md5,sha256,IMPHASH
C:\Users
.exe
\Device\HarddiskVolumeShadowCopy
OneDrive.exe
C:\Windows\system32\backgroundTaskHost.exe
setup
install
Update\
redist.exe
msiexec.exe
TrustedInstaller.exe
\NVIDIA\NvBackend\ApplicationOntology\
127.0.0.1
fe80:0:0:0
C:\Users
\
microsoft
windows
Intel
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\kernel32.dll
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
\Start Menu
\Startup\
\Content.Outlook\
\Downloads\
.application
.appref-ms
.bat
.chm
.cmd
.cmdline
.crx
.dmp
.docm
.dll
.exe
.exe.log
.jar
.jnlp
.jse
.hta
.job
.pptm
.ps1
.sys
.scr
.vbe
.vbs
.xlsm
proj
.sln
C:\Users\Default
C:\Windows\system32\Drivers
C:\Windows\SysWOW64\Drivers
C:\Windows\system32\GroupPolicy\Machine\Scripts
C:\Windows\system32\GroupPolicy\User\Scripts
C:\Windows\system32\Wbem
C:\Windows\SysWOW64\Wbem
C:\Windows\system32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
C:\Windows\Tasks\
C:\Windows\system32\Tasks
C:\Windows\SysWOW64\Tasks
\Device\HarddiskVolumeShadowCopy
C:\Windows\AppPatch\Custom
VirtualStore
.xls
.ppt
.rtf
C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
C:\Windows\system32\smss.exe
C:\Windows\system32\CompatTelRunner.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\mobsync.exe
C:\Windows\system32\DriverStore\Temp\
C:\Windows\system32\wbem\Performance\
C:\Windows\Installer\
C:\$WINDOWS.~BT\Sources\
C:\Windows\winsxs\amd64_microsoft-windows
CurrentVersion\Run
Policies\Explorer\Run
Group Policy\Scripts
Windows\System\Scripts
CurrentVersion\Windows\Load
CurrentVersion\Windows\Run
CurrentVersion\Winlogon\Shell
CurrentVersion\Winlogon\System
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
UserInitMprLogonScript
user shell folders\startup
\ServiceDll
\ServiceManifest
\ImagePath
\Start
Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Control\Terminal Server\fSingleSessionPerUser
fDenyTSConnections
LastLoggedOnUser
RDP-tcp\PortNumber
Services\PortProxy\v4tov4
\command\
\ddeexec\
{86C86720-42A0-1069-A2E8-08002B30309D}
exefile
\InprocServer32\(Default)
\Hidden
\ShowSuperHidden
\HideFileExt
Classes\*\
Classes\AllFilesystemObjects\
Classes\Directory\
Classes\Drive\
Classes\Folder\
Classes\PROTOCOLS\
ContextMenuHandlers\
CurrentVersion\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
\ProxyServer
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKLM\Software\Microsoft\Netsh
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
\EnableFirewall
\DoNotAllowExceptions
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
Microsoft\Office\Outlook\Addins\
Office Test\
Security\Trusted Documents\TrustRecords
Internet Explorer\Toolbar\
Internet Explorer\Extensions\
Browser Helper Objects\
\DisableSecuritySettingsCheck
\3\1206
\3\2500
\3\1809
HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\
HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\
HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\
\UrlUpdateInfo
\InstallSource
\EulaAccepted
\DisableAntiSpyware
\DisableAntiVirus
\SpynetReporting
DisableRealtimeMonitoring
\SubmitSamplesConsent
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
HKLM\Software\Microsoft\Security Center\
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
VirtualStore
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
\FriendlyName
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
HKLM\Software\Microsoft\Tracing\RASAPI32
\LowerCaseLongPath
\Publisher
\BinProductVersion
\DriverVersion
\DriverVerVersion
\LinkDate
Compatibility Assistant\Store\
\
\{CAFEEFAC-
CreateKey
HKLM\COMPONENTS
HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache
Toolbar\WebBrowser
Browser\ITBar7Height
Browser\ITBar7Layout
Internet Explorer\Toolbar\Locked
Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}
}\PreviousPolicyAreas
\Control\WMI\Autologger\
HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
\Lsa\OfflineJoin\CurrentValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
_Classes\AppX
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
\Services\BITS\Start
\services\clr_optimization_v2.0.50727_32\Start
\services\clr_optimization_v2.0.50727_64\Start
\services\clr_optimization_v4.0.30319_32\Start
\services\clr_optimization_v4.0.30319_64\Start
\services\deviceAssociationService\Start
\services\fhsvc\Start
\services\nal\Start
\services\trustedInstaller\Start
\services\tunnel\Start
\services\usoSvc\Start
\UserChoice\ProgId
\UserChoice\Hash
\OpenWithList\MRUList
Shell Extensions\Cached
HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime
\safer\codeidentifiers\0\HASHES\{
VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
HKCR\VLC.
HKCR\iTunes.
HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658}
Downloads
Temp\7z
Startup
.bat
.cmd
.doc
.hta
.lnk
.ppt
.ps1
.ps2
.reg
.jse
.vb
.vbe
.vbs
.arpa.
.arpa
.msftncsi.com
..localmachine
localhost
-pushp.svc.ms
.b-msedge.net
.bing.com
.hotmail.com
.live.com
.live.net
.s-microsoft.com
.microsoft.com
.microsoftonline.com
.microsoftstore.com
.ms-acdc.office.com
.msedge.net
.msn.com
.msocdn.com
.skype.com
.skype.net
.windows.com
.windows.net.nsatc.net
.windowsupdate.com
.xboxlive.com
login.windows.net
C:\ProgramData\Microsoft\Windows Defender\Platform\
.activedirectory.windowsazure.com
.aria.microsoft.com
.msauth.net
.msftauth.net
.opinsights.azure.com
osi.office.net
loki.delve.office.com
management.azure.com
messaging.office.com
outlook.office365.com
portal.azure.com
protection.outlook.com
substrate.office.com
.mozaws.net
.mozilla.com
.mozilla.net
.mozilla.org
.spotify.com
.spotify.map.fastly.net
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
safebrowsing.googleapis.com
.akadns.net
.netflix.com
aspnetcdn.com
ajax.googleapis.com
cdnjs.cloudflare.com
fonts.googleapis.com
.typekit.net
cdnjs.cloudflare.com
.stackassets.com
.steamcontent.com
.disqus.com
.fontawesome.com
disqus.com
.1rx.io
.2mdn.net
.adadvisor.net
.adap.tv
.addthis.com
.adform.net
.adnxs.com
.adroll.com
.adrta.com
.adsafeprotected.com
.adsrvr.org
.advertising.com
.amazon-adsystem.com
.amazon-adsystem.com
.analytics.yahoo.com
.aol.com
.betrad.com
.bidswitch.net
.casalemedia.com
.chartbeat.net
.cnn.com
.convertro.com
.criteo.com
.criteo.net
.crwdcntrl.net
.demdex.net
.domdex.com
.dotomi.com
.doubleclick.net
.doubleverify.com
.emxdgt.com
.exelator.com
.google-analytics.com
.googleadservices.com
.googlesyndication.com
.googletagmanager.com
.googlevideo.com
.gstatic.com
.gvt1.com
.gvt2.com
.ib-ibi.com
.jivox.com
.mathtag.com
.moatads.com
.moatpixel.com
.mookie1.com
.myvisualiq.net
.netmng.com
.nexac.com
.openx.net
.optimizely.com
.outbrain.com
.pardot.com
.phx.gbl
.pinterest.com
.pubmatic.com
.quantcount.com
.quantserve.com
.revsci.net
.rfihub.net
.rlcdn.com
.rubiconproject.com
.scdn.co
.scorecardresearch.com
.serving-sys.com
.sharethrough.com
.simpli.fi
.sitescout.com
.smartadserver.com
.snapads.com
.spotxchange.com
.taboola.com
.taboola.map.fastly.net
.tapad.com
.tidaltv.com
.trafficmanager.net
.tremorhub.com
.tribalfusion.com
.turn.com
.twimg.com
.tynt.com
.w55c.net
.ytimg.com
.zorosrv.com
1rx.io
adservice.google.com
ampcid.google.com
clientservices.googleapis.com
googleadapis.l.google.com
imasdk.googleapis.com
l.google.com
ml314.com
mtalk.google.com
update.googleapis.com
www.googletagservices.com
.pscp.tv
.digicert.com
.globalsign.com
.globalsign.net
msocsp.com
ocsp.msocsp.com
pki.goog
ocsp.godaddy.com
amazontrust.com
ocsp.sectigo.com
pki-goog.l.google.com
.usertrust.com
ocsp.comodoca.com
ocsp.verisign.com
ocsp.entrust.net
ocsp.identrust.com
status.rapidssl.com
status.thawte.com
ocsp.int-x3.letsencrypt.org