md5,sha1,sha256,imphash
TEMP\nessus_;nessus_task_list
TEMP\nessus_;nessus_task_list
rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe
advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe
Network Scanner;Advanced IP Scanner
adfind
adfind
-gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp
PurpleSharp;xyz123456
PurpleSharp
/serverlevelplugindll
add;sslcert;http
http del sslcert
C:\Users\
Content.Outlook
.SettingContent-ms
immersivecontrolpanel
Hwp.exe
gbb.exe
iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe
tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe
apt-config
cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd
C:\Windows\Setup
C:\Windows\SysWOW64
C:\Windows\System32
C:\Windows\WinSxS
consent.exe
http
iexplore.exe
SYSTEM
w3wp.exe
\csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe
w3wp.exe
appcmd.exe
appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I
apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe
arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe
cmd.exe
ping 127.0.0.1
c:\windows\system32\inetsrv\
svchost.exe;termsvcs
rdpclip.exe;csrss.exe;wininit.exe
dns.exe
werfault.exe;conhost.exe;dnscmd.exe;dns.exe
UMWorkerProcess.exe;UMService.exe
perfenabled
UMWorkerProcess.exe;UMService.exe
perfenabled
wemgr.exe;werfault.exe
\wwwroot\
\Atlassian\Confluence\jre\bin\java.exe
cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin
DesktopCentral_Server\jre\bin\java.exe
cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin
\jre\bin\java.exe
cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe
\Atlassian\Confluence\jre\bin\java.exe
sqlservr
arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe
keytool.exe
cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe
bash.exe;cmd.exe;powershell.exe;pwsh.exe
id -Gn `;id /Gn `;id -Gn ';id /Gn '
e=Access&;y=Guest&;&p=;&c=;&k=
wmic.exe
process;call;create
wmic.exe
call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share
C:\Users\;$Recycle;\Temp\;\Downloads\
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
conhost.exe
svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe
conhost.exe
conhost.exe
:\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe
\cmd.exe;WindowsTerminal;powershell
explorer.exe
cmd.exe
powershell.exe;powershell_ise.exe
Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\
mysql server
select-object displayversion,displayname
cscript.exe;wscript.exe
powershell.exe;powershell_ise.exe
cscript.exe;wscript.exe
powershell.exe;powershell_ise.exe
powershell.exe;powershell_ise.exe
mshta.exe
wscript.exe;cscript.exe
IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload
wscript.exe
.jse
.js
.vba
.vbe
\wscript.exe;\cscript.exe
\rundll32.exe;regsvr32.exe
\rundll32.exe;regsvr32.exe
.dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim
setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI
\MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc
cscript.exe
.js
.jse
.vba
.vbe
mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=
.jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta
C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe
C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE
regedit.exe
explorer.exe
\svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe
C:\windows\System32\;C:\windows\syswow64\
\wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe
\spoolsv.exe;\PrintIsolationHost.exe
C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe
C:\Windows\system32\spool\DRIVERS
Brother Industries;Thomson Reuters
COMSPEC
ScriptFile
\Temp\7z
\Temp\Temp1_
\Temp\Rar$
powershell.exe;powershell_ise.exe
C:\users\
Microsoft VS Code\Code.exe
\Deployment tool extract\setupodt.exe
Shellcode
ipy.exe
python.exe
-agentpath:
-agentlib:
winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe
tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe;msidb.exe
.cmd;-
C:\Windows\system32\spool\DRIVERS\
PhotoViewer.dll
outlook.exe
http:;https:;ftp:;mailto:;tel:
.html
outlook.exe
http:;https:;ftp:;mailto:;tel:
.html"
outlook.exe
http:;https:;ftp:;mailto:;tel:
.html"
outlook.exe
.pdf"
outlook.exe
.pdf
outlook.exe
.iso"
outlook.exe
.iso
outlook.exe
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe;BrowserAssist.exe;\msedgewebview;\msedge.exe
http:;https:;ftp:;mailto:;tel:
outlook.exe
http:;https:;ftp:;mailto:;tel:
\Content.Outlook\;\Downloads\;\Documents\;:\Users\Public\;\Desktop\
outlook.exe
\\
winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe
C:\Users\
.exe
Zoom Video
Firefox
Microsoft Edge
Microsoft Teams
GrammarlyAddInSetupe
Teams.exe
Zoom.exe
browser_broker.exe
chrome.exe
edge.exe
firefox.exe
iexplore.exe
vivaldi.exe
winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe
C:\ProgramData\
Firefox
Microsoft Edge
Microsoft Teams
Zoom Video
.zip\
acrobat.exe;acrord32.exe
tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe
winword.exe;powerpnt.exe;excel.exe
control.exe
input.dll
msdt.exe
msdt.exe
BrowseForFile=;PCWDiagnostic
/af;-af
msdt.exe
pcwrun.exe
PCWDiagnostic
msdt.exe
/cab;-cab
.diagcab
powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe
msdt.exe
EQNEDT32.EXE
winword.exe;excel.exe;powerpnt.exe
FLTLDR.EXE
/dde;-dde
schtasks.exe
/create;-create;/change;-change
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
taskeng.exe
schtasks.exe
/Run;-run
Sentinel\AutoRepair
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
schtasks.exe
schtasks /TN RtkAudUService64_BG
-change;/change;-delete;/delete;-create;/create
at.exe
at.exe
C:\Windows\System32\svchost.exe
netsvcs;-p;-s;Schedule
netsvcs;-p;-s;Schedule
net.exe;net1.exe;net2.exe
stop
tvsu_tmp
net.exe;net1.exe;net2.exe
start
tvsu_tmp
wmiprvse.exe;mmc.exe;explorer.exe;services.exe
&1;cmd.exe;\\127.0.0.1\;/Q /c
wmiprvse.exe;mmc.exe;explorer.exe;services.exe
&1;cmd.exe;\\127.0.0.1\;-Q -c
schtasks;Create;ONLOGON;TN;Updater;TR;powershell
sc.exe
create
\NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\
sc.exe
config;binpath
cmd.exe;powershell.exe
services.exe
new-service
psexesvc.exe
Execute processes remotely
psexe
PsExec Service
PsExec Launched
accepteula
Execute processes remotely
-s;/s
psexec.exe
pskill.exe
pskill
C:\WINDOWS\system32\svchost.exe -k NetworkService -p
C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm
C:\WINDOWS\system32\svchost.exe;RPCSS
C:\WINDOWS\system32\svchost.exe;RPCSS
werfault.exe
&& type
>
cmd.exe" /c cd
ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation
ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy
ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy
--disable-http2 --disable-quic
/Client/Login?id=
JABzA
2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733
c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB
22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bd
a06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7
a53a02b997935fd8eedcb5f7abab9b9f
e96a73c7bf33a464c510ede582318bf2
serialfunc.exe
e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco 
aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA
FromBase64String
JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA
/v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced
JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA
e^;^en^;^nc
^
..\;\..
\cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe
ping.exe -n 6 127.0.0.1 &ping.exe /n 6 127.0.0.1 & type
System.Net.Networkinformation.ping
mofcomp.exe
net.exe;net1.exe;net2.exe
user;group;localgroup
remove;delete;active;del
tvsu_tmp
net.exe;net1.exe;net2.exe
user
add
tvsu_tmp
dsmod.exe
dsadd.exe
WerFault.exe
-s;/s
cmd.exe
echo;\pipe\;>
cmd.exe
/c;copy;dll;\\;admin$
rundll32.exe
,;StartW
rundll32.exe
,;update;appdata;temp;/i:
rundll32.exe
,;update;appdata;temp;-i:
dllhost.exe
{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}
dllhost.exe
{3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C}
winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe
powershell.exe;pwsh.exe;cmd.exe
AUTHORI;AUTORI
route ; ADD
eventvwr.exe
c:\windows\system32\mmc.exe
fodhelper.exe
InstallUtil.exe
Invoke-PsUaCme
BypassUAC
PowerUp
computerdefaults.exe
dism.exe
fodhelper.exe
NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC
NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM
c:\windows\system32\svchost.exe -k netsvcs -s Appinfo
runas.exe
Cmd.Exe
winlogon.exe
utilman.exe
Cmd.Exe
winlogon.exe
sethc.exe
utilman.exe
C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe
sethc.exe
osk.exe
Magnify.exe
DisplaySwitch.exe
Narrator.exe
AtBroker.exe
sdbinst.exe
dwm.exe
cmd.exe
7zFM.exe
;/c;-c
cmd.exe
elevation_service.exe
System
unknown process
\LocalState\rootfs\
\LocalState\rootfs\
auditpol
/set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL
+s;+h
attrib.exe
Hidden;Attributes
powershell.exe
Sysinternals Sysmon
/u;/c;-u;-c
C:\ProgramdData\sysmon\
MpCmdRun.exe
Add-MpPreference;RemoveDefinitions;DisableIOAVProtection
IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE
IMPHASH=19584675D94829987952432E018D5056
IMPHASH=330768a4f172e10acb6287b87289d83b
PsKill.exe
Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe
RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection
interface ipv6 set
interface ipv4 set
taskkill.exe
firewall delete
firewall add
firewall set opmode disable
Core Networking - Router Solicitation
netsh advfirewall firewall
wevtutil.exe
cl
wevtutil im
wevtutil.exe im
ClickToRun
fltMC.exe
detach;unload
appcmd.exe
DontLog;True
iisetup.exe
set;NGenAssemblyUsageLog
New-ItemProperty;NGenAssemblyUsageLog
reg;add;dword;NGenAssemblyUsageLog
$env;NGenAssemblyUsageLog
set;COMPlus_ETWEnabled
New-ItemProperty;COMPlus_ETWEnabled
reg;add;dword;COMPlus_ETWEnabled
$env;COMPlus_ETWEnabled
bash.exe;wsl.exe;ubuntu.exe;kali.exe
-e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d
wsl.exe
wsl.exe
wslhost.exe
wslhost.exe
ubuntu.exe
ubuntu.exe
kali.exe
kali.exe
distro-id;vm-id
pcalua.exe
pcalua.exe
bash.exe
bash.exe
forfiles.exe
forfiles.exe
.com
-appvscript
C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\
.exe
.7z.exe
.doc.exe
.doc.exe
.docx.exe
.ico.exe
.iso.exe
.lnk.exe
.pdf.exe
.ppt.exe
.pptx.exe
.rar.exe
.rtf.exe
.txt.exe
.xls.exe
.xlsx.exe
.zip.exe
______.exe
reg add hkcu\software\classes\
reg.exe add hkcu\software\classes\
C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry
regedit.exe
:
reg.exe
delete
regedit.exe
/d;-d
HKCU:;HKLM
remove-item
HKCU:;HKLM
set-item;new-item
chcp.exe
936
1256
864
1258
855
866
powershell.exe
-e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand
powershell.exe
-w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h
powershell.exe
-ex;/ex
bypass
powershell.exe
-noni;/noni
Import-Module FileServerResourceManager
C:\Program Files\LogicMonitor
powershell.exe
hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join
powershell.exe
SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE
C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p
IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC
WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden
^
TYPE CON >
copy CON >
FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex
ngen.exe;install
certutil
decode;encode
ping.exe
0x
csc.exe
\AppData\;\Windows\Temp\
csc.exe
wscript.exe
cscript.exe
mshta.exe
mofcomp.exe
.mof
C:\WINDOWS\Installer\MSI
MsMpEng.exe
aspnet_regiis.exe
msiexec.exe
csc.exe
out:;target:library
Microsoft.Workflow.Compiler.exe
autochk.exe
\smss.exe;\fontdrvhost.exe;\dwm.exe
\consent.exe;\Runtimebroker.exe;\TiWorker.exe
\svchost.exe
-
\consent.exe;\Runtimebroker.exe;\TiWorker.exe
svchost.exe
-
SearchProtocolHost.exe
\SearchIndexer.exe;\dllhost.exe
-
dllhost.exe
\services.exe;\svchost.exe
-
smss.exe
\smss.exe
System
-
csrss.exe
-
\smss.exe;svchost.exe
wininit.exe
-
\smss.exe
winlogon.exe
\smss.exe
\lsass.exe;LsaIso.exe
\wininit.exe
LogonUI.exe
\wininit.exe;\winlogon.exe
services.exe
\wininit.exe
svchost.exe
-
\MsMpEng.exe;\services.exe
spoolsv.exe
\services.exe
taskhost.exe
\services.exe;\svchost.exe
userinit.exe
\dwm.exe;\winlogon.exe
\wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe
-
\svchost.exe
\SearchProtocolHost.exe;\taskhost.exe;\csrss.exe
\werfault.exe;\wermgr.exe;\WerFaultSecure.exe
autochk.exe
\chkdsk.exe;\doskey.exe;\WerFault.exe
smss.exe
\autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe
wermgr.exe
\WerFaultSecure.exe;\wermgr.exe;\WerFault.exe
wermgr.exe
wermgr.exe
\rundll32.exe;\regsvr32.exe
\explorer.exe;\wermgr.exe;\msra.exe;\OneDriveSetup.exe;\mobsync.exe;\xwizard.exe
.exe
conhost.exe
\mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe
System.Management.Automation
"C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install
InstallUtil.exe
/logfile=;/LogToConsole=false;/U
InstallUtil.exe
-logfile=;-LogToConsole=false;-U
Mavinject.exe;mavinject64.exe
INJECTRUNNING
CMSTP.exe
/ni;/s
CMSTP.exe
/ns;/s
CMSTP.exe
-ni;-s
CMSTP.exe
-ns;-s
rundll32.exe;shell32.dll;_RunDLL
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
odbcconf.exe
/S /A {REGSVR;-S -A {REGSVR
script:http
Register-cimprovider
Scriptrunner.exe -appvscript
bginfo
cbd
runscripthelper.exe surfacecheck
xwizard RunWizard
PresentationHost
driver executeinf
control.exe /name;control.exe -name
Control_RunDLL
SyncAppvPublishingServer.exe
Scriptrunner.exe
ATBroker.exe
Appvlp.exe
InfDefaultInstall.EXE
PresentationHost.exe
RegisterCimProvider2.exe
RegisterCimProvider.exe
ScriptRunner.exe
csi.exe
extexport.exe
msconfig.EXE
rasdlui.exe
tttracer.exe
verclsid.exe
wab.exe
Register-cimprovider.exe
csi.exe
devtoolslauncher.exe LaunchForDeploy
bginfo
devtoolslauncher.exe
wab.exe
wsreset.exe
cmstp.exe /ni /s;cmstp.exe -ni -s
cmstp /ni /s;cmstp -ni -s
Mavinject.exe
INJECTRUNNING
rundll32.exe
DllRegisterServer
xapauthenticodesip.dll
regsvr32.exe
C:\Users;Appdata;Temp
regsvr32.exe
C:\Users;Public
Microsoft(C) Register Server
SyncAppvPublishingServer.exe
control.exe
rasautou.exe
control.exe /name;control.exe -name
Control_RunDLL
msiexec.exe
/y;-y
C:\Windows\SysWOW64\DartSock.dll
C:\Windows\SysWOW64\ImageViewer2.OCX
C:\Windows\SysWOW64\SysTray.ocx
C:\Windows\SysWOW64\tdbg6.ocx
C:\Windows\SysWOW64\tdbg7.ocx
C:\Windows\SysWOW64\tdbg7.ocx
C:\Windows\SysWOW64\todg7.ocx
C:\Windows\SysWOW64\todgub7.dll
C:\Windows\SysWOW64\xarraydb.ocx
msiexec.exe
/i;-i
http
RUNDLL32.EXE
,;#
C:\Windows\resources\themes\Aero\AeroLite.msstyles
uxtheme.dll
ImageView_Fullscreen
EDGEHTML.dll
PhotoViewer.dll
\AppData\Local\WebEx\WebEx\
RUNDLL32.EXE
-sta;/sta
RUNDLL32.EXE
-localserver;/localserver
RUNDLL32.EXE
shell32.dll;OpenAs_RunDLL
RUNDLL32.EXE
powershell
RUNDLL32.EXE
url.dll;OpenURL
RUNDLL32.EXE
url.dll;FileProtocolHandler
RUNDLL32.EXE
zipfldr.dll;RouteTheCall
RUNDLL32.EXE
Shell32.dll;Control_RunDLL
RUNDLL32.EXE
javascript:
RUNDLL32.EXE
RegisterXLL
rundll32.exe
C:\Users;Public
rdpinit.exe
rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe
rundll32.exe
C:\Users;Appdata;Temp
ImageView_
rdpinit.exe
rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe
advpack.dll;LaunchINFSection
ieadvpack.dll;LaunchINFSection
syssetup.dll;SetupInfObjectInstallAction
setupapi.dll;InstallHinfSection
InstallHinfSection
infDefaultInstall.exe
rundll32.exe "C:\Windows\twain_64.dll"
shdocvw.dll;OpenURL
advpack.dll;RegisterOCX
Zipfldr.dll;RouteTheCall
url.dll;FileProtocolHandler
url.dll;FileProtocolHandler
OpenURLA;file:
OpenURL;file:
mshta.exe
cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin
mshta.exe
RunHTMLApplication
mshtml
vbscript:CreateObject
odbcconf.exe
manage-bde.wsf
powershell.exe;powershell_ise.exe
msbuild.exe
msbuild.exe
regasm.exe
msbuild.exe
userinit.exe
msbuild.exe
.xml
regasm.exe
\conhost.exe
msbuild.exe
.lnk
.csproj
msxsl.exe
msxsl.exe
/stext
keylog
keyscan_
Get-Keystrokes
/scomma
sniff
C:\Program Files\Adobe\
tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe
windump;tshark;tcpdump;windump;wireshark
netsh;trace;start;capture=yes
vssadmin.exe
create;shadow
wmic.exe
shadowcopy;call;create
wmic.exe
call;create;esentutl;vss
win32_shadowcopy;create;clientaccessible
mklink;GLOBALROOT;Shadow
copy;NTDS\ntds.dit
ntdsutil.exe
copy;System32\config\SYSTEM
reg;save;HKLM
mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi
cmdkey
rpcping.exe
nltest.exe
-ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds:
VaultCloseVault
VaultEnumerateItem
VaultFree
VaultGetItem
VaultOpenVault
Vaultcmd
vaultcli.dll
select * from moz_login
Invoke-WinEnum
System.Net.CredentialCache
create shadow
wlan;export;profile;key=clear
dcsync
HKCU /f password;HKCU -f password
HKLM /f password;HKLM -f password
nltest.exe
ProcDump.exe
ProcDump
asktgt;asktgs
createnetonly /program:;createnetonly -program:
dump /service:krbtgt;dump -service:krbtgt
harvest /interval:;harvest -interval:
renew /ticket:;renew -ticket:
asreproast
impersonateuser:
kerberoast
ptt /ticket:
klist.exe
hh.exe
appcmd.exe
list;text;password
quser.exe
net.exe;net1.exe;net2.exe
group;localgroup; user
/domain
SUService
\users
tvsu_tmp
net.exe;net1.exe;net2.exe
group;localgroup; user
/domain
SUService
\users
tvsu_tmp
sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus
sharphound;bloodhound
sharphound;bloodhound
sharphound;bloodhound
sharphound;bloodhound
sharphound;bloodhound
sharphound;bloodhound
dscl . list /Groups;dscl . list -Groups
dscl . list /Users;dscl . list -Users
dsquery.exe
query.exe
tree.com
auditpol
/get;-get;/list;-list;/backup;-backup
gpresult.exe
get-gpo;get-gpresult;get-gpreg
tasklist.exe
qprocess.exe
reg query
reg.exe query
driverquery.exe
tracert.exe
pathping.exe
find;385201
select-string;385201
find;virus
select-string;virus
process;Description;virus
find;cb
select-string;cb
process;Description;cb
find;defender
select-string;defender
process;Description;defender
find;crowdstrike
select-string;crowdstrike
process;Description;crowdstrike
find;sentinel
select-string;sentinel
process;Description;sentinel
find;nessusd
select-string;nessusd
process;Description;nessusd
find;td-agent
select-string;td-agent
process;Description;td-agent
find;cbagentd
select-string;cbagentd
process;Description;cbagentd
find;sysmon
select-string;sysmon
process;Description;sysmon
find;winlogbeat
select-string;winlogbeat
process;Description;winlogbeat
find;winlogbeat
select-string;winlogbeat
process;Description;winlogbeat
find;csfalcon
select-string;csfalcon
process;Description;csfalcon
find;splunk
select-string;splunk
process;Description;splunk
find;sidecar
select-string;sidecar
process;Description;sidecar
fltMC.exe
misc::mflt
AntiVirusProduct
root\SecurityCenter2
sysinfo.exe
systeminfo
netsh.exe
get;list;show
netsh.exe
get;list;show
ipconfig.exe
netstat.exe
arp -a
arp.exe -a
arp -a
whoami.exe;whoami1.exe
wmic.exe
get;useraccount
netsh.exe
add;set
encryption;dohtemplate
netsh.exe
add;del;set
nbtstat
nessus
route.exe
print
route.exe
ADD;DEL;CHANGE;-f
qwinsta.exe
rwinsta.exe
Microsoft Office\root\Office
Microsoft Office\root\Office
automation;Embedding
admin$
davclnt.dll
WebClientGroup
/shadow;-shadow
noConsentPrompt
tscon.exe
dest:rdp-tcp:
powershell.exe
WmiPrvSE.exe
WmiPrvSE.exe
\Users\
NetworkDetective
WmiPrvSE.exe
sc.exe
tenable
WmiPrvSE.exe
cmd.exe
WmiPrvSE.exe
do_vbsUpload;Spiceworks
regsvr32.exe
WmiPrvSE.exe
cmd.exe
WmiPrvSE.exe
powershell.exe
WmiPrvSE.exe
dsa.msc
virtmgmt.msc
wmiprvse.exe
CompMgmtLauncher.exe
DismHost.exe
Microsoft.NET\Framework
NetEvtFwdr.exe
ServerManager.exe
WerFault.exe
chcp.com
g2mupdate.exe
slack.exe
wsmprovhost.exe
cmd.exe
sh.exe
bash.exe
wsl.exe
powershell.exe
powershell_ise.exe
schtasks.exe
at.exe
certutil.exe
mshta.exe
whoami.exe
ping.exe
ping.exe
bitsadmin.exe
winrm.cmd
winrs.exe
winrshost.exe
waitfor.exe
wsmprovhost.exe
winrshost.exe
wsmprovhost.exe
wmiprvse.exe
mshta.exe
ssh.exe;putty.exe;kitty.exe;kitty_portable.exe
PuTTY suite
sftp;psftp
rundll32.exe
rundll32.exe
..\;,
rundll32.exe
,StartW
psshutdown
psservice
PsPasswd
mstsc.exe
telnet.exe
tftp.exe
powershellcustomhost
-Embedding
c:\windows\system32\mmc.exe
--execm;atexec
{4991d34b-80a1-4291-83b6-3328366b9097}
{00020812-0000-0000-C000-000000000046}
{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}
{7e0423cd-1119-0928-900c-e6d4a52a0715}
{0006F04A-0000-0000-C000-000000000046}
{048EB43E-2059-422F-95E0-557DA96038AF}
{13709620-C279-11CE-A49E-444553540000}
{c08afd90-f2a1-11d1-8455-00a0c91f3880}
9BA05972-F6A8-11CF-A442-00A0C90A8F39
{00021A20-0000-0000-C000-000000000046}
{72C24DD5-D70A-438B-8A42-98424B88AFB8}
{00020906-0000-0000-C000-000000000046}
{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}
{1b7cd997-e5ff-4932-a7a6-2a9e636da385}
{16d51579-a30b-4c8b-a276-0ff4dc41e755}
rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta
shell32.dll;SHCreateLocalServerRunDll
-k DcomLaunch;/k DcomLaunch
7z.exe
a -mx9 -r0 -p;a -v500m -mx9 -r0 -p
7z
7z
winrar
winrar
winrar
winrar
winzip
winzip
Compress-Archive
WindowsAudioDevice-Powershell-Cmdlet
SoundRecorder.exe
clip.exe
get-clipboard
New-MailboxExportRequest
add-pssnapin;exchange;new-managementroleassignment;applicationimpersonation
screencapture
system.drawing.Imaging
system.drawing.bitmap
system.windows.forms.screen
odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v
ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe
wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI
msedgeupdate.dll
VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF
powershell.exe
AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl
Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք
certutil.exe
urlcache;split;f
DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest
powershell.exe;cmd.exe
bitsadmin.exe
CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME
util;setieproxy;localsystem;AUTODETECT
BITS administration utility
CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME
\curl.exe;\wget.exe;\www.exe
\curl.exe;\wget.exe;\www.exe
certutil
split;f
certutil
verifyctl;URL
C:\Perflogs\;C:\Users\Public\;C:\root\
C:\Perflogs\;C:\Users\Public\;C:\root\
start-bitstransfer
expand \\
expand.exe \\
ieexec http
ieexec.exe http
powercat
esentutl /y \\;esentutl -y \\
esentutl.exe /y \\;esentutl.exe -y \\
extrac32 \\
extrac32.exe \\
portproxy
tor.exe
TeamViewer_Desktop.exe
psexec
winscp.exe;winscp.com;scp.exe;pscp
bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv >>;rsync -r
CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await
.exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer
-q=txt;/q=txt
nslookup.exe
rclone
Rsync for cloud storage
rclone
rclone
\rclone
s3browser
s3browser
s3browser
s3browser
add-ftp;.UploadFile(
ftp.exe
rundll32.exe
davclnt.dll;DavSetCookie
bcdedit.exe
safeboot
bootcfg.exe
safeboot
-startvm;vrun.exe -vm
vssadmin.exe
delete;resize
wmic.exe
shadowcopy;delete
wbadmin.exe
SYSTEMSTATEBACKUP;delete
wmic.exe
wmic shadowstorage SET MaxSpace=
wmic.exe
cleareventlog;call disable;nteventlog where filename
diskpart.exe
format;clean;delete;remove
manage-bde.exe
changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw
manage-bde.wsf
changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw
format
format
bootstatuspolicy ignoreallfailures
recoveryenabled No
Win32_Shadowcopy
sdelete
delete catalog
wbadmin delete catalog
erase
-nw -exec=
-p -nw
shred
diskshadow
del ; /f
del ; -f
rmdir ; /s ; /q
rmdir ; -s ; -q
rd ; /s ; /q
rd ; -s ; -q
usn deletejournal
fsutil.exe
deletejournal
usn
AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz
ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool
CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner
b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676
87AECF008D87EC86EC8B00A2394B3E6C
FB3F0D0DE8B80EA8CFAB2A025EC6B833
F4067FBF7FFF6945D0BB485B727B39AA
4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a8709
06ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef
;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee
e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f
d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b
53841a0c6a3ff92976db08bfdf95e083
zoommtg
pwd=
zoommtg
zc=0
zoommtg
zc=1
msteams:
wbx:
C:\Users\
\Downloads\
C:\Users\
\Desktop\
\awk.exe;\sed.exe
C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\
C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\
.html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com
listena
-s -n -u -i:http:
/s /n /u /i:http:
assoc
del
expand
md
move
rd
ren
set
setx
bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt
find.exe
grabff
routerscan
pythonEngine.Execute
sesshijack
file://
HTML Application host
Manager Profile Installer
Microsoft Application Virtualization Injector
Application Compatibility Database Installer
popd.exe
pushd.exe
subst.exe
doskey.exe
cls.exe
\
C:\Windows\system32\svchost.exe -k iissvcs
\
acrobat.exe
acrord32.exe
java.exe
javaw.exe
C:\Windows\system32\svchost.exe
cacls.exe
takeown.exe
/x Macro
\pipe\
>
/noprofile
/sc ONEVENT
\\VBOXSVR
| more
|more
\\tsclient
%PROCESSOR_ARCHITECTURE%
sysnative
AutoIt
Microsoft Filter Loader
more.com
:\Windows\Microsoft.NET\
acrord32.exe
gpupdate.exe
:\Windows\Microsoft.NET\
System
explorer.exe
\regedit.exe;\cmd.exe;terminal;\powershell
C:\Windows\System32\WerFault.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Users
C:\ProgramData
\Temp\
\tmp\
\drivers\
\Download
C:\Windows\system32\backgroundTaskHost.exe
TrustedInstaller.exe
OneDrive.exe
vivaldi.exe
chrome.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
setup
AppData\Local\Microsoft\Teams\current\Teams.exe
\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe
census
researchscan
scanhub
shadow
shodan
137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11
137.184.67.
httpbin.org
advanced-ip-scanner.com
kali.download
shodan
wscript.exe
at.exe
schtasks.exe
\temp\
127.0.0.1
\wwwroot\
\Windows\addins\
C:\Windows\repair\
\htdocs\
C:\Windows\system32\config\systemprofile\
C:\Intel\Logs\
C:\Windows\addins\
C:\Windows\security\
C:\Windows\Help\
$RECYCLE.BIN
C:\Windows\Debug\
C:\Windows\Fonts\
C:\PerfLogs\
:\$Recycle.bin\
:\Users\Default\
C:\Users\NetworkService\
C:\Users\Public\
C:\Windows\Media\
\Windows\IME\
C:\ProgramData
CSC.exe
infDefaultInstall.exe
SyncAppvPublishingServer.exe
InstallUtil.exe
msiexec.exe
regasm.exe;regsvcs.exe
Mavinject.exe
msbuild.exe
dsquery.exe
driverquery.exe
nbtstat.exe
net.exe
net1.exe
qwinsta.exe
rwinsta.exe
true
3389
AutomationManager.ScriptRunner64.exe
C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe
C:\Program Files\VMware\VMware Remote Console\vmrc.exe
C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_
CtxLicUsageRecorder.exe
FSAssessment.exe
FSDiscovery.exe
MobaRTE.exe
RDCMan.exe
RSSensor.exe
RTS2App.exe
RTSApp.exe
RemoteDesktopManager64.exe
RemoteDesktopManager.exe
RemoteDesktopManagerFree.exe
Terminals.exe
chrome.exe
mRemote.exe
mRemoteNG.exe
mstsc.exe
spiceworks-finder.exe
svchost.exe
thor64.exe
thor.exe
true
3391
AutomationManager.ScriptRunner64.exe
C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe
C:\Program Files\VMware\VMware Remote Console\vmrc.exe
C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_
CtxLicUsageRecorder.exe
FSAssessment.exe
FSDiscovery.exe
MobaRTE.exe
RDCMan.exe
RSSensor.exe
RTS2App.exe
RTSApp.exe
RemoteDesktopManager64.exe
RemoteDesktopManager.exe
RemoteDesktopManagerFree.exe
Terminals.exe
chrome.exe
mRemote.exe
mRemoteNG.exe
mstsc.exe
spiceworks-finder.exe
svchost.exe
thor64.exe
thor.exe
true
3389
127.0.0.1;0:0:0:0:0:0:0:1
true
3389
fe80:0
putty.exe;kitty.exe;kitty_portable.exe
wsmprovhost.exe
psftp.exe
reg.exe
psshutdown
PsPasswd
psservice
ssh.exe
psexe
tftp.exe
telnet.exe
mstsc.exe
wmic.exe
sc.exe
pskill
dsquery.exe
plink.exe
vnc.exe
vncviewer.exe
vncservice.exe
omniinet.exe
hpsmhd.exe
50050
true
25
\Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe
true
powershell.exe
0:0:0:0:0:0:0:;127.0.0.1
mshta.exe
cmd.exe
certutil.exe
certutil.exe
notepad.exe
regsvcs.exe
regsvr32.exe
rundll32.exe
tor.exe
hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to
dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun
privatlab.com
mega.nz;mega.co.nz
.pcloud.com
0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.
com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool
C:\Windows\system32\svchost.exe
3389
22
21
5985
false
C:\Windows\system32\svchost.exe
true
135
445
5985
System
svchost.exe
445
System
svchost.exe;lsass.exe
389
C:\Windows\System32\lsass.exe
389
127.0.0.1;0:0:0:0:0:0:0:1;fe80:0
EXCH
127.0.0.1;0:0:0:0:0:0:0:1;fe80:0
false
notepad.exe
127.0.0.1
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe
80
443
true
github
githubusercontent.com
dropboxapi.com
\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\
1drv
C:\Program Files\Microsoft OneDrive\OneDrive.exe;\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe
.box.com;upload
mega.nz;mega.co.nz
privatlab.com
tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat
efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet
.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com
apache.exe
java.exe
w3wp.exe
\php-cgi.exe;\php.exe
setup
tomcat
unins
unknown process
explorer.exe
inetinfo.exe
netcat.exe;nc.exe;nc64.exe;ncat.exe
procdump
psexe
vnc;vncs;vncv
rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe
0
5985
5986
1293
1701
1194
3540
3389
22
1080
3128
8080
1723
23
4500
9001
9030
5900
5800
0
80
443
636
5900
443
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe
80
true
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe
https
true
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe
http
true
\iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe
443
true
afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com
udp
System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe
127.0.0.1;0:0:0:0:0:0:0:1
127.0.0.1;0:0:0:0:0:0:0:1
C:\Windows\System32\lsass.exe
88
epmap
llmnr
microsoft-ds
netbios-dgm
ntp
ssdp
epmap
llmnr
microsoft-ds
netbios-dgm
ntp
ssdp
53
67
68
1434
1812
3544
3702
5228
5353
5357
5989
6007
49154
49209
52176
59241
53
67
68
1812
3702
6007
49154
49209
50646
52176
59241
.bing.com
.cloudapp.net
.lync.com
.microsoft.com
.outlook.com
.search.msn.com
.wns.windows.com
aps.windows.com
arc.msn.com.nsatc.net
arc.msn.com
atson.telemetry.microsoft.com
au.download.windowsupdate.com
b.akamaiedge.net
bingforbusiness.com
client-office365-tas.msedge.net
config.edge.skype.com
csp.digicert.com
ctldl.windowsupdate.com
cy2.licensing.md.mp.microsoft.com.akadns.net
cy2.settings.data.microsoft.com.akadns.net
displaycatalog.mp.microsoft.com
download.windowsupdate.com
e-msedge.net
e3.delivery.dsp.mp.microsoft.com.nsatc.net
emdl.ws.microsoft.com
ettings-win.data.microsoft.com
fe2.update.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
fe3.delivery.mp.microsoft.com
g.akamaiedge.net
g.live.com
g.msn.com.nsatc.net
geo-prod.do.dsp.mp.microsoft.com
geo-prod.dodsp.mp.microsoft.com.nsatc.net
ile-service.weather.microsoft.com
ip5.afdorigin-prod-am02.afdogw.com
ipv4.login.msa.akadns6.net
licensing.mp.microsoft.com
m3p.wns.notify.windows.com.akadns.net
microsoft.com.akadns.net
microsoft.com.nsatc.net
microsoft.com
modern.watson.data.microsoft.com.akadns.net
msedge.net
msn.com.nsatc.net
msn.com
ocation-inference-westus.cloudapp.net
ocos-office365-s2s.msedge.net
ocsp.digicert.com
odern.watson.data.microsoft.com.akadns.net
oneclient.sfx.ms
pv4.login.msa.akadns6.net
query.prod.cms.rt.microsoft.com
ris.api.iris.microsoft.com.akadns.net
ris.api.iris.microsoft.com
s-msedge.net
settings.data.microsoft.com
sfe.trafficshaping.dsp.mp.microsoft.com
sls.update.microsoft.com
storecatalogrevocation.storequality.microsoft.com
storeedgefd.dsx.mp.microsoft.com
telecommand.telemetry.microsoft.com.akadns.net
tile-service.weather.microsoft.com
tlu.dl.delivery.mp.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com
vip5.afdorigin-prod-am02.afdogw.com
vip5.afdorigin-prod-ch02.afdogw.com
virtualearth.net
windows.net
windowsupdate.com
y2.displaycatalog.md.mp.microsoft.com.akadns.net
y2.licensing.md.mp.microsoft.com.akadns.net
y2.settings.data.microsoft.com.akadns.net
EdgeTransport.exe
MSExchangeDelivery.exe
MSExchangeFrontendTransport.exe
MSExchangeHMWorker.exe
MSExchangeSubmission.exe
\
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\Kaspersky Lab
C:\Program Files (x86)\ESET
C:\Program Files\ESET
C:\Windows\
\System32\;Syswow64;sysmon.exe;sysmon64.exe
C:\Windows\system32\
config\systemprofile\
C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe
A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\
:\PROGRA~
:\Program Files
:\Program Files
:\Program Files
:\ProgramData\
:\Users\
:\Windows\
:\inetpub\
:\$SysReset
:\$WinREAgent
:\inetpub\
\
C:\Users\
C:\ProgramData\
C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe
C:\Program Files;C:\PROGRA~
C:\inetpub\
$RECYCLE.BIN
packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent
C:\Windows\system32\config\systemprofile\
C:\Windows\sysWOW64\config\systemprofile\
\Temp\
C:\Users\
Microsoft\Teams\current\Teams.exe
\git.exe
Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
C:\ProgramData\Lenovo\ImController\
56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244
DumpExt.dll
mimidrv
lsremora
wceaux.dll
npcap
\Temp
:\Users
ChongKim Chan
?
Revoked
Unavailable
Valid
false
SHA1=2261198385d62d2117f50f631652eded0ecc71db
SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc
SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f
SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd
SHA1=21e6c104fe9731c874fab5c9560c929b2857b918
SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2
SHA1=2f991435a6f58e25c103a657d24ed892b99690b8
SHA1=f02af84393e9627ba808d4159841854a6601cf80
SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe
SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba
SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705
SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa
SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124
SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2
SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b
SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc
SHA1=72966ca845759d239d09da0de7eebe3abe86fee3
SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de
SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7
SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e
SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741
SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95
SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86
SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65
SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13
SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b
SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb
SHA1=468e2e5505a3d924b14fedee4ddf240d09393776
SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8
SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f
SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123
SHA1=623cd2abef6c92255f79cbbd3309cb59176771da
SHA1=1f3a9265963b660392c4053329eb9436deeed339
SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c
SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d
SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb
SHA1=c834c4931b074665d56ccab437dfcc326649d612
SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c
SHA1=51b60eaa228458dee605430aae1bc26f3fc62325
SHA1=3270720a066492b046d7180ca6e60602c764cac7
SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131
SHA1=19bd488fe54b011f387e8c5d202a70019a204adf
SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e
SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344
SHA1=205c69f078a563f54f4c0da2d02a25e284370251
SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6
SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac
SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7
SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843
SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417
SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181
SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526
SHA1=0307d76750dd98d707c699aee3b626643afb6936
SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a
SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946
SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d
SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0
SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe
SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0
SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e
SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d
SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0
SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2
SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57
SHA1=c948ae14761095e4d76b55d9de86412258be7afd
SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad
SHA1=745bad097052134548fe159f158c04be5616afc2
SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754
SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce
SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d
SHA1=ac13941f436139b909d105ad55637e1308f49d9a
SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b
SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1
SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809
SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387
SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1
SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee
SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3
SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0
SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1
SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4
SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d
SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd
SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9
SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312
SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643
SHA1=27eab595ec403580236e04101172247c4f5d5426
SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8
SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c
SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef
SHA1=9c256edd10823ca76c0443a330e523027b70522d
SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e
SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0
SHA1=054a50293c7b4eea064c91ef59cf120d8100f237
SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2
SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e
SHA1=14bf0eaa90e012169745b3e30c281a327751e316
SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79
SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08
SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614
SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a
SHA1=879fcc6795cebe67718388228e715c470de87dca
SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a
SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67
SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03
SHA1=a7bd05de737f8ea57857f1e0845a25677df01872
SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e
SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3
SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc
SHA1=d62fa51e520022483bdc5847141658de689c0c29
SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9
SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b
SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd
SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be
SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646
SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b
SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60
SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430
SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b
SHA1=0b8b83f245d94107cb802a285e6529161d9a834d
SHA1=c969f1f73922fd95db1992a5b552fbc488366a40
SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451
SHA1=da9cea92f996f938f699902482ac5313d5e8b28e
SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53
SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260
SHA1=f052dc35b74a1a6246842fbb35eb481577537826
SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf
SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e
SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15
SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2
SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939
SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e
SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1
SHA1=7fb52290883a6b69a96d480f2867643396727e83
SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab
SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2
SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d
SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
SHA1=fe10018af723986db50701c8532df5ed98b17c39
SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b
SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347
SHA1=82ba5513c33e056c3f54152c8555abf555f3e745
SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa
SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4
SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436
SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891
SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748
SHA1=c771ea59f075170e952c393cfd6fc784b265027c
SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1
SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b
SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04
SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89
SHA1=15df139494d2c40a645fb010908551185c27f3c5
SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de
SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75
SHA1=490109fa6739f114651f4199196c5121d1c6bdf2
SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5
SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de
SHA1=3f223581409492172a1e875f130f3485b90fbe5f
SHA1=5db61d00a001fd493591dc919f69b14713889fc5
SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f
SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370
SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c
SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676
SHA1=c6bd965300f07012d1b651a9b8776028c45b149a
SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f
SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1
SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9
SHA1=dc55217b6043d819eadebd423ff07704ee103231
SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4
SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f
SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab
SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63
SHA1=c6d349823bbb1f5b44bae91357895dba653c5861
SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2
SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825
SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d
SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6
SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162
SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb
SHA1=29a190727140f40cea9514a6420f5a195e36386b
SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77
SHA1=7667b72471689151e176baeba4e1cd9cd006a09a
SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5
SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8
SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e
SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403
SHA1=d702d88b12233be9413446c445f22fda4a92a1d9
SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1
SHA1=643383938d5e0d4fd30d302af3e9293a4798e392
SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07
SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816
SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e
SHA1=166759fd511613414d3213942fe2575b926a6226
SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4
SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca
SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8
SHA1=4de33d03fee52f396a1c788000ca868d56ac30de
SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0
SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d
SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1
SHA1=943593e880b4d340f2548548e6e673ef6f61eed3
SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd
SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28
SHA1=aa2ea973bb248b18973e57339307cfb8d309f687
SHA1=3a5d176c50f97b71d139767ed795d178623f491d
SHA1=25d812a5ece19ea375178ef9d60415841087726e
SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07
SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0
SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02
SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c
SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a
SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed
SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b
SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d
SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef
SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001
SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c
SHA1=9401389fba314d1810f83edce33c37e84a78e112
SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371
SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7
SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0
SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4
SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2
SHA1=38571f14fc014487194d1eecfa80561ee8644e09
SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2
SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8
SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba
SHA1=4c18754dca481f107f0923fb8ef5e149d128525d
SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f
SHA1=cde32654a041fedc7b0fa1083f6005b950760062
SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a
SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332
SHA1=4f7a8e26a97980544be634b26899afbefb0a833c
SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748
SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA
SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA
SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F
SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414
SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D
SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA
SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00
SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E
SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7
SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602
SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8
SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A
SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4
SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4
SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C
SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B
SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A
SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9
SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB
SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC
SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF
SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A
SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3
SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5
SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB
SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94
SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0
SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F
SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C
SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8
SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4
SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303
SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469
SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B
SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E
SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608
SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685
SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71
SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2
SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293
SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57
SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A
SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A
SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659
SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA
SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2
SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7
SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57
SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92
SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184
SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457
SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A
SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4
SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F
SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8
SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165
SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E
SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A
SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C
SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653
SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028
SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3
SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D
SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3
SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955
SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339
SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25
SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0
SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357
SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21
SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D
SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF
SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B
SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4
SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097
SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6
SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD
SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492
SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1
SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558
SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6
SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219
SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE
SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250
SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB
SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5
SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A
SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E
SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3
SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5
SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005
SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793
SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7
SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52
SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3
SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4
SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57
SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94
SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE
SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B
SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7
SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8
SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1
SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449
SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499
SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526
SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D
SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B
SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB
SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B
SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889
SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530
SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482
SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1
SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A
SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA
SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0
SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D
SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03
SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C
SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008
SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC
SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004
SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D
SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB
SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA
SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980
SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099
SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C
SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E
SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8
SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84
SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b
SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790
SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22
SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44
SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8
SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009
SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df
SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead
SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16
SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7
SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495
SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c
SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4
SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6
SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062
SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece
SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374
SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50
SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6
SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e
SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc
SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d
SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65
SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347
SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9
SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219
SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8
SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813
SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a
SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f
SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc
SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de
SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073
SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890
SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0
SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200
SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf
SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2
SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173
SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6
SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8
SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508
SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3
SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52
SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129
SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993
SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d
SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd
SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35
SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33
SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29
SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838
SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b
SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82
SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7
SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038
SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89
SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e
SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3
SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6
SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89
SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf
SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea
SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5
SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a
SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f
SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3
SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003
SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7
SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498
SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22
SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4
SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c
SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53
SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de
SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330
SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46
SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347
SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026
SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15
SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf
SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c
SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64
SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59
SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6
SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b
SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9
SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351
SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5
SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c
SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b
SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05
SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433
msdt.exe
sdiageng.dll
WINWORD.exe;EXCEL.EXE
VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx
wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll
ntkrnlmp.exe
\spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\
spoolsv.exe;printisolationhost.exe
Valid
Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard
C:\Windows\
\Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\
\Program Files
EQNEDT32.EXE
EQNEDT32.EXE
ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll
C:\Users;\Temp\;\ProgramData\
ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll
\wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe
WINWORD.exe;EXCEL.EXE
VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx
wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll
WINWORD.exe;EXCEL.EXE
VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll
WINWORD.exe;EXCEL.EXE
VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll
WINWORD.exe;EXCEL.EXE
taskschd.dll
wscript.exe;cscript.exe
taskschd.dll
wmiprvse.exe
taskschd.dll
powershell.exe
msi.dll
powershell
amsi.dll
powershell
amsi.dll
logoncli.dll
C:\Windows\System32\wbem\WmiPrvSE.exe
WINWORD.exe;EXCEL.EXE
clr.dll
clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities
wscript.exe;cscript.exe
msxml;wshom.ocx
wscript.exe;cscript.exe
winhttp.dll;mswsock.dll;IPHLPAPI.DLL
installutil.exe
CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll
System.Management.Automation.ni.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\
System.Management.Automation.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\
Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT
C:\Windows\System32\vaultcli.dll
\svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe
\\
\Microsoft\Word\Startup\
.wll
\Microsoft\Excel\Startup\
.xll
\Microsoft\Addins\
.xla
tor-lib.dll
C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll
rundll32.exe
vaultcli.dll;wlanapi.dll
combase.dll
cryptdll.dll
imm32.dll
logoncli.dll
netapi32.dll
ntasn1.dll
ntdsapi.dll
samlib.dll
shcore.dll
srvcli.dll
odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll
C:\Windows\Explorer.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\ProgramData\
C:\ProgramData\
.exe
Adobe
C:\ProgramData\Lenovo\
C:\ProgramData\Microsoft\Windows Defender\
C:\ProgramData\sysmon\sysmon64.exe
C:\Users\Default\;C:\Users\Public\
.exe
C:\Users\Default\;C:\Users\Public\
.dll
56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e
SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
C:\Windows\System32\svchost.exe
false
Revoked
Expired
jscript9.dll
mshta.exe
scrobj.dll
crypt0.dll
C:\Windows\System32\wlanapi.dll
C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\System32\AppHostRegistrationVerifier.exe
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\DeviceCensus.exe
C:\Windows\System32\DriverStore\FileRepository\
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\MoNotificationUx.exe
C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\dxgiadaptercache.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\wlanext.exe
C:\Windows\UUS\amd64\MoUsoCoreWorker.exe
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_
C:\Windows\explorer.exe
python
C:\Windows\Microsoft.NET\assembly\GAC_MSIL
false
C:\Windows\Microsoft.NET\assembly\GAC_MSIL
true
\Microsoft Office\
\mscorlib.ni.dll
\Microsoft Office\
\sppc.dll
C:\Windows\System32\svchost.exe
true
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\Kaspersky Lab
C:\Program Files (x86)\ESET
C:\Program Files\ESET
C:\ProgramData\Microsoft\Windows Defender\
Fortinet
Lenovo
Sophos
mscorsvw.exe
C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe
C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe
C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
C:\Windows\SysWOW64\SearchProtocolHost.exe
C:\Windows\System32\InstallAgentUserBroker.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\SettingSyncHost.exe
C:\Windows\System32\backgroundTaskHost.exe
C:\Windows\System32\sppsvc.exe
C:\Windows\System32\taskhost.exe
C:\Windows\System32\taskhostw.exe
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
HxTsr.exe
SearchUI.exe
C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage.
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx.
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll
C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL
C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL
C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL
C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL
C:\Windows\SysWOW64\sppc.dll
Microsoft.Office.Interop.VisOcx.dll
Microsoft.Office.Interop.Word.dll
Microsoft.Vbe.Interop.dll
OFFICE.DLL
0x001A0000
c:\windows\system32\lsass.exe
msiexec.exe
chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe
0x001A0000
c:\windows\system32\lsass.exe
c:\windows\system32\lsass.exe
c:\windows\system32\rundll32.exe
DbgUiRemoteBreakin
nacl64.exe
QueryProcessDebugInformationRemote
nacl64.exe
isdebuggerpresent
nacl64.exe
DebugActiveProcess
nacl64.exe
LoadLibrary
C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe
C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\System32\DriverStore\FileRepository\
C:\Windows\System32\igfxEM.exe
C:\Windows\System32\igfxHK.exe
Enterprise\Common7\IDE\devenv.exe
C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe
CreateFileMapping;MapViewOfFile
LdrLoadDll
CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey
c:\windows\system32\csrss.exe
CtrlRoutine
0B80
0C7C
0C88
c:\windows\system32\mstsc.exe
C:\WINDOWS\SYSTEM32\ntdll.dll
EtwEventWrite
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\System32\SHELL32.dll+9b5bd
\LocalBridge.exe
C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d
C:\Windows\SYSTEM32\framedynos.dll+2cb3e
C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe
C:\Windows\SYSTEM32\framedynos.dll+2b496
C:\Windows\SYSTEM32\dbgcore.DLL+6cfb
C:\Windows\System32\KernelBase.dll+de67e
ntdll.dll+a0044
clr.dll+6c23;clr.dll+6b38
C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN(
)
"UNKNOWN(;)|UNKNOWN(
)
"UNKNOWN
0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF
C:\Program Files;\Microsoft Office\Root\Office
\Microsoft Shared\VBA
C:\Program Files (x86)\Intuit\
C:\Windows\system32\lsass.exe
0x1FFFFF
UNKNOWN
WmiPerfClass.dll
C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe
C:\Windows\system32\lsass.exe
C:\Windows\system32\wsmprovhost.exe
C:\Windows\system32\lsass.exe
0x1FFFFF
python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll
C:\Windows\system32\lsass.exe
C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185
C:\Windows\system32\lsass.exe
C:\WINDOWS\SYSTEM32\ntdll.dll+
)
|C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN(
wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange
C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\winlogon.exe
0x1F3FFF
C:\Windows\Microsoft.NET;UNKNOWN
.exe
C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe
0x1C00
C:\Windows\system32\lsass.exe
0x1F1FFF
UNKNOWN
C:\Windows\system32\lsass.exe
0x1010
UNKNOWN
C:\Windows\system32\lsass.exe
0x143A
UNKNOWN
C:\Windows\system32\lsass.exe
0x1fffff
dbghelp.dll;dbgcore.dll
dbghelp.dll;dbgcore.dll
C:\Windows\system32\lsass.exe
C:\wfx32\
powershell.exe
C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe
C:\WINDOWS\SYSTEM32\ntdll.dll+;|C:\WINDOWS\System32\KERNELBASE.dll+;|C:\ProgramData\Microsoft\Windows Defender\Platform\;\MPCLIENT.DLL;\MpOav.dll+;|C:\WINDOWS\SYSTEM32\amsi.dll
getasynckeystate
cmlua.dll
System.Management.Automation
C:\ProgramData\Microsoft\Windows Defender\platform\
ctiuser.dll
C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe
C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe
C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe
C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe
C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe
C:\Windows\system32\HOSTNAME.EXE
C:\Windows\system32\ROUTE.exe
C:\Windows\system32\query.exe
MsMpEng.exe
C:\Windows\system32\lsass.exe
comsvcs.dll
VBE7.dll;VBEUI.DLL;VBE7INTL.DLL
VBE6.dll;VBEUI.DLL;VBE6INTL.DLL
Office
verclsid.exe
VBE7.dll;VBEUI.DLL;VBE7INTL.DLL
|UNKNOWN(
0x1FFFFF
C:\Program Files\Microsoft Office\Root\Office
C:\Windows\System32\KERNELBASE.dll+76516
C:\Windows\System32\SHELL32.dll+ae3b9
C:\WINDOWS\system32\sihost.exe
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub
UNKNOWN
|UNKNOWN(
C:\WINDOWS\SYSTEM32\ntdll.dll+
|C:\WINDOWS\System32\KERNELBASE.dll+
)
0x1028;0x1fffff
C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe
C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe
\Intel\Driver and Support Assistant\
C:\Windows\Microsoft.NET\Framework\;\ngen.exe
winword.exe;excel.exe;powerpnt.exe
:\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN
UNKNOWN
0x147a
C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe
C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
0x1400
0x0800
0x0810
0x0820
0x810
0x820
cscript.exe
wscript.exe
jjs.exe
dump
mimikatz
CorperfmontExt.dll
wmiprvse.exe
lsass.exe
lsass.exe
winlogon.exe
lsass.exe
C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; \EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe
:\Windows\system32\sppsvc.exe
:\Windows\system32\sdiagnhost.exe
UNKNOWN(00007F
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\win32u.dll
C:\Windows\SYSTEM32\wow64win.dll
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\Kaspersky Lab
C:\Program Files (x86)\ESET
C:\Program Files\ESET
C:\ProgramData\Microsoft\Windows Defender\
\TEMP\nessus_
solarwinds.businesslayerhost
.exe;.dll;.ps1;.mz;.jpg;.png
C:\WINDOWS\SysWOW64\netsetupsvc.dll
C:\Windows\SoftwareDistribution
C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe
.exe
proj
.targets
.build
.props
.tasks
.sln
.cs
.bat
.btm
.cmd
.com
.cmdline
.bas
.bin
C:\Windows\SysWOW64\Wbem
C:\Windows\System32\Wbem
.ws
.wsc
.wsf
.wsh
.pif
.hta
IronPython
.py
.pyc
.pyd
.cdxml
.ps1
.ps1xml
.psc1
.psd1
.psm1
.pssc
powershell.exe;powershell_ise.exe
\Recent\CustomDestinations\
C:\Windows\SysWOW64\WindowsPowerShell
C:\Windows\System32\WindowsPowerShell
c:\Windows\System32\WindowsPowerShell\v1.0\profile
c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile
\UsageLogs\powershell.exe.log
PSReadLine\ConsoleHost_history.txt
.vbs
.oracle_jre_usage\
.js
.jse
.vb
.vbe
.vbsript
Report.wer.tmp
\WER\
C:\Windows\system32\wermgr.exe
winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe
.exe
C:\Users
winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe
.dll
C:\Users
!!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz 
;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO 
RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR 
FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your 
file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy
C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\
C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL
crackmapexec
\Crypto.Cipher._AES.pyd
\Crypto.Cipher._DES.pyd
\Crypto.Hash._SHA256.pyd
\Crypto.Random.OSRNG.winrandom.pyd
\Crypto.Util.strxor.pyd
\crackmapexec.exe.manifest
\greenlet.pyd
BootStrapDLL.dll
C:\windows\temp\wininit.exe
lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi
rdpwrap.dll
winspool.drv
C:\Windows\System32\Wbem
C:\Windows\SysWOW64\Wbem
C:\WINDOWS\system32\wbem\scrcons.exe
\Programs\Startup\
\Startup\
\Word\STARTUP\
\Microsoft\Templates\
\Excel\XLSTART\
.dotm
.XLSB
C:\Windows\Tasks\
RedirSuiteServiceProxy.aspx
w3wp.exe
.aspx
w3wp.exe
.asp
w3wp.exe
.ashx
w3wp.exe
.php
w3wp.exe
.aaa
\wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth
.aspx;.php;.ashx
w3wp.exe
.ps1
w3wp.exe
.bat
w3wp.exe
.dll
w3wp.exe
.vbs
w3wp.exe
.hta
\wwwroot\
\wwwroot\aspnet_client\;jpg
.asp
\wwwroot\
.aspx
\wwwroot\
\ecp\auth\
\oab\auth\
ClientAccess\Owa\
\owa\auth\
httpproxy\rpc\
ClientAccess\ecp\
\htdocs\
.SPL
spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe
spoolsv.exe
.exe
C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\
msiexec.exe
\Microsoft\Edge\Application
elevation_service.exe
\LocalState\rootfs\
C:\PerfLogs\
C:\Temp\
C:\Users\Default\
C:\Users\Public\
C:\Windows\Temp\
\AppData\Temp\
$Recycle.Bin
$Recycle.Bin
C:\Windows\
\config\systemprofile\
C:\Windows\
\config\systemprofile\
.exe
.7z.exe
.doc.exe
.doc.exe
.docx.exe
.ico.exe
.iso.exe
.lnk.exe
.pdf.exe
.ppt.exe
.pptx.exe
.rar.exe
.rtf.exe
.txt.exe
.xls.exe
.xlsx.exe
.zip.exe
______.exe
.chm
proj
.sln
UMWorkerProcess.exe;UMService.exe
.
.log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db
.7z
.7zip
.arj
.s7z
.a
.ace
.ar
.arc
.bin
.cab
.pak
.gz
.img
.iso
.lzm
.lzma
Temp\Rar$
.rar
RarSFX
.sfx
.sz
.tar
.tar.gz
.tgz
.xz
.zip
.ost
.eml
.msg
.pst
Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք
Teamviewer.exe
rundll32.exe
mstsc.exe
cmd.exe
ipy.exe
WScript.exe
cscript.exe
mshta.exe
python.exe
wmic.exe
C:\Users\Default\;C:\Users\Public\
.dll
C:\Users\Default\;C:\Users\Public\
.exe
HiddenService
torrc
\tor.exe
tor-gencert
rclone
s3browser
grabff.exe
grabff.exe
RESTORE_;_FILES.txt
DECRYPT_;_FILES.txt
\run.dat;\task.dat;\storage.dat
AppData
Symantec
BlueJeans
VBoxRT.dll;VboxC.dll
Content.IE5;INetCache
.exe;.zip;.ps1;.bat;.rar;.dll
MSForms.exd
.exe
C:\windows\system32\
.exe
C:\windows\
\system32\
.dll;.exe
C:\windows\
C:\Users\
.dll;.exe
C:\Users\
\Microsoft\Word\Startup\
.wll
C:\windows\system32\CodeIntegrity\
\Microsoft\Excel\Startup\
.xll
\Microsoft\Outlook\VbaProject.OTM
\Microsoft\Addins\
.xla
.vsto
.bat
C:\Windows\
C:\ProgramData\Lenovo\SystemUpdate\sessionSE\
.dll
C:\Windows\
.sys
C:\Windows\
.exe
C:\Windows\
C:\Windows\System32\;C:\windows\syswow64\
.exe
C:\Windows\System32\
.exe
C:\Windows\SysWow64\
.theme
\Packages\oice_
VirtualboxVM.exe
notepad++.exe
.lnk:Zone.Identifier
\UsageLogs\cscript.exe.log
\UsageLogs\mshta.exe.log
\UsageLogs\msiexec.exe.log
\UsageLogs\regsvr32.exe.log
\UsageLogs\rundll32.exe.log
\UsageLogs\svchost.exe.log
\UsageLogs\wmic.exe.log
\UsageLogs\wscript.exe.log
\regsvr32.exe.log
\UsageLogs\wsmprovhost.exe.log
.lnk
.url
.sys
.inf
C:\Windows\SysWOW64\Drivers
C:\Windows\System32\Drivers
\Drivers\
.drv
.xlam
.xlsm
.xla
.xll
.xls
.xlsb
.xlsx
.xlt
.xltm
.xlw
\Microsoft\Templates\
.eml
.msg
.pptm
.potm
.pptm
.pptm
.sldm
\Microsoft\Office\Recent
oleObject
\Recent\CustomDestinations\
\Downloads\
\Content.Outlook\
.docb
.wbk
.ped
.dot
.dotx
.doc
.docm
.docx
.accdb
.accde
.accdr
.accdt
.mdb
.mde
.msc
.mst
.potx
.ppam
.ppsm
.ppsx
.ppt
.pptm
.pptx
.pub
.sldm
.sldx
.xls
.xps
.pem
.crt
.ca-bundle
.cer
.csr
.der
.p7b
.p7r
.p7s
.pfx
.sto
.p12
.crl
.sst
.key
.hlp
ACLUI.DLL.UI
ACLUI.DLL
AFLogVw.exe
AShld.exe
AShldRes.DLL.asr
AShldRes.DLL
AhnI2.dll
CamMute.exe
CommFunc.dll
CommFunc.jax
DESqmWrapper.dll
DESqmWrapper.wrapper
FSPMAPI.dll.fsp
FSPMAPI.dll
Gadget.exe
LoLTWLauncher.exe
Mc.exe
McUtil.dll.ping
McUtil.dll.url
McUtil.dll
MpSvc.dll
MsMpEng.exe
NtUserEx.dat
NtUserEx.dat
NtUserEx.dll
NtUserEx.dll
NvSmart.exe
NvSmartMax.dll
NvSmartMax.dll
NvSmartMaxapp.dll
OInfo11.ISO
OInfo11.ocx
OInfoP11.exe
OleView.exe
OleView.exe
POETWLauncher.exe
RasTls.dll.config
RasTls.dll.msc
RasTls.dll
RasTls.exe
RunHelp.exe
Sidebar.dll.doc
Sidebar.dll
Ushata.dll
Ushata.exe
Ushata.fox
VeetlePlayer.exe
boot.ldr
chrome_frame_helper.dll.rom
chrome_frame_helper.dll
chrome_frame_helper.exe
dvcemumanager.exe
fsguidll.exe
fslapi.dll.gui
fslapi.dll
fsstm.exe
hccutils.dll.res
hccutils.dll
hha.dll.bak
hha.dll
hhc.exe
hkcmd.exe
iviewers.dll
jli.dll
libvlc.dll
mPclient.dll
mcf.ep
mcf.exe
mcupdui.exe
mcut.exe
mcutil.dll.bbc
mcvsmap.exe
msi.dll.dat
msi.dll
msseces.asm
msseces.exe
mtcReport.ktc
rc.dll
rc.exe
rc.hlp
sep_NE.exe
sep_NE.slf
tplcdclr.exe
winmm.dll
wts.chm
credwiz.exe
ssMUIDLL.dll
aepic.dll
ftllib.dll
userenv.dll
\Terminal Server Client\Cache\
C:\Windows\Prefetch
\\tsclient
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\
\Temp\debug.bin
Temp\7z
C:\Windows\AppPatch\Custom
.chm
.cpl
.mht
\Chrome\User Data\Default\Extensions\
.crx
.appref-ms
.gadget
.JSE
.exe
.scf
Exchange Server\ClientAccess\Owa\
\Device\HarddiskVolumeShadowCopy
.zip\
.FON
.FOT
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
.iqy
.ico
.isp
.msc
.manifest
MEMORY.dmp
.msi
.cs
.customDestinations-ms
C:\Windows\Minidump
.PAF
.bmc
.rdp
.rtf
.reg
.SHS
.slk
.SCR
.set
.SettingContent-ms
.SHD
.SPL
.scr
HammerDrillStatus.dll
Microsoft\Windows\WER\
.ICL
.sdb
.SCT
.SHB
Temp\Temp1_
\Microsoft\;CLR_v;\UsageLogs\
.ade
.adp
.application
.appref-ms
.asc
.bmf
.cer
.dmp
.gpg
.htm
.html
.json
.jsp
.key
.mof
.ocx
.p7b
.p12
.pem
.pfx
.pgp
.php
.ppk
.war
.xml
Software\Famatech\advanced_ip_scanner\State
LastRangeUsed
SetValue
\Software\Microsoft\Terminal Server Client
DefaultPrinter
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a}
SetValue
HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359}
SetValue
Root\InventoryDevicePnp;prod_virtual_dvd-rom
SetValue
MountedDevices
Mountpoints2
Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\
LoggedOnUser
LastLoggedOnUser
LastLoggedOnProvider
HKCR\ms-msdt\
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck
DWORD (0x00000001)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
\print\
\AzureAttestService\CoInitializeSecurityParam
C:\$WINDOWS.~BT\
\AccessVBOM
C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe
Security\VBAWarnings
C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe
Security\VBAWarnings
C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe
EXCEL.exe;WINWORD.exe
{8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
HKCU\di
HKCU\�
HKLM\SOFTWARE\Microsoft\AMSI\Providers\
hklm\software\microsoft\windows script\settings\amsienable
hkcu\software\microsoft\windows script\settings\amsienable
Google\Chrome\Extensions
update_url
SetValue
ForcePasswordReset
HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal
HKLM\SAM\SAM\DOMAINS\Account\Users\
Last Password Change
HKLM\SAM\SAM\DOMAINS\Account\Users\
Account Expiration
HKLM\SAM\SAM\DOMAINS\Account\Users\
Last Failed Logon
HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\
HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\
SOFTWARE\Microsoft\Wow64\x86\
SetValue
\CurrentVersion\Run\
Add_exclusions_here
\Microsoft\System\Scripts
\Windows\System\Scripts
HKLM\SYSTEM\Setup\CmdLine
\Start
DWORD (0x00000000)
\Start
DWORD (0x00000001)
\Start
DWORD (0x00000002)
\Start
DWORD (0x00000003)
\Start
DWORD (0x00000004)
\ImagePath
\ServiceDll
\ServiceManifest
hkcu\software\microsoft\windows nt\currentversion\windows\run\
hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup
hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup
hklm\software\microsoft\command processor\autorun
hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe
Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
\Print\Monitors
HKLM\SAM\SAM\DOMAINS\Account\Users\Names\
$
CreateKey
HKLM\SAM\SAM\DOMAINS\Account\Users\Names\
$
CreateKey
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
C:\WINDOWS\sysmon64.exe
C:\WINDOWS\sysmon.exe
C:\Programdata\sysmon\sysmon64.exe
HKCR\
(Default)
\shell\open\command\(Default)
URL:
HKCU\Software\Classes\
(Default)
\shell\open\command\(Default)
URL:
HKCR\
\shell\open\command\(Default)
%1
HKCU\Software\Classes\
\shell\open\command\(Default)
%1
\shell\open\command\DelegateExecute
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Session Manager\KnownDlls
Outlook\Addins
Word\Addins
Excel\Addins
Powerpoint\Addins
Software\Microsoft\VSTO\Security\Inclusion\
Software\Microsoft\VSTO\SolutionMetadata\
cmmgr32.exe
HKLU\Software\Microsoft\Command Processor\AutoRun
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun
HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\Software\Microsoft\Command Processor\AutoRun
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
UserInitMprLogonScript
HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)
C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\
C:\WINDOWS\SYSTEM32\UpdateDeploy.dll
\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)
C:\WINDOWS\SYSTEM32\UpdateDeploy.dll
\ProgID\(Default);\TreatAs\(Default)
\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Debugger;ReportingMode;MonitorProcess
\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
GlobalFlag
DWORD (0x00000200)
\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
MonitorProcess
\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
ReportingMode
DWORD (0x00000001)
\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
CreateKey
\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Microsoft Office\root\integration\integrator.exe
C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
SD
Microsoft\Windows\UpdateOrchestrator
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates Logon\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD
Microsoft\Windows\UpdateOrchestrator
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
ID
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Author
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Date
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot
SetValue
\Environment\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
DWORD (0x00000000)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
DWORD (0x00000000)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
DWORD (0x00000000)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe
exefile\shell\runas\command\isolatedCommand
\Hidden
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
$
DWORD (0x00000000)
HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters
C:\WINDOWS\sysmon64.exe
C:\WINDOWS\sysmon.exe
C:\Programdata\sysmon\sysmon64.exe
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
MitigationOptions;MitigationAuditOptions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
MitigationOptions;MitigationAuditOptions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions
msiexec.exe
TiWorker.exe
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
MitigationOptions;MitigationAuditOptions
C:\Program Files\Microsoft Office 15\root\integration\integrator.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro
DisableTaskMgr
C:\WINDOWS\system32\svchost.exe
C:\windows\SysWOW64\svchost.exe
HKLM\SYSTEM\CurrentControlSet\
\Instances\;Altitude
HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude
SetValue
\Security\Level
DWORD (0x00000001)
\Security\Level
DWORD (0x00000002)
\Security\Level
DWORD (0x00000003)
\Security\Level
DWORD (0x00000004)
\Outlook\Security
\Security\Level
\Word\Security
\Excel\Security
\Security\Level1Remove
\HideSCAHealth
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
\Enabled
DWORD (0x00000000)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
\Enabled
DWORD (0x00000001)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
\Enabled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
\ChannelAccess
(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)
C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging
\EnableScriptBlockLogging
DWORD (0x00000000)
HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging
\EnableScriptBlockLogging
DeleteKey;DeleteValue
hklm\software\microsoft\windows\currentversion\policies\system\audit
\ProcessCreationIncludeCmdLine_Enabled
DWORD (0x00000000)
hklm\software\microsoft\windows\currentversion\policies\system\audit
\ProcessCreationIncludeCmdLine_Enabled
DeleteKey;DeleteValue
HKLM\System\CurrentControlSet\Services\Eventlog
\CustomSD
HKLM\System\CurrentControlSet\Services\Eventlog
\MaxSize
globallyopenports
EnableFirewall
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\Microsoft\.NETFramework\ETWEnabled
DWORD (0x00000000)
\Microsoft\.NETFramework\NGenAssemblyUsageLog
SetValue
\Environment\NGenAssemblyUsageLog
SetValue
\Environment\COMPlus_ETWEnabled
\LastKey
SymbolicLinkValue
\Software\Microsoft\Windows\CurrentVersion\Explorer
\AppData\;\ProgramData\;\Temp\;C:\users
HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg
\Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\
CreateKey
C:\WINDOWS\Sysmon64.exe
C:\WINDOWS\Sysmon.exe
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\CompatTelRunner.exe
C:\WINDOWS\system32\svchost.exe
C:\Windows\SysWOW64\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\windows\SysWOW64\svchost.exe
C:\WINDOWS\System32\DriverStore\FileRepository\asus
C:\ProgramData\Microsoft\Windows Defender\Platform\
C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe
C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
fDenyTSConnections
Terminal Server\WinStations\RDP-Tcp
RDP-tcp\PortNumber
Control\Terminal Server\fSingleSessionPerUser
�
Й;ќ;Л;я;К
HKLM\HARDWARE\ACPI\DSDT
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
SecurityPasswordAES
OptionsPasswordAES
SecurityPasswordExported
PermanentPassword
HKLM\SOFTWARE\GitForWindows
HKLM\SAM\SAM\DOMAINS\Account\Users\Names\
DeleteKey
HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus
DWORD (0x00000001)
HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus
DWORD (0x00000000)
\Services\VSS\Diag\(Default)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters
\LastKey
\WinStationsDisabled
\TSServerDrainMode
\TypedURLs
HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind
Binary Data
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
services\http\parameters\urlaclinf
cRecentFiles\c1\
tDIText
\File MRU\Item 1
HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash
HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunService
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
CurrentVersion\Windows\Load
CurrentVersion\Windows\Run
CurrentVersion\Winlogon\Shell
CurrentVersion\Winlogon\System
\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
SOFTWARE\Microsoft\.NETFramework\ETWEnabled
\Group Policy\Scripts
Terminal Server\Wds\rdpwd\StartupPrograms
Winlogon\AlternateShells\AvailableShells
Policies\System\Shell
Windows CE Services\AutoStartOnConnect
Windows CE Services\AutoStartOnDisconnect
PreferenceMACs\Default\extensions.settings
CurrentVersion\URL
\CurrentVersion\Font Drivers
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
CurrentVersion\Windows\IconServiceLib
Active Setup\Installed Components
NullSessionShares
NullSessionPipes
PasswordExpiryNotification
SafeBoot\AlternateShell
Desktop\Scrnsave.exe
\DisplayVersion
\ModifyPath
\Microsoft\Windows\CurrentVersion\Uninstall\
\UninstallString
Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
\Explorer\FileExts\
\shell\install\command\
\ProfileImagePath
\Classes\AllFilesystemObjects\
\Classes\*\
\Software\Microsoft\Ctf\LangBarAddin
\ContextMenuHandlers\
\CurrentVersion\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers
\Classes\Directory\
\Classes\Drive\
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
\Classes\Folder\
\Hidden
\HideFileExt
\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
\SOFTWARE\Classes\Protocols\Filter
\SOFTWARE\Classes\Protocols\Handler
\SharedTaskScheduler
\ShowSuperHidden
\ColumnHandlers
\CopyHookHandlers
\ExtShellFolderViews
\PropertySheetHandlers
\ShellServiceObjectDelayLoad
\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
\3\1809
\3\2500
\3\1206
\DisableSecuritySettingsCheck
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
\ProxyServer
SavedLegacySettings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy
EnableConsoleTracing
EnableFileTracing
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
HKLM\SOFTWARE\Microsoft\Netsh
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
Office Test\
\Internet Explorer\Toolbar\
\Internet Explorer\Extensions\
\Browser Helper Objects\
{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
\UrlUpdateInfo
\InstallSource
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\
\Exclusions\Paths
\Exclusions\Extensions
\Exclusions\Processes
TamperProtection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff
\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon
\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
Domain
DHCPDefaultGateway
DhcpIPAddress
DhcpNameserver
Dhcpserver
DhcpSubnetMask
Nameserver
\DefaultGateway
PersistentRoutes
}\Category
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
SubnetMask
\Trusted Documents\TrustRecords
Software\Microsoft\VBA\7.1\Common
Software\Microsoft\VBA\7.1\Trusted
\Security\DontTrustInstalledFiles
\Security\Trusted Locations
Security\ProtectedView\DisableInternetFilesInPV
Security\ProtectedView\DisableAttachmentsInPV
Security\ProtectedView\DisableUnsafeLocationsInPV
Software\WinRAR\ArcHistory
WinZip\mru\
Recent File List
Outlook\WebView\Inbox
Outlook\Today\UserDefinedUrl
Outlook\WebView\Calendar
\Place MRU
\LinkDate
\DriverVerVersion
\DriverVersion
\LowerCaseLongPath
\Publisher
Compatibility Assistant\Store\
\BinProductVersion
Root\InventoryApplicationShortcut\
Root\InventoryDriverBinary
Root\InventoryDriverPackage
Root\InventoryDevicePnp
Root\InventoryDeviceContainer
Root\InventoryApplication\
ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256
Root\InventoryApplicationFile\
ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName
Root\InventoryApplicationAppV\
Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations
\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume
Drive Type
DWORD (0x00000011)
\Explorer\MountPoints2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
HKLM\System\CurrentControlSet\services\
\DeleteFlag
DWORD (0x00000001)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000001)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000002)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000004)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000020)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000020)
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000100)
HKLM\System\CurrentControlSet\services\
\Group
HKLM\System\CurrentControlSet\services\
\DependOnService
HKLM\System\CurrentControlSet\services\
\BinaryPathName
HKLM\System\CurrentControlSet\services\
\RequiredPrivileges
HKLM\System\CurrentControlSet\services\
\Owners
HKLM\System\CurrentControlSet\services\
\ObjectName
HKLM\System\CurrentControlSet\services\
\ServiceStartName
HKLM\System\CurrentControlSet\services\
\ErrorControl
HKLM\System\CurrentControlSet\services\
\DependOnGroup
HKLM\System\CurrentControlSet\services\
\DisplayName
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
\List
HKLM\System\CurrentControlSet\services\
\Type
DWORD (0x00000001)
\ConsentStore\bluetooth
\ConsentStore\contacts
\ConsentStore\hunmanInterfaceDevice
\ConsentStore\location
\ConsentStore\microphone
\ConsentStore\usb\
\ConsentStore\webcam
\ConsentStore\humanInterfaceDevice
LastVisitedMRU
SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll
Classes\exefile\shell\runas\command\isolatedCommand
\FriendlyName
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
HKLM\SOFTWARE\Microsoft\Tracing\
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
ndis;rndis
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
\Software\AppDataLow\Software\Microsoft\
.exe;.dll;powershell;wmic
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
DWORD (0x00000005)
Software\Microsoft\Office test\Special\Perf
\CurrentControlSet\Services\NTDS\LsaDbExtPt
\Services\NTDS\DirectoryServiceExtPt
GoToMyPc\FileTransfer\history
GoToMyPc\GuestInvite
Filesharing
DesktopSharing
LogIncomingConnections
LogOutgoingConnections
PermanentPasswordDate
Security_Adminrights
vncviewer\MRU
Autostart_GUI
Meeting_UserName
BuddyLoginName
BuddyLoginTokenID
Always_Online
HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections
Software\recfg
\Keyboard Layout\Preload\
\Keyboard Layout\Substitutes\
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
\Client\Enabled
\Server\Enabled
Kitty\Sessions
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic
PuTTY\Sessions
Terminal Server Client\Servers
WinSCP 2\Sessions
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\Kaspersky Lab
C:\Program Files (x86)\ESET
C:\Program Files\ESET
Content.IE5;INetCache
.exe;.zip;.ps1;.bat;.rar;.vbs;.hta
:Zone.Identifier
blob:;about:internet
56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e
SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf
IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE
IMPHASH=19584675D94829987952432E018D5056
IMPHASH=330768a4f172e10acb6287b87289d83b
IMPHASH=00000000000000000000000000000000
AppData\Local\Microsoft\Windows\AppCache\
\Microsoft\Windows\INetCache\
\Microsoft\Windows\Temporary Internet Files\Content.IE5
\Mozilla\Firefox\Profiles\
.default\prefs-1.js
Microsoft\Windows\Start Menu\Programs\Startup
msagent_;\MSSE-;postex;\status_
\atctl;\userpipe;\iehelper;\sdlrpc;\comnap
\PSEXESVC
-stdin
-stdout
RemCom_
stdin;stdout;stderr;communication
\svcctl
\ntsvcs
ConnectPipe
\lsadump;\cachedump;\wceservicepipe
\9f81f59bc58452127884ce513865ed20
\46a676ab7f179e511e30dd2dc41bd388
tssmp_endpoint
\NamePipe_MoreWindows
\WCEServicePipe
\ahexec
\cachedumppipe
\csexec
\e710f28d59aa529d6792ca6ff0ca1b34
\isapi_dg
\isapi_http
\isapi_http
\lsadump
\lsassw
\paexec
\pcheap_reuse
\gruntsvc
\remcom
\rpchlp_3
\sdlrpc
\winsession
\adschemerpc
\AnonymousPipe
\bc367
\bc31a7
\testPipe
msf-pipe
\atsvc
\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc
\atctl;\userpipe;\iehelper;\sdlrpc;\comnap
\DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_
\wkssvc
\spoolss
\scerpc
\ntsvcs
\SearchTextHarvester
\PGMessagePipe
\MsFteWds
ConnectPipe
\MICROSOFT##WID\tsql\query
\Winsock2\CatalogChangeListener-
-0,
\pipe\
CtxSharefilepipe0
\winreg
Anonymous Pipe
ConnectPipe
lsass
\SQLLocal\RTCLOCAL
\spoolss
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\LxRun.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\smss.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\wininit.exe
C:\Windows\system32\DFSRs.exe
C:\Windows\SystemApps\Microsoft.Windows
C:\Windows\Microsoft.NET\Framework
ngen.exe
C:\Windows\SystemApps\ShellExperienceHost_
ShellExperienceHost.exe
C:\Windows\system32\SearchProtocolHost.exe
\System
ProtectedPrefix\LocalService\FTHPIPE
Exchange Server
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE
C:\Windows\syswow64\snmp.exe
c:\windows\system32\inetsrv\w3wp.exe
\M.E.C.Core.WinRMDataCommunicator.NamedPipe.
C:\Windows\system32\dns.exe
\sql\query
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
\TDLN-
vmware-
\InitShutdown
\MsFteWds
\W32TIME_ALT
\WiFiNetworkManagerTask
\Winsock2CatelogChangeListener
\browser
\epmapper
\eventlog
\scerpc
\wkssvc
\ntapvsrq
Anonymous Pipe
Created
type: 16;type: 16
powershell.exe
github
powershell.exe
powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe
.
dropboxapi.com
\Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\
1drv
\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe
.box.com;upload
mega.nz;mega.co.nz
privatlab.com
thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com
tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat
efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet
.slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com
advanced-ip-scanner.com
kali.download
0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-
001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to
graph.microsoft.com
dl.dropboxusercontent.com
api.onedrive.com
zoom.us
teamviewer
Screenconnect
census
researchscan
scanhub
shadow
shodan
.download
.kp
.su
.ss
.xn
.sy
.ve
.xxx
.cn
.click
.club
.ir
.ru
.host
.icu
.pw
.website
.ninja
.rocks
.top
.ua
.xyz
kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines
githubusercontent.com;github.com
api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com
tiny-share.com;paste.ee;pastebin.com
afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com
darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org
adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk
gc._msdcs.
_kerberos._tcp.dc._msdcs.
_kerberos._udp.dc._msdcs.
_ldap._tcp.pdc._msdcs.
wpad
_ldap.
C:\Windows\
unknown process
C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\
System;svchost.exe;services.exe;unknown process;\;;
C:\Program Files (x86)\Admin Arsenal\
C:\Program Files (x86)\CheckPoint\
C:\Program Files (x86)\Fortinet\
C:\Program Files (x86)\OpenDNS\OpenDNS Connector
C:\Program Files (x86)\Razer\Razer Services\
C:\Program Files (x86)\Trend Micro\
C:\Program Files (x86)\VMware
C:\Program Files (x86)\Veeam\
C:\Program Files\CheckPoint\
C:\Program Files\Trend Micro\
Slack.exe
ConnectWise.exe
git-remote-https.exe
C:\Program Files (x86)\Enpass\Enpass.exe
C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe
C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe
C:\Program Files\VMware\vCenter Server\jre\bin\java.exe
C:\Program Files\VMware\vCenter Server\python\python.exe
C:\Windows\SysWOW64\SearchProtocolHost.exe
C:\Windows\System32\dsregcmd.exe
C:\Windows\sysmon64.exe
C:\Windows\sysmon.exe
brave-sync.s3.dualstack.
.salesforceliveagent.com
ads-serve.brave.com
.msftncsi.com
..localmachine
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.s-microsoft.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
.activedirectory.windowsazure.com
.msauth.net
.msftauth.net
.opinsights.azure.com
management.azure.com
outlook.office365.com
portal.azure.com
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
.spotify.com
.spotify.map.fastly.net
googleapis.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
cloudsearch.googleapis.com
id.google.com
safebrowsing.googleapis.com
www.googleapis.com
.akadns.net
.netflix.com
.typekit.net
aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
cdnjs.cloudflare.com
fonts.googleapis.com
.steamcontent.com
.disqus.com
.fontawesome.com
disqus.com
.1rx.io
.2mdn.net
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.advertising.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
ads.yahoo.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
d29x207vrinatv.cloudfront.net
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.pscp.tv
adsniper.ru
cdnvideo.ru
chat.minergate.com
cwsa.minergate.com
forum.minergate.com
leadlab.click
mc.yandex.ru
pool.ntp.org
vmg.host
yandex.ru
.adobe.com
.autodesk.com
.avast.com
.avcdn.net
.cdn.bitdefender.net
.digicert.com
.eset.com
.globalsign.com
.globalsign.net
.intuit.com
.java.com
.macromedia.com
.oracle.com
.quickbooks.com
.usertrust.com
amazontrust.com
ocsp.identrust.com
pki.goog
ads.playground.xyz
citrixupdates.cloud.com
forticlient.fortinet.net
mft10.onbaseonline.com
msocsp.com
ocsp.comodoca.com
ocsp.cybertrust.ne.jp
ocsp.entrust.net
ocsp.entrust.net
ocsp.godaddy.com
ocsp.int-x3.letsencrypt.org
ocsp.intel.com
ocsp.msocsp.com
ocsp.quovadisglobal.com
ocsp.quovadisoffshore.com
ocsp.sectigo.com
ocsp.starfieldtech.com
ocsp.thawte.com
ocsp.trustwave.com
ocsp.verisign.com
pki-goog.l.google.com
pki.intel.com
scrootca1.ocsp.secomtrust.net
scrootca2.ocsp.secomtrust.net
stats.anchor.host
status.rapidssl.com
status.thawte.com
ts-ocsp.ws.symantec.com
upgrade.bitdefender.com
.;>;unknown;anonymous
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Symantec\
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Symantec\
\BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\
\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
NETWORK SERVICE; LOCAL SERVICE