md5,imphash,sha256 unknown process unknown process regsvr32.exe bitsadmin.exe eventvwr.exe fodhelper.exe InstallUtil.exe /logfile= /LogToConsole=false /U MSBuild.exe regsvcs.exe regasm.exe SyncAppvPublishingServer.exe control.exe control.exe /name rundll32.exe shell32.dll,Control_RunDLL mshta.exe mshta.exe wevutil.exe wevutil cl C:\Windows\Fonts\ C:\Windows\Fonts\ \htdocs\ C:\Windows\Media\ C:\Users\Public\ C:\Windows\system32\config\systemprofile\ C:\Windows\addins\ C:\Windows\Debug\ C:\Users\NetworkService\ C:\PerfLogs\ C:\Users\Default\ C:\Windows\Help\ C:\Intel\Logs\ C:\Windows\repair\ C:\$Recycle.bin\ C:\Windows\security\ \wwwroot\ \htdocs\ C:\Windows\Media\ C:\Windows\addins\ C:\ProgramData C:\Windows\system32\config\systemprofile\ C:\Users\NetworkService\ C:\Windows\Debug\ C:\Temp C:\Windows\Temp C:\PerfLogs\ C:\Users\Default\ C:\Windows\Help\ C:\Intel\Logs\ C:\Windows\repair\ C:\$Recycle.bin\ C:\Users\Public\ C:\Windows\security\ C:\Users C:\Windows\Fonts\ \wwwroot\ MpCmdRun.exe PsKill.exe DisableIOAVProtection RemoveDefinitions Add-MpPreference net user net user net.exe user net.exe user net1 user net1 user net1.exe user net1.exe user net localgroup net localgroup net.exe localgroup net.exe localgroup net1 localgroup net1 localgroup net group net group net group net group net.exe group net.exe group net group net group net.exe group net.exe group net1.exe group net1.exe group dsadd dsmod dsquery.exe dsmod.exe dsadd.exe whoami.exe ipconfig.exe tasklist.exe sysinfo.exe netstat.exe qprocess.exe quser.exe route.exe reg query reg.exe query netsh.exe wscript.exe pcalua.exe cscript.exe wscript.exe pcalua.exe cscript.exe COMSPEC COMSPEC powershell.exe powershell_ise.exe powershell.exe -Version powershell powershell powershell -Version iex Invoke-Expression iwr Invoke-WebRequest DownloadFile DownloadString Net.WebClient System.Net.WebRequest System.Net.SecurityProtocolType Shellcode bash.exe bash.exe psexesvc.exe Execute processes remotely psexec.exe Execute 
processes remotely pskill.exe forfiles.exe forfiles.exe pcalua.exe wsmprovhost.exe wsmprovhost.exe winrm.cmd sethc.exe utilman.exe osk.exe Magnify.exe DisplaySwitch.exe Narrator.exe AtBroker.exe sdbinst.exe schtasks.exe schtasks.exe schtasks /create schtasks.exe /create at.exe at.exe System.Management.Automation net user /add net localgroup administrators /add sc create sc.exe create new-service wmiprvse.exe /shadow /noConsentPrompt FromBase64String convertto-securestring VerbosePreference.ToString runtime.interopservices.marshal VerbosePreference.ToString -windowstyle h -windowstyl h -windowsty h -windowst h -windows h -window h -windo h -wind h -win h -wi h -w h -wi h -win hi -win hid -win hidd -win hidde -win hidden -Nop -Noni -encodedc -ec -en ^c^o^m^S^p^E^c^ C^om^S^pEc query.exe tracert.exe tree.com runas.exe taskkill.exe klist.exe hh.exe odbcconf.exe pcalua.exe attrib.exe cmdkey.exe nltest.exe nltest.exe ExtExport bash -c bash.exe -c cmdkey /list cmdkey.exe /list certutil.exe -urlcache -split -f certutil -urlcache -split -f csc -out: csc.exe -out: csc -target:library csc.exe -target:library cmdkey /list cmd.exe /k cmstp.exe /ni /s cmstp /ni /s esentutl.exe /y \\ esentutl /y \\ expand \\ expand.exe \\ extrac32 \\ extrac32.exe \\ ieexec.exe http ieexec http diskshadow advpack.dll,LaunchINFSection mshtml,RunHTMLApplication /s /n /u /i:http: mshtml,RunHTMLApplication bginfo.bgi /popup /nolicprompt set setx pushd popd subst ren move md del rd expand find.exe format format assoc cls.exe doskey.exe Mavinject.exe /INJECTRUNNING CMSTP.exe certutil.exe -decode certutil -decode acrobat.exe acrord32.exe chrome.exe firefox.exe iexplore.exe MicrosoftEdgeCP.exe MicrosoftEdge.exe vivaldi.exe waterfox.exe java.exe javaw.exe word.exe excel.exe POWERPNT.exe outlook.exe visio.exe msaccess.exe lync.exe skype.exe 2> < > ^ & ; | more \\tsclient .. 
wmic shadowcopy delete wbadmin delete catalog /set {default} recoveryenabled no telnet -dumpcr putty bash.exe pssh sdelete shareenum sekurlsa reg SAVE Invoke-DllInjection Invoke-Shellcode Invoke-WmiCommand Get-GPPPassword Get-Keystrokes Get-TimedScreenshot Get-VaultCredential Invoke-CredentialInjection mimikatz Invoke-NinjaCopy Invoke-TokenManipulation Out-Minidump VolumeShadowCopyTools Invoke-ReflectivePEInjection Invoke-UserHunter Find-GPOLocation Invoke-ACLScanner Invoke-DowngradeAccount Get-ServiceUnquoted Get-ServiceFilePermission Get-ServicePermission Invoke-ServiceAbuse Install-ServiceBinary Get-RegAutoLogon Get-VulnAutoRun Get-VulnSchTask Get-UnattendedInstallFile Get-WebConfig Get-ApplicationHost Get-RegAlwaysInstallElevated Get-Unconstrained Add-RegBackdoor Add-ScrnSaveBackdoor Gupt-Backdoor Invoke-ADSBackdoor Enabled-DuplicateToken Invoke-PsUaCme Remove-Update Check-VM Get-LSASecret Get-PassHashes Show-TargetScreen Port-Scan netscan psscan Invoke-PoshRatHttp Invoke-PowerShellTCP Invoke-PowerShellWMI Add-Exfiltration Add-Persistence Do-Exfiltration Start-CaptureServer Invoke-DllInjection Invoke-ReflectivePEInjection Invoke-ShellCode Get-ChromeDump Get-ClipboardContents Get-FoxDump Get-IndexedItem Get-Keystrokes Get-Screenshot Invoke-Inveigh Invoke-NetRipper Invoke-NinjaCopy Out-Minidump Invoke-EgressCheck Invoke-PSInject Invoke-RunAs MailRaider New-HoneyHash Set-MacAttribute Get-VaultCredential Invoke-DCSync Invoke-PowerDump Invoke-TokenManipulation Exploit-Jboss Invoke-ThunderStruck Invoke-VoiceTroll Set-Wallpaper Invoke-InveighRelay Invoke-PsExec Invoke-SSHCommand Get-SecurityPackages Install-SSP Invoke-BackdoorLNK PowerBreach Get-GPPPassword Get-SiteListPassword Get-System BypassUAC Invoke-Tater PowerUp PowerView Get-RickAstley Find-Fruit HTTP-Login Find-TrustedDocuments Invoke-Paranoia Invoke-WinEnum Invoke-ARPScan Invoke-ReverseDNSLookup smbscanner Invoke-FruityC2 Invoke-Stager process call create call set priority call terminate product get name 
bios, get serialNumber onboarddevice get useraccount where name nteventlog where filename cleareventlog root\\default FilterToConsumerBinding root\\subscription Win32_TaskService Win32_TaskService stratum+tcp -donate-level= Wmiclass WmiCl'+'as'+'s ntdsutil mimiauth Powersploit Mimikittenz -ma lsass.exe ProcDump.exe AdjustTokenPrivileges IMAGE_NT_OPTIONAL_HDR64_MAGIC Management.Automation.RuntimeException Microsoft.Win32.UnsafeNativeMethods ReadProcessMemory.Invoke Runtime.InteropServices SE_PRIVILEGE_ENABLED System.Security.Cryptography System.Runtime.InteropServices LSA_UNICODE_STRING MiniDumpWriteDump PAGE_EXECUTE_READ Net.Sockets.SocketFlags Reflection.Assembly SECURITY_DELEGATION TOKEN_ADJUST_PRIVILEGES TOKEN_ALL_ACCESS TOKEN_ASSIGN_PRIMARY TOKEN_DUPLICATE TOKEN_ELEVATION TOKEN_IMPERSONATE TOKEN_INFORMATION_CLASS TOKEN_PRIVILEGES TOKEN_QUERY Metasploit Mimikatz usn deletejournal ^h^t^t^p h"t"t"p script:http rundll32.exe notepad.exe regsvr32.exe regsvcs.exe C:\Windows\system32\svchost.exe mshta.exe psexe pskill psshutdown psservice PsPasswd msbuild.exe msiexec.exe mstsc.exe telnet.exe SyncAppvPublishingServer.exe Mavinject.exe ssh.exe putty.exe kitty.exe kitty_portable.exe psftp.exe tftp.exe wmic.exe nbtstat.exe driverquery.exe infDefaultInstall.exe sc.exe auditpol.exe qwinsta.exe rwinsta.exe curl.exe wget.exe www.exe awk.exe sed.exe stratum+tcp coinhive minergate ccminer cgminer sgminer rainbowminer xmrMiner poolpassword poolurl poolname ahashpool poolname blazepool blockmasters blockmasterscoins hashrefinery miningpoolhubcoins nicehash yiimp zergpool zergpoolcoins zpool tor.exe .com \temp\ C:\users explorer.exe control.exe acrord32.exe installutil.exe \reg.exe ipconfig.exe \appdata\ \programdata\ \Users \ProgramData \Windows\ \Perflogs\ \config\systemprofile\ netsh advfirewall firewall \ DisableRealtimeMonitoring --disable-http2 --disable-quic 291ff87948e45914424cec9510c297da 304772c80b157a916c7041f2f15939fb 5E022694C0DBD1FBBC263D608E577949 
71345b139166482acaa568ac8816c7bc 1b60021baedc3f9201bcdb40e9b87f62 c7c8d584758854bbe0d8e64ef53ae1a8 AppContainer C:\Windows\system32\DllHost.exe /Processid C:\Windows\system32\SearchIndexer.exe /Embedding C:\Windows\System32\CompatTelRunner.exe C:\Windows\System32\MusNotification.exe C:\Windows\System32\MusNotificationUx.exe C:\Windows\System32\audiodg.exe C:\Windows\System32\conhost.exe C:\Windows\System32\powercfg.exe C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\sppsvc.exe C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\DllHost.exe /Processid C:\Windows\system32\svchost.exe -k DcomLaunch \SystemRoot\System32\smss.exe 00000100 0000007c \SystemRoot\System32\smss.exe 00000100 0000007c C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\vssvc.exe net.exe use net use net1 use net.exe time net time net1 time C:\Program Files\Windows Defender C:\Windows\System32\CompatTelRunner.exe C:\Windows\System32\wermgr.exe C:\Windows\SysWOW64\wermgr.exe C:\Windows\System32\MpSigStub.exe C:\Windows\SoftwareDistribution\Download\Install\AM_Delta C:\Windows\SoftwareDistribution\Download\Install\AM_Engine C:\Windows\SoftwareDistribution\Download\Install\AM_Base C:\Windows\System32\MusNotification.exe C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\SearchIndexer.exe /Embedding C:\Windows\System32\svchost.exe -k wsappx C:\Windows\System32\svchost.exe -k appmodel C:\Windows\System32\svchost.exe -k UnistackSvcGroup C:\Windows\System32\svchost.exe -k defragsvc C:\Windows\System32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k utcsvc C:\Windows\System32\svchost.exe -k wbioSvcGroup C:\Windows\System32\svchost.exe -k DcomLaunch C:\Windows\System32\svchost.exe -k swprv C:\Windows\System32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k 
NetworkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc C:\Windows\system32\svchost.exe -k localServiceNoNetwork C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC C:\Windows\system32\svchost.exe -k netsvcs -s BITS C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc C:\Windows\system32\svchost.exe -k netsvcs -s SENS C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv C:\Windows\system32\svchost.exe -k netsvcs -s Themes C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc C:\Windows\system32\svchost.exe -k networkService -s Dnscache C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation C:\Windows\system32\svchost.exe -k networkService -s 
NlaSvc C:\Windows\system32\svchost.exe -k networkService -s TermService C:\Windows\system32\svchost.exe -k networkService C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k rPCSS C:\Windows\system32\svchost.exe -k secsvcs C:\Windows\system32\svchost.exe -k swprv C:\Windows\system32\svchost.exe -k unistackSvcGroup C:\Windows\system32\svchost.exe -k utcsvc C:\Windows\system32\svchost.exe -k wbioSvcGroup C:\Windows\system32\svchost.exe -k werSvcGroup C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC C:\Windows\system32\svchost.exe -k wsappx C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k GPSvcGroup C:\Windows\System32\svchost.exe -k tapisrv C:\WINDOWS\System32\svchost.exe -k wsappx C:\Windows\System32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\System32\powercfg.exe C:\Windows\System32\taskeng.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe C:\Program Files\Common Files\Microsoft 
Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe C:\Windows\splwow64.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1 C:\Windows\System32\ddpcli.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= C:\Program Files (x86)\Google\Update\ C:\Program Files (x86)\Google\Update\ "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel AcroRd32.exe" /CR AcroRd32.exe" --channel= "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe C:\Program Files (x86)\Adobe\Acrobat 
Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{ C:\Program Files\NVIDIA Corporation\ \NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe C:\Program Files\Realtek\ C:\Program Files\DellTPad\HidMonitorSvc.exe "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe C:\Program Files\Dell\SupportAssist\pcdrcui.exe 
C:\Program Files\Dell\SupportAssist\koala.exe "-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe C:\Windows\system32\LPlatSvc.exe C:\Program Files\Lenovo\HOTKEY\tphkload.exe C:\Program Files\Lenovo\HOTKEY\micmute.exe C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe C:\Program Files (x86)\Lenovo\System Update\SUService.exe C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard & Mouse\Pelico.exe C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard & Mouse\LeDaemon.exe C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe C:\Program Files (x86)\Lenovo\System Update\tvsu.exe C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe C:\Program Files (x86)\SCM\SCM.exe C:\Program Files (x86)\SCM\SCM_Notice.exe C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe C:\Program Files\Intel\Telemetry 2.0\lrio.exe C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe 
C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc C:\Program Files (x86)\Webroot\WRSA.exe" -ul "C:\Program Files (x86)\Webroot\WRSA.exe" -service C:\Program Files (x86)\Webroot\WRSA.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe ScreenConnect.WindowsClient.exe C:\Program Files (x86)\SmartGit C:\Program Files (x86)\SmartGit Vivaldi\Application\vivaldi.exe controls\cef\ConnectWise.exe C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe C:\Program Files (x86)\SyncedTool\bin\agent_service.exe C:\Program Files (x86)\Notepad++\notepad++.exe C:\Program Files\OpenVPN\bin\openvpn-gui.exe C:\Program Files (x86)\Enpass\Enpass.exe C:\Program Files (x86)\Enpass\Enpass.exe C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe C:\Anchor Server\penv\Scripts\python.exe C:\Anchor Server\redis\redis-server.exe C:\Anchor Server\redis\redis-server.exe C:\PostgreSQL9.1\bin\postgres.exe C:\PostgreSQL9.1\bin\postgres.exe C:\ProgramData\sysmon\sysmon64.exe 56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900 C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe N-able Technologies\Windows Software Probe\bin\wsp.exe C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe C:\Program Files (x86)\N-able Technologies\Windows 
Agent\bin\AutomationManager.ScriptRunner64.exe C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe 3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818 \sysmon\Auto_Update.bat \sysmon\Auto_Update.bat ion-storm/sysmon-config \netlogon\ \netlogon\ C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE net use net.exe use net1 use net1.exe use net time net.exe time net1 time C:\Windows\system32\cmd.exe /c UsrLogon.cmd C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe chrome.nativeMessaging.out C:\Users C:\ProgramData \Temp\ C:\Windows\system32\backgroundTaskHost.exe TrustedInstaller.exe OneDrive.exe vivaldi.exe chrome.exe C:\WINDOWS\system32\backgroundTaskHost.exe setup C:\Users \temp\ $RECYCLE.BIN C:\ProgramData C:\Perflogs\ config\systemprofile\ \Windows\Fonts\ \Windows\IME\ \Windows\addins\ chrome.exe iexplore.exe firefox.exe MicrosoftEdgeCP.exe MicrosoftEdge.exe explorer.exe unknown process at.exe schtasks.exe certutil.exe cmd.exe cscript.exe wscript.exewscript.exe rundll32.exe notepad.exe regsvr32.exe regsvcs.exe C:\Windows\system32\svchost.exe mshta.exe powershell.exe psexe pskill psshutdown psservice PsPasswd java.exe msbuild.exe installutil.exe msiexec.exe reg.exe mstsc.exe telnet.exe SyncAppvPublishingServer.exe Mavinject.exe ssh.exe putty.exe kitty.exe kitty_portable.exe psftp.exe tftp.exe wmic.exe net.exe nbtstat.exe dsquery.exe driverquery.exe infDefaultInstall.exe sc.exe auditpol.exe qwinsta.exe rwinsta.exe tor.exe 185.41.154.130 37.252.190.176 82.118.17.235 83.163.164.15 69.163.34.173 159.89.151.231 212.47.246.229 84.40.112.70 2.137.16.245 199.249.223.62 185.22.172.237 88.99.216.194 185.13.39.197 162.247.72.201 174.127.217.73 
githubusercontent.com github.com api.ipify.org whatismyipaddress.com edns.ip-api.com checkip.dyndns.org icanhazip.com ifconfig.me ifconfig.co ipaddress.com ipinfo.io ident.me api.ip.sb www.myexternalip.com ip.anysrc.net wtfismyip.com myexternalip.com api.ip.sb ipecho.net checkip.amazonaws.com goo.gl git.io bit.ly t.co ow.ly ip-api.com dlinkddns.com no-ip.com no-ip.org no-ip.biz no-ip.info noip.com afraid.org duckdns.org changeip.com ddns.net hopto.org zapto.org servehttp.com sytes.net onion.to onion.cab onion.sh onion.nu onion.direct tor2web.org tor2web.fi tor2web.io tor2web.blutmagie.de tor-gateways.de hiddenservice.net shodan shadow researchscan census sl-reverse scanhub .edu 158.130.6. 71.6.216. 137.226.113. 138.246.252. 128.32.30. 208.93.152. 162.216.46. 169.229.3. 155.94.254. 98.143.148. 155.94.222. 134.147.203. 69.170.62. 159.203.213. 209.236.120. 158.130.6 blazepool blockmasters blockmasterscoins hashrefinery miningpoolhubcoins nicehash yiimp zergpool zergpoolcoins zpool slushpool minexmr minergate monero prohash dwarfpool nanopool.org mixpools.org viaxmr.com hashvault.pro moriaxmr.com suprnova.cc mixpools.org monero usxmrpool xmrpool poolto.be mineXMR prohash.net mine.bz mypool.online bohemianpool mineXMR iwanttoearn.money pool.xmr crypto-pool miners.pro minercircle.com monero.lindon-pool.win teracycle.net ratchetmining.com cryptmonero mineXMR 80 443 3389 3540 22 23 25 139 5800 5900 1194 1701 1723 1293 4500 1080 8080 3128 9001 9030 4443 2448 8143 1777 1443 243 65535 13506 3360 200 198 49180 13507 3360 6625 4444 4438 1904 13505 13504 12102 9631 5445 2443 777 13394 13145 12103 5552 3939 3675 666 473 5649 4455 4433 1817 100 65520 1960 1515 743 700 14154 14103 14102 12322 10101 7210 4040 9943 7777 9943 666 C:\Windows\System32\dns.exe C:\Windows\System32\find.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe C:\Program Files\Microsoft\Exchange 
Server\V15\Bin\EdgeTransport.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe aps.windows.com arc.msn.com arc.msn.com.nsatc.net atson.telemetry.microsoft.com au.download.windowsupdate.com b.akamaiedge.net bing.com cdn.onenote.net client-office365-tas.msedge.net config.edge.skype.com csp.digicert.com ctldl.windowsupdate.com cy2.licensing.md.mp.microsoft.com.akadns.net cy2.settings.data.microsoft.com.akadns.net displaycatalog.mp.microsoft.com download.windowsupdate.com e3.delivery.dsp.mp.microsoft.com.nsatc.net e-msedge.net emdl.ws.microsoft.com ettings-win.data.microsoft.com fe2.update.microsoft.com fe3.delivery.dsp.mp.microsoft.com.nsatc.net fe3.delivery.mp.microsoft.com g.akamaiedge.net g.live.com g.msn.com.nsatc.net geo-prod.do.dsp.mp.microsoft.com geo-prod.dodsp.mp.microsoft.com.nsatc.net ile-service.weather.microsoft.com ip5.afdorigin-prod-am02.afdogw.com ipv4.login.msa.akadns6.net licensing.mp.microsoft.com m3p.wns.notify.windows.com.akadns.net modern.watson.data.microsoft.com.akadns.net msn.com.nsatc.net ocation-inference-westus.cloudapp.net ocos-office365-s2s.msedge.net ocsp.digicert.com odern.watson.data.microsoft.com.akadns.net oneclient.sfx.ms pv4.login.msa.akadns6.net query.prod.cms.rt.microsoft.com ris.api.iris.microsoft.com ris.api.iris.microsoft.com.akadns.net s-msedge.net settings.data.microsoft.com sfe.trafficshaping.dsp.mp.microsoft.com sls.update.microsoft.com storecatalogrevocation.storequality.microsoft.com storeedgefd.dsx.mp.microsoft.com telecommand.telemetry.microsoft.com.akadns.net tile-service.weather.microsoft.com tlu.dl.delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com vip5.afdorigin-prod-am02.afdogw.com vip5.afdorigin-prod-ch02.afdogw.com windowsupdate.com y2.displaycatalog.md.mp.microsoft.com.akadns.net 
y2.licensing.md.mp.microsoft.com.akadns.net y2.settings.data.microsoft.com.akadns.net msedge.net windows.net msn.com virtualearth.net bingforbusiness.com outlook.com lync.com cloudapp.net microsoft.com ec2-34-204-73-148.compute-1.amazonaws.com ec2-52-201-35-219.compute-1.amazonaws.com ec2-34-230-137-236.compute-1.amazonaws.com ec2-52-45-9-47.compute-1.amazonaws.com ec2-52-71-74-246.compute-1.amazonaws.com ec2-54-89-54-171.compute-1.amazonaws.com eset.com n-able.com www.agentexchange.com map2.hwcdn.net C:\Windows\SysWOW64\SearchProtocolHost.exe true OneDrive.exe Spotify.exe AppData\Roaming\Dropbox\bin\Dropbox.exe OneDriveStandaloneUpdater.exe ConnectWise.exe ScreenConnect.WindowsClient.exe AppData\Roaming\Dashlane\Dashlane.exe AppData\Roaming\Dashlane\DashlanePlugin.exe Vivaldi\Application\vivaldi.exe microsoft.com microsoft.com.akadns.net microsoft.com.nsatc.net .search.msn.com .wns.windows.com akamaitechnologies.com llmnr ldap ldap epmap epmap 135 135 ntp ntp llmnr ssdp ssdp 5353 netbios-ns netbios-dgm 1e100.net 5228 5357 3544 3702 3702 50646 53 53 67 67 1812 1812 49154 49154 59241 59241 52176 52176 49209 49209 6007 6007 C:\Program Files (x86)\SmartGit\jre\bin\java.exe C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe penv\Scripts\python.exe efolder01 2080 g2mcomm.exe C:\Program Files (x86)\LabTech Client\LTClient.exe C:\Windows\LTSvc\LTSVC.exe C:\Program Files (x86)\Webroot\WRSA.exe C:\Program Files (x86)\SmartGit\ DSPro\Programs\pr001Celery98.exe g2ax_comm_expert.exe g2mcomm.exe AppData\Local\Microsoft\Teams\current\Teams.exe 53 C:\Users C:\ProgramData \Temp\ Sysmon.exe Sysmon64.exe microsoft Microsoft Windows windows Intel Lenovo Synaptic Nvidia Broadcom AMD VMware Realtek Micro-Star Logitech Asmedia SteelSeries Fortinet Webroot NoVirusThanks Company Srl Invincea ShoreTel Synology Citrix SonicWall Sophos OpenVPN false Invalid Unavailable C:\windows\system32\fxsst.dll C:\Windows\System32\wbem\oci.dll \Temp\ NetshHelperBeacon netsh.exe rmnsoft.dll Valid 
System32\samlib.dll System32\cryptdll.dlll microsoft Microsoft Windows windows Intel Lenovo Synaptic Nvidia Broadcom AMD VMware Realtek Micro-Star Logitech Asmedia SteelSeries Fortinet Microsoft Microsoft C:\Windows\System32\backgroundTaskHost.exe Webroot C:\Windows\System32\backgroundTaskHost.exe C:\Windows\System32\mmc.exe C:\Windows\System32\SearchFilterHost.exe C:\Windows\System32\SearchProtocolHost.exe C:\Windows\sysmon64.exe C:\Windows\System32\inetsrv\w3wp.exe C:\Windows\sysmon64.exe C:\Windows\System32\conhost.exe C:\Windows\System32\winspool.drv C:\Windows\System32\wshqos. C:\Windows\System32\wow64.dll C:\Windows\System32\clusapi.dll C:\Windows\System32\cryptdll.dll C:\Windows\System32\wow64win.dll C:\Windows\System32\wow64.dll C:\Windows\System32\pcwum.dll C:\Windows\System32\kernel32.dll C:\Windows\System32\user32.dll C:\Windows\System32\cryptdll.dll C:\Windows\System32\dns.exe C:\Windows\System32\zvprtmon5.dll C:\Windows\System32\termsrv.dll C:\Windows\System32\spool\ samlib.dll C:\Program Files (x86)\SmartGit syntevo\SmartGit Labtech Client CrystalDecisions ShoreWare C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll C:\Windows\System32\backgroundTaskHost.exe C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe C:\Program Files C:\Windows\assembly\NativeImages C:\Program Files\WindowsApps C:\Program Files (x86)\AutoSizer\AutoSizer.dll C:\Program Files (x86)\Notepad++ C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe C:\PostgreSQL9.1\bin\postgres.exe C:\Windows\System32\VSSVC. 
C:\Windows\System32\conhost.exe C:\Windows\System32\svchost.exe C:\Windows\System32\NETSTAT.EXE C:\Windows\System32\inetsrv\w3wp.exe C:\Windows\System32\tasklist.exe C:\Windows\System32\nslookup.exe C:\Windows\System32\find.exe C:\cs\tools\php\php-cgi.exe C:\Windows\System32\nbtstat.exe C:\Windows\System32\dsquery.exe C:\Windows\System32\netsh.exe C:\Windows\System32\taskeng.exe C:\ProgramData\sysmon\sysmon64.exe SQL Server SQL Server Exchange Server Exchange Server LoadLibrary \ 0B80 C:\Windows\system32\wbem\WmiPrvSE.exe C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\system32\svchost.exe C:\Windows\system32\wininit.exe C:\Windows\system32\csrss.exe C:\Windows\system32\services.exe C:\Windows\system32\winlogon.exe C:\Windows\system32\audiodg.exe Google\Chrome\Application\chrome.exe FireSvc.exe C:\Program Files (x86)\Webroot\WRSA.exe controls\cef\ConnectWise.exe C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe C:\Windows\System32\rdpclip.exe C:\Windows\sysmon64.exe C:\Windows\sysmon.exe :\Windows\System32\lsass.exe :\Windows\System32\winlogon.exe powershell.exe verclsid.exe VBE7.dll CorperfmontExt.dll 0x40 0x101000 0x1000 0x1400 0x100000 0x3200 0x101400 0x101001 C:\Windows\sysWOW64\wbem\wmiprvse.exe C:\ProgramData\Microsoft\Windows Defender\platform\ C:\Windows\system32\msiexec.exe C:\Windows\system32\svchost.exe C:\Windows\system32\spoolsv.exe C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe taskmgr wbem\wmiprvse.exe \EMET_Service.exe \EMET_GUI.exe \procexp64.exe processhacker \Bin\FMS.exe \Exchange Server\ SQL :\Windows\System32\smss.exe :\Windows\system32\csrss.exe 
:\Windows\system32\wininit.exe \Google\Update\GoogleUpdate.exe C:\Program Files (x86)\Webroot\WRSA.exe C:\Program Files\Webroot\WRSA.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Windows\Sysmon.exe C:\Windows\Sysmon64.exe ScreenConnect :\Windows\system32\sppsvc.exe :\Windows\system32\sdiagnhost.exe UNKNOWN(00007F ShadowProtect C:\Hlthpnt\bin\IM.exe Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Common Files\Adobe\AdobeGCClient\AGSService.exe C:\ProgramData\WebEx\webex\ Dropbox\Update\DropboxUpdate.exe LTSvc\LTSVC.exe \Trusteer\Rapport\bin\RapportMgmtService.exe Adobe\AdobeGCClient\AGMService.exe NT-ware Shared\MomAdmSvc\MomAdmSvc.exe \Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe C:\Windows\Prefetch C:\Windows\System32\drivers \Start Menu \Startup \Programs\Startup \Content.Outlook\ \Downloads\ $RECYCLE.BIN \Microsoft\Office\Recent .dll .ocx .sys .application .appref-ms .bat .cmd .com .btm .cmdline .docm .exe .msc .hta .ws .wsf .wsh .pptm .ps1 .ps1xml .psc1 .psd1 .psm1 .pssc .cdxml .sys .reg .docm .xlsm .xlam .pptm .potm .pptm .sldm .scf .appref-ms .rdp .vbs .vb .vbsript .vbe .js .jse proj .sln .xls .ppt .rtf .SettingContent-ms C:\Users\Default \Desktop \Documents C:\Windows\System32\Drivers C:\Windows\SysWOW64\Drivers C:\Windows\System32\GroupPolicy\Machine\Scripts C:\Windows\System32\GroupPolicy\User\Scripts C:\Windows\System32\Tasks C:\Windows\System32\Wbem C:\Windows\SysWOW64\Wbem C:\Windows\System32\WindowsPowerShell C:\Windows\SysWOW64\WindowsPowerShell C:\Windows\Tasks\ C:\Windows\System32\Tasks C:\Windows\SysWow64\Tasks C:\Windows\Minidump Microsoft\Windows\WER\ MEMORY.dmp C:\Windows\AppPatch\Custom .cmdline C:\Windows\System32\ .ICL .FON .FOT .ico .lnk .eml .msg .SCT .SCR .SHB .SHS .PAF .JSE .gadget .cpl .inf help_decrypt help_restore ReadDecryptFilesHere howto_recover_file recover_file_ Recovery_file_ how_to_decrypt encryptor_raas_readme_liesmich _how_recover_ HOWTO_RESTORE_FILES_ help_my_files 
.notfoundrans .VforVendetta .theworldisyours .helpmeencedfiles .wowwhereismyfiles .wowreadfordecryp .powerfulldecrypt .noproblemwedecfiles .weareyourfriends .otherinformation .letmetrydecfiles .encryptedyourfiles .weencedufiles .filegofprencrp .iaufkakfhsaraf .cifgksaffsfyghd .skjdthghh .ransom .breeding123 .mention9823 .suppose666 .moments2900 .country82000 .supported2017 .prosperous666 .disposed2017 .myrandsext2017 .loveransisgood .areyoulovemyrans .stubbin .berkshire \www.exe \ps.exe \nt.exe \doliohdyjkajd.dll \run2.exe \ping2.exe .pem .crt .ca-bundle .cer .csr .der .p7b .p7r .p7s .pfx .sto .p12 .crl .sst .key .mht .cpl .scr .manifest .inf HammerDrillStatus.dll PSReadLine\ConsoleHost_history.txt C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\ \Downloads \Start Menu \Start Menu\Programs \Start Menu\Programs\Startup C:\Windows\System32\svchost.exe C:\Windows\System32\smss.exe \Microsoft\Windows\INetCache\IE \Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates WRITABLE.TST C:\Windows\System32\wbem\Performance\ C:\Windows\System32\DriverStore\Temp\ C:\Windows\System32\wbem\Performance\ WRITABLE.TST .SQM .SPL .SHD C:\Program Files (x86)\EMET 5.5\EMET_Service.exe C:\Windows\system32\mobsync.exe C:\Windows\Installer\ C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\ .etl .log C:\WINDOWS\winsxs\amd64_microsoft-windows Firefox Setup C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\config\netlogon.ftl \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe C:\Windows\system32\CompatTelRunner.exe C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe C:\Windows\System32\smss.exe C:\Program Files (x86)\MSI\Help Desk\MSI Update 
Agent.exe C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe C:\Windows\system32\igfxCUIService.exe Google\Chrome\User Data\Safe Browsing\UrlUws.store_new Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new Google\Chrome\User Data\Safe Browsing\IpMalware.store_new Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new .default\prefs-1.js C:\Windows\System32\Tasks\Adobe Acrobat Update Task C:\Windows\System32\Tasks\Adobe Flash Player Updater C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe C:\Windows\System32\config\systemprofile\TOSHIBA\ TOSHIBA\eSTUDIOX\UNIDRV N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\ C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe C:\Program Files\graylog\collector-sidecar\winlogbeat.exe C:\Program Files\N-able Technologies\Endpoint Update Server\bin\EPUpdateServer.exe C:\Program Files (x86)\N-able Technologies\Windows Agent\AVDefender\Installer.exe C:\Program Files (x86)\N-able Technologies\Windows 
Agent\bin\AutomationManager.ScriptRunner64.exe C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe \Runtime\1.0\NodeRunner.exe \CurrentVersion\Run \Group Policy\Scripts \Windows\System\Scripts \Microsoft\System\Scripts \ServiceDll \ImagePath \Start HKLM\SYSTEM\Setup\CmdLine Session Manager\KnownDlls HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages HKLM\HARDWARE\ACPI\DSDT HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet HKLM\System\CurrentControlSet\Control\Session Manager\Execute HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath HKLM\Software\Microsoft\Command Processor\AutoRun HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun HKLU\Software\Microsoft\Command Processor\AutoRun HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell UserInitMprLogonScript \CurrentVersion\Font Drivers Active 
Setup\Installed Components Windows CE Services\AutoStartOnConnect Windows CE Services\AutoStartOnDisconnect CurrentVersion\Windows\IconServiceLib Winlogon\AlternateShells\AvailableShells Terminal Server\Wds\rdpwd\StartupPrograms SafeBoot\AlternateShell Terminal Server\WinStations\RDP-Tcp\InitialProgram HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown Policies\System\Shell Desktop\Scrnsave.exe SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit \Explorer\FileExts\ \shell\install\command\ \shell\open\command\ \shell\open\ddeexec\ SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ \InprocServer32\(Default) \PropertySheetHandlers \CopyHookHandlers \ColumnHandlers \ExtShellFolderViews \ShellServiceObjects \ShellServiceObjectDelayLoad \SOFTWARE\Classes\Protocols\Filter \SOFTWARE\Classes\Protocols\Handler \Software\Microsoft\Ctf\LangBarAddin \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components \SharedTaskScheduler \ContextMenuHandlers\ \CurrentVersion\Shell HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad \Classes\Folder\ \Classes\*\ \Classes\AllFilesystemObjects\ \Classes\Directory\ \Classes\Drive\ \ShowSuperHidden HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ HKLM\SYSTEM\CurrentControlSet\Services\WinSock\ \ProxyServer Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy \DisableSecuritySettingsCheck \3\1206 \3\2500 \3\1809 
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders HKLM\SOFTWARE\Microsoft\Netsh HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles EnableFirewall HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ Office Test\ \Outlook\Addins\ \Excel\Addins\ \Word\Addins\ \Access\Addins\ \Powerpoint\Addins\ \Internet Explorer\Toolbar\ \Internet Explorer\Extensions\ \Browser Helper Objects\ {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ \UrlUpdateInfo \InstallSource HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\ HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunService HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \Software\Microsoft\Windows NT\CurrentVersion\Windows\load 
HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 CurrentVersion\Windows\Load CurrentVersion\Windows\Run CurrentVersion\Winlogon\Shell CurrentVersion\Winlogon\System \Software\Policies\Microsoft\Windows\System\Scripts\Logon \Software\Policies\Microsoft\Windows\System\Scripts\Logoff HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown \Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff \Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles Domain DefaultGateway DHCPDefaultGateway DhcpIPAddress DhcpNameserver Nameserver Dhcpserver DhcpSubnetMask SubnetMask PersistentRoutes }\Category \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR \Software\Microsoft\Terminal Server Client \WRData\Threats\Active \WRData\Threats\History \Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy \Security\Level \Security\Level1Remove HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify 
\HideSCAHealth HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange HKLM\SOFTWARE\Microsoft\Cryptography\OID HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust \Software\Classes\mscfile\shell\open\command HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad \comfile\shell\open\command \htafile\shell\open\command \batfile\shell\open\command \piffile\shell\open\command \exefile\shell\open\command Classes\exefile\shell\runas\command\isolatedCommand \piffile\shell\open\command \regfile\shell\open\command \mscfile\shell\open\command \InprocServer32 HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ \FriendlyName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318} HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic Office\root\integration\integrator.exe C:\WINDOWS\system32\backgroundTaskHost.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe C:\Program Files (x86)\Microsoft Office\Office16\lync.exe C:\Program Files (x86)\Microsoft Office\Office15\lync.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe C:\Program Files\Windows Defender\MsMpEng.exe \Microsoft\Exchange Server Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\ HKLM\SOFTWARE\Microsoft\ExchangeServer\ HKLM\CLUSTER\ExchangeActiveManager HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files- HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ Toolbar\WebBrowser Toolbar\WebBrowser\ITBar7Height Toolbar\WebBrowser\ITBar7Layout Toolbar\ShellBrowser\ITBar7Layout Internet Explorer\Toolbar\Locked Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A} Toolbar\WebBrowser\ITBar7Layout ShellBrowser \CurrentVersion\Run \CurrentVersion\RunOnce \CurrentVersion\App Paths \CurrentVersion\Image File Execution Options \CurrentVersion\Shell 
Extensions\Cached \CurrentVersion\Shell Extensions\Approved \PreviousPolicyAreas }\PreviousPolicyAreas \Control\WMI\Autologger\ HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start \Lsa\OfflineJoin\CurrentValue \Components\TrustedInstaller\Events \Components\TrustedInstaller \Components\Wlansvc \Components\Wlansvc\Events HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ \Directory\shellex \Directory\shellex\DragDropHandlers \Drive\shellex \Drive\shellex\DragDropHandlers _Classes\AppX HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit \services\clr_optimization_v2.0.50727_32\Start \services\clr_optimization_v2.0.50727_64\Start \services\clr_optimization_v4.0.30319_32\Start \services\clr_optimization_v4.0.30319_64\Start \services\DeviceAssociationService\Start \services\BITS\Start \services\TrustedInstaller\Start \services\tunnel\Start \services\UsoSvc\Start \OpenWithProgids \OpenWithList \UserChoice \UserChoice\ProgId \UserChoice\Hash \OpenWithList\MRUList } 0xFFFF Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg 
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2 Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov 
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\ SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\ SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\ SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\ SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\ HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0 SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0 SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime \safer\codeidentifiers\0\HASHES\{ } 
0xFFFF C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\ C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe \LTSvcMon\Start \LTService\Start {F2C2787D-95AB-40D4-942D-298F5F757874} C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ \Software\Policies\Microsoft\SystemCertificates\ HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\ HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ \SOFTWARE\Microsoft\EnterpriseCertificates\ HKLM\SOFTWARE\Microsoft\SystemCertificates\ C:\Windows\SysWOW64\SearchProtocolHost.exe HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice HKCR\VLC. HKCR\iTunes. 
\Software\NITRO\PRO HKLM\SOFTWARE\Wow6432Node\WRData\Status HKLM\System\CurrentControlSet\Services\RapportIaso HKLM\System\CurrentControlSet\Services\gzflt HKLM\System\CurrentControlSet\Services\trufos HKLM\System\CurrentControlSet\Services\wudfsvc HKLM\System\CurrentControlSet\Services\EFS HKLM\System\CurrentControlSet\Services\avc3 HKLM\System\CurrentControlSet\Services\NableRemoteService HKLM\System\CurrentControlSet\Services\TabletInputService HKLM\System\CurrentControlSet\Services\AdobeARMservice HKLM\System\CurrentControlSet\Services\EPUpdateService HKLM\System\CurrentControlSet\Services\ScreenConnect HKLM\System\CurrentControlSet\Services\EPSecurityService HKLM\System\CurrentControlSet\Services\EPIntegrationService HKLM\System\CurrentControlSet\Services\wrUrlFlt HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC HKLM\System\CurrentControlSet\Services\avckf HKLM\System\CurrentControlSet\services\NableRemoteService HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC HKLM\System\CurrentControlSet\Services\BDElam Content.Outlook Downloads Temp\7z Startup .vb .application .appref-ms .bat .cmd .cmdline .docm .exe .dll .sys .hta .pptm .ps1 .sys .reg .docm .xlsm .xlam .pptm .potm .pptm .sldm .scf .appref-ms .rdp .vbs .js .pem .crt .ca-bundle .cer .csr .der .p7b .p7r .p7s .pfx .sto .p12 .crl .sst .key .mht .manifest .cpl .scr .inf 291ff87948e45914424cec9510c297da 304772c80b157a916c7041f2f15939fb 5E022694C0DBD1FBBC263D608E577949 88ce6c0affcdbdc82abe53957dddfa12 .default\prefs-1.js \Mozilla\Firefox\Profiles\ \Microsoft\Windows\INetCache\ \Microsoft\Windows\Temporary Internet Files\Content.IE5 \isapi_http \isapi_dg \isapi_dg2 \isapi_http \sdlrpc \ahexec \winsession \lsassw \46a676ab7f179e511e30dd2dc41bd388 \9f81f59bc58452127884ce513865ed20 \e710f28d59aa529d6792ca6ff0ca1b34 \rpchlp_3 \NamePipe_MoreWindows \pcheap_reuse \ lsass \SQLLocal\RTCLOCAL \spoolss \M.E.C.Core.WinRMDataCommunicator.NamedPipe. 
c:\windows\system32\inetsrv\w3wp.exe C:\Windows\syswow64\snmp.exe C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE Exchange Server C:\Windows\system32\dns.exe \sql\query C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe C:\Windows\system32\DFSRs.exee C:\Windows\SystemApps\Microsoft.Windows C:\Windows\system32\SearchProtocolHost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\System32\LxRun.exe vmware- \System \InitShutdown C:\Windows\System32\wininit.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\System32\services.exe \ntsvcs \scerpc 
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe C:\Windows\System32\smss.exe C:\Windows\System32\spoolsv.exe \epmapper \atsvc \browser \srvsvc \Winsock2CatelogChangeListener ProtectedPrefix\LocalService\FTHPIPE \W32TIME_ALT \eventlog \wkssvc \TDLN- \WiFiNetworkManagerTask \MsFteWds \WRSVCPipe \WRSynUM2 \wrUrl C:\Program Files (x86)\Webroot\WRSA.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Update\GoogleUpdate.exe AppData\Local\Google\Chrome\User Data\SwReporter\ mojo. crashpad_ chrome. GoogleCrashServices slack.exe booma\ qtsingleapp-enpass- qtsingleapp-enpass- eo.ipc. C:\Program Files\Windows Firewall Control\wfc.exe Everything Service anchor_gui_agent Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\Lenovo\System Update\SUService.exe C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe C:\Program Files\Lenovo\HOTKEY\shtctky.exe C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE C:\Windows\System32\LPlatSvc.exe C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe N-able Technologies\Windows Agent\bin\agent.exe N-able Technologies\AVDefender\EPIntegrationService.exe C:\Program Files\OpenVPN\bin\openvpn-gui.exe C:\Program Files\OpenVPN\bin\openvpn.exe C:\Program Files\OpenVPN\bin\openvpnserv.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe C:\Program Files\Lenovo\HOTKEY\tphkload.exe C:\Program Files\Lenovo\ C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe 
Graylog-collector-sidecar.exe C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe C:\Program Files (x86)\SmartGit\bin\smartgit.exe C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe C:\Program Files (x86)\Enpass\Enpass.exe C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe SQLAnywhereLRM pgsignal postgres.exe MICROSOFT##WID\tsql\query TSVCPIPE- BB4BB19A178C25D1 SQLAnywhereLRM SQLLocal DropboxPipe_ c:\windows\system32\inetsrv\w3wp.exe C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe C:\Pfx Engagement\WM\PFXEngagement.exe C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe ScreenConnect.WindowsClient.exe ScreenConnect.ClientService.exe QBW32.EXE EXCEL.EXE ADCUpdate.exe Hydrous.Host.exe TNSLSNR.exe ShoreWare Server