md5,imphash,sha256
unknown process
unknown process
regsvr32.exe
bitsadmin.exe
eventvwr.exe
fodhelper.exe
InstallUtil.exe
/logfile= /LogToConsole=false /U
MSBuild.exe
regsvcs.exe
regasm.exe
SyncAppvPublishingServer.exe
control.exe
control.exe /name
rundll32.exe shell32.dll,Control_RunDLL
mshta.exe
mshta.exe
wevutil.exe
wevutil cl
C:\Windows\Fonts\
C:\Windows\Fonts\
\htdocs\
C:\Windows\Media\
C:\Users\Public\
C:\Windows\system32\config\systemprofile\
C:\Windows\addins\
C:\Windows\Debug\
C:\Users\NetworkService\
C:\PerfLogs\
C:\Users\Default\
C:\Windows\Help\
C:\Intel\Logs\
C:\Windows\repair\
C:\$Recycle.bin\
C:\Windows\security\
\wwwroot\
\htdocs\
C:\Windows\Media\
C:\Windows\addins\
C:\ProgramData
C:\Windows\system32\config\systemprofile\
C:\Users\NetworkService\
C:\Windows\Debug\
C:\Temp
C:\Windows\Temp
C:\PerfLogs\
C:\Users\Default\
C:\Windows\Help\
C:\Intel\Logs\
C:\Windows\repair\
C:\$Recycle.bin\
C:\Users\Public\
C:\Windows\security\
C:\Users
C:\Windows\Fonts\
\wwwroot\
MpCmdRun.exe
PsKill.exe
DisableIOAVProtection
RemoveDefinitions
Add-MpPreference
net user
net user
net.exe user
net.exe user
net1 user
net1 user
net1.exe user
net1.exe user
net localgroup
net localgroup
net.exe localgroup
net.exe localgroup
net1 localgroup
net1 localgroup
net group
net group
net group
net group
net.exe group
net.exe group
net group
net group
net.exe group
net.exe group
net1.exe group
net1.exe group
dsadd
dsmod
dsquery.exe
dsmod.exe
dsadd.exe
whoami.exe
ipconfig.exe
tasklist.exe
sysinfo.exe
netstat.exe
qprocess.exe
quser.exe
route.exe
reg query
reg.exe query
netsh.exe
wscript.exe
pcalua.exe
cscript.exe
wscript.exe
pcalua.exe
cscript.exe
COMSPEC
COMSPEC
powershell.exe
powershell_ise.exe
powershell.exe -Version
powershell
powershell
powershell -Version
iex
Invoke-Expression
iwr
Invoke-WebRequest
DownloadFile
DownloadString
Net.WebClient
System.Net.WebRequest
System.Net.SecurityProtocolType
Shellcode
bash.exe
bash.exe
psexesvc.exe
Execute processes remotely
psexec.exe
Execute processes remotely
pskill.exe
forfiles.exe
forfiles.exe
pcalua.exe
wsmprovhost.exe
wsmprovhost.exe
winrm.cmd
sethc.exe
utilman.exe
osk.exe
Magnify.exe
DisplaySwitch.exe
Narrator.exe
AtBroker.exe
sdbinst.exe
schtasks.exe
schtasks.exe
schtasks /create
schtasks.exe /create
at.exe
at.exe
System.Management.Automation
net user /add
net localgroup administrators /add
sc create
sc.exe create
new-service
wmiprvse.exe
/shadow
/noConsentPrompt
FromBase64String
convertto-securestring
VerbosePreference.ToString
runtime.interopservices.marshal
VerbosePreference.ToString
-windowstyle h
-windowstyl h
-windowsty h
-windowst h
-windows h
-window h
-windo h
-wind h
-win h
-wi h
-w h
-wi h
-win hi
-win hid
-win hidd
-win hidde
-win hidden
-Nop
-Noni
-encodedc
-ec
-en
^c^o^m^S^p^E^c^
C^om^S^pEc
query.exe
tracert.exe
tree.com
runas.exe
taskkill.exe
klist.exe
hh.exe
odbcconf.exe
pcalua.exe
attrib.exe
cmdkey.exe
nltest.exe
nltest.exe
ExtExport
bash -c
bash.exe -c
cmdkey /list
cmdkey.exe /list
certutil.exe -urlcache -split -f
certutil -urlcache -split -f
csc -out:
csc.exe -out:
csc -target:library
csc.exe -target:library
cmdkey /list
cmd.exe /k
cmstp.exe /ni /s
cmstp /ni /s
esentutl.exe /y \\
esentutl /y \\
expand \\
expand.exe \\
extrac32 \\
extrac32.exe \\
ieexec.exe http
ieexec http
diskshadow
advpack.dll,LaunchINFSection
mshtml,RunHTMLApplication
/s /n /u /i:http:
mshtml,RunHTMLApplication
bginfo.bgi /popup /nolicprompt
set
setx
pushd
popd
subst
ren
move
md
del
rd
expand
find.exe
format
format
assoc
cls.exe
doskey.exe
Mavinject.exe
/INJECTRUNNING
CMSTP.exe
certutil.exe -decode
certutil -decode
acrobat.exe
acrord32.exe
chrome.exe
firefox.exe
iexplore.exe
MicrosoftEdgeCP.exe
MicrosoftEdge.exe
vivaldi.exe
waterfox.exe
java.exe
javaw.exe
word.exe
excel.exe
POWERPNT.exe
outlook.exe
visio.exe
msaccess.exe
lync.exe
skype.exe
2>
<
>
^
&
;
|
more
\\tsclient
..
wmic shadowcopy delete
wbadmin delete catalog
/set {default} recoveryenabled no
telnet
-dumpcr
putty
bash.exe
pssh
sdelete
shareenum
sekurlsa
reg SAVE
Invoke-DllInjection
Invoke-Shellcode
Invoke-WmiCommand
Get-GPPPassword
Get-Keystrokes
Get-TimedScreenshot
Get-VaultCredential
Invoke-CredentialInjection
mimikatz
Invoke-NinjaCopy
Invoke-TokenManipulation
Out-Minidump
VolumeShadowCopyTools
Invoke-ReflectivePEInjection
Invoke-UserHunter
Find-GPOLocation
Invoke-ACLScanner
Invoke-DowngradeAccount
Get-ServiceUnquoted
Get-ServiceFilePermission
Get-ServicePermission
Invoke-ServiceAbuse
Install-ServiceBinary
Get-RegAutoLogon
Get-VulnAutoRun
Get-VulnSchTask
Get-UnattendedInstallFile
Get-WebConfig
Get-ApplicationHost
Get-RegAlwaysInstallElevated
Get-Unconstrained
Add-RegBackdoor
Add-ScrnSaveBackdoor
Gupt-Backdoor
Invoke-ADSBackdoor
Enabled-DuplicateToken
Invoke-PsUaCme
Remove-Update
Check-VM
Get-LSASecret
Get-PassHashes
Show-TargetScreen
Port-Scan
netscan
psscan
Invoke-PoshRatHttp
Invoke-PowerShellTCP
Invoke-PowerShellWMI
Add-Exfiltration
Add-Persistence
Do-Exfiltration
Start-CaptureServer
Invoke-DllInjection
Invoke-ReflectivePEInjection
Invoke-ShellCode
Get-ChromeDump
Get-ClipboardContents
Get-FoxDump
Get-IndexedItem
Get-Keystrokes
Get-Screenshot
Invoke-Inveigh
Invoke-NetRipper
Invoke-NinjaCopy
Out-Minidump
Invoke-EgressCheck
Invoke-PSInject
Invoke-RunAs
MailRaider
New-HoneyHash
Set-MacAttribute
Get-VaultCredential
Invoke-DCSync
Invoke-PowerDump
Invoke-TokenManipulation
Exploit-Jboss
Invoke-ThunderStruck
Invoke-VoiceTroll
Set-Wallpaper
Invoke-InveighRelay
Invoke-PsExec
Invoke-SSHCommand
Get-SecurityPackages
Install-SSP
Invoke-BackdoorLNK
PowerBreach
Get-GPPPassword
Get-SiteListPassword
Get-System
BypassUAC
Invoke-Tater
PowerUp
PowerView
Get-RickAstley
Find-Fruit
HTTP-Login
Find-TrustedDocuments
Invoke-Paranoia
Invoke-WinEnum
Invoke-ARPScan
Invoke-ReverseDNSLookup
smbscanner
Invoke-FruityC2
Invoke-Stager
process call create
call set priority
call terminate
product get name
bios, get serialNumber
onboarddevice get
useraccount where name
nteventlog where filename
cleareventlog
root\\default
FilterToConsumerBinding
root\\subscription
Win32_TaskService
Win32_TaskService
stratum+tcp
-donate-level=
Wmiclass
WmiCl'+'as'+'s
ntdsutil
mimiauth
Powersploit
Mimikittenz
-ma lsass.exe
ProcDump.exe
AdjustTokenPrivileges
IMAGE_NT_OPTIONAL_HDR64_MAGIC
Management.Automation.RuntimeException
Microsoft.Win32.UnsafeNativeMethods
ReadProcessMemory.Invoke
Runtime.InteropServices
SE_PRIVILEGE_ENABLED
System.Security.Cryptography
System.Runtime.InteropServices
LSA_UNICODE_STRING
MiniDumpWriteDump
PAGE_EXECUTE_READ
Net.Sockets.SocketFlags
Reflection.Assembly
SECURITY_DELEGATION
TOKEN_ADJUST_PRIVILEGES
TOKEN_ALL_ACCESS
TOKEN_ASSIGN_PRIMARY
TOKEN_DUPLICATE
TOKEN_ELEVATION
TOKEN_IMPERSONATE
TOKEN_INFORMATION_CLASS
TOKEN_PRIVILEGES
TOKEN_QUERY
Metasploit
Mimikatz
usn deletejournal
^h^t^t^p
h"t"t"p
script:http
rundll32.exe
notepad.exe
regsvr32.exe
regsvcs.exe
C:\Windows\system32\svchost.exe
mshta.exe
psexe
pskill
psshutdown
psservice
PsPasswd
msbuild.exe
msiexec.exe
mstsc.exe
telnet.exe
SyncAppvPublishingServer.exe
Mavinject.exe
ssh.exe
putty.exe
kitty.exe
kitty_portable.exe
psftp.exe
tftp.exe
wmic.exe
nbtstat.exe
driverquery.exe
infDefaultInstall.exe
sc.exe
auditpol.exe
qwinsta.exe
rwinsta.exe
curl.exe
wget.exe
www.exe
awk.exe
sed.exe
stratum+tcp
coinhive
minergate
ccminer
cgminer
sgminer
rainbowminer
xmrMiner
poolpassword
poolurl
poolname
ahashpool
poolname
blazepool
blockmasters
blockmasterscoins
hashrefinery
miningpoolhubcoins
nicehash
yiimp
zergpool
zergpoolcoins
zpool
tor.exe
.com
\temp\
C:\users
explorer.exe
control.exe
acrord32.exe
installutil.exe
\reg.exe
ipconfig.exe
\appdata\
\programdata\
\Users
\ProgramData
\Windows\
\Perflogs\
\config\systemprofile\
netsh advfirewall firewall
\
DisableRealtimeMonitoring
--disable-http2 --disable-quic
291ff87948e45914424cec9510c297da
304772c80b157a916c7041f2f15939fb
5E022694C0DBD1FBBC263D608E577949
71345b139166482acaa568ac8816c7bc
1b60021baedc3f9201bcdb40e9b87f62
c7c8d584758854bbe0d8e64ef53ae1a8
AppContainer
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\MusNotification.exe
C:\Windows\System32\MusNotificationUx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\svchost.exe -k DcomLaunch
\SystemRoot\System32\smss.exe 00000100 0000007c
\SystemRoot\System32\smss.exe 00000100 0000007c
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\vssvc.exe
net.exe use
net use
net1 use
net.exe time
net time
net1 time
C:\Program Files\Windows Defender
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\System32\MpSigStub.exe
C:\Windows\SoftwareDistribution\Download\Install\AM_Delta
C:\Windows\SoftwareDistribution\Download\Install\AM_Engine
C:\Windows\SoftwareDistribution\Download\Install\AM_Base
C:\Windows\System32\MusNotification.exe
C:\Windows\System32\MusNotificationUx.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\svchost.exe -k wsappx
C:\Windows\System32\svchost.exe -k appmodel
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\System32\svchost.exe -k defragsvc
C:\Windows\System32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\System32\svchost.exe -k wbioSvcGroup
C:\Windows\System32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
C:\Windows\system32\svchost.exe -k localServiceNoNetwork
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc
C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
C:\Windows\system32\svchost.exe -k netsvcs -s Themes
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
C:\Windows\system32\svchost.exe -k networkService -s Dnscache
C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
C:\Windows\system32\svchost.exe -k networkService -s TermService
C:\Windows\system32\svchost.exe -k networkService
C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k rPCSS
C:\Windows\system32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k unistackSvcGroup
C:\Windows\system32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k wbioSvcGroup
C:\Windows\system32\svchost.exe -k werSvcGroup
C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k GPSvcGroup
C:\Windows\System32\svchost.exe -k tapisrv
C:\WINDOWS\System32\svchost.exe -k wsappx
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\powercfg.exe
C:\Windows\System32\taskeng.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE
C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE
C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
C:\Windows\splwow64.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1
C:\Windows\System32\ddpcli.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\Google\Update\
"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
AcroRd32.exe" /CR
AcroRd32.exe" --channel=
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{
C:\Program Files\NVIDIA Corporation\
\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe
C:\Program Files\Realtek\
C:\Program Files\DellTPad\HidMonitorSvc.exe
"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Program Files\Dell\SupportAssist\pcdrcui.exe
C:\Program Files\Dell\SupportAssist\koala.exe
"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16"
C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe
C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe
C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
C:\Windows\system32\LPlatSvc.exe
C:\Program Files\Lenovo\HOTKEY\tphkload.exe
C:\Program Files\Lenovo\HOTKEY\micmute.exe
C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe
C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe
C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard & Mouse\Pelico.exe
C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard & Mouse\LeDaemon.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe
C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe
C:\Program Files (x86)\Lenovo\System Update\tvsu.exe
C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe
C:\Program Files (x86)\SCM\SCM.exe
C:\Program Files (x86)\SCM\SCM_Notice.exe
C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe
C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe
C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe
C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe
C:\Program Files\Intel\Telemetry 2.0\lrio.exe
C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe
C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe
"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc
C:\Program Files (x86)\Webroot\WRSA.exe" -ul
"C:\Program Files (x86)\Webroot\WRSA.exe" -service
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
ScreenConnect.WindowsClient.exe
C:\Program Files (x86)\SmartGit
C:\Program Files (x86)\SmartGit
Vivaldi\Application\vivaldi.exe
controls\cef\ConnectWise.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files (x86)\SyncedTool\bin\agent_service.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files (x86)\Enpass\Enpass.exe
C:\Program Files (x86)\Enpass\Enpass.exe
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe
C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe
C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe
C:\Anchor Server\penv\Scripts\python.exe
C:\Anchor Server\redis\redis-server.exe
C:\Anchor Server\redis\redis-server.exe
C:\PostgreSQL9.1\bin\postgres.exe
C:\PostgreSQL9.1\bin\postgres.exe
C:\ProgramData\sysmon\sysmon64.exe
56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe
C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe
N-able Technologies\Windows Software Probe\bin\wsp.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe
C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe
C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe
3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818
\sysmon\Auto_Update.bat
\sysmon\Auto_Update.bat
ion-storm/sysmon-config
\netlogon\
\netlogon\
C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE
net use
net.exe use
net1 use
net1.exe use
net time
net.exe time
net1 time
C:\Windows\system32\cmd.exe /c UsrLogon.cmd
C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe
C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe
chrome.nativeMessaging.out
C:\Users
C:\ProgramData
\Temp\
C:\Windows\system32\backgroundTaskHost.exe
TrustedInstaller.exe
OneDrive.exe
vivaldi.exe
chrome.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
setup
C:\Users
\temp\
$RECYCLE.BIN
C:\ProgramData
C:\Perflogs\
config\systemprofile\
\Windows\Fonts\
\Windows\IME\
\Windows\addins\
chrome.exe
iexplore.exe
firefox.exe
MicrosoftEdgeCP.exe
MicrosoftEdge.exe
explorer.exe
unknown process
at.exe
schtasks.exe
certutil.exe
cmd.exe
cscript.exe
wscript.exewscript.exe
rundll32.exe
notepad.exe
regsvr32.exe
regsvcs.exe
C:\Windows\system32\svchost.exe
mshta.exe
powershell.exe
psexe
pskill
psshutdown
psservice
PsPasswd
java.exe
msbuild.exe
installutil.exe
msiexec.exe
reg.exe
mstsc.exe
telnet.exe
SyncAppvPublishingServer.exe
Mavinject.exe
ssh.exe
putty.exe
kitty.exe
kitty_portable.exe
psftp.exe
tftp.exe
wmic.exe
net.exe
nbtstat.exe
dsquery.exe
driverquery.exe
infDefaultInstall.exe
sc.exe
auditpol.exe
qwinsta.exe
rwinsta.exe
tor.exe
185.41.154.130
37.252.190.176
82.118.17.235
83.163.164.15
69.163.34.173
159.89.151.231
212.47.246.229
84.40.112.70
2.137.16.245
199.249.223.62
185.22.172.237
88.99.216.194
185.13.39.197
162.247.72.201
174.127.217.73
githubusercontent.com
github.com
api.ipify.org
whatismyipaddress.com
edns.ip-api.com
checkip.dyndns.org
icanhazip.com
ifconfig.me
ifconfig.co
ipaddress.com
ipinfo.io
ident.me
api.ip.sb
www.myexternalip.com
ip.anysrc.net
wtfismyip.com
myexternalip.com
api.ip.sb
ipecho.net
checkip.amazonaws.com
goo.gl
git.io
bit.ly
t.co
ow.ly
ip-api.com
dlinkddns.com
no-ip.com
no-ip.org
no-ip.biz
no-ip.info
noip.com
afraid.org
duckdns.org
changeip.com
ddns.net
hopto.org
zapto.org
servehttp.com
sytes.net
onion.to
onion.cab
onion.sh
onion.nu
onion.direct
tor2web.org
tor2web.fi
tor2web.io
tor2web.blutmagie.de
tor-gateways.de
hiddenservice.net
shodan
shadow
researchscan
census
sl-reverse
scanhub
.edu
158.130.6.
71.6.216.
137.226.113.
138.246.252.
128.32.30.
208.93.152.
162.216.46.
169.229.3.
155.94.254.
98.143.148.
155.94.222.
134.147.203.
69.170.62.
159.203.213.
209.236.120.
158.130.6
blazepool
blockmasters
blockmasterscoins
hashrefinery
miningpoolhubcoins
nicehash
yiimp
zergpool
zergpoolcoins
zpool
slushpool
minexmr
minergate
monero
prohash
dwarfpool
nanopool.org
mixpools.org
viaxmr.com
hashvault.pro
moriaxmr.com
suprnova.cc
mixpools.org
monero
usxmrpool
xmrpool
poolto.be
mineXMR
prohash.net
mine.bz
mypool.online
bohemianpool
mineXMR
iwanttoearn.money
pool.xmr
crypto-pool
miners.pro
minercircle.com
monero.lindon-pool.win
teracycle.net
ratchetmining.com
cryptmonero
mineXMR
80
443
3389
3540
22
23
25
139
5800
5900
1194
1701
1723
1293
4500
1080
8080
3128
9001
9030
4443
2448
8143
1777
1443
243
65535
13506
3360
200
198
49180
13507
3360
6625
4444
4438
1904
13505
13504
12102
9631
5445
2443
777
13394
13145
12103
5552
3939
3675
666
473
5649
4455
4433
1817
100
65520
1960
1515
743
700
14154
14103
14102
12322
10101
7210
4040
9943
7777
9943
666
C:\Windows\System32\dns.exe
C:\Windows\System32\find.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe
aps.windows.com
arc.msn.com
arc.msn.com.nsatc.net
atson.telemetry.microsoft.com
au.download.windowsupdate.com
b.akamaiedge.net
bing.com
cdn.onenote.net
client-office365-tas.msedge.net
config.edge.skype.com
csp.digicert.com
ctldl.windowsupdate.com
cy2.licensing.md.mp.microsoft.com.akadns.net
cy2.settings.data.microsoft.com.akadns.net
displaycatalog.mp.microsoft.com
download.windowsupdate.com
e3.delivery.dsp.mp.microsoft.com.nsatc.net
e-msedge.net
emdl.ws.microsoft.com
ettings-win.data.microsoft.com
fe2.update.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
fe3.delivery.mp.microsoft.com
g.akamaiedge.net
g.live.com
g.msn.com.nsatc.net
geo-prod.do.dsp.mp.microsoft.com
geo-prod.dodsp.mp.microsoft.com.nsatc.net
ile-service.weather.microsoft.com
ip5.afdorigin-prod-am02.afdogw.com
ipv4.login.msa.akadns6.net
licensing.mp.microsoft.com
m3p.wns.notify.windows.com.akadns.net
modern.watson.data.microsoft.com.akadns.net
msn.com.nsatc.net
ocation-inference-westus.cloudapp.net
ocos-office365-s2s.msedge.net
ocsp.digicert.com
odern.watson.data.microsoft.com.akadns.net
oneclient.sfx.ms
pv4.login.msa.akadns6.net
query.prod.cms.rt.microsoft.com
ris.api.iris.microsoft.com
ris.api.iris.microsoft.com.akadns.net
s-msedge.net
settings.data.microsoft.com
sfe.trafficshaping.dsp.mp.microsoft.com
sls.update.microsoft.com
storecatalogrevocation.storequality.microsoft.com
storeedgefd.dsx.mp.microsoft.com
telecommand.telemetry.microsoft.com.akadns.net
tile-service.weather.microsoft.com
tlu.dl.delivery.mp.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com
vip5.afdorigin-prod-am02.afdogw.com
vip5.afdorigin-prod-ch02.afdogw.com
windowsupdate.com
y2.displaycatalog.md.mp.microsoft.com.akadns.net
y2.licensing.md.mp.microsoft.com.akadns.net
y2.settings.data.microsoft.com.akadns.net
msedge.net
windows.net
msn.com
virtualearth.net
bingforbusiness.com
outlook.com
lync.com
cloudapp.net
microsoft.com
ec2-34-204-73-148.compute-1.amazonaws.com
ec2-52-201-35-219.compute-1.amazonaws.com
ec2-34-230-137-236.compute-1.amazonaws.com
ec2-52-45-9-47.compute-1.amazonaws.com
ec2-52-71-74-246.compute-1.amazonaws.com
ec2-54-89-54-171.compute-1.amazonaws.com
eset.com
n-able.com
www.agentexchange.com
map2.hwcdn.net
C:\Windows\SysWOW64\SearchProtocolHost.exe
true
OneDrive.exe
Spotify.exe
AppData\Roaming\Dropbox\bin\Dropbox.exe
OneDriveStandaloneUpdater.exe
ConnectWise.exe
ScreenConnect.WindowsClient.exe
AppData\Roaming\Dashlane\Dashlane.exe
AppData\Roaming\Dashlane\DashlanePlugin.exe
Vivaldi\Application\vivaldi.exe
microsoft.com
microsoft.com.akadns.net
microsoft.com.nsatc.net
.search.msn.com
.wns.windows.com
akamaitechnologies.com
llmnr
ldap
ldap
epmap
epmap
135
135
ntp
ntp
llmnr
ssdp
ssdp
5353
netbios-ns
netbios-dgm
1e100.net
5228
5357
3544
3702
3702
50646
53
53
67
67
1812
1812
49154
49154
59241
59241
52176
52176
49209
49209
6007
6007
C:\Program Files (x86)\SmartGit\jre\bin\java.exe
C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe
penv\Scripts\python.exe
efolder01
2080
g2mcomm.exe
C:\Program Files (x86)\LabTech Client\LTClient.exe
C:\Windows\LTSvc\LTSVC.exe
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files (x86)\SmartGit\
DSPro\Programs\pr001Celery98.exe
g2ax_comm_expert.exe
g2mcomm.exe
AppData\Local\Microsoft\Teams\current\Teams.exe
53
C:\Users
C:\ProgramData
\Temp\
Sysmon.exe
Sysmon64.exe
microsoft
Microsoft Windows
windows
Intel
Lenovo
Synaptic
Nvidia
Broadcom
AMD
VMware
Realtek
Micro-Star
Logitech
Asmedia
SteelSeries
Fortinet
Webroot
NoVirusThanks Company Srl
Invincea
ShoreTel
Synology
Citrix
SonicWall
Sophos
OpenVPN
false
Invalid
Unavailable
C:\windows\system32\fxsst.dll
C:\Windows\System32\wbem\oci.dll
\Temp\
NetshHelperBeacon
netsh.exe
rmnsoft.dll
Valid
System32\samlib.dll
System32\cryptdll.dlll
microsoft
Microsoft Windows
windows
Intel
Lenovo
Synaptic
Nvidia
Broadcom
AMD
VMware
Realtek
Micro-Star
Logitech
Asmedia
SteelSeries
Fortinet
Microsoft
Microsoft
C:\Windows\System32\backgroundTaskHost.exe
Webroot
C:\Windows\System32\backgroundTaskHost.exe
C:\Windows\System32\mmc.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\sysmon64.exe
C:\Windows\System32\inetsrv\w3wp.exe
C:\Windows\sysmon64.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\winspool.drv
C:\Windows\System32\wshqos.
C:\Windows\System32\wow64.dll
C:\Windows\System32\clusapi.dll
C:\Windows\System32\cryptdll.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\pcwum.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\user32.dll
C:\Windows\System32\cryptdll.dll
C:\Windows\System32\dns.exe
C:\Windows\System32\zvprtmon5.dll
C:\Windows\System32\termsrv.dll
C:\Windows\System32\spool\
samlib.dll
C:\Program Files (x86)\SmartGit
syntevo\SmartGit
Labtech Client
CrystalDecisions
ShoreWare
C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll
C:\Windows\System32\backgroundTaskHost.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files
C:\Windows\assembly\NativeImages
C:\Program Files\WindowsApps
C:\Program Files (x86)\AutoSizer\AutoSizer.dll
C:\Program Files (x86)\Notepad++
C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe
C:\PostgreSQL9.1\bin\postgres.exe
C:\Windows\System32\VSSVC.
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\NETSTAT.EXE
C:\Windows\System32\inetsrv\w3wp.exe
C:\Windows\System32\tasklist.exe
C:\Windows\System32\nslookup.exe
C:\Windows\System32\find.exe
C:\cs\tools\php\php-cgi.exe
C:\Windows\System32\nbtstat.exe
C:\Windows\System32\dsquery.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\taskeng.exe
C:\ProgramData\sysmon\sysmon64.exe
SQL Server
SQL Server
Exchange Server
Exchange Server
LoadLibrary
\
0B80
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\audiodg.exe
Google\Chrome\Application\chrome.exe
FireSvc.exe
C:\Program Files (x86)\Webroot\WRSA.exe
controls\cef\ConnectWise.exe
C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe
C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe
C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe
C:\Windows\System32\rdpclip.exe
C:\Windows\sysmon64.exe
C:\Windows\sysmon.exe
:\Windows\System32\lsass.exe
:\Windows\System32\winlogon.exe
powershell.exe
verclsid.exe
VBE7.dll
CorperfmontExt.dll
0x40
0x101000
0x1000
0x1400
0x100000
0x3200
0x101400
0x101001
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\ProgramData\Microsoft\Windows Defender\platform\
C:\Windows\system32\msiexec.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe
C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe
taskmgr
wbem\wmiprvse.exe
\EMET_Service.exe
\EMET_GUI.exe
\procexp64.exe
processhacker
\Bin\FMS.exe
\Exchange Server\
SQL
:\Windows\System32\smss.exe
:\Windows\system32\csrss.exe
:\Windows\system32\wininit.exe
\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\Sysmon.exe
C:\Windows\Sysmon64.exe
ScreenConnect
:\Windows\system32\sppsvc.exe
:\Windows\system32\sdiagnhost.exe
UNKNOWN(00007F
ShadowProtect
C:\Hlthpnt\bin\IM.exe
Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\ProgramData\WebEx\webex\
Dropbox\Update\DropboxUpdate.exe
LTSvc\LTSVC.exe
\Trusteer\Rapport\bin\RapportMgmtService.exe
Adobe\AdobeGCClient\AGMService.exe
NT-ware Shared\MomAdmSvc\MomAdmSvc.exe
\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe
C:\Windows\Prefetch
C:\Windows\System32\drivers
\Start Menu
\Startup
\Programs\Startup
\Content.Outlook\
\Downloads\
$RECYCLE.BIN
\Microsoft\Office\Recent
.dll
.ocx
.sys
.application
.appref-ms
.bat
.cmd
.com
.btm
.cmdline
.docm
.exe
.msc
.hta
.ws
.wsf
.wsh
.pptm
.ps1
.ps1xml
.psc1
.psd1
.psm1
.pssc
.cdxml
.sys
.reg
.docm
.xlsm
.xlam
.pptm
.potm
.pptm
.sldm
.scf
.appref-ms
.rdp
.vbs
.vb
.vbsript
.vbe
.js
.jse
proj
.sln
.xls
.ppt
.rtf
.SettingContent-ms
C:\Users\Default
\Desktop
\Documents
C:\Windows\System32\Drivers
C:\Windows\SysWOW64\Drivers
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
C:\Windows\System32\Tasks
C:\Windows\System32\Wbem
C:\Windows\SysWOW64\Wbem
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
C:\Windows\Tasks\
C:\Windows\System32\Tasks
C:\Windows\SysWow64\Tasks
C:\Windows\Minidump
Microsoft\Windows\WER\
MEMORY.dmp
C:\Windows\AppPatch\Custom
.cmdline
C:\Windows\System32\
.ICL
.FON
.FOT
.ico
.lnk
.eml
.msg
.SCT
.SCR
.SHB
.SHS
.PAF
.JSE
.gadget
.cpl
.inf
help_decrypt
help_restore
ReadDecryptFilesHere
howto_recover_file
recover_file_
Recovery_file_
how_to_decrypt
encryptor_raas_readme_liesmich
_how_recover_
HOWTO_RESTORE_FILES_
help_my_files
how_recover
HELP_TO_SAVE_FILES
DECRYPT_INSTRUCTIONS
YOUR_FILES.url
Coin.Locker.txt
_secret_code.txt
Decrypt_readme.txt
INSTUCCIONES_DESCRIFRADO
FILESAREGONE.txt
IAMREADYTOPAY.TXT
HELLOTHERE.TXT
READTHISNOW!!!.txt
SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY
SECRET.KEY
HELPDECRYPT_YOUR_FILES.HTML
RECOVERY_FILES.TXT
RECOVERY_FILE.
HowtoRestore_Files
restorefiles
howrecover+
recoveryfile
help_recover_instructions
_Locky_recover
help_decrypt
help_restore
.CRAB
.cerber
help_decrypt
help_restore_files
HELP_YOUR_FILES
ReadDecryptFilesHere
howto_recover_file
recover_file
Recovery_File_
HOW_TO_DECRYPT_
DecryptAllFiles
encryptor_raas_readme_liesmich
_how_recover_
HOWTO_RESTORE_FILES_
help_my_files
how_recover
HELP_TO_SAVE_FILES
DECRYPT_INSTRUCTIONS
INSTUCCIONES_DESCRIFRADO
YOUR_FILES.url
Coin.Locker.txt
_secret_code.txt
Decrypt_readme.txt
FILESAREGONE.txt
IAMREADYTOPAY.TXT
HELLOTHERE.TXT
READTHISNOW!!!.txt
SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY
SECRET.KEY
HELPDECRYPT_YOUR_FILES.HTML
RECOVERY_FILES.TXT
RECOVERY_FILE.
HowtoRestore_File
restorefiles_
howrecover+
recoveryfile_
recoverfile_
help_recover_instructions
_ReCoVeRy_+
_Locky_recover
.zzzzz
aeroware
howto_recover_file
_how_recover_
HOWTO_RESTORE_FILES
help_my_files
how_recover
HELP_TO_SAVE_FILES
DECRYPT_INSTRUCTIONS
YOUR_FILES.url
Coin.Locker.txt
_secret_code.txt
Decrypt_readme.txt
FILESAREGONE.txt
IAMREADYTOPAY.TXT
HELLOTHERE.TXT
READTHISNOW!!!.txt
SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY
SECRET.KEY
HELPDECRYPT_YOUR_FILES.HTML
RECOVERY_FILES.TXT
restorefiles
howrecover+
restorefiles
howrecover+
restorefiles
help_recover_instructions
_Locky_recover
!!!READ_TO_UNLOCK!!!.TXT
openforyou@india.com
.warn_wallet
hacks.at.sigaint.org
.MATRIX
Crytp0l0cker
decrypted_files.dat
padcrypt
Vape Launcher.exe
READ_ME_!.txt
.enjey
Aescrypt.exe
PINGY@INDIA.COM
WORMKILLER@INDIA.COM.XTBL
CEBER3
IF_WANT_FILES_BACK_PLS_READ.html
_HELP_HELP_HELP_
zXz.html
HELP_ME_PLEASE.txt
!_RECOVERY_HELP_!.txt
PLEASE-READIT-IF_YOU-WANT.html
.filegofprencrp
COME_RIPRISTINARE_I_FILE.
fattura_
_steaveiwalker@india.com_
COMO_ABRIR_ARQUIVOS.txt
info@kraken.cc_worldcza@email.cz
COMO_RESTAURAR_ARCHIVOS
What happen to my files.txt
ASSISTANCE_IN_RECOVERY
_DECRYPT_ASSISTANCE_
_HELP_HELP_HELP_
BTC_DECRYPT_FILES
.TheTrumpLocker
READ-READ-READ
.weencedufiles
.powned
[KASISKI]
INSTRUCCIONES
_USE_TO_FIX_
.happydayzz
001-READ-FOR-DECRYPT-FILES
DECRYPT_INFORMATION
Rans0m_N0te_Read_ME
wowwhereismyfiles
decryptional
wowreadfordecryp
.HERMES
_DECRYPT_INFO_szesnl
000-IF-YOU-WANT-DEC-FILES
.evillock
.letmetrydecfiles
.yourransom
.lambda_l0cked
.gefickt
.sigaint.org
.HakunaMatata
.CRYPTOSHIELD
.weareyourfriends
MERRY_I_LOVE_YOU_BRUCE.hta
How decrypt files.hta
unCrypte
decipher_ne
.paytounlock
TRY-READ-ME-TO-DEC
protonmail.ch
LEER_INMEDIATAMENTE
.killedXXX
.doomed
000-No-PROBLEM-WE-DEC-FILES
.noproblemwedecfiles
WE-MUST-DEC-FILES
powerfulldecrypt
opensourcemail.org
READ_ME_TO_DECRYPT_YOU_INFORMA
file0locked
CryptoRansomware
.VBRANSOM
_HELP_Recover_Files_
.oops
.deria
.RMCM1
Locked-by-Mafia
-filesencrypted
decrypt_Globe
.hnumkhotep
.decrypt2017
DecryptFile
.L0CKED
1025-7152.exe
firstransomware.exe
HELP-ME-ENCED-FILES
helpmeencedfiles
EdgeLocker
.XBTL
.firecrypt
YOUR_FILES_ARE_DEAD
.airacropencrypted!
@mail.ru
WHERE-YOUR-FILES
Whereisyourfiles
india.com
_README.hta
_README.jpg
HOW_OPEN_FILES
.gangbang
GJENOPPRETTING_AV_FILER
!!! HOW TO DECRYPT FILES !!!
.braincrypt
INSTRUCTION RESTORE FILE
Survey Locker.exe
Receipt.exe
WindowsApplication1.exe
HWID Lock.exe
VIP72.exe
DALE_FILES.TXT
HOW_TO_RESTORE_YOUR_DATA
RESTORE_CORUPTED_FILES
Cyber SpLiTTer Vbs.exe
000-PLEASE-READ-WE-HELP
.VforVendetta
popcorn_time.exe
OSIRIS-
DesktopOsiris
inbox.ru
.no_more_ransom
.lovewindows
.osiris
.R.i.P
Important!.txt
!_HOW_TO_RESTORE_
HOW_TO_RESTORE_FILES
HOWTO_RECOVER_FILES_
HELP_RESTORE_FILES_
ThxForYurTyme
_HOW_TO_Decrypt
_RECOVER_INSTRUCTIONS
DECRYPTION INSTRUCTIONS.
decrypt explanations.
_WHAT_is.html
_HOWDO_text.html
readme_liesmich_encryptor_raas
_Adatok_visszaallitasahoz_utasitasok
README_TO_RECURE_YOUR_FILES
Your files encrypted by our friends !!!.txt
README HOW TO DECRYPT YOUR FILES.HTML
READ_IT.txt
!Recovery_
ATTENTION.url
README!!!
email-salazar_slytherin10
._AiraCropEncrypted!
README_RECOVER_FILES_
_HOWDO_text.html
_HOWDO_text.bmp
_HOWDO_text.html
zzzzzzzzzzzzzzzzzyyy
zycrypt.
decrypt your file
_H_e_l_p_RECOVER_INSTRUCTIONS+
HOW-TO-DECRYPT-FILES.HTML
HOW_TO_DECRYPT.HTML
exit.hhr.obleep
UnblockFiles.vbs
README_DECRYPT_HYDRA_ID_
DECRYPT_Readme.TXT.ReadMe
Decrypt All Files
HowDecrypt.gif
HELP_YOURFILES.HTML
HOW TO DECRYPT FILES.HTML
BUYUNLOCKCODE
BitCryptorFileList.txt
How_to_decrypt_your_files.jpg
How_to_restore_files.hta
Como descriptografar seus arquivos.txt
!Recovery_
Read_this_file.txt
ATTENTION!!!.txt
HELP_DECRYPT.lnk
how to decrypt aes files.lnk
restore_files.txt
HowDecrypt.txt
wie_zum_Wiederherstellen_von_Dateien.txt
paycrypt.bmp
maxcrypt.bmp
how_decrypt.gif
how to get data.txt
help_recover_instructions
help-file-decrypt.enc
enigma_encr.txt
enigma.hta
default432643264.jpg
default32643264.bmp
decypt_your_files.html
de_crypt_readme.txt
de_crypt_readme.html
de_crypt_readme.bmp
cryptinfo.txt
crjoker.html
_how_recover
_Locky_recover_instructions.bmp
_H_e_l_p_RECOVER_INSTRUCTIONS
_HELP_instructions.txt
_HELP_instructions.bmp
_DECRYPT_INFO_
Your files encrypted by our friends !!! txt
Your files are locked !.txt
Your files are locked !!.txt
Your files are locked !!!.txt
Your files are locked !!!!.txt
YOUR_FILES_ARE_LOCKED.txt
YOUR_FILES_ARE_ENCRYPTED.TXT
YOUR_FILES_ARE_ENCRYPTED.HTML
YOUGOTHACKED.TXT
UNLOCK_FILES_INSTRUCTIONS.txt
UNLOCK_FILES_INSTRUCTIONS.html
SIFRE_COZME_TALIMATI.html
SHTODELATVAM.txt
Read Me (How Decrypt) !!!!.txt
RESTORE_FILES_
READ_THIS_TO_DECRYPT.html
README_HOW_TO_UNLOCK.TXT
README_HOW_TO_UNLOCK.HTML
README_DECRYPT_UMBRE_ID_
README_DECRYPT_HYRDA_ID_
READ ME FOR DECRYPT.txt
READ IF YOU WANT YOUR FILES BACK.html
Payment_Instructions.jpg
ONTSLEUTELINGS_INSTRUCTIES.html
OKSOWATHAPPENDTOYOURFILES.TXT
MENSAGEM.txt
KryptoLocker_README.txt
Instructionaga.txt
ISTRUZIONI_DECRITTAZIONE.html
INSTRUCTIONS_DE_DECRYPTAGE.html
INSTRUCCIONES_DESCIFRADO.html
INSTALL_TOR.URL
IMPORTANT.README
IMPORTANT READ ME.txt
Howto_RESTORE_FILES.html
How to decrypt your data.txt
How to decrypt LeChiffre files.html
Help Decrypt.html
Hacked_Read_me_to_decrypt_files.html
HOW_TO_UNLOCK_FILES_README_
HOW_TO_RESTORE_FILES.html
HOW_DECRYPT.URL
HOW_DECRYPT.TXT
HOW_DECRYPT.HTML
HOWTO_RECOVER_FILES_
HOW TO DECRYPT FILES.txt
HELP_YOUR_FILES.html
HELP_YOUR_FILES.PNG
HELP_TO_SAVE_FILES.bmp
HELP_RESTORE_FILES_
HELP_DECRYPT.URL
HELP_DECRYPT.PNG
HELP_DECRYPT.HTML
GetYouFiles.txt
File Decrypt Help.html
FILES_BACK.txt
ENTSCHLUSSELN_HINWEISE.html
DecryptAllFiles
DESIFROVANI_POKYNY.html
DECRYPT_YOUR_FILES.txt
DECRYPT_YOUR_FILES.HTML
DECRYPT_ReadMe1.TXT
DECRYPT_INSTRUCTIONS.html
DECRYPT_INSTRUCTION.URL
DECRYPT_INSTRUCTION.HTML
DECRYPTION_HOWTO.Notepad
Comment débloquer mes fichiers.txt
BUYUNLOCKCODE.txt
AllFilesAreLocked
@ukr.net
.fuckyourdata
.encrypted.locked
.Where_my_files.txt
.RSplited
.KEYZ.KEYH0LES
.How_To_Get_Back.txt
.How_To_Decrypt.txt
.Contact_Here_To_Recover_Your_Files.txt
.31392E30362E32303136_
# DECRYPT MY FILES #.vbs
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.html
!Where_are_my_files!.html
!!!README!!!
!!!-WARNING-!!!.txt
!!!-WARNING-!!!.html
.magic_software_syndicate
maestro@pizzacrypts.info
howtodecryptaesfiles.txt
.SecureCrypted
decrypt-instruct
files_are_encrypted.
decryptmyfiles
help_instructions.
de_crypt_readme.
!recover!
recover}-
_help_instruct
_recover_
+recover+
warning-!!
decrypt my file
help_file_
recovery+
readme_for_decrypt
install_tor
readme_decrypt
howtodecrypt
howto_restore
how_to_recover
how_recover
how_to_decrypt
how to decrypt
help_restore
help_your_file
help_recover
help_decrypt
decrypt_instruct
cryptolocker.
recover_instruction
.hydracrypt_ID
.cryptotorlocker
.one-we_can-help_you
.OMG!
.nochance
.LOL!
.CryptoTorLocker2015!
.{CRYPTENDBLACKDC}
vault.txt
vault.key
recovery_key.txt
vault.hta
message.txt
recovery_file.txt
confirmation.key
enc_files.txt
last_chance.txt
want your files back.
_Locky_recover_instructions.txt
help_recover_instructions
recoverfile
Howto_Restore_FILES.TXT
recoveryfile
_how_recover.txt
.SUPERCRYPT
.helpdecrypt
only-we_can-help_you
.fileiscryptedhard
.blocatto
.8lock8
==READ==THIS==PLEASE==
randomname
.weapologize
SORRY-FOR-FILES
PLEASE-READ-WE-HELP.
CHECK-IT-HELP-FILES
HAPPEN-ENCED-FILES
HELP-ME-ENCED-FILES
PLS-DEC-MY-FILES
WE-MUST-DEC-FILES
No-PROBLEM-WE-DEC-FILES
TRY-READ-ME-TO-DEC
IF-YOU-WANT-DEC-FILES
LET-ME-TRY-DEC-FILES
READ-FOR-DECRYPT-FILES
PLEASE-READIT-IF_YOU-WANT
READ-READ-READ
WANT_FILES_BACK
READ-FOR-DECCCC-FILESSS
PLEASE-README-AFFECTED-FILES
_DEC_FILES.
.notfoundrans
.VforVendetta
.theworldisyours
.helpmeencedfiles
.wowwhereismyfiles
.wowreadfordecryp
.powerfulldecrypt
.noproblemwedecfiles
.weareyourfriends
.otherinformation
.letmetrydecfiles
.encryptedyourfiles
.weencedufiles
.filegofprencrp
.iaufkakfhsaraf
.cifgksaffsfyghd
.skjdthghh
.ransom
.breeding123
.mention9823
.suppose666
.moments2900
.country82000
.supported2017
.prosperous666
.disposed2017
.myrandsext2017
.loveransisgood
.areyoulovemyrans
.stubbin
.berkshire
\www.exe
\ps.exe
\nt.exe
\doliohdyjkajd.dll
\run2.exe
\ping2.exe
.pem
.crt
.ca-bundle
.cer
.csr
.der
.p7b
.p7r
.p7s
.pfx
.sto
.p12
.crl
.sst
.key
.mht
.cpl
.scr
.manifest
.inf
HammerDrillStatus.dll
PSReadLine\ConsoleHost_history.txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\
\Downloads
\Start Menu
\Start Menu\Programs
\Start Menu\Programs\Startup
C:\Windows\System32\svchost.exe
C:\Windows\System32\smss.exe
\Microsoft\Windows\INetCache\IE
\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates
WRITABLE.TST
C:\Windows\System32\wbem\Performance\
C:\Windows\System32\DriverStore\Temp\
C:\Windows\System32\wbem\Performance\
WRITABLE.TST
.SQM
.SPL
.SHD
C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
C:\Windows\system32\mobsync.exe
C:\Windows\Installer\
C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask
C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
.etl
.log
C:\WINDOWS\winsxs\amd64_microsoft-windows
Firefox Setup
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Windows\System32\config\netlogon.ftl
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe
C:\Windows\System32\smss.exe
C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe
C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Windows\system32\igfxCUIService.exe
Google\Chrome\User Data\Safe Browsing\UrlUws.store_new
Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new
Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new
Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new
Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new
Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new
Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new
Google\Chrome\User Data\Safe Browsing\IpMalware.store_new
Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new
Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new
Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new
Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new
.default\prefs-1.js
C:\Windows\System32\Tasks\Adobe Acrobat Update Task
C:\Windows\System32\Tasks\Adobe Flash Player Updater
C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe
C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe
C:\Windows\System32\config\systemprofile\TOSHIBA\
TOSHIBA\eSTUDIOX\UNIDRV
N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll
N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll
C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent
C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\
C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe
C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
C:\Program Files\N-able Technologies\Endpoint Update Server\bin\EPUpdateServer.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\AVDefender\Installer.exe
C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe
C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe
\Runtime\1.0\NodeRunner.exe
\CurrentVersion\Run
\Group Policy\Scripts
\Windows\System\Scripts
\Microsoft\System\Scripts
\ServiceDll
\ImagePath
\Start
HKLM\SYSTEM\Setup\CmdLine
Session Manager\KnownDlls
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages
HKLM\HARDWARE\ACPI\DSDT
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\Software\Microsoft\Command Processor\AutoRun
HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun
\Software\Microsoft\Command Processor\AutoRun
HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
UserInitMprLogonScript
\CurrentVersion\Font Drivers
Active Setup\Installed Components
Windows CE Services\AutoStartOnConnect
Windows CE Services\AutoStartOnDisconnect
CurrentVersion\Windows\IconServiceLib
Winlogon\AlternateShells\AvailableShells
Terminal Server\Wds\rdpwd\StartupPrograms
SafeBoot\AlternateShell
Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
Policies\System\Shell
Desktop\Scrnsave.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
\Explorer\FileExts\
\shell\install\command\
\shell\open\command\
\shell\open\ddeexec\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
\InprocServer32\(Default)
\PropertySheetHandlers
\CopyHookHandlers
\ColumnHandlers
\ExtShellFolderViews
\ShellServiceObjects
\ShellServiceObjectDelayLoad
\SOFTWARE\Classes\Protocols\Filter
\SOFTWARE\Classes\Protocols\Handler
\Software\Microsoft\Ctf\LangBarAddin
\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
\SharedTaskScheduler
\ContextMenuHandlers\
\CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
\Classes\Folder\
\Classes\*\
\Classes\AllFilesystemObjects\
\Classes\Directory\
\Classes\Drive\
\ShowSuperHidden
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
\ProxyServer
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy
\DisableSecuritySettingsCheck
\3\1206
\3\2500
\3\1809
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKLM\SOFTWARE\Microsoft\Netsh
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
EnableFirewall
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
Office Test\
\Outlook\Addins\
\Excel\Addins\
\Word\Addins\
\Access\Addins\
\Powerpoint\Addins\
\Internet Explorer\Toolbar\
\Internet Explorer\Extensions\
\Browser Helper Objects\
{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
\UrlUpdateInfo
\InstallSource
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunService
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
CurrentVersion\Windows\Load
CurrentVersion\Windows\Run
CurrentVersion\Winlogon\Shell
CurrentVersion\Winlogon\System
\Software\Policies\Microsoft\Windows\System\Scripts\Logon
\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown
\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff
\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Domain
DefaultGateway
DHCPDefaultGateway
DhcpIPAddress
DhcpNameserver
Nameserver
Dhcpserver
DhcpSubnetMask
SubnetMask
PersistentRoutes
}\Category
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
\Software\Microsoft\Terminal Server Client
\WRData\Threats\Active
\WRData\Threats\History
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
\Security\Level
\Security\Level1Remove
HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\HideSCAHealth
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
\Software\Classes\mscfile\shell\open\command
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
\comfile\shell\open\command
\htafile\shell\open\command
\batfile\shell\open\command
\piffile\shell\open\command
\exefile\shell\open\command
Classes\exefile\shell\runas\command\isolatedCommand
\piffile\shell\open\command
\regfile\shell\open\command
\mscfile\shell\open\command
\InprocServer32
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
\FriendlyName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic
Office\root\integration\integrator.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\Windows Defender\MsMpEng.exe
\Microsoft\Exchange Server
Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\
HKLM\SOFTWARE\Microsoft\ExchangeServer\
HKLM\CLUSTER\ExchangeActiveManager
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
Toolbar\WebBrowser
Toolbar\WebBrowser\ITBar7Height
Toolbar\WebBrowser\ITBar7Layout
Toolbar\ShellBrowser\ITBar7Layout
Internet Explorer\Toolbar\Locked
Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}
Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}
Toolbar\WebBrowser\ITBar7Layout
ShellBrowser
\CurrentVersion\Run
\CurrentVersion\RunOnce
\CurrentVersion\App Paths
\CurrentVersion\Image File Execution Options
\CurrentVersion\Shell Extensions\Cached
\CurrentVersion\Shell Extensions\Approved
\PreviousPolicyAreas
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
\Components\TrustedInstaller\Events
\Components\TrustedInstaller
\Components\Wlansvc
\Components\Wlansvc\Events
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
\Directory\shellex
\Directory\shellex\DragDropHandlers
\Drive\shellex
\Drive\shellex\DragDropHandlers
_Classes\AppX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\DeviceAssociationService\Start
\services\BITS\Start
\services\TrustedInstaller\Start
\services\tunnel\Start
\services\UsoSvc\Start
\OpenWithProgids
\OpenWithList
\UserChoice
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
} 0xFFFF
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf
SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\
SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\
SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\
SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\
SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\
HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime
\safer\codeidentifiers\0\HASHES\{
} 0xFFFF
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start
HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
\LTSvcMon\Start
\LTService\Start
{F2C2787D-95AB-40D4-942D-298F5F757874}
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\
\Software\Policies\Microsoft\SystemCertificates\
HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\
\SOFTWARE\Microsoft\EnterpriseCertificates\
HKLM\SOFTWARE\Microsoft\SystemCertificates\
C:\Windows\SysWOW64\SearchProtocolHost.exe
HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice
HKCR\VLC.
HKCR\iTunes.
\Software\NITRO\PRO
HKLM\SOFTWARE\Wow6432Node\WRData\Status
HKLM\System\CurrentControlSet\Services\RapportIaso
HKLM\System\CurrentControlSet\Services\gzflt
HKLM\System\CurrentControlSet\Services\trufos
HKLM\System\CurrentControlSet\Services\wudfsvc
HKLM\System\CurrentControlSet\Services\EFS
HKLM\System\CurrentControlSet\Services\avc3
HKLM\System\CurrentControlSet\Services\NableRemoteService
HKLM\System\CurrentControlSet\Services\TabletInputService
HKLM\System\CurrentControlSet\Services\AdobeARMservice
HKLM\System\CurrentControlSet\Services\EPUpdateService
HKLM\System\CurrentControlSet\Services\ScreenConnect
HKLM\System\CurrentControlSet\Services\EPSecurityService
HKLM\System\CurrentControlSet\Services\EPIntegrationService
HKLM\System\CurrentControlSet\Services\wrUrlFlt
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC
HKLM\System\CurrentControlSet\Services\avckf
HKLM\System\CurrentControlSet\services\NableRemoteService
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC
HKLM\System\CurrentControlSet\Services\BDElam
Content.Outlook
Downloads
Temp\7z
Startup
.vb
.application
.appref-ms
.bat
.cmd
.cmdline
.docm
.exe
.dll
.sys
.hta
.pptm
.ps1
.sys
.reg
.docm
.xlsm
.xlam
.pptm
.potm
.pptm
.sldm
.scf
.appref-ms
.rdp
.vbs
.js
.pem
.crt
.ca-bundle
.cer
.csr
.der
.p7b
.p7r
.p7s
.pfx
.sto
.p12
.crl
.sst
.key
.mht
.manifest
.cpl
.scr
.inf
291ff87948e45914424cec9510c297da
304772c80b157a916c7041f2f15939fb
5E022694C0DBD1FBBC263D608E577949
88ce6c0affcdbdc82abe53957dddfa12
.default\prefs-1.js
\Mozilla\Firefox\Profiles\
\Microsoft\Windows\INetCache\
\Microsoft\Windows\Temporary Internet Files\Content.IE5
\isapi_http
\isapi_dg
\isapi_dg2
\isapi_http
\sdlrpc
\ahexec
\winsession
\lsassw
\46a676ab7f179e511e30dd2dc41bd388
\9f81f59bc58452127884ce513865ed20
\e710f28d59aa529d6792ca6ff0ca1b34
\rpchlp_3
\NamePipe_MoreWindows
\pcheap_reuse
\
lsass
\SQLLocal\RTCLOCAL
\spoolss
\M.E.C.Core.WinRMDataCommunicator.NamedPipe.
c:\windows\system32\inetsrv\w3wp.exe
C:\Windows\syswow64\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE
Exchange Server
C:\Windows\system32\dns.exe
\sql\query
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe
C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe
C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe
C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe
C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
C:\Windows\system32\DFSRs.exe
C:\Windows\SystemApps\Microsoft.Windows
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\System32\LxRun.exe
vmware-
\System
\InitShutdown
C:\Windows\System32\wininit.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\services.exe
\ntsvcs
\scerpc
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
C:\Windows\System32\smss.exe
C:\Windows\System32\spoolsv.exe
\epmapper
\atsvc
\browser
\srvsvc
\Winsock2CatelogChangeListener
ProtectedPrefix\LocalService\FTHPIPE
\W32TIME_ALT
\eventlog
\wkssvc
\TDLN-
\WiFiNetworkManagerTask
\MsFteWds
\WRSVCPipe
\WRSynUM2
\wrUrl
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
AppData\Local\Google\Chrome\User Data\SwReporter\
mojo.
crashpad_
chrome.
GoogleCrashServices
slack.exe
booma\
qtsingleapp-enpass-
qtsingleapp-enpass-
eo.ipc.
C:\Program Files\Windows Firewall Control\wfc.exe
Everything Service
anchor_gui_agent
Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe
C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
C:\Program Files\Lenovo\HOTKEY\shtctky.exe
C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE
C:\Windows\System32\LPlatSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE
C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe
C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe
c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
N-able Technologies\Windows Agent\bin\agent.exe
N-able Technologies\AVDefender\EPIntegrationService.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\OpenVPN\bin\openvpnserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
C:\Program Files\Lenovo\HOTKEY\tphkload.exe
C:\Program Files\Lenovo\
C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe
Graylog-collector-sidecar.exe
C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe
C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe
C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe
C:\Program Files (x86)\SmartGit\bin\smartgit.exe
C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files (x86)\Enpass\Enpass.exe
C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe
C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe
SQLAnywhereLRM
pgsignal
postgres.exe
MICROSOFT##WID\tsql\query
TSVCPIPE-
BB4BB19A178C25D1
SQLAnywhereLRM
SQLLocal
DropboxPipe_
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe
C:\Pfx Engagement\WM\PFXEngagement.exe
C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe
C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
QBW32.EXE
EXCEL.EXE
ADCUpdate.exe
Hydrous.Host.exe
TNSLSNR.exe
ShoreWare Server