*
False
False
Sysmon
sethc.exe
utilman.exe
osk.exe
Magnify.exe
DisplaySwitch.exe
Narrator.exe
AtBroker.exe
\
sdbinst.exe
bitsadmin.exe
eventvwr.exe
c:\windows\system32\mmc.exe
fodhelper.exe
-Embedding
c:\windows\system32\mmc.exe
Set-MpPreference
-DisableRealTimeMonitoring $true;-DisableBehaviorMonitoring $true;-DisableBlockAtFirstSeen $true;-DisableIOAVProtection $true;-DisablePrivacyMode $true;-SignatureDisableUpdateOnStartupWithoutEngine $true;-DisableArchiveScanning $true;-DisableIntrusionPreventionSystem $true;-DisableScriptScanning $true
^
../../
C:\Windows\explorer.exe
C:\Windows\explorer.exe
fltMC.exe
unload;detach
fltMC.exe
misc::mflt
InstallUtil.exe
/logfile=;/LogToConsole=false;/U
werfault.exe
odbcconf.exe
csc.exe
-target:library
.cs
csc.exe
-out:
.cs
attrib.exe
sc.exe
dnscmd.exe
taskkill.exe
xcopy.exe
robocopy.exe
GfxDownloadWrapper.exe
update;--download
squirrel;--download
expand.exe
attrib.exe
sc.exe
PktMon.exe
esentutl.exe
/y;/vss/d
TTTracer.exe
sqldumper.exe
ntdsutil.exe
ifm
diskshadow.exe
rpcping.exe
\s;-s
-u;\u;-t;\t
NTLM;ncacn_np
rpcping.exe
expand
IEExec.exe
Print.Exe
curl.exe
ftp.exe
print.exe
:
regedit.exe
:
esentutl.exe
extrac32.exe
schtasks.exe;sctasks.exe
at.exe;At.exe
taskeng.exe
takeown.exe
forfiles.exe
icacls.exe;cacls.exe;xcacls.exe
runas.exe
runas
WSReset.exe
xwizard.exe
computerdefaults.exe
dism.exe
fodhelper.exe
computerdefaults.exe
dism.exe
fodhelper.exe
vssadmin.exe;wbadmin.exe
delete
bcdedit.exe
/set
vssadmin.exe
vssadmin;delete
wbadmin;delete
bcedit;set
wmic;delete
mofcomp.exe
C:\WINDOWS\system32\wbem\scrcons.exe
ScrCons
wmiprvse.exe
wmiprvse.exe
klist.exe
cmdkey.exe
net localgroup;net user;net group
dir C:\users;ls C:\users;dir C:\Users;ls C:\Users
djoin.exe
systeminfo.exe;sysinfo.exe
whoami.exe
quser.exe
nltest.exe;nltestk.exe
ipconfig.exe
nslookup.exe
tracert.exe
route.exe
nbtstat.exe;nbtinfo.exe
netsh.exe
netsh advfirewall
net.exe;net1.exe
ping.exe
dsquery.exe
net view;net group
tasklist.exe
qprocess.exe
query.exe
qwinsta.exe
rwinsta.exe
tree.com;findstr.exe;where.exe
ls;dir
netstat.exe
nltestrk.exe
/domain_trusts
nltest.exe
reg.exe;regedit.exe
wevtutil.exe
cl;clear-log
wevtutil.exe
fsutil.exe
reg.exe;regedit.exe
/i;.reg
reg.exe;regedit.exe
hklm;HKLM;hkey_local_machine
\system;\sam;\security
hh.exe
.exe
pcalua.exe
cscript.exe
wscript.exe
pcalua.exe
cscript.exe
wscript.exe
bash.exe
certutil.exe
winrs.exe
control.exe
desktopimgdownldr.exe
wsl.exe
pubprn
slmgr
manage-bde
CL_Invocation
CL_Mutexverifiers
winrm
cscript.exe
.js
hh.exe
hh.exe
installutil.exe
mshta.exe
mshta.exe
regsvr32.exe
rundll32.exe
InfDefaultInstall.EXE
extexport.exe
msconfig.EXE
msiexec.exe
odbcconf.exe
PresentationHost.exe
rasdlui.exe
RegisterCimProvider2.exe
RegisterCimProvider.exe
ScriptRunner.exe
verclsid.exe
wab.exe
wab.exe
wsreset.exe
xwizard RunWizard
Appvlp.exe
bginfo
bginfo
cbd
csi.exe
csi.exe
devtoolslauncher.exe LaunchForDeploy
devtoolslauncher.exe
runscripthelper.exe surfacecheck
Scriptrunner.exe -appvscript
Scriptrunner.exe
tttracer.exe
msdt.exe
rasautou.exe
Register-cimprovider.exe
diskshadow.exe
diskshadow.exe;/s
diskshadow.exe;-s
replace.exe
jjs.exe
appcmd.exe
ieexec.exe http
vbc.exe /target:exe
vbc.exe
dnx.exe
csc.exe
dfsvc.exe
msdeploy.exe -verb:sync -source:RunCommand
mftrace.exe
dxcap.exe
dxcap.exe;-c
dxcap.exe;/c
ilasm.exe
jsc.exe
vbc.exe
Microsoft.Workflow.Compiler.exe
vsjitdebugger.exe
vsjitdebugger
update.exe;--update
update.exe;--ProcessStart
tracker.exe
te.exe
rcsi.exe
squirrel.exe;--update
Microsoft.Workflow.Compiler.exe
rundll32.exe dfshim.dll,ShOpenVerbApplication http://
ilasm
jsc.exe
Mavinject.exe;mavinject64.exe
/INJECTRUNNING
CMSTP.exe
/ni;/s
MSBuild.exe
excel.exe
winword.exe
powerpnt.exe
outlook.exe
msaccess.exe
mspub.exe
regsvcs.exe;regasm.exe
cmd.exe
cmd.exe
powershell.exe
powershell_ise.exe
Sqlps.exe
pester
ATBroker.exe
start
FromBase64
gzip
decompress
http
replace
SyncAppvPublishingServer.exe
PsList.exe
PsService.exe
PsExec.exe
PsExec.c
PsGetSID.exe
PsKill.exe
PKill.exe
ProcDump
PsLoggedOn.exe
PsFile.exe
ShellRunas
PipeList.exe
AccessChk.exe
AccessEnum.exe
LogonSessions.exe
PsLogList.exe
PsInfo.exe
LoadOrd
PsPasswd.exe
ru.exe
Regsize
ProcDump
-ma lsass.exe
-accepteula -ma
vssadmin.exe
delete;shadow
vssadmin.exe
resize;shadowstorage
wmic.exe
delete;shadowcopy
wbadmin.exe
delete;catalog
bcdedit.exe
recoveryenabled;no
bcdedit.exe
bootstatuspolicy;ignoreallfailures
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
\Downloads\
\Desktop\
\Appdata\Local\
control;/name
rundll32.exe;shell32.dll;Control_RunDLL
MpCmdRun.exe
Add-MpPreference;RemoveDefinitions;DisableIOAVProtection
wsmprovhost.exe
winrshost.exe
winrm.cmd
wsl.exe
wsl.exe;-e
wsl.exe;/e
wsl.exe;-e
wsl.exe;/e
wsl.exe;-u root
wsl.exe;/u root
wsl.exe;--exec bash
wsl.exe;--exec bash
/dev/tcp
.exe
C:\Temp
C:\Windows\Temp
C:\Tmp
C:\Users
\Device\HarddiskVolumeShadowCopy
vnc.exe
vncviewer.exe
vncservice.exe
winexesvc.exe
bitsadmin.exe
4444
31337
6667
5555
5353
omniinet.exe
hpsmhd.exe
C:\Program Files\Microsoft\HybridConnectionManager
dllhost.exe
hh.exe
klist.exe
schtasks.exe
taskkill.exe
mshta.exe
regsvr32.exe
netsh.exe
xwizard.exe
esentutl.exe
reg.exe
runas.exe
net1.exe
wevtutil.exe
RpcPing.exe
ipconfig.exe
nbtstat.exe
nslookup.exe
net.exe
nslookup.exe
nltest.exe
quser.exe
netstat.exe
qprocess.exe
query.exe
qwinsta.exe
rwinsta.exe
tasklist.exe
expand.exe
extrac32.exe
IEExec.exe
Print.Exe
cscript.exe
desktopimgdownldr.exe
pcalua.exe
winrs.exe
wscript.exe
Msdt.exe
msiexec.exe
RegisterCimProvider.exe
ScriptRunner.exe
dfsvc.exe
dnscmd.exe
sc.exe
taskeng.exe
OpenConsole.exe
powershell.exe
WindowsTerminal.exe
cmd.exe
bash.exe
Mavinject.exe
at.exe
certutil.exe
cscript.exe
java.exe
mshta.exe
msiexec.exe
net.exe
notepad.exe
reg.exe
regsvr32.exe
rundll32.exe
sc.exe
wmic.exe
wscript.exe
driverquery.exe
dsquery.exe
AdFind.exe
hh.exe
infDefaultInstall.exe
javaw.exe
javaws.exe
mmc.exe
msbuild.exe
nbtstat.exe
nslookup.exe
qprocess.exe
qwinsta.exe
regsvcs.exe
rwinsta.exe
schtasks.exe
taskkill.exe
replace.exe
1080
3128
8080
22
23
25
88
C:\Windows\System32\lsass.exe
3389
5800
5900
5985
5986
9389
psexec.exe
psexesvc.exe
445;389;8492;636;3268;3269
C:\Windows\System32\lsass.exe
c:\Windows\System32\dsamain.exe
4
C:\Users
C:\ProgramData
C:\Windows\Temp
C:\Temp
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
\htdocs\
\wwwroot\
\AppData\Local\
\AppData\Local\Temp\
\AppData\Roaming\
\AppData\LocalLow\
C:\Windows\SysWOW64
SyncAppvPublishingServer.exe
tor.exe
1723
4500
9001
9030
5985
5986
AppData\Roaming\Dropbox\bin\Dropbox.exe
winlogbeat.exe
packetbeat.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
C:\Windows\System32\lsass.exe
88
OneDrive.exe
OneDriveStandaloneUpdater.exe
ownCloud\owncloud.exe
C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
udp
3389
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe
AppData\Roaming\Spotify\Spotify.exe
AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-ui.exe
AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
.windowsupdate.microsoft.com
.windowsupdate.com
wustat.windows.com
go.microsoft.com
.update.microsoft.com
download.microsoft.com
microsoft.com.akadns.net
microsoft.com.nsatc.net
C:\Users
C:\Temp
C:\Windows\Temp
amsi.dll
powershell.exe;powershell_ise.exe
bginfo.exe
System.ni.dll;System.Core.ni.dll
bitsproxy.dll
clr.dll
C:\Windows\Microsoft.NET\
clrjit.dll
C:\Windows\Microsoft.NET\
mscoreei.dll
C:\Windows\Microsoft.NET\
mscoree.dll
C:\Windows\Microsoft.NET\
mscoreeis.dll
C:\Windows\Microsoft.NET\
mscorlib.dll
C:\Windows\Microsoft.NET\
mscorlib.ni.dll
C:\Windows\Microsoft.NET\
mstask.dll
wshom.ocx
scrrun.dll
vbscript.dll
jscript.dll
mshta.exe
jscript9.dll
mshta.exe
.wll
.xll
C:\Program Files;\Microsoft Office\root\Office
combase.dll
C:\Program Files;\Microsoft Office\root\Office
coml2.dll
C:\Program Files;\Microsoft Office\root\Office
comsvcs.dll
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\assembly\
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\Microsoft.NET\assembly\GAC_MSIL
C:\Program Files;\Microsoft Office\root\Office
clr.dll
C:\Program Files;\Microsoft Office\root\Office
VBE7INTL.DLL
C:\Program Files;\Microsoft Office\root\Office
VBE7.DLL
C:\Program Files;\Microsoft Office\root\Office
VBEUI.DLL
C:\Program Files;\Microsoft Office\root\Office
OUTLVBA.DLL
VSTOInstaller.exe
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\SysWOW64\wbem\wbemdisp.dll
system.management.automation.ni.dll
system.management.automation.dll
Microsoft.PowerShell.Commands.Diagnostics.dll
Microsoft.PowerShell.Commands.Management.dll
Microsoft.PowerShell.Commands.Utility.dll
Microsoft.PowerShell.ConsoleHost.dll
Microsoft.PowerShell.Security.dll
C:\Windows\System32\spool\drivers\
regsvc.dll
rundll32.exe
comsvcs.dll
taskschd.dll
scrobj.dll
scrobj.dll
admin$;c$;\\;\appdata\;\temp\
c:\programdata\
C:\Windows\Media\
C:\Windows\addins\
C:\Windows\system32\config\systemprofile\
C:\Windows\Debug\
C:\Windows\Temp
C:\PerfLogs\
C:\Windows\Help\
C:\Intel\Logs\
C:\Temp
C:\Windows\repair\
C:\Windows\security\
C:\Windows\Fonts\
Downloads
Public
Documents
Music
Video
file:
$Recycle.bin\
\Windows\IME\
urlmon.dll
wmiutils.dll
C:\Windows\System32\cscript.exe
scrobj.dll
powershell.exe
mscoree.dll;mscoreei.dll;mscoreeis.dll;clr.dll;clrjit.dll
VSTOInstaller.exe
C:\Windows\
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileSyncTelemetryExtensions.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuthLib.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\OneDriveTelemetryStable.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\vcruntime140.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\UpdateRingSettings.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\LoggingPlatform.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\netapi32.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\msvcp110_win.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\dsreg.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\perfctrs.dll
C:\
\\
dbghelp.dll
dbgcore.dll
Desktop
C:\Windows\system32\csrss.exe
0x1F1FFF
C:\Windows\system32\wininit.exe
0x1F1FFF
C:\Windows\system32\winlogon.exe
0x1F1FFF
C:\Windows\system32\services.exe
0x1F1FFF
0x21410
C:\Windows\system32\lsass.exe
0x1FFFFF
C:\Windows\system32\lsass.exe
0x1F1FFF
C:\Windows\system32\lsass.exe
0x1010
C:\Windows\system32\lsass.exe
0x143A
lsass.exe
wsmprovhost.exe
C:\Program Files;\Microsoft Office\Root\Office
\Microsoft Shared\VBA
C:\Windows\SYSTEM32\ntdll.dll;C:\Windows\System32\kernelbase.dll;UNKNOWN
0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF;0x147A
0x0800
0x0810
0x0820
0x800
0x810
0x820
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
\AppData\
\AppData\Local\Microsoft\Teams\current\Teams.exe
System.Management.Automation.ni.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\win32u.dll
C:\Windows\SYSTEM32\wow64win.dll
C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe
C:\Program Files\Autodesk\Autodesk Desktop App
C:\Program Files (x86)\Autodesk\Autodesk Desktop App
C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
C:\Windows\system32\cscript.exe
C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
C:\Windows\CarbonBlack\cb.exe
software_reporter_tool.exe
software_reporter_tool.exe
0x1410
software_reporter_tool.exe
chrome.exe
0x1410
software_reporter_tool.exe
0x1410
C:\Program Files\Cisco\AMP\;sfc.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
c:\Program Files\Couchbase\Server\bin\sigar_port.exe
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe
C:\Program Files\Elastic\Agent\data\;\metricbeat.exe
C:\Program Files;\FireEye\xagt\xagt.exe
C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe
C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe
C:\Program Files\Ivanti\Workspace Control\cpushld.exe
C:\Program Files\RES Software\Workspace Manager\cpushld.exe
wmiprvse.exe
GoogleUpdate.exe
LTSVC.exe
taskmgr.exe
VBoxService.exe
vmtoolsd.exe
\Citrix\System32\wfshell.exe
C:\Windows\System32\lsm.exe
Microsoft.Identity.AadConnect.Health.AadSync.Host.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection
0x1000
0x1400
0x101400
0x101000
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
C:\Program Files\PowerToys\modules\KeyboardManager\KeyboardManagerEngine\PowerToys.KeyboardManagerEngine.exe
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe
C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe
C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
C:\Program Files\Qualys\QualysAgent\QualysAgent.exe
C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\Program Files\Splunk\bin\splunkd.exe
C:\Program Files\Microsoft VS Code\Code.exe
C:\Program Files\Microsoft VS Code\Code.exe
0x100000
C:\Program Files\Microsoft VS Code\Code.exe
C:\Program Files\Microsoft VS Code\Code.exe
0x1401
C:\Users\;\AppData\Local\Programs\Microsoft VS Code\Code.exe
C:\Users\;\AppData\Local\Programs\Microsoft VS Code\Code.exe
0x1401
C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\WinZip\FAHWindow64.exe
C:\Windows\AppPatch\Custom
.bat
.cmd
.chm
C:\Users\;\.azure\accesstokens.json
C:\Users\;\.aws\credentials
C:\Users\;\config\gcloud
C:\Users\;\.alibabacloud\credentials
C:\Users\;\.kube\config
C:\Users\;\.ssh\
\WINWORD.EXE
.cab;.inf
C:\Users\Default
Desktop
AppData\Local\Microsoft\CLR_v2.0\UsageLogs\
\UsageLogs\cscript.exe.log
\UsageLogs\wscript.exe.log
\UsageLogs\wmic.exe.log
\UsageLogs\mshta.exe.log
\UsageLogs\svchost.exe.log
\UsageLogs\regsvr32.exe.log
\UsageLogs\rundll32.exe.log
\Downloads\
C:\Windows\System32\Drivers
C:\Windows\SysWOW64\Drivers
.js
Appdata\Local\whatsapp\
Appdata\Local\whatsapp\
.js
Appdata\Local\Microsoft\Teams\
Appdata\Local\Microsoft\Teams\
.js
Appdata\Local\slack\
Appdata\Local\slack\
.js
Appdata\Local\discord\
Appdata\Local\discord\
.js
Appdata\Local\signal\
Appdata\Local\signal\
.exe
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
.hta
.iso
.img
.js
.javascript
.kirbi
.lnk
.scf
.application
.appref-ms
.*proj
.sln
.settingcontent-ms
.docm
.pptm
.xlsm
.xlm
.dotm
.xltm
.potm
.ppsm
.sldm
.xlam
.xla
.iqy
.slk
\Content.Outlook\
Roaming\Microsoft\Outlook\VbaProject.OTM
.rwz
Roaming\Microsoft\Outlook\Outlook.xml
.rft
.jsp
.jspx
.asp
.aspx
.php
.war
.ace
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
.ps1
.ps2
.py
.pyc
.pyw
.rdp
rundll32.exe
C:\Windows\System32\Tasks
C:\Windows\Tasks\
\Start Menu
\Startup
C:\Windows\SysWoW64
C:\Windows\System32
C:\Windows\
.sys
lsass
dmp;DMP
taskmgr.exe
.url
.vb
.vbe
.vbs
C:\Windows\System32\CodeIntegrity\CIPolicies\Active\
.cip
C:\Windows\System32\CodeIntegrity\
.p7b
C:\Windows\System32\Wbem
C:\Windows\SysWOW64\Wbem
C:\WINDOWS\system32\wbem\scrcons.exe
C:\Windows\Temp\
C:\Program\
C:\Temp\
C:\PerfLogs\
C:\Users\Public\
\AppData\Temp\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec
\CurrentVersion\Run
\Group Policy\Scripts
\Windows\System\Scripts
\Policies\Explorer\Run
\ServiceDll
\ImagePath
\Start
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Specialaccounts\userlist
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Uihostl
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SYSTEM\;Control\Session Manager\BootExecute
HKLM\SYSTEM\;Control\Session Manager\excludefromknowndlls
HKLM\SYSTEM\;Control\Session Manager\safedllsearchmode
HKLM\SYSTEM\;Control\Session Manager\setupexecute
\Explorer\FileExts
\shell\install\command
\shell\open\command
\shell\open\ddeexec
Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
software\microsoft\windows nt\currentversion\accessibility\ATs\;\StartExe
software\microsoft\windows nt\currentversion\windows\run\
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
software\microsoft\windows\currentversion\explorer\shell folders\common startup
software\microsoft\windows\currentversion\explorer\shell folders\startup
hklm\software\microsoft\command processor\autorun
\mscfile\shell\open\command
ms-settings\shell\open\command
Classes\exefile\shell\runas\command\isolatedCommand
Software\Classes\CLSID;inprocserver32
Software\Classes\CLSID;localserver32
Classes\CLSID\;TreatAs
System\CurrentControlSet\Services\VSS
\services\Netlogon\Parameters\DisablePasswordChange
HKLM\SOFTWARE\;Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\;Microsoft\Windows NT\CurrentVersion\Windows\loadappinit_dlls
\SYSTEM\;\Services\DNS\Parameters\ServerLevelPluginDll
SOFTWARE\Microsoft\.NETFramework\ETWEnabled
\Environment\
HKLM\SYSTEM\setup\cmdline
HKLM\SYSTEM\setup\upgrade
Software\microsoft\ctf\langbaraddin\;\Enable
Software\microsoft\ctf\langbaraddin\;\FilePath
Software\policies\microsoft\windows\control panel\desktop\scrnsave.exe
HKLM\Software\Classes\protocols\filter\
HKLM\Software\Classes\protocols\handler\
\SYSTEM\;\Service\EventLog;Retention
\SYSTEM\;\Service\EventLog;MaxSize
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\Internet Explorer\Toolbar
\Internet Explorer\Extensions
\Browser Helper Objects
\software\microsoft\internet explorer\desktop\components\Source
\software\microsoft\internet explorer\explorer bars\
\software\microsoft\internet explorer\Styles\MaxScriptStatements
\software\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout
\software\wow6432node\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout
\software\microsoft\internet explorer\urlsearchhooks\
HKLM\software\wow6432node\microsoft\internet explorer\urlsearchhooks\
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
hklm\system\mounteddevices\
hklm\system\;\enum\usb\
SOFTWARE\Microsoft\Netsh
\Microsoft\Office;\Outlook\Addins
\Software\Microsoft\VSTO\Security\Inclusion
\Software\Microsoft\VSTO\SolutionMetadata
Identities
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password
SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User
software\microsoft\office\;\outlook\security\
software\microsoft\office\;\outlook\today\
software\microsoft\office\;\outlook\webview\;\
software\microsoft\office\;\word\options\globaldotname
software\microsoft\office\;\common\internet\server cache\
software\;microsoft\office\;\addins\
software\;microsoft\office\;\Common\COM Compatibility
\Security\Trusted Documents\TrustRecords
\Security\Trusted Documents\
\UrlUpdateInfo
software\microsoft\windows\currentversion\explorer\recentdocs\.docx\
software\microsoft\windows\currentversion\explorer\recentdocs\.xlsx\
HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPath
HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPathEx
software\microsoft\Office test\special\perf\
software\microsoft\office\;\Options\OPEN
\Microsoft\Office;\PowerPoint\Addins
\Word\Security\AllowDDE
\Excel\Security\DisableDDEServerLaunch
\Excel\Security\DisableDDEServerLookup
\VBAWarnings
\DisableInternetFilesInPV
\DisableUnsafeLocationsInPV
\DisableAttachementsInPV
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RaunSolicit
HKLM\SYSTEM\CurrentControlSet\services\TermService\Parameters\ServiceDll
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Shadow
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks;Actions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload
\PsExec\EulaAccepted
\PsFile\EulaAccepted
\PsGetSID\EulaAccepted
\PsInfo\EulaAccepted
\PsKill\EulaAccepted
\PsList\EulaAccepted
\PsLoggedOn\EulaAccepted
\PsLogList\EulaAccepted
\PsPasswd\EulaAccepted
\PsService\EulaAccepted
\PsShutDown\EulaAccepted
\PsSuspend\EulaAccepted
SYSTEM\CurrentControlSet\services\SysmonDrv
SYSTEM\CurrentControlSet\services\Sysmon
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
HKLM\Software\Microsoft\WAB\DLLPath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Control.exe
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
software\classes\clsid\{083863f1-70de-11d0-bd40-00a0c911ce86}\instance
software\classes\clsid\{7ed96837-96f0-4812-b211-f13c24117ed3}\instance
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetooth
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\usb
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\humanInterfaceDevice
Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Plap Providers
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
\Control\SecurityProviders\WDigest
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\software\microsoft\microsoft antimalware\exclusions\
HKLM\software\microsoft\Windows Advanced Threat Protection\TelLib
HKLM\software\policies\microsoft\windows advanced threat protection\
HKLM\SYSTEM\CurrentControlSet\Services\Sense
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\MsMpSvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\NisSrv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc
DWORD (0x00000004)
hklm\software\microsoft\windows script\settings\amsienable
\software\microsoft\windows script\settings\amsienable
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications
HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications\list
HKLM\software\policies\microsoft\windowsfirewall\;\globallyopenports
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon
\FriendlyName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Windows\System32\svchost.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Windows\System32\svchost.exe
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
software\microsoft\powershell\;\shellids\microsoft.powershell\executionpolicy
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
\Microsoft\SystemCertificates\Root\Certificates
\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
\Classes\AllFilesystemObjects
\Classes\Directory
\Classes\Drive
\Classes\Folder
\ShellEx\ContextMenuHandlers
\CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObject
HKLM\SOFTWARE\Microsoft\Windows;\CurrentVersion\Print\Connections
HKLM\System;\control\print\monitors
\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUsername
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKU;Environment
HKLM;Environment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
\ProxyServer
SYSTEM\CurrentControlSet\Control\CrashControl
HKLM\SYSTEM\;Control\WMI\autologger\senseauditlogger
HKLM\SYSTEM\;Control\WMI\autologger\senseeventlog
HKLM\SYSTEM\;Control\WMI\EtwMaxLoggers
HKLM\SYSTEM\;Control\WMI\Security
Temp\7z
.bat
.cmd
Temp\debug.bin
.dll
.exe
.hta
:Zone.Identifier
blob:;about:internet
.lnk
Content.Outlook
.ps1
.ps2
.reg
Downloads
AppData
Temp
ProgramData
Users
.vb
.vbe
.vbs
\
CreatePipe
\atsvc
\msse-
-server
\msagent_
\postex_
\postex_ssh_
\status_
\gruntsvc
\svcctl
\msf-pipe
\PSHost
powershell.exe
\PSHost
powershell_ise.exe
\PSEXESVC
\srvsvc
\TSVCPIPE
\winreg
Created
.1rx.io
.2mdn.net
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.advertising.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
safebrowsing.googleapis.com
.akadns.net
.netflix.com
.aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
fonts.googleapis.com
.typekit.net
cdnjs.cloudflare.com
.stackassets.com
.steamcontent.com
.arpa.
.arpa
.msftncsi.com
.localmachine
localhost
C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe
.logitech.com
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.s-microsoft.com
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
outlook.office.com
statics.teams.cdn.office.net
acdc-direct.office.com
.fp.measure.office.com
office365.com
.activedirectory.windowsazure.com
.aria.microsoft.com
.msauth.net
.msftauth.net
.opinsights.azure.com
management.azure.com
outlook.office365.com
portal.azure.com
substrate.office.com
osi.office.net
.digicert.com
.globalsign.com
.globalsign.net
msocsp.com
ocsp.msocsp.com
pki.goog
.pki.goog
ocsp.godaddy.com
amazontrust.com
.amazontrust.com
ocsp.sectigo.com
pki-goog.l.google.com
.usertrust.com
ocsp.comodoca.com
ocsp.verisign.com
ocsp.entrust.net
ocsp.identrust.com
status.rapidssl.com
status.thawte.com
ocsp.int-x3.letsencrypt.org
subca.ocsp-certum.com
cscasha2.ocsp-certum.com
crl.verisign.com
C:\Program Files\SentinelOne\Sentinel Agent;\SentinelAgent.exe
.spotify.com
.spotify.map.fastly.net
C:\Windows\SystemApps\Microsoft.Windows.Search;SearchApp.exe
True
C:\Windows\system32\cleanmgr.exe
.mui
.doc
.dot
.docx
.docm
.doc
.dot
.docx
.docm
.dotx
.dotm
.docb
.xls
.xlt
.xlm
.xlsx
.xlsm
.xltx
.xltm
.xlsb
.ppt
.pptx
.pptm
.potx
.potm
.odt
.ods
.odp
.pdf
.rtf
.aspx
.bat
.ps1
.vbs
.vba
.hta
.jar
.js
.cmd
.sh
.sct
.lnk
.bin
.iso
.7z
.msi
.dmp
.reg
C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps
C:\Program Files\Microsoft SQL Server;\DataDumps
C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps
C:\Program Files\Qualys\QualysAgent
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Downloads\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Temp\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\
Downloads
Temp
AppData
ProgramData
Public
INetCache/Content.Outlook
\Downloads\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\SysWOW64
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
AppData
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportArchive
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\tracing
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Registration\CRMLog
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\spool\drivers\color
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\SysWOW64\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files\Git\cmd\git.exe
C:\Program Files\Git\mingw64\bin\git.exe
C:\Program Files\Git\mingw64\libexec\git-core\git.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
C:\Program Files (x86)\Microsoft\Edge\Application\
\BHO\ie_to_edge_stub.exe
C:\Program Files (x86)\Microsoft\Edge\Application\
\identity_helper.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
\MicrosoftEdge_X64_
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\XDelta64\xdelta3.exe
unknown process
C:\Program Files\Microsoft VS Code\Code.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps
C:\Program Files\Microsoft SQL Server;\DataDumps
C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps
C:\PS-Transcripts\;PowerShell_transcript
.txt
C:\Program Files\Qualys\QualysAgent
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Downloads\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Temp\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportArchive
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\tracing
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Registration\CRMLog
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\spool\drivers\color
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\SysWOW64\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
AcroRd32.exe
/CR;channel=
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"
"C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs"
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\program files (x86)\desktopcentral_agent\bin\
C:\program files\desktopcentral_server\bin\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Program Files\NVIDIA Corporation\
C:\Program Files\Realtek\
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe
C:\Program Files\RES Software\Workspace Manager\respesvc.exe
C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Splunk\bin\
C:\Program Files\Splunk\bin\splunkd.exe
C:\Program Files\Splunk\bin\splunk.exe
D:\Program Files\Splunk\bin\
D:\Program Files\Splunk\bin\splunkd.exe
D:\Program Files\Splunk\bin\splunk.exe
C:\Program Files\SplunkUniversalForwarder\bin\
C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
D:\Program Files\SplunkUniversalForwarder\bin\
D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\system32\svchost.exe -k appmodel
C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
C:\Windows\system32\svchost.exe -k camera -s FrameServer
C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k localService -s EventSystem
C:\Windows\system32\svchost.exe -k localService -s bthserv
C:\Windows\system32\svchost.exe -k localService -s nsi
C:\Windows\system32\svchost.exe -k localService -s w32Time
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
C:\Windows\system32\svchost.exe -k localServiceNoNetwork
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
C:\Windows\system32\svchost.exe -k netsvcs -s Themes
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
C:\Windows\system32\svchost.exe -k networkService -s Dnscache
C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
C:\Windows\system32\svchost.exe -k networkService -s TermService
C:\Windows\system32\svchost.exe -k networkService
C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k rPCSS
C:\Windows\system32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k unistackSvcGroup
C:\Windows\system32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k wbioSvcGroup
C:\Windows\system32\svchost.exe -k werSvcGroup
C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC
C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe
C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe
C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Windows Defender\
C:\Windows\system32\MpSigStub.exe
C:\Windows\SoftwareDistribution\Download\Install\AM_
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\MusNotification.exe
C:\Windows\System32\MusNotificationUx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\system32\sppsvc.exe
AppContainer
%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
C:\Windows\system32\SearchIndexer.exe
AppData\Local\Google\Chrome\Application\chrome.exe
Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe
\NVIDIA\NvBackend\ApplicationOntology\
OneDrive.exe
setup
slack.exe
AppData\Local\Microsoft\Teams\current\Teams.exe
Intel
Valid
Microsoft
Valid
C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\csrss.exe
Google\Chrome\Application\chrome.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
C:\Program Files\Elastic\Endpoint\state\last-document-id.json
C:\Program Files\Elastic\Agent\data\
C:\Program Files\Elastic\Agent\data\;.ndjson
C:\Windows\system32\igfxCUIService.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\Prefetch;.pf
C:\Windows\System32\smss.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\DriverStore\Temp\
C:\Windows\System32\wbem\Performance\
WRITABLE.TST
\AppData\Roaming\Microsoft\Windows\Recent\
C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
C:\WINDOWS\winsxs\amd64_microsoft-windows
c:\Program Files\Microsoft Security Client\MsMpEng.exe
Outlook.exe
Roaming\Microsoft\Outlook\Outlook.xml
c:\windows\system32\provtool.exe
C:\Windows\system32\wsmprovhost.exe
C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Temp;__PSScriptPolicyTest;.ps1
NT AUTHORITY\SYSTEM
C:\WINDOWS\CCM\CcmExec.exe
C:\Windows\CCM
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant
C:\Windows\System32\svchost.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
C:\Windows\System32\svchost.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\Cylance\Optics\CyOptics.exe
C:\Program Files\Cylance\Desktop\CylanceSvc.exe
svchost.exe
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters
svchost.exe
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Toolbar\WebBrowser
Toolbar\WebBrowser\ITBar7Height
Toolbar\ShellBrowser\ITBar7Layout
Internet Explorer\Toolbar\Locked
ShellBrowser
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe
C:\Program Files\McAfee\Agent\masvc.exe
C:\Program Files\McAfee\Agent\x86\mfemactl.exe
C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
C:\Program Files\Common Files\McAfee\Engine\scanners
C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
HKLM\System\CurrentControlSet\Services\HealthService\Parameters\Management Groups
\{CAFEEFAC-
CreateKey
HKLM\COMPONENTS
C:\Program Files\ownCloud\owncloud.exe
C:\Program Files (x86)\ownCloud\owncloud.exe
svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
C:\Program Files\SentinelOne\Sentinel Agent
System
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
\OpenWithProgids
\OpenWithList
\UserChoice
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
} 0xFFFF
Office\root\integration\integrator.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
\CurrentVersion\App Paths
\CurrentVersion\Image File Execution Options
\CurrentVersion\Shell Extensions\Cached
\CurrentVersion\Shell Extensions\Approved
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
\Components\TrustedInstaller\Events
\Components\TrustedInstaller
\Components\Wlansvc
\Components\Wlansvc\Events
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
\Directory\shellex
\Directory\shellex\DragDropHandlers
\Drive\shellex
\Drive\shellex\DragDropHandlers
_Classes\AppX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
SOFTWARE;\Microsoft\EnterpriseCertificates\Disallowed
SOFTWARE;\Microsoft\SystemCertificates\Disallowed
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\$WINDOWS.~BT\
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
C:\Windows\system32\lsass.exe
HKLM\System\CurrentControlSet\Services
SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
C:\Windows\System32\svchost.exe
HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime
HKLM\System\CurrentControlSet\Services\SmsRouter\State\Registration\Ids
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\DeviceAssociationService\Start
\services\BITS\Start
\services\TrustedInstaller\Start
\services\tunnel\Start
\services\UsoSvc\Start
C:\Program Files;\Common Files\Adobe\ARM\1.0\AdobeARM.exe
\32B6B37A-4A7D-4e00-95F2-
thsnYaVieBoda
C:\Program Files;\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
\com.adobe.reader.rna.;\mojo
C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe
\gc_pipe_
C:\Program Files;\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe
\uv\
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"
C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe
\crashpad_;\mojo.;\uv\
C:\Program Files;\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
C:\Program Files;\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files;\Citrix\ICA Client\wfcrun32.exe
C:\Program Files;\Citrix\ICA Client\concentr.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
C:\Program Files;\FireEye\xagt\xagt.exe
C:\Program Files;\Google\Update\Install\;setup.exe
\crashpad_
C:\Program Files;\Google\Chrome\Application\chrome.exe
\mojo.
C:\Program Files;\Google\Chrome\Application\;\Installer\chrmstp.exe
\crashpad_
\Vivisimo Velocity
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\mojo.
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\chrome.sync.
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\crashpad_
C:\Program Files;\Microsoft Office\root\Office16\OUTLOOK.EXE
\MsFteWds
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
\mojo.
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
\chrome.sync.
C:\Program Files;\Mozilla Firefox\firefox.exe
\cubeb-pipe-
C:\Program Files;\Mozilla Firefox\firefox.exe
\chrome.
C:\Program Files;\Mozilla Firefox\firefox.exe
\gecko-crash-server-pipe.
\SQLLocal\MSSQLSERVER
\SQLLocal\INSTANCE01
\SQLLocal\SQLEXPRESS
\SQLLocal\COMMVAULT
\SQLLocal\RTCLOCAL
\SQLLocal\RTC
\SQLLocal\TMSM
Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe
PostgreSQL\9.6\bin\postgres.exe
\pgsignal_
Program Files\Qlik\Sense\Engine\Engine.exe
C:\Program Files;\Qualys\QualysAgent\QualysAgent.exe
Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Program Files\SplunkUniversalForwarder\bin\splunk.exe
Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
Program Files\Trend\SPROTECT\x64\tsc.exe
Program Files\Trend\SPROTECT\x64\tsc64.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe
\Trend Micro OSCE Command Handler Manager
\Trend Micro OSCE Command Handler2 Manager
\Trend Micro Endpoint Encryption ToolBox Command Handler Manager
\OfcServerNamePipe
\ntapvsrq
\srvsvc
\wkssvc
\lsass
\winreg
\spoolss
Anonymous Pipe
c:\windows\system32\inetsrv\w3wp.exe
\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\ProgramData\Sophos
C:\Windows\System32\svchost.exe
.tmp
NETWORK SERVICE; LOCAL SERVICE
AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\svchost.exe
.tmp
C:\WindowsAzure\GuestAgent;\WindowsAzureGuestAgent.exe
C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\;\AMAExtHealthMonitor.exe
C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus
\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\Prefetch;.pf
NETWORK SERVICE; LOCAL SERVICE
werfault.exe
odbcconf.exe
csc.exe
sc.exe
taskkill.exe
xcopy.exe
robocopy.exe
makecab.exe
GfxDownloadWrapper.exe
expand.exe
curl.exe
ftp.exe
extrac32.exe
schtasks.exe;sctasks.exe
at.exe;At.exe
taskeng.exe
C:\WINDOWS\system32\wbem\scrcons.exe
wmiprvse.exe
wevtutil.exe
pcalua.exe
cscript.exe
wscript.exe
bash.exe
certutil.exe
winrs.exe
control.exe
desktopimgdownldr.exe
wsl.exe
hh.exe
installutil.exe
mshta.exe
mshta.exe
regsvr32.exe
rundll32.exe
InfDefaultInstall.EXE
extexport.exe
msconfig.EXE
msiexec.exe
odbcconf.exe
PresentationHost.exe
rasdlui.exe
RegisterCimProvider2.exe
RegisterCimProvider.exe
ScriptRunner.exe
verclsid.exe
wab.exe
wab.exe
wsreset.exe
Appvlp.exe
csi.exe
devtoolslauncher.exe
Scriptrunner.exe
tttracer.exe
msdt.exe
rasautou.exe
Register-cimprovider.exe
diskshadow.exe
replace.exe
jjs.exe
appcmd.exe
vbc.exe
csc.exe
dfsvc.exe
mftrace.exe
dxcap.exe
ilasm.exe
jsc.exe
vbc.exe
Microsoft.Workflow.Compiler.exe
vsjitdebugger.exe
tracker.exe
te.exe
rcsi.exe
Microsoft.Workflow.Compiler.exe
jsc.exe
MSBuild.exe
excel.exe
winword.exe
powerpnt.exe
outlook.exe
msaccess.exe
mspub.exe
C:\Program Files\Qualys\QualysAgent
cmd.exe
powershell.exe
pwsh.exe
powershell_ise.exe
Sqlps.exe
\Downloads\
\Appdata\Local\Temp\
\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\
wsmprovhost.exe
winrshost.exe
winrm.cmd
C:\ProgramData\Intel
C:\ProgramData\Mozilla
C:\ProgramData\chocolatey\
C:\ProgramData\Microsoft\DeviceSync
C:\ProgramData\Microsoft\PlayReady
C:\ProgramData\Microsoft\User Account Pictures
C:\ProgramData\Microsoft\Office\Heartbeat
C:\ProgramData\Microsoft\Windows\WER
C:\Users\All Users\
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\System32\Tasks
C:\Windows\System32\spool\drivers\color
C:\Windows\SysWOW64\Tasks