*
sethc.exe
utilman.exe
osk.exe
Magnify.exe
DisplaySwitch.exe
Narrator.exe
AtBroker.exe
sdbinst.exe
bitsadmin.exe
eventvwr.exe
c:\windows\system32\mmc.exe
fodhelper.exe
ˆ
fltMC.exe
unload;detach
fltMC.exe
misc::mflt
InstallUtil.exe
/logfile=;/LogToConsole=false;/U
whoami.exe
ipconfig.exe
tasklist.exe
systeminfo.exe;sysinfo.exe
netstat.exe
qprocess.exe
nslookup.exe
net.exe;net1.exe
quser.exe
hostname.exe
query.exe
tracert.exe
tree.com
route.exe
runas.exe
reg.exe
procdump.exe
telnet.exe
ssh.exe
putty.exe
mstsc.exe
tscon.exe
7z.exe
winrar.exe
tar.exe
zip.exe
hdiutil.exe
upx.exe
gzip.exe
rar.exe
SoundRecorder.exe
taskkill.exe
bcdedit.exe
vssadmin.exe
wbadmin.exe
wmic.exe
msxsl.exe
tor.exe
meek-client.exe
ntdsutil.exe
bginfo.exe
svchost.exe
smss.exe
spoolsv.exe
lsass.exe
services.exe
csrss.exe
wininit.exe
winlogon.exe
mmc.exe
dcomcnfg.exe
winSAT.exe
pkgmgr.exe
netsh.exe
klist.exe
wevtutil.exe
sdelete.exe
taskeng.exe
regsvr32.exe
wmiprvse.exe
wmiprvse.exe
hh.exe
explorer.exe
cmd.exe
cmd.exe
powershell.exe
powershell.exe
powershell_ise.exe
bash.exe
odbcconf.exe
pcalua.exe
cscript.exe
wscript.exe
pcalua.exe
cscript.exe
wscript.exe
mshta.exe
control.exe
mshta.exe
attrib.exe
cmdkey.exe
nbtstat.exe;nbtinfo.exe
qwinsta.exe
rwinsta.exe
schtasks.exe;sctasks.exe
replace.exe
jjs.exe
appcmd.exe
sc.exe
certutil.exe
findstr.exe
where.exe
forfiles.exe
icacls.exe;cacls.exe
xcopy.exe
robocopy.exe
takeown.exe
icalcs.exe
makecab.exe
wusa.exe
dccw.exe
vassadmin.exe
nltest.exe;nltestk.exe
winrs.exe
computerdefaults.exe
dism.exe
fodhelper.exe
WSReset.exe
slui.exe
sdclt.exe
CMSTP.exe
mofcomp.exe
C:\WINDOWS\system32\wbem\scrcons.exe
ScrCons
esentutl.exe
/y;/vss/d
Mavinject.exe;mavinject64.exe
/INJECTRUNNING
CMSTP.exe
/ni;/s
MSBuild.exe
csc.exe
excel.exe
winword.exe
powerpnt.exe
outlook.exe
msaccess.exe
mspub.exe
regsvcs.exe;regasm.exe
SyncAppvPublishingServer.exe
PsList.exe
PsService.exe
PsExec.exe
PsExec.c
PsGetSID.exe
PsKill.exe
PKill.exe
ProcDump
PsLoggedOn.exe
PsFile.exe
ShellRunas
PipeList.exe
AccessChk.exe
AccessEnum.exe
LogonSessions.exe
PsLogList.exe
PsInfo.exe
LoadOrd
PsPasswd.exe
ru.exe
Regsize
ProcDump
rundll32.exe
-ma lsass.exe
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
\Appdata\Local\
control;/name
rundll32.exe;shell32.dll;Control_RunDLL
MpCmdRun.exe
Add-MpPreference;RemoveDefinitions;DisableIOAVProtection
wsmprovhost.exe
winrshost.exe
winrm.cmd
C:\Temp
C:\Windows\Temp
C:\Tmp
C:\Users
vnc.exe
vncviewer.exe
vncservice.exe
winexesvc.exe
bitsadmin.exe
omniinet.exe
hpsmhd.exe
ipconfig.exe
tasklist.exe
netstat.exe
qprocess.exe
nslookup.exe
net.exe
quser.exe
query.exe
runas.exe
reg.exe
netsh.exe
klist.exe
wevtutil.exe
taskeng.exe
regsvr32.exe
hh.exe
cmd.exe
powershell.exe
bash.exe
pcalua.exe
cscript.exe
wscript.exe
mshta.exe
nbtstat.exe
net1.exe
nslookup.exe
qwinsta.exe
rwinsta.exe
schtasks.exe
taskkill.exe
sc.exe
nltest.exe
winrs.exe
Mavinject.exe
at.exe
certutil.exe
cmd.exe
cscript.exe
java.exe
mshta.exe
msiexec.exe
net.exe
notepad.exe
powershell.exe
reg.exe
regsvr32.exe
rundll32.exe
sc.exe
wmic.exe
wscript.exe
driverquery.exe
dsquery.exe
hh.exe
infDefaultInstall.exe
javaw.exe
javaws.exe
mmc.exe
msbuild.exe
nbtstat.exe
net1.exe
nslookup.exe
qprocess.exe
qwinsta.exe
regsvcs.exe
rwinsta.exe
schtasks.exe
taskkill.exe
tasklist.exe
replace.exe
1080
3128
8080
80
443
135
139
3306
8443
5985
5986
22
23
25
3389
5800
5900
445
139
psexec.exe
psexesvc.exe
C:\Users
C:\ProgramData
C:\Windows\Temp
C:\Temp
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
\htdocs\
\wwwroot\
SyncAppvPublishingServer.exe
tor.exe
1723
4500
9001
9030
5986
C:\Users
C:\Temp
C:\Windows\Temp
outlook.exe
C:\Windows\System32\samlib.dll
C:\Windows\System32\WinSCard.dll
C:\Windows\System32\cryptdll.dll
C:\Windows\System32\hid.dll
C:\Windows\System32\vaultcli.dll
C:\Windows\System32\wlanapi.dll
.wll
.xll
system.management.automation.ni.dll
system.management.automation.dll
taskschd.dll
scrobj.dll
admin$;c$;\\;\appdata\;\temp\
c:\programdata\
C:\Windows\Media\
C:\Windows\addins\
C:\Windows\system32\config\systemprofile\
C:\Windows\Debug\
C:\Windows\Temp
C:\PerfLogs\
C:\Windows\Help\
C:\Intel\Logs\
C:\Temp
C:\Windows\repair\
C:\Windows\security\
C:\Windows\Fonts\
file:
$Recycle.bin\
\Windows\IME\
comctl32.dll
GdiPlus.dll
wmiutils.dll
wow64log.dll
LoadLibrary
C:\Windows\System32\rundll32.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\sysmon.exe
0x001A0000
c:\windows\system32\lsass.exe
0x00590000
dbghelp.dll
dbgore.dll
C:\Windows\system32\csrss.exe
0x1F1FFF
C:\Windows\system32\wininit.exe
0x1F1FFF
C:\Windows\system32\winlogon.exe
0x1F1FFF
C:\Windows\system32\services.exe
0x1F1FFF
0x21410
C:\Windows\system32\lsass.exe
0x1FFFFF
C:\Windows\system32\lsass.exe
0x1F1FFF
C:\Windows\system32\lsass.exe
0x1010
C:\Windows\system32\lsass.exe
0x143A
0x0800
0x0810
0x0820
0x800
0x810
0x820
C:\PerfLogs\
C:\$Recycle.bin\
C:\Intel\Logs\
C:\Users\Default\
C:\Users\Public\
C:\Users\NetworkService\
C:\Windows\Fonts\
C:\Windows\Debug\
C:\Windows\Media\
C:\Windows\Help\
C:\Windows\addins\
C:\Windows\repair\
C:\Windows\security\
C:\Windows\system32\config\systemprofile\
VolumeShadowCopy
\htdocs\
\wwwroot\
\Temp\
System.Management.Automation.ni.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\AppPatch\Custom
.bat
.cmd
.chm
C:\Users\Default
AppData\Local\Microsoft\CLR_v2.0\UsageLogs\
\UsageLogs\cscript.exe.log
\UsageLogs\wscript.exe.log
\UsageLogs\wmic.exe.log
\UsageLogs\mshta.exe.log
\UsageLogs\svchost.exe.log
\UsageLogs\regsvr32.exe.log
\UsageLogs\rundll32.exe.log
\Downloads\
C:\Windows\System32\Drivers
C:\Windows\SysWOW64\Drivers
C:\Program Files(x86)\Google\GoogleService.exe
C:\Program Files(x86)\Google\GoogleUpdate.exe
wceaux.dll
fgdump-log
PwHashes
SECURITY.out
pstgdump.exe
SAM.out
servpw.exe
lservpw64.exe
DumpSvc.exe
cachedump64.exe
SYSTEM.out
DumpExt.dll
fgexec.exe
wce_krbtkts
pwdump.exe.exe
lsremora.dll
test.pwd
lsremora64.dll
NTWDBLIB.dll
comctl32.dll
GdiPlus.dll
consent.exe.local
duser.dll
DismCore.dll
OskSupport.dll
Windows\Microsoft.NET
AppData\Local\Microsoft\WindowsApps\srrstr.dll
pe386.dll
wow64log.dll
WINMM.dll
wscript.exe.manifest
AppData\\Local\\Temp\\CRYPTBASE.dll
.exe
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
.hta
.iso
.img
.lnk
.scf
.application
.appref-ms
.*proj
.sln
.settingcontent-ms
.docm
.pptm
.xlsm
.xlm
.dotm
.xltm
.potm
.ppsm
.sldm
.xlam
.xla
.iqy
.slk
\Content.Outlook\
.rft
.jsp
.jspx
.asp
.aspx
.php
.war
.ace
.dmp
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
.ps1
.ps2
.py
.pyc
.pyw
rundll32.exe
C:\Windows\System32\Tasks
C:\Windows\Tasks\
\Start Menu
\Startup
.sys
.url
.vb
.vbe
.vbs
C:\Windows\System32\Wbem
C:\Windows\SysWOW64\Wbem
C:\WINDOWS\system32\wbem\scrcons.exe
C:\Windows\Temp\
C:\Temp\
C:\PerfLogs\
C:\Users\Public\
\AppData\Temp\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
\CurrentVersion\Run
\Group Policy\Scripts
\Microsoft\Credentials
\Windows\System\Scripts
\Policies\Explorer\Run
\ServiceDll
\ImagePath
\Start
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
CurrentVersion\Explorer\Shell Folders
\CurrentVersion\Windows\load
CurrentVersion\Winlogon\Notify
CurrentVersion\RunOnce
\Explorer\FileExts
\shell\install\command
\shell\open\command
\shell\open\ddeexec
Environment\UserInitMprLogonScript
Environment\
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
\mscfile\shell\open\command
ms-settings\shell\open\command
Classes\exefile\shell\runas\command\isolatedCommand
Software\Classes\CLSID
\services\Netlogon\Parameters\DisablePasswordChange
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\Internet Explorer\Toolbar
\Internet Explorer\Extensions
\Browser Helper Objects
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
SOFTWARE\Microsoft\Netsh
\UrlUpdateInfo
\Microsoft\Office\Outlook\Addins
\Software\Microsoft\VSTO\Security\Inclusion
\Software\Microsoft\VSTO\SolutionMetadata
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
\PsExec\EulaAccepted
\PsFile\EulaAccepted
\PsGetSID\EulaAccepted
\PsInfo\EulaAccepted
\PsKill\EulaAccepted
\PsList\EulaAccepted
\PsLoggedOn\EulaAccepted
\PsLogList\EulaAccepted
\PsPasswd\EulaAccepted
\PsService\EulaAccepted
\PsShutDown\EulaAccepted
\PsSuspend\EulaAccepted
SYSTEM\CurrentControlSet\services\SysmonDrv
SYSTEM\CurrentControlSet\services\Sysmon
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
\InprocServer32\(Default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
\Control\SecurityProviders\WDigest
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon
\FriendlyName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
C:\Windows\System32\svchost.exe
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
\Microsoft\SystemCertificates\Root\Certificates
HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
\Classes\AllFilesystemObjects
\Classes\Directory
\Classes\Drive
\Classes\Folder
\ContextMenuHandlers
\CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
\ProxyServer
SYSTEM\CurrentControlSet\Control\CrashControl
Temp\7z
.bat
.cmd
Temp\debug.bin
Downloads
.exe
.hta
.lnk
Content.Outlook
.ps1
.ps2
.reg
.vb
.vbe
.vbs
.txt
.dat
.tmp
.dll
Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
Program Files (x86)\Citrix\ICA Client\concentr.exe
\Vivisimo Velocity
\SQLLocal\MSSQLSERVER
\SQLLocal\INSTANCE01
\SQLLocal\SQLEXPRESS
\SQLLocal\COMMVAULT
\SQLLocal\RTCLOCAL
\SQLLocal\RTC
\SQLLocal\TMSM
Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe
PostgreSQL\9.6\bin\postgres.exe
\pgsignal_
Program Files\Qlik\Sense\Engine\Engine.exe
Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Program Files\SplunkUniversalForwarder\bin\splunk.exe
Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
Program Files\Trend\SPROTECT\x64\tsc.exe
Program Files\Trend\SPROTECT\x64\tsc64.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe
Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe
\Trend Micro OSCE Command Handler Manager
\Trend Micro OSCE Command Handler2 Manager
\Trend Micro Endpoint Encryption ToolBox Command Handler Manager
\OfcServerNamePipe
\ntapvsrq
\srvsvc
\wkssvc
\lsass
\winreg
\spoolss
Anonymous Pipe
c:\windows\system32\inetsrv\w3wp.exe
Created
.1rx.io
.2mdn.net
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.advertising.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
safebrowsing.googleapis.com
.akadns.net
.netflix.com
aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
fonts.googleapis.com
.typekit.net
cdnjs.cloudflare.com
.stackassets.com
.steamcontent.com
.arpa.
.arpa
.msftncsi.com
.localmachine
localhost
C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe
.logitech.com
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.s-microsoft.com
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
.activedirectory.windowsazure.com
.aria.microsoft.com
.msauth.net
.msftauth.net
.opinsights.azure.com
management.azure.com
outlook.office365.com
portal.azure.com
substrate.office.com
osi.office.net
.digicert.com
.globalsign.com
.globalsign.net
msocsp.com
ocsp.msocsp.com
pki.goog
ocsp.godaddy.com
amazontrust.com
ocsp.sectigo.com
pki-goog.l.google.com
.usertrust.com
ocsp.comodoca.com
ocsp.verisign.com
ocsp.entrust.net
ocsp.identrust.com
status.rapidssl.com
status.thawte.com
ocsp.int-x3.letsencrypt.org
subca.ocsp-certum.com
cscasha2.ocsp-certum.com
.spotify.com
.spotify.map.fastly.net
C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
C:\Windows\system32\igfxCUIService.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\System32\smss.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\DriverStore\Temp\
C:\Windows\System32\wbem\Performance\
WRITABLE.TST
\AppData\Roaming\Microsoft\Windows\Recent\
C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
C:\WINDOWS\winsxs\amd64_microsoft-windows
c:\Program Files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\provtool.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\Windows\CCM
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant
C:\WINDOWS\system32\svchost.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Toolbar\WebBrowser
Toolbar\WebBrowser\ITBar7Height
Toolbar\ShellBrowser\ITBar7Layout
Internet Explorer\Toolbar\Locked
ShellBrowser
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe
C:\Program Files\McAfee\Agent\masvc.exe
C:\Program Files\McAfee\Agent\x86\mfemactl.exe
C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
C:\Program Files\Common Files\McAfee\Engine\scanners
C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
\OpenWithProgids
\OpenWithList
\UserChoice
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
} 0xFFFF
Office\root\integration\integrator.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
\CurrentVersion\Run
\CurrentVersion\RunOnce
\CurrentVersion\App Paths
\CurrentVersion\Image File Execution Options
\CurrentVersion\Shell Extensions\Cached
\CurrentVersion\Shell Extensions\Approved
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
\Components\TrustedInstaller\Events
\Components\TrustedInstaller
\Components\Wlansvc
\Components\Wlansvc\Events
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
\Directory\shellex
\Directory\shellex\DragDropHandlers
\Drive\shellex
\Drive\shellex\DragDropHandlers
_Classes\AppX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\$WINDOWS.~BT\
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\DeviceAssociationService\Start
\services\BITS\Start
\services\TrustedInstaller\Start
\services\tunnel\Start
\services\UsoSvc\Start
AcroRd32.exe
/CR;channel=
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
C:\Program Files\NVIDIA Corporation\
C:\Program Files\Realtek\
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\Google\Update\
C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe
C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe
C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe
C:\Program Files\RES Software\Workspace Manager\respesvc.exe
C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\SplunkUniversalForwarder\bin\
C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
D:\Program Files\SplunkUniversalForwarder\bin\
D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
C:\Program Files\Splunk\bin\
C:\Program Files\Splunk\bin\splunkd.exe
D:\Program Files\Splunk\bin\
D:\Program Files\Splunk\bin\splunkd.exe
C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\system32\svchost.exe -k appmodel
C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
C:\Windows\system32\svchost.exe -k camera -s FrameServer
C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k localService -s EventSystem
C:\Windows\system32\svchost.exe -k localService -s bthserv
C:\Windows\system32\svchost.exe -k localService -s nsi
C:\Windows\system32\svchost.exe -k localService -s w32Time
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
C:\Windows\system32\svchost.exe -k localServiceNoNetwork
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
C:\Windows\system32\svchost.exe -k netsvcs -s Themes
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
C:\Windows\system32\svchost.exe -k networkService -s Dnscache
C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
C:\Windows\system32\svchost.exe -k networkService -s TermService
C:\Windows\system32\svchost.exe -k networkService
C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k rPCSS
C:\Windows\system32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k unistackSvcGroup
C:\Windows\system32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k wbioSvcGroup
C:\Windows\system32\svchost.exe -k werSvcGroup
C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC
C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
C:\Windows\system32\svchost.exe -k wsappx
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe
C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe
C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe
C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Windows Defender\
C:\Windows\system32\MpSigStub.exe
C:\Windows\SoftwareDistribution\Download\Install\AM_
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\CompatTelRunner.exe
C:\Windows\System32\MusNotification.exe
C:\Windows\System32\MusNotificationUx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\system32\sppsvc.exe
AppContainer
%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
C:\Windows\system32\SearchIndexer.exe
AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe
OneDrive.exe
OneDriveStandaloneUpdater.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe
Spotify.exe
C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
microsoft.com
microsoft.com.akadns.net
microsoft.com.nsatc.net
Intel
microsoft
windows
C:\Windows\CarbonBlack\cb.exe
c:\Program Files\Couchbase\Server\bin\sigar_port.exe
C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe
C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe
C:\Program Files\Ivanti\Workspace Control\cpushld.exe
C:\Program Files\RES Software\Workspace Manager\cpushld.exe
wmiprvse.exe
GoogleUpdate.exe
LTSVC.exe
taskmgr.exe
VBoxService.exe
vmtoolsd.exe
\Citrix\System32\wfshell.exe
C:\Windows\System32\lsm.exe
Microsoft.Identity.AadConnect.Health.AadSync.Host.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection
0x1000
0x1400
0x101400
0x101000
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe
C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\WinZip\FAHWindow64.exe
AppData\Local\Google\Chrome\Application\chrome.exe
Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe
OneDrive.exe
setup
\atsvc
\msagent_
\msf-pipe
\PSEXESVC
\srvsvc
\winreg
C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\audiodg.exe
C:\windows\system32\kernel32.dll
Google\Chrome\Application\chrome.exe
C:\Windows\System32\wbem\WmiPrvSE.exe