2016-02-15 09:22:28 +00:00
|
|
|
#
|
|
|
|
# LOKI File Name Characteristics
|
|
|
|
# This file contains regex definitions and a description
|
|
|
|
#
|
|
|
|
# APPLICATION ------------------------------------------------------------------
|
|
|
|
#
|
|
|
|
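# Every line is treated as a case-sensitive REGEX.
# Windows file names are not case sensitive, so a pattern has to cover every
# case variant it should match (compare "(TEMP|Temp)" and "ystem32" below).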
|
|
|
|
# Every line includes a description that gives information about the file-name-based IOC
|
|
|
|
#
|
|
|
|
# FORMAT -----------------------------------------------------------------------
|
|
|
|
#
|
|
|
|
# # COMMENT
|
|
|
|
# REGEX;SCORE
|
|
|
|
#
|
|
|
|
# EXAMPLES ---------------------------------------------------------------------
|
|
|
|
#
|
|
|
|
# # Various examples from APT case X
|
|
|
|
# \\svcsstat\.exe;70
|
|
|
|
# \\(server|servisces|smrr|srrm|svchost|svhost|svshost|taskmrg)\.exe$;50
|
|
|
|
# ProgramData\\Mail\\MailAg\\;80
|
|
|
|
# (Anwendungsdaten|Application Data|APPDATA)\\sydmain\.dll;80
|
|
|
|
# (TEMP|Temp)\\[^\\]+\.(xmd|yls)$;80
|
|
|
|
# (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe)[^\.];80
|
|
|
|
#
|
|
|
|
|
|
|
|
# Ncat Example
|
|
|
|
# bin\\nc\.exe;80
|
|
|
|
|
|
|
|
# Regin
|
|
|
|
\\usbclass\.sys;80
|
|
|
|
\\adpu160\.sys;80
|
|
|
|
\\msrdc64\.dat;80
|
|
|
|
\\msdcsvc\.dat;80
|
|
|
|
\\config\\SystemAudit\.Evt;80
|
|
|
|
\\config\\SecurityAudit\.Evt;80
|
|
|
|
\\config\\SystemLog\.evt;80
|
|
|
|
\\config\\ApplicationLog\.evt;80
|
|
|
|
\\ime\\imesc5\\dicts\\pintlgbs\.imd;80
|
|
|
|
\\ime\\imesc5\\dicts\\pintlgbp\.imd;80
|
|
|
|
ystem32\\winhttpc\.dll;80
|
|
|
|
ystem32\\wshnetc\.dll;80
|
|
|
|
\\SysWow64\\wshnetc\.dll;80
|
|
|
|
ystem32\\svcstat\.exe;80
|
|
|
|
ystem32\\svcsstat\.exe;80
|
|
|
|
IME\\IMESC5\\DICTS\\PINTLGBP\.IMD;80
|
|
|
|
ystem32\\wsharp\.dll;80
|
|
|
|
ystem32\\wshnetc\.dll;80
|
|
|
|
pchealth\\helpctr\\Database\\cdata\.dat;80
|
|
|
|
pchealth\\helpctr\\Database\\cdata\.edb;80
|
|
|
|
Windows\\Panther\\setup\.etl\.000;80
|
|
|
|
ystem32\\wbem\\repository\\INDEX2\.DATA;80
|
|
|
|
ystem32\\wbem\\repository\\OBJECTS2\.DATA;80
|
|
|
|
ystem32\\dnscache\.dat;80
|
|
|
|
ystem32\\mregnx\.dat;80
|
|
|
|
ystem32\\displn32\.dat;80
|
|
|
|
ystem32\\dmdskwk\.dat;80
|
|
|
|
ystem32\\nvwrsnu\.dat;80
|
|
|
|
ystem32\\tapiscfg\.dat;80
|
|
|
|
ystem32\\pciclass\.sys;80
|
|
|
|
|
|
|
|
# Five Eyes
|
|
|
|
\\20120\.dll;80
|
|
|
|
\\20121\.dll;80
|
|
|
|
\\20123\.sys;80
|
|
|
|
|
|
|
|
# Skeleton Key File Names
|
|
|
|
\\msuta64\.dll;80
|
|
|
|
\\ole64\.dll;80
|
|
|
|
|
|
|
|
# IXESHE APT Malware
|
|
|
|
\\winhlps\.exe;80
|
|
|
|
\\acrotry\.exe;80
|
|
|
|
|
|
|
|
# PlugX
|
|
|
|
(TEMP|TMP|Temp)\\DW20\.dll;80
|
|
|
|
(TEMP|TMP|Temp)\\DW20\.dll;80
|
|
|
|
(TEMP|TMP|Temp)\\dl_[0-9]{2}\.exe;80
|
|
|
|
(TEMP|TMP|Temp)\\dl_[0-9]{2}\.txt;80
|
|
|
|
(Mailing|Shipment).*Label\.exe;80
|
|
|
|
|
|
|
|
# Mandiant APT
|
|
|
|
\\Temp\\~df~;80
|
|
|
|
\\Temp\\~hf~;80
|
|
|
|
\\Temp\\~[a-z][a-z]~;80
|
|
|
|
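\\start menu\\programs\\startup\\adobe_sl\.exe;80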
|
|
|
|
Temp\\Updatasched\.exe;80
|
|
|
|
\\adobere\.exe;80
|
|
|
|
|
|
|
|
# Mandiant APT - SHELLDC.DLL (BACKDOOR)
|
|
|
|
\\Temp\\svchost\.exe;80
|
|
|
|
\\shelldc\.dll;80
|
|
|
|
\\recyle64\.dll;80
|
|
|
|
\\ws_18\.dll;80
|
|
|
|
|
|
|
|
# Mandiant APT - LIGHTDART (FAMILY)
|
|
|
|
\\ret\.log;80
|
|
|
|
\\1\.rar;80
|
|
|
|
\\qy\.htm;80
|
|
|
|
\\shsat\.exe;80
|
|
|
|
\\imxgy\.exe;80
|
|
|
|
|
|
|
|
# Kaspersky Carbanak APT Malware Hash http://goo.gl/0Nhax2
|
|
|
|
(application data|AppData|Anwendungsdaten)\\mozilla\\[^\\]+\.bin;80
|
|
|
|
\\System32\\com\\svchost\.exe;80
|
|
|
|
\\ProgramData\\mozilla\\[^\\]+\.bin;80
|
|
|
|
\\(Windows|WinXP)\\paexec;80
|
|
|
|
SysWOW64\\com\\svchost\.exe;80
|
|
|
|
|
|
|
|
# Equation Group Malware http://goo.gl/d5ujEH
|
|
|
|
ystem32\\ee\.dll;80
|
|
|
|
# Equation Related File Name http://pastebin.com/QvZNtuQW
|
|
|
|
ystem32\\msregstr\.exe;80
|
|
|
|
ystem32\\khlp894u\.dll;80
|
|
|
|
\\__c__\.lnk;80
|
|
|
|
temp\\msupdate\.exe;80
|
|
|
|
\\fanny\.bmp;80
|
|
|
|
WINDOWS\\mlan\.exe;80
|
|
|
|
Windows\\mlan\.exe;80
|
|
|
|
|
|
|
|
# Former Suspicious File Signatures ###########################################
|
|
|
|
# They get a lower score by default
|
|
|
|
|
|
|
|
# ThreatExpert Statistics
|
|
|
|
\\winsvc\.exe$;45
|
|
|
|
\\blaah\.exe;45
|
|
|
|
\\ldr\.exe$;45
|
|
|
|
\\t\.exe$;45
|
|
|
|
\\user0\.exe;45
|
|
|
|
\\mxplay_installer\.exe;45
|
|
|
|
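\\pak\-[0-9]{3,}\.exe$;45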
|
|
|
|
\\rundll\.exe$;45
|
|
|
|
\\windowsservice\\starter\.exe$;45
|
|
|
|
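\\wrar[0-9a-z]+\.exe$;45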
|
|
|
|
\\av[0-9]+\.exe$;45
|
|
|
|
\\eixplorer\.exe;45
|
|
|
|
\\win\.exe$;45
|
|
|
|
\\cleanup\.exe$;45
|
|
|
|
\\winsystem\.exe;45
|
|
|
|
Fonts\\[\w]+\.exe$;45
|
|
|
|
\\(temp|tmp)\\server\.exe;45
|
|
|
|
\\interxpoler\.exe;45
|
|
|
|
\\networkservice\.exe;45
|
|
|
|
\\favorites\.exe;45
|
|
|
|
\\microsoft\.exe$;45
|
|
|
|
\\adobe\.exe$;45
|
|
|
|
\\cncdown\.exe$;45
|
|
|
|
\\ntcom\.dll$;45
|
|
|
|
\\nthead\.dll$;45
|
|
|
|
\\services32\.exe;45
|
|
|
|
\\recycled\.exe;45
|
|
|
|
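\\sofware\.exe;45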
|
|
|
|
\\explorer[0-9]\.exe;45
|
|
|
|
\\criptor\.exe;45
|
|
|
|
\\crypt3r\.exe;45
|
|
|
|
\\temp\\copy\.exe;45
|
|
|
|
\\cuda\.exe;45
|
|
|
|
|
|
|
|
# Typical Malware Name
|
|
|
|
[\s]{7,}\.(exe|com|dll|bat|scr|vbs);45
|
|
|
|
\\[0-9]\.(exe|dll)$;45
|
|
|
|
\\[a-zA-Z]\.exe$;45
|
|
|
|
\.(doc|docx|pdf|txt)\.(exe|bat|com|scr|vbs)$;45
|
|
|
|
\\\.tmp$;45
|
|
|
|
(temp|tmp)\\[a-z]\.(zip|exe|txt)$;45
|
|
|
|
(temp|tmp)\\[a-z]\.rar;45
|
|
|
|
\\32\.exe;45
|
|
|
|
\\64\.exe;45
|
|
|
|
\\d\.exe;45
|
|
|
|
\\s\.exe;45
|
|
|
|
\\ss\.exe;45
|
|
|
|
\\sss\.exe;45
|
|
|
|
|
|
|
|
# Malware locations
|
|
|
|
AppData\\[\w]+\.exe;45
|
|
|
|
[Tt]emp\\[\w]{1,2}\.(exe|com|scr);45
|
|
|
|
[Cc]:\\[\w]{1,2}\.(exe|com|scr);45
|
|
|
|
|
|
|
|
# Symantec Waterbug Attack http://goo.gl/9Tlk90
|
|
|
|
\\tcpdump32c\.exe;45
|
|
|
|
\\typecli\.exe;45
|
|
|
|
\\msc32\.exe;45
|
|
|
|
\\dxsnd32x\.exe;45
|
|
|
|
\\msnetsrv\.exe;45
|
|
|
|
\\mswme32\.exe;45
|
|
|
|
\\msnetserv\.exe;45
|
|
|
|
\\msnet32\.exe;45
|
|
|
|
\\rpcsrv\.exe;45
|
|
|
|
\\charmap32\.exe;45
|
|
|
|
\\mqsvc32\.exe;45
|
|
|
|
\\msrss\.exe;45
|
|
|
|
\\dc1\.exe;45
|
|
|
|
\\svcmgr\.exe;45
|
|
|
|
\\msx32\.exe;45
|
|
|
|
\.XOR$;45
|
|
|
|
|
|
|
|
# Suspected Anthem Deep Panda APT
|
|
|
|
\\lot1\.tmp;45
|
|
|
|
|
|
|
|
# Trojan Characteristics
|
|
|
|
\\EXPL0RER\.exe;55
|
|
|
|
\\srv32\.exe;55
|
|
|
|
\\csrnss\.exe;55
|
|
|
|
\\0\.exe;55
|
|
|
|
\\ntldm\.exe;55
|
|
|
|
\\xxxc\.bat;55
|
|
|
|
\\winkept\.exe;55
|
|
|
|
Temp\\iexplore\.exe;55
|
|
|
|
\\hidserv\.exe;55
|
|
|
|
[Cc]:\\Inetpub\.lnk;55
|
|
|
|
\\zggjmyd\.exe;55
|
|
|
|
ystem32\\2bed\.exe;55
|
|
|
|
360\\sendlog\.txt;55
|
|
|
|
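Windows\\[0-9a-z]+\.flv;55
ystem32\\[0-9a-z]+\.flv;55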
|
|
|
|
\\downloaded[0-9]+\.exe;55
|
|
|
|
\\New\sFolder[^\\]+\.exe;55
|
|
|
|
\\myloveever\.exe;55
|
|
|
|
\\killer\.exe;55
|
|
|
|
\\mspool\.DLL;55
|
|
|
|
\\superproxy\.exe;55
|
|
|
|
\\zoufoo\.exe;55
|
|
|
|
\\omesuperv\.exe;50
|
|
|
|
ystem32\\dpisca\.exe;45
|
|
|
|
ystem32\\razorp\.exe;45
|
|
|
|
\\aaaaaaaa\.exe;55
|
|
|
|
\\d1\.tmp\.dll;55
|
|
|
|
\\fotos\.exe;55
|
|
|
|
\\new\.exe;60
|
|
|
|
\\image\.exe;60
|
|
|
|
\\movie\.exe;60
|
|
|
|
\\files\.exe;55
|
|
|
|
\\fun\.exe;60
|
|
|
|
\\freepdf\.exe;60
|
|
|
|
\\iexplorei\.exe;80
|
|
|
|
\\imagens\.exe;60
|
|
|
|
\\lost\.dir\.exe;70
|
|
|
|
\\new_folder\.exe;70
|
|
|
|
\\picture\.exe;65
|
|
|
|
\\play me\.exe;65
|
|
|
|
\\ppts\.exe;65
|
|
|
|
\\recycler\.exe;65
|
|
|
|
\\share_apps\.exe;65
|
|
|
|
[^s]\\video\.exe;65
|
|
|
|
\\whatsapp\.exe;65
|
|
|
|
\\xx\.exe;65
|
|
|
|
\\keygen1\.exe;65
|
|
|
|
\\meta\.exe;50
|
|
|
|
\\tmp\.exe;60
|
|
|
|
\\userfiles\.exe;65
|
|
|
|
\\nuevo\.exe;65
|
|
|
|
\\photo\.exe;65
|
|
|
|
\\pdf\.exe;65
|
|
|
|
\\_thumbs\.exe;65
|
|
|
|
\\music\.exe;65
|
|
|
|
\\picture\.exe;65
|
|
|
|
\\music\.exe;65
|
|
|
|
\\movie\.exe;65
|
|
|
|
\\skypee\.exe;65
|
|
|
|
|
|
|
|
# Rombertik / CarbonGrabber http://goo.gl/SGcS2H
|
|
|
|
\\fgf\.vbs;65
|
|
|
|
\\rsr\\yfoye\.bat;75
|
|
|
|
\\rsr\\yfoye\.exe;75
|
|
|
|
|
|
|
|
# Mimikatz Output
|
|
|
|
\.kirbi$;70
|
|
|
|
|
|
|
|
# Kraken / Laziok Bot https://goo.gl/5jvv9q
|
|
|
|
System\\Oracle\\smss\.exe;80
|
|
|
|
|
|
|
|
# CryptoWall http://goo.gl/psjCCc
|
|
|
|
\\HELP_DECRYPT\.URL;60
|
|
|
|
|
|
|
|
# Hawkeye Keylogger https://goo.gl/th5q2v
|
|
|
|
\\HawkEye_Keylogger_;70
|
|
|
|
|
|
|
|
# Kaspersky RAT Report https://goo.gl/th5q2v
|
|
|
|
\\AppData\\Roaming\\Microsoft\\[^\\]{1,32}\.(exe|doc|zip);50
|
|
|
|
\\AudioEndpointBuilder\.exe;60
|
|
|
|
\\BrokerInfrastructure\.exe;60
|
|
|
|
\\WindowsUpdate\.exe;50
|
|
|
|
|
|
|
|
# APT28 https://goo.gl/6Xiayq
|
|
|
|
Microsoft\\MediaPlayer\\updatewindws\.exe;100
|
|
|
|
\\updatewindws\.exe;70
|
|
|
|
\\netui\.dll;50
|
|
|
|
\\edg6EF885E2\.tmp;60
|
|
|
|
\\AppData\\Local\\conhost\.dll;70
|
|
|
|
\\Application Data\\conhost\.dll;70
|
|
|
|
\\Application Data\\svchost\.exe;70
|
|
|
|
\\Application Data\\conhost\.dll;70
|
|
|
|
\\AppData\\Local\\svchost\.exe;70
|
|
|
|
\\AppData\\Local\\conhost\.dll;70
|
|
|
|
|
|
|
|
# Fidelis Threat Advisory http://goo.gl/ZjJyti
|
|
|
|
\\9i86vdi3l1zi1v\\;60
|
|
|
|
\\cvaniocol\.cmd;60
|
|
|
|
\\flrsqgyy\.DVZ;60
|
|
|
|
\\ibdyambl\.vbs;60
|
|
|
|
\\ouhlolswfixh$;60
|
|
|
|
\\slie\.RJD$;60
|
|
|
|
\\znimialt\.exe;60
|
|
|
|
(Temp|Tmp|TEMP)\\cedt370r\(3\)\.exe;60
|
|
|
|
(Temp|Tmp|TEMP)\\penguin\.exe;60
|
|
|
|
\\Microsoft\\Windows\\hknswc\.exe;60
|
|
|
|
\\Microsoft\\Windows\\AppMgnt\.exe;60
|
|
|
|
\\PolicyManager$;60
|
|
|
|
\\FILE_127\.127\.ppt;60
|
|
|
|
\\FILE_127\.127\.ppsx;60
|
|
|
|
(Temp|Tmp|TEMP)\\destsx\.inf;50
|
|
|
|
(Temp|Tmp|TEMP)\\Alsa\\doub\.tmp;60
|
|
|
|
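(Temp|Tmp|TEMP)\\muysf\\ipbuy\.exe;70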
|
|
|
|
\\Order Details\.xls\.pps;60
|
|
|
|
|
2016-05-13 12:06:18 +00:00
|
|
|
# Sofacy - Malware http://goo.gl/OtmPzq
|
2016-02-15 09:22:28 +00:00
|
|
|
\\svchost\.exe\.exe;70
|
|
|
|
|
2016-05-13 12:06:18 +00:00
|
|
|
# Winexesvc - Remote Execution Service - often used by Pentesters and Hackers
|
|
|
|
Windows\\winexesvc\.exe;70
|
|
|
|
|
2016-02-15 09:22:28 +00:00
|
|
|
# Wild Neutron File Names https://goo.gl/Qew6dT
|
|
|
|
AppData\\Roaming\\FlashUtil\.exe;60
|
|
|
|
AppData\\Roaming\\Acer\\LiveUpdater\.exe;60
|
|
|
|
AppData\\Roaming\\Realtek\\RtlUpd\.exe;60
|
|
|
|
ProgramData\\Realtek\\RtlUpd\.exe;60
|
|
|
|
AppData\\Roaming\\sqlite3\.dll;60
|
|
|
|
Windows\\winsession\.dll;60
|
|
|
|
AppData\\appdata\\local\\temp\\teamviewer\\version9\\update\.exe;60
|
|
|
|
Windows\\temp\\_dbg\.tmp;60
|
|
|
|
Windows\\temp\\ok\.tmp;60
|
|
|
|
indows\\temp\\debug\.txt;60
|
|
|
|
indows\\syswow64\\mshtaex\.exe;60
|
|
|
|
\\System32\\mshtaex\.exe;60
|
|
|
|
\\System32\\wdigestEx\.dll;60
|
|
|
|
\\System32\\dpcore16t\.dll;60
|
|
|
|
\\System32\\iastor32\.exe;60
|
|
|
|
\\System32\\mspool\.dll;60
|
|
|
|
\\System32\\msvcse\.exe;60
|
|
|
|
\\System32\\mspool\.exe;60
|
|
|
|
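C:\\Program Files \(x86\)\\LNVSuite\\LnrAuth\.dll;60
C:\\Program Files \(x86\)\\LNVSuite\\LnrAuthSvc\.dll;60
C:\\Program Files \(x86\)\\LNVSuite\\LnrUpdt\.exe;60
C:\\Program Files \(x86\)\\LNVSuite\\LnrUpdtP\.exe;60
# "(x86)" in the four patterns above is escaped: unescaped, the parentheses form a regex group and the literal directory name "Program Files (x86)" never matches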
|
|
|
|
|
|
|
|
# F-Secure Wonknu APT Backdoor:W32/Wonknu.A https://goo.gl/JjVikT
|
|
|
|
\\programdata\\kav\.exe;85
|
|
|
|
\\Java_Down\.exe;80
|
|
|
|
|
|
|
|
# Phishing Wave Dec 2015
|
|
|
|
\\p0o6543f\.exe;85
|
|
|
|
|
|
|
|
# Sofacy group report Dec 2015 - https://goo.gl/WSvEM8
|
|
|
|
AppData\\Local\\Microsoft\\Windows\\msdeltemp\.dll;80
|
|
|
|
\\msdeltemp\.dll;50
|
|
|
|
\\tf394kv\.dll;75
|
|
|
|
AppData\\dllhost\.exe;80
|
|
|
|
AppData\\sechost\.exe;80
|
|
|
|
Temp\\dllhost\.exe;80
|
|
|
|
Temp\\sechost\.exe;80
|
|
|
|
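AppData\\chkdbg\.log;60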
|
|
|
|
AppData\\svchost\.exe;80
|
|
|
|
Temp\\svchost\.exe;80
|
|
|
|
AppData\\conhost\.dll;80
|
|
|
|
Temp\\conhost\.dll;80
|
|
|
|
|
|
|
|
# FireEye Report admin@338 https://goo.gl/JAlw3s
|
|
|
|
\\upload\.rar;70
|
|
|
|
|
|
|
|
# Microsoft Intelligence Report http://goo.gl/jcS0lO
|
|
|
|
\\SupUpNvidia\.exe;80
|
|
|
|
\\svchosl\.exe;80
|
|
|
|
\\svehost\.exe;80
|
|
|
|
\\run_x64\.exe;55
|
|
|
|
\\run_x86\.exe;55
|
|
|
|
\\advstorshell\.exe;65
|
|
|
|
\\runrun\.exe;60
|
|
|
|
\\MicrosoftSup\.dll;70
|
|
|
|
|
|
|
|
# Inocnation Report - Fidelis Cybersecurity https://goo.gl/HA82xf
|
|
|
|
Temp\\Center[0-9]{6,11}\.dat;65
|
|
|
|
AppData\\adobe\\adobe\.dat;65
|
|
|
|
|
|
|
|
# Hexacorn Blog Entry - Homomorphic abuse http://goo.gl/1UGJVn
|
|
|
|
\\5hrome\.exe;45
|
|
|
|
\\a_chrome\.exe;45
|
|
|
|
\\cchrome\.exe;45
|
|
|
|
\\chorom\.exe;45
|
|
|
|
\\chr0me\.exe;45
|
|
|
|
\\chro2me\.exe;45
|
|
|
|
\\chrom\.exe;45
|
|
|
|
\\-chrome\.exe;45
|
|
|
|
\\chrome1\.exe;45
|
|
|
|
\\chrome10\.exe;45
|
|
|
|
\\chrome3\.exe;45
|
|
|
|
\\chrome32\.exe;45
|
|
|
|
\\chrome9\.exe;45
|
|
|
|
\\chromede\.exe;45
|
|
|
|
\\chromee\.exe;45
|
|
|
|
\\chromeez\.exe;45
|
|
|
|
\\chromei\.exe;45
|
|
|
|
\\chromes\.exe;45
|
|
|
|
\\chromix\.exe;45
|
|
|
|
\\chromme\.exe;45
|
|
|
|
\\chrommm\.exe;45
|
|
|
|
\\chromre\.exe;45
|
|
|
|
\\chromse\.exe;45
|
|
|
|
\\chromyy\.exe;45
|
|
|
|
\\chroom\.exe;45
|
|
|
|
\\chroome\.exe;45
|
|
|
|
\\chroum\.exe;45
|
|
|
|
\\crhome\.exe;45
|
|
|
|
\\nichrome\.exe;45
|
|
|
|
\\_cerss\.exe;45
|
|
|
|
\\_csrss\.exe;45
|
|
|
|
\\carss\.exe;45
|
|
|
|
\\ccrs\.exe;45
|
|
|
|
\\cress\.exe;45
|
|
|
|
\\crrss\.exe;45
|
|
|
|
\\crss\.exe;45
|
|
|
|
\\crsss\.exe;45
|
|
|
|
\\csrcs\.exe;45
|
|
|
|
\\csres\.exe;45
|
|
|
|
\\csriss\.exe;45
|
|
|
|
\\csrlt\.exe;45
|
|
|
|
\\csrms\.exe;45
|
|
|
|
\\csrmss\.exe;45
|
|
|
|
\\csrrss\.exe;45
|
|
|
|
\\csrs\.exe;45
|
|
|
|
\\csrsc\.exe;45
|
|
|
|
\\csrse\.exe;45
|
|
|
|
\\csrsess\.exe;45
|
|
|
|
\\csrsk\.exe;45
|
|
|
|
\\csrsl\.exe;45
|
|
|
|
\\csrsrv\.exe;45
|
|
|
|
\\csrss_1\.exe;45
|
|
|
|
\\csrss_2\.exe;45
|
|
|
|
\\csrss_8\.exe;45
|
|
|
|
\\csrss_9\.exe;45
|
|
|
|
\\csrss32\.exe;45
|
|
|
|
\\csrssa\.exe;45
|
|
|
|
\\csrssc\.exe;45
|
|
|
|
\\csrsses\.exe;45
|
|
|
|
\\csrssr\.exe;45
|
|
|
|
\\csrsss\.exe;45
|
|
|
|
\\csrssw\.exe;45
|
|
|
|
\\csrssys\.exe;45
|
|
|
|
\\csrst\.exe;45
|
|
|
|
\\csrsvc\.exe;45
|
|
|
|
\\csrsvr\.exe;45
|
|
|
|
\\csrsx\.exe;45
|
|
|
|
\\csrtss\.exe;45
|
|
|
|
\\csrus\.exe;45
|
|
|
|
\\csrvs\.exe;45
|
|
|
|
\\cssrs\.exe;45
|
|
|
|
\\cssrsa\.exe;45
|
|
|
|
\\cssrsr\.exe;45
|
|
|
|
\\cssrss\.exe;45
|
|
|
|
\\cvrss\.exe;45
|
|
|
|
\\scrss\.exe;45
|
|
|
|
\\0iexplorer\.exe;45
|
|
|
|
\\12iexplore\.exe;45
|
|
|
|
\\2ciexplore\.exe;45
|
|
|
|
\\2fexplorer\.exe;45
|
|
|
|
\\5explore\.exe;45
|
|
|
|
\\5xplorer\.exe;45
|
|
|
|
\\_iexplors\.exe;45
|
|
|
|
\\dexplorer\.exe;45
|
|
|
|
\\dxplore\.exe;45
|
|
|
|
\\e1xplorer\.exe;45
|
|
|
|
\\eexplorer\.exe;45
|
|
|
|
\\eexxplorer\.exe;45
|
|
|
|
\\eksplorer\.exe;45
|
|
|
|
\\ep1orer\.exe;45
|
|
|
|
\\esplorer\.exe;45
|
|
|
|
\\exeplorer\.exe;45
|
|
|
|
\\exlorer\.exe;45
|
|
|
|
\\exoplorer\.exe;45
|
|
|
|
\\exp10rer\.exe;45
|
|
|
|
\\exp1or\.exe;45
|
|
|
|
\\exp1ore\.exe;45
|
|
|
|
\\exp1orer\.exe;45
|
|
|
|
\\exp1ror\.exe;45
|
|
|
|
\\exp20re\.exe;45
|
|
|
|
\\expiorer\.exe;45
|
|
|
|
\\expioror\.exe;45
|
|
|
|
\\expl0rer\.exe;45
|
|
|
|
\\explarar\.exe;45
|
|
|
|
\\explarer\.exe;45
|
|
|
|
\\expleror\.exe;45
|
|
|
|
\\exploe\.exe;45
|
|
|
|
\\exploer\.exe;45
|
|
|
|
\\exploere\.exe;45
|
|
|
|
\\exploerer\.exe;45
|
|
|
|
\\exploiter\.exe;45
|
|
|
|
\\exploner\.exe;45
|
|
|
|
\\explope\.exe;45
|
|
|
|
\\explor\.exe;45
|
|
|
|
\\explora\.exe;45
|
|
|
|
\\explore\.exe;45
|
|
|
|
\\explored\.exe;45
|
|
|
|
\\exploree\.exe;45
|
|
|
|
\\exploreee\.exe;45
|
|
|
|
\\exploreff\.exe;45
|
|
|
|
\\explorei\.exe;45
|
|
|
|
\\explorep\.exe;45
|
|
|
|
\\explorer1\.exe;45
|
|
|
|
\\explorer32\.exe;45
|
|
|
|
\\explorer64\.exe;45
|
|
|
|
\\explorer66\.exe;45
|
|
|
|
\\explorer_\.exe;45
|
|
|
|
\\explorere\.exe;45
|
|
|
|
\\explorerf\.exe;45
|
|
|
|
\\explorerr\.exe;45
|
|
|
|
\\explorerrr\.exe;45
|
|
|
|
\\explorers\.exe;45
|
|
|
|
\\explorerv\.exe;45
|
|
|
|
\\explorerxx\.exe;45
|
|
|
|
\\explorerz\.exe;45
|
|
|
|
\\explores\.exe;45
|
|
|
|
\\exploret\.exe;45
|
|
|
|
\\explorew\.exe;45
|
|
|
|
\\exploror\.exe;45
|
|
|
|
\\explorr\.exe;45
|
|
|
|
\\explorre\.exe;45
|
|
|
|
\\explorrer\.exe;45
|
|
|
|
\\explorxp\.exe;45
|
|
|
|
\\explre3r\.exe;45
|
|
|
|
\\explrer\.exe;45
|
|
|
|
\\explroer\.exe;45
|
|
|
|
\\expoler\.exe;45
|
|
|
|
\\expolorer\.exe;45
|
|
|
|
\\exporer\.exe;45
|
|
|
|
\\exprer\.exe;45
|
|
|
|
\\exprlore\.exe;45
|
|
|
|
\\exproler\.exe;45
|
|
|
|
\\exqlorer\.exe;45
|
|
|
|
\\exsplorer\.exe;45
|
|
|
|
\\exxplorer\.exe;45
|
|
|
|
\\ieioplore\.exe;45
|
|
|
|
\\ieplore\.exe;45
|
|
|
|
\\ieplorer\.exe;45
|
|
|
|
\\iexeplore\.exe;45
|
|
|
|
\\iexlorer\.exe;45
|
|
|
|
\\iexlplore\.exe;45
|
|
|
|
\\iexp1ore\.exe;45
|
|
|
|
\\iexp1orer\.exe;45
|
|
|
|
\\iexpiore\.exe;45
|
|
|
|
\\iexpl0ra\.exe;45
|
|
|
|
\\iexpl0re\.exe;45
|
|
|
|
\\iexplare\.exe;45
|
|
|
|
\\iexplarer\.exe;45
|
|
|
|
\\iexplere\.exe;45
|
|
|
|
\\iexpllzore\.exe;45
|
|
|
|
\\iexplo\.exe;45
|
|
|
|
\\iexploer\.exe;45
|
|
|
|
\\iexploore\.exe;45
|
|
|
|
\\iexplope\.exe;45
|
|
|
|
\\iexplor\.exe;45
|
|
|
|
\\iexplore32\.exe;45
|
|
|
|
\\iexplorea\.exe;45
|
|
|
|
\\iexplorei\.exe;45
|
|
|
|
\\iexplorer\.exe;45
|
|
|
|
\\iexplorer0\.exe;45
|
|
|
|
\\iexplorer2\.exe;45
|
|
|
|
\\iexplorer7\.exe;45
|
|
|
|
\\iexplorers\.exe;45
|
|
|
|
\\iexplores\.exe;45
|
|
|
|
\\iexploresx\.exe;45
|
|
|
|
\\iexploror\.exe;45
|
|
|
|
\\iexplorrer\.exe;45
|
|
|
|
\\iexplors\.exe;45
|
|
|
|
\\iexplory\.exe;45
|
|
|
|
\\iexplorz\.exe;45
|
|
|
|
\\iexpore\.exe;45
|
|
|
|
\\iiexplore\.exe;45
|
|
|
|
\\iiexplorer\.exe;45
|
|
|
|
\\inexplore\.exe;45
|
|
|
|
\\inexplorer\.exe;45
|
|
|
|
\\intexplore\.exe;45
|
|
|
|
\\ixplorer\.exe;45
|
|
|
|
\\lexpiore\.exe;45
|
|
|
|
\\lexpl1re\.exe;45
|
|
|
|
\\lexpl2re\.exe;45
|
|
|
|
\\lexpl3re\.exe;45
|
|
|
|
\\lexpl4re\.exe;45
|
|
|
|
\\lexpl5re\.exe;45
|
|
|
|
\\lexpl6re\.exe;45
|
|
|
|
\\lexpl7re\.exe;45
|
|
|
|
\\lexpl8re\.exe;45
|
|
|
|
\\lexpl9re\.exe;45
|
|
|
|
\\lexplare\.exe;45
|
|
|
|
\\lexplbre\.exe;45
|
|
|
|
\\lexplcre\.exe;45
|
|
|
|
\\lexpldre\.exe;45
|
|
|
|
\\lexplere\.exe;45
|
|
|
|
\\lexplfre\.exe;45
|
|
|
|
\\lexplgre\.exe;45
|
|
|
|
\\lexplhre\.exe;45
|
|
|
|
\\lexplire\.exe;45
|
|
|
|
\\lexpljre\.exe;45
|
|
|
|
\\lexplkre\.exe;45
|
|
|
|
\\lexpllre\.exe;45
|
|
|
|
\\lexplmre\.exe;45
|
|
|
|
\\lexplnre\.exe;45
|
|
|
|
\\lexplore\.exe;45
|
|
|
|
\\lexplore_\.exe;45
|
|
|
|
\\lexplorer\.exe;45
|
|
|
|
\\lexplors\.exe;45
|
|
|
|
\\lexplpre\.exe;45
|
|
|
|
\\lexplqre\.exe;45
|
|
|
|
\\lexplrre\.exe;45
|
|
|
|
\\lexplsre\.exe;45
|
|
|
|
\\lexpltre\.exe;45
|
|
|
|
\\lexplure\.exe;45
|
|
|
|
\\lexplvre\.exe;45
|
|
|
|
\\lexplwre\.exe;45
|
|
|
|
\\lexplxre\.exe;45
|
|
|
|
\\lexplyre\.exe;45
|
|
|
|
\\lexplzre\.exe;45
|
|
|
|
\\msexplorer\.exe;45
|
|
|
|
\\netplore\.exe;45
|
|
|
|
\\plorer\.exe;45
|
|
|
|
\\vbexplorer\.exe;45
|
|
|
|
\\wexplorer\.exe;45
|
|
|
|
\\winexplore\.exe;45
|
|
|
|
\\xeplorer\.exe;45
|
|
|
|
\\xplore\.exe;45
|
|
|
|
\\xplorer\.exe;45
|
|
|
|
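\\yyexplorer\.exe;45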
|
|
|
|
\\5cfirefox\.exe;45
|
|
|
|
\\5irefox\.exe;45
|
|
|
|
\\f1ref0x\.exe;45
|
|
|
|
\\fire10fox\.exe;45
|
|
|
|
\\firef0x\.exe;45
|
|
|
|
\\firefly\.exe;45
|
|
|
|
\\firefo\.exe;45
|
|
|
|
\\firefox_\.exe;45
|
|
|
|
\\firefox2\.exe;45
|
|
|
|
\\firefox32\.exe;45
|
|
|
|
\\firefoxe\.exe;45
|
|
|
|
\\firefoxx\.exe;45
|
|
|
|
\\firfox\.exe;45
|
|
|
|
\\irefox\.exe;45
|
|
|
|
\\refox\.exe;45
|
|
|
|
\\wireox\.exe;45
|
|
|
|
\\jav3\.exe;45
|
|
|
|
\\java32\.exe;45
|
|
|
|
\\javaa\.exe;45
|
|
|
|
\\javaaa\.exe;45
|
|
|
|
\\javaap\.exe;45
|
|
|
|
\\javacp\.exe;45
|
|
|
|
\\javag\.exe;45
|
|
|
|
\\javaii\.exe;45
|
|
|
|
\\javapw\.exe;45
|
|
|
|
\\javar\.exe;45
|
|
|
|
\\javare\.exe;45
|
|
|
|
\\javas\.exe;45
|
|
|
|
\\javas5\.exe;45
|
|
|
|
\\javasc\.exe;45
|
|
|
|
\\javase\.exe;45
|
|
|
|
\\javaup\.exe;45
|
|
|
|
\\javavm\.exe;45
|
|
|
|
\\javawz\.exe;45
|
|
|
|
\\javax\.exe;45
|
|
|
|
\\javo\.exe;45
|
|
|
|
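\\javz\.exe;45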
|
|
|
|
\\1sass\.exe;45
|
|
|
|
\\iass\.exe;45
|
|
|
|
\\isaas\.exe;45
|
|
|
|
\\isas\.exe;45
|
|
|
|
\\isass\.exe;45
|
|
|
|
\\issass\.exe;45
|
|
|
|
\\laass\.exe;45
|
|
|
|
\\lamss\.exe;45
|
|
|
|
\\larss\.exe;45
|
|
|
|
\\lass\.exe;45
|
|
|
|
\\lassa\.exe;45
|
|
|
|
\\lasse\.exe;45
|
|
|
|
\\lasss\.exe;45
|
|
|
|
\\lcass\.exe;45
|
|
|
|
\\leass\.exe;45
|
|
|
|
\\lhssass\.exe;45
|
|
|
|
\\lrass\.exe;45
|
|
|
|
\\lrsss\.exe;45
|
|
|
|
\\lsa32\.exe;45
|
|
|
|
\\lsac\.exe;45
|
|
|
|
\\lsacs\.exe;45
|
|
|
|
\\lsaess\.exe;45
|
|
|
|
\\lsaoss\.exe;45
|
|
|
|
\\lsas\.exe;45
|
|
|
|
\\lsasa\.exe;45
|
|
|
|
\\lsasas\.exe;45
|
|
|
|
\\lsascs\.exe;45
|
|
|
|
\\lsase\.exe;45
|
|
|
|
\\lsasi\.exe;45
|
|
|
|
\\lsasm\.exe;45
|
|
|
|
\\lsaso\.exe;45
|
|
|
|
\\lsasrv\.exe;45
|
|
|
|
\\lsass3\.exe;45
|
|
|
|
\\lsass32\.exe;45
|
|
|
|
\\lsass47\.exe;45
|
|
|
|
\\lsassi\.exe;45
|
|
|
|
\\lsassn\.exe;45
|
|
|
|
\\lsasss\.exe;45
|
|
|
|
\\lsassv\.exe;45
|
|
|
|
\\lsassx\.exe;45
|
|
|
|
\\lsassys\.exe;45
|
|
|
|
\\lsats\.exe;45
|
|
|
|
\\lsmass\.exe;45
|
|
|
|
\\lsrss\.exe;45
|
|
|
|
\\lssas\.exe;45
|
|
|
|
\\lssass\.exe;45
|
|
|
|
\\msass\.exe;45
|
|
|
|
\\nsrss\.exe;45
|
|
|
|
\\salss\.exe;45
|
|
|
|
\\_sachost\.exe;45
|
|
|
|
\\_svch0st\.exe;45
|
|
|
|
\\_svchost\.exe;45
|
|
|
|
\\00svchost\.exe;45
|
|
|
|
\\0svchost\.exe;45
|
|
|
|
\\achost\.exe;45
|
|
|
|
\\chost\.exe;45
|
|
|
|
\\cvhost\.exe;45
|
|
|
|
\\cvshost\.exe;45
|
|
|
|
\\isvchosty\.exe;45
|
|
|
|
\\lsvchost\.exe;45
|
|
|
|
\\mscchost\.exe;45
|
|
|
|
\\msvchost\.exe;45
|
|
|
|
\\ntsvchost\.exe;45
|
|
|
|
\\rdchost\.exe;45
|
|
|
|
\\s_host\.exe;45
|
|
|
|
\\sach0st\.exe;45
|
|
|
|
\\sachost\.exe;45
|
|
|
|
\\sachostc\.exe;45
|
|
|
|
\\sachostp\.exe;45
|
|
|
|
\\sachostp\.exe;45
|
|
|
|
\\sachosts\.exe;45
|
|
|
|
\\sachosts\.exe;45
|
|
|
|
\\sachostw\.exe;45
|
|
|
|
\\sachostw\.exe;45
|
|
|
|
\\sachostx\.exe;45
|
|
|
|
\\sathost\.exe;45
|
|
|
|
\\sbhost\.exe;45
|
|
|
|
\\scanost\.exe;45
|
|
|
|
\\scchost\.exe;45
|
|
|
|
\\scchost\.exe;45
|
|
|
|
\\scchost2\.exe;45
|
|
|
|
\\scchostc\.exe;45
|
|
|
|
\\scchostc\.exe;45
|
|
|
|
\\scghost\.exe;45
|
|
|
|
\\schost\.exe;45
|
|
|
|
\\schost\.exe;45
|
|
|
|
\\schostc\.exe;45
|
|
|
|
\\schosts\.exe;45
|
|
|
|
\\schovst\.exe;45
|
|
|
|
\\schvost\.exe;45
|
|
|
|
\\scvchost\.exe;45
|
|
|
|
\\scvchusts\.exe;45
|
|
|
|
\\scvh0st\.exe;45
|
|
|
|
\\scvh0st\.exe;45
|
|
|
|
\\scvhost\.exe;45
|
|
|
|
\\scvhost\.exe;45
|
|
|
|
\\scvhosv\.exe;45
|
|
|
|
\\scvost\.exe;45
|
|
|
|
\\scvvhost\.exe;45
|
|
|
|
\\sdchost\.exe;45
|
|
|
|
\\sdhost\.exe;45
|
|
|
|
\\serhost\.exe;45
|
|
|
|
\\servehost\.exe;45
|
|
|
|
\\sethost\.exe;45
|
|
|
|
\\sevchos\.exe;45
|
|
|
|
\\sevhost\.exe;45
|
|
|
|
\\shchost\.exe;45
|
|
|
|
\\shhost\.exe;45
|
|
|
|
\\shost\.exe;45
|
|
|
|
\\shvchost\.exe;45
|
|
|
|
\\shvhost\.exe;45
|
|
|
|
\\sichost\.exe;45
|
|
|
|
\\slchost\.exe;45
|
|
|
|
\\slihost\.exe;45
|
|
|
|
\\smsvchost\.exe;45
|
|
|
|
\\snahost\.exe;45
|
|
|
|
\\snhost\.exe;45
|
|
|
|
\\snphost\.exe;45
|
|
|
|
\\snvhost\.exe;45
|
|
|
|
\\sochost\.exe;45
|
|
|
|
\\sochvst\.exe;45
|
|
|
|
\\soohost\.exe;45
|
|
|
|
\\spchost\.exe;45
|
|
|
|
\\sqlhost\.exe;45
|
|
|
|
\\srchost\.exe;45
|
|
|
|
\\srshost\.exe;45
|
|
|
|
\\srvchost\.exe;45
|
|
|
|
\\srvchost\.exe;45
|
|
|
|
\\srvhost\.exe;45
|
|
|
|
\\sschost\.exe;45
|
|
|
|
\\sshost\.exe;45
|
|
|
|
\\ssvch0st\.exe;45
|
|
|
|
\\ssvchost\.exe;45
|
|
|
|
\\ssvchost\.exe;45
|
|
|
|
\\ssvichosst\.exe;45
|
|
|
|
\\st#host\.exe;45
|
|
|
|
\\stdhost\.exe;45
|
|
|
|
\\suchost\.exe;45
|
|
|
|
\\suchost\.exe;45
|
|
|
|
\\suchostp\.exe;45
|
|
|
|
\\suchostp\.exe;45
|
|
|
|
\\suchosts\.exe;45
|
|
|
|
\\suchosts\.exe;45
|
|
|
|
\\sv_host\.exe;45
|
|
|
|
\\sv±hest\.exe;45
|
|
|
|
\\sv0hoat\.exe;45
|
|
|
|
\\sv1host\.exe;45
|
|
|
|
\\svahost\.exe;45
|
|
|
|
\\svahost\.exe;45
|
|
|
|
\\svcbost\.exe;45
|
|
|
|
\\svcchost\.exe;45
|
|
|
|
\\svcchost\.exe;45
|
|
|
|
\\svcehost\.exe;45
|
|
|
|
\\svcehost\.exe;45
|
|
|
|
\\svcgest\.exe;45
|
|
|
|
\\svcgh0st\.exe;45
|
|
|
|
\\svcgoost\.exe;45
|
|
|
|
\\svch0sat\.exe;45
|
|
|
|
\\svch0sbt\.exe;45
|
|
|
|
\\svch0set\.exe;45
|
|
|
|
\\svch0sft\.exe;45
|
|
|
|
\\svch0slt\.exe;45
|
|
|
|
\\svch0smt\.exe;45
|
|
|
|
\\svch0st\.exe;45
|
|
|
|
\\svch0st\.exe;45
|
|
|
|
\\svch0st_\.exe;45
|
|
|
|
\\svch0sts\.exe;45
|
|
|
|
\\svch7t\.exe;45
|
|
|
|
\\svchaot\.exe;45
|
|
|
|
\\svchast\.exe;45
|
|
|
|
\\svchast\.exe;45
|
|
|
|
\\svchcst\.exe;45
|
|
|
|
\\svchcst\.exe;45
|
|
|
|
\\svchest\.exe;45
|
|
|
|
\\svchest\.exe;45
|
|
|
|
\\svchhost\.exe;45
|
|
|
|
\\svchîst\.exe;45
|
|
|
|
\\svchkost\.exe;45
|
|
|
|
\\svcho\.exe;45
|
|
|
|
\\svchobst\.exe;45
|
|
|
|
\\svchoct\.exe;45
|
|
|
|
\\svcholts\.exe;45
|
|
|
|
\\svchon32\.exe;45
|
|
|
|
\\svchoost\.exe;45
|
|
|
|
\\svchoot\.exe;45
|
|
|
|
\\svchort\.exe;45
|
|
|
|
\\svchos\.exe;45
|
|
|
|
\\svchos12\.exe;45
|
|
|
|
\\svchosd\.exe;45
|
|
|
|
\\svchosf\.exe;45
|
|
|
|
\\svchosf\.exe;45
|
|
|
|
\\svchosi\.exe;45
|
|
|
|
\\svchosl\.exe;45
|
|
|
|
\\svchoso\.exe;45
|
|
|
|
\\svchosr\.exe;45
|
|
|
|
\\svchoss\.exe;45
|
|
|
|
\\svchosst\.exe;45
|
|
|
|
\\svchöst\.exe;45
|
|
|
|
\\svchost_\.exe;45
|
|
|
|
\\svchost_cz\.exe;45
|
|
|
|
\\svchost”\.exe;45
|
|
|
|
\\svchost0\.exe;45
|
|
|
|
\\svchost1\.exe;45
|
|
|
|
\\svchost10\.exe;45
|
|
|
|
\\svchost16\.exe;45
|
|
|
|
\\svchost2\.exe;45
|
|
|
|
\\svchost2\.exe;45
|
|
|
|
\\svchost3\.exe;45
|
|
|
|
\\svchost3\.exe;45
|
|
|
|
\\svchost31\.exe;45
|
|
|
|
\\svchost32\.exe;45
|
|
|
|
\\svchost32\.exe;45
|
|
|
|
\\svchost4\.exe;45
|
|
|
|
\\svchost5\.exe;45
|
|
|
|
\\svchost6\.exe;45
|
|
|
|
\\svchost64\.exe;45
|
|
|
|
\\svchost64\.exe;45
|
|
|
|
\\svchosta\.exe;45
|
|
|
|
\\svchostbb\.exe;45
|
|
|
|
\\svchostbd\.exe;45
|
|
|
|
\\svchostbn\.exe;45
|
|
|
|
\\svchostc\.exe;45
|
|
|
|
\\svchostc32\.exe;45
|
|
|
|
\\svchostcx\.exe;45
|
|
|
|
\\svchostd\.exe;45
|
|
|
|
\\svchostdll\.exe;45
|
|
|
|
\\svchoste\.exe;45
|
|
|
|
\\svchosted\.exe;45
|
|
|
|
\\svchosti\.exe;45
|
|
|
|
\\svchosting\.exe;45
|
|
|
|
\\svchostit\.exe;45
|
|
|
|
\\svchostl\.exe;45
|
|
|
|
\\svchostms\.exe;45
|
|
|
|
\\svchosto\.exe;45
|
|
|
|
\\svchostr\.exe;45
|
|
|
|
\\svchostre\.exe;45
|
|
|
|
\\svchosts\.exe;45
|
|
|
|
\\svchosts\.exe;45
|
|
|
|
\\svchosts32\.exe;45
|
|
|
|
\\svchostsr\.exe;45
|
|
|
|
\\svchostss\.exe;45
|
|
|
|
\\svchostt\.exe;45
|
|
|
|
\\svchostt\.exe;45
|
|
|
|
\\svchostþ\.exe;45
|
|
|
|
\\svchostun\.exe;45
|
|
|
|
\\svchostv\.exe;45
|
|
|
|
\\svchostv\.exe;45
|
|
|
|
\\svchostxi\.exe;45
|
|
|
|
\\svchostxi\.exe;45
|
|
|
|
\\svchostxxx\.exe;45
|
|
|
|
\\svchostz\.exe;45
|
|
|
|
\\svchosv\.exe;45
|
|
|
|
\\svchosy\.exe;45
|
|
|
|
\\svchot\.exe;45
|
|
|
|
\\svchoto\.exe;45
|
|
|
|
\\svchots\.exe;45
|
|
|
|
\\svchots\.exe;45
|
|
|
|
\\svchott\.exe;45
|
|
|
|
\\svchowb\.exe;45
|
|
|
|
\\svchowt\.exe;45
|
|
|
|
\\svchoxt\.exe;45
|
|
|
|
\\svchoxt\.exe;45
|
|
|
|
\\svchpst\.exe;45
|
|
|
|
\\svchpst\.exe;45
|
|
|
|
\\svchqs\.exe;45
|
|
|
|
\\svchqst\.exe;45
|
|
|
|
\\svchs0t\.exe;45
|
|
|
|
\\svchsot\.exe;45
|
|
|
|
\\svchsot\.exe;45
|
|
|
|
\\svchsst\.exe;45
|
|
|
|
\\svchssts\.exe;45
|
|
|
|
\\svchst\.exe;45
|
|
|
|
\\svchste\.exe;45
|
|
|
|
\\svchsts\.exe;45
|
|
|
|
\\svchtst\.exe;45
|
|
|
|
\\svchust\.exe;45
|
|
|
|
\\svchusts\.exe;45
|
|
|
|
\\svcinit\.exe;45
|
|
|
|
\\svcjhost\.exe;45
|
|
|
|
\\svclost\.exe;45
|
|
|
|
\\svcmost\.exe;45
|
|
|
|
\\svcnost\.exe;45
|
|
|
|
\\svcnost\.exe;45
|
|
|
|
\\svcohst\.exe;45
|
|
|
|
\\svcomst\.exe;45
|
|
|
|
\\svcoost\.exe;45
|
|
|
|
\\svcost\.exe;45
|
|
|
|
\\svcpos\.exe;45
|
|
|
|
\\svcroot\.exe;45
|
|
|
|
\\svcroot\.exe;45
|
|
|
|
\\svcshtost\.exe;45
|
|
|
|
\\svcsoft\.exe;45
|
|
|
|
\\svcsost\.exe;45
|
|
|
|
\\svcst\.exe;45
|
|
|
|
\\svctos\.exe;45
|
|
|
|
\\svcxhost\.exe;45
|
|
|
|
\\svdhost\.exe;45
|
|
|
|
\\svdhost\.exe;45
|
|
|
|
\\svdnost\.exe;45
|
|
|
|
\\svehost\.exe;45
|
|
|
|
\\svehost\.exe;45
|
|
|
|
\\svgchost\.exe;45
|
|
|
|
\\svggost\.exe;45
|
|
|
|
\\svghost\.exe;45
|
|
|
|
\\svghost\.exe;45
|
|
|
|
\\svghosts\.exe;45
|
|
|
|
\\svh0st\.exe;45
|
|
|
|
\\svhcost\.exe;45
|
|
|
|
\\svhest\.exe;45
|
|
|
|
\\svhoct\.exe;45
|
|
|
|
\\svhosit\.exe;45
|
|
|
|
\\svhosr\.exe;45
|
|
|
|
\\svhosst\.exe;45
|
|
|
|
\\svhost\.exe;45
|
|
|
|
\\svhost\.exe;45
|
|
|
|
\\svhost1\.exe;45
|
|
|
|
\\svhost2\.exe;45
|
|
|
|
\\svhostc\.exe;45
|
|
|
|
\\svhoste\.exe;45
|
|
|
|
\\svhostr\.exe;45
|
|
|
|
\\svhosts\.exe;45
|
|
|
|
\\svhostt\.exe;45
|
|
|
|
\\svhostu\.exe;45
|
|
|
|
\\svhot\.exe;45
|
|
|
|
\\svhst\.exe;45
|
|
|
|
\\svhust\.exe;45
|
|
|
|
\\svichosst\.exe;45
|
|
|
|
\\svichost\.exe;45
|
|
|
|
\\svlhost\.exe;45
|
|
|
|
\\svnchost\.exe;45
|
|
|
|
\\svnhost\.exe;45
|
|
|
|
\\svohcst\.exe;45
|
|
|
|
\\svohcst\.exe;45
|
|
|
|
\\svohost\.exe;45
|
|
|
|
\\svohost\.exe;45
|
|
|
|
\\svohst\.exe;45
|
|
|
|
\\svost\.exe;45
|
|
|
|
\\svphost\.exe;45
|
|
|
|
\\svphost\.exe;45
|
|
|
|
\\svphostu\.exe;45
|
|
|
|
\\svphostu\.exe;45
|
|
|
|
\\svrhost\.exe;45
|
|
|
|
\\svrhost\.exe;45
|
|
|
|
\\svschost\.exe;45
|
|
|
|
\\svschost\.exe;45
|
|
|
|
\\svschosta\.exe;45
|
|
|
|
\\svsh0st\.exe;45
|
|
|
|
\\svsh0st\.exe;45
|
|
|
|
\\svshoct\.exe;45
|
|
|
|
\\svshost\.exe;45
|
|
|
|
\\svshosti\.exe;45
|
|
|
|
\\svshosts\.exe;45
|
|
|
|
\\svshot\.exe;45
|
|
|
|
\\svuhost\.exe;45
|
|
|
|
\\svvchcst\.exe;45
|
|
|
|
\\svvchost\.exe;45
|
|
|
|
\\svvghost\.exe;45
|
|
|
|
\\svvhost\.exe;45
|
|
|
|
\\svvhost\.exe;45
|
|
|
|
\\svvhosti\.exe;45
|
|
|
|
\\svwhost\.exe;45
|
|
|
|
\\svxhos\.exe;45
|
|
|
|
\\svxhost\.exe;45
|
|
|
|
\\swchost\.exe;45
|
|
|
|
\\swchost\.exe;45
|
|
|
|
\\swdhost\.exe;45
|
|
|
|
\\swhost\.exe;45
|
|
|
|
\\swhost\.exe;45
|
|
|
|
\\sxhost\.exe;45
|
|
|
|
\\sxhost\.exe;45
|
|
|
|
\\sychost\.exe;45
|
|
|
|
\\synchost\.exe;45
|
|
|
|
\\synchost\.exe;45
|
|
|
|
\\synhost\.exe;45
|
|
|
|
\\syschost\.exe;45
|
|
|
|
\\syschost\.exe;45
|
|
|
|
\\syshost\.exe;45
|
|
|
|
\\syshost\.exe;45
|
|
|
|
\\szchostc\.exe;45
|
|
|
|
\\szchostc\.exe;45
|
|
|
|
\\tsvchost\.exe;45
|
|
|
|
\\usvchost\.exe;45
|
|
|
|
\\uvchost\.exe;45
|
|
|
|
\\vcchost\.exe;45
|
|
|
|
\\vchost\.exe;45
|
|
|
|
\\vhchost\.exe;45
|
|
|
|
\\vhost\.exe;45
|
|
|
|
\\vschost\.exe;45
|
|
|
|
\\vsschost\.exe;45
|
|
|
|
\\vxhost\.exe;45
|
|
|
|
\\wsvchost\.exe;45
|
|
|
|
\\wvchosd\.exe;45
|
|
|
|
\\xvshost\.exe;45
|
|
|
|
\\zvchost\.exe;45
|
|
|
|
\\mswin\.exe;45
|
|
|
|
\\win_\.exe;45
|
|
|
|
\\win_5\.exe;45
|
|
|
|
\\win00\.exe;45
|
|
|
|
\\win01\.exe;45
|
|
|
|
\\win07\.exe;45
|
|
|
|
\\win08\.exe;45
|
|
|
|
\\win09\.exe;45
|
|
|
|
\\win1\.exe;45
|
|
|
|
\\win10\.exe;45
|
|
|
|
\\win11\.exe;45
|
|
|
|
\\win16\.exe;45
|
|
|
|
\\win2\.exe;45
|
|
|
|
\\win22\.exe;45
|
|
|
|
\\win23\.exe;45
|
|
|
|
\\win3\.exe;45
|
|
|
|
\\win30\.exe;45
|
|
|
|
\\win32\.exe;45
|
|
|
|
\\win39\.exe;45
|
|
|
|
\\win4\.exe;45
|
|
|
|
\\win42\.exe;45
|
|
|
|
\\win44\.exe;45
|
|
|
|
\\win45\.exe;45
|
|
|
|
\\win5\.exe;45
|
|
|
|
\\win54\.exe;45
|
|
|
|
\\win55\.exe;45
|
|
|
|
\\win62\.exe;45
|
|
|
|
\\win64\.exe;45
|
|
|
|
\\win7\.exe;45
|
|
|
|
\\win76\.exe;45
|
|
|
|
\\win77\.exe;45
|
|
|
|
\\win8\.exe;45
|
|
|
|
\\win91\.exe;45
|
|
|
|
\\win96\.exe;45
|
|
|
|
\\win98\.exe;45
|
|
|
|
\\win9x\.exe;45
|
|
|
|
\\wina\.exe;45
|
|
|
|
\\winad\.exe;45
|
|
|
|
\\winar\.exe;45
|
|
|
|
\\winav\.exe;45
|
|
|
|
\\winb\.exe;45
|
|
|
|
\\winc\.exe;45
|
|
|
|
\\wince\.exe;45
|
|
|
|
\\wind3\.exe;45
|
|
|
|
\\windf\.exe;45
|
|
|
|
\\windm\.exe;45
|
|
|
|
\\winds\.exe;45
|
|
|
|
\\wine\.exe;45
|
|
|
|
\\winet\.exe;45
|
|
|
|
\\winex\.exe;45
|
|
|
|
\\winfc\.exe;45
|
|
|
|
\\wingb\.exe;45
|
|
|
|
\\wings\.exe;45
|
|
|
|
\\wingt\.exe;45
|
|
|
|
\\winhd\.exe;45
|
|
|
|
\\winhv\.exe;45
|
|
|
|
\\wini\.exe;45
|
|
|
|
\\winit\.exe;45
|
|
|
|
\\wink\.exe;45
|
|
|
|
\\winkl\.exe;45
|
|
|
|
\\winl\.exe;45
|
|
|
|
\\winlc\.exe;45
|
|
|
|
\\winma\.exe;45
|
|
|
|
\\winmm\.exe;45
|
|
|
|
\\winmn\.exe;45
|
|
|
|
\\winmx\.exe;45
|
|
|
|
\\winn\.exe;45
|
|
|
|
\\winn1\.exe;45
|
|
|
|
\\winns\.exe;45
|
|
|
|
\\winnt\.exe;45
|
|
|
|
\\winny\.exe;45
|
|
|
|
\\winog\.exe;45
|
|
|
|
\\winok\.exe;45
|
|
|
|
\\winos\.exe;45
|
|
|
|
\\winow\.exe;45
|
|
|
|
\\winp9\.exe;45
|
|
|
|
\\winpc\.exe;45
|
|
|
|
\\winr\.exe;45
|
|
|
|
\\winra\.exe;45
|
|
|
|
\\winrm\.exe;45
|
|
|
|
\\winrr\.exe;45
|
|
|
|
\\wins7\.exe;45
|
|
|
|
\\winsh\.exe;45
|
|
|
|
\\winsp\.exe;45
|
|
|
|
\\winss\.exe;45
|
|
|
|
\\winst\.exe;45
|
|
|
|
\\wint\.exe;45
|
|
|
|
\\winu\.exe;45
|
|
|
|
\\winud\.exe;45
|
|
|
|
\\winup\.exe;45
|
|
|
|
\\winvc\.exe;45
|
|
|
|
\\winvr\.exe;45
|
|
|
|
\\winw\.exe;45
|
|
|
|
\\winwl\.exe;45
|
|
|
|
\\winwn\.exe;45
|
|
|
|
\\winws\.exe;45
|
|
|
|
\\winx\.exe;45
|
|
|
|
\\winxp\.exe;45
|
|
|
|
\\winxv\.exe;45
|
|
|
|
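\\winz\.exe;45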
|
|
|
|
\\_winlogon\.exe;45
|
|
|
|
\\inlogon\.exe;45
|
|
|
|
\\nlogon\.exe;45
|
|
|
|
\\wgalogon\.exe;45
|
|
|
|
\\wimlogom\.exe;45
|
|
|
|
\\win_logn\.exe;45
|
|
|
|
\\win1ogo\.exe;45
|
|
|
|
\\win1ogon\.exe;45
|
|
|
|
\\win1ogons\.exe;45
|
|
|
|
\\windlogon\.exe;45
|
|
|
|
\\winiogon\.exe;45
|
|
|
|
\\winl0g0n\.exe;45
|
|
|
|
\\winl0gin\.exe;45
|
|
|
|
\\winlgon\.exe;45
|
|
|
|
\\winligon\.exe;45
|
|
|
|
\\winlngon\.exe;45
|
|
|
|
\\winlog\.exe;45
|
|
|
|
\\winlog056\.exe;45
|
|
|
|
\\winlog0n\.exe;45
|
|
|
|
\\winlog1\.exe;45
|
|
|
|
\\winlogan\.exe;45
|
|
|
|
\\winloge\.exe;45
|
|
|
|
\\winlogen\.exe;45
|
|
|
|
\\winloger\.exe;45
|
|
|
|
\\winlogin\.exe;45
|
|
|
|
\\winlogins\.exe;45
|
|
|
|
\\winlogn\.exe;45
|
|
|
|
\\winlogo\.exe;45
|
|
|
|
\\winlogom\.exe;45
|
|
|
|
\\winlogoms\.exe;45
|
|
|
|
\\winlogon1\.exe;45
|
|
|
|
\\winlogon3\.exe;45
|
|
|
|
\\winlogon32\.exe;45
|
|
|
|
\\winlogon6\.exe;45
|
|
|
|
\\winlogon86\.exe;45
|
|
|
|
\\winlogone\.exe;45
|
|
|
|
\\winlogonl\.exe;45
|
|
|
|
\\winlogonn\.exe;45
|
|
|
|
\\winlogonpc\.exe;45
|
|
|
|
\\winlogonr\.exe;45
|
|
|
|
\\winlogons\.exe;45
|
|
|
|
\\winlogor\.exe;45
|
|
|
|
\\winlogr\.exe;45
|
|
|
|
\\winlogs\.exe;45
|
|
|
|
\\winlogun\.exe;45
|
|
|
|
\\winlongon\.exe;45
|
|
|
|
\\winlugan\.exe;45
|
|
|
|
\\winslogin\.exe;45
|
|
|
|
\\wnilogon\.exe;45
|
|
|
|
\\wnlgon\.exe;45
|
|
|
|
\\wnlogin\.exe;45
|
|
|
|
|
|
|
|
# Typical Malware Names
|
|
|
|
\\ex[p]?[l1]orer[a-z0-9]{1,3}\.exe;60
|
|
|
|
\\ex[p]?[^l]orer;60
|
|
|
|
\\ex[p]?l[^o]rer;60
|
|
|
|
\\iexp[1l]ore[a-z0-9]{1,3}\.exe;60
|
|
|
|
\\iexp[^l]ore;60
|
|
|
|
\\iexpl[^o]re;60
|
|
|
|
\\l[^s]?ass\.exe;55
|
|
|
|
\\lsa[^s]?s\.exe;55
|
|
|
|
\\l[s]?ass[a-z0-9]\.exe;65
|
|
|
|
\\sv[^c]host\.exe;55
|
|
|
|
\\svch[^o]st\.exe;45
|
|
|
|
\\svc[a-z]host\.exe;45
|
|
|
|
\\svch0s;60
|
|
|
|
\\svchost[a-z0-9]{1,3}\.exe;55
|
|
|
|
\\win[0-9_]{0,3}\.exe;55
|
|
|
|
\\win1ogo;45
|
|
|
|
\\win[^l]ogon\.exe;55
|
|
|
|
\\winl[^o]gon\.exe;55
|
|
|
|
\\winlog[^o]n\.exe;55
|
|
|
|
\\winlogon[0-9_a-z]{1,3}\.exe;55
|
|
|
|
|
2016-06-04 15:07:54 +00:00
|
|
|
# FireEye Irongate
|
|
|
|
\\bla\.exe;80
|
|
|
|
\\update_no_pipe\.exe;80
|
|
|
|
\\scada\.exe;50
|
|
|
|
\\Step7ConMgr\.dll;70
|
|
|
|
\\scomma scxrt2\.ini;80
|
|
|
|
\\scxrt2\.ini;80
|
|
|
|
|
2016-06-15 04:54:30 +00:00
|
|
|
# Sofacy APT http://goo.gl/YXb8ZX
|
|
|
|
[Cc]:\\ProgramData\\iprpp\.dll;100
|
|
|
|
AppData\\Roaming\\amdcache\.dll;100
|
|
|
|
|
|
|
|
# Sofacy APT http://goo.gl/mzAa97
|
|
|
|
AppData\\Roaming\\btecache\.dll;90
|
|
|
|
|
2016-02-15 09:22:28 +00:00
|
|
|
# End
|