*
False
False
Sysmon
sethc.exe
utilman.exe
osk.exe
Magnify.exe
DisplaySwitch.exe
Narrator.exe
AtBroker.exe
sdbinst.exe
bitsadmin.exe
eventvwr.exe
c:\windows\system32\mmc.exe
fodhelper.exe
Set-MpPreference
-DisableRealTimeMonitoring $true;-DisableBehaviorMonitoring $true;-DisableBlockAtFirstSeen $true;-DisableIOAVProtection $true;-DisablePrivacyMode $true;-SignatureDisableUpdateOnStartupWithoutEngine $true;-DisableArchiveScanning $true;-DisableIntrusionPreventionSystem $true;-DisableScriptScanning $true
^
../../
C:\Windows\explorer.exe
C:\Windows\explorer.exe
fltMC.exe
unload;detach
fltMC.exe
misc::mflt
InstallUtil.exe
/logfile=;/LogToConsole=false;/U
rundll32.exe
werfault.exe
whoami.exe
ipconfig.exe
tasklist.exe
systeminfo.exe;sysinfo.exe
netstat.exe
qprocess.exe
nslookup.exe
net.exe;net1.exe
quser.exe
query.exe
tracert.exe
tree.com
route.exe
runas.exe
reg.exe
taskkill.exe
netsh.exe
klist.exe
wevtutil.exe
fsutil.exe
taskeng.exe
regsvr32.exe
wmiprvse.exe
wmiprvse.exe
hh.exe
hh.exe
hh.exe
.exe
cmd.exe
cmd.exe
powershell.exe
powershell.exe
powershell_ise.exe
bash.exe
odbcconf.exe
pcalua.exe
cscript.exe
wscript.exe
pcalua.exe
cscript.exe
wscript.exe
csc.exe
-target:library
.cs
csc.exe
-out:
.cs
cscript.exe
.js
mshta.exe
control.exe
mshta.exe
attrib.exe
cmdkey.exe
cmdkey.exe
/list
At.exe
nbtstat.exe;nbtinfo.exe
qwinsta.exe
rwinsta.exe
schtasks.exe;sctasks.exe
replace.exe
jjs.exe
appcmd.exe
sc.exe
certutil.exe
findstr.exe
where.exe
forfiles.exe
icacls.exe;cacls.exe
xcopy.exe
robocopy.exe
takeown.exe
makecab.exe
wusa.exe
vassadmin.exe
nltest.exe;nltestk.exe
winrs.exe
computerdefaults.exe
dism.exe
fodhelper.exe
mofcomp.exe
Microsoft.Workflow.Compiler.exe
C:\WINDOWS\system32\wbem\scrcons.exe
ScrCons
esentutl.exe
/y;/vss/d
vssadmin.exe delete
wbadmin.exe delete
bcedit.exe /set
rundll32.exe dfshim.dll,ShOpenVerbApplication http://
diskshadow.exe
diskshadow.exe /s
diskshadow.exe
expand.exe
ftp.exe
GfxDownloadWrapper.exe
ieexec.exe http
ilasm
installutil.exe
jsc.exe
msdt.exe
rasautou.exe
print.exe
:
regedit.exe
:
Register-cimprovider.exe
rpcping.exe
runscripthelper.exe surfacecheck
Scriptrunner.exe -appvscript
Scriptrunner.exe
tttracer.exe
vbc.exe /target:exe
vbc.exe
wab.exe
wsreset.exe
xwizard RunWizard
Appvlp.exe
bginfo
bginfo
cbd
csi.exe
csi.exe
devtoolslauncher.exe LaunchForDeploy
devtoolslauncher.exe
dnx.exe consoleapp
dotnet.exe
.dll
pester
winrm
slmgr
pubprn
manage-bde
CL_Invocation
CL_Mutexverifiers
wsl.exe
vsjitdebugger.exe
vsjitdebugger
update --download
update.exe --update
update.exe --ProcessStart
tracker.exe
te.exe
squirrel --download
squirrel.exe --update
Sqlps.exe
sqldumper.exe
rcsi.exe
ntdsutil.exe
ifm
msxls.exe
msdeploy.exe -verb:sync -source:RunCommand
mftrace.exe
dxcap.exe
dxcap.exe -c
taskmgr.exe
regedit.exe
netsh.exe
taskeng.exe
regsvr32.exe
cmd.exe
cmd.exe
powershell.exe
powershell.exe
powershell_ise.exe
mshta.exe
mshta.exe
attrib.exe
schtasks.exe;sctasks.exe
sc.exe
desktopimgdownldr.exe
findstr.exe
where.exe
computerdefaults.exe
dism.exe
fodhelper.exe
djoin.exe
PktMon.exe
C:\WINDOWS\system32\wbem\scrcons.exe
esentutl.exe
/y;/vss/d
nltestrk.exe
/domain_trusts
ATBroker.exe
csc.exe
dfsvc.exe
dnscmd.exe
esentutl.exe
expand
extexport.exe
extrac32.exe
IEExec.exe
ilasm.exe
InfDefaultInstall.EXE
jsc.exe
vbc.exe
Microsoft.Workflow.Compiler.exe
msconfig.EXE
msiexec.exe
odbcconf.exe
PresentationHost.exe
Print.Exe
rasdlui.exe
RegisterCimProvider2.exe
RegisterCimProvider.exe
ScriptRunner.exe
TTTracer.exe
verclsid.exe
wab.exe
WSReset.exe
xwizard.exe
curl.exe
Mavinject.exe;mavinject64.exe
/INJECTRUNNING
CMSTP.exe
/ni;/s
MSBuild.exe
excel.exe
winword.exe
powerpnt.exe
outlook.exe
msaccess.exe
mspub.exe
regsvcs.exe;regasm.exe
FromBase64
gzip
decompress
http
replace
SyncAppvPublishingServer.exe
PsList.exe
PsService.exe
PsExec.exe
PsExec.c
PsGetSID.exe
PsKill.exe
PKill.exe
ProcDump
PsLoggedOn.exe
PsFile.exe
ShellRunas
PipeList.exe
AccessChk.exe
AccessEnum.exe
LogonSessions.exe
PsLogList.exe
PsInfo.exe
LoadOrd
PsPasswd.exe
ru.exe
Regsize
ProcDump
-ma lsass.exe
-accepteula -ma
vssadmin.exe
delete;shadow
vssadmin.exe
resize;shadowstorage
wmic.exe
delete;shadowcopy
wbadmin.exe
delete;catalog
bcdedit.exe
recoveryenabled;no
bcdedit.exe
bootstatuspolicy;ignoreallfailures
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
\Downloads\
\Desktop\
\Appdata\Local\
control;/name
rundll32.exe;shell32.dll;Control_RunDLL
MpCmdRun.exe
Add-MpPreference;RemoveDefinitions;DisableIOAVProtection
wsmprovhost.exe
winrshost.exe
winrm.cmd
wsl.exe
wsl.exe -e
wsl.exe -e
wsl.exe -u root
wsl.exe --exec bash
wsl.exe --exec bash
/dev/tcp
AcroRd32.exe
/CR;channel=
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"
C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Program Files\NVIDIA Corporation\
C:\Program Files\Realtek\
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe
C:\Program Files\RES Software\Workspace Manager\respesvc.exe
C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Splunk\bin\
C:\Program Files\Splunk\bin\splunkd.exe
C:\Program Files\Splunk\bin\splunk.exe
D:\Program Files\Splunk\bin\
D:\Program Files\Splunk\bin\splunkd.exe
D:\Program Files\Splunk\bin\splunk.exe
C:\Program Files\SplunkUniversalForwarder\bin\
C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
D:\Program Files\SplunkUniversalForwarder\bin\
D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\system32\svchost.exe -k appmodel
C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
C:\Windows\system32\svchost.exe -k camera -s FrameServer
C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k localService -s EventSystem
C:\Windows\system32\svchost.exe -k localService -s bthserv
C:\Windows\system32\svchost.exe -k localService -s nsi
C:\Windows\system32\svchost.exe -k localService -s w32Time
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
C:\Windows\system32\svchost.exe -k localServiceNoNetwork
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
C:\Windows\system32\svchost.exe -k netsvcs -s Themes
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
C:\Windows\system32\svchost.exe -k networkService -s Dnscache
C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
C:\Windows\system32\svchost.exe -k networkService -s TermService
C:\Windows\system32\svchost.exe -k networkService
C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k rPCSS
C:\Windows\system32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k unistackSvcGroup
C:\Windows\system32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k wbioSvcGroup
C:\Windows\system32\svchost.exe -k werSvcGroup
C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC
C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe
C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe
C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Windows Defender\
C:\Windows\system32\MpSigStub.exe
C:\Windows\SoftwareDistribution\Download\Install\AM_
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\MusNotification.exe
C:\Windows\System32\MusNotificationUx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\system32\sppsvc.exe
AppContainer
%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
C:\Windows\system32\SearchIndexer.exe
C:\Temp
C:\Windows\Temp
C:\Tmp
C:\Users
AppData\Local\Google\Chrome\Application\chrome.exe
Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe
OneDrive.exe
setup
slack.exe
AppData\Local\Microsoft\Teams\current\Teams.exe
vnc.exe
vncviewer.exe
vncservice.exe
winexesvc.exe
bitsadmin.exe
omniinet.exe
hpsmhd.exe
C:\Program Files\Microsoft\HybridConnectionManager
ipconfig.exe
tasklist.exe
netstat.exe
qprocess.exe
nslookup.exe
quser.exe
query.exe
runas.exe
reg.exe
netsh.exe
klist.exe
wevtutil.exe
taskeng.exe
regsvr32.exe
cmd.exe
powershell.exe
bash.exe
pcalua.exe
cscript.exe
wscript.exe
mshta.exe
nbtstat.exe
net1.exe
nslookup.exe
qwinsta.exe
rwinsta.exe
sc.exe
nltest.exe
winrs.exe
dfsvc.exe
dnscmd.exe
esentutl.exe
expand.exe
extrac32.exe
IEExec.exe
Msdt.exe
msiexec.exe
Print.Exe
RegisterCimProvider.exe
RpcPing.exe
ScriptRunner.exe
xwizard.exe
desktopimgdownldr.exe
OpenConsole.exe
WindowsTerminal.exe
dllhost.exe
ipconfig.exe
tasklist.exe
netstat.exe
qprocess.exe
nslookup.exe
net.exe
quser.exe
query.exe
runas.exe
reg.exe
netsh.exe
klist.exe
wevtutil.exe
taskeng.exe
regsvr32.exe
hh.exe
cmd.exe
powershell.exe
bash.exe
pcalua.exe
cscript.exe
wscript.exe
mshta.exe
nbtstat.exe
net1.exe
nslookup.exe
qwinsta.exe
rwinsta.exe
schtasks.exe
taskkill.exe
sc.exe
nltest.exe
winrs.exe
dfsvc.exe
dnscmd.exe
esentutl.exe
expand.exe
extrac32.exe
IEExec.exe
Msdt.exe
msiexec.exe
Print.Exe
RegisterCimProvider.exe
RpcPing.exe
ScriptRunner.exe
xwizard.exe
desktopimgdownldr.exe
Mavinject.exe
at.exe
certutil.exe
cscript.exe
java.exe
mshta.exe
msiexec.exe
net.exe
notepad.exe
reg.exe
regsvr32.exe
rundll32.exe
sc.exe
wmic.exe
wscript.exe
driverquery.exe
dsquery.exe
AdFind.exe
hh.exe
infDefaultInstall.exe
javaw.exe
javaws.exe
mmc.exe
msbuild.exe
nbtstat.exe
nslookup.exe
qprocess.exe
qwinsta.exe
regsvcs.exe
rwinsta.exe
schtasks.exe
taskkill.exe
replace.exe
1080
3128
8080
22
23
25
88
3389
5800
5900
psexec.exe
psexesvc.exe
C:\Users
C:\ProgramData
C:\Windows\Temp
C:\Temp
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
\htdocs\
\wwwroot\
\AppData\Local\
\AppData\Local\Temp\
\AppData\Roaming\
\AppData\LocalLow\
C:\Windows\SysWOW64
SyncAppvPublishingServer.exe
tor.exe
1723
4500
9001
9030
5985
5986
AppData\Roaming\Dropbox\bin\Dropbox.exe
winlogbeat.exe
packetbeat.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
C:\Windows\System32\lsass.exe
88
OneDrive.exe
OneDriveStandaloneUpdater.exe
ownCloud\owncloud.exe
C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
udp
3389
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe
AppData\Roaming\Spotify\Spotify.exe
AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-ui.exe
AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
.windowsupdate.microsoft.com
.windowsupdate.com
wustat.windows.com
go.microsoft.com
.update.microsoft.com
download.microsoft.com
microsoft.com.akadns.net
microsoft.com.nsatc.net
C:\Users
C:\Temp
C:\Windows\Temp
Intel
Valid
Microsoft
Valid
amsi.dll
powershell.exe;powershell_ise.exe
bginfo.exe
System.ni.dll;System.Core.ni.dll
bitsproxy.dll
clr.dll
C:\Windows\Microsoft.NET\
clrjit.dll
C:\Windows\Microsoft.NET\
mscoreei.dll
C:\Windows\Microsoft.NET\
mscoree.dll
C:\Windows\Microsoft.NET\
mscoreeis.dll
C:\Windows\Microsoft.NET\
mscorlib.dll
C:\Windows\Microsoft.NET\
mscorlib.ni.dll
C:\Windows\Microsoft.NET\
mstask.dll
wshom.ocx
scrrun.dll
vbscript.dll
jscript.dll
mshta.exe
jscript9.dll
mshta.exe
.wll
.xll
C:\Program Files;\Microsoft Office\root\Office
combase.dll
C:\Program Files;\Microsoft Office\root\Office
coml2.dll
C:\Program Files;\Microsoft Office\root\Office
comsvcs.dll
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\assembly\
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\Microsoft.NET\assembly\GAC_MSIL
C:\Program Files;\Microsoft Office\root\Office
clr.dll
C:\Program Files;\Microsoft Office\root\Office
VBE7INTL.DLL
C:\Program Files;\Microsoft Office\root\Office
VBE7.DLL
C:\Program Files;\Microsoft Office\root\Office
VBEUI.DLL
C:\Program Files;\Microsoft Office\root\Office
OUTLVBA.DLL
VSTOInstaller.exe
C:\Program Files;\Microsoft Office\root\Office
C:\Windows\SysWOW64\wbem\wbemdisp.dll
system.management.automation.ni.dll
system.management.automation.dll
Microsoft.PowerShell.Commands.Diagnostics.dll
Microsoft.PowerShell.Commands.Management.dll
Microsoft.PowerShell.Commands.Utility.dll
Microsoft.PowerShell.ConsoleHost.dll
Microsoft.PowerShell.Security.dll
C:\Windows\System32\spool\drivers\
regsvc.dll
rundll32.exe
comsvcs.dll
taskschd.dll
scrobj.dll
scrobj.dll
admin$;c$;\\;\appdata\;\temp\
c:\programdata\
C:\Windows\Media\
C:\Windows\addins\
C:\Windows\system32\config\systemprofile\
C:\Windows\Debug\
C:\Windows\Temp
C:\PerfLogs\
C:\Windows\Help\
C:\Intel\Logs\
C:\Temp
C:\Windows\repair\
C:\Windows\security\
C:\Windows\Fonts\
Downloads
Public
Documents
Music
Video
file:
$Recycle.bin\
\Windows\IME\
urlmon.dll
wmiutils.dll
C:\Windows\System32\cscript.exe
scrobj.dll
VSTOInstaller.exe
C:\Windows\
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileSyncTelemetryExtensions.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuthLib.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\OneDriveTelemetryStable.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\vcruntime140.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\UpdateRingSettings.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\LoggingPlatform.dll
C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\csrss.exe
Google\Chrome\Application\chrome.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
dbghelp.dll
dbgcore.dll
Desktop
C:\Windows\system32\csrss.exe
0x1F1FFF
C:\Windows\system32\wininit.exe
0x1F1FFF
C:\Windows\system32\winlogon.exe
0x1F1FFF
C:\Windows\system32\services.exe
0x1F1FFF
0x21410
C:\Windows\system32\lsass.exe
0x1FFFFF
C:\Windows\system32\lsass.exe
0x1F1FFF
C:\Windows\system32\lsass.exe
0x1010
C:\Windows\system32\lsass.exe
0x143A
lsass.exe
wsmprovhost.exe
C:\Program Files;\Microsoft Office\Root\Office
\Microsoft Shared\VBA
C:\Windows\SYSTEM32\ntdll.dll;C:\Windows\System32\kernelbase.dll;UNKNOWN
0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF
0x0800
0x0810
0x0820
0x800
0x810
0x820
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
\AppData\
\AppData\Local\Microsoft\Teams\current\Teams.exe
System.Management.Automation.ni.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\win32u.dll
C:\Windows\SYSTEM32\wow64win.dll
C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe
C:\Program Files\Autodesk\Autodesk Desktop App
C:\Program Files (x86)\Autodesk\Autodesk Desktop App
C:\Windows\CarbonBlack\cb.exe
C:\Program Files\Cisco\AMP\;sfc.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
c:\Program Files\Couchbase\Server\bin\sigar_port.exe
C:\Program Files;\FireEye\xagt\xagt.exe
C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe
C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe
C:\Program Files\Ivanti\Workspace Control\cpushld.exe
C:\Program Files\RES Software\Workspace Manager\cpushld.exe
wmiprvse.exe
GoogleUpdate.exe
LTSVC.exe
taskmgr.exe
VBoxService.exe
vmtoolsd.exe
\Citrix\System32\wfshell.exe
C:\Windows\System32\lsm.exe
Microsoft.Identity.AadConnect.Health.AadSync.Host.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection
0x1000
0x1400
0x101400
0x101000
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Users\;\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
C:\Program Files\PowerToys\modules\KeyboardManager\KeyboardManagerEngine\PowerToys.KeyboardManagerEngine.exe
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe
C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe
C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
C:\Program Files\Qualys\QualysAgent\QualysAgent.exe
C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\Program Files\Splunk\bin\splunkd.exe
C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\WinZip\FAHWindow64.exe
C:\Windows\AppPatch\Custom
.bat
.cmd
.chm
C:\Users\Default
Desktop
AppData\Local\Microsoft\CLR_v2.0\UsageLogs\
\UsageLogs\cscript.exe.log
\UsageLogs\wscript.exe.log
\UsageLogs\wmic.exe.log
\UsageLogs\mshta.exe.log
\UsageLogs\svchost.exe.log
\UsageLogs\regsvr32.exe.log
\UsageLogs\rundll32.exe.log
\Downloads\
C:\Windows\System32\Drivers
C:\Windows\SysWOW64\Drivers
.exe
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
.hta
.iso
.img
.kirbi
.lnk
.scf
.application
.appref-ms
.*proj
.sln
.settingcontent-ms
.docm
.pptm
.xlsm
.xlm
.dotm
.xltm
.potm
.ppsm
.sldm
.xlam
.xla
.iqy
.slk
\Content.Outlook\
Roaming\Microsoft\Outlook\VbaProject.OTM
.rwz
Roaming\Microsoft\Outlook\Outlook.xml
.rft
.jsp
.jspx
.asp
.aspx
.php
.war
.ace
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
.ps1
.ps2
.py
.pyc
.pyw
rundll32.exe
C:\Windows\System32\Tasks
C:\Windows\Tasks\
\Start Menu
\Startup
C:\Windows\SysWoW64
C:\Windows\System32
C:\Windows\
.sys
\*lsass*.dmp\
taskmgr.exe
.url
.vb
.vbe
.vbs
C:\Windows\System32\Wbem
C:\Windows\SysWOW64\Wbem
C:\WINDOWS\system32\wbem\scrcons.exe
C:\Windows\Temp\
C:\Program\
C:\Temp\
C:\PerfLogs\
C:\Users\Public\
\AppData\Temp\
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Windows\system32\igfxCUIService.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\System32\smss.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\DriverStore\Temp\
C:\Windows\System32\wbem\Performance\
WRITABLE.TST
\AppData\Roaming\Microsoft\Windows\Recent\
C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
C:\WINDOWS\winsxs\amd64_microsoft-windows
c:\Program Files\Microsoft Security Client\MsMpEng.exe
Outlook.exe
Roaming\Microsoft\Outlook\Outlook.xml
c:\windows\system32\provtool.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\Windows\CCM
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL
\CurrentVersion\Run
\Group Policy\Scripts
\Windows\System\Scripts
\Policies\Explorer\Run
\ServiceDll
\ImagePath
\Start
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Specialaccounts\userlist
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Uihostl
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
\Explorer\FileExts
\shell\install\command
\shell\open\command
\shell\open\ddeexec
Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe
hkcu\software\microsoft\windows nt\currentversion\windows\run\
hkcu\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
hkcu\software\microsoft\windows\currentversion\explorer\shell folders\common startup
hkcu\software\microsoft\windows\currentversion\explorer\shell folders\startup
hklm\software\microsoft\command processor\autorun
\mscfile\shell\open\command
ms-settings\shell\open\command
Classes\exefile\shell\runas\command\isolatedCommand
Software\Classes\CLSID;inprocserver32
Software\Classes\CLSID;localserver32
Classes\CLSID\;TreatAs
System\CurrentControlSet\Services\VSS
\services\Netlogon\Parameters\DisablePasswordChange
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
\SYSTEM\;\Services\DNS\Parameters\ServerLevelPluginDll
SOFTWARE\Microsoft\.NETFramework\ETWEnabled
HKCU\Environment
HKLM\SYSTEM\setup\cmdline
HKLM\SYSTEM\setup\upgrade
HKCU\Software\microsoft\ctf\langbaraddin\;\Enable
HKCU\Software\microsoft\ctf\langbaraddin\;\FilePath
Software\policies\microsoft\windows\control panel\desktop\scrnsave.exe
HKLM\Software\Classes\protocols\filter\
HKLM\Software\Classes\protocols\handler\
\SYSTEM\;\Service\EventLog;Retention
\SYSTEM\;\Service\EventLog;MaxSize
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\Internet Explorer\Toolbar
\Internet Explorer\Extensions
\Browser Helper Objects
HKCU\software\microsoft\internet explorer\desktop\components\Source
HKCU\software\microsoft\internet explorer\explorer bars\
HKCU\software\microsoft\internet explorer\Styles\MaxScriptStatements
HKCU\software\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout
HKCU\software\wow6432node\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout
HKCU\software\microsoft\internet explorer\urlsearchhooks\
HKLM\software\wow6432node\microsoft\internet explorer\urlsearchhooks\
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
hklm\system\mounteddevices\
hklm\system\;\enum\usb\
SOFTWARE\Microsoft\Netsh
\Microsoft\Office\Outlook\Addins
\Software\Microsoft\VSTO\Security\Inclusion
\Software\Microsoft\VSTO\SolutionMetadata
Identities
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password
HKCU\SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User
hkcu\software\microsoft\office\;\outlook\security\
hkcu\software\microsoft\office\;\outlook\today\
hkcu\software\microsoft\office\;\outlook\webview\;\
hkcu\software\microsoft\office\;\word\options\globaldotname
hkcu\software\microsoft\office\16.0\common\internet\server cache\
\Security\Trusted Documents\TrustRecords
\UrlUpdateInfo
hkcu\software\microsoft\windows\currentversion\explorer\recentdocs\.docx\
hkcu\software\microsoft\windows\currentversion\explorer\recentdocs\.xlsx\
HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPath
HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPathEx
software\microsoft\Office test\special\perf\
hkcu\software\microsoft\office\;\Options\OPEN
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RaunSolicit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks;Actions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload
\PsExec\EulaAccepted
\PsFile\EulaAccepted
\PsGetSID\EulaAccepted
\PsInfo\EulaAccepted
\PsKill\EulaAccepted
\PsList\EulaAccepted
\PsLoggedOn\EulaAccepted
\PsLogList\EulaAccepted
\PsPasswd\EulaAccepted
\PsService\EulaAccepted
\PsShutDown\EulaAccepted
\PsSuspend\EulaAccepted
SYSTEM\CurrentControlSet\services\SysmonDrv
SYSTEM\CurrentControlSet\services\Sysmon
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
HKLM\Software\Microsoft\WAB\DLLPath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Control.exe
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
software\classes\clsid\{083863f1-70de-11d0-bd40-00a0c911ce86}\instance
software\classes\clsid\{7ed96837-96f0-4812-b211-f13c24117ed3}\instance
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetooth
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\usb
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts
\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\hunmanInterfaceDevice
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Plap Providers
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
\Control\SecurityProviders\WDigest
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\software\microsoft\microsoft antimalware\exclusions\paths\
HKLM\software\microsoft\Windows Advanced Threat Protection\TelLib
HKLM\software\policies\microsoft\windows advanced threat protection\
HKLM\SYSTEM\CurrentControlSet\Services\Sense
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\MsMpSvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\NisSrv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
DWORD (0x00000004)
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc
DWORD (0x00000004)
hklm\software\microsoft\windows script\settings\amsienable
hkcu\software\microsoft\windows script\settings\amsienable
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications
HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications\list
HKLM\software\policies\microsoft\windowsfirewall\;\globallyopenports
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon
\FriendlyName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Windows\System32\svchost.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Windows\System32\svchost.exe
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
software\microsoft\powershell\;\shellids\microsoft.powershell\executionpolicy
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
\Microsoft\SystemCertificates\Root\Certificates
\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
\Classes\AllFilesystemObjects
\Classes\Directory
\Classes\Drive
\Classes\Folder
\ShellEx\ContextMenuHandlers
\CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObject
HKLM\SOFTWARE\Microsoft\Windows;\CurrentVersion\Print\Connections
HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUsername
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKU;Environment
HKLM;Environment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
\ProxyServer
SYSTEM\CurrentControlSet\Control\CrashControl
HKLM\SYSTEM\;Control\WMI\autologger\senseauditlogger
HKLM\SYSTEM\;Control\WMI\autologger\senseeventlog
HKLM\SYSTEM\;Control\WMI\EtwMaxLoggers
HKLM\SYSTEM\;Control\WMI\Security
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\Cylance\Optics\CyOptics.exe
C:\Program Files\Cylance\Desktop\CylanceSvc.exe
Toolbar\WebBrowser
Toolbar\WebBrowser\ITBar7Height
Toolbar\ShellBrowser\ITBar7Layout
Internet Explorer\Toolbar\Locked
ShellBrowser
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe
C:\Program Files\McAfee\Agent\masvc.exe
C:\Program Files\McAfee\Agent\x86\mfemactl.exe
C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
C:\Program Files\Common Files\McAfee\Engine\scanners
C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
C:\Program Files\ownCloud\owncloud.exe
C:\Program Files (x86)\ownCloud\owncloud.exe
svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
C:\Program Files\SentinelOne\Sentinel Agent
System
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
\OpenWithProgids
\OpenWithList
\UserChoice
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
} 0xFFFF
Office\root\integration\integrator.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
\CurrentVersion\App Paths
\CurrentVersion\Image File Execution Options
\CurrentVersion\Shell Extensions\Cached
\CurrentVersion\Shell Extensions\Approved
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
\Components\TrustedInstaller\Events
\Components\TrustedInstaller
\Components\Wlansvc
\Components\Wlansvc\Events
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
\Directory\shellex
\Directory\shellex\DragDropHandlers
\Drive\shellex
\Drive\shellex\DragDropHandlers
_Classes\AppX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\$WINDOWS.~BT\
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
C:\Windows\system32\lsass.exe
HKLM\System\CurrentControlSet\Services
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\DeviceAssociationService\Start
\services\BITS\Start
\services\TrustedInstaller\Start
\services\tunnel\Start
\services\UsoSvc\Start
Temp\7z
.bat
.cmd
Temp\debug.bin
.dll
.exe
.hta
:Zone.Identifier
blob:;about:internet
.lnk
Content.Outlook
.ps1
.ps2
.reg
Downloads
AppData
Temp
ProgramData
Users
.vb
.vbe
.vbs
\
CreatePipe
\atsvc
\msse-
-server
\msagent_
\postex_
\postex_ssh_
\status_
\gruntsvc
\svcctl
\msf-pipe
\PSHost
powershell.exe
\PSHost
powershell_ise.exe
\PSEXESVC
\srvsvc
\winreg
C:\Program Files;\Common Files\Adobe\ARM\1.0\AdobeARM.exe
\32B6B37A-4A7D-4e00-95F2-
thsnYaVieBoda
C:\Program Files;\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
\com.adobe.reader.rna.;\mojo
C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe
\gc_pipe_
C:\Program Files;\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe
\uv\
"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"
C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe
\crashpad_;\mojo.;\uv\
C:\Program Files;\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
C:\Program Files;\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files;\Citrix\ICA Client\wfcrun32.exe
C:\Program Files;\Citrix\ICA Client\concentr.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe
C:\Users\;\AppData\Local\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
C:\Program Files;\FireEye\xagt\xagt.exe
C:\Program Files;\Google\Update\Install\;setup.exe
\crashpad_
C:\Program Files;\Google\Chrome\Application\chrome.exe
\mojo.
C:\Program Files;\Google\Chrome\Application\;\Installer\chrmstp.exe
\crashpad_
\Vivisimo Velocity
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\mojo.
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\chrome.sync.
C:\Program Files;\Microsoft\Edge\Application\msedge.exe
\LOCAL\crashpad_
C:\Program Files;\Microsoft Office\root\Office16\OUTLOOK.EXE
\MsFteWds
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
\mojo.
C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe
\chrome.sync.
C:\Program Files;\Mozilla Firefox\firefox.exe
\cubeb-pipe-
C:\Program Files;\Mozilla Firefox\firefox.exe
\chrome.
C:\Program Files;\Mozilla Firefox\firefox.exe
\gecko-crash-server-pipe.
\SQLLocal\MSSQLSERVER
\SQLLocal\INSTANCE01
\SQLLocal\SQLEXPRESS
\SQLLocal\COMMVAULT
\SQLLocal\RTCLOCAL
\SQLLocal\RTC
\SQLLocal\TMSM
Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe
PostgreSQL\9.6\bin\postgres.exe
\pgsignal_
Program Files\Qlik\Sense\Engine\Engine.exe
C:\Program Files;\Qualys\QualysAgent\QualysAgent.exe
Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Program Files\SplunkUniversalForwarder\bin\splunk.exe
Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
Program Files\Trend\SPROTECT\x64\tsc.exe
Program Files\Trend\SPROTECT\x64\tsc64.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe
\Trend Micro OSCE Command Handler Manager
\Trend Micro OSCE Command Handler2 Manager
\Trend Micro Endpoint Encryption ToolBox Command Handler Manager
\OfcServerNamePipe
\ntapvsrq
\srvsvc
\wkssvc
\lsass
\winreg
\spoolss
Anonymous Pipe
c:\windows\system32\inetsrv\w3wp.exe
Created
.1rx.io
.2mdn.net
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.advertising.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
safebrowsing.googleapis.com
.akadns.net
.netflix.com
.aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
fonts.googleapis.com
.typekit.net
cdnjs.cloudflare.com
.stackassets.com
.steamcontent.com
.arpa.
.arpa
.msftncsi.com
.localmachine
localhost
C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe
.logitech.com
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.s-microsoft.com
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
outlook.office.com
statics.teams.cdn.office.net
acdc-direct.office.com
.fp.measure.office.com
office365.com
.activedirectory.windowsazure.com
.aria.microsoft.com
.msauth.net
.msftauth.net
.opinsights.azure.com
management.azure.com
outlook.office365.com
portal.azure.com
substrate.office.com
osi.office.net
.digicert.com
.globalsign.com
.globalsign.net
msocsp.com
ocsp.msocsp.com
pki.goog
.pki.goog
ocsp.godaddy.com
amazontrust.com
.amazontrust.com
ocsp.sectigo.com
pki-goog.l.google.com
.usertrust.com
ocsp.comodoca.com
ocsp.verisign.com
ocsp.entrust.net
ocsp.identrust.com
status.rapidssl.com
status.thawte.com
ocsp.int-x3.letsencrypt.org
subca.ocsp-certum.com
cscasha2.ocsp-certum.com
crl.verisign.com
C:\Program Files\SentinelOne\Sentinel Agent;\SentinelAgent.exe
.spotify.com
.spotify.map.fastly.net
C:\Windows\SystemApps\Microsoft.Windows.Search;SearchApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files\Git\cmd\git.exe
C:\Program Files\Git\mingw64\bin\git.exe
C:\Program Files\Git\mingw64\libexec\git-core\git.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
C:\Program Files (x86)\Microsoft\Edge\Application\
\BHO\ie_to_edge_stub.exe
C:\Program Files (x86)\Microsoft\Edge\Application\
\identity_helper.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
\MicrosoftEdge_X64_
unknown process
C:\Program Files\Microsoft VS Code\Code.exe
C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps
C:\Program Files\Microsoft SQL Server;\DataDumps
C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps
C:\Program Files\Qualys\QualysAgent
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Downloads\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Temp\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\ProgramData\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Intel
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Mozilla
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\chocolatey\logs
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\DeviceSync
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\PlayReady
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\User Account Pictures
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Office\Heartbeat
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportArchive
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Users\All Users\Microsoft\Windows\WER\Temp
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\tracing
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\Registration\CRMLog
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\System32\spool\drivers\color
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
C:\Windows\SysWOW64\Tasks
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct
\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
NETWORK SERVICE; LOCAL SERVICE
C:\
\\