md5,sha256,IMPHASH
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc"
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\wermgr.exe -upload
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\windows\system32\wermgr.exe -queuereporting
\??\C:\Windows\system32\autochk.exe *
\SystemRoot\System32\smss.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
C:\Windows\System32\TokenBrokerCookies.exe
C:\Windows\System32\plasrv.exe
C:\Windows\System32\wifitask.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\mobsync.exe
C:\Windows\system32\musNotification.exe
C:\Windows\system32\musNotificationUx.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\sndVol.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\WmiApSrv.exe
AppContainer
%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
C:\windows\system32\wermgr.exe -queuereporting
C:\WINDOWS\system32\devicecensus.exe UserCxt
C:\Windows\System32\usocoreworker.exe -Embedding
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Windows\system32\svchost.exe -k appmodel
C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
C:\Windows\system32\svchost.exe -k camera -s FrameServer
C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k localService -s EventSystem
C:\Windows\system32\svchost.exe -k localService -s bthserv
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
C:\Windows\system32\svchost.exe -k localService -s nsi
C:\Windows\system32\svchost.exe -k localService -s w32Time
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe -k localServiceNoNetwork
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC
C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
C:\Windows\system32\svchost.exe -k netsvcs -s Themes
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
C:\Windows\system32\svchost.exe -k networkService -s Dnscache
C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
C:\Windows\system32\svchost.exe -k networkService -s TermService
C:\Windows\system32\svchost.exe -k networkService
C:\Windows\system32\svchost.exe -k networkService -p
C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k rPCSS
C:\Windows\system32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k unistackSvcGroup
C:\Windows\system32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k wbioSvcGroup
C:\Windows\system32\svchost.exe -k werSvcGroup
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
"C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type=
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office16\msoia.exe
C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
C:\Users
.exe
\Device\HarddiskVolumeShadowCopy
OneDrive.exe
C:\Windows\system32\backgroundTaskHost.exe
setup
install
Update\
redist.exe
msiexec.exe
TrustedInstaller.exe
\NVIDIA\NvBackend\ApplicationOntology\
C:\Users
C:\Recycle
C:\ProgramData
C:\Windows\Temp
\
C:\perflogs
C:\intel
C:\Windows\fonts
C:\Windows\system32\config
at.exe
certutil.exe
cmd.exe
cmstp.exe
cscript.exe
driverquery.exe
dsquery.exe
hh.exe
infDefaultInstall.exe
java.exe
javaw.exe
javaws.exe
mmc.exe
msbuild.exe
mshta.exe
msiexec.exe
nbtstat.exe
net.exe
net1.exe
notepad.exe
nslookup.exe
powershell.exe
powershell_ise.exe
qprocess.exe
qwinsta.exe
qwinsta.exe
reg.exe
regsvcs.exe
regsvr32.exe
rundll32.exe
rwinsta.exe
sc.exe
schtasks.exe
taskkill.exe
tasklist.exe
wmic.exe
wscript.exe
bitsadmin.exe
esentutl.exe
expand.exe
extrac32.exe
findstr.exe
GfxDownloadWrapper.exe
ieexec.exe
makecab.exe
replace.exe
Excel.exe
Powerpnt.exe
Winword.exe
squirrel.exe
nc.exe
ncat.exe
psexec.exe
psexesvc.exe
tor.exe
vnc.exe
vncservice.exe
vncviewer.exe
winexesvc.exe
nmap.exe
psinfo.exe
22
23
25
143
3389
5800
5900
4444
1080
3128
8080
1723
9001
9030
C:\ProgramData\Microsoft\Windows Defender\Platform\
AppData\Local\Microsoft\Teams\current\Teams.exe
.microsoft.com
microsoft.com.akadns.net
microsoft.com.nsatc.net
23.4.43.27
72.21.91.29
127.0.0.1
fe80:0:0:0
C:\Users
\
microsoft
windows
Intel
C:\Users\
C:\PerfLogs\
\ProgramData\
\Downloads\
\Windows\Fonts
\Windows\Tasks
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\
R:\
S:\
T:\
U:\
V:\
W:\
X:\
Y:\
Z:\
\Microsoft\OneDrive\2
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\kernel32.dll
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
\Start Menu
\Startup\
\Content.Outlook\
\Downloads\
.application
.appref-ms
.bat
.chm
.cmd
.cmdline
.crx
.dmp
.docm
.dll
.exe
.exe.log
.jar
.jnlp
.jse
.hta
.job
.pptm
.ps1
.sct
.sys
.scr
.vbe
.vbs
.wsc
.wsf
.xlsm
.ocx
.lnk
.url
proj
.sln
.xls
C:\Users\Default
C:\Windows\system32\Drivers
C:\Windows\SysWOW64\Drivers
C:\Windows\system32\GroupPolicy\Machine\Scripts
C:\Windows\system32\GroupPolicy\User\Scripts
C:\Windows\system32\Wbem
C:\Windows\SysWOW64\Wbem
C:\Windows\system32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
C:\Windows\Tasks\
C:\Windows\system32\Tasks
C:\Windows\SysWOW64\Tasks
\Device\HarddiskVolumeShadowCopy
C:\Windows\AppPatch\Custom
VirtualStore
.xls
.ppt
.rtf
C:\Program Files\Microsoft Office (x86)\Templates
C:\Program Files\Microsoft Office\Templates
C:\Program Files (x86)\Microsoft Office\root\Templates
C:\Program Files\Microsoft Office\root\Templates
C:\ProgramData
C:\Windows\Temp
C:\Windows\Fonts
C:\Windows\Tasks
C:\PerfLogs
C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\system32\smss.exe
C:\Windows\system32\CompatTelRunner.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\mobsync.exe
C:\Windows\system32\DriverStore\Temp\
C:\Windows\system32\wbem\Performance\
C:\Windows\Installer\
C:\$WINDOWS.~BT\Sources\
C:\Windows\winsxs\amd64_microsoft-windows
\Windows\system32\WerFault.exe
CurrentVersion\Run
Policies\Explorer\Run
Group Policy\Scripts
Windows\System\Scripts
CurrentVersion\Windows\Load
CurrentVersion\Windows\Run
CurrentVersion\Winlogon\Shell
CurrentVersion\Winlogon\System
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
UserInitMprLogonScript
user shell folders\startup
\ServiceDll
\ServiceManifest
\ImagePath
\Start
Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Control\Terminal Server\fSingleSessionPerUser
fDenyTSConnections
LastLoggedOnUser
RDP-tcp\PortNumber
Services\PortProxy\v4tov4
\command\
\ddeexec\
{86C86720-42A0-1069-A2E8-08002B30309D}
exefile
\InprocServer32\(Default)
\Hidden
\ShowSuperHidden
\HideFileExt
Classes\*\
Classes\AllFilesystemObjects\
Classes\Directory\
Classes\Drive\
Classes\Folder\
Classes\PROTOCOLS\
ContextMenuHandlers\
CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
\ProxyServer
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
HKLM\Software\Microsoft\Netsh
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
\EnableFirewall
\DoNotAllowExceptions
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
Microsoft\Office\Outlook\Addins\
Office Test\
Security\Trusted Documents\TrustRecords
\EnableBHO
Internet Explorer\Toolbar\
Internet Explorer\Extensions\
Browser Helper Objects\
\DisableSecuritySettingsCheck
\3\1206
\3\2500
\3\1809
HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\
HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\
HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\
\UrlUpdateInfo
\InstallSource
\EulaAccepted
\DisableAntiSpyware
\DisableAntiVirus
\SpynetReporting
DisableRealtimeMonitoring
\SubmitSamplesConsent
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\Software\Microsoft\Security Center\
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
VirtualStore
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
\FriendlyName
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\Software\Microsoft\Tracing\RASAPI32
HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\
\Keyboard Layout\Preload
\Keyboard Layout\Substitutes
\LowerCaseLongPath
\Publisher
\BinProductVersion
\DriverVersion
\DriverVerVersion
\LinkDate
Compatibility Assistant\Store\
regedit.exe
reg.exe
powershell.exe
powershell_ise.exe
pwsh.exe
wscript.exe
cscript.exe
C:\Users\Public
C:\Windows\Temp
C:\Windows\Fonts
\appdata\local\
\
\{CAFEEFAC-
CreateKey
HKLM\COMPONENTS
HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache
Toolbar\WebBrowser
Browser\ITBar7Height
Browser\ITBar7Layout
Internet Explorer\Toolbar\Locked
Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
_Classes\AppX
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
\Services\BITS\Start
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\deviceAssociationService\Start
\services\fhsvc\Start
\services\nal\Start
\services\trustedInstaller\Start
\services\tunnel\Start
\services\usoSvc\Start
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
Shell Extentions\Cached
HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime
\safer\codeidentifiers\0\HASHES\{
VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKCR\VLC.
HKCR\iTunes.
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658}
\CompatTelRunner.exe
Downloads
Temp\7z
Startup
.bat
.cmd
.doc
.hta
.jse
.lnk
.ppt
.ps1
.ps2
.reg
.sct
.vb
.vbe
.vbs
.wsc
.wsf
paexec;remcom;csexec
\lsadump;\cachedump;\wceservicepipe
\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc
\atctl;\userpipe;\iehelper;\sdlrpc;\comnap
MSSE-;-server
\postex_
\postex_ssh_
\status_
\msagent_
\mojo.5688.8052.
\ntsvcs
\DserNamePipe
\SearchTextHarvester
\scerpc
\mypipe-f
\mypipe-h
\windows.update.manager
\win_svc
.arpa.
.arpa
.msftncsi.com
..localmachine
localhost
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.s-microsoft.com
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
C:\ProgramData\Microsoft\Windows Defender\Platform\
.activedirectory.windowsazure.com
.aria.microsoft.com
.msauth.net
.msftauth.net
.office.net
.opinsights.azure.com
.res.office365.com
acdc-direct.office.com
atm-fp-direct.office.com
loki.delve.office.com
management.azure.com
messaging.office.com
outlook.office365.com
portal.azure.com
protection.outlook.com
substrate.office.com
.measure.office.com
.adobe.com
.adobe.io
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
.spotify.com
.spotify.map.fastly.net
.wbx2.com
.webex.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
safebrowsing.googleapis.com
.akadns.net
.netflix.com
aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
fonts.googleapis.com
.typekit.net
cdnjs.cloudflare.com
.stackassets.com
.steamcontent.com
play.google.com
content-autofill.googleapis.com
.disqus.com
.fontawesome.com
disqus.com
.1rx.io
.2mdn.net
.3lift.com
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.adsymptotic.com
.advertising.com
.agkn.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.everesttech.net
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.krxd.net
.lijit.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.pscp.tv
.amazontrust.com
.digicert.com
.globalsign.com
.globalsign.net
.intel.com
.symcb.com
.symcd.com
.thawte.com
.usertrust.com
.verisign.com
ocsp.identrust.com
pki.goog
msocsp.com
ocsp.comodoca.com
ocsp.entrust.net
ocsp.godaddy.com
ocsp.int-x3.letsencrypt.org
ocsp.msocsp.com
pki.goog
ocsp.godaddy.com
amazontrust.com
ocsp.sectigo.com
pki-goog.l.google.com
.usertrust.com
ocsp.comodoca.com
ocsp.verisign.com
ocsp.entrust.net
ocsp.identrust.com
status.rapidssl.com
status.thawte.com
ocsp.int-x3.letsencrypt.org
NETWORK SERVICE
LOCAL SERVICE
\appdata\local\google\chrome\user data\swreporter\
software_reporter_tool.exe
C:\Program Files
\CompatTelRunner.exe
\WerFault.exe
\DllHost.exe
\SearchIndexer.exe
C:\Windows\System32\GroupPolicy\DataStore
C:\Windows\Prefetch