md5,sha1,sha256,imphash TEMP\nessus_;nessus_task_list TEMP\nessus_;nessus_task_list rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe advanced_port_scanner.exe;rcpping.exe;nc.exe;nc64.exe;netcat.exe;ncat.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe Network Scanner;Advanced IP Scanner adfind adfind -gcb -sc;/gcb /sc;-f (objectcategory=;/f (objectcategory=;trustdmp PurpleSharp;xyz123456 PurpleSharp /serverlevelplugindll add;sslcert;http http del sslcert C:\Users\ Content.Outlook .SettingContent-ms immersivecontrolpanel Hwp.exe gbb.exe iexplore.exe;chrome.exe;firefox.exe;browser_broker.exe;vivaldi.exe;microsoftedge.exe;microsoftedgecp.exe;brave.exe;vivaldi.exe tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe apt-config cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd;cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd C:\Windows\Setup C:\Windows\SysWOW64 C:\Windows\System32 C:\Windows\WinSxS consent.exe http iexplore.exe SYSTEM w3wp.exe \csc.exe;\TranscodingService.exe;\werfault.exe;\appcmd.exe w3wp.exe appcmd.exe appcmd.exe add module;system.enterpriseservices.internal.publish;\gacutil.exe /I;gacutil.exe -I apache;php-cgi.exe;nginx.exe;httpd.exe;tomcat;php.exe arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;certutil.exe cmd.exe ping 127.0.0.1 c:\windows\system32\inetsrv\ svchost.exe;termsvcs rdpclip.exe;csrss.exe;wininit.exe dns.exe werfault.exe;conhost.exe;dnscmd.exe;dns.exe UMWorkerProcess.exe;UMService.exe perfenabled UMWorkerProcess.exe;UMService.exe perfenabled wemgr.exe;werfault.exe \wwwroot\ \Atlassian\Confluence\jre\bin\java.exe cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin DesktopCentral_Server\jre\bin\java.exe cmd;powershell;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin \jre\bin\java.exe cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe \Atlassian\Confluence\jre\bin\java.exe sqlservr arp.exe;at.exe;cscript.exe;wscript.exe;cmd.exe;powershell;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;sh.exe;ping.exe;whoami.exe;net.exe;net1.exe;systeminfo.exe;bitsadmin.exe;dsget.exe;dsquery.exe;find.exe;findstr.exe;fsutil.exe;hostname.exe;ipconfig.exe;nbtstat.exe;net.exe;net1.exe;netdom.exe;netsh.exe;netstat.exe;nltest.exe;nslookup.exe;ntdutil.exe;pathping.exe;qprocess.exe;query.exe;qwinsta.exe;reg.exe;rundll32.exe;sc.exe;schtasks.exe;systeminfo.exe;tasklist.exe;tracert.exe;ver.exe;vssadmin.exe;wevtutil.exe;whoami.exe;wmic.exe;wusa.exe;sh.exe;bash.exe keytool.exe cmd;powershell;pwsh;certutil;curl;whoami;ipconfig;mshta;wscript;cscript;rundll32;bitsadmin;pwsh.exe;bitsadmin;hh.exe;wmic.exe;rundll32.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;curl.exe bash.exe;cmd.exe;powershell.exe;pwsh.exe id -Gn `;id /Gn `;id -Gn ';id /Gn ' e=Access&;y=Guest&;&p=;&c=;&k= wmic.exe process;call;create wmic.exe call set priority;call terminate;product get name;bios, get serialNumber;BIOS GET SERIALNUMBER;onboarddevice get;useraccount where name;useraccount get;path win32_networkadapter where index=;process list;useraccount get /ALL;useraccount list;qfe get description,installedOn /format:csv;process get caption,executablepath,commandline;service get name,displayname,pathname,startmode;share list;win32_share C:\Users\;$Recycle;\Temp\;\Downloads\ \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 conhost.exe svchost.exe;lsass.exe;services.exe;smss.exe;winlogon.exe;explorer.exe;dllhost.exe;rundll32.exe;regsvr32.exe;userinit.exe;winit.exe;spoolsv.exe;wermgr.exe;csrss.exe;ctfmon.exe;werfault.exe conhost.exe conhost.exe :\Windows\splwow64.exe;:\Windows\System32\WerFault.exe;:\Windows\System32\conhost.exe \cmd.exe;WindowsTerminal;powershell explorer.exe cmd.exe powershell.exe;powershell_ise.exe Get-ItemProperty HKLM:\software\wow6432node\microsoft\windows\currentversion\uninstall\ mysql server select-object displayversion,displayname cscript.exe;wscript.exe powershell.exe;powershell_ise.exe cscript.exe;wscript.exe powershell.exe;powershell_ise.exe powershell.exe;powershell_ise.exe mshta.exe wscript.exe;cscript.exe IEX;Net.WebClient;ospp.vbs;powershell;slmgr.vbs;spiceworks_upload wscript.exe .jse .js .vba .vbe \wscript.exe;\cscript.exe \rundll32.exe;regsvr32.exe \rundll32.exe;regsvr32.exe .dll;.cpl;.ocx;localserver;enable-speech-input;auto-scan-plugin;enable-media-stream;CastMediaRouteProvider;-eoim;/eoim setupapi;InstallHinfSection;DefaultInstall;SplunkUniversalForwarder\bin\spl;rundll32.exe "C:\Windows\Installer\MSI \MSI;.tmp",zzzInvokeManagerCustomActionOutOfProc cscript.exe .js .jse .vba .vbe mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a= .jpg;.png;.lnk;.xls;.doc;.zip;.sct;.hta C:\Windows\Temp\hpqhvind.exe;C:\ProgramData\DRM\;Test.exe C:\ProgramData\DRM;wmplayer.exe;C:\ProgramData\DRM\CLR\CLR.EXE regedit.exe explorer.exe \svchost.exe;\taskhostw.exe;\userinit.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\lsass.exe;\logonui.exe;\services.exe C:\windows\System32\;C:\windows\syswow64\ \wininit.exe;\winlogon.exe;\services.exe;\dwm.exe;System;\smss.exe;\svchost.exe \spoolsv.exe;\PrintIsolationHost.exe C:\Windows\System32\spoolsv.exe;\GPLGS\gswin32c.exe;C:\Windows\System32\spool\drivers\;\bin\gswin64c.exe;C:\PROGRA~2\CUTEPD~1\;C:\Windows\EEFPrinter.exe C:\Windows\system32\spool\DRIVERS Brother Industries;Thomson Reuters COMSPEC ScriptFile \Temp\7z \Temp\Temp1_ \Temp\Rar$ powershell.exe;powershell_ise.exe C:\users\ Microsoft VS Code\Code.exe \Deployment tool extract\setupodt.exe Shellcode ipy.exe python.exe -agentpath: -agentlib: winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe;msidb.exe .cmd;- C:\Windows\system32\spool\DRIVERS\ PhotoViewer.dll outlook.exe http:;https:;ftp:;mailto:;tel: .html outlook.exe http:;https:;ftp:;mailto:;tel: .html" outlook.exe http:;https:;ftp:;mailto:;tel: .html" outlook.exe .pdf" outlook.exe .pdf outlook.exe .iso" outlook.exe .iso outlook.exe \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe;BrowserAssist.exe;\msedgewebview;\msedge.exe http:;https:;ftp:;mailto:;tel: outlook.exe http:;https:;ftp:;mailto:;tel: \Content.Outlook\;\Downloads\;\Documents\;:\Users\Public\;\Desktop\ outlook.exe \\ winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe C:\Users\ .exe Zoom Video Firefox Microsoft Edge Microsoft Teams GrammarlyAddInSetupe Teams.exe Zoom.exe browser_broker.exe chrome.exe edge.exe firefox.exe iexplore.exe vivaldi.exe winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe C:\ProgramData\ Firefox Microsoft Edge Microsoft Teams Zoom Video .zip\ acrobat.exe;acrord32.exe tracert.exe;csc.exe;cscript.exe;wscript.exe;cmd.exe;powershell.exe;bash.exe;scrcons.exe;schtasks.exe;hh.exe;regsvr32.exe;regsvcs.exe;sh.exe;wmic.exe;mshta.exe;rundll32.exe;msiexec.exe;forfiles.exe;scriptrunner.exe;mftrace.exe;AppVLP.exe;svchost.exe;MicroScMgmt.exe;FLTLDR.exe;wmic.exe;Microsoft.Workflow.Compiler.exe;atbroker.exe;bginfo.exe;certutil.exe;csi.exe;dnx.exe;cdb.exe;bitsadmin.exe;forfiles.exe;fsi.exe;ftp.exe;hostname.exe;gpresult.exe;ipconfig.exe;nbtstat.exe;ping.exe;pwsh.exe;qprocess.exe;quser.exe;qwinsta.exe;reg.exe;svchost.exe;installutil.exe;pwsh.exe;msxsl.exe;ieexec.exe;msdt.exe;verclsid.exe winword.exe;powerpnt.exe;excel.exe control.exe input.dll msdt.exe msdt.exe BrowseForFile=;PCWDiagnostic /af;-af msdt.exe pcwrun.exe PCWDiagnostic msdt.exe /cab;-cab .diagcab powershell.exe;pwsh.exe;cmd.exe;mshta.exe;cscript.exe;wscript.exe;wsl.exe;rundll32.exe;regsvr32.exe msdt.exe EQNEDT32.EXE winword.exe;excel.exe;powerpnt.exe FLTLDR.EXE /dde;-dde schtasks.exe /create;-create;/change;-change C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ taskeng.exe schtasks.exe /Run;-run Sentinel\AutoRepair C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ schtasks.exe schtasks /TN RtkAudUService64_BG -change;/change;-delete;/delete;-create;/create at.exe at.exe C:\Windows\System32\svchost.exe netsvcs;-p;-s;Schedule netsvcs;-p;-s;Schedule net.exe;net1.exe;net2.exe stop tvsu_tmp net.exe;net1.exe;net2.exe start tvsu_tmp wmiprvse.exe;mmc.exe;explorer.exe;services.exe &1;cmd.exe;\\127.0.0.1\;/Q /c wmiprvse.exe;mmc.exe;explorer.exe;services.exe &1;cmd.exe;\\127.0.0.1\;-Q -c schtasks;Create;ONLOGON;TN;Updater;TR;powershell sc.exe create \NIC_Emulex_Firmware\;C:\Windows\Temp\ExchangeSetup\ sc.exe config;binpath cmd.exe;powershell.exe services.exe new-service psexesvc.exe Execute processes remotely psexe PsExec Service PsExec Launched accepteula Execute processes remotely -s;/s psexec.exe pskill.exe pskill C:\WINDOWS\system32\svchost.exe -k NetworkService -p C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation C:\WINDOWS\System32\svchost.exe -k netprofm -p -s netprofm C:\WINDOWS\system32\svchost.exe;RPCSS C:\WINDOWS\system32\svchost.exe;RPCSS werfault.exe && type > cmd.exe" /c cd ntdsutil;/set {default} recoveryenabled no;telnet ;-dumpcr;putty;bash.exe;pssh;shareenum;sekurlsa;reg save;reg save;psscan;shellexec;vbscript:createobject;/output:clipboard;root\\default;root\\subscription;Wmiclass;WmiCl'+'as'+'s;export-mft;ApplicationImpersonation ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy ERROR kuhl;windows/meterpreter;InjectDLL;ReflectiveLoader;Koadic.;@subtee;-donate-level=;stratum+tcp;Win32_TaskService;FilterToConsumerBinding;Invoke-Stager;Invoke-FruityC2;smbscanner;Invoke-ReverseDNSLookup;Invoke-ARPScan;Invoke-Paranoia;Find-TrustedDocuments;Find-Fruit;Get-RickAstley;PowerView;Invoke-Tater;Get-System;Get-SiteListPassword;PowerBreach;Invoke-BackdoorLNK;Install-SSP;Get-SecurityPackages;Invoke-SSHCommand;Invoke-PsExec;Invoke-InveighRelay;Set-Wallpaper;Invoke-VoiceTroll;Invoke-ThunderStruck;Exploit-Jboss;Invoke-PowerDump;Invoke-DCSync;Get-VaultCredential;Set-MacAttribute;New-HoneyHash;MailRaider;Invoke-RunAs;Invoke-PSInject;Invoke-EgressCheck;Invoke-NetRipper;Invoke-Inveigh;Get-Screenshot;Get-IndexedItem;Get-FoxDump'Get-Clipboard;Get-ChromeDump;Start-CaptureServer;Add-Persistence;Add-Exfiltration;Invoke-PowerShellWMI;Invoke-PowerShellTCP;Invoke-PoshRatHttp;Show-TargetScreen;Get-PassHashes;Get-LSASecret;Check-VM;Remove-Update;Enabled-DuplicateToken;Invoke-ADSBackdoor;Gupt-Backdoor;Add-ScrnSaveBackdoor;Add-RegBackdoor;Get-Unconstrained;Get-RegAlwaysInstallElevated;Get-ApplicationHost;Get-WebConfig;Get-UnattendedInstallFile;Get-VulnAutoRun;Get-RegAutoLogon;Install-ServiceBinary;Invoke-ServiceAbuse;Get-ServicePermission;Get-ServiceFilePermission;Get-ServiceUnquoted;Invoke-DowngradeAccount;Invoke-ACLScanner;Find-GPOLocation;Invoke-UserHunter;Invoke-ReflectivePEInjectionInvoke-ReflectivePEInjection;Invoke-ReflectivePEInjection;VolumeShadowCopyTools;Out-Minidump;Invoke-TokenManipulation;Invoke-DllInjection;Invoke-SessionGopher;Invoke-Shellcode;Invoke-WmiCommand;Get-GPPPassword;Get-Keystrokes;Get-TimedScreenshot;Get-VaultCredential;Invoke-CredentialInjection;Invoke-NinjaCopy --disable-http2 --disable-quic /Client/Login?id= JABzA 2f40abbb4f78e77745f0e657a19903fc953cc664;478dc5a5f934c62a9246f7d1fc275868f568bc07;37b4496e650b3994312c838435013560b3ca8571;37b4496e650b3994312c838435013560b3ca8571;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;807d86da63f0db1fc746d1f0b05bc357;849a2b0dc80aeca3d175c139efe5221c;86A4CAC227078B9C95C560C8F0370BF0;98908ce6f80ecc48628c8d2bf5b2a50c;a4b42c2c95d1f2ff12171a01c86cd64f;4abe604916c04fe3dd8b9cb3d501d3f;eac3e3ece94bc84e922ec077efb15edd;128CECC59C91C0D0574BC1075FE7CB40;88777aacd5f16599547926a4c9202862;0f49621b06f2cdaac8850c6e9581a594;17a36ac3e31f3a18936552aff2c80249;322cb39bc049aa69136925137906d855;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;3d129263f6a48647f103a04446fb0c2f;37cd353621b0f4fc6981b50071c94f01;1b60021baedc3f9201bcdb40e9b87f62;71345b139166482acaa568ac8816c7bc;5E022694C0DBD1FBBC263D608E577949;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc5733c013378fa418d13773f5bfe6f1;c579341f86f7e962719c7113943bb6e4;d326e629a90e78825645963b35e53a6a;5E022694C0DBD1FBBC263D608E577949;53841a0c6a3ff92976db08bfdf95e083;dc7e564809d6c2a2f3457c3c9b91f22b;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b;FE2CA1BE3BDA2A757036A89E54CC02DB;FE2CA1BE3BDA2A757036A89E54CC02DB 22d142f11cf2a30ea4953e1fffb0fa7e;2317d65da4639f4246de200650a70753;27612cb03c89158225ca201721ea1aad;412956675fbc3f8c51f438c1abc100eb;daf2da52475fd8981b19ec3c321a983c;490a140093b5870a47edc29f33542fd2;51a7068640af42c3a7c1b94f1c11ab9d;533340c54bd25256873b3dca34d7f74e;684eca6b62d69ce899a3ec3bb04d0a5b;69a19abf5ba56ee07cdd3425b07cf8bf;6cfd131fef548fcd60fbcdb59317df8e;72dc98449b45a7f1ccdef27d51e31e91;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;80c37e062aa4c94697f287352acf2e9d;815f1f8a7bc1e6f94cb5c416e381a110;a43d3b31575846fa4c3992b4143a06da;08e82dc7bae524884b7dc2134942aadb;7bcd736a2394fc49f3e27b3987cce640;57314359df11ffdf476f809671ec0275;b72737b464e50aa3664321e8e001ff32;ce8ce92fb6565181572dce00d69c24f8;5985087678414143d33ffc6e8863b887;84730a6e426fbd3cf6b821c59674c8a0;d5377dc1821c935302c065ad8432c0d2;d8f1356bebda9e77f480a6a60eab36bb;92f8e3f0f1f7cc49fad797a62a169acd;9003cfaac523e94d5479dc6a10575e60;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;c1e7850da5604e081b9647b58248d7e8;99828721ac1a0e32e4582c3f615d6e57;f559c87b4a14a4be1bd84df6553aaf56;b9c208ea8115232bfd9ec2c62f32d6b8;061089d8cb0ca58e660ce2e433a689b3;0e9afd3a870906ebf34a0b66d8b07435;9c115e9a81d25f9d88e7aaa4313d9a8f;520ee02668a1c7b7c262708e12b1ba6b;7bfba2c69bed6b160261bdbf2b826401;77a745b07d9c453650dd7f683b02b3ed;3a771efb7ba2cd0df247ab570e1408b2;0969b2b399a8d4cd2d751824d0d842b4;fc53f2cd780cd3a01a4299b8445f8511;4e39620afca6f60bb30e031ddc5a4330;bfe3f6a79cad5b9c642bb56f8037c43b;3dfebce4703f30eed713d795b90538b5;9793afcea43110610757bd3b800de517;36db24006e2b492cafb75f2663f241b2;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;649ef1dd4a5411d3afcf108d57ff87af;320b2f1d9551b5d1df4fb19bd9ab253a;3d75c72144d873b3c1c4977fbafe9184;b9cf4301b7b186a75e82a04e87b30fe4;b4e67706103c3b8ee148394ebee3f268;7bfbd72441e1f2ed48fbc0f33be00f24;cdb303f61a47720c7a8c5086e6b2a743;2a6f7ec77ab6bd4297e7b15ae06e2e61;8403a28e0bffa9cc085e7b662d0d5412;3ffd2915d285ad748202469d4a04e1f5;04078ef95a70a04e95bda06cc7bec3fa;235d427f94630575a4ea4bff180ecf5d;8035a8a143765551ca7db4bc5efb5dfd;cacaa3bf3b2801956318251db5e90f3c;1aadf739782afcae6d1c3e4d1f315cbd;c3e255888211d74cc6e3fb66b69bbffb;d9e9f22988d43d73d79db6ee178d70a4;16ab79fb2fd92db0b1f38bedb2f02ed8;8da15a97eaf69ff7ee184fc446f19cf1;ffc7305cb24c1955f9625e525d58aeee;c0e72eb4c9f897410c795c1b360090ef;9ad6fa6fdedb2df8055b3d30bd6f64f1;44619a88a6cff63523163c6a4cf375dd;a571660c9cf1696a2f4689b2007a12c7;81229c1e272218eeda14892fa8425883;0ac48cfa2ff8351365e99c1d26e082ad;afcdf79be1557326c854b6e20cb900a7 a53a02b997935fd8eedcb5f7abab9b9f e96a73c7bf33a464c510ede582318bf2 serialfunc.exe e PAA;en PAA;enc PAA;enco PAA;encode PAA;encoded PAA;encodedco PAA;encodedcom PAA;encodedcomm PAA;encodedcomma PAA;encodedcomman PAA;encodedcommand PAA;e IAA;en IAA;enc IAA;enco IAA;encode IAA;encoded IAA;encodedco IAA;encodedcom IAA;encodedcomm IAA;encodedcomma IAA;encodedcomman IAA;encodedcommand IAA;e JAB;en JAB;enc JAB;enco JAB;encode JAB;encoded JAB;encodedco JAB;encodedcom JAB;encodedcomm JAB;encodedcomma JAB;encodedcomman JAB;encodedcommand JAB;e cwBFAFQA;en cwBFAFQA;enc cwBFAFQA;enco cwBFAFQA;encode cwBFAFQA;encoded cwBFAFQA;encodedco cwBFAFQA;encodedcom cwBFAFQA;encodedcomm cwBFAFQA;encodedcomma cwBFAFQA;encodedcomman cwBFAFQA;encodedcommand cwBFAFQA;e SQBFAF;en SQBFAF;enc SQBFAF;enco SQBFAF;encode SQBFAF;encoded SQBFAF;encodedco SQBFAF;encodedcom SQBFAF;encodedcomm SQBFAF;encodedcomma SQBFAF;encodedcomman SQBFAF;encodedcommand SQBFAF;e UwBFAFQA;en UwBFAFQA;enc UwBFAFQA;enco UwBFAFQA;encode UwBFAFQA;encoded UwBFAFQA;encodedco UwBFAFQA;encodedcom UwBFAFQA;encodedcomm UwBFAFQA;encodedcomma UwBFAFQA;encodedcomman UwBFAFQA;encodedcommand UwBFAFQA;e IABpAE4AdgBPAEsAZQAt;en IABpAE4AdgBPAEsAZQAt;enc IABpAE4AdgBPAEsAZQAt;enco IABpAE4AdgBPAEsAZQAt;encode IABpAE4AdgBPAEsAZQAt;encoded IABpAE4AdgBPAEsAZQAt;encodedco IABpAE4AdgBPAEsAZQAt;encodedcom IABpAE4AdgBPAEsAZQAt;encodedcomm IABpAE4AdgBPAEsAZQAt;encodedcomma IABpAE4AdgBPAEsAZQAt;encodedcomman IABpAE4AdgBPAEsAZQAt;encodedcommand IABpAE4AdgBPAEsAZQAt;e SQBmACgAJAB;en SQBmACgAJAB;enc SQBmACgAJAB;enco SQBmACgAJAB;encode SQBmACgAJAB;encoded SQBmACgAJAB;encodedco SQBmACgAJAB;encodedcom SQBmACgAJAB;encodedcomm SQBmACgAJAB;encodedcomma SQBmACgAJAB;encodedcomman SQBmACgAJAB;encodedcommand SQBmACgAJAB;e J;en J;enc J;enco J;encode J;encoded J;encodedco J;encodedcom J;encodedcomm J;encodedcomma J;encodedcomman J;encodedcommand J;e SUVY;en SUVY;enc SUVY;enco SUVY;encode SUVY;encoded SUVY;encodedco SUVY;encodedcom SUVY;encodedcomm SUVY;encodedcomma SUVY;encodedcomman SUVY;encodedcommand SUVY;e aWV4;en aWV4;enc aWV4;enco aWV4;encode aWV4;encoded aWV4;encodedco aWV4;encodedcom aWV4;encodedcomm aWV4;encodedcomma aWV4;encodedcomman aWV4;encodedcommand aWV4;e dmFy;en dmFy;enc dmFy;enco dmFy;encode dmFy;encoded dmFy;encodedco dmFy;encodedcom dmFy;encodedcomm dmFy;encodedcomma dmFy;encodedcomman dmFy;encodedcommand dmFy;e dgBhA;en dgBhA;enc dgBhA;enco dgBhA;encode dgBhA;encoded dgBhA;encodedco dgBhA;encodedcom dgBhA;encodedcomm dgBhA;encodedcomma dgBhA;encodedcomman dgBhA;encodedcommand dgBhA;e R2V0;en R2V0;enc R2V0;enco R2V0;encode R2V0;encoded R2V0;encodedco R2V0;encodedcom R2V0;encodedcomm R2V0;encodedcomma R2V0;encodedcomman R2V0;encodedcommand R2V0;e IAAgAH;en IAAgAH;enc IAAgAH;enco IAAgAH;encode IAAgAH;encoded IAAgAH;encodedco IAAgAH;encodedcom IAAgAH;encodedcomm IAAgAH;encodedcomma IAAgAH;encodedcomman IAAgAH;encodedcommand IAAgAH;e TVq;en TVq;enc TVq;enco TVq;encode TVq;encoded TVq;encodedco TVq;encodedcom TVq;encodedcomm TVq;encodedcomma TVq;encodedcomman TVq;encodedcommand TVq;e aQBIA;en aQBIA;enc aQBIA;enco aQBIA;encode aQBIA;encoded aQBIA;encodedco aQBIA;encodedcom aQBIA;encodedcomm aQBIA;encodedcomma aQBIA;encodedcomman aQBIA;encodedcommand aQBIA;e UEs;en UEs;enc UEs;enco UEs;encode UEs;encoded UEs;encodedco UEs;encodedcom UEs;encodedcomm UEs;encodedcomma UEs;encodedcomman UEs;encodedcommand UEs;e H4s;en H4s;enc H4s;enco H4s;encode H4s;encoded H4s;encodedco H4s;encodedcom H4s;encodedcomm H4s;encodedcomma H4s;encodedcomman H4s;encodedcommand H4s;e dXNpbm;en dXNpbm;enc dXNpbm;enco dXNpbm;encode dXNpbm;encoded dXNpbm;encodedco dXNpbm;encodedcom dXNpbm;encodedcomm dXNpbm;encodedcomma dXNpbm;encodedcomman dXNpbm;encodedcommand dXNpbm;e cwBhA;en cwBhA;enc cwBhA;enco cwBhA;encode cwBhA;encoded cwBhA;encodedco cwBhA;encodedcom cwBhA;encodedcomm cwBhA;encodedcomma cwBhA;encodedcomman cwBhA;encodedcommand cwBhA;JABzA FromBase64String JAB;SUVY;aWV4;dmFy;dgBhA;R2V0;SQBFAF;TVq;aQBIA;UEs;H4s;dXNpbm;cwBhA /v Word experienced;/v Excel experienced;-v Word experienced;-v Excel experienced JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ;QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA;kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA;IgAoACcAKgAnACkAOwAkA;IAKAAnACoAJwApADsAJA;iACgAJwAqACcAKQA7ACQA e^;^en^;^nc ^ ..\;\.. \cmd.exe /c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe /c del "C:\Users\*\Desktop\*.exe;\cmd.exe -c del "C:\Users\*\AppData\Local\Temp\*.exe;\cmd.exe -c del "C:\Users\*\Desktop\*.exe ping.exe -n 6 127.0.0.1 &ping.exe /n 6 127.0.0.1 & type System.Net.Networkinformation.ping mofcomp.exe net.exe;net1.exe;net2.exe user;group;localgroup remove;delete;active;del tvsu_tmp net.exe;net1.exe;net2.exe user add tvsu_tmp dsmod.exe dsadd.exe WerFault.exe -s;/s cmd.exe echo;\pipe\;> cmd.exe /c;copy;dll;\\;admin$ rundll32.exe ,;StartW rundll32.exe ,;update;appdata;temp;/i: rundll32.exe ,;update;appdata;temp;-i: dllhost.exe {3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C} dllhost.exe {3E5FC7F9-9A51-4367-9063-A120244FBEC7};{3E000D72-A845-4CD9-BD83-80C07C3B881F};{D2E7041B-2927-42fb-8E9F-7CE93B6DC937};{02B49784-1CA2-436C-BC08-72FA3956507D};{BEF590BE-11A6-442A-A85B-656C1081E04C} winlogon.exe;services.exe;lsass.exe;csrss.exe;wininit.exe;spoolsv.exe;searchindexer.exe powershell.exe;pwsh.exe;cmd.exe AUTHORI;AUTORI route ; ADD eventvwr.exe c:\windows\system32\mmc.exe fodhelper.exe InstallUtil.exe Invoke-PsUaCme BypassUAC PowerUp computerdefaults.exe dism.exe fodhelper.exe NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE;SERVICE LOCAL;ERVICE RÉSEAU;NETZWERKDIENST;LOKALER DIENST;NETZWERKDIENST;SERVICIO DE RED;ERVICIO LOC NT AUTHORITY\SYSTEM;СИСТЕМА;NT-AUTORITÄT\SYSTEM;AUTORITE NT\SYSTEM c:\windows\system32\svchost.exe -k netsvcs -s Appinfo runas.exe Cmd.Exe winlogon.exe utilman.exe Cmd.Exe winlogon.exe sethc.exe utilman.exe C:\Windows\System32\ATBroker.exe;Magnify.exe;C:\Windows\System32\osk.exe sethc.exe osk.exe Magnify.exe DisplaySwitch.exe Narrator.exe AtBroker.exe sdbinst.exe dwm.exe cmd.exe 7zFM.exe ;/c;-c cmd.exe elevation_service.exe System unknown process \LocalState\rootfs\ \LocalState\rootfs\ auditpol /set;-set;/restore;-restore;/clear;-clear;/remove;-remove;/resourceSACL;-resourceSACL +s;+h attrib.exe Hidden;Attributes powershell.exe Sysinternals Sysmon /u;/c;-u;-c C:\ProgramdData\sysmon\ MpCmdRun.exe Add-MpPreference;RemoveDefinitions;DisableIOAVProtection IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE IMPHASH=19584675D94829987952432E018D5056 IMPHASH=330768a4f172e10acb6287b87289d83b PsKill.exe Set-MpPreference;Add-MpPreference;Remove-MpPreference;MpCmdRun.exe RemoveDefinitions;RemoveDynamicSignature;DisableIOAVProtection;DisableRealTimeMonitoring;DisableBehaviorMonitoring;DisableBlockAtFirstSeen;DisableIOAVProtection;DisablePrivacyMode;DisableScriptScanning;DisableRealtimeMonitoring;DisableScanningNetworkFiles;DisableScanningMappedNetworkDrivesForFullScan;DisableRestorePoint;DisableRemovableDriveScanning;SignatureDisableUpdateOnStartupWithoutEngine;DisableIntrusionPreventionSystem;DisableScanOnRealtimeEnable;DisableArchiveScanning;DisableIntrusionPreventionSystem;DisableScriptScanning;DisableOnAccessProtection;ExclusionExtension;ExclusionPath;ExclusionProcess;ThreatDefaultAction;TamperProtection interface ipv6 set interface ipv4 set taskkill.exe firewall delete firewall add firewall set opmode disable Core Networking - Router Solicitation netsh advfirewall firewall wevtutil.exe cl wevtutil im wevtutil.exe im ClickToRun fltMC.exe detach;unload appcmd.exe DontLog;True iisetup.exe set;NGenAssemblyUsageLog New-ItemProperty;NGenAssemblyUsageLog reg;add;dword;NGenAssemblyUsageLog $env;NGenAssemblyUsageLog set;COMPlus_ETWEnabled New-ItemProperty;COMPlus_ETWEnabled reg;add;dword;COMPlus_ETWEnabled $env;COMPlus_ETWEnabled bash.exe;wsl.exe;ubuntu.exe;kali.exe -e;/e;-u root;--exec bash;dev/tcp;~ -d;~ /d wsl.exe wsl.exe wslhost.exe wslhost.exe ubuntu.exe ubuntu.exe kali.exe kali.exe distro-id;vm-id pcalua.exe pcalua.exe bash.exe bash.exe forfiles.exe forfiles.exe .com -appvscript C:\Users\NetworkService\;C:\Users\NetworkService\;HarddiskVolumeShadowCopy;C:\Users\Default\;C:\Users\Public;C:\Users\Guest\;\administrateur\;C:\Windows\Media\;C:\Windows\addins\;tsclient\;\htdocs\;\config\systemprofile\;C:\PerfLogs\;c:\windows\ServiceProfiles\;C:\Intel\Logs\;C:\Windows\repair\;C:\Windows\Help\;$Recycle;C:\Windows\Debug\;C:\Windows\Security\;C:\Windows\Fonts\;\wwwroot\;\Contacts;C:\Windows\vss\ .exe .7z.exe .doc.exe .doc.exe .docx.exe .ico.exe .iso.exe .lnk.exe .pdf.exe .ppt.exe .pptx.exe .rar.exe .rtf.exe .txt.exe .xls.exe .xlsx.exe .zip.exe ______.exe reg add hkcu\software\classes\ reg.exe add hkcu\software\classes\ C:\WINDOWS\system32\svchost.exe -k localService -s RemoteRegistry regedit.exe : reg.exe delete regedit.exe /d;-d HKCU:;HKLM remove-item HKCU:;HKLM set-item;new-item chcp.exe 936 1256 864 1258 855 866 powershell.exe -e ;-en;-enc;-enco;-encod;-encode;-encoded;-encodedc;-encodedco;-encodedcom;-encodedcomm;-encodedcomma;-encodedcomman;-encodedcommand;/e ;/en;/enc;/enco;/encod;/encode;/encoded;/encodedc;/encodedco;/encodedcom;/encodedcomm;/encodedcomma;/encodedcomman;/encodedcommand powershell.exe -w h;-wi h;-win h;-wind h;-windo h;-window h;-windows h;-windowst h;-windowsty h;-windowstyl h;-windowstyle h;/w h;/wi h;/win h;/wind h;/windo h;/window h;/windows h;/windowst h;/windowsty h;/windowstyl h;/windowstyle h powershell.exe -ex;/ex bypass powershell.exe -noni;/noni Import-Module FileServerResourceManager C:\Program Files\LogicMonitor powershell.exe hextobin;iex;io.filestream;system.text;base64;system.io;io.file;IMAGE_SUBSYSTEM_WINDOWS_GUI;IMAGE_NT_OPTIONAL_HDR32;IMAGE_NT_OPTIONAL_HDR64;DllCharacteristicsType;GetDelegateForFunctionPointer;WriteProcessMemory;ReadProcessMemory;ImpersonateSelf;AdjustTokenPrivileges;NtCreateThreadEx;CreateRemoteThread;io.seek;iwr;-bxor;invoke-expression;remove.to.string;shellcode;System.Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;unicode;-useb;msxml2.serverxmlhttp;wscript.shell;-comobject;frombase64;io.compression;system.convert;io.streamreader;io.memorystream;compression.gzipstream;text.encoding;executioncontext;text.enc;convertto-securestring;runtime.interop;verbosepreference;[[string]]::join powershell.exe SUVYI;aWV4I;SQBFAFgA;aQBlA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC;UwB0AGE C^om^S^pEc;^c^o^m^S^p^E^c^;Wscript.Shell;-ComObject;MsXml2.ServerXmlHttp;Remove.ToString;System.Convert;-UseB;[Byte[];^h^t^t^p;h"t"t"p IwAjACMAd;IyM=;SUVYI;aWV4I;SQBFAFgA;aQBlAHgA;TW96aWxsYS;1vemlsbGEv;Nb3ppbGxhL;TQBvAHoAaQBsAGwAYQAv;0AbwB6AGkAbABsAGEAL;BNAG8AegBpAGwAbABhAC WindowStyle Hidden function;WindowStyle Hidden;windowstyle h;windowstyl h;windowsty h;windowst h;windows h;window h;windo h;wind h;win h;wi h;-w h;/w h;win hi;win hid;win hidd;win hidde;win hidden ^ TYPE CON > copy CON > FromBase64String;action=create keyvalue=;VerbosePreference.ToString;SecureString;CSharpCodeProvider;runtime.interopservices.marshal;system.globalization.numberstyles;system.reflection.assembly;hextobin;VerbosePreference.ToString;system.text.encoding;io.filestream;io.filestream;io.seekorigin;text.encoding;unicode.getstring;FromBase64;[Convert]::;System.IO.File]::ReadAllText;|iex ngen.exe;install certutil decode;encode ping.exe 0x csc.exe \AppData\;\Windows\Temp\ csc.exe wscript.exe cscript.exe mshta.exe mofcomp.exe .mof C:\WINDOWS\Installer\MSI MsMpEng.exe aspnet_regiis.exe msiexec.exe csc.exe out:;target:library Microsoft.Workflow.Compiler.exe autochk.exe \smss.exe;\fontdrvhost.exe;\dwm.exe \consent.exe;\Runtimebroker.exe;\TiWorker.exe \svchost.exe - \consent.exe;\Runtimebroker.exe;\TiWorker.exe svchost.exe - SearchProtocolHost.exe \SearchIndexer.exe;\dllhost.exe - dllhost.exe \services.exe;\svchost.exe - smss.exe \smss.exe System - csrss.exe - \smss.exe;svchost.exe wininit.exe - \smss.exe winlogon.exe \smss.exe \lsass.exe;LsaIso.exe \wininit.exe LogonUI.exe \wininit.exe;\winlogon.exe services.exe \wininit.exe svchost.exe - \MsMpEng.exe;\services.exe spoolsv.exe \services.exe taskhost.exe \services.exe;\svchost.exe userinit.exe \dwm.exe;\winlogon.exe \wmiprvse.exe;\wsmprovhost.exe;\winrshost.exe - \svchost.exe \SearchProtocolHost.exe;\taskhost.exe;\csrss.exe \werfault.exe;\wermgr.exe;\WerFaultSecure.exe autochk.exe \chkdsk.exe;\doskey.exe;\WerFault.exe smss.exe \autochk.exe;\smss.exe;\csrss.exe;\wininit.exe;\winlogon.exe;\setupcl.exe;\WerFault.exe wermgr.exe \WerFaultSecure.exe;\wermgr.exe;\WerFault.exe wermgr.exe wermgr.exe \rundll32.exe;\regsvr32.exe \explorer.exe;\wermgr.exe;\msra.exe;\OneDriveSetup.exe;\mobsync.exe;\xwizard.exe .exe conhost.exe \mscorsvw.exe;\wermgr.exe;\WerFault.exe;\WerFaultSecure.exe System.Management.Automation "C:\Windows\Microsoft.NET\Framework\;\ngen.exe;install InstallUtil.exe /logfile=;/LogToConsole=false;/U InstallUtil.exe -logfile=;-LogToConsole=false;-U Mavinject.exe;mavinject64.exe INJECTRUNNING CMSTP.exe /ni;/s CMSTP.exe /ns;/s CMSTP.exe -ni;-s CMSTP.exe -ns;-s rundll32.exe;shell32.dll;_RunDLL C:\Windows\ImmersiveControlPanel\SystemSettings.exe odbcconf.exe /S /A {REGSVR;-S -A {REGSVR script:http Register-cimprovider Scriptrunner.exe -appvscript bginfo cbd runscripthelper.exe surfacecheck xwizard RunWizard PresentationHost driver executeinf control.exe /name;control.exe -name Control_RunDLL SyncAppvPublishingServer.exe Scriptrunner.exe ATBroker.exe Appvlp.exe InfDefaultInstall.EXE PresentationHost.exe RegisterCimProvider2.exe RegisterCimProvider.exe ScriptRunner.exe csi.exe extexport.exe msconfig.EXE rasdlui.exe tttracer.exe verclsid.exe wab.exe Register-cimprovider.exe csi.exe devtoolslauncher.exe LaunchForDeploy bginfo devtoolslauncher.exe wab.exe wsreset.exe cmstp.exe /ni /s;cmstp.exe -ni -s cmstp /ni /s;cmstp -ni -s Mavinject.exe INJECTRUNNING rundll32.exe DllRegisterServer xapauthenticodesip.dll regsvr32.exe C:\Users;Appdata;Temp regsvr32.exe C:\Users;Public Microsoft(C) Register Server SyncAppvPublishingServer.exe control.exe rasautou.exe control.exe /name;control.exe -name Control_RunDLL msiexec.exe /y;-y C:\Windows\SysWOW64\DartSock.dll C:\Windows\SysWOW64\ImageViewer2.OCX C:\Windows\SysWOW64\SysTray.ocx C:\Windows\SysWOW64\tdbg6.ocx C:\Windows\SysWOW64\tdbg7.ocx C:\Windows\SysWOW64\tdbg7.ocx C:\Windows\SysWOW64\todg7.ocx C:\Windows\SysWOW64\todgub7.dll C:\Windows\SysWOW64\xarraydb.ocx msiexec.exe /i;-i http RUNDLL32.EXE ,;# C:\Windows\resources\themes\Aero\AeroLite.msstyles uxtheme.dll ImageView_Fullscreen EDGEHTML.dll PhotoViewer.dll \AppData\Local\WebEx\WebEx\ RUNDLL32.EXE -sta;/sta RUNDLL32.EXE -localserver;/localserver RUNDLL32.EXE shell32.dll;OpenAs_RunDLL RUNDLL32.EXE powershell RUNDLL32.EXE url.dll;OpenURL RUNDLL32.EXE url.dll;FileProtocolHandler RUNDLL32.EXE zipfldr.dll;RouteTheCall RUNDLL32.EXE Shell32.dll;Control_RunDLL RUNDLL32.EXE javascript: RUNDLL32.EXE RegisterXLL rundll32.exe C:\Users;Public rdpinit.exe rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe rundll32.exe C:\Users;Appdata;Temp ImageView_ rdpinit.exe rdpinit.exe;G2MInstaller;GoToMeeting;LogMeIn;firefox.exe advpack.dll;LaunchINFSection ieadvpack.dll;LaunchINFSection syssetup.dll;SetupInfObjectInstallAction setupapi.dll;InstallHinfSection InstallHinfSection infDefaultInstall.exe rundll32.exe "C:\Windows\twain_64.dll" shdocvw.dll;OpenURL advpack.dll;RegisterOCX Zipfldr.dll;RouteTheCall url.dll;FileProtocolHandler url.dll;FileProtocolHandler OpenURLA;file: OpenURL;file: mshta.exe cmd.exe;powershell.exe;wscript.exe;cscript.exe;sh.exe;bash.exe;reg.exe;regsvr32.exe;bitsadmin mshta.exe RunHTMLApplication mshtml vbscript:CreateObject odbcconf.exe manage-bde.wsf powershell.exe;powershell_ise.exe msbuild.exe msbuild.exe regasm.exe msbuild.exe userinit.exe msbuild.exe .xml regasm.exe \conhost.exe msbuild.exe .lnk .csproj msxsl.exe msxsl.exe /stext keylog keyscan_ Get-Keystrokes /scomma sniff C:\Program Files\Adobe\ tcpdump.exe;tcpdump.c;tshark.exe;tshark.c;windump.exe;windump.c;wireshark.c;wireshark.exe windump;tshark;tcpdump;windump;wireshark netsh;trace;start;capture=yes vssadmin.exe create;shadow wmic.exe shadowcopy;call;create wmic.exe call;create;esentutl;vss win32_shadowcopy;create;clientaccessible mklink;GLOBALROOT;Shadow copy;NTDS\ntds.dit ntdsutil.exe copy;System32\config\SYSTEM reg;save;HKLM mimikatz;mimidrv;mimilove;mimilib;sekurlsa;lsadump;dumpcreds;privilege::;token::;logonpasswords;mimikittenz;mimiauth;::;kerberos::;misc::skeleton;privilege::debug;dpapi::cred;vault::cred;lsadump;misc::;Krbtgt;TOKEN::;invoke-mimi cmdkey rpcping.exe nltest.exe -ma lsass.exe;Do-Exfiltration;Powersploit;GPPPassword;gpprefdecrypt;gsecdump;hashdump;laZagne;ntds.dit;ppldump;pwdump;pwdumpx;secretsdump;/listcreds:;-listcreds: VaultCloseVault VaultEnumerateItem VaultFree VaultGetItem VaultOpenVault Vaultcmd vaultcli.dll select * from moz_login Invoke-WinEnum System.Net.CredentialCache create shadow wlan;export;profile;key=clear dcsync HKCU /f password;HKCU -f password HKLM /f password;HKLM -f password nltest.exe ProcDump.exe ProcDump asktgt;asktgs createnetonly /program:;createnetonly -program: dump /service:krbtgt;dump -service:krbtgt harvest /interval:;harvest -interval: renew /ticket:;renew -ticket: asreproast impersonateuser: kerberoast ptt /ticket: klist.exe hh.exe appcmd.exe list;text;password quser.exe net.exe;net1.exe;net2.exe group;localgroup; user /domain SUService \users tvsu_tmp net.exe;net1.exe;net2.exe group;localgroup; user /domain SUService \users tvsu_tmp sharphound;bloodhound;azurehound;CollectionMethod;encryptzip;randomizefilenames;dumpcomputerstatus sharphound;bloodhound sharphound;bloodhound sharphound;bloodhound sharphound;bloodhound sharphound;bloodhound sharphound;bloodhound dscl . list /Groups;dscl . list -Groups dscl . list /Users;dscl . list -Users dsquery.exe query.exe tree.com auditpol /get;-get;/list;-list;/backup;-backup gpresult.exe get-gpo;get-gpresult;get-gpreg tasklist.exe qprocess.exe reg query reg.exe query driverquery.exe tracert.exe pathping.exe find;385201 select-string;385201 find;virus select-string;virus process;Description;virus find;cb select-string;cb process;Description;cb find;defender select-string;defender process;Description;defender find;crowdstrike select-string;crowdstrike process;Description;crowdstrike find;sentinel select-string;sentinel process;Description;sentinel find;nessusd select-string;nessusd process;Description;nessusd find;td-agent select-string;td-agent process;Description;td-agent find;cbagentd select-string;cbagentd process;Description;cbagentd find;sysmon select-string;sysmon process;Description;sysmon find;winlogbeat select-string;winlogbeat process;Description;winlogbeat find;winlogbeat select-string;winlogbeat process;Description;winlogbeat find;csfalcon select-string;csfalcon process;Description;csfalcon find;splunk select-string;splunk process;Description;splunk find;sidecar select-string;sidecar process;Description;sidecar fltMC.exe misc::mflt AntiVirusProduct root\SecurityCenter2 sysinfo.exe systeminfo netsh.exe get;list;show netsh.exe get;list;show ipconfig.exe netstat.exe arp -a arp.exe -a arp -a whoami.exe;whoami1.exe wmic.exe get;useraccount netsh.exe add;set encryption;dohtemplate netsh.exe add;del;set nbtstat nessus route.exe print route.exe ADD;DEL;CHANGE;-f qwinsta.exe rwinsta.exe Microsoft Office\root\Office Microsoft Office\root\Office automation;Embedding admin$ davclnt.dll WebClientGroup /shadow;-shadow noConsentPrompt tscon.exe dest:rdp-tcp: powershell.exe WmiPrvSE.exe WmiPrvSE.exe \Users\ NetworkDetective WmiPrvSE.exe sc.exe tenable WmiPrvSE.exe cmd.exe WmiPrvSE.exe do_vbsUpload;Spiceworks regsvr32.exe WmiPrvSE.exe cmd.exe WmiPrvSE.exe powershell.exe WmiPrvSE.exe dsa.msc virtmgmt.msc wmiprvse.exe CompMgmtLauncher.exe DismHost.exe Microsoft.NET\Framework NetEvtFwdr.exe ServerManager.exe WerFault.exe chcp.com g2mupdate.exe slack.exe wsmprovhost.exe cmd.exe sh.exe bash.exe wsl.exe powershell.exe powershell_ise.exe schtasks.exe at.exe certutil.exe mshta.exe whoami.exe ping.exe ping.exe bitsadmin.exe winrm.cmd winrs.exe winrshost.exe waitfor.exe wsmprovhost.exe winrshost.exe wsmprovhost.exe wmiprvse.exe mshta.exe ssh.exe;putty.exe;kitty.exe;kitty_portable.exe PuTTY suite sftp;psftp rundll32.exe rundll32.exe ..\;, rundll32.exe ,StartW psshutdown psservice PsPasswd mstsc.exe telnet.exe tftp.exe powershellcustomhost -Embedding c:\windows\system32\mmc.exe --execm;atexec {4991d34b-80a1-4291-83b6-3328366b9097} {00020812-0000-0000-C000-000000000046} {40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91} {7e0423cd-1119-0928-900c-e6d4a52a0715} {0006F04A-0000-0000-C000-000000000046} {048EB43E-2059-422F-95E0-557DA96038AF} {13709620-C279-11CE-A49E-444553540000} {c08afd90-f2a1-11d1-8455-00a0c91f3880} 9BA05972-F6A8-11CF-A442-00A0C90A8F39 {00021A20-0000-0000-C000-000000000046} {72C24DD5-D70A-438B-8A42-98424B88AFB8} {00020906-0000-0000-C000-000000000046} {cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} {1b7cd997-e5ff-4932-a7a6-2a9e636da385} {16d51579-a30b-4c8b-a276-0ff4dc41e755} rundll32.exe -sta;rundll32.exe /sta;rundll32 -sta;rundll32 /sta shell32.dll;SHCreateLocalServerRunDll -k DcomLaunch;/k DcomLaunch 7z.exe a -mx9 -r0 -p;a -v500m -mx9 -r0 -p 7z 7z winrar winrar winrar winrar winzip winzip Compress-Archive WindowsAudioDevice-Powershell-Cmdlet SoundRecorder.exe clip.exe get-clipboard New-MailboxExportRequest add-pssnapin;exchange;new-managementroleassignment;applicationimpersonation screencapture system.drawing.Imaging system.drawing.bitmap system.windows.forms.screen odHRwczovL;aHR0cDovL;h0dHA6Ly;odHRwOi8v;aHR0cHM6Ly;h0dHBzOi8v ie_to_edge_stub.exe;chrome.exe;firefox.exe;iexplore.exe;brave.exe;vivaldi.exe;msedge.exe;webex;teams.exe;goto opener.exe;lynx.exe;\Webex\webexAppLauncherLatest.exe;\WebEx\webexAppLauncher.exe;\WebEx\Applications\webexAppLauncher.exe;WebEx\webex.exe wbx:;/SITE_TOKEN=;msteams:;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI msedgeupdate.dll VFZvQUFBQ;RWb0FBQU;UVm9BQUFB;VFZxQUFBR;RWcUFBQU;UVnFBQUFF;VFZwUUFBS;RWcFFBQU;UVnBRQUFJ;VFZxUUFBT;RWcVFBQU;UVnFRQUFN;VFZwVEFRR;RWcFRBUU;UVnBUQVFF powershell.exe AAAAYInlM;OiCAAAAYInlM;OiJAAAAYInlM;RwBlAHQAL;WwBOAGUAdAAuAFM;W05ldC5TZXJ2aWNl Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք certutil.exe urlcache;split;f DownloadFile;DownloadString;Net.WebClient;System.Net.WebRequest;System.Net.SecurityProtocolType;Invoke-Expression;Invoke-WebRequest powershell.exe;cmd.exe bitsadmin.exe CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME util;setieproxy;localsystem;AUTODETECT BITS administration utility CREATE;TRANSFER;DOWNLOAD;UPLOAD;ADDFILE;SetNotifyFlags;SetNotifyCmdLine;SetMinRetryDelay;SetCustomHeaders;RESUME \curl.exe;\wget.exe;\www.exe \curl.exe;\wget.exe;\www.exe certutil split;f certutil verifyctl;URL C:\Perflogs\;C:\Users\Public\;C:\root\ C:\Perflogs\;C:\Users\Public\;C:\root\ start-bitstransfer expand \\ expand.exe \\ ieexec http ieexec.exe http powercat esentutl /y \\;esentutl -y \\ esentutl.exe /y \\;esentutl.exe -y \\ extrac32 \\ extrac32.exe \\ portproxy tor.exe TeamViewer_Desktop.exe psexec winscp.exe;winscp.com;scp.exe;pscp bitch.exe;bitch.bat;bitch_lasagna.exe;Admin Cracker.exe;BulletsPassView.exe;ChromePass.exe;Dialupass.exe;LSASecretsView.exe;OpenedFilesView.exe;OperaPassView.exe;PasswordFox.exe;ProduKey.exe;RouterPassView.exe;USBDeview.exe;USBStealer.exe;VNCPassView.exe;WebBrowserPassView.exe;WirelessKeyView.exe;WirelessKeyView.exe;empv.exe;netpass.exe;pspv.exe;usbdll.exe;rdpv.exe;WirelessKeyView.exe;lasagna.exe;all -vvv >>;rsync -r CredsLeaker;Windows.Security.Credentials.UI.CredentialPicker;function Leaker;function Await .exe -url https://;dll,Run https://;Invoke-Merlin;-m SimpleHTTPServer;/m SimpleHTTPServer -q=txt;/q=txt nslookup.exe rclone Rsync for cloud storage rclone rclone \rclone s3browser s3browser s3browser s3browser add-ftp;.UploadFile( ftp.exe rundll32.exe davclnt.dll;DavSetCookie bcdedit.exe safeboot bootcfg.exe safeboot -startvm;vrun.exe -vm vssadmin.exe delete;resize wmic.exe shadowcopy;delete wbadmin.exe SYSTEMSTATEBACKUP;delete wmic.exe wmic shadowstorage SET MaxSpace= wmic.exe cleareventlog;call disable;nteventlog where filename diskpart.exe format;clean;delete;remove manage-bde.exe changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw manage-bde.wsf changepin;changepassword;changekey;wipefreespace;lock;/on;-on;/off;-off;-add;/add;-pw;/pw format format bootstatuspolicy ignoreallfailures recoveryenabled No Win32_Shadowcopy sdelete delete catalog wbadmin delete catalog erase -nw -exec= -p -nw shred diskshadow del ; /f del ; -f rmdir ; /s ; /q rmdir ; -s ; -q rd ; /s ; /q rd ; -s ; -q usn deletejournal fsutil.exe deletejournal usn AdjustTokenPrivileges;IMAGE_NT_OPTIONAL_HDR64_MAGIC;LSA_UNICODE_STRING;Management.Automation.RuntimeException;Metasploit;Microsoft.Win32.UnsafeNativeMethods;Mimikatz;MiniDumpWriteDump;Net.Sockets.SocketFlags;PAGE_EXECUTE_READ;ReadProcessMemory.Invoke;Reflection.Assembly;Runtime.InteropServices;SECURITY_DELEGATION;SE_PRIVILEGE_ENABLED;System.Runtime.InteropServices;System.Security.Cryptography;TOKEN_ADJUST_PRIVILEGES;TOKEN_ALL_ACCESS;TOKEN_ASSIGN_PRIMARY;TOKEN_DUPLICATE;TOKEN_ELEVATION;TOKEN_IMPERSONATE;TOKEN_INFORMATION_CLASS;TOKEN_PRIVILEGES;TOKEN_QUERY;powerkatz ahashpool;blazepool;blockmasters;blockmasterscoins;ccminer;cgminer;coinhive;hashrefinery;minergate;miningpoolhubcoins;nicehash;poolname;poolpassword;poolurl;rainbowminer;sgminer;stratum+tcp;xmrMiner;xmrig;yiimp;zergpool;zergpoolcoins;zpool CPU miner;GPU miner;Lime Miner;XMRig CPU miner; miner b91ce2fa41029f6955bff20079468448;02af7cec58b9a5da1c542b5a32151ba1;2c4a910a1299cdae2a4e55988a2f102e;846e27a652a5e1bfbd0ddd38a16dc865;4f2eb62fa529c0283b28d05ddd311fae;56ceb6d0011d87b6e4d7023d7ef85676 87AECF008D87EC86EC8B00A2394B3E6C FB3F0D0DE8B80EA8CFAB2A025EC6B833 F4067FBF7FFF6945D0BB485B727B39AA 4a069c1abe5aca148d5a8fdabc26751e;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;304772c80b157a916c7041f2f15939fb;291ff87948e45914424cec9510c297da;a4b42c2c95d1f2ff12171a01c86cd64f;98908ce6f80ecc48628c8d2bf5b2a50c;849a2b0dc80aeca3d175c139efe5221c;807d86da63f0db1fc746d1f0b05bc357;322cb39bc049aa69136925137906d855;86A4CAC227078B9C95C560C8F0370BF0;36dd195269979e01a29e37c488928497;7d9d29c1c03461608bcab930fef2f568;eac3e3ece94bc84e922ec077efb15edd;b4abe604916c04fe3dd8b9cb3d501d3f;88777aacd5f16599547926a4c9202862;128CECC59C91C0D0574BC1075FE7CB40;17a36ac3e31f3a18936552aff2c80249;0f49621b06f2cdaac8850c6e9581a594;3d129263f6a48647f103a04446fb0c2f;71345b139166482acaa568ac8816c7bc;1b60021baedc3f9201bcdb40e9b87f62;5E022694C0DBD1FBBC263D608E577949;cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5;b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04;2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec;6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11;5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c;37cd353621b0f4fc6981b50071c94f01;daf2da52475fd8981b19ec3c321a983c;afcdf79be1557326c854b6e20cb900a7;2f40abbb4f78e77745f0e657a19903fc953cc664;37b4496e650b3994312c838435013560b3ca8571;478dc5a5f934c62a9246f7d1fc275868f568bc07;1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42;2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326;5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32;5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14;08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949;758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272;bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1;e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230;0ac48cfa2ff8351365e99c1d26e082ad;0e9afd3a870906ebf34a0b66d8b07435;1aadf739782afcae6d1c3e4d1f315cbd;2a6f7ec77ab6bd4297e7b15ae06e2e61;3a771efb7ba2cd0df247ab570e1408b2;3d75c72144d873b3c1c4977fbafe9184;3dfebce4703f30eed713d795b90538b5;3ffd2915d285ad748202469d4a04e1f5;4e39620afca6f60bb30e031ddc5a4330;6cfd131fef548fcd60fbcdb59317df8e;7bcd736a2394fc49f3e27b3987cce640;7bfba2c69bed6b160261bdbf2b826401;7bfbd72441e1f2ed48fbc0f33be00f24;7c733607a0932b1b9a9e27cd6ab55fe0;7d5265e814843b24fcb3787768129040;08e82dc7bae524884b7dc2134942aadb;8da15a97eaf69ff7ee184fc446f19cf1;9ad6fa6fdedb2df8055b3d30bd6f64f1;9c115e9a81d25f9d88e7aaa4313d9a8f;16ab79fb2fd92db0b1f38bedb2f02ed8;21feb6aa15e02bb0cddbd544605aabad;21feb6aa15e02bb0cddbd544605aabad;22d142f11cf2a30ea4953e1fffb0fa7e;36db24006e2b492cafb75f2663f241b2;51a7068640af42c3a7c1b94f1c11ab9d;69a19abf5ba56ee07cdd3425b07cf8bf;72dc98449b45a7f1ccdef27d51e31e91;77a745b07d9c453650dd7f683b02b3ed;80c37e062aa4c94697f287352acf2e9d;92f8e3f0f1f7cc49fad797a62a169acd;235d427f94630575a4ea4bff180ecf5d;320b2f1d9551b5d1df4fb19bd9ab253a;490a140093b5870a47edc29f33542fd2;520ee02668a1c7b7c262708e12b1ba6b;649ef1dd4a5411d3afcf108d57ff87af;684eca6b62d69ce899a3ec3bb04d0a5b;815f1f8a7bc1e6f94cb5c416e381a110;0969b2b399a8d4cd2d751824d0d842b4;2317d65da4639f4246de200650a70753;04078ef95a70a04e95bda06cc7bec3fa;8035a8a143765551ca7db4bc5efb5dfd;8403a28e0bffa9cc085e7b662d0d5412;9003cfaac523e94d5479dc6a10575e60;9793afcea43110610757bd3b800de517;27612cb03c89158225ca201721ea1aad;44619a88a6cff63523163c6a4cf375dd;061089d8cb0ca58e660ce2e433a689b3;81229c1e272218eeda14892fa8425883;84730a6e426fbd3cf6b821c59674c8a0;533340c54bd25256873b3dca34d7f74e;57314359df11ffdf476f809671ec0275;99828721ac1a0e32e4582c3f615d6e57;412956675fbc3f8c51f438c1abc100eb;5985087678414143d33ffc6e8863b887;a43d3b31575846fa4c3992b4143a06da;a571660c9cf1696a2f4689b2007a12c7;b4e67706103c3b8ee148394ebee3f268;b9c208ea8115232bfd9ec2c62f32d6b8;b9cf4301b7b186a75e82a04e87b30fe4;b72737b464e50aa3664321e8e001ff32;bfe3f6a79cad5b9c642bb56f8037c43b;c0e72eb4c9f897410c795c1b360090ef;c1e7850da5604e081b9647b58248d7e8;c3e255888211d74cc6e3fb66b69bbffb;cacaa3bf3b2801956318251db5e90f3c;cdb303f61a47720c7a8c5086e6b2a743;ce8ce92fb6565181572dce00d69c24f8;d8f1356bebda9e77f480a6a60eab36bb;d9e9f22988d43d73d79db6ee178d70a4;d5377dc1821c935302c065ad8432c0d2;df91b86189adb0a11c47ce2405878fa1;e17bd40f5b5005f4a0c61f9e79a9d8c2;f559c87b4a14a4be1bd84df6553aaf56;fc53f2cd780cd3a01a4299b8445f8511;ffc7305cb24c1955f9625e525d58aeee e96a73c7bf33a464c510ede582318bf2;a53a02b997935fd8eedcb5f7abab9b9f d326e629a90e78825645963b35e53a6a;c579341f86f7e962719c7113943bb6e4;dc5733c013378fa418d13773f5bfe6f1;b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d;965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26;4a069c1abe5aca148d5a8fdabc26751e;dc7e564809d6c2a2f3457c3c9b91f22b;FE2CA1BE3BDA2A757036A89E54CC02DB;5470f0644589685000154cb7d3f60280acb16e39ca961cce2c016078b303bc1b 53841a0c6a3ff92976db08bfdf95e083 zoommtg pwd= zoommtg zc=0 zoommtg zc=1 msteams: wbx: C:\Users\ \Downloads\ C:\Users\ \Desktop\ \awk.exe;\sed.exe C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\ C:\Users\Public\;$Recyclebin;\Desktop\;\Content.Outlook\;\Downloads\ .html;.hta;.iso;.js;.bat;.cmd;.cmdline;.vbs;.vb;.vbe;.reg;.com listena -s -n -u -i:http: /s /n /u /i:http: assoc del expand md move rd ren set setx bginfo.bgi /popup /nolicprompt;bginfo.bgi -popup -nolicprompt find.exe grabff routerscan pythonEngine.Execute sesshijack file:// HTML Application host Manager Profile Installer Microsoft Application Virtualization Injector Application Compatibility Database Installer popd.exe pushd.exe subst.exe doskey.exe cls.exe \ C:\Windows\system32\svchost.exe -k iissvcs \ acrobat.exe acrord32.exe java.exe javaw.exe C:\Windows\system32\svchost.exe cacls.exe takeown.exe /x Macro \pipe\ > /noprofile /sc ONEVENT \\VBOXSVR | more |more \\tsclient %PROCESSOR_ARCHITECTURE% sysnative AutoIt Microsoft Filter Loader more.com :\Windows\Microsoft.NET\ acrord32.exe gpupdate.exe :\Windows\Microsoft.NET\ System explorer.exe \regedit.exe;\cmd.exe;terminal;\powershell C:\Windows\System32\WerFault.exe C:\Windows\System32\wbem\WmiPrvSE.exe C:\Users C:\ProgramData \Temp\ \tmp\ \drivers\ \Download C:\Windows\system32\backgroundTaskHost.exe TrustedInstaller.exe OneDrive.exe vivaldi.exe chrome.exe C:\WINDOWS\system32\backgroundTaskHost.exe setup AppData\Local\Microsoft\Teams\current\Teams.exe \AppData\Local\Microsoft\Edge SxS\Application\msedge.exe census researchscan scanhub shadow shodan 137.184.67.33;206.188.196.77;125.212.220.48;5.180.61.17;47.242.39.92;61.244.94.85;86.48.6.69;86.48.12.64;94.140.8.48;94.140.8.113;103.9.76.208;103.9.76.211;104.244.79.6;112.118.48.186;122.155.174.188;125.212.241.134;185.220.101.182;194.150.167.88;212.119.34.11 137.184.67. httpbin.org advanced-ip-scanner.com kali.download shodan wscript.exe at.exe schtasks.exe \temp\ 127.0.0.1 \wwwroot\ \Windows\addins\ C:\Windows\repair\ \htdocs\ C:\Windows\system32\config\systemprofile\ C:\Intel\Logs\ C:\Windows\addins\ C:\Windows\security\ C:\Windows\Help\ $RECYCLE.BIN C:\Windows\Debug\ C:\Windows\Fonts\ C:\PerfLogs\ :\$Recycle.bin\ :\Users\Default\ C:\Users\NetworkService\ C:\Users\Public\ C:\Windows\Media\ \Windows\IME\ C:\ProgramData CSC.exe infDefaultInstall.exe SyncAppvPublishingServer.exe InstallUtil.exe msiexec.exe regasm.exe;regsvcs.exe Mavinject.exe msbuild.exe dsquery.exe driverquery.exe nbtstat.exe net.exe net1.exe qwinsta.exe rwinsta.exe true 3389 AutomationManager.ScriptRunner64.exe C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe C:\Program Files\VMware\VMware Remote Console\vmrc.exe C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_ CtxLicUsageRecorder.exe FSAssessment.exe FSDiscovery.exe MobaRTE.exe RDCMan.exe RSSensor.exe RTS2App.exe RTSApp.exe RemoteDesktopManager64.exe RemoteDesktopManager.exe RemoteDesktopManagerFree.exe Terminals.exe chrome.exe mRemote.exe mRemoteNG.exe mstsc.exe spiceworks-finder.exe svchost.exe thor64.exe thor.exe true 3391 AutomationManager.ScriptRunner64.exe C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe C:\Program Files\VMware\VMware Remote Console\vmrc.exe C:\Program Files\WindowsApps\Microsoft.RemoteDesktop_ CtxLicUsageRecorder.exe FSAssessment.exe FSDiscovery.exe MobaRTE.exe RDCMan.exe RSSensor.exe RTS2App.exe RTSApp.exe RemoteDesktopManager64.exe RemoteDesktopManager.exe RemoteDesktopManagerFree.exe Terminals.exe chrome.exe mRemote.exe mRemoteNG.exe mstsc.exe spiceworks-finder.exe svchost.exe thor64.exe thor.exe true 3389 127.0.0.1;0:0:0:0:0:0:0:1 true 3389 fe80:0 putty.exe;kitty.exe;kitty_portable.exe wsmprovhost.exe psftp.exe reg.exe psshutdown PsPasswd psservice ssh.exe psexe tftp.exe telnet.exe mstsc.exe wmic.exe sc.exe pskill dsquery.exe plink.exe vnc.exe vncviewer.exe vncservice.exe omniinet.exe hpsmhd.exe 50050 true 25 \Bin\EdgeTransport.exe;Bin\MSExchangeFrontendTransport.exe true powershell.exe 0:0:0:0:0:0:0:;127.0.0.1 mshta.exe cmd.exe certutil.exe certutil.exe notepad.exe regsvcs.exe regsvr32.exe rundll32.exe tor.exe hiddenservice.net;onion.city;onion.direct;onion.direct;onion.link;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org;onion.to dns.google;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;doh.opendns.com;.quad9.net;dns.cleanbrowsing.org;dns-family.adguard.com;dns.adguard.com;.233py.com;dnscrypt;dnscrypt-cert.oszx.co;dns.oszx.co;doh.dns.sb;doh.defaultroutes.de;doh.tiarap.org;doh.tiar.app;doh.captnemo.in;.aaflalo.me;doh.appliedprivacy.net;doh.dnswarden.com;commons.host;dns.twnic.tw;ibuki.cgnat.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;.seby.io;rdns.faelix.net;doh.li;.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk;adblock.mydns.network;ibksturm.synology.me;jcdns.fun privatlab.com mega.nz;mega.co.nz .pcloud.com 0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;analytics.blue;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;estream.to;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;nimpool.io;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;supportxmr;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool C:\Windows\system32\svchost.exe 3389 22 21 5985 false C:\Windows\system32\svchost.exe true 135 445 5985 System svchost.exe 445 System svchost.exe;lsass.exe 389 C:\Windows\System32\lsass.exe 389 127.0.0.1;0:0:0:0:0:0:0:1;fe80:0 EXCH 127.0.0.1;0:0:0:0:0:0:0:1;fe80:0 false notepad.exe 127.0.0.1 \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe 80 443 true github githubusercontent.com dropboxapi.com \Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\ 1drv C:\Program Files\Microsoft OneDrive\OneDrive.exe;\AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe .box.com;upload mega.nz;mega.co.nz privatlab.com tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet .slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com apache.exe java.exe w3wp.exe \php-cgi.exe;\php.exe setup tomcat unins unknown process explorer.exe inetinfo.exe netcat.exe;nc.exe;nc64.exe;ncat.exe procdump psexe vnc;vncs;vncv rcpping;tcpping;tcping;routerscan;grabff;Port-Scan;netscan;\nmap;ipscan;nacmdline.exe;advanced_port_scanner.exe;rcpping.exe;nmap.exe;zenmap.exe;advanced_ip_scanner.exe 0 5985 5986 1293 1701 1194 3540 3389 22 1080 3128 8080 1723 23 4500 9001 9030 5900 5800 0 80 443 636 5900 443 \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe 80 true \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe https true \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe http true \iexplore.exe;\chrome.exe;\firefox.exe;\MicrosoftEdge;browser_broker.exe;\vivaldi.exe;\brave.exe;\opera.exe 443 true afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com udp System;svchost.exe;oracle.exe;apache.exe;java.exe;php-cgi.exe;w3wp.exe;httpd;ServerManager.exe;unknown process;sql;wscript;cscript;schtasks;at.exe;reg.exe;C:\Windows\System32\find.exe 127.0.0.1;0:0:0:0:0:0:0:1 127.0.0.1;0:0:0:0:0:0:0:1 C:\Windows\System32\lsass.exe 88 epmap llmnr microsoft-ds netbios-dgm ntp ssdp epmap llmnr microsoft-ds netbios-dgm ntp ssdp 53 67 68 1434 1812 3544 3702 5228 5353 5357 5989 6007 49154 49209 52176 59241 53 67 68 1812 3702 6007 49154 49209 50646 52176 59241 .bing.com .cloudapp.net .lync.com .microsoft.com .outlook.com .search.msn.com .wns.windows.com aps.windows.com arc.msn.com.nsatc.net arc.msn.com atson.telemetry.microsoft.com au.download.windowsupdate.com b.akamaiedge.net bingforbusiness.com client-office365-tas.msedge.net config.edge.skype.com csp.digicert.com ctldl.windowsupdate.com cy2.licensing.md.mp.microsoft.com.akadns.net cy2.settings.data.microsoft.com.akadns.net displaycatalog.mp.microsoft.com download.windowsupdate.com e-msedge.net e3.delivery.dsp.mp.microsoft.com.nsatc.net emdl.ws.microsoft.com ettings-win.data.microsoft.com fe2.update.microsoft.com fe3.delivery.dsp.mp.microsoft.com.nsatc.net fe3.delivery.mp.microsoft.com g.akamaiedge.net g.live.com g.msn.com.nsatc.net geo-prod.do.dsp.mp.microsoft.com geo-prod.dodsp.mp.microsoft.com.nsatc.net ile-service.weather.microsoft.com ip5.afdorigin-prod-am02.afdogw.com ipv4.login.msa.akadns6.net licensing.mp.microsoft.com m3p.wns.notify.windows.com.akadns.net microsoft.com.akadns.net microsoft.com.nsatc.net microsoft.com modern.watson.data.microsoft.com.akadns.net msedge.net msn.com.nsatc.net msn.com ocation-inference-westus.cloudapp.net ocos-office365-s2s.msedge.net ocsp.digicert.com odern.watson.data.microsoft.com.akadns.net oneclient.sfx.ms pv4.login.msa.akadns6.net query.prod.cms.rt.microsoft.com ris.api.iris.microsoft.com.akadns.net ris.api.iris.microsoft.com s-msedge.net settings.data.microsoft.com sfe.trafficshaping.dsp.mp.microsoft.com sls.update.microsoft.com storecatalogrevocation.storequality.microsoft.com storeedgefd.dsx.mp.microsoft.com telecommand.telemetry.microsoft.com.akadns.net tile-service.weather.microsoft.com tlu.dl.delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com vip5.afdorigin-prod-am02.afdogw.com vip5.afdorigin-prod-ch02.afdogw.com virtualearth.net windows.net windowsupdate.com y2.displaycatalog.md.mp.microsoft.com.akadns.net y2.licensing.md.mp.microsoft.com.akadns.net y2.settings.data.microsoft.com.akadns.net EdgeTransport.exe MSExchangeDelivery.exe MSExchangeFrontendTransport.exe MSExchangeHMWorker.exe MSExchangeSubmission.exe \ C:\Program Files (x86)\Kaspersky Lab C:\Program Files\Kaspersky Lab C:\Program Files (x86)\ESET C:\Program Files\ESET C:\Windows\ \System32\;Syswow64;sysmon.exe;sysmon64.exe C:\Windows\system32\ config\systemprofile\ C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe A:\;B:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;P:\;Q:\;R:\;S:\;T:\;U:\;V:\;W:\;X:\;Y:\;Z:\;AA:\;BB:\;CC:\;DD:\;EE:\;FF:\;GG:\;HH:\;II:\;JJ:\;KK:\;LL:\;MM:\;NN:\;OO:\;PP:\;QQ:\;RR:\;SS:\;TT:\;UU:\;VV:\;WW:\;XX:\;YY;ZZ:\ :\PROGRA~ :\Program Files :\Program Files :\Program Files :\ProgramData\ :\Users\ :\Windows\ :\inetpub\ :\$SysReset :\$WinREAgent :\inetpub\ \ C:\Users\ C:\ProgramData\ C:\ProgramData\sysmon\sysmon64.exe;C:\ProgramData\sysmon\sysmon.exe C:\Program Files;C:\PROGRA~ C:\inetpub\ $RECYCLE.BIN packetbeat.exe;metricbeat.exe;filebeat.exe;winlogbeat.exe;o365beat.exe;graylog-sidecar.exe;graylog-collector-sidecar.exe;splunkd.exe;splunk.exe;syslogng.exe;syslog-ng.exe;nxlog-processor.exe;snarecore.exe;fluentd;td-agent C:\Windows\system32\config\systemprofile\ C:\Windows\sysWOW64\config\systemprofile\ \Temp\ C:\Users\ Microsoft\Teams\current\Teams.exe \git.exe Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\ProgramData\Lenovo\ImController\ 56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5;c948ae14761095e4d76b55d9de86412258be7afd;c996d7971c49252c582171d9380360f2;ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1;10b30bdee43b3a2ec4aa63375577ade650269d25;d2fd132ab7bbc6bbb87a84f026fa0244 DumpExt.dll mimidrv lsremora wceaux.dll npcap \Temp :\Users ChongKim Chan ? Revoked Unavailable Valid false SHA1=2261198385d62d2117f50f631652eded0ecc71db SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd SHA1=21e6c104fe9731c874fab5c9560c929b2857b918 SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2 SHA1=2f991435a6f58e25c103a657d24ed892b99690b8 SHA1=f02af84393e9627ba808d4159841854a6601cf80 SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705 SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124 SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2 SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc SHA1=72966ca845759d239d09da0de7eebe3abe86fee3 SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7 SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741 SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95 SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86 SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65 SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13 SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb SHA1=468e2e5505a3d924b14fedee4ddf240d09393776 SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8 SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123 SHA1=623cd2abef6c92255f79cbbd3309cb59176771da SHA1=1f3a9265963b660392c4053329eb9436deeed339 SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb SHA1=c834c4931b074665d56ccab437dfcc326649d612 SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c SHA1=51b60eaa228458dee605430aae1bc26f3fc62325 SHA1=3270720a066492b046d7180ca6e60602c764cac7 SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131 SHA1=19bd488fe54b011f387e8c5d202a70019a204adf SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344 SHA1=205c69f078a563f54f4c0da2d02a25e284370251 SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6 SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7 SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843 SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417 SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181 SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526 SHA1=0307d76750dd98d707c699aee3b626643afb6936 SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946 SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0 SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0 SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0 SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2 SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57 SHA1=c948ae14761095e4d76b55d9de86412258be7afd SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad SHA1=745bad097052134548fe159f158c04be5616afc2 SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754 SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d SHA1=ac13941f436139b909d105ad55637e1308f49d9a SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1 SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809 SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387 SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1 SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3 SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0 SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1 SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4 SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9 SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312 SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643 SHA1=27eab595ec403580236e04101172247c4f5d5426 SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8 SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef SHA1=9c256edd10823ca76c0443a330e523027b70522d SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0 SHA1=054a50293c7b4eea064c91ef59cf120d8100f237 SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2 SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e SHA1=14bf0eaa90e012169745b3e30c281a327751e316 SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79 SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08 SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614 SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a SHA1=879fcc6795cebe67718388228e715c470de87dca SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67 SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03 SHA1=a7bd05de737f8ea57857f1e0845a25677df01872 SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3 SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc SHA1=d62fa51e520022483bdc5847141658de689c0c29 SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9 SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646 SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60 SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430 SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b SHA1=0b8b83f245d94107cb802a285e6529161d9a834d SHA1=c969f1f73922fd95db1992a5b552fbc488366a40 SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451 SHA1=da9cea92f996f938f699902482ac5313d5e8b28e SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53 SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260 SHA1=f052dc35b74a1a6246842fbb35eb481577537826 SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15 SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2 SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939 SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1 SHA1=7fb52290883a6b69a96d480f2867643396727e83 SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab SHA1=693a2645c28fc3b248fda95179c36c3ac64f6fc2 SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299 SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c SHA1=fe10018af723986db50701c8532df5ed98b17c39 SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347 SHA1=82ba5513c33e056c3f54152c8555abf555f3e745 SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4 SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436 SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891 SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748 SHA1=c771ea59f075170e952c393cfd6fc784b265027c SHA1=cb44c6f0ee51cb4c5836499bc61dd6c1fbdf8aa1 SHA1=0918277fcdc64a9dc51c04324377b3468fa1269b SHA1=b09bcc042d60d2f4c0d08284818ed198cededa04 SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89 SHA1=15df139494d2c40a645fb010908551185c27f3c5 SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75 SHA1=490109fa6739f114651f4199196c5121d1c6bdf2 SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5 SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de SHA1=3f223581409492172a1e875f130f3485b90fbe5f SHA1=5db61d00a001fd493591dc919f69b14713889fc5 SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370 SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676 SHA1=c6bd965300f07012d1b651a9b8776028c45b149a SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1 SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9 SHA1=dc55217b6043d819eadebd423ff07704ee103231 SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4 SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63 SHA1=c6d349823bbb1f5b44bae91357895dba653c5861 SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2 SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825 SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6 SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162 SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb SHA1=29a190727140f40cea9514a6420f5a195e36386b SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77 SHA1=7667b72471689151e176baeba4e1cd9cd006a09a SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5 SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8 SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403 SHA1=d702d88b12233be9413446c445f22fda4a92a1d9 SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1 SHA1=643383938d5e0d4fd30d302af3e9293a4798e392 SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07 SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816 SHA1=db6245578ec57bd767b27ecf8085095e1c8e5a6e SHA1=166759fd511613414d3213942fe2575b926a6226 SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4 SHA1=98ceed786f79288becc08c3b82c57e8d4bfa1bca SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8 SHA1=4de33d03fee52f396a1c788000ca868d56ac30de SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0 SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1 SHA1=943593e880b4d340f2548548e6e673ef6f61eed3 SHA1=5ac4d0e2381fc4a8aebe94a0fb6fe5e7558e4dcd SHA1=e44297a2b750ec1958bef265e2f1ae6fa4323b28 SHA1=aa2ea973bb248b18973e57339307cfb8d309f687 SHA1=3a5d176c50f97b71d139767ed795d178623f491d SHA1=25d812a5ece19ea375178ef9d60415841087726e SHA1=3795e32592ab6d8074b6f7ad33759c6a39b0df07 SHA1=fc121ed6fb37e97a004b6faf217435b772dfc4c0 SHA1=ab2b8602e4baef828b58b995d0889a8e5b8dbd02 SHA1=cf040040628b58f4a811f98c2690913c1e8e4e3c SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b SHA1=f3c5e723ae009b336cd2719137b8cd194c9ee51d SHA1=41f2d0f9863bce8920c207b1ef5d3d32b603edef SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001 SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c SHA1=9401389fba314d1810f83edce33c37e84a78e112 SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371 SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7 SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0 SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4 SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2 SHA1=38571f14fc014487194d1eecfa80561ee8644e09 SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2 SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8 SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba SHA1=4c18754dca481f107f0923fb8ef5e149d128525d SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f SHA1=cde32654a041fedc7b0fa1083f6005b950760062 SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332 SHA1=4f7a8e26a97980544be634b26899afbefb0a833c SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748 SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA SHA256=6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA SHA256=8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F SHA256=B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414 SHA256=7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D SHA256=7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA SHA256=42579A759F3F95F20A2C51D5AC2047A2662A2675B3FB9F46C1ED7F23393A0F00 SHA256=2DA330A2088409EFC351118445A824F11EDBE51CF3D653B298053785097FE40E SHA256=436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7 SHA256=B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602 SHA256=DDE6F28B3F7F2ABBEE59D4864435108791631E9CB4CDFB1F178E5AA9859956D8 SHA256=B48A309EE0960DA3CAAAAF1E794E8C409993AEB3A2B64809F36B97AAC8A1E62A SHA256=025E7BE9FCEFD6A83F4471BBA0C11F1C11BD5047047D26626DA24EE9A419CDC4 SHA256=2AA1B08F47FBB1E2BD2E4A492F5D616968E703E1359A921F62B38B8E4662F0C4 SHA256=ECE0A900EA089E730741499614C0917432246CEB5E11599EE3A1BB679E24FD2C SHA256=F40435488389B4FB3B945CA21A8325A51E1B5F80F045AB019748D0EC66056A8B SHA256=2A652DE6B680D5AD92376AD323021850DAB2C653ABF06EDF26120F7714B8E08A SHA256=950A4C0C772021CEE26011A92194F0E58D61588F77F2873AA0599DFF52A160C9 SHA256=0AAFA9F47ACF69D46C9542985994FF5321F00842A28DF2396D4A3076776A83CB SHA256=47F08F7D30D824A8F4BB8A98916401A37C0FD8502DB308ABA91FE3112B892DCC SHA256=B9A4E40A5D80FEDD1037EAED958F9F9EFED41EB01ADA73D51B5DCD86E27E0CBF SHA256=5C04C274A708C9A7D993E33BE3EA9E6119DC29527A767410DBAF93996F87369A SHA256=0040153302B88BEE27EB4F1ECA6855039E1A057370F5E8C615724FA5215BADA3 SHA256=3326E2D32BBABD69FEB6024809AFC56C7E39241EBE70A53728C77E80995422A5 SHA256=36B9E31240AB0341873C7092B63E2E0F2CAB2962EBF9B25271C3A1216B7669EB SHA256=29E0062A017A93B2F2F5207A608A96DF4D554C5DE976BD0276C2590A03BD3E94 SHA256=45ABDBCD4C0916B7D9FAAF1CD08543A3A5178871074628E0126A6EDA890D26E0 SHA256=50DB5480D0392A7DD6AB5DF98389DC24D1ED1E9C98C9C35964B19DABCD6DC67F SHA256=607DC4C75AC7AEF82AE0616A453866B3B358C6CF5C8F9D29E4D37F844306B97C SHA256=61D6E40601FA368800980801A662A5B3B36E3C23296E8AE1C85726A56EF18CC8 SHA256=74A846C61ADC53692D3040AFF4C1916F32987AD72B07FE226E9E7DBEFF1036C4 SHA256=76FB4DEAEE57EF30E56C382C92ABFFE2CF616D08DBECB3368C8EE6B02E59F303 SHA256=81939E5C12BD627FF268E9887D6FB57E95E6049F28921F3437898757E7F21469 SHA256=9790A7B9D624B2B18768BB655DDA4A05A9929633CEF0B1521E79E40D7DE0A05B SHA256=9A1D66036B0868BBB1B2823209FEDEA61A301D5DD245F8E7D390BD31E52D663E SHA256=AA9AB1195DC866270E984F1BED5E1358D6EF24C515DFDB6C2A92D1E1B94BF608 SHA256=AF095DE15A16255CA1B2C27DAD365DFF9AC32D2A75E8E288F5A1307680781685 SHA256=D5586DC1E61796A9AE5E5D1CED397874753056C3DF2EB963A8916287E1929A71 SHA256=D8459F7D707C635E2C04D6D6D47B63F73BA3F6629702C7A6E0DF0462F6478AE2 SHA256=E81230217988F3E7EC6F89A06D231EC66039BDBA340FD8EBB2BBB586506E3293 SHA256=F88EBB633406A086D9CCA6BC8B66A4EA940C5476529F9033A9E0463512A23A57 SHA256=1C8DFA14888BB58848B4792FB1D8A921976A9463BE8334CFF45CC96F1276049A SHA256=22418016E980E0A4A2D01CA210A17059916A4208352C1018B0079CCB19AAF86A SHA256=405472A8F9400A54BB29D03B436CCD58CFD6442FE686F6D2ED4F63F002854659 SHA256=49F75746EEBE14E5DB11706B3E58ACCC62D4034D2F1C05C681ECEF5D1AD933BA SHA256=4A3D4DB86F580B1680D6454BAEE1C1A139E2DDE7D55E972BA7C92EC3F555DCE2 SHA256=4AB41816ABBF14D59E75B7FAD49E2CB1C1FEB27A3CB27402297A2A4793FF9DA7 SHA256=54841D9F89E195196E65AA881834804FE3678F1CF6B328CAB8703EDD15E3EC57 SHA256=5EE292B605CD3751A24E5949AAE615D472A3C72688632C3040DC311055B75A92 SHA256=76B86543CE05540048F954FED37BDDA66360C4A3DDB8328213D5AEF7A960C184 SHA256=7F190F6E5AB0EDAFD63391506C2360230AF4C2D56C45FC8996A168A1FC12D457 SHA256=845F1E228DE249FC1DDF8DC28C39D03E8AD328A6277B6502D3932E83B879A65A SHA256=84BF1D0BCDF175CFE8AEA2973E0373015793D43907410AE97E2071B2C4B8E2D4 SHA256=8EF0AD86500094E8FA3D9E7D53163AA6FEEF67C09575C169873C494ED66F057F SHA256=A56C2A2425EB3A4260CC7FC5C8D7BED7A3B4CD2AF256185F24471C668853AEE8 SHA256=AC3F613D457FC4D44FA27B2E0B1BAA62C09415705EFB5A40A4756DA39B3AC165 SHA256=B1334A71CC73B3D0C54F62D8011BEC330DFC355A239BF94A121F6E4C86A30A2E SHA256=B47BE212352D407D0EF7458A7161C66B47C2AEC8391DD101DF11E65728337A6A SHA256=B9B3878DDC5DFB237D38F8D25067267870AFD67D12A330397A8853209C4D889C SHA256=DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653 SHA256=E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028 SHA256=3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3 SHA256=DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5 SHA256=80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3 SHA256=BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955 SHA256=FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339 SHA256=3A5EC83FE670E5E23AEF3AFA0A7241053F5B6BE5E6CA01766D6B5F9177183C25 SHA256=61A1BDDDD3C512E681818DEBB5BEE94DB701768FC25E674FCAD46592A3259BD0 SHA256=07B6D69BAFCFD767F1B63A490A8843C3BB1F8E1BBEA56176109B5743C8F7D357 SHA256=21CCDD306B5183C00ECFD0475B3152E7D94B921E858E59B68A03E925D1715F21 SHA256=2D83CCB1AD9839C9F5B3F10B1F856177DF1594C66CBBC7661677D4B462EBF44D SHA256=F581DECC2888EF27EE1EA85EA23BBB5FB2FE6A554266FF5A1476ACD1D29D53AF SHA256=F8965FDCE668692C3785AFA3559159F9A18287BC0D53ABB21902895A8ECF221B SHA256=3D23BDBAF9905259D858DF5BF991EB23D2DC9F4ECDA7F9F77839691ACEF1B8C4 SHA256=DD4A1253D47DE14EF83F1BC8B40816A86CCF90D1E624C5ADF9203AE9D51D4097 SHA256=509628B6D16D2428031311D7BD2ADD8D5F5160E9ECC0CD909F1E82BBBB3234D6 SHA256=525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD SHA256=6DE84CAA2CA18673E01B91AF58220C60AECD5CCCF269725EC3C7F226B2167492 SHA256=09BEDBF7A41E0F8DABE4F41D331DB58373CE15B2E9204540873A1884F38BDDE1 SHA256=101402D4F5D1AE413DED499C78A5FCBBC7E3BAE9B000D64C1DD64E3C48C37558 SHA256=131D5490CEB9A5B2324D8E927FEA5BECFC633015661DE2F4C2F2375A3A3B64C6 SHA256=1DDFE4756F5DB9FB319D6C6DA9C41C588A729D9E7817190B027B38E9C076D219 SHA256=1E8B0C1966E566A523D652E00F7727D8B0663F1DFDCE3B9A09B9ADFAEF48D8EE SHA256=2BBE65CBEC3BB069E92233924F7EE1F95FFA16173FCEB932C34F68D862781250 SHA256=30706F110725199E338E9CC1C940D9A644D19A14F0EB8847712CBA4CACDA67AB SHA256=3124B0411B8077605DB2A9B7909D8240E0D554496600E2706E531C93C931E1B5 SHA256=38FA0C663C8689048726666F1C5E019FEAA9DA8278F1DF6FF62DA33961891D2A SHA256=39CFDE7D401EFCE4F550E0A9461F5FC4D71FA07235E1336E4F0B4882BD76550E SHA256=3D9E83B189FCF5C3541C62D1F54A0DA0A4E5B62C3243D2989AFC46644056C8E3 SHA256=3F2FDA9A7A9C57B7138687BBCE49A2E156D6095DDDABB3454EA09737E02C3FA5 SHA256=47F0CDAA2359A63AD1389EF4A635F1F6EEE1F63BDF6EF177F114BDCDADC2E005 SHA256=50D5EAA168C077CE5B7F15B3F2C43BD2B86B07B1E926C1B332F8CB13BD2E0793 SHA256=56A3C9AC137D862A85B4004F043D46542A1B61C6ACB438098A9640469E2D80E7 SHA256=591BD5E92DFA0117B3DAA29750E73E2DB25BAA717C31217539D30FFB1F7F3A52 SHA256=5D530E111400785D183057113D70623E17AF32931668AB7C7FC826F0FD4F91A3 SHA256=6F1FF29E2E710F6D064DC74E8E011331D807C32CC2A622CBE507FD4B4D43F8F4 SHA256=79E2D37632C417138970B4FEBA91B7E10C2EA251C5EFE3D1FC6FA0190F176B57 SHA256=85866E8C25D82C1EC91D7A8076C7D073CCCF421CF57D9C83D80D63943A4EDD94 SHA256=89B0017BC30CC026E32B758C66A1AF88BD54C6A78E11EC2908FF854E00AC46BE SHA256=9254F012009D55F555418FF85F7D93B184AB7CB0E37AECDFDAB62CFE94DEA96B SHA256=984A77E5424C6D099051441005F2938AE92B31B5AD8F6521C6B001932862ADD7 SHA256=98B734DDA78C16EBCAA4AFEB31007926542B63B2F163B2F733FA0D00DBB344D8 SHA256=99F4994A0E5BD1BF6E3F637D3225C69FF4CD620557E23637533E7F18D7D6CBA1 SHA256=9C10E2EC4F9EF591415F9A784B93DC9C9CDAFA7C69602C0DC860C5B62222E449 SHA256=A961F5939088238D76757669A9A81905E33F247C9C635B908DAAC146AE063499 SHA256=A9706E320179993DADE519A83061477ACE195DAA1B788662825484813001F526 SHA256=B7A20B5F15E1871B392782C46EBCC897929443D82073EE4DCB3874B6A5976B5D SHA256=CC586254E9E89E88334ADEE44E332166119307E79C2F18F6C2AB90CE8BA7FC9B SHA256=CD4A249C3EF65AF285D0F8F30A8A96E83688486AAB515836318A2559757A89BB SHA256=CF4B5FA853CE809F1924DF3A3AE3C4E191878C4EA5248D8785DC7E51807A512B SHA256=D0BD1AE72AEB5F3EABF1531A635F990E5EAAE7FDD560342F915F723766C80889 SHA256=D8B58F6A89A7618558E37AFC360CD772B6731E3BA367F8D58734ECEE2244A530 SHA256=D92EAB70BCECE4432258C9C9A914483A2267F6AB5CE2630048D3A99E8CB1B482 SHA256=E005E8D183E853A27AD3BB56F25489F369C11B0D47E3D4095AAD9291B3343BF1 SHA256=E68D453D333854787F8470C8BAEF3E0D082F26DF5AA19C0493898BCF3401E39A SHA256=E83908EBA2501A00EF9E74E7D1C8B4FF1279F1CD6051707FD51824F87E4378FA SHA256=EF86C4E5EE1DBC4F81CD864E8CD2F4A2A85EE4475B9A9AB698A4AE1CC71FBEB0 SHA256=F088B2BA27DACD5C28F8EE428F1350DCA4BC7C6606309C287C801B2E1DA1A53D SHA256=FD8669794C67B396C12FC5F08E9C004FDF851A82FAF302846878173E4FBECB03 SHA256=91314768DA140999E682D2A290D48B78BB25A35525EA12C1B1F9634D14602B2C SHA256=F0605DDA1DEF240DC7E14EFA73927D6C6D89988C01EA8647B671667B2B167008 SHA256=6CB51AE871FBD5D07C5AAD6FF8EEA43D34063089528603CA9CEB8B4F52F68DDC SHA256=DB2A9247177E8CDD50FE9433D066B86FFD2A84301AA6B2EB60F361CFFF077004 SHA256=7EC93F34EB323823EB199FBF8D06219086D517D0E8F4B9E348D7AFD41EC9FD5D SHA256=7049F3C939EFE76A5556C2A2C04386DB51DAF61D56B679F4868BB0983C996EBB SHA256=7877C1B0E7429453B750218CA491C2825DAE684AD9616642EFF7B41715C70ACA SHA256=159E7C5A12157AF92E0D14A0D3EA116F91C09E21A9831486E6DC592C93C10980 SHA256=3243AAB18E273A9B9C4280A57AECEF278E10BFFF19ABB260D7A7820E41739099 SHA256=7CFA5E10DFF8A99A5D544B011F676BC383991274C693E21E3AF40CF6982ADB8C SHA256=C9B49B52B493B53CD49C12C3FA9553E57C5394555B64E32D1208F5B96A5B8C6E SHA256=3EC5AD51E6879464DFBCCB9F4ED76C6325056A42548D5994BA869DA9C4C039A8 SHA256=47EAEBC920CCF99E09FC9924FEB6B19B8A28589F52783327067C9B09754B5E84 SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790 SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22 SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44 SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8 SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009 SHA256=39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df SHA256=7ed26a593524a2a92ffcfb075a42bb4fa4775ffbf83af98525244a4710886ead SHA256=aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16 SHA256=ff5f6048a3d6f6738b60e911e3876fcbdc9a02ec9862f909345c8a50fd4cc0a7 SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495 SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427 SHA256=952199C28332BC90CFD74530A77EE237967ED32B3C71322559C59F7A42187DC4 SHA256=9529EFB1837B1005E5E8F477773752078E0A46500C748BC30C9B5084D04082E6 SHA256=A7B000ABBCC344444A9B00CFADE7AA22AB92CE0CADEC196C30EB1851AE4FA062 SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50 SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6 SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65 SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347 SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9 SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219 SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8 SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813 SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073 SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890 SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0 SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200 SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2 SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173 SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6 SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8 SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508 SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3 SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52 SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129 SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993 SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35 SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33 SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29 SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838 SHA256=3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82 SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7 SHA256=b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038 SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89 SHA256=73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3 SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6 SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89 SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf SHA256=1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea SHA256=d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5 SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a SHA256=0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3 SHA256=0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003 SHA256=26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7 SHA256=42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498 SHA256=1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22 SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4 SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53 SHA256=3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de SHA256=fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330 SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46 SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347 SHA256=8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026 SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15 SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64 SHA256=3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59 SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6 SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9 SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351 SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5 SHA256=ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05 SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433 msdt.exe sdiageng.dll WINWORD.exe;EXCEL.EXE VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wshom.ocx wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll ntkrnlmp.exe \spool\drivers\x64\3\;\spool\drivers\W32X86\3\;\spool\drivers\IA64\3\ spoolsv.exe;printisolationhost.exe Valid Brother Industries;Canon;Sharp;Microsoft Corporation;DYMO;Euro Plus d.o.o;HP Inc;Hewlett-Packard C:\Windows\ \Users\Public\;\Desktop\;\Downloads\;\AppData\Local\Temp\;\PerfLogs\;$Recycle;\Fonts\ \Program Files EQNEDT32.EXE EQNEDT32.EXE ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll C:\Users;\Temp\;\ProgramData\ ACTIVEDS.DLL;Adsldpc.dll;Wldap32.dll;adsldp.dll \wscript.exe;\cscript.exe;\powershell.exe;\powershell_ise.exe;\rundll32.exe;\msbuild.exe;\csc.exe WINWORD.exe;EXCEL.EXE VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wshom.ocx wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll;fastprox.dll WINWORD.exe;EXCEL.EXE VBE7.DLL;VBE7INTL.DLL;VBEUI.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll WINWORD.exe;EXCEL.EXE VBEUI.DLL;VBE6.DLL;VBE6INTL.DLL;wbemdisp.dll;wbemcomn.dll;wbemprox.dll;wmiutils.dll;wbemsvc.dll WINWORD.exe;EXCEL.EXE taskschd.dll wscript.exe;cscript.exe taskschd.dll wmiprvse.exe taskschd.dll powershell.exe msi.dll powershell amsi.dll powershell amsi.dll logoncli.dll C:\Windows\System32\wbem\WmiPrvSE.exe WINWORD.exe;EXCEL.EXE clr.dll clr.dll;System.Management.ni.dll;Microsoft.Build.Utilities wscript.exe;cscript.exe msxml;wshom.ocx wscript.exe;cscript.exe winhttp.dll;mswsock.dll;IPHLPAPI.DLL installutil.exe CustomMarshalers.dll;CustomMarshalers.ni.dll;System.Management.ni.dll;WMINet_Utils.dll;mswsock.dll System.Management.Automation.ni.dll C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ System.Management.Automation.dll C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ Lenovo.Vantage.AddinHost;\Microsoft.Sara.exe;C:\Program Files\CONEXANT C:\Windows\System32\vaultcli.dll \svchost.exe;\GameBar.exe;C:\Program Files\WindowsApps;\Microsoft\Teams\current\Teams.exe \\ \Microsoft\Word\Startup\ .wll \Microsoft\Excel\Startup\ .xll \Microsoft\Addins\ .xla tor-lib.dll C:\Windows\System32\WinSCard.dll;C:\Windows\System32\cryptdll.dll;C:\Windows\System32\hid.dll;C:\Windows\System32\samlib.dll;C:\Windows\System32\vaultcli.dll rundll32.exe vaultcli.dll;wlanapi.dll combase.dll cryptdll.dll imm32.dll logoncli.dll netapi32.dll ntasn1.dll ntdsapi.dll samlib.dll shcore.dll srvcli.dll odbc32.dll;winhttp.dll;netapi32.dll;SHLWAPI.dll C:\Windows\Explorer.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\ C:\ProgramData\ .exe Adobe C:\ProgramData\Lenovo\ C:\ProgramData\Microsoft\Windows Defender\ C:\ProgramData\sysmon\sysmon64.exe C:\Users\Default\;C:\Users\Public\ .exe C:\Users\Default\;C:\Users\Public\ .dll 56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e C:\Windows\System32\svchost.exe false Revoked Expired jscript9.dll mshta.exe scrobj.dll crypt0.dll C:\Windows\System32\wlanapi.dll C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience C:\Windows\ImmersiveControlPanel\SystemSettings.exe C:\Windows\ImmersiveControlPanel\SystemSettings.exe C:\Windows\System32\AppHostRegistrationVerifier.exe C:\Windows\System32\CompatTelRunner.exe C:\Windows\System32\DeviceCensus.exe C:\Windows\System32\DriverStore\FileRepository\ C:\Windows\System32\LogonUI.exe C:\Windows\System32\MoNotificationUx.exe C:\Windows\System32\SystemSettingsBroker.exe C:\Windows\System32\dxgiadaptercache.exe C:\Windows\System32\netsh.exe C:\Windows\System32\wlanext.exe C:\Windows\UUS\amd64\MoUsoCoreWorker.exe C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_ C:\Windows\explorer.exe python C:\Windows\Microsoft.NET\assembly\GAC_MSIL false C:\Windows\Microsoft.NET\assembly\GAC_MSIL true \Microsoft Office\ \mscorlib.ni.dll \Microsoft Office\ \sppc.dll C:\Windows\System32\svchost.exe true C:\Program Files (x86)\Kaspersky Lab C:\Program Files\Kaspersky Lab C:\Program Files (x86)\ESET C:\Program Files\ESET C:\ProgramData\Microsoft\Windows Defender\ Fortinet Lenovo Sophos mscorsvw.exe C:\Program Files (x86)\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe C:\Program Files\Microsoft Office\root\Office15\officebackgroundtaskhandler.exe C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\System32\InstallAgentUserBroker.exe C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\System32\SettingSyncHost.exe C:\Windows\System32\backgroundTaskHost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\taskhostw.exe C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe HxTsr.exe SearchUI.exe C:\Program Files (x86)\Common Files\BIExcelFunctions1.1\32bit\Sage. C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Pfx. C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Adist64.dll C:\Program Files (x86)\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL C:\Program Files (x86)\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL C:\Program Files\Microsoft Office\Office15\Library\Analysis\ANALYS32.XLL C:\Program Files\Microsoft Office\Office16\Library\Analysis\ANALYS32.XLL C:\Windows\SysWOW64\sppc.dll Microsoft.Office.Interop.VisOcx.dll Microsoft.Office.Interop.Word.dll Microsoft.Vbe.Interop.dll OFFICE.DLL 0x001A0000 c:\windows\system32\lsass.exe msiexec.exe chrome.exe;firefox.exe;edge.exe;browser_broker.exe;iexplore.exe;opera.exe 0x001A0000 c:\windows\system32\lsass.exe c:\windows\system32\lsass.exe c:\windows\system32\rundll32.exe DbgUiRemoteBreakin nacl64.exe QueryProcessDebugInformationRemote nacl64.exe isdebuggerpresent nacl64.exe DebugActiveProcess nacl64.exe LoadLibrary C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe C:\Windows\ImmersiveControlPanel\SystemSettings.exe C:\Windows\System32\DriverStore\FileRepository\ C:\Windows\System32\igfxEM.exe C:\Windows\System32\igfxHK.exe Enterprise\Common7\IDE\devenv.exe C:\Program Files (x86)\ASUS\ROG Live Service\FileOperator.exe C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe CreateFileMapping;MapViewOfFile LdrLoadDll CryptAcquireContextA;CryptDecodeObjectEx;CryptImportPublicKeyInfo;CryptEncrypt;CryptGenKey;CryptDecrypt;CryptStringToBinary;CryptBinaryToString;CryptImportKey c:\windows\system32\csrss.exe CrtlRoutine 0B80 0C7C 0C88 c:\windows\system32\mstsc.exe C:\WINDOWS\SYSTEM32\ntdll.dll EtwEventWrite C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\system32\audiodg.exe C:\Windows\system32\services.exe C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\WmiPrvSE.exe C:\Windows\system32\wininit.exe C:\Windows\system32\winlogon.exe C:\Windows\System32\SHELL32.dll+9b5bd \LocalBridge.exe C:\Windows\System32\wshom.ocx+c8a0;C:\Windows\System32\wshom.ocx+c39d C:\Windows\SYSTEM32\framedynos.dll+2cb3e C:\Windows\system32\SgrmBroker.exe;C:\Windows\system32\SecurityHealthService.exe;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Windows\system32\services.exe;C:\Windows\system32\wininit.exe;C:\Windows\system32\sppsvc.exe;C:\Windows\System32\smss.exe;C:\Windows\system32\csrss.exe;C:\Windows\System32\svchost.exe C:\Windows\SYSTEM32\framedynos.dll+2b496 C:\Windows\SYSTEM32\dbgcore.DLL+6cfb C:\Windows\System32\KernelBase.dll+de67e ntdll.dll+a0044 clr.dll+6c23;clr.dll+6b38 C:\Windows\\SYSTEM32\ntdll.dll+;|C:\Windows\System32\KERNELBASE.dll+;|UNKNOWN( ) "UNKNOWN(;)|UNKNOWN( ) "UNKNOWN 0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF C:\Program Files;\Microsoft Office\Root\Office \Microsoft Shared\VBA C:\Program Files (x86)\Intuit\ C:\Windows\system32\lsass.exe 0x1FFFFF UNKNOWN WmiPerfClass.dll C:\Windows\sysWOW64\wbem\wmiprvse.exe;C:\Windows\system32\wbem\wmiprvse.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe;WmiPerfClass.dll;C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files\Adobe\Adobe Sync\CoreSync\customhook\CoreSyncCustomHook.exe;C:\Program Files (x86)\Common Files\Adobe C:\Windows\system32\lsass.exe C:\Windows\system32\wsmprovhost.exe C:\Windows\system32\lsass.exe 0x1FFFFF python27.dll;_ctypes.pyd;KERNELBASE.dll;ntdll.dll C:\Windows\system32\lsass.exe C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185 C:\Windows\system32\lsass.exe C:\WINDOWS\SYSTEM32\ntdll.dll+ ) |C:\WINDOWS\System32\KERNELBASE.dll+;|UNKNOWN( wow64.dll;)|C;Exchange.Diagnostics;Microsoft.Exchange C:\Program Files\Bitdefender\Endpoint Security\EPSecurityService.exe;c:\windows\system32\inetsrv\w3wp.exe;MSExchangeHMHost.exe;C:\Windows\sysWOW64\wbem\wmiprvse.exe C:\Windows\system32\winlogon.exe 0x1F3FFF C:\Windows\Microsoft.NET;UNKNOWN .exe C:\Windows\sysmon64.exe;C:\Windows\sysmon64.exe 0x1C00 C:\Windows\system32\lsass.exe 0x1F1FFF UNKNOWN C:\Windows\system32\lsass.exe 0x1010 UNKNOWN C:\Windows\system32\lsass.exe 0x143A UNKNOWN C:\Windows\system32\lsass.exe 0x1fffff dbghelp.dll;dbgcore.dll dbghelp.dll;dbgcore.dll C:\Windows\system32\lsass.exe C:\wfx32\ powershell.exe C:\Programdata\sysmon\sysmon64.exe;C:\Programdata\sysmon\sysmon.exe;C:\Windows\sysmon.exe;C:\Windows\sysmon64.exe;\dismhost.exe C:\WINDOWS\SYSTEM32\ntdll.dll+;|C:\WINDOWS\System32\KERNELBASE.dll+;|C:\ProgramData\Microsoft\Windows Defender\Platform\;\MPCLIENT.DLL;\MpOav.dll+;|C:\WINDOWS\SYSTEM32\amsi.dll getasynckeystate cmlua.dll System.Management.Automation C:\ProgramData\Microsoft\Windows Defender\platform\ ctiuser.dll C:\Program Files\Citrix\ConfigSync\ConfigSyncRun.exe C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetupUI.exe C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetupUI.exe C:\Program Files\Microsoft\Exchange Server\V16\bin\ExSetupUI.exe C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\ExchangeSetup\ExSetupUI.exe C:\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe C:\Windows\system32\HOSTNAME.EXE C:\Windows\system32\ROUTE.exe C:\Windows\system32\query.exe MsMpEng.exe C:\Windows\system32\lsass.exe comsvcs.dll VBE7.dll;VBEUI.DLL;VBE7INTL.DLL VBE6.dll;VBEUI.DLL;VBE6INTL.DLL Office verclsid.exe VBE7.dll;VBEUI.DLL;VBE7INTL.DLL |UNKNOWN( 0x1FFFFF C:\Program Files\Microsoft Office\Root\Office C:\Windows\System32\KERNELBASE.dll+76516 C:\Windows\System32\SHELL32.dll+ae3b9 C:\WINDOWS\system32\sihost.exe C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub UNKNOWN |UNKNOWN( C:\WINDOWS\SYSTEM32\ntdll.dll+ |C:\WINDOWS\System32\KERNELBASE.dll+ ) 0x1028;0x1fffff C:\Program Files\SmartGit\bin\;C:\Program Files (x86)\ASUS\Update\;C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe;C:\Program Files (x86)\Citrix\ICA Client\Receiver\UpdaterService.exe;C:\WINDOWS\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Program Files\SmartGit\git;\Intel\Driver and Support Assistant\DSAService.exe C:\Windows\Microsoft.NET\Framework\;\NGenTask.exe \Intel\Driver and Support Assistant\ C:\Windows\Microsoft.NET\Framework\;\ngen.exe winword.exe;excel.exe;powerpnt.exe :\Windows\Microsoft.NET\Framework64\v2.;UNKNOWN UNKNOWN 0x147a C:\Windows\Sysmon64.exe;C:\Windows\Sysmon.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files (x86)\ASUS\Update\AsusUpdate.exe C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe;C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe;C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 0x1400 0x0800 0x0810 0x0820 0x810 0x820 cscript.exe wscript.exe jjs.exe dump mimikatz CorperfmontExt.dll wmiprvse.exe lsass.exe lsass.exe winlogon.exe lsass.exe C:\Windows\system32\w32tm.exe;C:\Windows\System32\ping.exe;C:\Windows\System32\net.exe;C:\Windows\System32\net1.exe;C:\Windows\SYSTEM32\HOSTNAME.EXE;C:\Programdata\sysmon\sysmon.exe;C:\Programdata\sysmon\sysmon64.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\Program Files (x86)\BeAnywhere Support Express\;C:\Program Files (x86)\CheckPoint\;C:\Program Files (x86)\Common Files\Intuit\QuickBooks\;C:\Program Files (x86)\Fortinet\;C:\Program Files (x86)\Trend Micro\;C:\Program Files\Adobe\Adobe Creative Cloud Experience\;C:\Program Files\CheckPoint\;C:\Program Files\Fortinet\;C:\Program Files\Realtek;C:\Program Files\Trend Micro\;C:\ProgramData\Microsoft\Windows Defender\platform\;C:\Program Files (x86)\Lenovo\;snmpd.exe;taskmgr;:\Windows\System32\smss.exe;:\Windows\system32\wininit.exe;\Bin\FMS.exe; \EMET_GUI.exe;\EMET_Service.exe;\Google\Update\GoogleUpdate.exe;\RAAGTAPP.EXE;\controls\cef\ConnectWise.exe;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe;C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe;C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe;C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;C:\Program Files\Windows Defender\MsMpEng.exe;C:\WINDOWS\system32\WerFault.exe;C:\WINDOWS\system32\taskkill.exe;C:\Windows\SysWOW64\WerFault.exe;C:\Windows\System32\snmp.exe;C:\Windows\system32\msiexec.exe;C:\Windows\system32\spoolsv.exe;C:\Windows\system32\svchost.exe :\Windows\system32\sppsvc.exe :\Windows\system32\sdiagnhost.exe UNKNOWN(00007F C:\Windows\SYSTEM32\ntdll.dll C:\Windows\SYSTEM32\win32u.dll C:\Windows\SYSTEM32\wow64win.dll C:\Program Files (x86)\Kaspersky Lab C:\Program Files\Kaspersky Lab C:\Program Files (x86)\ESET C:\Program Files\ESET C:\ProgramData\Microsoft\Windows Defender\ \TEMP\nessus_ solarwinds.businesslayerhost .exe;.dll;.ps1;.mz;.jpg;.png C:\WINDOWS\SysWOW64\netsetupsvc.dll C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe .exe proj .targets .build .props .tasks .sln .cs .bat .btm .cmd .com .cmdline .bas .bin C:\Windows\SysWOW64\Wbem C:\Windows\System32\Wbem .ws .wsc .wsf .wsh .pif .hta IronPython .py .pyc .pyd .cdxml .ps1 .ps1xml .psc1 .psd1 .psm1 .pssc powershell.exe;powershell_ise.exe \Recent\CustomDestinations\ C:\Windows\SysWOW64\WindowsPowerShell C:\Windows\System32\WindowsPowerShell c:\Windows\System32\WindowsPowerShell\v1.0\profile c:\Windows\Syswow64\WindowsPowerShell\v1.0\profile \UsageLogs\powershell.exe.log PSReadLine\ConsoleHost_history.txt .vbs .oracle_jre_usage\ .js .jse .vb .vbe .vbsript Report.wer.tmp \WER\ C:\Windows\system32\wermgr.exe winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe .exe C:\Users winword.exe;excel.exe;powerpnt.exe;outlook.exe;msaccess.exe;mspub.exe;visio.exe;notepad.exe;wordpad.exe;eqnedt32.exe;wordview.exe .dll C:\Users !!!-WARNING-!!!.html;!!!-WARNING-!!!.txt;!!! HOW TO DECRYPT FILES !!!;!!!README!!!;!!!READ_TO_UNLOCK!!!.TXT;!!!_READ_ME_;!Recovery_;!Where_are_my_files!.html;!_HOW_TO_RESTORE_;!_RECOVERY_HELP_!.txt;!recover!;# DECRYPT MY FILES #.html;# DECRYPT MY FILES #.txt;# DECRYPT MY FILES #.vbs;# SATAN CRYPTOR #;+recover+;.8lock8;.31392E30362E32303136_;.ABCDEF;.CIop;.CR1;.CRAB;.CRYPTOSHIELD;.Cl0p;.Contact_Here_To_Recover_Your_Files.txt;.CryptoTorLocker2015!;.HERMES;.HakunaMatata;.How_To_Decrypt.txt;.How_To_Get_Back.txt;.KEYZ.KEYH0LES;.L0CKED;.LOL!;.MATRIX;.OMG!;.R.i.P;.RMCM1;.RSplited;.SUPERCRYPT;.SecureCrypted;.TheTrumpLocker;.VBRANSOM;.VforVendetta;.Where_my_files.txt;.XBTL;._AiraCropEncrypted!;.airacropencrypted!;.areyoulovemyrans;.berkshire;.bitpy;.bitx;.blocatto;.bomber;.braincrypt;.breakingbad;.breeding123;.cerber;.cifgksaffsfyghd;.country82000;.crypt;.crypted;.crypton;.cryptotorlocker;.decrypt2017;.deria;.dglnl;.disposed2017;.doomed;.encrypted.locked;.encrypted;.encryptedyourfiles;.enjey;.evillock;.filegofprencrp;.fileiscryptedhard;.firecrypt;.fuckyourdata;.gangbang;.gefickt;.googl;.happydayzz;.hceem;.helpdecrypt;.helpmeencedfiles;.hnumkhotep;.hydracrypt_ID;.iaufkakfhsaraf;.info.txt;.jimm;.kharma;.killedXXX;.lambda_l0cked;.letmetrydecfiles;.locked;.locker16;.loveransisgood;.lovewindows;.magic_software_syndicate;.mention9823;.moments2900;.myrandsext2017;.newlock;.no_more_ransom;.nochance;.noproblemwedecfiles;.notfoundrans;.ohwqg;.one-we_can-help_you;.oops;.osiris;.otherinformation;.paytounlock;.powerfulldecrypt;.powned;.pr0lock;.prolock;.prosperous666;.pwnd;.ransom;.readme2unlock;.righ;.roger;.ryk;.satan;.savethequeen;.sigaint.org;.skjdthghh;.skynet;.snatch;.stubbin;.supported2017;.suppose666;.theworldisyours;.txd0t;.warn_wallet;.weapologize;.weareyourfriends;.weencedufiles;.wowreadfordecryp;.wowwhereismyfiles;.wvtr0;.yourransom;.zzzzz ;.{CRYPTENDBLACKDC};-DECRYPT.txt;000-IF-YOU-WANT-DEC-FILES;000-No-PROBLEM-WE-DEC-FILES;000-PLEASE-READ-WE-HELP;001-READ-FOR-DECRYPT-FILES;1025-7152.exe;:\windows\update_collector.exe;=READ=THIS=PLEASE=;@cock.li;@countermail.com;@firemail.cc;@india.com;@mail.ru;@ukr.net;ASSISTANCE_IN_RECOVERY;ATTENTION!!!.txt;ATTENTION.url;Aescrypt.exe;AllFilesAreLocked;BTC_DECRYPT_FILES;BUYUNLOCKCODE.txt;BUYUNLOCKCODE;BitCryptorFileList.txt;C:\ProgramData\dtb.dat;C:\Programdata\WinMgr;C:\Programdata\clean.bat;C:\Programdata\run.bat;C:\Windows\svchost.exe;CEBER3;CHECK-IT-HELP-FILES;COME_RIPRISTINARE_I_FILE.;COMO_ABRIR_ARQUIVOS.txt;COMO_RESTAURAR_ARCHIVOS;Coin.Locker.txt;Comment débloquer mes fichiers.txt;Como descriptografar seus arquivos.txt;Corona-virus-Map;Corona.bat;Corona.sfx;CryptoRansomware;Crytp0l0cker;Cyber SpLiTTer Vbs.exe;Cyborg_DECRYPT;DALE_FILES.TXT;DECRYPT-FILES;DECRYPTION INSTRUCTIONS.;DECRYPTION_HOWTO.Notepad;DECRYPT_INFORMATION;DECRYPT_INSTRUCTION.HTML;DECRYPT_INSTRUCTION.URL;DECRYPT_INSTRUCTIONS.html;DECRYPT_INSTRUCTIONS;DECRYPT_ReadMe1.TXT;DECRYPT_Readme.TXT.ReadMe;DECRYPT_YOUR_FILES;DESIFROVANI_POKYNY.html;Decrypt All Files;DecryptAllFiles;DecryptFile;Decrypt_readme.txt;DesktopOsiris;ENTSCHLUSSELN_HINWEISE.html;EdgeLocker;FILESAREGONE.txt;FILES_BACK.txt;File Decrypt Help.html;GJENOPPRETTING_AV_FILER;GetYouFiles.txt;HAPPEN-ENCED-FILES;HELLOTHERE.TXT;HELP-ME-ENCED-FILES;HELPDECRYPT_YOUR_FILES.HTML;HELP_DECRYPT.HTML;HELP_DECRYPT.PNG;HELP_DECRYPT.URL;HELP_DECRYPT.lnk;HELP_ME_PLEASE.txt;HELP_RESTORE_FILES_;HELP_TO_SAVE_FILES.bmp;HELP_TO_SAVE_FILES;HELP_YOURFILES.HTML;HELP_YOUR_FILES.PNG;HELP_YOUR_FILES.html;HELP_YOUR_FILES;HOW-TO-DECRYPT-FILES.HTML;HOW-TO-RESTORE-FILES;HOW TO BACK YOUR FILES;HOW TO DECRYPT FILES.HTML;HOW TO DECRYPT FILES.txt;HOW TO RECOVER;HOWTO_RECOVER_FILES_;HOWTO_RESTORE_FILES;HOWTO_RESTORE_FILES_;HOW_DECRYPT.HTML;HOW_DECRYPT.TXT;HOW_DECRYPT.URL;HOW_OPEN_FILES;HOW_TO_DECRYPT.HTML;HOW_TO_DECRYPT_;HOW_TO_PAY_THE_RANSOM;HOW_TO_RESTORE_FILES.html;HOW_TO_RESTORE_FILES;HOW_TO_RESTORE_YOUR_DATA;HOW_TO_UNLOCK_FILES_README_;HWID Lock.exe;Hacked_Read_me_to_decrypt_files.html;Help Decrypt.html;How decrypt files.hta;How to decrypt LeChiffre files.html;How to decrypt your data.txt;HowDecrypt.gif;HowDecrypt.txt;How_to_decrypt_your_files.jpg;How_to_restore_files.hta;HowtoRestore_File;HowtoRestore_Files;Howto_RESTORE_FILES.html;Howto_Restore_FILES.TXT;IAMREADYTOPAY.TXT;IF-YOU-WANT-DEC-FILES;IF_WANT_FILES_BACK_PLS_READ.html;IHAVEYOURSECRET.KEY;IMPORTANT READ ME.txt;IMPORTANT.README;INSTALL_TOR.URL;INSTRUCCIONES;INSTRUCCIONES_DESCIFRADO.html;INSTRUCTION RESTORE FILE;INSTRUCTIONS_DE_DECRYPTAGE.html;INSTUCCIONES_DESCRIFRADO;ISTRUZIONI_DECRITTAZIONE.html;Important!.txt;Instructionaga.txt;KryptoLocker_README.txt;LEER_INMEDIATAMENTE;LET-ME-TRY-DEC-FILES;Locked-by-Mafia;MENSAGEM.txt;MERRY_I_LOVE_YOU_BRUCE.hta;No-PROBLEM-WE-DEC-FILES;OKSOWATHAPPENDTOYOURFILES.TXT;ONTSLEUTELINGS_INSTRUCTIES.html;OSIRIS-;PAYLOADBIN;PINGY@INDIA.COM;PLEASE-READ-WE-HELP.;PLEASE-READIT-IF_YOU-WANT.html;PLEASE-READIT-IF_YOU-WANT;PLEASE-README-AFFECTED-FILES;PLS-DEC-MY-FILES;PURELOCKER;Payment_Instructions.jpg;Please Read Me!!!;READ-FOR-DECCCC-FILESSS;READ-FOR-DECRYPT-FILES;READ-READ-READ;READ IF YOU WANT YOUR FILES BACK.html;READ ME FOR DECRYPT.txt;README HOW TO DECRYPT YOUR FILES.HTML;README!!!;README_DECRYPT_HYDRA_ID_;README_DECRYPT_HYRDA_ID_;README_DECRYPT_UMBRE_ID_;README_DONT_DELETE;README_HOW_TO_UNLOCK.HTML;README_HOW_TO_UNLOCK.TXT;README_RECOVER_FILES_;README_TO_RECURE_YOUR_FILES;READTHISNOW!!!.txt;READ_IT.txt;READ_ME_!.txt;READ_ME_TO_DECRYPT_YOU_INFORMA;READ_THIS_TO_DECRYPT.html;RECOVER-FILES;RECOVERY_FILE.;RECOVERY_FILES.TXT;RECOVER_MY_FILE;RESTORE_CORUPTED_FILES;RESTORE_FILES_;RETURN FILES.txt;RETURN YOUR FILES;RETURNFILES_.txt;RETURN_FILES.txt;RETURN_FILES_.txt;Rans0m_N0te_Read_ME;Read Me (How Decrypt) !!!!.txt;ReadDecryptFilesHere;Read_this_file.txt;Receipt.exe;RecoveryManual.html;Recovery_File_;Recovery_file_;Rooster865qq;SECRET.KEY;SECRETIDHERE.KEY;SHTODELATVAM.txt;SIFRE_COZME_TALIMATI.html;SORRY-FOR-FILES;Survey Locker.exe;TRY-READ-ME-TO-DEC;Temp\satan\satan;ThxForYurTyme;UNLOCK_FILES_INSTRUCTIONS.html;UNLOCK_FILES_INSTRUCTIONS.txt;UnblockFiles.vbs;VIP72.exe;Vape Launcher.exe;WANT_FILES_BACK;WE-MUST-DEC-FILES;WHERE-YOUR-FILES;WORMKILLER@INDIA.COM.XTBL;What happen to my files.txt;Whereisyourfiles;WindowsApplication1.exe;YOUGOTHACKED.TXT;YOUR_FILES.txt;YOUR_FILES.url;YOUR_FILES_ARE_DEAD;YOUR_FILES_ARE_ENCRYPTED.HTML;YOUR_FILES_ARE_ENCRYPTED.TXT;YOUR_FILES_ARE_LOCKED.txt;Your files are locked !!!!.txt;Your files are locked !!!.txt;Your files are locked !!.txt;Your files are locked !.txt;Your files encrypted by our friends !!! txt;Your files encrypted by our friends !!!.txt;[KASISKI];_Adatok_visszaallitasahoz_utasitasok;_DECRYPT_ASSISTANCE_;_DECRYPT_INFO_;_DECRYPT_INFO_szesnl;_DEC_FILES.;_FILES_WERE_ENCRYPTED_@.TXT;_HELP_HELP_HELP_;_HELP_Recover_Files_;_HELP_instructions.bmp;_HELP_instructions.txt;_HOWDO_text.bmp;_HOWDO_text.html;_HOW_TO_Decrypt;_H_e_l_p_RECOVER_INSTRUCTIONS+;_H_e_l_p_RECOVER_INSTRUCTIONS;_Locky_recover;_Locky_recover_instructions.bmp;_Locky_recover_instructions.txt;_README.hta;_README.jpg;_READ_ME!;_RECOVER_INSTRUCTIONS;_ReCoVeRy_+;_USE_TO_FIX_;_WHAT_is.html;_help_instruct;_how_recover.txt;_how_recover;_how_recover_;_recover_;_secret_code.txt;_steaveiwalker@india.com_;aeroware;confirmation.key;contains(to_string($message.file_created), "howrecover+;crjoker.html;cryptinfo.txt;cryptolocker.;cryptopp;de_crypt_readme.;de_crypt_readme.bmp;de_crypt_readme.html;de_crypt_readme.txt;decipher_ne;decrypt-instruct;decrypt explanations.;decrypt my file;decrypt your file;decrypt_Globe;decrypt_instruct;decrypted_files.dat;decryptional;decryptmyfiles;decypt_your_files.html;default32643264.bmp;default432643264.jpg;email-salazar_slytherin10;enc_files.txt;encryptor_raas_readme_liesmich;enigma.hta;enigma_encr.txt;exit.hhr.obleep;fattura_;file0locked;files_are_encrypted.;-filesencrypted;firemail.cc;firstransomware.exe;gmx.de;hacks.at.sigaint.org;help-file-decrypt.enc;help_decrypt;help_file_;help_instructions.;help_my_files;help_recover;help_recover_instructions;help_restore;help_restore_files;help_your_file;helpmeencedfiles;how to decrypt aes files.lnk;how to decrypt;how to get data.txt;how_decrypt.gif;how_recover;how_to_decrypt;how_to_recover;howrecover+ recoveryfile_;howrecover+;howto_recover_file;howto_restore;howtodecrypt;howtodecryptaesfiles.txt;inbox.ru;info@kraken.cc_worldcza@email.cz;install_tor;iran.ir;last_chance.txt;maestro@pizzacrypts.info;maxcrypt.bmp;only-we_can-help_you;openforyou@india.com;opensourcemail.org;padcrypt;paycrypt.bmp;popcorn_time.exe;powerfulldecrypt;protonmail.ch;qbmail.biz;randomname;readme_decrypt;readme_for_decrypt;readme_liesmich_encryptor_raas;recover_file;recover_file_;recover_instruction;recoverfile;recoverfile_;recovery+;recovery_file.txt;recovery_key.txt;recoveryfile;recover}-;restore_files.txt;restorefiles;restorefiles_;ryukreadme.html;tuta.io;tutanota.com;tutanota.de;unCrypte;vault.hta;vault.key;vault.txt;want your files back.;warning-!!;wie_zum_Wiederherstellen_von_Dateien.txt;wowreadfordecryp;wowwhereismyfiles;zXz.html;zycrypt.;zzzzzzzzzzzzzzzzzyyy C:\Users\;\Google\Chrome Beta\User Data\;\IndexedDB\ C:\Program Files\WindowsApps\Microsoft.YourPhone_;C:\Program Files\dotnet\shared\Microsoft.NETCore.App\;\Microsoft.NET\assembly\GAC_MSIL crackmapexec \Crypto.Cipher._AES.pyd \Crypto.Cipher._DES.pyd \Crypto.Hash._SHA256.pyd \Crypto.Random.OSRNG.winrandom.pyd \Crypto.Util.strxor.pyd \crackmapexec.exe.manifest \greenlet.pyd BootStrapDLL.dll C:\windows\temp\wininit.exe lazycat;powerkatz;mimikatz;mimidrv;mimilove;mimilib;mimikittenz;mimiauth;invoke-mimi rdpwrap.dll winspool.drv C:\Windows\System32\Wbem C:\Windows\SysWOW64\Wbem C:\WINDOWS\system32\wbem\scrcons.exe \Programs\Startup\ \Startup\ \Word\STARTUP\ \Microsoft\Templates\ \Excel\XLSTART\ .dotm .XLSB C:\Windows\Tasks\ RedirSuiteServiceProxy.aspx w3wp.exe .aspx w3wp.exe .asp w3wp.exe .ashx w3wp.exe .php w3wp.exe .aaa \wwwroot\aspnet_client\;\FrontEnd\HttpProxy\owa\auth .aspx;.php;.ashx w3wp.exe .ps1 w3wp.exe .bat w3wp.exe .dll w3wp.exe .vbs w3wp.exe .hta \wwwroot\ \wwwroot\aspnet_client\;jpg .asp \wwwroot\ .aspx \wwwroot\ \ecp\auth\ \oab\auth\ ClientAccess\Owa\ \owa\auth\ httpproxy\rpc\ ClientAccess\ecp\ \htdocs\ .SPL spoolsv.exe;printfilterpipelinesvc.exe;printisolationhost.exe;splwow64.exe;msiexec.exe;poqexec.exe spoolsv.exe .exe C\:\Windows\System32\spool\;C\:\Windows\Temp\;C\:\Users\ msiexec.exe \Microsoft\Edge\Application elevation_service.exe \LocalState\rootfs\ C:\PerfLogs\ C:\Temp\ C:\Users\Default\ C:\Users\Public\ C:\Windows\Temp\ \AppData\Temp\ $Recycle.Bin $Recycle.Bin C:\Windows\ \config\systemprofile\ C:\Windows\ \config\systemprofile\ .exe .7z.exe .doc.exe .doc.exe .docx.exe .ico.exe .iso.exe .lnk.exe .pdf.exe .ppt.exe .pptx.exe .rar.exe .rtf.exe .txt.exe .xls.exe .xlsx.exe .zip.exe ______.exe .chm proj .sln UMWorkerProcess.exe;UMService.exe . .log;.cfg;.txt;cleanup;.HealthCheck;\wp.active;.db .7z .7zip .arj .s7z .a .ace .ar .arc .bin .cab .pak .gz .img .iso .lzm .lzma Temp\Rar$ .rar RarSFX .sfx .sz .tar .tar.gz .tgz .xz .zip .ost .eml .msg .pst Г;И;К;П;д;и;к;л;л;н;н;о;ф;ե;թ;յ;ն;ն;ն;ն;տ;ւ;ք Teamviewer.exe rundll32.exe mstsc.exe cmd.exe ipy.exe WScript.exe cscript.exe mshta.exe python.exe wmic.exe C:\Users\Default\;C:\Users\Public\ .dll C:\Users\Default\;C:\Users\Public\ .exe HiddenService torrc \tor.exe tor-gencert rclone s3browser grabff.exe grabff.exe RESTORE_;_FILES.txt DECRYPT_;_FILES.txt \run.dat;\task.dat;\storage.dat AppData Symantec BlueJeans VBoxRT.dll;VboxC.dll Content.IE5;INetCache .exe;.zip;.ps1;.bat;.rar;.dll MSForms.exd .exe C:\windows\system32\ .exe C:\windows\ \system32\ .dll;.exe C:\windows\ C:\Users\ .dll;.exe C:\Users\ \Microsoft\Word\Startup\ .wll C:\windows\system32\CodeIntegrity\ \Microsoft\Excel\Startup\ .xll \Microsoft\Outlook\VbaProject.OTM \Microsoft\Addins\ .xla .vsto .bat C:\Windows\ C:\ProgramData\Lenovo\SystemUpdate\sessionSE\ .dll C:\Windows\ .sys C:\Windows\ .exe C:\Windows\ C:\Windows\System32\;C:\windows\syswow64\ .exe C:\Windows\System32\ .exe C:\Windows\SysWow64\ .theme \Packages\oice_ VirtualboxVM.exe notepad++.exe .lnk:Zone.Identifier \UsageLogs\cscript.exe.log \UsageLogs\mshta.exe.log \UsageLogs\msiexec.exe.log \UsageLogs\regsvr32.exe.log \UsageLogs\rundll32.exe.log \UsageLogs\svchost.exe.log \UsageLogs\wmic.exe.log \UsageLogs\wscript.exe.log \regsvr32.exe.log \UsageLogs\wsmprovhost.exe.log .lnk .url .sys .inf C:\Windows\SysWOW64\Drivers C:\Windows\System32\Drivers \Drivers\ .drv .xlam .xlsm .xla .xll .xls .xlsb .xlsx .xlt .xltm .xlw \Microsoft\Templates\ .eml .msg .pptm .potm .pptm .pptm .sldm \Microsoft\Office\Recent oleObject \Recent\CustomDestinations\ \Downloads\ \Content.Outlook\ .docb .wbk .ped .dot .dotx .doc .docm .docx .accdb .accde .accdr .accdt .mdb .mde .msc .mst .potx .ppam .ppsm .ppsx .ppt .pptm .pptx .pub .sldm .sldx .xls .xps .pem .crt .ca-bundle .cer .csr .der .p7b .p7r .p7s .pfx .sto .p12 .crl .sst .key .hlp ACLUI.DLL.UI ACLUI.DLL AFLogVw.exe AShld.exe AShldRes.DLL.asr AShldRes.DLL AhnI2.dll CamMute.exe CommFunc.dll CommFunc.jax DESqmWrapper.dll DESqmWrapper.wrapper FSPMAPI.dll.fsp FSPMAPI.dll Gadget.exe LoLTWLauncher.exe Mc.exe McUtil.dll.ping McUtil.dll.url McUtil.dll MpSvc.dll MsMpEng.exe NtUserEx.dat NtUserEx.dat NtUserEx.dll NtUserEx.dll NvSmart.exe NvSmartMax.dll NvSmartMax.dll NvSmartMaxapp.dll OInfo11.ISO OInfo11.ocx OInfoP11.exe OleView.exe OleView.exe POETWLauncher.exe RasTls.dll.config RasTls.dll.msc RasTls.dll RasTls.exe RunHelp.exe Sidebar.dll.doc Sidebar.dll Ushata.dll Ushata.exe Ushata.fox VeetlePlayer.exe boot.ldr chrome_frame_helper.dll.rom chrome_frame_helper.dll chrome_frame_helper.exe dvcemumanager.exe fsguidll.exe fslapi.dll.gui fslapi.dll fsstm.exe hccutils.dll.res hccutils.dll hha.dll.bak hha.dll hhc.exe hkcmd.exe iviewers.dll jli.dll libvlc.dll mPclient.dll mcf.ep mcf.exe mcupdui.exe mcut.exe mcutil.dll.bbc mcvsmap.exe msi.dll.dat msi.dll msseces.asm msseces.exe mtcReport.ktc rc.dll rc.exe rc.hlp sep_NE.exe sep_NE.slf tplcdclr.exe winmm.dll wts.chm credwiz.exe ssMUIDLL.dll aepic.dll ftllib.dll userenv.dll \Terminal Server Client\Cache\ C:\Windows\Prefetch \\tsclient C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\ \Temp\debug.bin Temp\7z C:\Windows\AppPatch\Custom .chm .cpl .mht \Chrome\User Data\Default\Extensions\ .crx .appref-ms .gadget .JSE .exe .scf Exchange Server\ClientAccess\Owa\ \Device\HarddiskVolumeShadowCopy .zip\ .FON .FOT C:\Windows\System32\GroupPolicy\Machine\Scripts C:\Windows\System32\GroupPolicy\User\Scripts .iqy .ico .isp .msc .manifest MEMORY.dmp .msi .cs .customDestinations-ms C:\Windows\Minidump .PAF .bmc .rdp .rtf .reg .SHS .slk .SCR .set .SettingContent-ms .SHD .SPL .scr HammerDrillStatus.dll Microsoft\Windows\WER\ .ICL .sdb .SCT .SHB Temp\Temp1_ \Microsoft\;CLR_v;\UsageLogs\ .ade .adp .application .appref-ms .asc .bmf .cer .dmp .gpg .htm .html .json .jsp .key .mof .ocx .p7b .p12 .pem .pfx .pgp .php .ppk .war .xml Software\Famatech\advanced_ip_scanner\State LastRangeUsed SetValue \Software\Microsoft\Terminal Server Client DefaultPrinter HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{745a17a0-74d3-11d0-b6fe-00a0c90f57da} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{e0cbf06c-cd8b-4647-bb8a-263b43f0f974 SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{eec5ad98-8080-425f-922a-dabf3de3f69a} SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{53D29EF7-377C-4D14-864B-EB3A85769359} SetValue Root\InventoryDevicePnp;prod_virtual_dvd-rom SetValue MountedDevices Mountpoints2 Active Setup\Installed Components HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\ LoggedOnUser LastLoggedOnUser LastLoggedOnProvider HKCR\ms-msdt\ HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck

DWORD (0x00000001)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost \print\ \AzureAttestService\CoInitializeSecurityParam C:\$WINDOWS.~BT\ \AccessVBOM C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe Security\VBAWarnings C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe Security\VBAWarnings C:\Windows\system32\svchost.exe;C:\WINDOWS\system32\mmc.exe;C:\Windows\system32\userinit.exe EXCEL.exe;WINWORD.exe {8BD21D32-EC42-11CE-9E0D-00AA006002F3};{5B9D8FC8-4A71-101B-97A6-00000B65C08B} HKCU\di HKCU\� HKLM\SOFTWARE\Microsoft\AMSI\Providers\ hklm\software\microsoft\windows script\settings\amsienable hkcu\software\microsoft\windows script\settings\amsienable Google\Chrome\Extensions update_url SetValue ForcePasswordReset HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal HKLM\SAM\SAM\DOMAINS\Account\Users\ Last Password Change HKLM\SAM\SAM\DOMAINS\Account\Users\ Account Expiration HKLM\SAM\SAM\DOMAINS\Account\Users\ Last Failed Logon HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\ HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\ SOFTWARE\Microsoft\Wow64\x86\ SetValue \CurrentVersion\Run\ Add_exclusions_here \Microsoft\System\Scripts \Windows\System\Scripts HKLM\SYSTEM\Setup\CmdLine \Start

DWORD (0x00000000)

\Start

DWORD (0x00000001)

\Start

DWORD (0x00000002)

\Start

DWORD (0x00000003)

\Start

DWORD (0x00000004)

\ImagePath \ServiceDll \ServiceManifest hkcu\software\microsoft\windows nt\currentversion\windows\run\ hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup hklm\software\microsoft\command processor\autorun hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup \Print\Monitors HKLM\SAM\SAM\DOMAINS\Account\Users\Names\ $ CreateKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\ $ CreateKey HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9} C:\WINDOWS\sysmon64.exe C:\WINDOWS\sysmon.exe C:\Programdata\sysmon\sysmon64.exe HKCR\ (Default) \shell\open\command\(Default)

URL:

HKCU\Software\Classes\ (Default) \shell\open\command\(Default)

URL:

HKCR\ \shell\open\command\(Default)

%1

HKCU\Software\Classes\ \shell\open\command\(Default)

%1

\shell\open\command\DelegateExecute HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Session Manager\KnownDlls Outlook\Addins Word\Addins Excel\Addins Powerpoint\Addins Software\Microsoft\VSTO\Security\Inclusion\ Software\Microsoft\VSTO\SolutionMetadata\ cmmgr32.exe HKLU\Software\Microsoft\Command Processor\AutoRun HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute HKLM\System\CurrentControlSet\Control\Session Manager\Execute HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug HKLM\Software\Microsoft\Command Processor\AutoRun HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup UserInitMprLogonScript HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages \InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)

C:\Users\Public\;$Recyclebin;\temp\;\Desktop\;\Downloads\;\Content.Outlook\;\Microsoft\Office\

C:\WINDOWS\SYSTEM32\UpdateDeploy.dll

\InprocServer32\(Default);\LocalServer32\(Default);\ScriptletURL\(Default)

C:\WINDOWS\SYSTEM32\UpdateDeploy.dll

\ProgID\(Default);\TreatAs\(Default) \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ Debugger;ReportingMode;MonitorProcess \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ GlobalFlag

DWORD (0x00000200)

\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ MonitorProcess \Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ ReportingMode

DWORD (0x00000001)

\Microsoft\Windows NT\CurrentVersion\SilentProcessExit CreateKey \Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{;}\EDGEMITMP_;.tmp\setup.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe C:\Program Files\Microsoft Office\root\integration\integrator.exe C:\Program Files\Google\Chrome Beta\Application\;\Installer\setup.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\;\OfficeClickToRun.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree SD Microsoft\Windows\UpdateOrchestrator HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Feature Updates Logon\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\SnapshotCleanupTask\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\SD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\SD Microsoft\Windows\UpdateOrchestrator HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree ID HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks Author HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks Path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks Date HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot SetValue \Environment\ HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

DWORD (0x00000000)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

DWORD (0x00000000)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

DWORD (0x00000000)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy \Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe exefile\shell\runas\command\isolatedCommand \Hidden SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\ $

DWORD (0x00000000)

HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters C:\WINDOWS\sysmon64.exe C:\WINDOWS\sysmon.exe C:\Programdata\sysmon\sysmon64.exe HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel MitigationOptions;MitigationAuditOptions HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options MitigationOptions;MitigationAuditOptions HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmcompute.exe\0\MitigationOptions HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmwp.exe\0\MitigationOptions msiexec.exe TiWorker.exe HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options MitigationOptions;MitigationAuditOptions C:\Program Files\Microsoft Office 15\root\integration\integrator.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acro DisableTaskMgr C:\WINDOWS\system32\svchost.exe C:\windows\SysWOW64\svchost.exe HKLM\SYSTEM\CurrentControlSet\ \Instances\;Altitude HKLM\System\CurrentControlSet\Services\CldFlt\Instances\CldFlt\Altitude SetValue \Security\Level

DWORD (0x00000001)

\Security\Level

DWORD (0x00000002)

\Security\Level

DWORD (0x00000003)

\Security\Level

DWORD (0x00000004)

\Outlook\Security \Security\Level \Word\Security \Excel\Security \Security\Level1Remove \HideSCAHealth HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\ \Enabled

DWORD (0x00000000)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\ \Enabled

DWORD (0x00000001)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\ \Enabled HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ \ChannelAccess

(A;;0x1;;;SY);(A;;0x5;;;BA);(A;;0x1;;;LA)

C:\Windows\servicing\TrustedInstaller.exe;\TiWorker.exe HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging \EnableScriptBlockLogging

DWORD (0x00000000)

HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging \EnableScriptBlockLogging DeleteKey;DeleteValue hklm\software\microsoft\windows\currentversion\policies\system\audit \ProcessCreationIncludeCmdLine_Enabled

DWORD (0x00000000)

hklm\software\microsoft\windows\currentversion\policies\system\audit \ProcessCreationIncludeCmdLine_Enabled DeleteKey;DeleteValue HKLM\System\CurrentControlSet\Services\Eventlog \CustomSD HKLM\System\CurrentControlSet\Services\Eventlog \MaxSize globallyopenports EnableFirewall HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List \Microsoft\.NETFramework\ETWEnabled

DWORD (0x00000000)

\Microsoft\.NETFramework\NGenAssemblyUsageLog SetValue \Environment\NGenAssemblyUsageLog SetValue \Environment\COMPlus_ETWEnabled \LastKey SymbolicLinkValue \Software\Microsoft\Windows\CurrentVersion\Explorer \AppData\;\ProgramData\;\Temp\;C:\users ‮ HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg \Software\Policies\Microsoft\SystemCertificates\;\SOFTWARE\Microsoft\EnterpriseCertificates\;HKLM\SOFTWARE\Microsoft\SystemCertificates\;HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\ CreateKey C:\WINDOWS\Sysmon64.exe C:\WINDOWS\Sysmon.exe C:\WINDOWS\system32\certsrv.exe C:\WINDOWS\system32\CompatTelRunner.exe C:\WINDOWS\system32\svchost.exe C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\taskhost.exe C:\windows\SysWOW64\svchost.exe C:\WINDOWS\System32\DriverStore\FileRepository\asus C:\ProgramData\Microsoft\Windows Defender\Platform\ C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe fDenyTSConnections Terminal Server\WinStations\RDP-Tcp RDP-tcp\PortNumber Control\Terminal Server\fSingleSessionPerUser � Й;ќ;Л;я;К HKLM\HARDWARE\ACPI\DSDT SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName SecurityPasswordAES OptionsPasswordAES SecurityPasswordExported PermanentPassword HKLM\SOFTWARE\GitForWindows HKLM\SAM\SAM\DOMAINS\Account\Users\Names\ DeleteKey HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus

DWORD (0x00000001)

HKLM\SYSTEM\CurrentControlSet\Control\BitlockerStatus\BootStatus

DWORD (0x00000000)

\Services\VSS\Diag\(Default) HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters \LastKey \WinStationsDisabled \TSServerDrainMode \TypedURLs HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\disabledcomponents HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Linkage\Bind

Binary Data

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards services\http\parameters\urlaclinf cRecentFiles\c1\ tDIText \File MRU\Item 1 HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHash HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunService HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce CurrentVersion\Windows\Load CurrentVersion\Windows\Run CurrentVersion\Winlogon\Shell CurrentVersion\Winlogon\System \Software\Microsoft\Windows NT\CurrentVersion\Windows\load \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce SOFTWARE\Microsoft\.NETFramework\ETWEnabled \Group Policy\Scripts Terminal Server\Wds\rdpwd\StartupPrograms Winlogon\AlternateShells\AvailableShells Policies\System\Shell Windows CE Services\AutoStartOnConnect Windows CE Services\AutoStartOnDisconnect PreferenceMACs\Default\extensions.settings CurrentVersion\URL \CurrentVersion\Font Drivers HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown CurrentVersion\Windows\IconServiceLib Active Setup\Installed Components NullSessionShares NullSessionPipes PasswordExpiryNotification SafeBoot\AlternateShell Desktop\Scrnsave.exe \DisplayVersion \ModifyPath \Microsoft\Windows\CurrentVersion\Uninstall\ \UninstallString Terminal Server\WinStations\RDP-Tcp\InitialProgram HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman \Explorer\FileExts\ \shell\install\command\ \ProfileImagePath \Classes\AllFilesystemObjects\ \Classes\*\ \Software\Microsoft\Ctf\LangBarAddin \ContextMenuHandlers\ \CurrentVersion\Shell HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers \Classes\Directory\ \Classes\Drive\ HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks \Classes\Folder\ \Hidden \HideFileExt \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components \SOFTWARE\Classes\Protocols\Filter \SOFTWARE\Classes\Protocols\Handler \SharedTaskScheduler \ShowSuperHidden \ColumnHandlers \CopyHookHandlers \ExtShellFolderViews \PropertySheetHandlers \ShellServiceObjectDelayLoad \ShellServiceObjects HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ \3\1809 \3\2500 \3\1206 \DisableSecuritySettingsCheck HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries HKLM\SYSTEM\CurrentControlSet\Services\WinSock\ \ProxyServer SavedLegacySettings Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy EnableConsoleTracing EnableFileTracing HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ HKLM\SOFTWARE\Microsoft\Netsh HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\ HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ Office Test\ \Internet Explorer\Toolbar\ \Internet Explorer\Extensions\ \Browser Helper Objects\ {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ \UrlUpdateInfo \InstallSource HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ \Exclusions\Paths \Exclusions\Extensions \Exclusions\Processes TamperProtection HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ \Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff \Software\Policies\Microsoft\Windows\System\Scripts\Logoff \Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon \Software\Policies\Microsoft\Windows\System\Scripts\Logon HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup Domain DHCPDefaultGateway DhcpIPAddress DhcpNameserver Dhcpserver DhcpSubnetMask Nameserver \DefaultGateway PersistentRoutes }\Category HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles SubnetMask \Trusted Documents\TrustRecords Software\Microsoft\VBA\7.1\Common Software\Microsoft\VBA\7.1\Trusted \Security\DontTrustInstalledFiles \Security\Trusted Locations Security\ProtectedView\DisableInternetFilesInPV Security\ProtectedView\DisableAttachmentsInPV Security\ProtectedView\DisableUnsafeLocationsInPV Software\WinRAR\ArcHistory WinZip\mru\ Recent File List Outlook\WebView\Inbox Outlook\Today\UserDefinedUrl Outlook\WebView\Calendar \Place MRU \LinkDate \DriverVerVersion \DriverVersion \LowerCaseLongPath \Publisher Compatibility Assistant\Store\ \BinProductVersion Root\InventoryApplicationShortcut\ Root\InventoryDriverBinary Root\InventoryDriverPackage Root\InventoryDevicePnp Root\InventoryDeviceContainer Root\InventoryApplication\ ProgramID;Name;Version;Publisher;Language;InstallDate;Source;RootDirPath;HiddenArp;UninstallString;RegistryKeyPath;UserSID;sha256 Root\InventoryApplicationFile\ ProgramId;FileId;LowerCaseLongPath;Name;OriginalFileName;Publisher;Version;binfileversion;LinkDate;Size;Language;USN;IsPeFile;IsOsComponent;sha256;AppxPackageFullName Root\InventoryApplicationAppV\ Root\InventoryMiscellaneousOfficeAddIn;Root\InventoryMiscellaneousOfficeIdentifiers;Root\InventoryMiscellaneousOfficeIESettings;Root\InventoryMiscellaneousOfficeInsights;Root\InventoryMiscellaneousOfficeProducts;Root\InventoryMiscellaneousOfficeSettings;Root\InventoryMiscellaneousOfficeVBA;Root\InventoryMiscellaneousOfficeVBARuleViolations \Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume Drive Type

DWORD (0x00000011)

\Explorer\MountPoints2 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices HKLM\System\CurrentControlSet\services\ \DeleteFlag

DWORD (0x00000001)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000001)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000002)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000004)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000020)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000020)

HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000100)

HKLM\System\CurrentControlSet\services\ \Group HKLM\System\CurrentControlSet\services\ \DependOnService HKLM\System\CurrentControlSet\services\ \BinaryPathName HKLM\System\CurrentControlSet\services\ \RequiredPrivileges HKLM\System\CurrentControlSet\services\ \Owners HKLM\System\CurrentControlSet\services\ \ObjectName HKLM\System\CurrentControlSet\services\ \ServiceStartName HKLM\System\CurrentControlSet\services\ \ErrorControl HKLM\System\CurrentControlSet\services\ \DependOnGroup HKLM\System\CurrentControlSet\services\ \DisplayName HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder \List HKLM\System\CurrentControlSet\services\ \Type

DWORD (0x00000001)

\ConsentStore\bluetooth \ConsentStore\contacts \ConsentStore\hunmanInterfaceDevice \ConsentStore\location \ConsentStore\microphone \ConsentStore\usb\ \ConsentStore\webcam \ConsentStore\humanInterfaceDevice LastVisitedMRU SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust HKLM\SOFTWARE\Microsoft\Cryptography\OID HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll Classes\exefile\shell\runas\command\isolatedCommand \FriendlyName HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ \Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB HKLM\SOFTWARE\Microsoft\Tracing\ HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}

ndis;rndis

HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 \Software\AppDataLow\Software\Microsoft\

.exe;.dll;powershell;wmic

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel

DWORD (0x00000005)

Software\Microsoft\Office test\Special\Perf \CurrentControlSet\Services\NTDS\LsaDbExtPt \Services\NTDS\DirectoryServiceExtPt GoToMyPc\FileTransfer\history GoToMyPc\GuestInvite Filesharing DesktopSharing LogIncomingConnections LogOutgoingConnections PermanentPasswordDate Security_Adminrights vncviewer\MRU Autostart_GUI Meeting_UserName BuddyLoginName BuddyLoginTokenID Always_Online HKLM\SOFTWARE\Microsoft\CurrentVersion\Policies\System\EnableLinkedConnections Software\recfg \Keyboard Layout\Preload\ \Keyboard Layout\Substitutes\ HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\ HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\ HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ \Client\Enabled \Server\Enabled Kitty\Sessions HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic PuTTY\Sessions Terminal Server Client\Servers WinSCP 2\Sessions C:\Program Files (x86)\Kaspersky Lab C:\Program Files\Kaspersky Lab C:\Program Files (x86)\ESET C:\Program Files\ESET Content.IE5;INetCache .exe;.zip;.ps1;.bat;.rar;.vbs;.hta :Zone.Identifier blob:;about:internet 56ceb6d0011d87b6e4d7023d7ef85676;4f2eb62fa529c0283b28d05ddd311fae;b91ce2fa41029f6955bff20079468448;b91ce2fa41029f6955bff20079468448;846e27a652a5e1bfbd0ddd38a16dc865;2c4a910a1299cdae2a4e55988a2f102e SHA256=074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 SHA256=45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 SHA256=9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 SHA256=29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 SHA256=c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 SHA256=76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e Content.Outlook;Downloads;Recycle;\Users\;\ProgramData\;\Windows\;Temp\7z;Temp\;Startup;.vb;.vbe;.vbs;.application;.appref-ms;.bat;.cmd;.cmdline;.docm;.exe;.lnk;.eml;.dll;.sys;.hta;.pptm;.ps1;.sys;.reg;.docm;.xlsm;.xlam;.pptm;.potm;.pptm;.sldm;.scf;.appref-ms;.rdp;.vbs;.js;.pem;.crt;.ca-bundle;.cer;.csr;.der;.p7b;.p7r;.p7s;.pfx;.sto;.p12;.crl;.sst;.key;:bin;.mht;.manifest;.cpl;.scr;.inf IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE IMPHASH=19584675D94829987952432E018D5056 IMPHASH=330768a4f172e10acb6287b87289d83b IMPHASH=00000000000000000000000000000000 AppData\Local\Microsoft\Windows\AppCache\ \Microsoft\Windows\INetCache\ \Microsoft\Windows\Temporary Internet Files\Content.IE5 \Mozilla\Firefox\Profiles\ .default\prefs-1.js Microsoft\Windows\Start Menu\Programs\Startup msagent_;\MSSE-;postex;\status_ \atctl;\userpipe;\iehelper;\sdlrpc;\comnap \PSEXESVC -stdin -stdout RemCom_ stdin;stdout;stderr;communication \svcctl \ntsvcs ConnectPipe \lsadump;\cachedump;\wceservicepipe \9f81f59bc58452127884ce513865ed20 \46a676ab7f179e511e30dd2dc41bd388 tssmp_endpoint \NamePipe_MoreWindows \WCEServicePipe \ahexec \cachedumppipe \csexec \e710f28d59aa529d6792ca6ff0ca1b34 \isapi_dg \isapi_http \isapi_http \lsadump \lsassw \paexec \pcheap_reuse \gruntsvc \remcom \rpchlp_3 \sdlrpc \winsession \adschemerpc \AnonymousPipe \bc367 \bc31a7 \testPipe msf-pipe \atsvc \isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc \atctl;\userpipe;\iehelper;\sdlrpc;\comnap \DserNamedPipe;\mypipe-;\windows.update.manager;\ntsvcs_;scerpc_;\demoagent;\PGMessagePipe;\MsFTeWds;\f4c3;\fullduplex_;\msrpc_;\f53f;\rpc_;\spoolss_;\win_svc;\SearchTextHarvester;demoagent_ \wkssvc \spoolss \scerpc \ntsvcs \SearchTextHarvester \PGMessagePipe \MsFteWds ConnectPipe \MICROSOFT##WID\tsql\query \Winsock2\CatalogChangeListener- -0, \pipe\ CtxSharefilepipe0 \winreg Anonymous Pipe ConnectPipe lsass \SQLLocal\RTCLOCAL \spoolss C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\System32\LxRun.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\System32\smss.exe C:\Windows\System32\spoolsv.exe C:\Windows\System32\wininit.exe C:\Windows\system32\DFSRs.exe C:\Windows\SystemApps\Microsoft.Windows C:\Windows\Microsoft.NET\Framework ngen.exe C:\Windows\SystemApps\ShellExperienceHost_ ShellExperienceHost.exe C:\Windows\system32\SearchProtocolHost.exe \System ProtectedPrefix\LocalService\FTHPIPE Exchange Server C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE C:\Windows\syswow64\snmp.exe c:\windows\system32\inetsrv\w3wp.exe \M.E.C.Core.WinRMDataCommunicator.NamedPipe. C:\Windows\system32\dns.exe \sql\query C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe \TDLN- vmware- \InitShutdown \MsFteWds \W32TIME_ALT \WiFiNetworkManagerTask \Winsock2CatelogChangeListener \browser \epmapper \eventlog \scerpc \wkssvc \ntapvsrq Anonymous Pipe Created type: 16;type: 16 powershell.exe github powershell.exe powershell;cscript.exe;wscript.exe;mshta.exe;bitsadmin.exe;\cmd.exe . dropboxapi.com \Dropbox\Client\Dropbox.exe;\Dropbox\bin\Dropbox.exe;\Oracle\Java\ 1drv \AppData\Local\Microsoft\OneDrive\OneDrive.exe;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;\Internet Explorer\iexplore.exe;C:\Windows\System32\AppHostRegistrationVerifier.exe;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe;C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe;C:\Program Files\Mozilla Firefox\firefox.exe .box.com;upload mega.nz;mega.co.nz privatlab.com thedoccloud.com;deftsecurity.com;websitetheme.com;highdatabase.com;incomeupdate.com;zupertech.com;panhardware.com;databasegalore.com;avsvmcloud.com;freescanonline.com tiktok;parler.com;gab.com;mewe.com;4chan;8chan;facebook;fbcdn;twitter;instagram;snapchat efnet;undernet;freenode;ircnet;.rizon;quakenet;oftc.net;dalnet .slack.com;discord.;telegram.;rocketchat.;mattermost.;flock.com advanced-ip-scanner.com kali.download 0x1f4b0.com;1q2w3.life;1q2w3.website;31.187.64.216;185.193.38.148;aalbbh84.info;adfreetv.ch;adless.io;adplusplus.fr;adrenali.gq;ajcryptominer.com;ajplugins.com;allfontshere.press;altavista.ovh;amhixwqagiz.ru;appelamule.com;arizona-miner.tk;aster18cdn.nl;aster18prx.nl;avero.xyz;averoconnector.com;bauersagtnein.myeffect.net;bhzejltg.info;blazepool;blockmasters;blockmasterscoins;bmnr.pw;bmst.pw;bohemianpool;carry.myeffect.net;cashbeet.com;cdn-code.host;cfceu.duckdns.org;cfcnet.gdn;cfcnet.top;cfcs1.duckdns.org;chainblock.science;cieh.mx;coin-hive.com;coin-service.com;coin-services.info;coiner.site;coinpirate.cf;coinrail.io;coinwebmining.com;cpu2cash.link;cryptaloot.pro;cryptmonero;crypto-loot.com;crypto-pool;crypto-webminer.com;cryptoloot.pro;d-ns.ga;dataservices.download;directprimal.com;dwarfpool;encoding.ovh;eth-pocket.com;eth-pocket.de;eth-pocket.eu;ethereum-pocket.de;ethereum-pocket.eu;ethtrader.de;eu.nimpool.io;eu.sushipool.com;f1tbit.com;flnqmin.org;freecontent.bid;freecontent.date;freecontent.loan;freecontent.racing;freecontent.stream;freecontent.win;gnrdomimplementation.com;graftpool.ovh;greenindex.dynamic-dns.net;gustaver.ddns.net;hashrefinery;hashvault.pro;herphemiste.com;hide.ovh;hk.rs;hlpidkr.ru;hodlers.party;hodling.faith;hostingcloud.win;hrfziiddxa.ru;ihdvilappuxpgiv.ru;imhvlhaelvvbrq.ru;insdrbot.com;irrrymucwxjl.ru;istlandoll.com;ivuovhsn.ru;iwanttoearn.money;ixvenhgwukn.ru;jqassets.download;jqr-cdn.download;jqrcdn.download;jquerrycdn.download;jqwww.download;jqxrrygqnagn.ru;jscoinminer.com;jwduahujge.ru;ksimdw.ru;l33tsite.info;laferia.cr;ledhenone.com;ltstyov.ru;mepirtedic.com;mine.bz;minercircle.com;minercry.pt;minergate;minero.cc;miners.pro;minescripts.info;mininghub.club;miningpoolhubcoins;minr.pw;mixpools.org;mmc.center;mollnia.com;monerise.com;monero.lindon-pool.win;monero;moriaxmr.com;munero.me;mxcdn1.now.sh;mxcdn2.now.sh;myadstats.com;mypool.online;nablabee.com;nanopool.org;nathetsof.com;nicehash;nimiqpool.com;node.philpool.com;npcdn1.now.sh;nunu-001.now.sh;ogondkskyahxa.ru;ogrid.org;oinkinns.tk;olecintri.com;omine.org;onvid.club;open-hive-server-1.pp.ua;oxwwoeukjispema.ru;pcejuyhjucmkiny.ru;pool.nimiq.watch;pool.nimiqchain.info;pool.porkypool.com;pool.xmr;poolto.be;prohash.net;prohash;proj2018.xyz;pzoifaum.info;ratchetmining.com;realnetwrk.com;reauthenticator.com;rove.cl;ruvuryua.ru;s7ven.com;scaleway.ovh;sentemanactri.com;sickrage.ca/ch;sighash.info;slushpool;soodatmish.com;sparechange.io;statdynamic.com;stati.bid;staticsfs.host;streamplay.to;suprnova.cc;svivqrhrh.ru;sxcdn02.now.sh;sxcdn3.now.sh;sxcdn4.now.sh;sxcdn6.now.sh;synconnector.com;teracycle.net;tercabilis.info;thelifeisbinary.ddns.net;thersprens.com;torrent.pw;ulnawoyyzbljc.ru;unrummaged.com;uoldid.ru;usxmrpool;viaxmr.com;vpzccwpyilvoyg.ru;vzzexalcirfgrf.ru;wbmwss.beetv.net;webmine.cz;webmine.pro;webminepool.tk;webminerpool.com;webwidgetz.duckdns.org;wmemsnhgldd.ru;wmtech.website;wmwmwwfmkvucbln.ru;wrxgandsfcz.ru;xmrm.pw;xmrminingproxy.com;xmrpool;yiimp;yuyyio.com;zavzlen.ru;zergpool;zergpoolcoins;ziykrgc.ru;zlx.com.br;zpool;analytics.blue;estream.to graph.microsoft.com dl.dropboxusercontent.com api.onedrive.com zoom.us teamviewer Screenconnect census researchscan scanhub shadow shodan .download .kp .su .ss .xn .sy .ve .xxx .cn .click .club .ir .ru .host .icu .pw .website .ninja .rocks .top .ua .xyz kuternull.com;rimrun.com;0ffice36o;asushotfix;infestexe;rahasn.webhop.org;rahasn.akamake.net;rahasn.homewealth.biz;winodwsupdates;israirairlines githubusercontent.com;github.com api.ipify.org;whatismyipaddress.com;edns.ip-api.com;checkip.dyndns.org;icanhazip.com;ifconfig.me;ifconfig.co;ipaddress.com;ipecho.net;ident.me;api.ip.sb;www.myexternalip.com;ip.anysrc.net;wtfismyip.com;myexternalip.com;ipecho.net;checkip.amazonaws.com;goo.gl;git.io;bit.ly;ow.ly;ip-api.com tiny-share.com;paste.ee;pastebin.com afraid.org;duckdns.org;changeip.com;ddns.net;hopto.org;zapto.org;servehttp.com;sytes.net;whoer.net;bravica.net;ip.webmasterhome.cn;whatsmyip.us;myip.kz;ip-addr.es;curlmyip;anysrc.net;anysrc.net;dlinkddns.com;no-ip.com;no-ip.org;no-ip.biz;no-ip.info;noip.com darknet.to;hiddenservice.net;onion.cab;onion.city;onion.direct;onion.nu;onion.pet;onion.plus;onion.rip;onion.sh;onion.si;onion.to;onion.top;onion.ws;tor-gateways.de;tor2net.com;tor2web.blutmagie.de;tor2web.fi;tor2web.info;tor2web.io;tor2web.org adblock.mydns.network;ibksturm.synology.me;jcdns.fun;ibuki.cgnat.net;dns.twnic.tw;commons.host;doh.dnswarden.com;dns-nyc.aaflalo.me;dns.aaflalo.me;doh.appliedprivacy.net;doh.captnemo.in;doh.tiar.app;doh.tiarap.org;doh.defaultroutes.de;doh.dns.sb;dns.oszx.co;2.dnscrypt-cert.oszx.co;dnscrypt;edns.233py.com;hk-dns.233py.com;hk2dns.233py.com;hkdns.233py.com;hkdns.233py.com;ndns.233py.com;sdns.233py.com;wdns.233py.com;pastebin.com;dns.adguard.com;dns-family.adguard.com;security-filter-dns.cleanbrowsing.org;family-filter-dns.cleanbrowsing.org;adult-filter-dns.cleanbrowsing.org;cloudflare-dns.com;mozilla.cloudflare-dns.com;dns.233py.com;dns.aaflalo.me;dns.google;doh.opendns.com;dns.quad9.net;dns9.quad9.net;dns10.quad9.net;dns11.quad9.net;doh.xfinity.com;dns.nextdns.io;dns.dnsoverhttps.net;doh.crypto.sx;doh.powerdns.org;doh-ch.blahdns.com;doh-de.blahdns.com;dns.rubyfish.cn;dns.containerpi.com;doh-2.seby.io;doh.seby.io;rdns.faelix.net;doh.li;doh.armadillodns.net;doh.netweaver.uk;doh.42l.fr;dns.aa.net.uk gc._msdcs. _kerberos._tcp.dc._msdcs. _kerberos._udp.dc._msdcs. _ldap._tcp.pdc._msdcs. wpad _ldap. C:\Windows\ unknown process C:\ProgramData\Microsoft\Windows Defender\Platform\;\Windows Defender\MsMpEng.exe;C:\Windows\ System;svchost.exe;services.exe;unknown process;\;; C:\Program Files (x86)\Admin Arsenal\ C:\Program Files (x86)\CheckPoint\ C:\Program Files (x86)\Fortinet\ C:\Program Files (x86)\OpenDNS\OpenDNS Connector C:\Program Files (x86)\Razer\Razer Services\ C:\Program Files (x86)\Trend Micro\ C:\Program Files (x86)\VMware C:\Program Files (x86)\Veeam\ C:\Program Files\CheckPoint\ C:\Program Files\Trend Micro\ Slack.exe ConnectWise.exe git-remote-https.exe C:\Program Files (x86)\Enpass\Enpass.exe C:\Program Files (x86)\Fiserv\Vision\VisionGUI.NET.exe C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe C:\Program Files\VMware\vCenter Server\jre\bin\java.exe C:\Program Files\VMware\vCenter Server\python\python.exe C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\System32\dsregcmd.exe C:\Windows\sysmon64.exe C:\Windows\sysmon.exe brave-sync.s3.dualstack. .salesforceliveagent.com ads-serve.brave.com .msftncsi.com ..localmachine -pushp.svc.ms .b-msedge.net .bing.com .hotmail.com .live.com .live.net .microsoft.com .microsoftonline.com .microsoftstore.com .ms-acdc.office.com .msedge.net .msn.com .msocdn.com .s-microsoft.com .skype.com .skype.net .windows.com .windows.net.nsatc.net .windowsupdate.com .xboxlive.com login.windows.net .activedirectory.windowsazure.com .msauth.net .msftauth.net .opinsights.azure.com management.azure.com outlook.office365.com portal.azure.com .mozaws.net .mozilla.com .mozilla.net .mozilla.org .spotify.com .spotify.map.fastly.net googleapis.com clients1.google.com clients2.google.com clients3.google.com clients4.google.com clients5.google.com clients6.google.com cloudsearch.googleapis.com id.google.com safebrowsing.googleapis.com www.googleapis.com .akadns.net .netflix.com .typekit.net aspnetcdn.com ajax.googleapis.com cdnjs.cloudflare.com cdnjs.cloudflare.com fonts.googleapis.com .steamcontent.com .disqus.com .fontawesome.com disqus.com .1rx.io .2mdn.net .adadvisor.net .adap.tv .addthis.com .adform.net .adnxs.com .adroll.com .adrta.com .adsafeprotected.com .adsrvr.org .advertising.com .amazon-adsystem.com .amazon-adsystem.com .analytics.yahoo.com .aol.com .betrad.com .bidswitch.net .casalemedia.com .chartbeat.net .cnn.com .convertro.com .criteo.com .criteo.net .crwdcntrl.net .demdex.net .domdex.com .dotomi.com .doubleclick.net .doubleverify.com .emxdgt.com .exelator.com .google-analytics.com .googleadservices.com .googlesyndication.com .googletagmanager.com .googlevideo.com .gstatic.com .gvt1.com .gvt2.com .ib-ibi.com .jivox.com .mathtag.com .moatads.com .moatpixel.com .mookie1.com .myvisualiq.net .netmng.com .nexac.com .nexac.com .openx.net .optimizely.com .outbrain.com .pardot.com .phx.gbl .pinterest.com .pubmatic.com .quantcount.com .quantserve.com .revsci.net .rfihub.net .rlcdn.com .rubiconproject.com .scdn.co .scorecardresearch.com .serving-sys.com .sharethrough.com .simpli.fi .sitescout.com .smartadserver.com .snapads.com .spotxchange.com .taboola.com .taboola.map.fastly.net .tapad.com .tidaltv.com .trafficmanager.net .tremorhub.com .tribalfusion.com .turn.com .twimg.com .tynt.com .w55c.net .ytimg.com .zorosrv.com ads.yahoo.com 1rx.io adservice.google.com ampcid.google.com clientservices.googleapis.com d29x207vrinatv.cloudfront.net googleadapis.l.google.com imasdk.googleapis.com l.google.com ml314.com mtalk.google.com update.googleapis.com www.googletagservices.com .pscp.tv adsniper.ru cdnvideo.ru chat.minergate.com cwsa.minergate.com forum.minergate.com leadlab.click mc.yandex.ru pool.ntp.org vmg.host yandex.ru .adobe.com .autodesk.com .avast.com .avcdn.net .cdn.bitdefender.net .digicert.com .eset.com .globalsign.com .globalsign.net .intuit.com .java.com .macromedia.com .oracle.com .quickbooks.com .usertrust.com amazontrust.com ocsp.identrust.com pki.goog ads.playground.xyz citrixupdates.cloud.com forticlient.fortinet.net mft10.onbaseonline.com msocsp.com ocsp.comodoca.com ocsp.cybertrust.ne.jp ocsp.entrust.net ocsp.entrust.net ocsp.godaddy.com ocsp.int-x3.letsencrypt.org ocsp.intel.com ocsp.msocsp.com ocsp.quovadisglobal.com ocsp.quovadisoffshore.com ocsp.sectigo.com ocsp.starfieldtech.com ocsp.thawte.com ocsp.trustwave.com ocsp.verisign.com pki-goog.l.google.com pki.intel.com scrootca1.ocsp.secomtrust.net scrootca2.ocsp.secomtrust.net stats.anchor.host status.rapidssl.com status.thawte.com ts-ocsp.ws.symantec.com upgrade.bitdefender.com .;>;unknown;anonymous C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Symantec\ C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Symantec\ \BHO\ie_to_edge_stub.exe;\Microsoft\Teams\;\Vivaldi\Application\;Google\Chrome\;Google\Update;BraveSoftware\Brave-Browser\;Edge\Application\;EdgeUpdate\Install\;Program Files\SmartGit\ \appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe NETWORK SERVICE; LOCAL SERVICE