exe	640
PID 4016 wrote to memory of 5088	4016	wwEsu.exe	723
PID 4016 wrote to memory of 5088	4016	wwEsu.exe	723
PID 4016 wrote to memory of 4088	4016	wwEsu.exe	532
PID 4016 wrote to memory of 4088	4016	wwEsu.exe	532
PID 4016 wrote to memory of 3588	4016	wwEsu.exe	287
PID 4016 wrote to memory of 3588	4016	wwEsu.exe	287
PID 4016 wrote to memory of 4808	4016	wwEsu.exe	124
PID 4016 wrote to memory of 4808	4016	wwEsu.exe	124
PID 4016 wrote to memory of 4352	4016	wwEsu.exe	126
PID 4016 wrote to memory of 4352	4016	wwEsu.exe	126
PID 4016 wrote to memory of 2928	4016	wwEsu.exe	128
PID 4016 wrote to memory of 2928	4016	wwEsu.exe	128
PID 4016 wrote to memory of 4156	4016	wwEsu.exe	662
PID 4016 wrote to memory of 4156	4016	wwEsu.exe	662
PID 4016 wrote to memory of 3088	4016	wwEsu.exe	610
PID 4016 wrote to memory of 3088	4016	wwEsu.exe	610
PID 4016 wrote to memory of 4948	4016	wwEsu.exe	134
PID 4016 wrote to memory of 4948	4016	wwEsu.exe	134
PID 4016 wrote to memory of 3476	4016	wwEsu.exe	712
PID 4016 wrote to memory of 3476	4016	wwEsu.exe	712
PID 4016 wrote to memory of 4076	4016	wwEsu.exe	679
PID 4016 wrote to memory of 4076	4016	wwEsu.exe	679
PID 4016 wrote to memory of 840	4016	wwEsu.exe	439
PID 4016 wrote to memory of 840	4016	wwEsu.exe	439
PID 4016 wrote to memory of 3068	4016	wwEsu.exe	142
PID 4016 wrote to memory of 3068	4016	wwEsu.exe	142
PID 4016 wrote to memory of 4052	4016	wwEsu.exe	558
PID 4016 wrote to memory of 4052	4016	wwEsu.exe	558

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:10864
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6036
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6228
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6404
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6432
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7076
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9784
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9656
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9488
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:9452
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Drops file in Program Files directory
PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:15412
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:15576
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:15680
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:15716
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:15872
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:15900
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:15940
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:15968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:16040
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:16084
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:16116
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:16140
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:16196
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:16236
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:11560

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:8528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:5068
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2148
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4520
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5260
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5688
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3984
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6564
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6672
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:772
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:12628
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3844

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\users\Public\wwEsu.exe
  "C:\users\Public\wwEsu.exe" C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:712
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
    3⤵
    PID:3120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
      4⤵
      PID:3324
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
    3⤵
    PID:3984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Enterprise Client Service" /y
      4⤵
      PID:4348
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
    3⤵
    PID:1352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent" /y
      4⤵
      PID:2900
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:3420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
      4⤵
      PID:3356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
    3⤵
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service" /y
      4⤵
      PID:1500
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
    3⤵
    PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
      4⤵
      PID:772
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
    3⤵
    PID:112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
      4⤵
      PID:1888
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
    3⤵
    PID:3444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service" /y
      4⤵
      PID:832
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
    3⤵
    PID:2888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
      4⤵
      PID:3956
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
    3⤵
    PID:1748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client" /y
      4⤵
      PID:1332
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
    3⤵
    PID:3932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router" /y
      4⤵
      PID:1340
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
    3⤵
    PID:1596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
      4⤵
      PID:4848
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
    3⤵
    PID:4256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
      4⤵
      PID:4316
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
    3⤵
    PID:2756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
      4⤵
      PID:2644
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
    3⤵
    PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:1128
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:3616
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
    3⤵
    PID:1008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery" /y
      4⤵
      PID:4560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:2200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:1212
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcronisAgent /y
    3⤵
    PID:3136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:2292
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:4472
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Antivirus /y
    3⤵
    PID:932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:2064
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ARSM /y
    3⤵
    PID:2808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:708
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:636
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:2916
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:1204
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:3428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:3860
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:3756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:3356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
    3⤵
    PID:3900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4068
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
    3⤵
    PID:796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:832
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:1176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:4348
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop bedbg /y
    3⤵
    PID:4332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:3524
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop DCAgent /y
    3⤵
    PID:368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:4632
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPSecurityService /y
    3⤵
    PID:2780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:2080
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPUpdateService /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:432
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
    3⤵
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:3588
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EsgShKernel /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:2948
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop FA_Scheduler /y
    3⤵
    PID:1368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:3000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IISAdmin /y
    3⤵
    PID:3540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:4356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IMAP4Svc /y
    3⤵
    PID:4864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:3940
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop macmnsvc /y
    3⤵
    PID:3932
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:4472
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop masvc /y
    3⤵
    PID:4504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4044
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBAMService /y
    3⤵
    PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:2756
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
    3⤵
    PID:2124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:1008
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
    3⤵
    PID:3556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:3672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFramework /y
    3⤵
    PID:1540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:3860
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:3864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:4396
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McShield /y
    3⤵
    PID:3248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:3984
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McTaskManager /y
    3⤵
    PID:4312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:4920
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfemms /y
    3⤵
    PID:1700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:4452
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfevtp /y
    3⤵
    PID:952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:3576
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MMS /y
    3⤵
    PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:1816
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mozyprobackup /y
    3⤵
    PID:4300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:3944
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer /y
    3⤵
    PID:3388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:3148
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
    3⤵
    PID:3868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:1588
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
    3⤵
    PID:3312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:2912
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeES /y
    3⤵
    PID:2564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:1776
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeIS /y
    3⤵
    PID:580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:3540
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:1212
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
    3⤵
    PID:1888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:2524
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSA /y
    3⤵
    PID:756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:4504
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
    3⤵
    PID:3204
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:708
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:2812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:3316
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:1492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4864
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:3420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:1700
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:2148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:1476
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:1844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:1416
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:3332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:3100
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:3940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:2276
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4732
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:3252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:3428
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:3340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4052
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:1684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:4788
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:1940
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
    3⤵
    PID:2204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:448
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:3388
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3136
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:2064
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
    3⤵
    PID:1980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:976
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:1676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:1588
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:3644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:4784
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:3472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:3356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:2988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:3680
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:1436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:2336
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:3636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:3496
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:1816
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
    3⤵
    PID:4356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:4312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:3616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:3444
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:1604
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL80 /y
    3⤵
    PID:4600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:3972
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL57 /y
    3⤵
    PID:4088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:4732
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ntrtscan /y
    3⤵
    PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:3928
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
    3⤵
    PID:4992
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:228
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop PDVFSService /y
    3⤵
    PID:3756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4680
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop POP3Svc /y
    3⤵
    PID:368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:1756
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer /y
    3⤵
    PID:636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:4376
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:1684
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:3952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:2812
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:5112
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:1676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop RESvc /y
    3⤵
    PID:1664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:1328
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sacsvr /y
    3⤵
    PID:2028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:3540
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SamSs /y
    3⤵
    PID:4068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:4844
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVAdminService /y
    3⤵
    PID:756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:1356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVService /y
    3⤵
    PID:3612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:4600
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SDRSVC /y
    3⤵
    PID:1388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:2656
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SepMasterService /y
    3⤵
    PID:316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:1472
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ShMonitor /y
    3⤵
    PID:2808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:2900
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Smcinst /y
    3⤵
    PID:452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:2564
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SmcService /y
    3⤵
    PID:1152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:1028
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SMTPSvc /y
    3⤵
    PID:2912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:772
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SNAC /y
    3⤵
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SNAC /y
      4⤵
      PID:4956
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SntpService /y
    3⤵
    PID:4552
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:4784
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sophossps /y
    3⤵
    PID:1212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:4676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:3860
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:3388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:1596
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:3460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:3340
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:4864
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:1860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:1340
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:1348
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:3936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:4740
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:3680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4256
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:4880
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:3316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:1692
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:4164
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:3616
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4380
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:976
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLBrowser /y
    3⤵
    PID:3496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:2956
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:2888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:3104
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:2336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:436
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:8
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:3472
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:2104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:796
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLWriter /y
    3⤵
    PID:2412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:3836
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SstpSvc /y
    3⤵
    PID:1684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:396
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop svcGenericHost /y
    3⤵
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:3540
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_filter /y
    3⤵
    PID:1376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:3444
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_service /y
    3⤵
    PID:1508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:4956
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update_64 /y
    3⤵
    PID:3248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:3160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TmCCSF /y
    3⤵
    PID:1356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:4316
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop tmlisten /y
    3⤵
    PID:1164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:1680
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKey /y
    3⤵
    PID:1352
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:2224
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:1700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:2064
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:1196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:2124
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop UI0Detect /y
    3⤵
    PID:1320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:2672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:2300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:968
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:4628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:2076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:2276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:3652
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:1488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:3312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:3408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:2948
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:1832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:3836
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:3340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4464
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
    3⤵
    PID:4428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:4848
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:4044
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4864
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:3316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4164
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop W3Svc /y
    3⤵
    PID:3840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:2756
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:1492
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:1916
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop WRSVC /y
    3⤵
    PID:1128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:1856
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3220
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3272
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update /y
    3⤵
    PID:3080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:756
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:2976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:1196
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:4364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:3676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQL Backups" /y
    3⤵
    PID:1684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups" /y
      4⤵
      PID:3204
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
    3⤵
    PID:3324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:4800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
    3⤵
    PID:1332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
      4⤵
      PID:2676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:1228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:1944
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:2584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:2548
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop msftesql$PROD /y
    3⤵
    PID:1224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:3868
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
    3⤵
    PID:4156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4084
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EhttpSrv /y
    3⤵
    PID:1152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:1476
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ekrn /y
    3⤵
    PID:1008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4268
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ESHASRV /y
    3⤵
    PID:4488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:4972
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:4380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:3476
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:3808
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AVP /y
    3⤵
    PID:3528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:1488
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop klnagent /y
    3⤵
    PID:3612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:4312
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:1700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:3576
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:1804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:4632
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:2992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5088
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop kavfsslp /y
    3⤵
    PID:1756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:1624
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFSGT /y
    3⤵
    PID:1508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:3336
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFS /y
    3⤵
    PID:1832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:4960
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfefire /y
    3⤵
    PID:2124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:4692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\wwEsu.exe" /f
    3⤵
    PID:4432
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\wwEsu.exe" /f
      4⤵
      Adds Run key to start application
      PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3404

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:13060
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:9712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:15068
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:15124
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:15160
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:15196
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:15256
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:15284
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7604
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11680
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:15324
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11148
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11220
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:12240
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5880
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:10320
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:12860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:14736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11184

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:10728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:9044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11732

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:17156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:18180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
a1cf73d09f0fdf940ef27f4b9749af13

SHA1
fe59ecec0dd2d5ead0d9f0832ec9f3ca121bcb06

SHA256
25bbb16614a3601b3a7cea068cf144f159a9bd2bdb4e6a1b1516669260dde1b1

SHA512
17ade844fa02c888db19ea84cc9ce157d642af318dbf453a576075458f19b709b29f716866d109107aa59132ce0b6d47f1cfdd2e42be3c13a1ba19dfd098a420

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
1b61877390a61a7300428803409536ac

SHA1
4b89047d4cdbc3daf90f722cd57c87ecb149ba18

SHA256
283114e489416219d9b7f955c0c84563419752499c17fbf35a991cc3a4e1e834

SHA512
2ac702b7c4a2cecd69c65373456346c97cd86aa898d19e8a9180ba7fa84469fb1935ecf01805f52cb158ffb4b9c2e436dc674b99e4b1941313bedc729b123473

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
1c8a9a4045a403847c6485e940e87c16

SHA1
6f0c75b97e4285b0b4034c73254832acf15283aa

SHA256
3b20d535389fd1dfbef0f4c047dc87ff048fd3b4a7125de279bb5e3abd222d82

SHA512
097183e7b074ab4580a25d3d8302b270bf105ca613d7d98915f15e09823c5b7e26e218358999aa0eb7d0a7c07ec2b9ed18ef10d1683d548657db875956822cd2

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
2dedc107c734b07aee39d6cb4aca999c

SHA1
619faf78c03924c5c3b4b3e5843f97c32c533aeb

SHA256
29d206c0d4c7d2d9599154a64bc42a9e4b358d2027d6149488aaed01bc7a30d4

SHA512
f0c0082aeb62b38d49a870d3465a782e421234510ff8dd9c4171fd1a314859501ee12da4f4e726d2dedca030839624306b4c345106f8123ed1a16cad90806242

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
0c9c9bada436a859adee31af4492a222

SHA1
31c6c26d6b0016a0a0aaede22b7adfd4d1c10899

SHA256
466592a04f0c5f2290bf7d4dd3036b21dca575ca14ce9643b07918c06d511c5c

SHA512
8b6368cdc74cf39c13e456fd58978f844e4a56bd2dca1d01cd3a4154ee1c9a9a04d113b32d2eea2b0cb660160084e33b998b5e9a7e8edec69fe07af21fcd2094

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
72d8a4816705cd9db3c7f6e4fda36237

SHA1
7732429cceb72127ebb683b49118c5df5773a723

SHA256
eb434b1099ac4befe2de8d0d43cc19192b7a97b74c04a4a358a526e4e86d7c22

SHA512
1a301eba711e6090d9d27b18e4e842614a451d5d2232df1af929238ab7ba74e793655f16a9ec4ee74d55ed05dc5f1e26bb747a5a98e219370a65c0235f469f7f

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
3b3b4d438dbcf79efcc5881fced931dc

SHA1
49bf1a0ade06a160214bdae4b4cf735e2d61004a

SHA256
752a791a739befe8d802bc0a8a029aa24c76189a083d2df89492ce88135592fd

SHA512
0d0e2671098074966202af92f6ba5f5c00d53776473297e3329cad21fc7d7fdf2ae014fc9d2a303c2e83106b14df3610a3134678a9163af617a596c2ef298522

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
5KB

MD5
57802ca8175de0792d3cd40947a05a5d

SHA1
0b2158c12463e753a4aac0cee3fb235d31c03add

SHA256
4dbbee1cee5203a593ba0183a2b0f69e66a11794ee2ce966eacd76738785cb5c

SHA512
1e8d274cf41af92e6ec43c6d4cc205f48c5310d550e8b9f33576cb6f8cc71897f8b9412fc19389cb0f1908d90d4c8fb3eba7730f7b2374b9532f75904964400c

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
9KB

MD5
f0593602e0f0823750c5150a223c743a

SHA1
5d7e1feec8db3a362afe19832f069f5970baa603

SHA256
0be601c09040b0b84bb6fcdffa5a0f1eebbfc2458815f983226cc1591f984598

SHA512
b8ae956381941d9a1a33e3c1a99b721698080a5070b18428041cdb358e60b6900ce03ced0f6e652af37c64140aafd18c667a841ecc055f79272648ea2d2ea603

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
11KB

MD5
35d71396106cc4932dfe69c5b8ac1ec7

SHA1
9c39ec440e9aa2a68964a4c52b4c83fb0f167b31

SHA256
e0a953e46a1f7ff2655ab830669c16e3de0174e67a8d3f88121f09ab635e68fe

SHA512
8cd92b60714c4553278e3e93ca73ed627c1f9146be36afbfe24309f32cc738a29afbf16546ec1083c7ad04349535f474c12bc5d1311e9dfb50b1f900fd0e7880

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
6fdba419d1f84825cc209fff349c617c

SHA1
95c056a11365fa5222192ca624d21eedb34d1775

SHA256
b515bf7ac16e7cb088a173cba0a2344735b6bf1c5da7ef4767f435286a9b1269

SHA512
d5918c7b1ff93c55bf67fada39de13fbbb68df77765fdf41d61f55eae5f38136efb4c1d038773c1362ff089d60b8d84a56e6498e3a709671de7a928ea6ec3ea9

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
13KB

MD5
1dddf32f315d24ccb10016d51e083f9e

SHA1
21175de92cd97e730d54ced14adfc6df361cf039

SHA256
cbf73eae96e6aa8d5a7e6dec808d736bf2c51fa579d97865a027430d110be486

SHA512
418fa06a191a4795a32ebd16adbdf669c9e4f2abb952db40762de675e49937e9176e6b12cb8c83eb875f65a4992743fce5c29b7b3382fcf0324cf7f376b26444

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
a605dfb4164b7c72b0f294474cdff958

SHA1
0ab733b6dd75bf39fb0675e87093ba80d0e28b0d

SHA256
9d7507a7add98b116ae34f492f74ab94c577842c4713583ed8b6b98e9bc417ad

SHA512
5a87b8c332a6fd4a3685bbf02ee38f30133a83820578c77e4ffabcf11c060c655c390edb97361ab6ac2d080fb61d84c7c716d7af500da19b2bc2711d24e54e89

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
5KB

MD5
e5680b50bfc6b9232b70c42897883783

SHA1
63afdc85937afbe286e90221387e1aecebd8f265

SHA256
1879fd94f850367be617f7046ada102217639f1bce71d95355e63fe72ceb3a91

SHA512
cad7a2520fe46ec03fca6caff7c2a1701990cc59d386fc1ffd75d5068b699c613192ef206a1ae567ce078967b88bd531022adeae82b171d58c0168b12a4a4053

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
9KB

MD5
17065dd44b0143f9c47cca41466ca7b1

SHA1
8085ae28521ba01e3bb95ebab14723dd35a6e86f

SHA256
2d5d44cf906cc9ebb73ce18ce0a292e7fc72844871fe954f20dda79aacbc67fd

SHA512
47e80650fd001620dca9d805bc17067ac3fa2c03b8fde0e0351fe4c87f741faeb5fd3186575d5581f26d0de2725fc27cb604a3cc0a58ee45a91bd141f5d99169

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
10KB

MD5
7316ea5737d615c31f387ec90e151acc

SHA1
419f4038c8b3ba6687f420d8de6236b472f04ee9

SHA256
02914fd7a1b03bdd7820435ed9a69d33e418188aeba11cc80dd997cde9228937

SHA512
d12c43dd7fd8388c9ee945b1a0c401f8dbddb99efc61cd06f961ef54afa83e465376445d19fafadbebe1835ee802734aa9d7d31da7af0442c524d5c570e14e63

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
f85d227cbead2f03fe121ff355caeda3

SHA1
7e9498a63c905a2dfebe6c3bb4b37b899da265eb

SHA256
0f8ebdf7f3f8dbd3aaf7e1c0005952c0fda68c404687546342b099dc5aa4237c

SHA512
f0da278ed4c4691cc1175a0107de4e217caf41ba6202c858a60c9f50ce7acab2059b56f03e52eda2200b4ef52c5b3e6091bbeaa9cff3615da3970e72a32de3a6

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
2.7MB

MD5
7676ecbc0c56133c866c371a435f89eb

SHA1
fdb5f9b6c7798ca888cefdd3778a3fb3ff854af6

SHA256
e5860485eaa854e8a427f60b543ba94d8aa4bc8618dd580a916d1420feb250c1

SHA512
552868b16a3b1d108f8326f28647177c94ced3074e0ca0da9c3e7c487aa522a3652eaa56b485b853ec2c830117e869f624263d308164937e0cc38f720522d955

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Filesize
2KB

MD5
81eb45363f4b51d156878df059d58890

SHA1
004b3a89f9ab5a22fae67e74fc8e0d007239eff2

SHA256
4ab7f7e857643563dc5f2c5ce91ac4666b3b1e1d5c57fcfa39e93873a3668d32

SHA512
4ba8bd72a463376f533439439031cf745616605520401919a9149151a3f4bd7ecd9e310e744ba6c382867a0e27a2739f4129e32f3333164b349acbcef8521ef1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Filesize
1KB

MD5
66d32ff444bc2d26d06d1780a5552063

SHA1
688363f02151b4366e6d4465f548f10ce47e32b2

SHA256
b840b8cfa943ca29df6c8e8a0faabcd7926f8e507892e33c2c089ce98feaf4fe

SHA512
79a2f43eba3bba2779e3964218cfc10382126c637bcb4511a6aa7406e14fb92dfa56e0e2934cba757d3d001b547da8a53578a79028a56e777ff1e3100babbb04

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
898B

MD5
21b138624ea683cafdc2330cb99c6b44

SHA1
bbc083530fd4e4d201370cd0fcabaef312a9aefe

SHA256
1972ba3ec81ecb25d1dabb938133e4fae2fee077ffb92139414b6476087b27ca

SHA512
85992d75a4d51f9b0fa8ee5dcd974f96e4a4a100f057beafc645b57709a5466b403c6b4b6d5f1821e10fb1d44279e3836f67a16f2430023633058c436fd68c3d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
b3e6c703d0c83dc932eaac7d14554aa2

SHA1
3394cacb41eac23e4b1adb0c966d3de27c11c916

SHA256
ee46087c22894dc45b81f5f1c479e81c95c2820bf3acfed8794aa7bfe3423d9f

SHA512
1a8c5bcbda4cdbf53f6e0a52c919d460ea26efe04d53676f97337fc5fc9751bf564ff83b61a244c3022c2c2abbc3b36399dd43e272e1a72580f473957648aa01

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
898B

MD5
33d58928afb589f5e520313383725828

SHA1
268d511f0c2463785f170d1a0c7b2dc40b34ff02

SHA256
82a1f47379d8f9f2903e5fa2f7485f64fe6bc4c87330304d887dea9cc5df3c9d

SHA512
5e67b37caaae414a171c4a6a48706eddfe596a4148d848c15825769000a3c5c5e8d7df87b00bc9d5737d987884e5940fe044b202c94425faa69d0ec9b455b95e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
b1893b7ebbe974192b29115167202847

SHA1
d227448cf51b8604956a5a9b90b42f4ea76d0182

SHA256
bb109a5957f563c3913a198c6df9d2e0c0125a96774c3040ae7b16f5c6d0a090

SHA512
77cd8ba0d41ff7773f450d59db7811059e0f52e86f85b4e6f491416655ef846a438ca621181a243ff38466d204d7ba1de36c4eda26062fbc1b5274045833b6ae

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
1e8beac5c0c9d68cbf99b5a5a1c40342

SHA1
1c1fe4fd85d2e03b992f3e267361e7c189fe0dfe

SHA256
2dfada483d3a24769ef09a6ebb1df75585acd97d5662dadd9fdf535bea5921d5

SHA512
3ddbf96932ff3072b6c401f47f1ce66d0d31fcf9e7653347b1b6926c393049395f83a14d3edbb04b1d0e093ef53774844db808bb65ee5eb9a66ea03bf05f7b94

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\s641033.hash

Filesize
386B

MD5
76eb8b35b44f53a789b7666388ae4993

SHA1
7f21cf80a68b1e559ab1606e846214d2cdfe3b16

SHA256
c5121ec37dfeaa2cc4615d2adb09d5aab7c28bd5b209c22672d36afa29cfbd08

SHA512
4d7c15f19580832e29634c2ba7dc3a80a2e4bd99289504e0141531ad7c4654d347b4bb7c062464245bedffacb4c2dce87e1f18bff292915011fd9d678bc0f8fc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
21b594e52c60c971571f37d291a07c87

SHA1
0d36e6c3b59ea7c3dacc493457979674cc3fd019

SHA256
817556c71af091a495e8c54ab43f1d9479ed144f2e8911beaf447f8fe04be107

SHA512
209fcb119d9e98a0374d6d0862e7df7df20494657ca2000ab0cabeff37a83014a6411227934ea7feec9c9cbb996577acfa7e8531d90a6835ead47cce2eeb280f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\stream.x64.en-us.db

Filesize
438KB

MD5
f61ba9a85abe46046c5ceae6d6949392

SHA1
7a392259886b7eb466e4d043ed62f826bc2ffb93

SHA256
f263d8f29a199bd7a5d53d6b68e286a3f401e8bbbf613d1522f9b3b5e465bed2

SHA512
e815ab7e9e3b4ee637e27824a826166388bd0fc78a384bd8121c8cae759f985cd0bc03a3fcb9d3589b1edbb12fe341d3392bb72f13d344264086513f7c7c8963

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\stream.x64.en-us.hash

Filesize
418B

MD5
8bf718777a9e9d0b94c00c0ea8e56866

SHA1
8b175081a2fb44d787e6126c1b9e8e7ff62a3259

SHA256
b7ed12899a48294cf652b0372b7edececea229448561880086ce51d273a57127

SHA512
07ebc95bb8c1116ec1f2d49d24f269d2b1162acce35b751a67d4105805a5bb65a0949577fcdbb0b2fc07b07d893ab3cede6f06c6f9e6f04e6cfe50072a234af9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\en-us.16\stream.x64.en-us.man.dat

Filesize
622KB

MD5
ab0bbb6d0cef15de138c17313f1d664a

SHA1
4717da7f922dfcbc80c77fdc25eae1d4f2a04200

SHA256
7ccbc2239376f0122cbddb2ab41c14a8d10358ba22d1332cbf38d13fe914c63e

SHA512
9543bc77f0c1991950559876adca5068f6cbaa284ce1533ee4458444a144ce4d6168f5732a0e51410ade5c940249d49f0d8b86517c07f299843999e40ba5d19c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\mergedVirtualRegistry.dat

Filesize
5.9MB

MD5
a79cc430e18a4976176ac3068cdfe779

SHA1
6d44f9a1e9e9ce02c7ccc35d85126b2413a49fbf

SHA256
0351055da3449f10677798b4ed1f6a4c452fd40511ea2b565ed8398c4c5b6f32

SHA512
0b719743c08707fc1f6f27b91724b0136164944105226f2b0eddf70ec3052729b087d30d535b2d19e46ec28136803f85ad080c962807c5eae9341ab64dfabe6c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
6f9cfd04a84341efd410c839bc0b84f2

SHA1
92bb70533e1bc936ab8f1e6a6e994122cf5846f0

SHA256
fe28804b01db582cc930ecbb3ef09137527bfa9fca86df52127c6f5da60e2ccb

SHA512
8e4d70246a83847eb45410bcf7fd9ea945c3ea5d5312f2aa979213a827b15ea4c1e3eda9b30c262150fbdbdd8022906f02bf2627c757c7cb20d87684209c875a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\s640.hash

Filesize
386B

MD5
7ea33de79f23c2ed67ef75f914f51e66

SHA1
7d1c0d83381a2bc51424a9770c58b079b6814b24

SHA256
fe1af1051ea0eab73da408e18ed0fe95c1d691db656de060196c057b0e5400fe

SHA512
f71dad1dd62f5fd75071634750b43e653acc3603ec5e4a3125a23dbc4f3d563967ecbbff2c3cc25ac2a7391091a33df545cf7811c127f6ef3b01b5e94efbbcbe

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
c8e73152e995e48e0afc7f8184e54991

SHA1
a3eaaa6eb8396fe5f2bd2c6b9c8b956933871277

SHA256
55f7f125b9b64e329916dabb9bae7bc76fbf262c90fe484f3ebc497502948109

SHA512
633d0352cc6ff0ef39b4bc60c67f9e72683e275c04d13e7f46c6591b6921bc757f14b6280fb21e51966cd4b75b8fa59f60f6190e94de568bf6476a8533105711

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\stream.x64.x-none.db

Filesize
1.8MB

MD5
b850374cc2dc935fc19163f323e1df93

SHA1
dab3e0e256f7f43cf83aaf42e5f5396b9a7c91a0

SHA256
0e8165d27e45d8100bd457c68157380aa7261d9fb4fdfaf1180353310cffde66

SHA512
e8ed9ee5304cb08e2ad88b92f812880b1b7ffd321775cb05254c3a1971a1848f4a9df9849c636d7628a44f332f62cac2191c278b65396c5c47c24451f00e9093

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\stream.x64.x-none.hash

Filesize
418B

MD5
d72f1df15cdadc660f7c257d8a4ae652

SHA1
760b40e0dd6d5f14c9f2d241c2665d98079ef3e7

SHA256
6f2fc3850cb3ec0c5a49b9a2f04183d24fdab65bfd14b32eb279b3fabd138674

SHA512
f2cc7fed4298ba60becc0052d29cce0dd093b425f4e8242ab5bede65a58900d77f125a9a7d2ac2f3d6bd686eac8dcf5dcd1140fc2c98033fdd17c7008697b14c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A9C88E0B-9DC8-47AB-AB89-9AE025316701\x-none.16\stream.x64.x-none.man.dat

Filesize
2.6MB

MD5
5b6bf28a9830843961ba1b11b094c50b

SHA1
0b673f658b45e406e576fdc13f37d4d5368c1122

SHA256
f541ee08eff5ddc5f51ba88521218f3896322c3f00c8994bdab34a5e2de04c74

SHA512
5cabe1a72f11bcae44988f8f60dbff8dc4e599d062a77dd146bd54fc8d28574f179caea40afc24eb68e3d999ebea2a57c16ab1993a1c890f61fbbafec38f5945

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man

Filesize
412KB

MD5
26cc63f3fc443a52b865fa064e1099a5

SHA1
8e0d376e1945e85654a7c841523932b4724ec75b

SHA256
818b231030461f8bb15a433db95850863e1324e07bb0a2de997b21bbc20a2120

SHA512
6fa1addb07164ee7ffac1bc6042651eb8e118c7da45edc58c84d7e33a88539bd7059967f4a046783c873718a3ceb473d57cd0ae2c2576aaecae3498fe049011e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
16KB

MD5
3ecaccea678031a7c1b18d7ed8544599

SHA1
d78cda402123a350749eda82544273b70630a110

SHA256
bdfbdbc3dd7856db377b173ab025fc8c5a7b30df62289c133245bce50ca372f0

SHA512
2b5b663dcfa8060ef44140c17c75f942265cdc7a6865be1fb7a7b125354c81bc29cf8c463be16cab0f7ae5e903340de334938e96d5c8410a9e428cef7ecc4fcc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
150KB

MD5
24f33ac52759925699b1367fbb65651a

SHA1
bd9d01ab57b635bbbfd732496f350f38d6bb1c00

SHA256
561a617cc4004ce30c3c766ce16fca8e473eb83b7773d8f9fb1cb8796a6ffa9c

SHA512
f4d1b7d70a2cd3312b9f75aed1d08a5d4c5ef59f067706e25fd317767c33b180c7e59661f121650956654e1404fa779e545cdcbe7c88407254a61b762413f846

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml

Filesize
1KB

MD5
5e86c9b33899c8f400609873bd65f083

SHA1
b8de16ca745c3a2e46a0384256db1229d4c0f0d5

SHA256
90033c5eced911ab74a35a55435ce688bdc72fc5b54dc28e2e1c03e6aa958cd6

SHA512
969a9a5a4e8dbf178469bb8030daee388c5f25e8a9dda53c17d305d9bc85e81075e7711f0bf34a4acba50f525bcff401a6bb4e21a2515f02d55baa37cfea614c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

Filesize
2KB

MD5
71c8ccece625b6b2969faf62766cd408

SHA1
a224fbaf083e9643a1a9995b055e2aefced051cf

SHA256
50df030f770e46fd9de88b93aa401ccd3c930d0efeb82a0d3e06cf666ffb14ce

SHA512
9b0dc0f56e6cabfa042ba1405096588b1688f9914f53b0755dea025738c776721a69750ef301d8e693f8a1d8ea099e87798978ca1db36e020117a1cb7520bbd0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml

Filesize
98KB

MD5
131b7a949bbca5a6d11d937b447994a1

SHA1
473f7e24eaac586b003bfa6ef501af8b78a927cc

SHA256
676d8737cbeb05b57e90217fbee1b2c756f996e3524c784659a991f95e8cf1e9

SHA512
2d4bd8ec1539d60b6f123350da93409c8554f42a52caf3a15ba5821ac308f50e8e7cc1374067e32f82ace965276df1bc1a869344fb37185be9ccd43866a90ff3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
31KB

MD5
253e1c1267d4155eba9236b2db477982

SHA1
fee6c1153e2e5bbbd016533fba722e46b1307510

SHA256
ae0034ba744128cd739a1d110e0c0a61a308b41c03923dde761f2d14c3ff5f35

SHA512
9f9ca51393e25883ba861a46961d190c01025d3c4e07d2daa68f0ea4886a2b018a7ffc71b672ee5a11e198e16d9496f2b90a22d0d09826dcb7fd79c0cfbe1bf8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
0ae7737b605be87a5f98aa453b09a796

SHA1
1be1f620326dea99ccd4b5ef3710bb2f4caf5914

SHA256
b8320c4e334246e2dd6732aa51cc34472abd5a7adc7d2d2fb0a6151d1a0ea76b

SHA512
e3d206f190a0769aa9baa3452fcf8014a89445b4d0796ae9aa430d204115246ecfb083993c5b8546bd6e80ece5c6df54dda22073b4b5d14b76520c43ced9fe1e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
215c96e2a200e3422490cbbbfe755b2e

SHA1
a989138febd97db3af9c18dcb1a0549b40ad1333

SHA256
7c4d4d6bd8a85af1820de30b1e4d4c34265aaa2b1326591d0dded635b43909b2

SHA512
a25b5a1bd6b8fb187e850018f60fc1921be8465451e62c6f34f0ff1ce1921c30f0061a4744a577bb49102cdf7f9c6fc99e2fda300a260435f9eb5da993d0482c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
fca358064edba66a7a09b6646e5453c4

SHA1
4fbac9c9a52250076846ef9285a6edaf0781a9e8

SHA256
3aac65b355cddd88744481657faed305eedc934192e720baeeeea5b1940a8e54

SHA512
e7f1284f4d2fde975f538cbee6b56f4eaa1625133071cdb36ba62d30b4a3233d75360ee36d8a21ad89af545b8a400d3f9a10dd01b654da25b3baba0781e20877

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml

Filesize
24KB

MD5
c5a68b990b6e485006d938b189d642bb

SHA1
8b3e46cb9665332ab89129db0364f524ce4fe5f1

SHA256
d2792786c918c81372e2983cd170b8fe686913f0a1749ef7b917e7a2e6bb27a7

SHA512
1ea36bddc96df4d998f9d8a7991165c66d54ff1abd529b1304c9fd482ada7df4393178478b8594276a9b8a5bb25bec65f8873d45c1502238f75228ed7714c2a3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
24KB

MD5
132995aa8627753d5cfc491eaac94fbe

SHA1
a1f1ce8e4279b1e0a1ffd295692aa7f4569187a0

SHA256
2be83d429c64a8c706631fcafd3524eea591b234344f1b1c9139e468a5c111e2

SHA512
54a2e18fd99487ad1eb87d3a270ecda6eae6aff5f44fd2340a11846d65a7aea4cfeee27c3b0e11d86c6dd8ade90d17d92cbac4d43214ab4876dc490512654036

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
0912fdb37164cbd4cecd69cf47893e49

SHA1
c0335d8e090325699eee3cc39f2f5335d389f37f

SHA256
1272ee603141c16785d299707298756bb98d800fba84a4e3e8f492980567c126

SHA512
222af8dd3c3eb90ceb25308fde261527492eb8da136e0b6ca3d3fbbff234a614d46262b3443580546132853c15f8fde78a43de0554cfdc3bbb824043c8a460c0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
1823c66c875863cd29f2dfd205872b2f

SHA1
8a485a0f1787deda823f32a8d25579dd3bc9e0a0

SHA256
744f6a8afd0400e88eb473fc9054c79d2e9c3823050e64cba1bb7673b92891d9

SHA512
54291be06a6020c58ce78ff13e4e8daf3ec666a5e62857616adfc60bcd511b28fa3b00eeb2d03bdeca4e4b322b5490e0f2f07b82db2e17ae86345b812604eb31

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
762944215f571b8f6f293ece070e7c8b

SHA1
5e712eeb5d548dd546b8dac3a0191fe155dc63c7

SHA256
77947474a4ca7c2adb39524eeb47d49e1b1743b20d96f2f712d7ea332ce76259

SHA512
b48c2d3c34ad3d3c2c0754c81fbc56032736fae1f30d255a52718398c22493ea44e4aa64fcd4f3e18c55adbf4681639739e4928955f76d502d227f23cdfdf5cb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
1aebdcc0fff2833b49e5f5d59fb473fd

SHA1
c614911d8358971f2f6243b2d481bc9f476e9555

SHA256
724432202f264070d707650e3a549c58a0f219385233086c95cd86d1de413bad

SHA512
31c5706125f32335aee799c3aa0520d239dd247746f75a2f84778235adb089a23cd875e8c3b6e99b546142aaf58f40e346a5ae0ff1903be6a6eb99b470d976d2

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
790c7863d040c572bdeeb49e6f994a96

SHA1
5971381c4428e58380d3d028cadb79daa3bc06c3

SHA256
a4900adc6bb72087411c45c3cda7b92828b466f53de0322ceecb089a8f57da87

SHA512
ad89c3e69dc540f537ce0d4dc7914c489f30403bb6e91855bfbdf52e1a725cbd8d42784a6ca809cb43d273d049410c5333adaa5de2e6e8ff6bd4b3580b5a635a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
11bb3b9d62e623056fccfdf9b07fb076

SHA1
ac971e21e62bc3ec76bfb49ec818c6c578479956

SHA256
dc426e3fe00fac2c1bc7f30950ae90e98c2bc28837cda688bf17974b1bb78f29

SHA512
6dae6d2b2a41631af9618bc38accc198befe6b8247cfa4ce71f5298c0f4caf6b62c52bf64840ba2a5e3d7f952c132af26d4a087e9a58094516ef54c51908d7ed

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
2KB

MD5
1847312129362cb0c130099dc2030189

SHA1
c508936101024d6331fbeb57e6afefa0658179bb

SHA256
cd119627b6cc923516b77a04d36c410354af3cc02115ea3bc58b32b38f38b9db

SHA512
0a367f087052e5612f89efd4eb64de15dfd075d37344729292f1a1430ab01a2208a056e49d7007cbc6fb4e7ba81977a312dcf14a6450fc99430b043bdac09818

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml

Filesize
18KB

MD5
39aae5aef6d96a72b3c5a4647ee0d7ba

SHA1
651b692bfbed1e55374474e8055212c99c9ccaae

SHA256
c8ac13288de2aa5e00bc3422d7b82dc0577d7924ae334ca08cf8af755727804a

SHA512
e8671c5b18eba74ff7dc1048ba3818710eee5db6307ecd53b428bacbe5c9936f21e2ec6d26fdb99d614440b4a1785552ebe6f2a2d76841e52e51c0de3dfe6f22

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
11KB

MD5
306e066ed0e0592f96c75001b748f464

SHA1
5612062550e8e6afd0e753ad862f30df2fc8ae0f

SHA256
847f7346ccbf7a5ac83c4890ea494f1b0662e338b6573e043df37129780b9a44

SHA512
3c3dc500ab6caac903bd034cb67bc19ed7044aee8c5b34ee45b7164d4ea984c0e8ecb117d4b06cc6a5ad3e06e95a434917dd3aacdfd585aca96ee9e3dd6a1362

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
11KB

MD5
31c287d404bb6b62a31439982ee8ba01

SHA1
d9a881a1a653dfe9d5f4f19a343e80ab839d78ca

SHA256
690ff6969af482992a6f020eed5c59e92184c60ab385618025f6c136789a51c1

SHA512
ce0441d579dd3be58b6bb97190b3fcea90e70a0fb1cef54e3313a2b28bf063b8f7540693a84a75e68b79d7fd1bfeca5a85358be1547678f41d9e6ca50dfaf3b3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
9e6e16901869c835e2465e1cf712ce0d

SHA1
21d4a740ecf8e2118615bb4457dea86764b2e8ca

SHA256
c5418da7ac72ffbcad5951f133ad17ca5ccb586c74684625be7f043062953c86

SHA512
184f64dbf7397662a68be76f507ffc5832fb51f04e348091d2bf390c9cb2fdd467fd177fe016de7b30dfc138d1b1e8eca3d86e4a9526c49cf2e4383716463e9b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

Filesize
2KB

MD5
32ccb1fac13baf76efacff8133876496

SHA1
80637a7be2696fc71f62d4b7090e5c7e28a0080e

SHA256
275b6b4ae1e4bb4a4cb86b3bc65882801b641bdf0802c4d63de66ffaf3c55512

SHA512
7e96a4332c4cf13d073a38be784ba2b2b85ad7fd1d613478e5a543e26ffa67e970e92d39ce511442afffdbd0875fdfb780e41e5369312198f2779ab1b12a02f7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
64e818a7ca7a55407008f8d906afb25a

SHA1
00cf301c7c29dd146a93e8ad33ff91f931eaeade

SHA256
d460683a804abf7f187aa0b20e5735394d8c20da0c58288cdaa1623b203adc0e

SHA512
0b902c9d26ebadd46b126b05c82e3703b377e0416674250b1608a63b8f153cd7b151c2e1fad3c81c994b8a75483b43cd7782bbc81b6a8bb36a506549b507d779

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
11e591ee9b950dccf796e3bfc091dc44

SHA1
ee7c157d6ab2bae241d780df84a0bba0abfa956a

SHA256
984256ee7451e0fbba101fb7f1994eaf468c8da85643d13b01747a81b396dbcf

SHA512
0e92ede7d43cae62b73ba1d08d019caf847e2d659c69b23e451cbe2993200d41194273d3201158c0b40828b7dc164e21a625b7579c4eafcdf9c4a59311c6fc9e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
4KB

MD5
de359180273df7058e57988002bd32ef

SHA1
d8cdfd188ca48a500e94c1d5fdcf1349397a5cf4

SHA256
4ae5f6a0cee0354953a9703453a9248566590c55a3ce2d0e615c1ed8261f8be9

SHA512
d6beb1b403abdaa3fcb6bc4c9ea8eea1d4de3dd0430d25ad173c054129ff301aeb2811b460391c58c57ccf34b3ac52d34ffed201c4c753e99fffffe9c3476464

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml

Filesize
6KB

MD5
beb3bd6d68339a68d8ec20d93307a173

SHA1
ef23ce55521aece6952cfe620a6c60c7cd42827c

SHA256
7075800acd8bb842967ef9bba80d6a0dfd97622a1e20d9b91999370ec513510c

SHA512
c1ecb855e225810d0abd1fd68d77beaedea47ee6b62ffe30f70697d3bdef5c917cca8c68d62a3bac824546d19171029c64aa6af3ba6f518e2e3d5c56e10e0909

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
a15495bec8c58e915e2934bafee5d27f

SHA1
d20f286fd751e5fb5118dd468de504354937e269

SHA256
e0f131883878f2e2565ac0d1949d64b8f7254abaa864605babab529178e7d8c1

SHA512
da3f6ced27d7534ce2232c3051f2ddd961d9617341036fe29c6318eb8d6342dde86632e64e9e14dfe7118d12c61062bf9360cdf74fe6606145694f9e4b5e465a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
415acbdc6d6ca27433782107bd8532b3

SHA1
3b0f9e59f0a930570db9e1346799563cf9976e2f

SHA256
bc5052d4f005233bb8e3bb0c70b4a3681362d3aa04710dc2ec2e3a234f2cb1f0

SHA512
e6047cc1aad4a1712f3a56d67d9e5302efb44895ce18475d5cbd12f96e8b20cda17e8442d5310d08dfbdc755c6866e4082560ed879b765ef7de2260644e0d15f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man

Filesize
111KB

MD5
136c2471f750c429d1aafbbc6aeb8db3

SHA1
c8d769a6b579496cbe453de2862bb763fbfdce8d

SHA256
835be2d3f1513a9e9436acdd3c612910305a307c74dc4bd9ba8ff978f91cf93b

SHA512
99a2dcda02d4cfdaa6057d71ac3375823ead30d9da159bdf55ecca8b40da2fec4a23d342c7245c64ed43bd1931306851f6a948d335eb3624b73e99676ae5b13e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man

Filesize
1.1MB

MD5
effed4be7bcc41b4b97625b3f070df33

SHA1
123e7724498137c1376c182f28412cac51bfce54

SHA256
02c00f95b0b2eb1e5fdb570db39e1a252ee3b13df61f2d83d3fb7610a65719fc

SHA512
ed16b9dcc885040392c74d6d3436935259e5774011a1771f56ad5a2d09941da40c7ba5e175eae842a7aa91c8c31859dd5c0c91b0037e93d343539d8691cc3395

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_a63d6fdc-08cb-4232-ab51-76cafdcb4d96

Filesize
338B

MD5
16b6f74008ab424fce19b0f0f83fea90

SHA1
7d03013f0805cbfee777b59f5d3831051d685731

SHA256
93d0e75249505b0b135f09c83773d861f729dc47f172737267db7225f0642c58

SHA512
6560e76b79e8c39d08810f1b2499a28c360012e7b771d981a80876f2bf2eb8ddec0ea4415ebdba7d9002ebf5641a78a66889f776859ee2ba0d9d533e4129191e

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\3c1d01b80c5768ffbe574da5798bdb5f_a63d6fdc-08cb-4232-ab51-76cafdcb4d96

Filesize
1KB

MD5
71def7e48db10a3c1d87da5a384c19f3

SHA1
4ceaa53dc5f5fac55cdb43065e3b612153612596

SHA256
69e2f84ce31135d924482a9d6a11de4148104feae499919682ff3b6318f6fbc8

SHA512
beaffa92e99e5bcd261cd7f9151a701d39c8655d800642914852de61a32007628dffecf3bc962c7727d978aa106ff00ae0ce49fd7845daf07825361a5cee21a9

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
402B

MD5
0215d3b66cdcef0fecef9f4b758999a3

SHA1
06d228ee31a9a67a690046e3db67bdc040462374

SHA256
5e7175a3855b46d956fc1da57ea3544eb8f3af5de146311f9afca0de1c4aabb2

SHA512
ad319359abf4130b32b01e5a8aac964ef5245588ae32405a01200ec9dff2ee5f2902e8862a642ff3b27c91cc8f8df143ab5c5c1c45e118e75afaa6756e6dfd83

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
402B

MD5
e399d74ec662dbce7b51b7c2ddd99f6f

SHA1
00c498a7a8d9384a3a62c0a8dfd62254bed53d68

SHA256
d088f0f1d5530b7c8d6e5d18e8a88501559edddb6a85219a18e0a89398944a1c

SHA512
f966927fb707b1ee0e106250c78c870279509a54d849ac08fdb247d0bf9dae28895cddb79afbacee31ef07fd810dcce42f00545bcd0f5201b04d016ed55c2dee

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

Filesize
402B

MD5
5603abb06103329c825586db0572f5fe

SHA1
c506449cbed1b44f8c6f3f0f553003ef7c513b7b

SHA256
8951cc07acd43e24058222e854ab0ee9c41e1f0467ac4f40524ec859b5fb3f18

SHA512
ad6baae752f156d3d0f32c8c7d727975b7f806d482b12e72e32e64c3bb02d8bd98700713d81aa4d94cbf2271984abebdd77c4cb7715bc764b635fbd539efdf66

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

Filesize
338B

MD5
a6d78c94595f77ba4e0604ed64e8e428

SHA1
3ac6a65307154420685d8b27c79133626c451d1d

SHA256
0c75ec72dc65bcbf83400ce090c9871ab1010c25062c01db2a4178dc5e1fd610

SHA512
6c2aab3db26cda7dbbe6fb7cc959f979d0a291aa4f48189c2579112dc86bb45f8ff9d09d722c5f868b9df62256ad3a692b54d41acdca9bcff782b82f88fcb543

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Filesize
2.2MB

MD5
717b588c06141279ddd7ae019db0b5b5

SHA1
9e4979e54e86deca68a53d0e5bad5a801b3f2ae8

SHA256
3259a9bb50178c28324b9e6e278cdcb8316a937ec1926caac4afe8c1e81082a8

SHA512
f533ff15e94aa8d68869f97b5fe69c6d4882b6dc8ba8adb1a695efdcd9b3cca121fb69d92d2c8ce9341e69cf70ec17ae4332a6f25c16e0037578999595dec7e7

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Filesize
126KB

MD5
3ca86eccc547f892406befb9f1e5cfba

SHA1
aedffcab86f90eec70fc239298bb1fe81597f789

SHA256
76d2f8ef7ab81700ab46e9ddcd46d4a8b022510be627e46d97e644178861f409

SHA512
9f1cecfb567ccbdad0c7828df3a2d04fce118ff0b4469eda0a5879be369284a7c9e61974530b766c091ff4dfaa25203eff69a2fe629e148b5ca45b38826bc5ff

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Filesize
4KB

MD5
378f3c7ce80e167b41d17d59376f00e4

SHA1
b5c6876d7b1469fc30254a43022e343ae1f1f176

SHA256
720b6f581db9ec55f61231aaca87ce6d5a96da03abeb665dfd439a5ea6744954

SHA512
8d3607c6084a39f25cb3c0229c7985032b823f4fad532c9e6e1a34580ea1f523ae3e26075c58bdae15fc8a14a2869d32b4afaf1536472fc6c6971bf37e60214d

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Filesize
2KB

MD5
8200dc7806dc3d402c6961eaaa52be53

SHA1
002ad73a01719f6e3182cb29a58c825eafa9fb21

SHA256
ab7a52dbdaa199d79a6ef8ef3ef5897d0b442496e1a8b8c6d10ed47a5865e181

SHA512
acf4d0b0da775b548598af88314e61184cbb969cac90af50e56a21115f9ae203126182d0d123589afb5fbd79e331cba65b49a2600f058add19bfcf0f0fab506f

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Filesize
2.4MB

MD5
463001b0374a397699c3d285bf877866

SHA1
5a532dd7b52ba24ae422ce8dfd66c21e15ccb975

SHA256
0eafac0447f8a5f10fa3963ecf9375e5bc6f796d8eb9c67176e1b77ca9625bb8

SHA512
0164a02b37bf19422c61d0f4dd5b047342770e557980b46daa48ed99be7be1bd4f8143c7e57aae97c041d20b8896c4622265f3b6a9f7bcaa62e3429f3ba3f2df

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Filesize
322B

MD5
5554af5bd6310537796917b619a1d84b

SHA1
08cd210ba3ad50fcf18f5c7d556711b36d7b1ada

SHA256
dd506f1257949eac37359301d967494d7f36f4632414bb21bdddec3c0d27edc7

SHA512
0eeabcd565c67feebd7d417dd593a63affc6523fa99c6961c338cd6c7d64f2c835259ca9f680952319c942cff177e01a47403d93bd621249a793ae8a564ae346

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk

Filesize
306B

MD5
23a6b07db9e5dfa85f4e5f14306000ec

SHA1
57b01185eab0ef344a2bacec3d2d73f642e26c04

SHA256
41e8008ed4c80b0f1cc8a98e8e1f777ddafa42bdd4689e486f4ab82e19e6777e

SHA512
20e0e9921aa4d657dc0cd8c9f3f08f233467ec2a4f9c550c5bdc9c921025d4f7fb916bf4c8cf40b89b03dfbb254e9f751f34beffefea202beb4a2a25a599b8bc

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl

Filesize
256KB

MD5
9fe4a3ed1287d98ff742f663bec49887

SHA1
94c5ced453032bfb4679ebbbf9f3cab2708f7528

SHA256
c930299061be476fa64f972798bc48169e20af8ebe4e77ee88ad91e40e411fd1

SHA512
642f010d1e41058bdca903f186384f4b97be5aa65e025b096d1a0d51c22510e8774b9cdeca01f50eb8fd074bee59e64e28e5c83e98a50abc85691cd521375841

Download Submit
C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Filesize
60KB

MD5
9069c31aa1f701b6fd637a1d3c923424

SHA1
a3192023e85f7762ca089376b60d9b6fbdcf4795

SHA256
ed1d2ca7d0bed2e1a432545b8a12fae0df01d76f3929eac628d93f01bd0c6056

SHA512
66b6a6b43e0783c94883e1c18b000642be6c1f12d03cb3f6a90ce3596405910cc38997c2f64864f6c8e64aec8d4d2d5f2f579e69f8508fe18bb472bc0a5cc8ee

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Filesize
32KB

MD5
f67998a1d0dc22e5ebbb13dfd8aa330e

SHA1
715892ac5b62e2d98c3d4bec916e2ee159b008ed

SHA256
ec5e4c9a398097dcbab83d11c04ee89accc3711666e5dafaf615bed2446cd277

SHA512
009ab51d39741ac1da76613d07822543e33f28a467936634cfffae91870c59521592bde4ef08ea225a464f72f67f548d52855d5d013b61bdda5c36e4bc9ff957

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Filesize
20KB

MD5
4286a189c439fb39693f33d9e744f534

SHA1
7e6484e3a269cc5b84ba094bb076c04680f6196a

SHA256
42b1b2b60af6f7275ba99a5c1bb628ba43d43c3c567aedef71a1f330b784de92

SHA512
263bf9785d75d96d8713717b8c9ca153182f3f758fd376ec190385a6c7c388d7f64bc31e876ea6d23e2f327388e60a38fce3c60b2897d8200bf4b8e3f32d191e

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_15_28.etl

Filesize
256KB

MD5
305f58cfd76b18194f4253412c8b4246

SHA1
6c9ff6e029a459c911c499e7bd83472707ac3f37

SHA256
5cd70ee12794feb8e7e92ca9aedb907968234fd75456a5d5dfcdf8f52bd63174

SHA512
d5633c6dc5abf26f22fb2c25b00fef0d1fb58a8bd342aef2f74f09168455dec049434202a06da01a42be74ef3759bdb1506f91e844fbdd631104a90ee8038a8e

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_15_3.etl

Filesize
256KB

MD5
ef263015473d0cae787bf3c38abc0299

SHA1
82764724913ac1cfd0ddcb686014ccdb5800a76a

SHA256
21610298e6869adad5aa63ccec2729659a4825312724addde8a6820fc776af49

SHA512
7e38283cece63a46ca9c103b30a6502f5b1f1b80b4aa6bd54ae13da2b577f5a5500db8f78c54be394e5d6f4bc9a20c0dc2916a43b4fc3a88fd14b9364972c8bc

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
75KB

MD5
905b6ab5ee3389d666ea3774a5c9c38e

SHA1
0ecb314ec79a35972a6b4405415d42df8ee7839d

SHA256
056588a72af054018b36e3364bc2a431b39a49ca5347faaea1e7f21ed7bbc463

SHA512
2dc65243c39297f12a3dc2e3671335e1e6d584f663f010fa27acfe159858d1465ae89abbe132364a5902e6d5a8de8ecb3b1a0dc4e4ad247424119756341e0a24

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Filesize
12KB

MD5
0088804da6aaf09b4be1c7f879554493

SHA1
2ce00afd426fcdee62a72d9ed6fecb05d45b03b8

SHA256
9301908d5d178f4c097d36f1ab7ff1c0f2ea7d55555ff26a250d985505c18a58

SHA512
771fbb7c44d8673ff984a07690985574da67a64edc4fecf06b57f165595bd7fa9d682e21b779c8c68105037dad6734ab8485ae5f4203c437ef431cfe1727b926

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Filesize
14KB

MD5
ebe6dd85d181c664951ba54b193a9ca0

SHA1
7b12e7fadb6f2886ce7cf6614367934329ae74d7

SHA256
b83b17abfe0cba80a4dc6d38b7210234e1d15e9f1908ea1a62b2d3960edcec30

SHA512
cae8b8ac08c7a41f27ac3a23a6297ec3c06443baf3201b4ab4065c867478b2f06879ee6e54aabe857e0c7c3fee0bb9aa094b18767643229f51e4fa1e43eb24b4

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
1dcb74eea80e5653d7d05d30158c7efe

SHA1
ba1b3bf9aec8c80a4b5b017c1aabebd298acb1a7

SHA256
7376f2e0bca2d6d140b33603cd488297e27af4820b2bb0e6b70321d6ea0227b1

SHA512
4cd585ab8ebf9a2a96f006e4a75148ae91d3bd75af6affbeb7d033ad98f17778c88ef48c36c758553efb6947ff187f91353adb80897b9c5be731f2e2ba992ac8

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
b59cf698dd4ca9e1a0b82882298f4b95

SHA1
2805d685f2e54220c3687416cb5deed3513bbf5c

SHA256
8f276ffa33655898ed7e94957b5fe734db659391796679ae14ccf3f29cf451ef

SHA512
fd2fec86b822f21b4744edd48f7403fbe2ac755832ca9cb8950ce032306bdcaa02e95e5c8b43a2c34e631c34895c8b92a9b78bcbda3819160314447672137c5b

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Filesize
8KB

MD5
2d3b54a544b7ccb21ec6f395d54c08c8

SHA1
489d344ca0b2f6b5084b4b4ae645003af5efd15e

SHA256
3742b79d3bbd6a126db66e3466c2d6df4ec072995de80daada9c193797185fef

SHA512
0e729930818d3c3753c9760f555f8e96ff9171c5bd471f84cd2e1d21da223f8c67aab9c9243620b3e705b57f17a71e58ce725e7e604b530ca1d71a71706c3dd6

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.3MB

MD5
ec6b4817d3f50b9c13b4ffbdc6fee8b6

SHA1
09321a0df0f3288abf2051ac8086d2c0c66e9377

SHA256
e261aacc7f195772dc010a0ee261278f11d572d7b749a4dc1b254a65be973ea3

SHA512
a71a2500e81e0c1a571ea42821b7b5ab1c44e14681537f0f8c80e7c87a5182a18e54a564abb8d4491688fa703abfd46017af03644d9282acf22cd38b73ab3715

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
6e0f08e11f038d627c56d8629131475e

SHA1
5de1b3d88d958a130522aeabccfb0eb6c816c5d4

SHA256
57ac29a2900c0e1068c24302d7805278fcb829d4991c2270aedbb109ad8b74e7

SHA512
a9fd75e6a2c8c9e7bc0de56388c6ce0bd52d4b6c2ff83e3e40d48ffbaed367d7be4aee53d371e48051355b4f0965c7784b114b4a37c16804315fea99825848cd

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Filesize
1.3MB

MD5
2d1409d1b3c3b30911d77d5477a39812

SHA1
50e78b9fd957854a3804758f3860a44c20ef8fe7

SHA256
0cf2b1f88384dab2677821dbeea29a6b36135f64cc6455aa5b8d374bf1c688c8

SHA512
15dfeea37d47595cf5c3745e79154edc8eddedbde2a5e7f981a0ae9f7821e687ec921a05d657fd815f99bd6939f98c1b2c5915e5be788551228f242d29c0b8dd

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
b812956f7a28cc4fa8e36cd7b18eec0d

SHA1
d76074e5292499dc96439808a315905ae3d8c9e7

SHA256
fec0049538394d07a8e7556263a0818dd782fcec8547b6e3eb9ed577bcbb0e93

SHA512
657975d3b432541b472d4327810cd5d3c0ab27beb8de16efbf1247f88201c1bdb2a28a49ef44fbcdcce7438a72d1fdde231a7691ec52635fad50070e40862b10

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
1.3MB

MD5
3f566a82a9201f40fa2a60c0a2203f1b

SHA1
418b2b754f9771d2bd448d8193dd993d44cd6e35

SHA256
5f505cced21a0922b42a3df303c9612f44f2534b40023d1f8455b4768356e617

SHA512
5483ef0f4182c51a94aa88379edc685f0a786617af3edc134c6cf42e1d7abe38af0b274d0a78421041c12c8125abcc535e03c7452c6b2dcd298add11dd8ffaef

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
053b3064efeb9328ca5d400ddf5ef27d

SHA1
d392d0b1921c76d410440d31784dee60e0f7bdb3

SHA256
b689d87a9fd8bcbe9cec4fac12ac7889a0a96eb049bd76541147dc461412609b

SHA512
4c3497d3d2378146613029b67e5be243d92259cfe583d43dcbb725dc0d9d1d8d9761ee629a7cb22eb5de301bdc5926877ffcc2e1302b65b447f6eefad7114175

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Filesize
192KB

MD5
73020cce0fe83d49a0f1a59a16fbf22b

SHA1
fefd784de778ea1f8b67cb9f1b9af75e8f856632

SHA256
887904f06150f68a65873a037f710988506beef92b8ac06563ee1787ee5a7d32

SHA512
8bb24f26d04c5120aa60d88709e155ab027d2a69f30ac3106a9a2ddc2764bcc5094361409a3684206bacc31c5e596fa8ccfc7443f4c5c317661a13330cb5978d

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Filesize
16KB

MD5
7918cc105f4102cdc4b568c47c0c887f

SHA1
ff861d8de74e53f47f700bdf96b9763ef06620ca

SHA256
4ace528ea66c2f1a776bf589a9263505a6eee7461f7b869fe7b7a6164c438b8a

SHA512
7c579d3a4b3a0c34c5fdb68227d80e2cb04e9005494275408df383d8b42b65ea99fc46ec34bb06ee0096f0f211bf945f32cef5c65a5e90c4ed417bd61f5ac032

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Filesize
8KB

MD5
b57fbf4bddc6c9b72e0bee8b0ec8b0e9

SHA1
8e76df13e4c12a038bf06eb1222ec657f61622f9

SHA256
c4076541865e8f9181f00e77d6223611c1c362d6ca4ecaff69f7399ee513e92e

SHA512
0812a76d9ef6801e69ada7b2c2fa68fdabbdaa59aef0ae29766baa1abdf908b634826bd184fa6b433294deba5eaa961a322f2919d21f190911397a48057cb91d

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Filesize
64KB

MD5
1676f7dc0d0e5b5e7c0d3943408bdf6c

SHA1
969ed8401ca197536ddd75f25ddda54f91a2b322

SHA256
ec95b1c8f0350f0272a2166c08f331c071e7a2d262707bfd2465b988bd37175f

SHA512
4e5bbc1fd143b0da53f98933fed20aeb6d1a3cfb96e3982a02cc9c4af5a14e9830759cb7fbe4e7d0c29ae6200568197d58f01976b90a153bd45987c8f95cd81a

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Filesize
64KB

MD5
684eb82bf3680fafcfa5e1c2dab01f6f

SHA1
4a48a40bb31bb1137c743966a4a2076afd744b4c

SHA256
0880722676055f54c123074331a44791e6ecc0fba32f28d495e5e53e81eba539

SHA512
567eb68cb2f209f6f3a84fd7488543a299898a6e434776ddfa5133523da3cd8418f6793daa6d3f3b5dba27940af13980fc30730084c07f976b365324cc83800b

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Filesize
64KB

MD5
55a0403d76533aa65b64decf98c440ae

SHA1
fa2f6f1997b71df0fd5296e7f0e7e1dec621eb18

SHA256
38824b4348540caa705f1b5bb3b433cc21cdddeaf707eac91d88584a961a604e

SHA512
ed9d3978fd5ce2facc713f002f6de1658eb77a7a491c422574e8e3fc2a2b8a6bc6dfac6b229b08042c88d5575a4b5dcbd4ca7a571d783a602cef2b535dc46225

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
8646f97ad48fd2faf0ed7fb1d8636021

SHA1
ff37c5308051afcb0da4ee551b4da5d7c4548ce0

SHA256
eedc0a13e24dbafec9dc80203d97ed67d9e4a5294ffe27f53d7b9ccc650dabe0

SHA512
e7899a1d9087aa741fb43a83c986d12c6d0d76b871aaf787e205ea781f83e552c15256a4f1242ee2ef507790ac8350524537b06f4c1d6aa0d203a6ae1f933679

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Filesize
64KB

MD5
a1d2b527b75fca53ae714fc39bf81ecd

SHA1
656696706820a27373694a1deb562f576d00886f

SHA256
e61dd6f4eab43a93ed2c31b9aa48de19d0c2c742322b81d6408356a5fb9bb758

SHA512
a7411cff6581c0a606eb5608bcd78066022842208122374ce4ac3c645fd4f5d810946095f652522c1d5f76daa12a6c415d0770964e40a34fe855a94e016422ae

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
588KB

MD5
fb73a30469bd298d6310ccbf5a770748

SHA1
7a2bad43c358d56279ed540cd19c1cf624ed8891

SHA256
b18c0de5f2fe84469471b64e11726d06086fd6ad4607d274f5e7c86e2084923f

SHA512
fe54f775861ecf15d1af7a3f7f86b122082da09cd1103e884a291c32d709518f168110ee8e2aa85119d9e1e186aa047c7c92ab96766199309e41c3ee7fcdbba0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png

Filesize
6KB

MD5
b670634ae673616c884a33c82a1e0a15

SHA1
63edc682c4f931565eef72ecf60930a1866e5bb6

SHA256
d46cc7a4203a4049c9701764f38fb2ce04ac017eb2e7ab92c7535b653d24da04

SHA512
b7ee5f6724db7465fb6eb9d992b9cbb54661f876d35f6550a21c4fc04093e324a789d2adb15bce56534c64e61a6ac8b3c47759db8c14fdc9bcafca80da6cf82f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Filesize
2KB

MD5
d6575a0538915dee09ccd981d93a7801

SHA1
0e1b62f7df5e316e10b1ab58da450e7304592f6e

SHA256
4998c521ebb22f0ffb3683797c2b64654420c91825d7279eda56af373efddaf5

SHA512
1d6546c9824d4b4312aef95cbc178f5280a70ec5d5ef0c46e8d9888c49657b74ffbad229dab4c2efa3bad9fdb649bedf40e92c0c4c730ae37e21e48e3431b5a3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Filesize
722B

MD5
02c06a3a12517d64b079479bca52098f

SHA1
26579c896d110071e7ed4536a3410e504c73223a

SHA256
60c07623000ff4b071d9ed98c664503133811a964e4d7d26f01e5e6644e7cb8a

SHA512
01db3698d7065d9d159b8d36a079dbd65191ad278fc08613d6ba389ab99580d1a2c8f4e0b7edaffadc53fce7f85bbb61facba755b42be182c2ed705b22bcb9e7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Filesize
802B

MD5
8e4480bf2971510ce293a1c14fb3e80b

SHA1
d1532971608df4082846ffeb067ad2dd86dbb981

SHA256
cf44ee000769fd88a232b30deadb03dd01b610b8f86d9b2a695d70bf8f0e6f12

SHA512
4bc2653bc2aff1f336bfeb196cb21362df0d67efdbc33ee188c71aa284ca5d4af74dad62a4a5a64488fa278f07b1a8ce158436101ad5f668ec2e2622689d3038

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
898B

MD5
e86ce89cdd6de597348c4a084160f26b

SHA1
6758fcc31665c785c7372a3bf824e79d9b03fa79

SHA256
632811ae86004a2abd2d8f7bd97c6bddcb62c41e3b749c4306de7d2031103017

SHA512
fea141f456a705a429e1931d80cce32ae40cc88ef2f07cb7a0de1dc9c43c8a944ddf78246dac91d6c8a7ee426683f7661224eacf7a2961001c89186d6543dd25

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
588KB

MD5
32f20e17d13293a96b17e6af95b95add

SHA1
4954f81bc3bc5267834937ff45acfdf560809b74

SHA256
22eebd8ca7d8f672ff6560ce141c0a1c2f54665f4f1edec15aa79c6311455fea

SHA512
202548e06eed6d64e633382189b38efd4d8d01de2a471c7b6f5b46363b08961f566966a23970238e8409243b2e06cbe6172b5956e1dc75b2dc71386514b43541

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png

Filesize
6KB

MD5
252a2e0a8abb170f8a77e8884ca01426

SHA1
aa462739481058781ccbdc4bbfe4991a6310e460

SHA256
4398773be52df0da52fca16a418af3b09cd943507ed31c232d2c629f9739041a

SHA512
e42e4204518d2f3407168f570d7a898b5953d18b90c190a7fdac4c1f52115f50b0e14ad4a5689f27c7696247f9d3f4d08a12a791134b74bd2df8161e049db0e9

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
434B

MD5
e0e3978e4fc34fefbfb4feae8dee2277

SHA1
bfd62b9f1db29cf724c8222900a763097f7df6d7

SHA256
5edfecc4c1feb2b630abadc7d22c2d45727e55ee88f78cec6849d814d4e716df

SHA512
579b668eddc77f15bdcbabf68efa0caf9207e034b088dc6266e8d15bc886cb6e298702f2662a4d149670996b8ace8d80941086feba7c90da5aa29dbe571b64d2

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
386B

MD5
7ea657fbf2303d66b0969e92cb58891a

SHA1
990dcb9cacb8da55d3b345851709f3a69987149a

SHA256
3f827a560fc10f09651fff19f75c202980db30c75cda209c4b86d5ef76f7ea49

SHA512
227dde0f3d0f22d63f389ddc6666a695d93d3712d1d2b1ed3af7c1fea8a58a5e28e0ae521c464d7adc52fb1c0bf50952e932a319fece9d9a98d2758032baca47

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch

Filesize
546B

MD5
8c7410d17efbfa4a9d5950a5bb1b69df

SHA1
3d91aedfe3a375eeaf051b185926cc24abd5a10b

SHA256
9b3c7cea8fbdbc707a2b7da386804ad68128fb290bfd86e594ecc397dd958caa

SHA512
e15b061155e58b7be643df55ba18230b2e87d0bec30c20c56b08b64e675b9f86b5d941b2c45cc1fd3eab53fa1067792817e4a86583effad5f12566c579557abb

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol

Filesize
722B

MD5
9dc357ab22eadfc4d614883ba5dfe21d

SHA1
2d7c530cf5e149b8e8dbec125bc91d0f7b3aab60

SHA256
0681ccd402d762e9d5ddf7bcbeef525e2801b2bc548331b17ff9523efff219d6

SHA512
47ae83d70bc3257aa1b3f4d1e97d42243e2beba1fecf45d2c5b0ff1977e6f479233ae3506c509c889c05027d3066f8c7b42fcc96a1e6f8e8639b3ed18157163d

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
322B

MD5
18694ac867441073249d6db5158dedb9

SHA1
36923a975de2b4596534b33ac41f5ed75d86bbb8

SHA256
805332ab319bc5e997e0435f26535c9d8db2e619ee5e7f736e5e86671628d9c3

SHA512
78ea7e82f2f33b76d4bd6920e071a931ec93a61e8661a60d1cfc5672871b0229037f409da324558487d5480bb665a38cf4c4d1754958b1346cefc62f65ba808d

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
b44657b303b8f648af6c06c261cb4f7b

SHA1
5b45f5d5138a8741fce3488fb368b6b9cd8c743e

SHA256
8cdc691f29ac01cc754a8dc13c4452ea1060a74b5c94bcc73504e50b256b11e7

SHA512
723c24b9a540383709f7f90ed073088f07a6a4219a65bb10bbde4334ce289332f07bec06ac4566aa9882e2a8555838041c76f795db06676d8d20c02a13ea1791

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi

Filesize
804KB

MD5
3e901c5b098a6e599b9bea62b5b83cbb

SHA1
35cbd94ca91ef80d79f1da2ce439b2232f45627e

SHA256
d264dc62e16e5b17f5cc5d1be787f53efedee0dfed02543f470ade592a520e2c

SHA512
6229c45c11b74bf19d69f8051864e4049639d6c139dd63b50cb6209ea2766af66b8569bde75e0cdc09a3dbd67710f033848120e17dadded6a3ab6c49fdb42826

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
73f04839d2e87c68f0d0e7421ac9a935

SHA1
82bd4b53290612d96d07360e447a5d926238d8ff

SHA256
7c0b0ee24a0f977f3eb93422440b8a9cab44f81ebb7d97f1c5e0694362f9c63d

SHA512
532ec67cc996931797af559e1aaff5bb125fb954a2890ee064c8f7299563de607b11365b13ce09b37dee1eaff0811f178816b3fc3b35855e2978936082f686a8

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
38990293fba00afd2919b6bac10552ac

SHA1
f726416dbaa1f666bf3c910d2f9da40493d632d2

SHA256
c2cb6052e41e981cee1c4b64de31b5f5959009dde7b67165a6799074becb4951

SHA512
3068d78203f8b737ea31ce4cc50653546e6de9645cc459d98948f5bff13e61381d3f4a4f75d0193a4acdb83127029263162289db8744963253aaf2f69764da22

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
f4b0c517a42b1f0e4246eb86ae89e311

SHA1
c68a77afde3e47c2afb53c6520f0be19fa6341a5

SHA256
fb9f793a8fc9be997dcd936a8ab08f272a41d46e2e4c6b39f53011f48c53a2eb

SHA512
6b3d95713fe2ee8ffd4e985fbf5447687d6abaaef714bc2f08c4cebfd2fdd9becb686d2848c12ec0461338722bec108ec093d4785e98c95a65acb3cc3d2e8b46

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
58591f24298de63ab374130f010f5020

SHA1
6af11061b28a020a52700824815d35f9a5bdc40c

SHA256
dfde074383f68651c1f6df47bba73ebdbe15603ea3b7f7f9e43e30efeaaa5ba8

SHA512
f5bfb8a51a8665cadcac3b07fa71e32cb617727fa68f58d2239704931138f98d3ab2d2a0f1008c02e89f88c5cbd72263412388cefe16bc90f50a0a835e1d71ec

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
ee95ffc077164cf2433bc78ad6be3cee

SHA1
95f01fdd15399dfa064b0fc2ead19ff82036aebd

SHA256
3b361f21210b66abf3bc826e0719c6315f751ac09b1b21a55576b787f88095a2

SHA512
37fd19c7698123d5ea7372c5d7953f9555b1fb3828212238c1a04018c64476460b129c3eb8e8a2f1f7776bee63541bbd66e9169afe169444e1ee13f9ddc211ff

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
b3a64aabe5d963ebd6c0182382cfd519

SHA1
8267450f974a3d062bff442ec8349c6ee0da067c

SHA256
6bc5d0d9587983bc8c2eb8fb40ae0bc15d15ac5a4a5be0b1e081b525bf363b81

SHA512
c3538044785ccb5be2fcc2772410aa21c7e16a0c4ac1888cbdde17be7da444e04cbd57734203ca9fb72fc09553246ae4d58250c7e7f6e4892fbd3e912ac7af6b

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
d52fb375000cea660380a410962554d4

SHA1
ba1f9aa58f7606d02ad26d5461f088222e98630a

SHA256
f68c993b9dfef15a7753c57e626bebb86c1dfb3b9dcd1c3871490bee6de6e069

SHA512
addf2b835db9d56e693f9adf10428f3cd159e2266826c96e4814f28b5099c9875ef20d5a8ecffbdcdb23b8d1152db4ff7d1c9c9780ecb7014d8f1aaa17fc0cd3

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
e978a2ca00cb5a5e1677247994106b97

SHA1
ec8a77d32e76ec7c14ea430f3c12d0c600109c2c

SHA256
a7e21f37ee93028beaeb390f16c706aa235e5f2bb9a14d59b5095736a779edf1

SHA512
d625bee7ffc5b5733ebcc3a32df3b5c6e5b0f9d20286d4a136194092e3e34c587cf0ec1d332018918741c22f245deb92d570fdf9ae7e4ec783da2ef310fe3502

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
23b9f9ef2ac4bede4e5ebf5ab3ce92d5

SHA1
667d9c2adaf389707391d93100849976d68abdfe

SHA256
86e56899a149628ed4bf7e415604a90a8a0d740ecf6ff3b665be81f459807295

SHA512
a710328666739170d3e804f94e88fb08597c165f80d47a61a917e85561ddc4574ff7fa99d9edb45888513cff2b51b8796ce950258e0001eb8161921c3ad24eb3

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
7ffb4eef606871ad3b7e564b9a9c9173

SHA1
5ca8ffb9df5080feb9279112f3e405983a32506d

SHA256
125c235f09133aebc1a6a12d52fe59405166979a8c2dba4300d41606fdd80e9f

SHA512
1720877172f23eb3c22b7ed298baf303e4ed60071b15ec990ab61c698cda2a7612ce6e49678c988376f193934d20cbd280aa7392ec1047071c32e6ad1dc66595

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm

Filesize
1KB

MD5
3f6bbd27c32affe2b0e640298233114e

SHA1
7bcc2c53be2cdf3c6d42ff91fa056e46d340c044

SHA256
1101a455204fbe980e576a96824dcd44659c044fb2b39b22187b5718bff9b1b4

SHA512
707826ed4b6648da29ce76462c56c1320a5e9382552bf8fd639c8050d82bd2b898087e59ad0c7a11bf2b41a22be2530b7f3ba012714b42fbc255d2a78ff1d409

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
d619a78be7c4c541372a547a514b0853

SHA1
d075fa8c918fcd2c0ca190c0bfa30237752ad411

SHA256
c6b415683eecbb6d0c105b78ec51aaf42c77438bf7fd5cfe30ce6a51a3014a61

SHA512
973a6a618c3523581bcdd2d0ff5db05f0b45b0db4a17bdb31bea7e35e025d141fd13e1a7661f5f44bf086991faf35a22bfacc5d722849d3c4896ea7f65ce4da7

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
b6857284f2f9cfc4403cdcaed8273b11

SHA1
850d6b7d7ec7f1450a90499be5e5d8a6449fd384

SHA256
ea4ba263f907e2943fa439d710b495add6a6d5df3161763a398a46a66b51d178

SHA512
7deb7876d17ca294ca3b6e439af510c99bff95bd0d50ab4dfa74331f4ccb9578dafbd8c6e1c64dda266c989bb9cdc1aece9936dd5a8205a4765af0efddb1a135

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
41245e85d15d71c6c22169d1cca16da7

SHA1
9e78f8a8d5128f8cdc8ce5a9229a115c9586e115

SHA256
4a46ae19832a7c2f25b22dff45612e0486cca626c31357b01a3a9c8377a77601

SHA512
ab7f5bfcdfd16d2966535384db986dcbe1ec979b255bd1302232e3021e7d0e90e7578a92a820751ba88ca94956e879931bb745f28b1b5797559bc49ec64efeac

Download Submit
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi

Filesize
804KB

MD5
f39e5577124699228cc08d378e51f176

SHA1
dfbdaeb330e0a3938513d9e0af462ce367f66855

SHA256
4e30a7efd4b694dbcb19771d6df88bd3515bcaf732fa356ce5375b1aefb6e4ed

SHA512
a0447cf7ef671f7baa2bde26cfaf09b86ef1021af34e6f81641bb185dab6ac5e21ae0641d0d36a68b15ebb46ef106e5a97d6ecbaef5026802001e8cef9ed68d9

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
87dabe7079c8c75bc710afc819fd2641

SHA1
3a8cfde4e41c990d83cd0fddc83c5cb742f35a68

SHA256
4f357adc95ca91eee514bb6bbbe634e7aa905d3b1eab17a0c238a3d09acad774

SHA512
a2fae493cf3cbc872b3d5b6de3f33c70398f54c524076e65be000527d40c4fda66d9952594e71d1587076c75557975319bcff34019574d77296831afbe0703d7

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
749fe033a7b4e02b44d82a8b4389ed87

SHA1
4bd1c0df2cddaa531b40c1138e02016312492b90

SHA256
1b6e8a5e3eb9a1a94f52673db4c5249353911776c93492066f2c4f5eda2eb1cc

SHA512
a0604ad0af5d12441ae6e92ee9aa2664321d32990382612d0bb357ca13972d69b804ddc2bc4af21eccc0d888c3d202cdbcae23229a052cd18b2f561fd6719ac6

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
cad75d0a6004a3de6cdca961f30c6393

SHA1
7a9d6cfe6401dc5b095e7b917ccb12db721be81e

SHA256
0872b6deff52637b8a7c6e2bfd4ae2603ee36b0e9f179d0f8a0148d1735467d8

SHA512
e1ab220bd10e6902dc9cb3ac6f9984ad4b528c3187e23096d32a12321268a19dc70a4e117f9f5d7e8d89ef115924c8ef61ba5a30038d47a4bd3da543c88ad02a

Download Submit
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi

Filesize
744KB

MD5
889dca3c5959ff8348c57560b3b98dee

SHA1
3164918b26d45fc3c4725ac3c631b4b2390e1473

SHA256
05ab32d6e9a908f3a9ed572ba09c5517bb0c8d7832d87d6e735fec5aacb64a3e

SHA512
ddbf6bc731a1247f91a99dfb78a647452680b7a8069cd7645b9cb48653d374aef31285491b03623ef60185683796bb84236e56fecdba19d962314f3ec5f4b940

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
836d7b12d75de09854f924aad4be3b96

SHA1
542fdb8971edfb6dd4f8fa52e74c3ced2dd9981e

SHA256
16085e41386999692ffad37b3d27554e35cfb70bf9b5e7b4c73fcb70db3b8533

SHA512
aafd50da429734a42621928a0328661fb98cd5dd594f764707516333c9efb660d6835586b59932a95cedf6f6274f7594e911ba1c5256ee02dffdf05a22997b89

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
8e522c8b8c6be70feb82f61326b15b17

SHA1
7d71fc9be7b4b8a585cdb07f64b51ca5751a10d1

SHA256
221a7ea322837355b8dca22d0f9e36cf7908dbd469668e1d7a21ab5b5e0a8f2f

SHA512
5171868c67c6c138db736a98ba92da4bb24e645092848faf7d81e3e36844b75b148aa782e62ddb421eb24b074c330ea95fbb0a008bddacb5379d6254f89d993f

Download Submit
C:\ProgramData\Package Cache\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}v64.8.8795\dotnet-hostfxr-8.0.2-win-x64.msi

Filesize
796KB

MD5
d40942bc1ba2c9b9582cdc4eaea0620d

SHA1
2704178767a668e5ac94fe22371da0b4f528058d

SHA256
f935359337cb12235e47f8c806a45432428186250ce5b0f17f1af4f72ca7e3f4

SHA512
a07e941dcaa5ae4fe5be3296d5990abf81162f124c26e54e08068222bf606b3e4edf815bb5cb7036c7b1b2e1c139f980d3a32640e0b175164e97b2845fe27ede

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
3547e9587d4a5c5972ff9abd20cac51d

SHA1
3facab224aaf30cb48ae51d85971f4f05838cf8b

SHA256
5ba8ee091aaa794288dec102ee21e8b80a0cef2b5e3acfefa63b38aa5941bf9d

SHA512
5c6cb941f30043fbc44900e1ac1f93cc9a1613b76d025be2d0d873974e991d188fc0c6dd5f3a82c17382a9bf39f58ba28c7c795d34cb1e75bdc837790adc8dec

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
60ff444e6d32e5c8a843f72ed38b4c19

SHA1
6a15002e9b8b91f97478fa272c2317c463fa9de3

SHA256
25ab708852a12cbfb0d8bf5ff7110fe377bd296280a912ce00c67d799137f638

SHA512
f78ef28efb0817452937fa3643d7d4434ce1c13ded3f9b49722fc0250ef5c345d4229e58e5b00d04465b6a79b19b996575386c57ab588def628dd83ca4b8eb6c

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
849ae57c2720c5f9866e6c6b5128fee1

SHA1
5ddaf016f8950189bd071f704abedf97188cc897

SHA256
b48448c51a211780af0cb7354ade0f994dc6ae25176ed5e7fe78e2839fdd9831

SHA512
112ad6001274007c3502611ba77d83e01533239e1fd818d145319a883346ce9bbe7059f5b82edeb8c05f4c3031dc449f51e41ac1367e8abbbee44ca1f2254c8f

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
4de25c47d86db851b5e73e14c4069082

SHA1
1eb447427ce3d9c64b7510e10e752d54e8b8a5da

SHA256
eded8836fa99b70e572ed23154c410b73a17583907440052888e328862594048

SHA512
018348119459f311d137913d057f6423de529e329925b081378c31ae7d02c01fb774fedeb686bfd698dbb48301bf705fdad6ae55ea7b131eff5b368946b297ab

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
d20135cbc83d8472e78449b290e27aba

SHA1
902c8fdcc772ff4ec1a2178a7ac1198787e9c2b9

SHA256
583f5b946dda363b7132219580edfcb59b479e282ec86437af935dcf24ae033d

SHA512
8b004c3feb16eecc556722ce54b1e3f52417bdd8058b44a54a30e374b052cd0505168b056b7ef85a0852e643111bec1d545c1496106fb0a098ee27c6f24b8708

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
872eb66892580412f52a24f095e33466

SHA1
d15a85a98266da77fcbc2579e57856775d6f94c4

SHA256
2627bd91a17d874768b2a34bc6bb7b770c8db85b6e40ab21ddf235dd6c899454

SHA512
34da2b40f5301c0b04296137673b9d6fce2ba0398bb12c057aa252ae55c61ece155e96891e7303b964e5a00d09cbcfd6b1a2f7efd0d69c66048a1acab0bb805f

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
f9e2ca89a0f5f32878cbc7dff00486f9

SHA1
e195f802f449e41928cde719a56bfe2eea3fc1dd

SHA256
ed7540db92fab8d575e2d0d7d01e85cf0e96b2e8bff50db7fe4e4751314aab19

SHA512
f0b225ccb5f874040e8186ecc21d0aac280e9d6c4a6f213b35ff1b0635b05f12f22a31228b092e4870b2eb0cd1dc3b26872dd1ac82ee5118737112aaee10b368

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
e5a17b4ce5497b561ca327d159b8139e

SHA1
2712237137e18bf6c4f9f40f46866c2282f608ee

SHA256
af312fca5e3aa9d11f21bae50111ace8dbad4479ff4ff02305edddf8b3ee24d1

SHA512
388ed8973da383f6fd91ee6c91fb5c75764dc6df3a3e0e82c29224f228c35cbf11b8ecd31fc6c366dde92fd078ce4bc6dac28340dd32d906e5899d83377d39da

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
9583de3fb88e4c672d09b2017a57ef14

SHA1
612a06a7905609765484023ef1656f0ac2756dab

SHA256
43b012e943e1441b065ccce72bf6ad9a70f0473cc90fc0c0cd3adb2b85c4ab87

SHA512
6e0cf3bb7341a44f32de077bf2f232d4fcea58a54d0756a1f0ad267e98f630c352ca90fd9b07c7eb4f99d0627fb1e8911e5074a1442d53abc7a694a6112f3119

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
3a2fa5babfdb3e55ee644fea91c186a5

SHA1
09a1a7f066cb0df9c016b9460b018bfde08f6b3f

SHA256
6f08886a67f3e5485725f981e7ca22049ebf2eeffb2f60fcf1d0b7b91a6fd724

SHA512
987fe8ed47f07deb619ddb90883162553daa01e19a4c876386bcaea237ec4d1c8a03e82757f104c41d67a75f9ed0c98bbc6fb195ff399446bef81d81bd68d4ff

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
8f6e0f67710b0ad029aa6612031786b7

SHA1
aaf241dbe95e82fe92598f580aa0f25999342035

SHA256
1cfa11f91da1b16cb48c46ea4c9666539e91c0966e4b7774214eeb52fd6d5ad1

SHA512
088b6c08da5a5f2a3519e5352bf3db16714179437b7ca32163f12edd61c74bef091161074ac16e424be863648f484932448912b02f92f763fcdaa6a181c77917

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
a747f38322730bc466db5cacf929a3a7

SHA1
f2a7cb68c9a983c1720ed6fc93cbbab039910da8

SHA256
58e0fba316f528a0ce4e77813807d16c187ee6be181640c871a3d9b27b3c8eb8

SHA512
e72bca25ff61fca6b2eba7ac7d4f3a99cd878854a5b69f279b0c044588a7348a0abe77b13a9051006c9f12ce2945af5cadc0f1a9b6d70ead60c27c6e4e3c2548

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm

Filesize
1KB

MD5
c87cfc5d61c6c2bdf5ac2416ed80caee

SHA1
ddfa5757627e4c8773aba7176576f57dc64ee0cd

SHA256
965e1bea0acc70dba38bcf41b615db1049d1974aeb92a8f7c5f368a18b449d5d

SHA512
633d215a199fef0598849b2bc563f9df34ea3330f873ae49f639ba0a0464c2e9beaa055011d6f3236d83840a45a4adf43be7e369d167c86f91e18aae180b79fb

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm

Filesize
1KB

MD5
aa1d2ed1df9955ea4fd7940a1e882901

SHA1
2815e79144498c3faf659aac811124eaef8d5790

SHA256
72a3b1f317b879bacfe5d1f8de67625350c0c5e07a8d4cd4b5319329971c499e

SHA512
8978d3f3e7dca6a9ad72b0c01a3eeb7cfe4b97d08d0ecdb32a8a3e7aa88da9a0fd14afbeb82582ab56b05c938730f6bd8d38c70cc1d02df00aa811d525493a9c

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
fe5f93d37b71d4f585a0eb2cf6742a7f

SHA1
2e3f1eb332cf86bec0beb4ae79d900f13ddd6a22

SHA256
48efeff6c20f9af734b9679190de274ae6497680eeadfca9131630c6af5db6cb

SHA512
0697e421e39a1e7cfa6e1e588a3c57d8d73e3b0f1d110d27acbd5d5c9a167dbedce0fa4986d306e122f1b563585f1f980753c6473454aa4aedba95fe95c359b9

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag

Filesize
1KB

MD5
00c05c2774f06d6623477797160a23f9

SHA1
8fa778070cbfc487ea579dd14fb033d7638d223a

SHA256
aec7d5a70487f8ba2c6ee032298c94a041800fd2ce76b3606cbf0f3bf3a40f74

SHA512
5c6d4ffe4e361a66ab5870d074e8d6279a144dca029cd65a16d6a4b87b1013c05587b2abbc31bffe1866bbad175ce5a6a20e24166e38a0672236126646a07c70

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag

Filesize
1KB

MD5
6a9ca567d7ae99aa05f298e7b6a0946c

SHA1
4e267ad7470db6f57b68a72833c744786b42cce1

SHA256
505762d551bf0378ac401da9c307f06847795cda8e8ecd977d799b414f2643a7

SHA512
9f671ae5b2b2aed88f085cd9846bfcfd107da275045d46023deec51e2d485200a65c57455a220e466ac47e713926a5f721c70aec0222cdd2f08a308bd720cc2f

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag

Filesize
1KB

MD5
1aee026bf7dca50a22ad2f2e75b72d51

SHA1
7721d7fe6f42e274d7bf832cdd5f73d9d73f981b

SHA256
c519eb1bb1600b77d1020f6243f71a51a5b77afe40f948d2918b5e65a4839363

SHA512
054d412014030b7f8a56c173859adca17fccccf9008a03235fc5c2682d8abf1b31100c08f3ace7f5c5eea66d2236f1f1f83a15ac47be745b03aa6b675573d2e5

Download Submit
C:\USERS\ADMIN\DESKTOP\ASSERTCONVERTTO.MID

Filesize
332KB

MD5
681cee754b8b74645018c36010005642

SHA1
057639a961d16b68454150322b006bbb0ac73f33

SHA256
62dd6890916b203d956d6a942e21f63d547084599160b7b20dc1f44979baab8f

SHA512
a35dc85e457a49f0ac84bb9dab53f6707e1a7fa21a9d8fbff4e98abf970c924b8aee68be2ff87ce7906422293c5613b59c76516da94a340fa4ea7a98199fae91

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPLETEMOVE.JPG

Filesize
725KB

MD5
aea16d400b41e440e15ce5ef149ee27e

SHA1
5e01aba6e0c8b8a45b23a0bb6475d3e890c0c1a7

SHA256
53f74ebcd4461d7f7fda5acfc52bf8d3ba10e02a4e2b493a3311045f3bd49ba3

SHA512
7b035fe3b022fad6fcb3757e8976dd6fed97d3d49e901dc1e802c5f602b864f132f16395fbb6e190ba8dd83c799ad74d5fd61c4407aa17cdf13ac03187c36823

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTFROMJOIN.XLTX

Filesize
651KB

MD5
5bb8e9fba15a186376fd09ec530ce894

SHA1
0d04167ae4926f6cc652cb773f94004da60af425

SHA256
26f0b3a092449174f3ef20583a02252fc072f1861ede38373249ed72a1cb5553

SHA512
98dec824885039f5e05fbb829c9c63684a6fb707f7e932146f02a1879849fc56c443e9f9fe463482866d86c886a189580c3aa06ed5beacd380ee9a813cd2ae66

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTTOSELECT.XLSX

Filesize
13KB

MD5
c9bf9b6f095300892b352cc5df5a5366

SHA1
750e7ce0f630dec9f31221712419e81cb40043e0

SHA256
f8fe3d42e017124b505a36d52165050b4acb1d491b9a257806f7851326e354da

SHA512
f41fcdf715c6ab412dc7cce88940ddd60171709f9db5ca666b4a90284b1f391c0086f5c4e5c41f357ef6be8052c45a22600bcafae847e78b1d17ccb84149ba7c

Download Submit
C:\USERS\ADMIN\DESKTOP\COPYSET.DIB

Filesize
872KB

MD5
2a345edcb26636c6dc70c5e88de10ae0

SHA1
1ebb8d35fdee64071dd4a23bab0c733d767f56de

SHA256
2a83bf1f897caf07390b4cd7e0cef0b336cb6789563753834ca0875078cf2cfd

SHA512
e8899a5902b214e1d841ff12583c5f50ef73cbbdc76c17b1cc09587824203afd5b57796956773375c02a5d2124dff571aacacc562ae3d3a0ec8bbb398d5bd523

Download Submit
C:\USERS\ADMIN\DESKTOP\DEBUGSTEP.WM

Filesize
749KB

MD5
fe91a7627eadeed74d09e27212a61aa8

SHA1
069f0cbf76674ff0df1108c0d3339027f534bced

SHA256
e0a266a77799fedee1b81adbae06ab951e1de9c4520b907696485896700cb1f2

SHA512
f3b46cc3df9277fce425f9c15e0af62d823fe2583a8947e471d26159bce965410b60cb15d6e5085f3d2232b07084eaf5ef364c77032d48eaa202c7352073ddf5

Download Submit
C:\USERS\ADMIN\DESKTOP\ENTERRESOLVE.3G2

Filesize
626KB

MD5
4b83422895dbc3d5c3418d3c7af0bbb5

SHA1
7b18e180358289ee380a8e497275941be84373fb

SHA256
f793d622344bd1e261c80cdef487a7ec7cd741cc0b6b33c1fd788bf4443a46f0

SHA512
df5d31a47ecab1b62bb61135abc782c0b9fc4228072ebd50d4d18ddb46654fee8a09318dbc9fb9e2172d03b0bc021cee35b67d4bf4425880dd6725be0ccb6a72

Download Submit
C:\USERS\ADMIN\DESKTOP\EXITPROTECT.VDW

Filesize
676KB

MD5
2c9129d84ca5f9033c76967bc5f79509

SHA1
1063e4e9f8b12945d9475e74af65afe771d798c0

SHA256
eb08fa964b92ba01f54b095a57f84e6b8610328a7fdbe0217f5fd682d9c8473e

SHA512
5429370518b43d43506df8b2216deada2362d6b7588d5afb9c4d01fbb8874e4d4215b5202ccb7dde4f38e2c0fbd1e5787413c9a47bad5b85cbe7c836c0e045e0

Download Submit
C:\USERS\ADMIN\DESKTOP\EXITUNPUBLISH.SVGZ

Filesize
381KB

MD5
43775230698dbc8fabf1c3279c7a1b3d

SHA1
db788eef1629063455ce7e1faf7662d55713980f

SHA256
a251e4ecb124865a67072d3de457cd2d9dec1bc8dfdbd9c11eb335a007eb0a91

SHA512
16494df504c35fe73266e1690ca59f7772903c0f7571c4a04386169784fdc3c873c29a5620b285da400f5e901134e2b804f35c798d3ed81ac122a8e3087b5039

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPORTLIMIT.DOCX

Filesize
17KB

MD5
91a5d93c1710cef8fc7be3e15c271e37

SHA1
f354a5485ea237062862fd5d5738308a6f282e46

SHA256
46cf711c8228d967f6b393d4051cc14f91ecc58bfb559aded8180bd198c554d7

SHA512
ee809d380fa864d102c9595932ee1baf4b1621f32f1b99fd54dd3cc317968c56775f80d5ceaabfc5783202abb13c60a60134c81ff26a7655dcce8b7f296e219e

Download Submit
C:\USERS\ADMIN\DESKTOP\GROUPWATCH.RAR

Filesize
454KB

MD5
c60f10ee1e7f6effe506ecd4b8f5b0eb

SHA1
876a72f14a1449d577a744c344c8e04b261ee335

SHA256
5c313ff06953c1af9a4d977d7ee24763023c7be12f930efe2735252de0b0bd30

SHA512
7ba8779ff17b316c66192a4d060d65899e19245c8f82f6c5a2540e41d4766be072a973994d0010e4569c0e38293ef497747a3ee2e7f54bf4be68c14ab09375eb

Download Submit
C:\USERS\ADMIN\DESKTOP\HIDEDISCONNECT.MHT

Filesize
356KB

MD5
e25ec913b83bd7b4ac4bd40ffad27be3

SHA1
139b21f814556d92daf43c22870689d4b64e6890

SHA256
a5671689d5df825257508a066b7357c11a1af240ebfa9db7dbaed16bb74938de

SHA512
d34cfe4a93487fa1878c2dba2701e669d0e7b0b4432b46268b1f93cac4ecec39908f62b86c9bc428e10a360fd2b047b11af0a786547ca9c58ccfe572e9c772a5

Download Submit
C:\USERS\ADMIN\DESKTOP\MEASUREPUBLISH.BIN

Filesize
799KB

MD5
f150aa54800ee39b1fd53ff1a3f530e3

SHA1
edc5901ddfe7dedd259a9a340cc514a3b1b18073

SHA256
c7af765eeea1b59fd225a651860bb55f2e7af048f7abadcd2a28fc262f44f1b6

SHA512
437b5bb071161300a5d14f75237bac9a35a62c956def381eb1af7954eab86fe5e9ddb015f685fa503cb1c0dafeedf7c580449b70f9f6030c589baf28d872f3a1

Download Submit
C:\USERS\ADMIN\DESKTOP\OPENRESIZE.SCF

Filesize
528KB

MD5
ea14f4749dd179ee9f50c396faa3f1fb

SHA1
3d5c61c3b05a1fbbe5860462f49849bd820c67be

SHA256
6095cb454274bf176fb06d1567f6aad44502e2a1cb54ad6eeacba5a805cd4527

SHA512
e8f3d650c30b319702ce2f2b8351852ab1523a1796f82d73ac7f1015e2df1dc4dcdbc0bb22d46021df640d222ac18fbe6d84e8f16a7f3542cf460ec85fc159a0

Download Submit
C:\USERS\ADMIN\DESKTOP\OPTIMIZERESTORE.RAM

Filesize
700KB

MD5
bb450d72e59c29415fd4485c4d2b608e

SHA1
2f68e658d91807bab196e58f541e3c1c902719e0

SHA256
692636a42142d76cf9abaa78c822594ad6f18ee50332cd8f33f6689e3df64560

SHA512
9a746061f628a969dd70d4785e43e711c998f0ff900b09c7371d8340d5570a2a64c2623b01d7387cbfebc60e18dab45a164753e20c1219f1cfb66b5f0f921e54

Download Submit
C:\USERS\ADMIN\DESKTOP\PROTECTUNPROTECT.TTS

Filesize
577KB

MD5
d24ff5a82c960406d52b459b47b21f19

SHA1
797c1553a8358f6467ec9ab89950d38feee77fc7

SHA256
1b9defc1f61ee75171404bdba68f836d5f0be45ac58428037aaf640c80f34552

SHA512
a1d2f45d00fd3ca9f481f266d6b0f72ffe99f39404833e220c3f2c0ecdd04303653211c92410ea3dc546148d20d7592d958d6e9f1ae48e61cb4cf5af2aab8017

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHFORMAT.ICO

Filesize
504KB

MD5
e8f262a6ca02600b53a952001e036012

SHA1
95975e96d762c69a89889c1f63e0a6b7c03debd2

SHA256
f17c8773bc8678c1da28964708809c6e80a0f9a1e1601f7b459645de7b81119f

SHA512
71ba8cc8cd576acb5ca87cc6b0a7b8c302d751a0b3c36e194f571373748399e0954c771e569b815b69a072ff012ea93e9378570c905ee733f3ec23409f13ff8a

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHSET.MTS

Filesize
823KB

MD5
41e31b337b730434e4a0aa52f8613b8a

SHA1
4a0b1b6750fca88c6accf647881ef73e1ce93b5f

SHA256
8853cea9a25377c901d7f88f2456a0ee984d8ed9c22dac63a87d93998142d1bd

SHA512
be129b8ea822b0ceaa6748f4a16434d5e08872a63f5b2b857fa000c827e688254f301cbe15a34a645305bcc7647268aa752c97c9696f9d83d668c514bbadb827

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRHIDE.AIF

Filesize
774KB

MD5
22c6314869eea91045faccdc1ab0e96c

SHA1
43d5029e2d91ecd64dd421b12d540490501827d3

SHA256
81ff538226b3a94718a6148ff22f1e64c3877ad5321f4e47f47a494c831685bc

SHA512
233ef260c1b24321c1be84625827c2170b5ec0dd5eb430efe7f0ccb2390080ec75cb06a284166bc84387ab81844ceb7ac5aa842a0ddb44bfdabcc51bc9635e91

Download Submit
C:\USERS\ADMIN\DESKTOP\SHOWREGISTER.ICO

Filesize
553KB

MD5
dc33d313935f71fa65f3976e321f9896

SHA1
0239432badbf76638f957172f6e1ca6ed71c96b0

SHA256
96bb399db200933e9224885627c09de13d2f5237e607168b2242f3bdb43524a0

SHA512
72e9d0cb3e2b929134dc224867b3ad16731f38dab2f1f992e83816e108a4196c47571ca21d721b4c0800597272cf958d3e80b5f7bfd9954d5fe24e57211247c3

Download Submit
C:\USERS\ADMIN\DESKTOP\STARTTEST.VSTM

Filesize
405KB

MD5
6b0d891789393ce504b90c41eba452a2

SHA1
aa72b350e130efeceaecb1ffb06f1b69c4115f97

SHA256
e7970ff55a4b0db94820228778b10aed484cb82de320b3ef57f493db63721cbb

SHA512
654539e3b66cc37425333054b2b1df2011d8b05b9809a10eb0db59ecd0f9895e1e3736d2cdea816911b5746ec0c3e892a2b129ab9f8e159cf5091dd4db256c7c

Download Submit
C:\USERS\ADMIN\DESKTOP\SUBMITSET.AVI

Filesize
430KB

MD5
7f8b813fe2c5aae152d84995542f8ff7

SHA1
9ad004a7a064d2ac042cf535a853d542c4c84360

SHA256
7b5b4f3be647b2a2739d080a52f846b4d461d962016426f4a0fb08b8113b911a

SHA512
985b7d6fd4ec3399d01b5d6afd442802a4783f7a8787228d0d606336c3eeab05f66ee08725f94df81376336c37593dc4fa8738fc687083c5f571eef80d841251

Download Submit
C:\USERS\ADMIN\DESKTOP\UNPROTECTCOMPRESS.DVR

Filesize
479KB

MD5
ca7f655b1ec1af9fb7d103ca290c08a4

SHA1
f2c1a338ef74912bb2553941bad59d655b5d9f61

SHA256
d3c431dd7522af81f12588a32672c3f3993ecf86358b0e47587ae11e67e61b8a

SHA512
b88f60521902763368a2002da324e48d4e3c39a5c83d7261743a7ecf60964989ad57cd3956ec8e102387bfbe2b39fc76ba8818eeb819d42bf091458f3b4c9659

Download Submit
C:\USERS\ADMIN\DESKTOP\UNPROTECTUNBLOCK.JS

Filesize
1.2MB

MD5
297277481f4b58ce2437843c7c0d4ff6

SHA1
fd8f9558cb01765f94557fdf468f7ada2ab6797a

SHA256
54bd078ab0a34967e316f8732622a2de911fc0e4174cb0519ce3f1fbfe8a282a

SHA512
55eba2057c50623601c2d6be35c79609da68d2fcae0a5ab3b0f45a4094cad878a24eb979153ad6710550d0f86f70a907503ef02fdeaa4c544857811a9dbad174

Download Submit
C:\USERS\ADMIN\DESKTOP\UPDATEPING.CAB

Filesize
307KB

MD5
9a6b0d3a38c4f6d641724959b368448d

SHA1
779c6b61de2ee7717f16a5777bac29ad2641ac98

SHA256
dbc61e2b1f2b08cef03be231db2fb2d13d5e6d083913bdc88b43e90076a0f88a

SHA512
6db1c704685eedf76e65f72088112a3c0d41dc3112a8fd8eccfc8442ff019e4a446c0d8c5e973c997d3aea9a4bde4c974499afa4eb24b51e1568b213a1e1b0c2

Download Submit
C:\USERS\ADMIN\DESKTOP\UPDATESELECT.VSDM

Filesize
602KB

MD5
86d1c45751e6b6ee1c6dbcd52e848b94

SHA1
6e8e9023953ad02b610b131e429d24da9c870fff

SHA256
689b7accb4b56084e971c17b086c7f66631e03a2869e3517a66f4f0aae26767b

SHA512
b55f03d7a5fcb085957cd761e221106824db755146d8b3ada351465f54cfcdf52e47ea3c398a5174f1d7356f76842c406871cfc2638a2c59462847e271a1ddc0

Download Submit
C:\USERS\ADMIN\DESKTOP\WRITENEW.XLT

Filesize
848KB

MD5
668233236d0454b9a92469b4967e18c5

SHA1
524c0a497f077ae21c30e09cf0a695f29ec3d30c

SHA256
ea3bffe78b49969f685864fb4d6720db294d981e3df921327a4153ad617d6727

SHA512
55c30964867d9758fda43a4d29186cdc1f25b2407f9a7937b76bdcdda19dfe52c57ddf8fa0eedfb63e1d3c53a2fb6aca98aada048ff047bbf1e57e1976c67d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
754B

MD5
7b1b2044177841af4785600993030fa4

SHA1
c65218eeaa0aecc3c5c52b36000bb9d32402f384

SHA256
dd6162eb49d05a506a88e96eb0c48ab449b539ae8106934d266da2cfcca22b99

SHA512
269f65719d2b4433acc82c81739c3efde982dc10811a6e3f5c5b9f3f91e6f328e1ab417f1582e325ca3a0b9e42844c1db56e5d47f269abb39db9ad2889b732f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
690B

MD5
543204d081d2a679def7612f3e1e29c2

SHA1
6a0778017c6ed10134707a9c8dc684445572e282

SHA256
e5fb46bacc1652b2b07aeab2e79b453b7613aacf990720e142a00aac42c4c9b8

SHA512
f9839319e4442a0dbc02e7d865607024cf4eadc3f4e182da60ccd6334fdfd6d5ec3421141c6648e1866a5ea87bb1c739d88890b32cf567f73cc3a940679d1439

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
14KB

MD5
8d23816cadf1db21b5672c3fd28621b4

SHA1
d3122f605eae66f3a7eee2be022a941bfd21c061

SHA256
54531b74ac9460407b82610736ff24d8e93c9764a9add82f87bb1e457b5c0c2d

SHA512
befd48c6d593222149c839c101a7c09786c75fe29b9c3016cea1454341667558d2fd80d6b3fa0ad4cfbaa03e83b2489850689a55470c959c155cbf3183a48251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
e2a22d2827859dae6f9af33bb39538c9

SHA1
120a8b7b188fe0066cfd311170963d9b95ffa007

SHA256
74d492725d170de39f6f6ce5e186544ec30e3dba923fdc053f2e0215668bc3a5

SHA512
2383f68992a42b5c2910c0bd4b74fc3253d65465ad3acdac225dde61b1229afaa02e50dc7179465c728915fd5dba3441c0b62fa185985c9001367ac33027e813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
cb4a8ea57c56876c0fcd4e94c738f937

SHA1
0c03a7fdef75984a16231fa4ae089d7461d0dc0a

SHA256
9c579510e63f6de1758ca2a7e18bfbf24c9311afbf6c92d77a5c812daf0ad120

SHA512
49167bf06fbcc2a922bcadd4b253721c5679401bfa959d002d5141f249fd1ac53e50535ccd9a38b780f5c58e1a9e26baf3c054bb6e119b781956e69d2dcb3742

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml

Filesize
96B

MD5
732a32ad072ef786d816a4f85b1b6bea

SHA1
fe1945717c160ac3266f291564a003c044d409b0

SHA256
7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e

SHA512
55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133802881769002686.txt

Filesize
74KB

MD5
7d4cedc98a2ae6ca99a9df4b9cecec13

SHA1
2717b3371155c15ec0dce54ea59d855e7d2f37c9

SHA256
072c63fa37baa7ca4fc04c6d3e44de31647b7fade4985c3f4aff06d9102379db

SHA512
232d6ff7af974a711884ef52e2b021307612f9c10d6f4eea03d9d6de4ad7b41d3ea2867ba10a6dfb1a96eb02ac23f038a0c5c485c27024a8c266866331c9f6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\08e575673cce10c72090304839888e02_a63d6fdc-08cb-4232-ab51-76cafdcb4d96

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Public\wwEsu.exe

Filesize
168KB

MD5
166686d538ec9a0e0550347149aac4cc

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

SHA512
72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
F:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
memory/2940-36896-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/2940-8-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/3004-37154-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/3748-36905-0x000002991A4A0000-0x000002991A4A8000-memory.dmp

Filesize
32KB

Download
memory/3748-37195-0x000002991A680000-0x000002991A681000-memory.dmp

Filesize
4KB

Download
memory/3748-36903-0x000002991A4A0000-0x000002991A4A1000-memory.dmp

Filesize
4KB

Download
memory/3748-36906-0x0000029917F10000-0x0000029917F11000-memory.dmp

Filesize
4KB

Download
memory/3748-36899-0x000002991A660000-0x000002991A668000-memory.dmp

Filesize
32KB

Download
memory/3748-36955-0x000002991A4A0000-0x000002991A4A8000-memory.dmp

Filesize
32KB

Download
memory/3748-36902-0x000002991A4B0000-0x000002991A4B8000-memory.dmp

Filesize
32KB

Download
memory/3748-36900-0x000002991A5F0000-0x000002991A5F1000-memory.dmp

Filesize
4KB

Download
memory/3748-36945-0x0000029916680000-0x0000029916690000-memory.dmp

Filesize
64KB

Download
memory/3748-37026-0x000002991A740000-0x000002991A741000-memory.dmp

Filesize
4KB

Download
memory/3748-37025-0x000002991A750000-0x000002991A758000-memory.dmp

Filesize
32KB

Download
memory/3748-37251-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/3748-37194-0x000002991A6B0000-0x000002991A6B8000-memory.dmp

Filesize
32KB

Download
memory/3748-36939-0x0000029916410000-0x0000029916420000-memory.dmp

Filesize
64KB

Download
memory/3848-179-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/3912-37020-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/4000-36897-0x00007FF665FC0000-0x00007FF665FF5000-memory.dmp

Filesize
212KB

Download
memory/5456-37063-0x000001F651430000-0x000001F651450000-memory.dmp

Filesize
128KB

Download
memory/5456-37082-0x000001F651840000-0x000001F651860000-memory.dmp

Filesize
128KB

Download
memory/5456-37045-0x000001F651470000-0x000001F651490000-memory.dmp

Filesize
128KB

Download
memory/5456-37040-0x000001F650440000-0x000001F650540000-memory.dmp

Filesize
1024KB

Download
memory/8144-37272-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/8464-37293-0x000002255B740000-0x000002255B760000-memory.dmp

Filesize
128KB

Download
memory/8464-37280-0x000002255A420000-0x000002255A520000-memory.dmp

Filesize
1024KB

Download
memory/8464-37285-0x000002255B780000-0x000002255B7A0000-memory.dmp

Filesize
128KB

Download
memory/8464-37302-0x000002255BB50000-0x000002255BB70000-memory.dmp

Filesize
128KB

Download
memory/10728-37039-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/13404-37279-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/16720-37444-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/17156-37448-0x0000020973F00000-0x0000020974000000-memory.dmp

Filesize
1024KB

Download
memory/17156-37451-0x0000020974FC0000-0x0000020974FE0000-memory.dmp

Filesize
128KB

Download
memory/17156-37447-0x0000020973F00000-0x0000020974000000-memory.dmp

Filesize
1024KB

Download
memory/17156-37446-0x0000020973F00000-0x0000020974000000-memory.dmp

Filesize
1024KB

Download