{ "version": "1.0", "truncation": null, "padding": null, "added_tokens": [ { "id": 0, "content": "[PAD]", "single_word": false, "lstrip": false, "rstrip": false, "normalized": false, "special": true }, { "id": 1, "content": "[UNK]", "single_word": false, "lstrip": false, "rstrip": false, "normalized": false, "special": true }, { "id": 2, "content": "[CLS]", "single_word": false, "lstrip": false, "rstrip": false, "normalized": false, "special": true }, { "id": 3, "content": "[SEP]", "single_word": false, "lstrip": false, "rstrip": false, "normalized": false, "special": true }, { "id": 4, "content": "[MASK]", "single_word": false, "lstrip": false, "rstrip": false, "normalized": false, "special": true } ], "normalizer": { "type": "BertNormalizer", "clean_text": true, "handle_chinese_chars": true, "strip_accents": null, "lowercase": false }, "pre_tokenizer": { "type": "BertPreTokenizer" }, "post_processor": { "type": "TemplateProcessing", "single": [ { "SpecialToken": { "id": "[CLS]", "type_id": 0 } }, { "Sequence": { "id": "A", "type_id": 0 } }, { "SpecialToken": { "id": "[SEP]", "type_id": 0 } } ], "pair": [ { "SpecialToken": { "id": "[CLS]", "type_id": 0 } }, { "Sequence": { "id": "A", "type_id": 0 } }, { "SpecialToken": { "id": "[SEP]", "type_id": 0 } }, { "Sequence": { "id": "B", "type_id": 1 } }, { "SpecialToken": { "id": "[SEP]", "type_id": 1 } } ], "special_tokens": { "[CLS]": { "id": "[CLS]", "ids": [ 2 ], "tokens": [ "[CLS]" ] }, "[SEP]": { "id": "[SEP]", "ids": [ 3 ], "tokens": [ "[SEP]" ] } } }, "decoder": { "type": "WordPiece", "prefix": "##", "cleanup": true }, "model": { "type": "WordPiece", "unk_token": "[UNK]", "continuing_subword_prefix": "##", "max_input_chars_per_word": 100, "vocab": { "[PAD]": 0, "[UNK]": 1, "[CLS]": 2, "[SEP]": 3, "[MASK]": 4, "!": 5, "\"": 6, "#": 7, "$": 8, "%": 9, "&": 10, "'": 11, "(": 12, ")": 13, "*": 14, "+": 15, ",": 16, "-": 17, ".": 18, "/": 19, "0": 20, "1": 21, "2": 22, "3": 23, "4": 24, "5": 25, "6": 26, "7": 27, "8": 28, "9": 29, ":": 30, ";": 31, "<": 32, "=": 33, ">": 34, "?": 35, "@": 36, "A": 37, "B": 38, "C": 39, "D": 40, "E": 41, "F": 42, "G": 43, "H": 44, "I": 45, "J": 46, "K": 47, "L": 48, "M": 49, "N": 50, "O": 51, "P": 52, "Q": 53, "R": 54, "S": 55, "T": 56, "U": 57, "V": 58, "W": 59, "X": 60, "Y": 61, "Z": 62, "[": 63, "\\": 64, "]": 65, "_": 66, "`": 67, "a": 68, "b": 69, "c": 70, "d": 71, "e": 72, "f": 73, "g": 74, "h": 75, "i": 76, "j": 77, "k": 78, "l": 79, "m": 80, "n": 81, "o": 82, "p": 83, "q": 84, "r": 85, "s": 86, "t": 87, "u": 88, "v": 89, "w": 90, "x": 91, "y": 92, "z": 93, "{": 94, "|": 95, "}": 96, "~": 97, "ë": 98, "–": 99, "‘": 100, "’": 101, "“": 102, "”": 103, "##x": 104, "##p": 105, "##l": 106, "##o": 107, "##i": 108, "##t": 109, "##a": 110, "##n": 111, "##h": 112, "##c": 113, "##e": 114, "##s": 115, "##r": 116, "##d": 117, "##v": 118, "##k": 119, "##u": 120, "##m": 121, "##f": 122, "##w": 123, "##q": 124, "##y": 125, "##U": 126, "##D": 127, "##O": 128, "##b": 129, "##j": 130, "##E": 131, "##M": 132, "##P": 133, "##z": 134, "##g": 135, "##1": 136, "##5": 137, "##4": 138, "##6": 139, "##I": 140, "##L": 141, "##N": 142, "##A": 143, "##S": 144, "##3": 145, "##R": 146, "##0": 147, "##2": 148, "##C": 149, "##Q": 150, "##T": 151, "##G": 152, "##9": 153, "##8": 154, "##7": 155, "##W": 156, "##Y": 157, "##B": 158, "##H": 159, "##F": 160, "##V": 161, "##X": 162, "##K": 163, "##Z": 164, "##J": 165, "##er": 166, "##in": 167, "##he": 168, "##es": 169, "##on": 170, "##te": 171, "##ti": 172, "the": 173, "##ll": 174, "##ec": 175, "##or": 176, "##is": 177, "##le": 178, "##nd": 179, "to": 180, "##om": 181, "##ing": 182, "##re": 183, "ex": 184, "##tion": 185, "##ow": 186, "wi": 187, "##ed": 188, "##ic": 189, "##en": 190, "##at": 191, "in": 192, "us": 193, "##ecu": 194, "##ar": 195, "##ou": 196, "##as": 197, "##al": 198, "and": 199, "##et": 200, "##ess": 201, "execu": 202, "##ro": 203, "##th": 204, "fi": 205, "##ta": 206, "##ers": 207, "##an": 208, "will": 209, "##ri": 210, "##ma": 211, "of": 212, "##his": 213, "##ate": 214, "##od": 215, "##cess": 216, "##ul": 217, "##un": 218, "be": 219, "com": 220, "with": 221, "##est": 222, "file": 223, "##ist": 224, "##ad": 225, "##ac": 226, "Win": 227, "##ut": 228, "lo": 229, "##hell": 230, "is": 231, "##tem": 232, "##ys": 233, "on": 234, "##pt": 235, "re": 236, "##ation": 237, "exe": 238, "##ows": 239, "execution": 240, "##it": 241, "##mand": 242, "using": 243, "##ol": 244, "##ir": 245, "##ay": 246, "This": 247, "for": 248, "##ver": 249, "##ia": 250, "##ass": 251, "##pl": 252, "##dows": 253, "##nt": 254, "th": 255, "test": 256, "##um": 257, "##am": 258, "##rom": 259, "##ystem": 260, "su": 261, "##pon": 262, "##ent": 263, "pro": 264, "command": 265, "##wor": 266, "##ble": 267, "##lo": 268, "##ccess": 269, "Windows": 270, "con": 271, "##il": 272, "##ain": 273, "Ex": 274, "##st": 275, "##if": 276, "an": 277, "Upon": 278, "##ve": 279, "via": 280, "Pow": 281, "user": 282, "##im": 283, "##ect": 284, "by": 285, "##ge": 286, "##ted": 287, "##ory": 288, "ad": 289, "##ck": 290, "##ot": 291, "de": 292, "##ce": 293, "##den": 294, "##ew": 295, "##ote": 296, "##ry": 297, "##qu": 298, "that": 299, "dis": 300, "Re": 301, "##word": 302, "##assword": 303, "at": 304, "it": 305, "or": 306, "##ur": 307, "##omain": 308, "from": 309, "run": 310, "Power": 311, "as": 312, "##ch": 313, "##erv": 314, "log": 315, "en": 316, "##ice": 317, "cre": 318, "##til": 319, "Cre": 320, "##ary": 321, "Dis": 322, "##ccessf": 323, "ac": 324, "The": 325, "system": 326, "##sta": 327, "##op": 328, "##denti": 329, "##wn": 330, "sc": 331, "##all": 332, "Us": 333, "##ft": 334, "successf": 335, "##ion": 336, "##are": 337, "st": 338, "##gist": 339, "##load": 340, "PowerS": 341, "password": 342, "##les": 343, "##able": 344, "##ript": 345, "In": 346, "##min": 347, "Ad": 348, "##ile": 349, "##ervice": 350, "##id": 351, "##for": 352, "PowerShell": 353, "mod": 354, "##own": 355, "successful": 356, "this": 357, "##ig": 358, "##ount": 359, "##ly": 360, "##stall": 361, "##put": 362, "##cal": 363, "##tes": 364, "##count": 365, "##gistry": 366, "De": 367, "##ata": 368, "sh": 369, "##out": 370, "##mote": 371, "domain": 372, "##vers": 373, "Execu": 374, "##over": 375, "##ter": 376, "can": 377, "Lo": 378, "##play": 379, "##ure": 380, "##ction": 381, "##so": 382, "##rou": 383, "##irect": 384, "##ting": 385, "display": 386, "sp": 387, "##cover": 388, "wh": 389, "##ates": 390, "##ack": 391, "##ies": 392, "may": 393, "##der": 394, "##ity": 395, "process": 396, "##ke": 397, "##ify": 398, "##em": 399, "##md": 400, "##ated": 401, "##ip": 402, "##inu": 403, "ch": 404, "##dential": 405, "##irectory": 406, "##ule": 407, "##ware": 408, "##ershell": 409, "util": 410, "execute": 411, "System": 412, "##ost": 413, "##inux": 414, "##ownload": 415, "En": 416, "account": 417, "##iz": 418, "##ine": 419, "set": 420, "##ts": 421, "##tive": 422, "new": 423, "##us": 424, "##ech": 425, "##tain": 426, "##ication": 427, "##Pwn": 428, "##ous": 429, "advers": 430, "displayed": 431, "files": 432, "WinPwn": 433, "Discover": 434, "Linux": 435, "##iqu": 436, "##niqu": 437, "Pro": 438, "##ump": 439, "service": 440, "tech": 441, "##ree": 442, "##ode": 443, "techniqu": 444, "Com": 445, "cmd": 446, "data": 447, "##per": 448, "used": 449, "se": 450, "##up": 451, "bas": 452, "remote": 453, "##older": 454, "At": 455, "##umer": 456, "script": 457, "##tr": 458, "registry": 459, "technique": 460, "out": 461, "##iew": 462, "##tro": 463, "local": 464, "An": 465, "mal": 466, "##ple": 467, "##el": 468, "##ort": 469, "##art": 470, "##olic": 471, "Discovery": 472, "Ac": 473, "you": 474, "##age": 475, "##ull": 476, "mac": 477, "##pen": 478, "##omic": 479, "pow": 480, "##ment": 481, "then": 482, "install": 483, "adversary": 484, "all": 485, "##oll": 486, "Create": 487, "##oot": 488, "##roup": 489, "Sh": 490, "##ious": 491, "##che": 492, "##ud": 493, "not": 494, "shell": 495, "##ten": 496, "##dentials": 497, "ke": 498, "##OS": 499, "##BS": 500, "##mation": 501, "##formation": 502, "download": 503, "folder": 504, "##riv": 505, "St": 506, "##to": 507, "##aun": 508, "def": 509, "Ch": 510, "fun": 511, "##xt": 512, "##hen": 513, "function": 514, "ar": 515, "##ult": 516, "##opy": 517, "tim": 518, "Con": 519, "##vent": 520, "##ust": 521, "##icious": 522, "use": 523, "##olicy": 524, "##ty": 525, "information": 526, "##ame": 527, "var": 528, "##bs": 529, "##urre": 530, "##oo": 531, "##tack": 532, "##ang": 533, "##urrent": 534, "sim": 535, "##ection": 536, "##istory": 537, "powershell": 538, "Free": 539, "##ld": 540, "##ied": 541, "##cript": 542, "##BSD": 543, "FreeBSD": 544, "##ab": 545, "##ault": 546, "##end": 547, "##ich": 548, "##icro": 549, "##ally": 550, "spec": 551, "which": 552, "conf": 553, "create": 554, "Get": 555, "Mod": 556, "list": 557, "##work": 558, "contain": 559, "##soft": 560, "net": 561, "we": 562, "##ppl": 563, "##ire": 564, "##ther": 565, "##ange": 566, "do": 567, "host": 568, "was": 569, "##ag": 570, "##ning": 571, "##ath": 572, "##tempt": 573, "al": 574, "if": 575, "per": 576, "win": 577, "##fy": 578, "##lete": 579, "users": 580, "##ould": 581, "##ask": 582, "##icrosoft": 583, "Domain": 584, "access": 585, "directory": 586, "laun": 587, "open": 588, "##sion": 589, "add": 590, "##ail": 591, "commands": 592, "Microsoft": 593, "bin": 594, "##si": 595, "##mp": 596, "##32": 597, "Add": 598, "un": 599, "##pp": 600, "##se": 601, "##ue": 602, "##ST": 603, "##ern": 604, "##table": 605, "so": 606, "##heck": 607, "executed": 608, "env": 609, "##ere": 610, "Disable": 611, "##dentify": 612, "Use": 613, "utility": 614, "output": 615, "Az": 616, "##yp": 617, "##LL": 618, "##ark": 619, "##ersis": 620, "##tern": 621, "key": 622, "##pplication": 623, "tr": 624, "##ct": 625, "##ress": 626, "attack": 627, "Admin": 628, "specif": 629, "##alc": 630, "macOS": 631, "Azure": 632, "history": 633, "##vo": 634, "File": 635, "group": 636, "priv": 637, "##erver": 638, "##ick": 639, "##rity": 640, "AD": 641, "policy": 642, "val": 643, "##ff": 644, "##fil": 645, "##wall": 646, "##ind": 647, "##our": 648, "##eth": 649, "##iron": 650, "Directory": 651, "code": 652, "##rompt": 653, "Registry": 654, "bash": 655, "malicious": 656, "##ironment": 657, "##sh": 658, "##mon": 659, "##int": 660, "varia": 661, "##ethod": 662, "##ecurity": 663, "##ard": 664, "Executes": 665, "default": 666, "Set": 667, "has": 668, "##ap": 669, "##cl": 670, "##ru": 671, "##ject": 672, "##AC": 673, "into": 674, "##umerate": 675, "Service": 676, "pre": 677, "##tu": 678, "##av": 679, "##ear": 680, "##econ": 681, "##ator": 682, "attempt": 683, "running": 684, "##ftware": 685, "Def": 686, "##emp": 687, "time": 688, "config": 689, "HK": 690, "cl": 691, "pr": 692, "##dule": 693, "##vid": 694, "##ub": 695, "##uer": 696, "requ": 697, "##ully": 698, "WM": 699, "##apt": 700, "comp": 701, "enc": 702, "##ize": 703, "Command": 704, "##ender": 705, "windows": 706, "##filtr": 707, "WMI": 708, "DLL": 709, "are": 710, "em": 711, "foll": 712, "##ging": 713, "##ID": 714, "##ero": 715, "##ayload": 716, "modif": 717, "##trol": 718, "Active": 719, "res": 720, "##mis": 721, "##LM": 722, "##lear": 723, "##ating": 724, "##ession": 725, "##ulates": 726, "within": 727, "admin": 728, "atomic": 729, "Log": 730, "##mission": 731, "current": 732, "temp": 733, "executable": 734, "Powershell": 735, "dele": 736, "Remote": 737, "credentials": 738, "calc": 739, "root": 740, "##gh": 741, "##SI": 742, "##ase": 743, "##rib": 744, "##oded": 745, "##istr": 746, "##form": 747, "follow": 748, "Copy": 749, "Mac": 750, "dump": 751, "##ox": 752, "##awn": 753, "##gr": 754, "##64": 755, "##aries": 756, "##ules": 757, "##ument": 758, "User": 759, "modify": 760, "##igh": 761, "Delete": 762, "Atomic": 763, "##troll": 764, "##ook": 765, "binary": 766, "privile": 767, "value": 768, "ab": 769, "check": 770, "le": 771, "##ires": 772, "Creates": 773, "Credentials": 774, "std": 775, "##idden": 776, "##tence": 777, "environment": 778, "##ersistence": 779, "Application": 780, "Data": 781, "HT": 782, "To": 783, "ha": 784, "note": 785, "tar": 786, "task": 787, "ver": 788, "##ake": 789, "##tent": 790, "executes": 791, "##ersion": 792, "##olum": 793, "##amed": 794, "Install": 795, "##ign": 796, "Execute": 797, "##rough": 798, "setting": 799, "stdout": 800, "Net": 801, "et": 802, "man": 803, "over": 804, "when": 805, "##pad": 806, "##iti": 807, "##fer": 808, "##tection": 809, "##tiv": 810, "##orer": 811, "start": 812, "##puter": 813, "Local": 814, "Process": 815, "##voke": 816, "##olume": 817, "Run": 818, "Util": 819, "no": 820, "prompt": 821, "##trib": 822, "##reat": 823, "##ans": 824, "##plo": 825, "##log": 826, "should": 827, "Execution": 828, "##emory": 829, "following": 830, "##troller": 831, "etc": 832, "Un": 833, "view": 834, "##po": 835, "##EM": 836, "##ore": 837, "##adow": 838, "##plorer": 839, "dev": 840, "##fter": 841, "module": 842, "installed": 843, "##ches": 844, "variable": 845, "Defender": 846, "Fire": 847, "li": 848, "##port": 849, "##ove": 850, "##do": 851, "##uil": 852, "##AP": 853, "comple": 854, "Modify": 855, "specified": 856, "##apture": 857, "##istrator": 858, "List": 859, "call": 860, "copy": 861, "mess": 862, "session": 863, "txt": 864, "wri": 865, "##ole": 866, "##du": 867, "##wd": 868, "##ges": 869, "##View": 870, "##mage": 871, "without": 872, "only": 873, "through": 874, "##uration": 875, "Invoke": 876, "spawn": 877, "see": 878, "##udit": 879, "##ernel": 880, "##duled": 881, "Identify": 882, "Password": 883, "So": 884, "method": 885, "path": 886, "provid": 887, "its": 888, "##acket": 889, "Account": 890, "##ables": 891, "##clud": 892, "##uery": 893, "Note": 894, "T1": 895, "ob": 896, "payload": 897, "sta": 898, "##ext": 899, "##ron": 900, "##tif": 901, "##ected": 902, "logs": 903, "created": 904, "sche": 905, "change": 906, "malware": 907, "network": 908, "notepad": 909, "verify": 910, "Software": 911, "Download": 912, "If": 913, "Security": 914, "UAC": 915, "dll": 916, "server": 917, "wor": 918, "##and": 919, "##nce": 920, "##tic": 921, "load": 922, "disable": 923, "Comp": 924, "permission": 925, "launch": 926, "##rute": 927, "##filtration": 928, "about": 929, "have": 930, "Aut": 931, "NT": 932, "pip": 933, "##xec": 934, "##rary": 935, "##ged": 936, "##AM": 937, "##SH": 938, "##esk": 939, "tool": 940, "##ingle": 941, "##rewall": 942, "inter": 943, "firewall": 944, "Using": 945, "##trac": 946, "also": 947, "HKLM": 948, "HI": 949, "Ke": 950, "Th": 951, "coll": 952, "dec": 953, "other": 954, "##ith": 955, "##yth": 956, "##ET": 957, "##LE": 958, "##ermin": 959, "uses": 960, "##ults": 961, "common": 962, "computer": 963, "##ace": 964, "##cho": 965, "##icket": 966, "HIST": 967, "buil": 968, "echo": 969, "named": 970, "pl": 971, "par": 972, "pass": 973, "up": 974, "##bed": 975, "##ome": 976, "##ach": 977, "loc": 978, "##opies": 979, "utiliz": 980, "your": 981, "Start": 982, "perform": 983, "##ource": 984, "Network": 985, "message": 986, "##ython": 987, "Current": 988, "ES": 989, "Test": 990, "ls": 991, "single": 992, "typ": 993, "##bit": 994, "##Pro": 995, "inf": 996, "##ound": 997, "##ample": 998, "Requ": 999, "Advers": 1000, "Enc": 1001, "Enumerate": 1002, "Administrator": 1003, "##econd": 1004, "configuration": 1005, "permissions": 1006, "ESX": 1007, "Group": 1008, "JS": 1009, "Out": 1010, "Sc": 1011, "Sear": 1012, "SSH": 1013, "VB": 1014, "cer": 1015, "event": 1016, "free": 1017, "memory": 1018, "ne": 1019, "role": 1020, "sys": 1021, "serv": 1022, "second": 1023, "##ill": 1024, "##tor": 1025, "##bal": 1026, "##ord": 1027, "##ish": 1028, "##reen": 1029, "##arp": 1030, "##ulate": 1031, "any": 1032, "##imi": 1033, "##rypt": 1034, "processes": 1035, "mach": 1036, "##ched": 1037, "art": 1038, "##bsd": 1039, "##gram": 1040, "work": 1041, "freebsd": 1042, "Bas": 1043, "Ed": 1044, "Fil": 1045, "SY": 1046, "Volume": 1047, "aut": 1048, "after": 1049, "identify": 1050, "line": 1051, "rec": 1052, "ret": 1053, "##line": 1054, "##ak": 1055, "##name": 1056, "##ss": 1057, "##ror": 1058, "##und": 1059, "##mark": 1060, "##Upon": 1061, "##ILE": 1062, "##NS": 1063, "##TP": 1064, "##erb": 1065, "their": 1066, "##ener": 1067, "##ensi": 1068, "##quer": 1069, "discover": 1070, "##uring": 1071, "PowerView": 1072, "Share": 1073, "simulates": 1074, "prevent": 1075, "##ookmark": 1076, "pipe": 1077, "20": 1078, "Clear": 1079, "Shell": 1080, "Sim": 1081, "audit": 1082, "but": 1083, "back": 1084, "er": 1085, "end": 1086, "##rows": 1087, "##bles": 1088, "##let": 1089, "##ence": 1090, "includ": 1091, "Explorer": 1092, "Change": 1093, "arg": 1094, "##ternal": 1095, "##tual": 1096, "modification": 1097, "privileges": 1098, "built": 1099, "##bedd": 1100, "Access": 1101, "Per": 1102, "Python": 1103, "RD": 1104, "Sp": 1105, "When": 1106, "ev": 1107, "find": 1108, "get": 1109, "persistence": 1110, "und": 1111, "##ok": 1112, "##nc": 1113, "##fully": 1114, "##Com": 1115, "##ices": 1116, "##icate": 1117, "ins": 1118, "off": 1119, "being": 1120, "##admin": 1121, "##irtual": 1122, "##ames": 1123, "##amet": 1124, "##lock": 1125, "Rem": 1126, "attrib": 1127, "order": 1128, "logging": 1129, "Uses": 1130, "##ide": 1131, "seen": 1132, "##umeration": 1133, "Chrom": 1134, "web": 1135, "##STEM": 1136, "VBA": 1137, "need": 1138, "SYSTEM": 1139, "Al": 1140, "AP": 1141, "Dump": 1142, "DNS": 1143, "Man": 1144, "Red": 1145, "app": 1146, "text": 1147, "##xy": 1148, "##top": 1149, "##ative": 1150, "##col": 1151, "##ev": 1152, "##file": 1153, "##Con": 1154, "##FILE": 1155, "##one": 1156, "lock": 1157, "sudo": 1158, "content": 1159, "logon": 1160, "stor": 1161, "##gister": 1162, "##sole": 1163, "chang": 1164, "based": 1165, "Shadow": 1166, "##tocol": 1167, "times": 1168, "##ities": 1169, "Firewall": 1170, "##esktop": 1171, "Adversaries": 1172, "##undll": 1173, "##ensitive": 1174, "Copies": 1175, "Event": 1176, "Mal": 1177, "Open": 1178, "SO": 1179, "ag": 1180, "during": 1181, "es": 1182, "hidden": 1183, "own": 1184, "po": 1185, "rules": 1186, "##ption": 1187, "##lag": 1188, "##hav": 1189, "##get": 1190, "##SA": 1191, "##RE": 1192, "they": 1193, "##asquer": 1194, "##ading": 1195, "##very": 1196, "such": 1197, "produ": 1198, "##lobal": 1199, "control": 1200, "login": 1201, "enable": 1202, "enumerate": 1203, "systems": 1204, "what": 1205, "accounts": 1206, "##ired": 1207, "##ypass": 1208, "compress": 1209, "embedd": 1210, "##uments": 1211, "Utilize": 1212, "##point": 1213, "scheduled": 1214, "##undll32": 1215, "again": 1216, "##havi": 1217, "All": 1218, "App": 1219, "Bl": 1220, "Kerb": 1221, "Res": 1222, "kernel": 1223, "must": 1224, "ren": 1225, "version": 1226, "##kat": 1227, "##ON": 1228, "##IS": 1229, "##00": 1230, "##tec": 1231, "exist": 1232, "##ant": 1233, "##ade": 1234, "##itor": 1235, "delete": 1236, "actor": 1237, "successfully": 1238, "##use": 1239, "keys": 1240, "containing": 1241, "doc": 1242, "##ernet": 1243, "encoded": 1244, "settings": 1245, "like": 1246, "Key": 1247, "ESXi": 1248, "##katz": 1249, "00": 1250, "Bypass": 1251, "LD": 1252, "MSI": 1253, "clear": 1254, "cron": 1255, "dri": 1256, "name": 1257, "obs": 1258, "zero": 1259, "##nection": 1260, "##script": 1261, "##ves": 1262, "##SS": 1263, "##install": 1264, "them": 1265, "##ream": 1266, "##ache": 1267, "##utes": 1268, "program": 1269, "console": 1270, "##cel": 1271, "##url": 1272, "##ures": 1273, "creates": 1274, "passwords": 1275, "##fore": 1276, "share": 1277, "datab": 1278, "##ctl": 1279, "specific": 1280, "Setting": 1281, "MacOS": 1282, "target": 1283, "##ansom": 1284, "##tificate": 1285, "##bitrary": 1286, "Search": 1287, "machine": 1288, "error": 1289, "endpoint": 1290, "##rowser": 1291, "Black": 1292, "AW": 1293, "Check": 1294, "Capture": 1295, "Off": 1296, "Priv": 1297, "Policy": 1298, "Sys": 1299, "det": 1300, "gener": 1301, "ip": 1302, "image": 1303, "main": 1304, "oper": 1305, "rest": 1306, "security": 1307, "some": 1308, "ticket": 1309, "##ber": 1310, "##boot": 1311, "##bject": 1312, "##ong": 1313, "##lev": 1314, "exp": 1315, "##ater": 1316, "##arted": 1317, "##tation": 1318, "##tamp": 1319, "Exfiltration": 1320, "credential": 1321, "screen": 1322, "base": 1323, "installation": 1324, "##tension": 1325, "Stop": 1326, "Controller": 1327, "##ternate": 1328, "##ight": 1329, "##igned": 1330, "##tivity": 1331, "##tract": 1332, "Threat": 1333, "paramet": 1334, "Requires": 1335, "Output": 1336, "seconds": 1337, "Files": 1338, "RDP": 1339, "Chrome": 1340, "timestamp": 1341, "embedded": 1342, "against": 1343, "AWS": 1344, "Office": 1345, "10": 1346, "Cl": 1347, "C2": 1348, "Do": 1349, "For": 1350, "IIS": 1351, "No": 1352, "RA": 1353, "Sche": 1354, "UF": 1355, "av": 1356, "ent": 1357, "##sv": 1358, "##rst": 1359, "##uth": 1360, "##uage": 1361, "##MD": 1362, "##LI": 1363, "explo": 1364, "first": 1365, "behavi": 1366, "reg": 1367, "sub": 1368, "detection": 1369, "disk": 1370, "Reg": 1371, "runs": 1372, "mode": 1373, "who": 1374, "where": 1375, "Attempt": 1376, "##elp": 1377, "Chang": 1378, "##anguage": 1379, "does": 1380, "requires": 1381, "deletes": 1382, "HISTFILE": 1383, "lsass": 1384, "retri": 1385, "stored": 1386, "base64": 1387, "UFW": 1388, "Hidden": 1389, "IP": 1390, "Laun": 1391, "NET": 1392, "Over": 1393, "Port": 1394, "Persistence": 1395, "Packet": 1396, "Script": 1397, "Task": 1398, "application": 1399, "brute": 1400, "each": 1401, "found": 1402, "query": 1403, "would": 1404, "zip": 1405, "##ob": 1406, "##og": 1407, "##ner": 1408, "##cs": 1409, "##eb": 1410, "##ring": 1411, "##dump": 1412, "##ually": 1413, "##ync": 1414, "##ML": 1415, "##lean": 1416, "##ndard": 1417, "executing": 1418, "threat": 1419, "profile": 1420, "ass": 1421, "logged": 1422, "Disables": 1423, "Loot": 1424, "##ustom": 1425, "##abil": 1426, "launches": 1427, "HTTP": 1428, "##Process": 1429, "JScript": 1430, "services": 1431, "##imikatz": 1432, "autom": 1433, "##ookmarks": 1434, "LDAP": 1435, "##ansomware": 1436, "Find": 1437, "Pr": 1438, "Query": 1439, "block": 1440, "non": 1441, "ps": 1442, "port": 1443, "source": 1444, "sensitive": 1445, "##picious": 1446, "##ler": 1447, "##ition": 1448, "##ive": 1449, "##net": 1450, "##cc": 1451, "##com": 1452, "##eat": 1453, "##eam": 1454, "##exec": 1455, "##ute": 1456, "##Util": 1457, "##OM": 1458, "##Ex": 1459, "##gg": 1460, "##gle": 1461, "##IN": 1462, "##TW": 1463, "##ink": 1464, "input": 1465, "##ecur": 1466, "##ann": 1467, "##unc": 1468, "Win32": 1469, "##its": 1470, "force": 1471, "string": 1472, "sets": 1473, "adversaries": 1474, "##oogle": 1475, "contains": 1476, "launched": 1477, "software": 1478, "attacks": 1479, "startup": 1480, "passwd": 1481, "Encoded": 1482, "Scan": 1483, "under": 1484, "contents": 1485, "Kerbero": 1486, "##tected": 1487, "database": 1488, "##leanup": 1489, "GP": 1490, "Global": 1491, "Google": 1492, "History": 1493, "PS": 1494, "Sn": 1495, "With": 1496, "flag": 1497, "ms": 1498, "num": 1499, "packet": 1500, "tri": 1501, "##pass": 1502, "##li": 1503, "##ause": 1504, "##cip": 1505, "##de": 1506, "##mod": 1507, "##wri": 1508, "##Object": 1509, "##bo": 1510, "##box": 1511, "##jection": 1512, "##Pack": 1513, "##Version": 1514, "##incip": 1515, "##tend": 1516, "insta": 1517, "##ast": 1518, "been": 1519, "before": 1520, "Winlog": 1521, "##old": 1522, "##amper": 1523, "controller": 1524, "##ilar": 1525, "bypass": 1526, "Credential": 1527, "action": 1528, "Lock": 1529, "utilize": 1530, "remotely": 1531, "Attack": 1532, "allow": 1533, "variables": 1534, "required": 1535, "modified": 1536, "deleted": 1537, "provided": 1538, "Auto": 1539, "Startup": 1540, "CurrentVersion": 1541, "Bash": 1542, "Remove": 1543, "parameter": 1544, "exploi": 1545, "##incipal": 1546, "Winlogon": 1547, "AV": 1548, "By": 1549, "CMD": 1550, "He": 1551, "It": 1552, "Int": 1553, "Kernel": 1554, "LSA": 1555, "PID": 1556, "UP": 1557, "Word": 1558, "You": 1559, "box": 1560, "custom": 1561, "cleanup": 1562, "elev": 1563, "go": 1564, "how": 1565, "kn": 1566, "lis": 1567, "later": 1568, "null": 1569, "pack": 1570, "part": 1571, "persis": 1572, "vul": 1573, "virtual": 1574, "##pted": 1575, "##ial": 1576, "##harp": 1577, "##ced": 1578, "##eve": 1579, "##fl": 1580, "##fus": 1581, "##OR": 1582, "##hes": 1583, "##ties": 1584, "##ecre": 1585, "extension": 1586, "##cessfully": 1587, "##pty": 1588, "rem": 1589, "##irm": 1590, "sucessfully": 1591, "proper": 1592, "Excel": 1593, "##rypted": 1594, "Users": 1595, "PowerSharp": 1596, "Env": 1597, "Enable": 1598, "Protocol": 1599, "cmdlet": 1600, "downloading": 1601, "arbitrary": 1602, "Control": 1603, "confirm": 1604, "Modif": 1605, "Module": 1606, "added": 1607, "address": 1608, "##siexec": 1609, "prere": 1610, "empty": 1611, "dumped": 1612, "HTML": 1613, "##ference": 1614, "utilizing": 1615, "API": 1616, "enabled": 1617, "avail": 1618, "behavior": 1619, "Changes": 1620, "LSASS": 1621, "UPX": 1622, "##fusc": 1623, "PowerSharpPack": 1624, "Cent": 1625, "Em": 1626, "EX": 1627, "Has": 1628, "Kub": 1629, "Method": 1630, "Su": 1631, "Tr": 1632, "View": 1633, "Web": 1634, "boot": 1635, "cache": 1636, "dif": 1637, "ei": 1638, "every": 1639, "numer": 1640, "pri": 1641, "volume": 1642, "##ever": 1643, "##rc": 1644, "##ray": 1645, "##ution": 1646, "##ual": 1647, "##fig": 1648, "##ym": 1649, "##UID": 1650, "##bl": 1651, "##Pwd": 1652, "##IT": 1653, "##AN": 1654, "##ARE": 1655, "##RL": 1656, "##esc": 1657, "##orts": 1658, "exfiltration": 1659, "##ense": 1660, "##atch": 1661, "##ance": 1662, "there": 1663, "username": 1664, "##urn": 1665, "started": 1666, "Dele": 1667, "Load": 1668, "##izing": 1669, "sear": 1670, "##udo": 1671, "##hentic": 1672, "similar": 1673, "##ager": 1674, "##ails": 1675, "trunc": 1676, "groups": 1677, "##tutil": 1678, "attempts": 1679, "configure": 1680, "##ueries": 1681, "Logging": 1682, "leg": 1683, "lever": 1684, "manually": 1685, "##ferent": 1686, "Utilizing": 1687, "Uninstall": 1688, "write": 1689, "T10": 1690, "Compress": 1691, "plac": 1692, "info": 1693, "Groups": 1694, "Permission": 1695, "##Command": 1696, "appear": 1697, "changed": 1698, "Malware": 1699, "##asquerading": 1700, "##ernetes": 1701, "Settings": 1702, "maintain": 1703, "entry": 1704, "Launch": 1705, "##ability": 1706, "number": 1707, "vulner": 1708, "Kubernetes": 1709, "different": 1710, "either": 1711, "Browser": 1712, "Cr": 1713, "CA": 1714, "CH": 1715, "Cer": 1716, "Image": 1717, "New": 1718, "On": 1719, "Ps": 1720, "Payload": 1721, "Rundll32": 1722, "SM": 1723, "TEM": 1724, "Team": 1725, "VM": 1726, "VBS": 1727, "capture": 1728, "desktop": 1729, "few": 1730, "feat": 1731, "im": 1732, "mail": 1733, "might": 1734, "rs": 1735, "rule": 1736, "sv": 1737, "sw": 1738, "try": 1739, "##ool": 1740, "##af": 1741, "##nti": 1742, "##nect": 1743, "##cut": 1744, "##mun": 1745, "##mPwd": 1746, "##DS": 1747, "##Path": 1748, "##FTW": 1749, "##ined": 1750, "##lly": 1751, "##ically": 1752, "##tance": 1753, "##mate": 1754, "one": 1755, "read": 1756, "reboot": 1757, "##ations": 1758, "##plic": 1759, "##romis": 1760, "connection": 1761, "##ild": 1762, "##vely": 1763, "##ime": 1764, "##chost": 1765, "enumeration": 1766, "AdmPwd": 1767, "spool": 1768, "##ization": 1769, "Attrib": 1770, "##ortcut": 1771, "##sively": 1772, "attacker": 1773, "compromis": 1774, "results": 1775, "tempor": 1776, "InstallUtil": 1777, "##itimate": 1778, "##ploy": 1779, "called": 1780, "provide": 1781, "NTDS": 1782, "##erminal": 1783, "arguments": 1784, "##eved": 1785, "SOFTW": 1786, "driver": 1787, "Scheduled": 1788, "##uthor": 1789, "##ecursively": 1790, "packets": 1791, "##tended": 1792, "Attackers": 1793, "exploitation": 1794, "Environment": 1795, "Successf": 1796, "configured": 1797, "legitimate": 1798, "TEMP": 1799, "rsync": 1800, "svchost": 1801, "SOFTWARE": 1802, "From": 1803, "Host": 1804, "LO": 1805, "MS": 1806, "Prompt": 1807, "Sus": 1808, "Ticket": 1809, "Tamper": 1810, "bit": 1811, "cr": 1812, "dit": 1813, "full": 1814, "gu": 1815, "help": 1816, "ind": 1817, "imp": 1818, "just": 1819, "jour": 1820, "language": 1821, "mul": 1822, "post": 1823, "queries": 1824, "ransomware": 1825, "ste": 1826, "ssh": 1827, "tw": 1828, "tmp": 1829, "wm": 1830, "wish": 1831, "##por": 1832, "##ling": 1833, "##os": 1834, "##ock": 1835, "##ale": 1836, "##atic": 1837, "##nal": 1838, "##hip": 1839, "##code": 1840, "##ep": 1841, "##sing": 1842, "##res": 1843, "##dow": 1844, "##ken": 1845, "##fw": 1846, "##Dump": 1847, "##brary": 1848, "##Exec": 1849, "##IG": 1850, "##To": 1851, "##erve": 1852, "##ines": 1853, "##inal": 1854, "##tect": 1855, "##tim": 1856, "##llo": 1857, "example": 1858, "extract": 1859, "intended": 1860, "##ership": 1861, "##rike": 1862, "##ulating": 1863, "proxy": 1864, "Export": 1865, "Read": 1866, "enables": 1867, "creation": 1868, "##stabl": 1869, "stream": 1870, "Injection": 1871, "shadow": 1872, "##ipbo": 1873, "chmod": 1874, "utilities": 1875, "send": 1876, "scripts": 1877, "Sharp": 1878, "functional": 1879, "lists": 1880, "##ages": 1881, "opened": 1882, "##shark": 1883, "hash": 1884, "##aph": 1885, "class": 1886, "Logs": 1887, "device": 1888, "copying": 1889, "##duct": 1890, "obtain": 1891, "standard": 1892, "##andler": 1893, "tools": 1894, "collection": 1895, "upd": 1896, "type": 1897, "syslog": 1898, "Editor": 1899, "discovery": 1900, "Alternate": 1901, "escal": 1902, "ownership": 1903, "Results": 1904, "observe": 1905, "determin": 1906, "Snake": 1907, "prereq": 1908, "journal": 1909, "multi": 1910, "##ipboard": 1911, "Ar": 1912, "After": 1913, "Base": 1914, "Brute": 1915, "Code": 1916, "COM": 1917, "Desktop": 1918, "Folder": 1919, "LAP": 1920, "Masquerading": 1921, "Oper": 1922, "Path": 1923, "Sta": 1924, "Server": 1925, "Ub": 1926, "US": 1927, "bookmarks": 1928, "could": 1929, "curl": 1930, "establ": 1931, "long": 1932, "mcs": 1933, "pull": 1934, "ports": 1935, "red": 1936, "rundll32": 1937, "same": 1938, "take": 1939, "tshark": 1940, "upon": 1941, "ufw": 1942, "want": 1943, "##pa": 1944, "##her": 1945, "##host": 1946, "##cp": 1947, "##ses": 1948, "##fox": 1949, "##bod": 1950, "##ER": 1951, "##EY": 1952, "##gine": 1953, "##In": 1954, "##NC": 1955, "##Set": 1956, "##36": 1957, "##33": 1958, "##21": 1959, "##CP": 1960, "##CLI": 1961, "##Bit": 1962, "##ZE": 1963, "##ination": 1964, "##onitor": 1965, "##text": 1966, "##orm": 1967, "##read": 1968, "exfiltr": 1969, "##ases": 1970, "##asion": 1971, "##tables": 1972, "##ular": 1973, "##untu": 1974, "##irus": 1975, "form": 1976, "##look": 1977, "Exam": 1978, "##vel": 1979, "##cket": 1980, "##otenti": 1981, "##chi": 1982, "store": 1983, "modules": 1984, "chown": 1985, "Enumeration": 1986, "##ized": 1987, "##olicies": 1988, "allows": 1989, "defender": 1990, "vari": 1991, "##abling": 1992, "specify": 1993, "container": 1994, "containers": 1995, "##aging": 1996, "trick": 1997, "##void": 1998, "##jects": 1999, "##aptures": 2000, "compile": 2001, "Login": 2002, "##SIZE": 2003, "Macro": 2004, "##ights": 2005, "privilege": 2006, "nobod": 2007, "Firefox": 2008, "##ovement": 2009, "T11": 2010, "T15": 2011, "obfusc": 2012, "NTLM": 2013, "collect": 2014, "utilizes": 2015, "including": 2016, "##Control": 2017, "existing": 2018, "likely": 2019, "RAT": 2020, "Regsv": 2021, "automatic": 2022, "##gger": 2023, "Kerberos": 2024, "LockBit": 2025, "elevated": 2026, "going": 2027, "available": 2028, "##hentication": 2029, "CHM": 2030, "SMB": 2031, "feature": 2032, "Successful": 2033, "Suspicious": 2034, "determine": 2035, "multiple": 2036, "Base64": 2037, "LAPS": 2038, "Ubuntu": 2039, "nobody": 2040, "Bin": 2041, "Cmd": 2042, "Coll": 2043, "Dark": 2044, "Ev": 2045, "Gr": 2046, "IN": 2047, "Imp": 2048, "Memory": 2049, "Mimikatz": 2050, "OS": 2051, "PAM": 2052, "Root": 2053, "Recon": 2054, "Rock": 2055, "Session": 2056, "Saf": 2057, "Up": 2058, "VI": 2059, "Virtual": 2060, "Wer": 2061, "achi": 2062, "cor": 2063, "direct": 2064, "gain": 2065, "hi": 2066, "high": 2067, "id": 2068, "linux": 2069, "last": 2070, "mark": 2071, "more": 2072, "rm": 2073, "ran": 2074, "recursively": 2075, "sample": 2076, "secre": 2077, "vbs": 2078, "wscript": 2079, "##password": 2080, "##lter": 2081, "##oz": 2082, "##other": 2083, "##ient": 2084, "##ays": 2085, "##aft": 2086, "##ci": 2087, "##r32": 2088, "##dmin": 2089, "##face": 2090, "##zip": 2091, "##gan": 2092, "##55": 2093, "##Server": 2094, "##Re": 2095, "##27": 2096, "##CU": 2097, "##CK": 2098, "##Time": 2099, "##Hound": 2100, "##Fault": 2101, "##internal": 2102, "##tead": 2103, "these": 2104, "##lets": 2105, "explorer": 2106, "external": 2107, "##ari": 2108, "##arac": 2109, "##arts": 2110, "filter": 2111, "##ulation": 2112, "look": 2113, "rel": 2114, "##ply": 2115, "proc": 2116, "##ily": 2117, "another": 2118, "##cker": 2119, "ens": 2120, "active": 2121, "activity": 2122, "scann": 2123, "##arent": 2124, "##puters": 2125, "Detection": 2126, "##emb": 2127, "Proxy": 2128, "##perties": 2129, "##tra": 2130, "Activity": 2131, "##agement": 2132, "downloaded": 2133, "Stream": 2134, "defined": 2135, "Config": 2136, "##uster": 2137, "well": 2138, "unl": 2139, "attackers": 2140, "HKCU": 2141, "cluster": 2142, "print": 2143, "principal": 2144, "encrypt": 2145, "result": 2146, "level": 2147, "HTA": 2148, "Uncom": 2149, "Compile": 2150, "Autom": 2151, "collected": 2152, "locale": 2153, "typically": 2154, "certificate": 2155, "certutil": 2156, "servers": 2157, "works": 2158, "include": 2159, "attributes": 2160, "attribute": 2161, "Manager": 2162, "locked": 2163, "SOCK": 2164, "##asquerade": 2165, "document": 2166, "documents": 2167, "tickets": 2168, "Class": 2169, "Force": 2170, "Overwri": 2171, "Hello": 2172, "known": 2173, "Emulates": 2174, "numerous": 2175, "truncate": 2176, "PsExec": 2177, "##plicated": 2178, "Attributes": 2179, "temporary": 2180, "functionality": 2181, "##ormal": 2182, "format": 2183, "Examine": 2184, "Regsvr32": 2185, "Rocke": 2186, "WerFault": 2187, "##internals": 2188, "##aracter": 2189, "scanned": 2190, "Uncomplicated": 2191, "AM": 2192, "AF": 2193, "Audit": 2194, "Cron": 2195, "Dec": 2196, "Den": 2197, "Every": 2198, "Gu": 2199, "ID": 2200, "Item": 2201, "Msiexec": 2202, "Moz": 2203, "Rest": 2204, "Wor": 2205, "avoid": 2206, "bp": 2207, "bec": 2208, "cat": 2209, "cap": 2210, "ds": 2211, "gr": 2212, "mimikatz": 2213, "masquerade": 2214, "native": 2215, "pat": 2216, "pur": 2217, "pus": 2218, "rights": 2219, "sav": 2220, "sym": 2221, "ter": 2222, "tty": 2223, "tcp": 2224, "##xity": 2225, "##ps": 2226, "##ix": 2227, "##the": 2228, "##aem": 2229, "##ness": 2230, "##van": 2231, "##view": 2232, "##ues": 2233, "##mu": 2234, "##ball": 2235, "##EL": 2236, "##MAN": 2237, "##Item": 2238, "##SR": 2239, "##Shell": 2240, "##Tr": 2241, "##The": 2242, "##init": 2243, "##ested": 2244, "exec": 2245, "exclud": 2246, "##ares": 2247, "##arily": 2248, "##etch": 2249, "##ription": 2250, "##mail": 2251, "##ulator": 2252, "##act": 2253, "##utl": 2254, "register": 2255, "##irection": 2256, "thus": 2257, "protocol": 2258, "cons": 2259, "Extract": 2260, "##str": 2261, "logout": 2262, "##ilent": 2263, "##soci": 2264, "##round": 2265, "choo": 2266, "Product": 2267, "Properties": 2268, "##umerates": 2269, "installer": 2270, "shellcode": 2271, "downloads": 2272, "arp": 2273, "##usts": 2274, "simple": 2275, "simulate": 2276, "simply": 2277, "alternate": 2278, "openss": 2279, "adding": 2280, "Addition": 2281, "##ternative": 2282, "trusts": 2283, "HKEY": 2284, "clipboard": 2285, "request": 2286, "encrypted": 2287, "Tool": 2288, "hand": 2289, "completed": 2290, "completes": 2291, "complexity": 2292, "Lists": 2293, "object": 2294, "##tification": 2295, "schedule": 2296, "loaded": 2297, "Keys": 2298, "decod": 2299, "decode": 2300, "##ithub": 2301, "##aching": 2302, "location": 2303, "CurrentControl": 2304, "Encrypt": 2305, "Screen": 2306, "##illa": 2307, "Basic": 2308, "Edit": 2309, "Clears": 2310, "Simulate": 2311, "inside": 2312, "offline": 2313, "Manip": 2314, "Malicious": 2315, "point": 2316, "production": 2317, "Append": 2318, "renamed": 2319, "exists": 2320, "details": 2321, "iptables": 2322, "retrieve": 2323, "ps1": 2324, "EncodedCommand": 2325, "instance": 2326, "Internet": 2327, "listen": 2328, "packed": 2329, "persistent": 2330, "remove": 2331, "Hash": 2332, "prior": 2333, "Deletes": 2334, "search": 2335, "placed": 2336, "Certificate": 2337, "##munication": 2338, "compromised": 2339, "escalation": 2340, "COMMAN": 2341, "establish": 2342, "variations": 2343, "Binary": 2344, "VIB": 2345, "related": 2346, "AMSI": 2347, "Mozilla": 2348, "bpf": 2349, "purpo": 2350, "##aemon": 2351, "openssl": 2352, "Additionally": 2353, "CurrentControlSet": 2354, "COMMAND": 2355, "Bookmarks": 2356, "BIT": 2357, "Can": 2358, "Cim": 2359, "Calc": 2360, "Dll": 2361, "Gener": 2362, "Help": 2363, "Handler": 2364, "Ide": 2365, "Li": 2366, "Mail": 2367, "Non": 2368, "Own": 2369, "PU": 2370, "Pre": 2371, "Pop": 2372, "PAC": 2373, "Policies": 2374, "Rec": 2375, "Serv": 2376, "SIG": 2377, "Silent": 2378, "URL": 2379, "UNC": 2380, "Via": 2381, "bl": 2382, "bat": 2383, "copies": 2384, "don": 2385, "dest": 2386, "down": 2387, "fam": 2388, "fur": 2389, "github": 2390, "he": 2391, "hal": 2392, "ima": 2393, "me": 2394, "mak": 2395, "py": 2396, "ping": 2397, "potenti": 2398, "size": 2399, "##pec": 2400, "##lic": 2401, "##off": 2402, "##ogr": 2403, "##tten": 2404, "##ais": 2405, "##aults": 2406, "##nam": 2407, "##nais": 2408, "##cation": 2409, "##cts": 2410, "##ser": 2411, "##sance": 2412, "##ric": 2413, "##rame": 2414, "##date": 2415, "##dit": 2416, "##down": 2417, "##kit": 2418, "##ynam": 2419, "##OL": 2420, "##bot": 2421, "##jack": 2422, "##Ass": 2423, "##Admin": 2424, "##Service": 2425, "##RI": 2426, "##Run": 2427, "##CA": 2428, "##Cmd": 2429, "##Test": 2430, "##Gate": 2431, "##KET": 2432, "##esfully": 2433, "theft": 2434, "thepassword": 2435, "token": 2436, "##red": 2437, "exit": 2438, "extrac": 2439, "##atus": 2440, "##aster": 2441, "##ries": 2442, "##main": 2443, "often": 2444, "communication": 2445, "Window": 2446, "refl": 2447, "remain": 2448, "##iration": 2449, "sus": 2450, "succ": 2451, "conn": 2452, "Example": 2453, "##stru": 2454, "bytes": 2455, "deploy": 2456, "Reboot": 2457, "##erved": 2458, "Creating": 2459, "stop": 2460, "show": 2461, "Executable": 2462, "##ackup": 2463, "child": 2464, "Engine": 2465, "setup": 2466, "Provid": 2467, "Program": 2468, "techniques": 2469, "cmdlets": 2470, "##elf": 2471, "##elper": 2472, "power": 2473, "Show": 2474, "Contain": 2475, "Connection": 2476, "Connect": 2477, "netsh": 2478, "##ather": 2479, "adds": 2480, "until": 2481, "socket": 2482, "trans": 2483, "##alcon": 2484, "##shta": 2485, "##shot": 2486, "Sets": 2487, "hashes": 2488, "Defense": 2489, "timeout": 2490, "client": 2491, "resource": 2492, "administrator": 2493, "##istrative": 2494, "AtomicTest": 2495, "privileged": 2496, "Applications": 2497, "tasks": 2498, "##tivate": 2499, "##doc": 2500, "writes": 2501, "writing": 2502, "written": 2503, "Passwords": 2504, "commonly": 2505, "infected": 2506, "JSON": 2507, "Searches": 2508, "machines": 2509, "Filter": 2510, "recent": 2511, "record": 2512, "Simulates": 2513, "argument": 2514, "Perform": 2515, "Spawn": 2516, "##nces": 2517, "instead": 2518, "##gisterServer": 2519, "owner": 2520, "pos": 2521, "Allow": 2522, "AppCmd": 2523, "renames": 2524, "001": 2525, "observed": 2526, "Privile": 2527, "Sysmon": 2528, "operation": 2529, "restarts": 2530, "screenshot": 2531, "assemb": 2532, "HTTPS": 2533, "blocking": 2534, "GPO": 2535, "trigger": 2536, "instances": 2537, "##olders": 2538, "however": 2539, "Center": 2540, "leveraging": 2541, "vulnerable": 2542, "##porting": 2543, "updated": 2544, "USER": 2545, "Cmdlet": 2546, "DarkGate": 2547, "Update": 2548, "achieved": 2549, "hives": 2550, "##ganogr": 2551, "Overwrite": 2552, "choosing": 2553, "Ideally": 2554, "Owner": 2555, "PACKET": 2556, "further": 2557, "halt": 2558, "images": 2559, "##naissance": 2560, "##ramework": 2561, "reflect": 2562, "succesfully": 2563, "assembly": 2564, "##ganograph": 2565, "11": 2566, "19": 2567, "24": 2568, "30": 2569, "32": 2570, "64": 2571, "AT": 2572, "Blo": 2573, "Bookmark": 2574, "Det": 2575, "Es": 2576, "Full": 2577, "Falcon": 2578, "Language": 2579, "Mode": 2580, "MAC": 2581, "Make": 2582, "Monitor": 2583, "Not": 2584, "Pass": 2585, "RH": 2586, "Rub": 2587, "Ransomware": 2588, "Se": 2589, "SAM": 2590, "Tor": 2591, "Terminal": 2592, "UID": 2593, "Vis": 2594, "Val": 2595, "Wri": 2596, "Will": 2597, "author": 2598, "ben": 2599, "bad": 2600, "cam": 2601, "cscript": 2602, "captures": 2603, "caching": 2604, "des": 2605, "den": 2606, "dmp": 2607, "email": 2608, "fish": 2609, "gi": 2610, "min": 2611, "msiexec": 2612, "master": 2613, "names": 2614, "normal": 2615, "ori": 2616, "pod": 2617, "rc": 2618, "rout": 2619, "recon": 2620, "rand": 2621, "say": 2622, "section": 2623, "signed": 2624, "tor": 2625, "turn": 2626, "terminal": 2627, "ur": 2628, "vault": 2629, "way": 2630, "##ph": 2631, "##pg": 2632, "##pend": 2633, "##ptance": 2634, "##ls": 2635, "##late": 2636, "##list": 2637, "##ose": 2638, "##ite": 2639, "##ible": 2640, "##test": 2641, "##ax": 2642, "##nn": 2643, "##ns": 2644, "##names": 2645, "##hing": 2646, "##hold": 2647, "##ces": 2648, "##cat": 2649, "##cDump": 2650, "##ef": 2651, "##eus": 2652, "##ration": 2653, "##dst": 2654, "##ven": 2655, "##ks": 2656, "##mb": 2657, "##fo": 2658, "##fing": 2659, "##ward": 2660, "##UI": 2661, "##Desk": 2662, "##PN": 2663, "##PC": 2664, "##ger": 2665, "##gress": 2666, "##12": 2667, "##50": 2668, "##40": 2669, "##No": 2670, "##AD": 2671, "##AT": 2672, "##Sup": 2673, "##35": 2674, "##RM": 2675, "##TE": 2676, "##HIN": 2677, "##inter": 2678, "##tit": 2679, "##tire": 2680, "##orma": 2681, "##orted": 2682, "##relate": 2683, "export": 2684, "##owdst": 2685, "##ented": 2686, "injects": 2687, "##ecure": 2688, "##asting": 2689, "##als": 2690, "##rop": 2691, "##erson": 2692, "##anting": 2693, "comb": 2694, "computers": 2695, "WinRM": 2696, "##utdown": 2697, "once": 2698, "repl": 2699, "##ites": 2700, "##iting": 2701, "##itch": 2702, "thres": 2703, "subs": 2704, "##entutl": 2705, "protection": 2706, "progress": 2707, "conce": 2708, "##ilies": 2709, "usernames": 2710, "advan": 2711, "##otnet": 2712, "##ceptance": 2713, "##quis": 2714, "Report": 2715, "associ": 2716, "logoff": 2717, "entire": 2718, "acceptance": 2719, "systemd": 2720, "systemctl": 2721, "Input": 2722, "Inline": 2723, "##force": 2724, "Detect": 2725, "shortcut": 2726, "chann": 2727, "Systemd": 2728, "Enumerates": 2729, "##usion": 2730, "Protection": 2731, "Common": 2732, "maldoc": 2733, "powero": 2734, "Shortcut": 2735, "defense": 2736, "functions": 2737, "timer": 2738, "various": 2739, "simulating": 2740, "listing": 2741, "##pplied": 2742, "along": 2743, "DomainG": 2744, "Adds": 2745, "unre": 2746, "uninstall": 2747, "uncom": 2748, "trap": 2749, "private": 2750, "ADCom": 2751, "valid": 2752, "##ffect": 2753, "bashrc": 2754, "##clusion": 2755, "click": 2756, "pres": 2757, "emulate": 2758, "reset": 2759, "administrative": 2760, "##ookies": 2761, "tarball": 2762, "Installation": 2763, "##ignment": 2764, "overwri": 2765, "library": 2766, "complete": 2767, "completion": 2768, "callout": 2769, "methods": 2770, "itself": 2771, "Notepad": 2772, "stage": 2773, "staging": 2774, "##AME": 2775, "interface": 2776, "locally": 2777, "Administrators": 2778, "ESXCLI": 2779, "Outlook": 2780, "##imited": 2781, "2021": 2782, "builtin": 2783, "evasion": 2784, "unde": 2785, "Alternative": 2786, "changes": 2787, "esentutl": 2788, "##ptions": 2789, "##lags": 2790, "produce": 2791, "products": 2792, "controls": 2793, "Private": 2794, "Sysinternals": 2795, "generated": 2796, "RAW": 2797, "applications": 2798, "Print": 2799, "Principal": 2800, "##Exp": 2801, "##INT": 2802, "Kerberoasting": 2803, "tries": 2804, "actions": 2805, "AutoRun": 2806, "persistance": 2807, "remo": 2808, "Modifies": 2809, "CentOS": 2810, "EXE": 2811, "##utions": 2812, "##atching": 2813, "Crowdst": 2814, "VBScript": 2815, "LOCA": 2816, "guess": 2817, "two": 2818, "wmic": 2819, "SharpHound": 2820, "Arbitrary": 2821, "redirection": 2822, "##paign": 2823, "automatically": 2824, "Safari": 2825, "Virtualization": 2826, "looked": 2827, "Configuration": 2828, "Everyone": 2829, "push": 2830, "saves": 2831, "tcpdump": 2832, "decoding": 2833, "Canary": 2834, "Mailbox": 2835, "SIGINT": 2836, "destination": 2837, "families": 2838, "##ynamic": 2839, "##jacking": 2840, "suspicious": 2841, "connected": 2842, "possi": 2843, "MACHIN": 2844, "RHEL": 2845, "Rubeus": 2846, "campaign": 2847, "designed": 2848, "random": 2849, "saying": 2850, "url": 2851, "##ormally": 2852, "threshold": 2853, "channel": 2854, "poweroff": 2855, "ADComputer": 2856, "Crowdstrike": 2857, "LOCAL": 2858, "MACHINE": 2859, "16": 2860, "127": 2861, "Author": 2862, "ASR": 2863, "Be": 2864, "Backup": 2865, "Co": 2866, "Curl": 2867, "CLI": 2868, "ER": 2869, "GA": 2870, "Identi": 2871, "Line": 2872, "Later": 2873, "Movement": 2874, "Mshta": 2875, "NO": 2876, "Name": 2877, "PR": 2878, "Rules": 2879, "SU": 2880, "Sensitive": 2881, "Sudo": 2882, "Temp": 2883, "TCP": 2884, "Ul": 2885, "Virus": 2886, "WD": 2887, "XLL": 2888, "affect": 2889, "brows": 2890, "browser": 2891, "batch": 2892, "ca": 2893, "cs": 2894, "cause": 2895, "dat": 2896, "dir": 2897, "driv": 2898, "dang": 2899, "fail": 2900, "framework": 2901, "gather": 2902, "hav": 2903, "job": 2904, "la": 2905, "ld": 2906, "link": 2907, "mem": 2908, "mech": 2909, "make": 2910, "movement": 2911, "nl": 2912, "os": 2913, "pause": 2914, "qu": 2915, "range": 2916, "sa": 2917, "sq": 2918, "sti": 2919, "sil": 2920, "te": 2921, "termin": 2922, "vic": 2923, "vss": 2924, "whe": 2925, "x64": 2926, "##pn": 2927, "##ped": 2928, "##pro": 2929, "##pray": 2930, "##less": 2931, "##oth": 2932, "##obs": 2933, "##ience": 2934, "##iObject": 2935, "##iases": 2936, "##aff": 2937, "##ne": 2938, "##capture": 2939, "##eep": 2940, "##sa": 2941, "##side": 2942, "##rv": 2943, "##ds": 2944, "##kes": 2945, "##ms": 2946, "##met": 2947, "##fetch": 2948, "##when": 2949, "##User": 2950, "##Data": 2951, "##Once": 2952, "##bin": 2953, "##bolic": 2954, "##Method": 2955, "##Po": 2956, "##PE": 2957, "##PR": 2958, "##Pre": 2959, "##Password": 2960, "##ginal": 2961, "##ground": 2962, "##19": 2963, "##Line": 2964, "##App": 2965, "##Script": 2966, "##Spray": 2967, "##ROR": 2968, "##TR": 2969, "##TY": 2970, "##86": 2971, "##erous": 2972, "##hed": 2973, "##oning": 2974, "##tify": 2975, "##ors": 2976, "##ortable": 2977, "##isor": 2978, "##led": 2979, "##rep": 2980, "exch": 2981, "##ower": 2982, "##entation": 2983, "intern": 2984, "##aramet": 2985, "##oud": 2986, "##ascript": 2987, "##tage": 2988, "##anis": 2989, "##anted": 2990, "##rit": 2991, "##map": 2992, "report": 2993, "reference": 2994, "##veral": 2995, "##ially": 2996, "##place": 2997, "those": 2998, "tests": 2999, "##ami": 3000, "supp": 3001, "project": 3002, "Exfiltr": 3003, "##ryption": 3004, "##quent": 3005, "Replace": 3006, "##ervisor": 3007, "creating": 3008, "They": 3009, "stating": 3010, "status": 3011, "Inform": 3012, "##ider": 3013, "##idump": 3014, "Deb": 3015, "Detected": 3016, "Deploy": 3017, "shares": 3018, "##overy": 3019, "space": 3020, "spray": 3021, "character": 3022, "##uses": 3023, "filesystem": 3024, "##perience": 3025, "several": 3026, "Anti": 3027, "##elnet": 3028, "installing": 3029, "CreateProcess": 3030, "shells": 3031, "Stub": 3032, "Strike": 3033, "##oofing": 3034, "Modules": 3035, "alread": 3036, "opening": 3037, "addition": 3038, "unlock": 3039, "##ypervisor": 3040, "ADS": 3041, "values": 3042, "##files": 3043, "##ources": 3044, "SetUID": 3045, "preload": 3046, "##earch": 3047, "##ublic": 3048, "require": 3049, "encryption": 3050, "WMIC": 3051, "modifies": 3052, "resources": 3053, "deletion": 3054, "Mach": 3055, "checks": 3056, "environments": 3057, "targe": 3058, "manip": 3059, "##tivities": 3060, "Running": 3061, "RunOnce": 3062, "viewed": 3063, "##uild": 3064, "calls": 3065, "messages": 3066, "spawns": 3067, "paths": 3068, "Accounts": 3069, "state": 3070, "word": 3071, "loading": 3072, "Compil": 3073, "Authentication": 3074, "Through": 3075, "HISTSIZE": 3076, "plist": 3077, "place": 3078, "utilized": 3079, "performs": 3080, "Request": 3081, "Adversary": 3082, "certain": 3083, "##balt": 3084, "Edge": 3085, "authentication": 3086, "return": 3087, "backup": 3088, "backdo": 3089, "background": 3090, "Spec": 3091, "evade": 3092, "needed": 3093, "APT": 3094, "Management": 3095, "Redline": 3096, "append": 3097, "stores": 3098, "compression": 3099, "Kerbrute": 3100, "versions": 3101, "actors": 3102, "004": 3103, "programs": 3104, "errors": 3105, "endpointwhen": 3106, "operating": 3107, "DoH": 3108, "Docker": 3109, "Schedule": 3110, "entries": 3111, "HISTFILESIZE": 3112, "retriev": 3113, "retrieved": 3114, "automated": 3115, "##itsadmin": 3116, "Scanning": 3117, "GPP": 3118, "flags": 3119, "##lite": 3120, "know": 3121, "listed": 3122, "lateral": 3123, "properties": 3124, "Modification": 3125, "Hashes": 3126, "Methods": 3127, "prim": 3128, "Loadable": 3129, "sweep": 3130, "connections": 3131, "AdmPwdExp": 3132, "steganograph": 3133, "Opera": 3134, "Operation": 3135, "Standard": 3136, "Collection": 3137, "Rootkit": 3138, "correlate": 3139, "directly": 3140, "secrets": 3141, "##RegisterServer": 3142, "unlink": 3143, "Automated": 3144, "Deny": 3145, "Guest": 3146, "because": 3147, "capability": 3148, "listening": 3149, "purposes": 3150, "BITS": 3151, "Calculator": 3152, "Library": 3153, "Services": 3154, "blue": 3155, "##pecially": 3156, "##irationTime": 3157, "Provider": 3158, "Details": 3159, "Visual": 3160, "Value": 3161, "original": 3162, "routing": 3163, "##ATA": 3164, "advantage": 3165, "##quisites": 3166, "associated": 3167, "present": 3168, "overwrites": 3169, "undetected": 3170, "Cobalt": 3171, "ERROR": 3172, "Lateral": 3173, "Ultra": 3174, "drives": 3175, "dangerous": 3176, "having": 3177, "mechanis": 3178, "nltest": 3179, "sqlite": 3180, "silver": 3181, "victim": 3182, "vssadmin": 3183, "whether": 3184, "exchange": 3185, "internet": 3186, "Informed": 3187, "StubPath": 3188, "already": 3189, "AdmPwdExpirationTime": 3190, "steganography": 3191, "0x": 3192, "7z": 3193, "Am": 3194, "BP": 3195, "BA": 3196, "Bind": 3197, "CP": 3198, "CT": 3199, "Call": 3200, "Core": 3201, "Captures": 3202, "DD": 3203, "DC": 3204, "Dri": 3205, "Dynamic": 3206, "Er": 3207, "Elev": 3208, "ETW": 3209, "Folders": 3210, "Fax": 3211, "Go": 3212, "Gn": 3213, "Gate": 3214, "GCP": 3215, "Hi": 3216, "IS": 3217, "IT": 3218, "Jav": 3219, "Job": 3220, "Le": 3221, "Mp": 3222, "Min": 3223, "Men": 3224, "NS": 3225, "Normally": 3226, "OST": 3227, "Once": 3228, "OLE": 3229, "Pl": 3230, "PF": 3231, "Persis": 3232, "Parent": 3233, "Portable": 3234, "QUI": 3235, "Ret": 3236, "Role": 3237, "RSA": 3238, "S3": 3239, "She": 3240, "Ste": 3241, "Sup": 3242, "Secre": 3243, "SPN": 3244, "TR": 3245, "TG": 3246, "Tim": 3247, "UD": 3248, "URI": 3249, "Version": 3250, "VSS": 3251, "Wh": 3252, "Wm": 3253, "W32": 3254, "Wires": 3255, "Wev": 3256, "XS": 3257, "able": 3258, "auth": 3259, "bre": 3260, "bet": 3261, "both": 3262, "cri": 3263, "clo": 3264, "cake": 3265, "dist": 3266, "dial": 3267, "fa": 3268, "fut": 3269, "final": 3270, "gpg": 3271, "grep": 3272, "hta": 3273, "hint": 3274, "hive": 3275, "ig": 3276, "ide": 3277, "kit": 3278, "kill": 3279, "kerb": 3280, "low": 3281, "len": 3282, "monitor": 3283, "next": 3284, "nix": 3285, "occ": 3286, "pf": 3287, "pam": 3288, "pop": 3289, "pse": 3290, "python": 3291, "parent": 3292, "rol": 3293, "sft": 3294, "sign": 3295, "secure": 3296, "tamper": 3297, "telnet": 3298, "vm": 3299, "vis": 3300, "ws": 3301, "were": 3302, "xls": 3303, "##pol": 3304, "##pwn": 3305, "##pwd": 3306, "##lper": 3307, "##oc": 3308, "##of": 3309, "##oice": 3310, "##ium": 3311, "##task": 3312, "##aible": 3313, "##not": 3314, "##hark": 3315, "##con": 3316, "##call": 3317, "##cmd": 3318, "##cription": 3319, "##ee": 3320, "##eper": 3321, "##ehavi": 3322, "##equent": 3323, "##sed": 3324, "##sent": 3325, "##sel": 3326, "##slook": 3327, "##rect": 3328, "##dd": 3329, "##v4": 3330, "##ving": 3331, "##ved": 3332, "##kfl": 3333, "##uP": 3334, "##util": 3335, "##uff": 3336, "##find": 3337, "##we": 3338, "##wind": 3339, "##yer": 3340, "##ykatz": 3341, "##US": 3342, "##DLL": 3343, "##DATA": 3344, "##OFILE": 3345, "##ORE": 3346, "##bang": 3347, "##ME": 3348, "##PT": 3349, "##Policy": 3350, "##Prompt": 3351, "##Power": 3352, "##Paramet": 3353, "##PDATA": 3354, "##gin": 3355, "##gal": 3356, "##gth": 3357, "##gent": 3358, "##grity": 3359, "##10": 3360, "##59": 3361, "##44": 3362, "##65": 3363, "##600": 3364, "##LP": 3365, "##LY": 3366, "##Log": 3367, "##ND": 3368, "##NK": 3369, "##NAME": 3370, "##NORE": 3371, "##At": 3372, "##SQ": 3373, "##39": 3374, "##38": 3375, "##Recon": 3376, "##22": 3377, "##Cat": 3378, "##Cache": 3379, "##Tun": 3380, "##GID": 3381, "##76": 3382, "##Behavi": 3383, "##Handler": 3384, "##HPower": 3385, "##Job": 3386, "##inder": 3387, "##ints": 3388, "##information": 3389, "##helper": 3390, "##once": 3391, "##tegrity": 3392, "##tice": 3393, "##ective": 3394, "##oring": 3395, "##ories": 3396, "##orAdmin": 3397, "##lease": 3398, "toc": 3399, "##omp": 3400, "##omps": 3401, "##rend": 3402, "excel": 3403, "inc": 3404, "invo": 3405, "intent": 3406, "invoke": 3407, "injection": 3408, "usage": 3409, "##arge": 3410, "##ouble": 3411, "##alaible": 3412, "##royer": 3413, "##ansi": 3414, "##odhelper": 3415, "##uler": 3416, "##ulated": 3417, "##estomp": 3418, "##acy": 3419, "##acing": 3420, "##activate": 3421, "##aconing": 3422, "##uts": 3423, "real": 3424, "##olden": 3425, "##plays": 3426, "##ponse": 3427, "proce": 3428, "proof": 3429, "conta": 3430, "controll": 3431, "context": 3432, "constru": 3433, "External": 3434, "Extension": 3435, "Experience": 3436, "##stat": 3437, "anti": 3438, "userinit": 3439, "##ectl": 3440, "adfind": 3441, "detected": 3442, "detect": 3443, "disc": 3444, "displays": 3445, "Register": 3446, "runonce": 3447, "PowerCLI": 3448, "##chive": 3449, "Display": 3450, "activities": 3451, "##state": 3452, "scp": 3453, "scan": 3454, "scans": 3455, "Information": 3456, "Inbox": 3457, "Info": 3458, "InTun": 3459, "##iled": 3460, "##forced": 3461, "Dev": 3462, "shred": 3463, "shuts": 3464, "domaininformation": 3465, "cannot": 3466, "##itySup": 3467, "##keeper": 3468, "choice": 3469, "System32": 3470, "Enabling": 3471, "ProcDump": 3472, "Commun": 3473, "##trokes": 3474, "##plem": 3475, "macro": 3476, "Shutdown": 3477, "##check": 3478, "Stuff": 3479, "Stomps": 3480, "Child": 3481, "Character": 3482, "Consent": 3483, "##bserver": 3484, "netstat": 3485, "docker": 3486, "hosts": 3487, "hostname": 3488, "##agic": 3489, "alter": 3490, "aliases": 3491, "win32": 3492, "window": 3493, "DomainCon": 3494, "DomainUser": 3495, "opens": 3496, "##pping": 3497, "outputting": 3498, "keylog": 3499, "transi": 3500, "##ctor": 3501, "##cture": 3502, "privesc": 3503, "##monly": 3504, "##arding": 3505, "SetGID": 3506, "##rupt": 3507, "prefetch": 3508, "Default": 3509, "CommandProcess": 3510, "WMIObject": 3511, "##eros": 3512, "##ributions": 3513, "followed": 3514, "Userinit": 3515, "abuse": 3516, "checking": 3517, "tasklist": 3518, "many": 3519, "manage": 3520, "management": 3521, "notification": 3522, "##pload": 3523, "viewer": 3524, "lie": 3525, "sessions": 3526, "##Viewer": 3527, "provides": 3528, "payloads": 3529, "##ticular": 3530, "disabled": 3531, "interest": 3532, "interested": 3533, "interrupt": 3534, "decoded": 3535, "decrypt": 3536, "HISTIG": 3537, "build": 3538, "particular": 3539, "passed": 3540, "located": 3541, "Testing": 3542, "##Provid": 3543, "events": 3544, "sysadmin": 3545, "syscall": 3546, "##akes": 3547, "##query": 3548, "Simulating": 3549, "auditd": 3550, "includes": 3551, "RDON": 3552, "Spoofing": 3553, "even": 3554, "gets": 3555, "Remo": 3556, "RemCom": 3557, "Chromium": 3558, "APPDATA": 3559, "##Connect": 3560, "changing": 3561, "Events": 3562, "Opens": 3563, "Opened": 3564, "loginwind": 3565, "compressed": 3566, "Response": 3567, "crond": 3568, "cronta": 3569, "drive": 3570, "drivers": 3571, "shared": 3572, "databases": 3573, "BlackCat": 3574, "Privacy": 3575, "general": 3576, "generate": 3577, "expected": 3578, "expired": 3579, "parameters": 3580, "Notify": 3581, "avalaible": 3582, "behaviour": 3583, "regarding": 3584, "whoami": 3585, "Changing": 3586, "doesn": 3587, "Launches": 3588, "Tasks": 3589, "bruteforce": 3590, "assigned": 3591, "##abilities": 3592, "blocked": 3593, "##OMPT": 3594, "PS1": 3595, "Without": 3596, "##lib": 3597, "allowing": 3598, "Inter": 3599, "package": 3600, "extensions": 3601, "confirming": 3602, "addresses": 3603, "availability": 3604, "EXIT": 3605, "Trap": 3606, "Viewer": 3607, "numeric": 3608, "##escription": 3609, "startedThe": 3610, "Loads": 3611, "truncates": 3612, "Compressing": 3613, "Compressed": 3614, "places": 3615, "##CommandLine": 3616, "vulnerability": 3617, "ImagePath": 3618, "VMs": 3619, "immu": 3620, "implem": 3621, "spoolsv": 3622, "compromise": 3623, "craft": 3624, "imperson": 3625, "steal": 3626, "twice": 3627, "##ported": 3628, "##time": 3629, "Reader": 3630, "sending": 3631, "##365": 3632, "exfiltrate": 3633, "T1119": 3634, "T154": 3635, "obfuscation": 3636, "Collect": 3637, "Evasion": 3638, "Graph": 3639, "INET": 3640, "Import": 3641, "Reconnaissance": 3642, "highly": 3643, "marks": 3644, "secret": 3645, "Classes": 3646, "CronJob": 3647, "Decode": 3648, "Decrypt": 3649, "Items": 3650, "Workfl": 3651, "patches": 3652, "symbolic": 3653, "territ": 3654, "##ShellCommandLine": 3655, "##Trust": 3656, "ScreenConnect": 3657, "Manipulate": 3658, "Manipulation": 3659, "searching": 3660, "bpfN": 3661, "DllRegisterServer": 3662, "General": 3663, "PUA": 3664, "making": 3665, "potential": 3666, "##Assignment": 3667, "deployment": 3668, "Programs": 3669, "Container": 3670, "transfer": 3671, "Privileged": 3672, "USERPR": 3673, "ATHPower": 3674, "Blood": 3675, "Write": 3676, "given": 3677, "vaultcmd": 3678, "##Notice": 3679, "combination": 3680, "subscription": 3681, "concept": 3682, "DomainGroup": 3683, "unregister": 3684, "uncommonly": 3685, "possible": 3686, "PROMPT": 3687, "browsers": 3688, "save": 3689, "##Preference": 3690, "Exfiltrate": 3691, "additional": 3692, "Machine": 3693, "Compiler": 3694, "backdoor": 3695, "primarily": 3696, "mechanism": 3697, "BPF": 3698, "BASH": 3699, "CTRL": 3700, "Driver": 3701, "Error": 3702, "GnuP": 3703, "Gatekeeper": 3704, "Hijacking": 3705, "ISO": 3706, "ITS": 3707, "Legal": 3708, "MpPreference": 3709, "Menu": 3710, "NSudo": 3711, "Persistent": 3712, "QUIC": 3713, "Retri": 3714, "RSAT": 3715, "Shebang": 3716, "TRAP": 3717, "UDP": 3718, "W32Time": 3719, "Wireshark": 3720, "XSL": 3721, "break": 3722, "distributions": 3723, "dialog": 3724, "failed": 3725, "future": 3726, "ign": 3727, "idea": 3728, "kerberos": 3729, "length": 3730, "psexec": 3731, "roles": 3732, "sftp": 3733, "visudo": 3734, "##selves": 3735, "##slookup": 3736, "##PromptBehavi": 3737, "##Parameter": 3738, "##SQL": 3739, "##ectively": 3740, "proceed": 3741, "constructor": 3742, "InTune": 3743, "##itySupported": 3744, "CommunitySupported": 3745, "Stuffing": 3746, "ChildItem": 3747, "ConsentPromptBehavi": 3748, "DomainController": 3749, "keylogger": 3750, "transient": 3751, "CommandProcessor": 3752, "HISTIGNORE": 3753, "sysadminctl": 3754, "RDONLY": 3755, "loginwindow": 3756, "immutable": 3757, "Workflow": 3758, "territory": 3759, "##ShellCommandLineParameter": 3760, "USERPROFILE": 3761, "ATHPowerShellCommandLineParameter": 3762, "GnuPG": 3763, "LegalNotice": 3764, "ConsentPromptBehaviorAdmin": 3765, "01": 3766, "365": 3767, "As": 3768, "AN": 3769, "AR": 3770, "ATP": 3771, "But": 3772, "CM": 3773, "Cat": 3774, "Custom": 3775, "Cookies": 3776, "DS": 3777, "Dest": 3778, "Dir": 3779, "DIS": 3780, "Daemon": 3781, "Description": 3782, "Ep": 3783, "ED": 3784, "Fon": 3785, "FILE": 3786, "Flags": 3787, "Gs": 3788, "HV": 3789, "How": 3790, "Hook": 3791, "Hide": 3792, "Helper": 3793, "Hypervisor": 3794, "Is": 3795, "IO": 3796, "IE": 3797, "IF": 3798, "Ind": 3799, "IAM": 3800, "Link": 3801, "LAN": 3802, "LNK": 3803, "Mc": 3804, "Mess": 3805, "Map": 3806, "Names": 3807, "Normal": 3808, "Or": 3809, "Oly": 3810, "Object": 3811, "Options": 3812, "Pu": 3813, "PD": 3814, "PP": 3815, "PC": 3816, "PSI": 3817, "PRE": 3818, "Potenti": 3819, "Please": 3820, "Qu": 3821, "Qak": 3822, "Ry": 3823, "Ren": 3824, "Rust": 3825, "Recursively": 3826, "RPC": 3827, "Spo": 3828, "Side": 3829, "Signed": 3830, "Stit": 3831, "Tar": 3832, "Take": 3833, "Time": 3834, "WLL": 3835, "XL": 3836, "XML": 3837, "ap": 3838, "around": 3839, "applied": 3840, "bu": 3841, "best": 3842, "bookmark": 3843, "bitsadmin": 3844, "cc": 3845, "c2": 3846, "cpl": 3847, "case": 3848, "dd": 3849, "du": 3850, "due": 3851, "dub": 3852, "done": 3853, "daemon": 3854, "drop": 3855, "dotnet": 3856, "ever": 3857, "eff": 3858, "fru": 3859, "global": 3860, "gzip": 3861, "home": 3862, "hide": 3863, "item": 3864, "kr": 3865, "ln": 3866, "lat": 3867, "mis": 3868, "met": 3869, "micro": 3870, "microsoft": 3871, "mav": 3872, "masquerading": 3873, "matching": 3874, "nt": 3875, "nc": 3876, "node": 3877, "none": 3878, "nslookup": 3879, "options": 3880, "pers": 3881, "pem": 3882, "page": 3883, "poll": 3884, "policies": 3885, "public": 3886, "sch": 3887, "src": 3888, "tit": 3889, "tail": 3890, "team": 3891, "upload": 3892, "vpn": 3893, "wb": 3894, "won": 3895, "xm": 3896, "x86": 3897, "year": 3898, "##xplorer": 3899, "##pr": 3900, "##link": 3901, "##lanting": 3902, "##lbin": 3903, "##ier": 3904, "##ian": 3905, "##iod": 3906, "##ivid": 3907, "##tle": 3908, "##tinu": 3909, "##tart": 3910, "##aution": 3911, "##aScript": 3912, "##apping": 3913, "##np": 3914, "##nted": 3915, "##cle": 3916, "##case": 3917, "##cument": 3918, "##cache": 3919, "##ex": 3920, "##eed": 3921, "##eIn": 3922, "##sF": 3923, "##son": 3924, "##set": 3925, "##rar": 3926, "##ras": 3927, "##df": 3928, "##domain": 3929, "##ua": 3930, "##uk": 3931, "##uf": 3932, "##ug": 3933, "##uid": 3934, "##ucture": 3935, "##my": 3936, "##man": 3937, "##ful": 3938, "##with": 3939, "##wanted": 3940, "##yDesk": 3941, "##ycle": 3942, "##Up": 3943, "##UH": 3944, "##De": 3945, "##DO": 3946, "##DB": 3947, "##Dut": 3948, "##Def": 3949, "##OAD": 3950, "##bt": 3951, "##bil": 3952, "##base": 3953, "##book": 3954, "##jected": 3955, "##En": 3956, "##ES": 3957, "##Edit": 3958, "##MP": 3959, "##Mod": 3960, "##MeIn": 3961, "##Pr": 3962, "##Pass": 3963, "##P36": 3964, "##Planting": 3965, "##gation": 3966, "##56": 3967, "##58": 3968, "##4f": 3969, "##Int": 3970, "##Lo": 3971, "##LD": 3972, "##LS": 3973, "##List": 3974, "##LOAD": 3975, "##AS": 3976, "##ARI": 3977, "##Sh": 3978, "##Search": 3979, "##Start": 3980, "##Rule": 3981, "##28": 3982, "##CI": 3983, "##CC": 3984, "##Cer": 3985, "##CON": 3986, "##CMD": 3987, "##This": 3988, "##Task": 3989, "##Text": 3990, "##TTY": 3991, "##Gop": 3992, "##Global": 3993, "##70": 3994, "##With": 3995, "##Box": 3996, "##Browser": 3997, "##Helper": 3998, "##FS": 3999, "##VNC": 4000, "##XCer": 4001, "##ert": 4002, "##inject": 4003, "##eshell": 4004, "##onym": 4005, "##ectiv": 4006, "##ecdump": 4007, "##ise": 4008, "##ished": 4009, "##lemet": 4010, "top": 4011, "##rease": 4012, "exection": 4013, "exclusion": 4014, "##eder": 4015, "##edit": 4016, "##enari": 4017, "int": 4018, "inv": 4019, "inac": 4020, "internal": 4021, "instru": 4022, "injected": 4023, "##arting": 4024, "##ough": 4025, "##ounted": 4026, "##alog": 4027, "##etCache": 4028, "executor": 4029, "##rol": 4030, "##rok": 4031, "##ross": 4032, "##take": 4033, "##mall": 4034, "##hish": 4035, "##hishing": 4036, "##unks": 4037, "comadmin": 4038, "fileand": 4039, "##adows": 4040, "##action": 4041, "loop": 4042, "lots": 4043, "lolbin": 4044, "ons": 4045, "onion": 4046, "rever": 4047, "reading": 4048, "review": 4049, "exeUpon": 4050, "##olog": 4051, "##olution": 4052, "##ird": 4053, "##ayer": 4054, "forest": 4055, "testing": 4056, "##umentation": 4057, "##aming": 4058, "success": 4059, "supplied": 4060, "conduct": 4061, "##aintext": 4062, "Exp": 4063, "Exit": 4064, "Extrac": 4065, "Exclusion": 4066, "##ific": 4067, "##ified": 4068, "antiv": 4069, "##velo": 4070, "Powers": 4071, "byte": 4072, "depend": 4073, "develo": 4074, "##quence": 4075, "disables": 4076, "Regist": 4077, "Reporting": 4078, "##urer": 4079, "PowerPo": 4080, "PowerUp": 4081, "##ching": 4082, "engine": 4083, "enabling": 4084, "enough": 4085, "Creation": 4086, "across": 4087, "Then": 4088, "system32": 4089, "##station": 4090, "##ope": 4091, "Usage": 4092, "password12": 4093, "Inject": 4094, "Integrity": 4095, "shrc": 4096, "domains": 4097, "Executing": 4098, "Loading": 4099, "##ctions": 4100, "##keep": 4101, "##ement": 4102, "##ipher": 4103, "setuid": 4104, "##used": 4105, "##usual": 4106, "##nique": 4107, "Computer": 4108, "Computers": 4109, "sel": 4110, "sequence": 4111, "Atta": 4112, "##tructure": 4113, "outside": 4114, "AnyDesk": 4115, "##omicsF": 4116, "poweshell": 4117, "Shares": 4118, "kext": 4119, "Stor": 4120, "Console": 4121, "Conrol": 4122, "GetObject": 4123, "weak": 4124, "webserver": 4125, "##agne": 4126, "period": 4127, "winpwn": 4128, "DomainPassword": 4129, "accessing": 4130, "accessed": 4131, "##ailable": 4132, "##mpic": 4133, "unat": 4134, "unit": 4135, "unload": 4136, "unset": 4137, "##STP": 4138, "traff": 4139, "##arded": 4140, "##ardware": 4141, "##ardDut": 4142, "Setup": 4143, "emulates": 4144, "follows": 4145, "LogMeIn": 4146, "currently": 4147, "deleting": 4148, "RemotePC": 4149, "calculator": 4150, "Macos": 4151, "dumps": 4152, "dumping": 4153, "##grade": 4154, "AtomicService": 4155, "Database": 4156, "Token": 4157, "taskhost": 4158, "very": 4159, "Netsh": 4160, "manager": 4161, "##feren": 4162, "Processes": 4163, "Runs": 4164, "Utility": 4165, "##ansfer": 4166, "Unwanted": 4167, "Unusual": 4168, "lib": 4169, "ListPlanting": 4170, "calling": 4171, "provider": 4172, "sched": 4173, "verifyctl": 4174, "launching": 4175, "NTFS": 4176, "piping": 4177, "interact": 4178, "There": 4179, "decrypted": 4180, "HISTCON": 4181, "plaintext": 4182, "parts": 4183, "passes": 4184, "types": 4185, "infras": 4186, "Required": 4187, "Encrypted": 4188, "sysinternals": 4189, "##torage": 4190, "##cheduler": 4191, "workstation": 4192, "Based": 4193, "authentic": 4194, "rece": 4195, "recovery": 4196, "##ensive": 4197, "prevents": 4198, "2022": 4199, "auditpol": 4200, "ers": 4201, "Space": 4202, "Spray": 4203, "evil": 4204, "evading": 4205, "finds": 4206, "office": 4207, "Also": 4208, "locking": 4209, "EventLog": 4210, "pointer": 4211, "embedding": 4212, "AppData": 4213, "Resource": 4214, "##0000": 4215, "keystrokes": 4216, "005": 4217, "clears": 4218, "cleartext": 4219, "themselves": 4220, "generally": 4221, "operator": 4222, "operations": 4223, "restore": 4224, "restarted": 4225, "exports": 4226, "Stops": 4227, "timestamps": 4228, "Clipboard": 4229, "Cloud": 4230, "Document": 4231, "Notification": 4232, "##svcs": 4233, "regular": 4234, "Attempts": 4235, "Attempting": 4236, "IPv4": 4237, "querying": 4238, "blocks": 4239, "##Execu": 4240, "##ecurse": 4241, "strings": 4242, "undertake": 4243, "exploited": 4244, "Head": 4245, "elevation": 4246, "properly": 4247, "confirms": 4248, "Modified": 4249, "prerequisites": 4250, "Embedd": 4251, "Transfer": 4252, "WebGlobal": 4253, "WebBrowser": 4254, "searched": 4255, "leverages": 4256, "T1027": 4257, "T1059": 4258, "appearance": 4259, "Craft": 4260, "Only": 4261, "Payloads": 4262, "mailbox": 4263, "swap": 4264, "switch": 4265, "spooler": 4266, "temporarily": 4267, "MSP36": 4268, "cras": 4269, "crack": 4270, "guest": 4271, "individ": 4272, "index": 4273, "import": 4274, "wmiObject": 4275, "##ToAss": 4276, "##ToAt": 4277, "sends": 4278, "obtained": 4279, "update": 4280, "AlternateShell": 4281, "PathToAt": 4282, "Stage": 4283, "redirect": 4284, "exfiltrated": 4285, "exfiltrating": 4286, "compiled": 4287, "obfuscate": 4288, "obfuscated": 4289, "Evade": 4290, "INetCache": 4291, "SessionGop": 4292, "directories": 4293, "marker": 4294, "##5535": 4295, "ensures": 4296, "Automation": 4297, "Denied": 4298, "GuardDut": 4299, "Restart": 4300, "Restore": 4301, "World": 4302, "become": 4303, "dscl": 4304, "dsquery": 4305, "grant": 4306, "patched": 4307, "##viewer": 4308, "##Trail": 4309, "exclude": 4310, "excluded": 4311, "##acturer": 4312, "consider": 4313, "##strumentation": 4314, "handled": 4315, "Screencapture": 4316, "VIBs": 4317, "purpose": 4318, "CimMethod": 4319, "Generic": 4320, "means": 4321, "makes": 4322, "potentially": 4323, "extraction": 4324, "powerSQL": 4325, "Connections": 4326, "192": 4327, "1970": 4328, "Especially": 4329, "Seen": 4330, "authors": 4331, "authorized": 4332, "benign": 4333, "denied": 4334, "denial": 4335, "minidump": 4336, "reconnaissance": 4337, "##phone": 4338, "##wards": 4339, "guesses": 4340, "guessing": 4341, "urlcache": 4342, "168": 4343, "Identif": 4344, "NOTE": 4345, "SUDO": 4346, "TCPdump": 4347, "causes": 4348, "osascript": 4349, "still": 4350, "telemet": 4351, "##TROL": 4352, "supported": 4353, "Debian": 4354, "targeted": 4355, "bluekeep": 4356, "UltraVNC": 4357, "Ammy": 4358, "Elevation": 4359, "GoToAss": 4360, "JavaScript": 4361, "PFXCer": 4362, "Support": 4363, "Secrets": 4364, "SPNs": 4365, "TGT": 4366, "Timestomp": 4367, "occur": 4368, "pfx": 4369, "tampering": 4370, "##tasks": 4371, "##config": 4372, "tocopy": 4373, "contact": 4374, "controllers": 4375, "discarded": 4376, "scanning": 4377, "Removes": 4378, "Interface": 4379, "implemented": 4380, "impersonating": 4381, "BloodHound": 4382, "ignore": 4383, "CMSTP": 4384, "Destroyer": 4385, "DISM": 4386, "Epxplorer": 4387, "EDR": 4388, "Fonts": 4389, "FILENAME": 4390, "Gsecdump": 4391, "HVCI": 4392, "However": 4393, "Indirect": 4394, "LANG": 4395, "McA": 4396, "Olympic": 4397, "PuTTY": 4398, "PDQ": 4399, "PCAP": 4400, "PSImage": 4401, "PRELOAD": 4402, "Potentially": 4403, "Qakbot": 4404, "Ryuk": 4405, "RustDesk": 4406, "Spool": 4407, "Stitch": 4408, "XLAM": 4409, "bucket": 4410, "bestarted": 4411, "dupl": 4412, "dubbed": 4413, "latest": 4414, "microphone": 4415, "mavinject": 4416, "ntds": 4417, "pollute": 4418, "schtasks": 4419, "tailor": 4420, "wbadmin": 4421, "xml": 4422, "##ufacturer": 4423, "##Module": 4424, "##PassView": 4425, "##Startup": 4426, "##onymous": 4427, "##enarios": 4428, "instructions": 4429, "##adowstorage": 4430, "Extracting": 4431, "antivirus": 4432, "Registration": 4433, "PowerPoint": 4434, "password123": 4435, "##ipheral": 4436, "##omicsFolder": 4437, "DomainPasswordSpray": 4438, "traffic": 4439, "taskhostw": 4440, "HISTCONTROL": 4441, "infrastructure": 4442, "WebGlobalModule": 4443, "WebBrowserPassView": 4444, "Crafting": 4445, "MSP360": 4446, "individual": 4447, "AlternateShellStartup": 4448, "PathToAtomicsFolder": 4449, "SessionGopher": 4450, "GuardDuty": 4451, "telemetry": 4452, "Ammyy": 4453, "GoToAssist": 4454, "PFXCertificate": 4455, "04": 4456, "18": 4457, "31": 4458, "300": 4459, "339": 4460, "46": 4461, "40": 4462, "444": 4463, "476": 4464, "500": 4465, "600": 4466, "7zip": 4467, "80": 4468, "821": 4469, "90": 4470, "9600": 4471, "Ap": 4472, "Aw": 4473, "Ab": 4474, "AL": 4475, "Action": 4476, "Avo": 4477, "Ass": 4478, "Avoid": 4479, "AES": 4480, "Bron": 4481, "Bitsadmin": 4482, "CU": 4483, "Cb": 4484, "C9": 4485, "Car": 4486, "Caution": 4487, "DO": 4488, "D1": 4489, "DB": 4490, "Dat": 4491, "Dia": 4492, "Direct": 4493, "Dcc": 4494, "DSR": 4495, "Dotnet": 4496, "DLP": 4497, "Double": 4498, "EW": 4499, "Ent": 4500, "Email": 4501, "FA": 4502, "FTP": 4503, "Feat": 4504, "Framework": 4505, "Fodhelper": 4506, "GU": 4507, "GZ": 4508, "Gri": 4509, "Gath": 4510, "GID": 4511, "Ghost": 4512, "Golden": 4513, "Har": 4514, "Home": 4515, "Hive": 4516, "Hardware": 4517, "Io": 4518, "IC": 4519, "Iced": 4520, "IME": 4521, "Ju": 4522, "Jscript": 4523, "Jobs": 4524, "Kin": 4525, "Kill": 4526, "KEY": 4527, "La": 4528, "LS": 4529, "Lin": 4530, "Lit": 4531, "Long": 4532, "Leve": 4533, "Lever": 4534, "Large": 4535, "LUH": 4536, "MF": 4537, "Mic": 4538, "Mir": 4539, "Must": 4540, "Morer": 4541, "Mimi": 4542, "Mcs": 4543, "Magic": 4544, "Nt": 4545, "Nin": 4546, "Node": 4547, "Named": 4548, "NAME": 4549, "Nmap": 4550, "Of": 4551, "Ob": 4552, "Oct": 4553, "Option": 4554, "O365": 4555, "Pn": 4556, "Pe": 4557, "Par": 4558, "Pan": 4559, "Pad": 4560, "Pot": 4561, "Pup": 4562, "Page": 4563, "Pub": 4564, "Public": 4565, "Phishing": 4566, "Queries": 4567, "RE": 4568, "RB": 4569, "Rcl": 4570, "Radmin": 4571, "Rights": 4572, "Recurse": 4573, "Sw": 4574, "SR": 4575, "Sec": 4576, "Sig": 4577, "Sel": 4578, "SAC": 4579, "SID": 4580, "Single": 4581, "Source": 4582, "Sync": 4583, "Seat": 4584, "Sym": 4585, "SUID": 4586, "SEL": 4587, "Smb": 4588, "SDe": 4589, "Scheduler": 4590, "Tin": 4591, "Tou": 4592, "Top": 4593, "Termin": 4594, "TTP": 4595, "Turn": 4596, "TTY": 4597, "Trend": 4598, "TLS": 4599, "UI": 4600, "UUID": 4601, "Umb": 4602, "Unique": 4603, "Ver": 4604, "Var": 4605, "VPN": 4606, "VARI": 4607, "We": 4608, "Wat": 4609, "War": 4610, "Wif": 4611, "WIN": 4612, "WOR": 4613, "Woc": 4614, "WCMD": 4615, "XLM": 4616, "XOR": 4617, "Zip": 4618, "Zone": 4619, "a1": 4620, "aid": 4621, "bt": 4622, "bz": 4623, "bun": 4624, "blo": 4625, "b64": 4626, "bde": 4627, "cp": 4628, "cover": 4629, "card": 4630, "core": 4631, "cpassword": 4632, "dm": 4633, "db": 4634, "ded": 4635, "dro": 4636, "dot": 4637, "dail": 4638, "desk": 4639, "dynamic": 4640, "double": 4641, "el": 4642, "ed": 4643, "eas": 4644, "edit": 4645, "fs": 4646, "fin": 4647, "fac": 4648, "foo": 4649, "fetch": 4650, "folders": 4651, "fodhelper": 4652, "feder": 4653, "gn": 4654, "gz": 4655, "great": 4656, "gcc": 4657, "golden": 4658, "glib": 4659, "hh": 4660, "har": 4661, "had": 4662, "hid": 4663, "hang": 4664, "here": 4665, "hook": 4666, "hypervisor": 4667, "hinder": 4668, "io": 4669, "ic": 4670, "iw": 4671, "jo": 4672, "jse": 4673, "jscript": 4674, "jobs": 4675, "kx": 4676, "kub": 4677, "kmu": 4678, "let": 4679, "lim": 4680, "land": 4681, "lines": 4682, "limited": 4683, "large": 4684, "mat": 4685, "most": 4686, "move": 4687, "mimi": 4688, "memb": 4689, "mshta": 4690, "max": 4691, "magic": 4692, "mounted": 4693, "ng": 4694, "nec": 4695, "now": 4696, "normally": 4697, "nolog": 4698, "our": 4699, "old": 4700, "odd": 4701, "pa": 4702, "pc": 4703, "pk": 4704, "pg": 4705, "pid": 4706, "pcal": 4707, "pyp": 4708, "pdf": 4709, "qual": 4710, "ques": 4711, "rd": 4712, "rf": 4713, "rar": 4714, "rou": 4715, "ransom": 4716, "rather": 4717, "sd": 4718, "sec": 4719, "sent": 4720, "ske": 4721, "saf": 4722, "site": 4723, "smb": 4724, "sbin": 4725, "small": 4726, "tz": 4727, "tun": 4728, "table": 4729, "tables": 4730, "trend": 4731, "takes": 4732, "ud": 4733, "vect": 4734, "virus": 4735, "wa": 4736, "wine": 4737, "wav": 4738, "ways": 4739, "xw": 4740, "xwd": 4741, "##xS": 4742, "##xcl": 4743, "##ping": 4744, "##par": 4745, "##path": 4746, "##press": 4747, "##lish": 4748, "##limited": 4749, "##oC": 4750, "##oted": 4751, "##osoft": 4752, "##ocation": 4753, "##io": 4754, "##ie": 4755, "##ib": 4756, "##ias": 4757, "##iet": 4758, "##ita": 4759, "##iate": 4760, "##ibit": 4761, "##tx": 4762, "##tre": 4763, "##tUtil": 4764, "##ao": 4765, "##a0": 4766, "##ng": 4767, "##nre": 4768, "##nown": 4769, "##nel": 4770, "##nized": 4771, "##nitch": 4772, "##hun": 4773, "##hider": 4774, "##hibit": 4775, "##cing": 4776, "##can": 4777, "##cure": 4778, "##coded": 4779, "##cord": 4780, "##c4f": 4781, "##cope": 4782, "##eys": 4783, "##emote": 4784, "##e35": 4785, "##e28": 4786, "##sor": 4787, "##shell": 4788, "##slock": 4789, "##sensitive": 4790, "##stead": 4791, "##rle": 4792, "##row": 4793, "##raft": 4794, "##db": 4795, "##dia": 4796, "##dinal": 4797, "##vt": 4798, "##vc": 4799, "##vP": 4800, "##vul": 4801, "##vest": 4802, "##vious": 4803, "##kC": 4804, "##king": 4805, "##kurl": 4806, "##uH": 4807, "##uction": 4808, "##ugg": 4809, "##ugger": 4810, "##m4": 4811, "##mor": 4812, "##med": 4813, "##mst": 4814, "##mend": 4815, "##fs": 4816, "##f7": 4817, "##fIn": 4818, "##fix": 4819, "##faults": 4820, "##flags": 4821, "##fee": 4822, "##f38": 4823, "##wB": 4824, "##win": 4825, "##web": 4826, "##wutl": 4827, "##yT": 4828, "##ylib": 4829, "##UM": 4830, "##UT": 4831, "##UAC": 4832, "##URL": 4833, "##Unre": 4834, "##D0": 4835, "##Domain": 4836, "##DNS": 4837, "##Deb": 4838, "##DLP": 4839, "##OUS": 4840, "##by": 4841, "##bon": 4842, "##bers": 4843, "##bel": 4844, "##bour": 4845, "##backup": 4846, "##build": 4847, "##bf38": 4848, "##ja": 4849, "##EO": 4850, "##E9": 4851, "##ESS": 4852, "##MC": 4853, "##Mem": 4854, "##Micro": 4855, "##Mag": 4856, "##Mapping": 4857, "##MOUS": 4858, "##PO": 4859, "##Pip": 4860, "##Priv": 4861, "##Phish": 4862, "##ze": 4863, "##zone": 4864, "##gt": 4865, "##gI": 4866, "##gid": 4867, "##16": 4868, "##17": 4869, "##54": 4870, "##52": 4871, "##4c4f": 4872, "##60": 4873, "##It": 4874, "##IfIn": 4875, "##NT": 4876, "##Note": 4877, "##Name": 4878, "##NSI": 4879, "##NUM": 4880, "##A3": 4881, "##AR": 4882, "##Access": 4883, "##Audit": 4884, "##Agent": 4885, "##SP": 4886, "##SV": 4887, "##Sty": 4888, "##Send": 4889, "##Sync": 4890, "##SxS": 4891, "##Snitch": 4892, "##Scope": 4893, "##Svc": 4894, "##364": 4895, "##3f7": 4896, "##Red": 4897, "##Role": 4898, "##RRE": 4899, "##CD": 4900, "##Cre": 4901, "##Code": 4902, "##Current": 4903, "##Cap": 4904, "##Cron": 4905, "##Thing": 4906, "##GON": 4907, "##GUID": 4908, "##99": 4909, "##98": 4910, "##74": 4911, "##Win": 4912, "##Wri": 4913, "##Will": 4914, "##WOR": 4915, "##WDB": 4916, "##YMOUS": 4917, "##Build": 4918, "##History": 4919, "##Hidden": 4920, "##F1": 4921, "##Fil": 4922, "##File": 4923, "##Finder": 4924, "##Keys": 4925, "##Zagne": 4926, "##ince": 4927, "##inting": 4928, "##info": 4929, "##esg": 4930, "##tex": 4931, "##tie": 4932, "##tial": 4933, "##tical": 4934, "##lla": 4935, "##lls": 4936, "##ecated": 4937, "##ecraft": 4938, "##oration": 4939, "##orrect": 4940, "##omration": 4941, "##ommend": 4942, "##ingServer": 4943, "##reporting": 4944, "##rella": 4945, "exits": 4946, "explic": 4947, "extra": 4948, "wiper": 4949, "##icy": 4950, "##ical": 4951, "##icates": 4952, "##icated": 4953, "##icator": 4954, "##eness": 4955, "##enum": 4956, "##enumeration": 4957, "##enses": 4958, "##ato": 4959, "##ature": 4960, "##attr": 4961, "##atform": 4962, "init": 4963, "inject": 4964, "initi": 4965, "inhibit": 4966, "usr": 4967, "usually": 4968, "##aring": 4969, "##arch": 4970, "##arab": 4971, "##asing": 4972, "##aler": 4973, "##etykatz": 4974, "##essary": 4975, "executables": 4976, "##thold": 4977, "fills": 4978, "##tam": 4979, "##tane": 4980, "##any": 4981, "##ants": 4982, "##ride": 4983, "##ateProcess": 4984, "##odial": 4985, "##cesshider": 4986, "##uling": 4987, "##ultane": 4988, "begin": 4989, "beaconing": 4990, "comm": 4991, "coming": 4992, "comsvcs": 4993, "##estTrust": 4994, "filename": 4995, "fileless": 4996, "##aders": 4997, "##adually": 4998, "##ad364": 4999, "##aces": 5000, "##acent": 5001, "##acted": 5002, "##acls": 5003, "WinSxS": 5004, "##utor": 5005, "lost": 5006, "onto": 5007, "online": 5008, "reve": 5009, "really": 5010, "repo": 5011, "reaching": 5012, "reactivate": 5013, "referen": 5014, "exeuction": 5015, "##olang": 5016, "##olves": 5017, "##iring": 5018, "fork": 5019, "forfiles": 5020, "forcing": 5021, "##plate": 5022, "##plants": 5023, "thing": 5024, "than": 5025, "third": 5026, "throw": 5027, "##umed": 5028, "surv": 5029, "##pond": 5030, "##ponent": 5031, "##ently": 5032, "protected": 5033, "proced": 5034, "profiles": 5035, "##ility": 5036, "##ained": 5037, "Exec": 5038, "Extra": 5039, "##star": 5040, "##stest": 5041, "##status": 5042, "##veigh": 5043, "userenum": 5044, "##imic": 5045, "##imum": 5046, "##imgr": 5047, "ads": 5048, "adid": 5049, "adstest": 5050, "##cky": 5051, "##otes": 5052, "##oting": 5053, "demon": 5054, "detec": 5055, "depr": 5056, "##quest": 5057, "##quoted": 5058, "disabling": 5059, "Refl": 5060, "Reference": 5061, "Reactivate": 5062, "atp": 5063, "itm4": 5064, "organ": 5065, "##urning": 5066, "runner": 5067, "runbook": 5068, "Powercat": 5069, "##chain": 5070, "##chment": 5071, "##ervals": 5072, "enumerates": 5073, "credit": 5074, "Created": 5075, "DiskC": 5076, "activate": 5077, "accord": 5078, "These": 5079, "systemstate": 5080, "##stance": 5081, "##opus": 5082, "##opied": 5083, "scenarios": 5084, "##allpa": 5085, "Usern": 5086, "UsoC": 5087, "starts": 5088, "starting": 5089, "Initi": 5090, "Inher": 5091, "Injects": 5092, "Inser": 5093, "Instrumentation": 5094, "Instead": 5095, "Inveigh": 5096, "Advan": 5097, "##ilege": 5098, "PowerShellUpon": 5099, "successfuly": 5100, "##igate": 5101, "##igest": 5102, "##lyCon": 5103, "##stallable": 5104, "##calation": 5105, "Demand": 5106, "Detec": 5107, "Depend": 5108, "shows": 5109, "shim": 5110, "shown": 5111, "short": 5112, "sharp": 5113, "shutdown": 5114, "sharing": 5115, "Executed": 5116, "##teria": 5117, "cancel": 5118, "Loc": 5119, "Look": 5120, "Location": 5121, "processor": 5122, "##emplate": 5123, "chcp": 5124, "chunks": 5125, "chflags": 5126, "chattr": 5127, "utilis": 5128, "Enforced": 5129, "setgid": 5130, "##usted": 5131, "Comple": 5132, "sekurl": 5133, "##upg": 5134, "scriptlet": 5135, "localhost": 5136, "localectl": 5137, "Anonymous": 5138, "##ageBox": 5139, "macos": 5140, "thenew": 5141, "allocation": 5142, "Shim": 5143, "Shadowstorage": 5144, "##tenz": 5145, "downloadand": 5146, "##rivesc": 5147, "defaults": 5148, "defensive": 5149, "defenses": 5150, "Chown": 5151, "Chmod": 5152, "archive": 5153, "Contrib": 5154, "##bsequent": 5155, "simulation": 5156, "simulated": 5157, "powershellsensitive": 5158, "special": 5159, "conflic": 5160, "GetCurrent": 5161, "contained": 5162, "hostUpon": 5163, "alternative": 5164, "winzip": 5165, "winPE": 5166, "winrar": 5167, "DomainPolicy": 5168, "DomainTrust": 5169, "accessible": 5170, "binPath": 5171, "AddTo": 5172, "unp": 5173, "unable": 5174, "unav": 5175, "##search": 5176, "##ernals": 5177, "##erequisites": 5178, "AzRole": 5179, "trad": 5180, "trace": 5181, "attacking": 5182, "Admins": 5183, "specifice": 5184, "AzureAD": 5185, "##ickbot": 5186, "##icktime": 5187, "ADRecon": 5188, "##ffon": 5189, "##shred": 5190, "##ape": 5191, "##apted": 5192, "##apMC": 5193, "##clt": 5194, "##ruc": 5195, "prefer": 5196, "previous": 5197, "attempting": 5198, "timezone": 5199, "configuring": 5200, "clang": 5201, "cloud": 5202, "prctl": 5203, "printer": 5204, "##ublish": 5205, "encod": 5206, "Commands": 5207, "WMIExec": 5208, "DLLs": 5209, "research": 5210, "admins": 5211, "Logon": 5212, "delegation": 5213, "rootkit": 5214, "modifying": 5215, "##ighbour": 5216, "AtomicRed": 5217, "ability": 5218, "lead": 5219, "left": 5220, "least": 5221, "tarfile": 5222, "targer": 5223, "verbo": 5224, "verified": 5225, "Installed": 5226, "InstallHelper": 5227, "NetSup": 5228, "managing": 5229, "manufacturer": 5230, "LocalApp": 5231, "Processors": 5232, "prompting": 5233, "##ploits": 5234, "shouldn": 5235, "Union": 5236, "Unload": 5237, "Unlimited": 5238, "##points": 5239, "devices": 5240, "Firepwd": 5241, "txtto": 5242, "spawned": 5243, "seeing": 5244, "objects": 5245, "##tificates": 5246, "createdump": 5247, "Downloads": 5248, "Downloaded": 5249, "SecurityProvid": 5250, "Compute": 5251, "Company": 5252, "Autodial": 5253, "pipes": 5254, "interaction": 5255, "##traction": 5256, "Thread": 5257, "decre": 5258, "platform": 5259, "parse": 5260, "passing": 5261, "passhun": 5262, "##achable": 5263, "performed": 5264, "lsm": 5265, "typed": 5266, "typical": 5267, "##ProcDump": 5268, "##ProgI": 5269, "infl": 5270, "infomration": 5271, "configurations": 5272, "Scarab": 5273, "certre": 5274, "neighbour": 5275, "roleAssignment": 5276, "sysmon": 5277, "sysctl": 5278, "##ordump": 5279, "Edition": 5280, "SYSV": 5281, "recog": 5282, "recommend": 5283, "returning": 5284, "##akdia": 5285, "discovering": 5286, "Shared": 5287, "ShareFinder": 5288, "200": 5289, "Shellcode": 5290, "Similar": 5291, "Simultane": 5292, "endpoints": 5293, "included": 5294, "Perl": 5295, "evtx": 5296, "findstr": 5297, "insmod": 5298, "insert": 5299, "needs": 5300, "Redirection": 5301, "textEx": 5302, "##eving": 5303, "lockout": 5304, "Eventlog": 5305, "OpenWith": 5306, "OpenDNS": 5307, "especially": 5308, "##SAdmin": 5309, "product": 5310, "accountsUpon": 5311, "##ypassUAC": 5312, "AllThe": 5313, "Resize": 5314, "kernels": 5315, "renew": 5316, "rename": 5317, "renaming": 5318, "##ONYMOUS": 5319, "docx": 5320, "006": 5321, "Bypasses": 5322, "obscure": 5323, "zeroes": 5324, "##urla": 5325, "shareenumeration": 5326, "targetted": 5327, "SearchScope": 5328, "errorreporting": 5329, "endpointUpon": 5330, "CheckIfIn": 5331, "Privesc": 5332, "SysV": 5333, "SysInt": 5334, "ipconfig": 5335, "restart": 5336, "restoring": 5337, "expect": 5338, "expire": 5339, "expiration": 5340, "screencapture": 5341, "Click": 5342, "Forward": 5343, "ForestTrust": 5344, "RAND": 5345, "subf": 5346, "subnet": 5347, "Regular": 5348, "whois": 5349, "whose": 5350, "ScriptControl": 5351, "zipfile": 5352, "##obfusc": 5353, "assum": 5354, "assign": 5355, "assignment": 5356, "##ProcessEx": 5357, "LDAPSearch": 5358, "LDAPDomain": 5359, "Prerequisites": 5360, "portpro": 5361, "##ggers": 5362, "##uncate": 5363, "forcefully": 5364, "setspn": 5365, "GPOR": 5366, "GlobalF": 5367, "PS4": 5368, "PS3": 5369, "PS2": 5370, "Snaff": 5371, "SnapMC": 5372, "msbuild": 5373, "numbers": 5374, "triggers": 5375, "##lient": 5376, "##like": 5377, "Lockout": 5378, "Lockbit": 5379, "Attacks": 5380, "AutoIt": 5381, "StartupItem": 5382, "customshell": 5383, "good": 5384, "packages": 5385, "party": 5386, "virtualization": 5387, "virtualized": 5388, "property": 5389, "Enabled": 5390, "emptying": 5391, "##fuscated": 5392, "EXTE": 5393, "Tracing": 5394, "Truncate": 5395, "WebRe": 5396, "##ANT": 5397, "therefore": 5398, "Deletion": 5399, "searches": 5400, "leverage": 5401, "T1055": 5402, "T1010": 5403, "Permissions": 5404, "vulnerabilities": 5405, "Crad": 5406, "CHAR": 5407, "Certain": 5408, "ImageMag": 5409, "Online": 5410, "PsSend": 5411, "SMTP": 5412, "TeamViewer": 5413, "Teamviewer": 5414, "features": 5415, "immed": 5416, "implants": 5417, "##ntity": 5418, "reads": 5419, "spoolvul": 5420, "NTDSUtil": 5421, "argumentsWill": 5422, "ScheduledTask": 5423, "Successfully": 5424, "Hostname": 5425, "LOTR": 5426, "LOGON": 5427, "MSOL": 5428, "MS17": 5429, "MSBuild": 5430, "guid": 5431, "helps": 5432, "indicate": 5433, "indicator": 5434, "imported": 5435, "posting": 5436, "steps": 5437, "##eps": 5438, "##reset": 5439, "##respond": 5440, "##times": 5441, "chmods": 5442, "Sharpup": 5443, "Sharpweb": 5444, "collectionto": 5445, "escalating": 5446, "Archive": 5447, "Afterwards": 5448, "Staging": 5449, "USE": 5450, "established": 5451, "##pair": 5452, "##Instance": 5453, "##3339": 5454, "chowns": 5455, "variant": 5456, "LoginItem": 5457, "T1136": 5458, "T1564": 5459, "T1560": 5460, "T1574": 5461, "Cmdlets": 5462, "Darkside": 5463, "Evil": 5464, "Grant": 5465, "Granting": 5466, "INF": 5467, "Impacket": 5468, "Imperson": 5469, "Safetykatz": 5470, "achieve": 5471, "correct": 5472, "correspond": 5473, "idle": 5474, "lastlog": 5475, "##5550": 5476, "procdump": 5477, "procfs": 5478, "ensure": 5479, "ensuring": 5480, "ens33": 5481, "Streams": 5482, "Configure": 5483, "unless": 5484, "unlimited": 5485, "encrypts": 5486, "Compiled": 5487, "Overwrites": 5488, "WerFaultSvc": 5489, "Auditing": 5490, "Restric": 5491, "capabilities": 5492, "granted": 5493, "gradually": 5494, "pushed": 5495, "saved": 5496, "symmet": 5497, "symlink": 5498, "term": 5499, "terms": 5500, "##nesses": 5501, "excluding": 5502, "registering": 5503, "consent": 5504, "consumed": 5505, "##strates": 5506, "##sociation": 5507, "requesting": 5508, "handles": 5509, "handler": 5510, "decodes": 5511, "Appends": 5512, "listener": 5513, "Hashcat": 5514, "BITSAdmin": 5515, "CimInstance": 5516, "DllUnre": 5517, "PUT": 5518, "Prevent": 5519, "Preference": 5520, "Recovery": 5521, "Recycle": 5522, "Recently": 5523, "SilentlyCon": 5524, "SilentProcessEx": 5525, "downgrade": 5526, "hex": 5527, "hello": 5528, "headers": 5529, "meet": 5530, "##rics": 5531, "extracts": 5532, "WindowSty": 5533, "stopped": 5534, "stopping": 5535, "powerhell": 5536, "ShowUI": 5537, "Containers": 5538, "transacted": 5539, "administrators": 5540, "Filtered": 5541, "recently": 5542, "recorded": 5543, "Spawns": 5544, "Privilege": 5545, "GPOAudit": 5546, "triggering": 5547, "##ganographic": 5548, "11D0": 5549, "64bit": 5550, "Escalation": 5551, "MonitorProcess": 5552, "SeDeb": 5553, "Writes": 5554, "benef": 5555, "badpwd": 5556, "minutes": 5557, "pods": 5558, "##phine": 5559, "##nnnn": 5560, "##nsdump": 5561, "##nscan": 5562, "##40600": 5563, "##titPo": 5564, "replication": 5565, "replacing": 5566, "subsequent": 5567, "DomainGPO": 5568, "unreachable": 5569, "uncompress": 5570, "builtins": 5571, "SysinternalsProcDump": 5572, "removes": 5573, "removed": 5574, "suspiciousness": 5575, "possibil": 5576, "1638": 5577, "Authorization": 5578, "Before": 5579, "Beaconing": 5580, "Identity": 5581, "NOT": 5582, "SUCC": 5583, "WDigest": 5584, "csc": 5585, "member": 5586, "osk": 5587, "quiet": 5588, "quotes": 5589, "sticky": 5590, "tell": 5591, "terminate": 5592, "terminates": 5593, "##processhider": 5594, "##saver": 5595, "##PEntity": 5596, "##AppvP": 5597, "##mapexec": 5598, "Debugger": 5599, "spraying": 5600, "AntiPhish": 5601, "unlocked": 5602, "manipulated": 5603, "Specify": 5604, "appending": 5605, "retrieving": 5606, "retrieval": 5607, "GPPPassword": 5608, "UltraViewer": 5609, "0x4c4f": 5610, "0x5550": 5611, "CPU": 5612, "DDE": 5613, "DCSh": 5614, "Mini": 5615, "Minidump": 5616, "OSTap": 5617, "OSTAP": 5618, "Player": 5619, "Plugg": 5620, "Steganographic": 5621, "What": 5622, "WmiObject": 5623, "Wevtutil": 5624, "WevtUtil": 5625, "better": 5626, "betwe": 5627, "critical": 5628, "criteria": 5629, "closed": 5630, "kittie": 5631, "kittenz": 5632, "monitoring": 5633, "popup": 5634, "signal": 5635, "vmx": 5636, "wsf": 5637, "wsreset": 5638, "xlsm": 5639, "increase": 5640, "incorrect": 5641, "invocation": 5642, "invoking": 5643, "Extensions": 5644, "detectedby": 5645, "Device": 5646, "##checks": 5647, "win32times": 5648, "disabledin": 5649, "crontab": 5650, "crontabs": 5651, "generaldomain": 5652, "crafts": 5653, "stealth": 5654, "T1546": 5655, "T1547": 5656, "GeneralRecon": 5657, "subscriptions": 5658, "DomainGroupMem": 5659, "MachineGUID": 5660, "Retrieve": 5661, "Retrieving": 5662, "LegalNoticeText": 5663, "LegalNoticeCap": 5664, "011": 5665, "Association": 5666, "ANONYMOUS": 5667, "ART": 5668, "Butter": 5669, "Catalog": 5670, "DirList": 5671, "Hooks": 5672, "IsHidden": 5673, "IFEO": 5674, "MessageBox": 5675, "PPAM": 5676, "Quicktime": 5677, "Rename": 5678, "Tarball": 5679, "api": 5680, "ccmst": 5681, "dropper": 5682, "effectiv": 5683, "fruit": 5684, "krbt": 5685, "lnk": 5686, "missing": 5687, "metrics": 5688, "persist": 5689, "title": 5690, "##tleSnitch": 5691, "##tinue": 5692, "##nprivesc": 5693, "##ugPriv": 5694, "##fulshred": 5695, "##Defaults": 5696, "##Enum": 5697, "##Prn": 5698, "##56ad364": 5699, "##5821": 5700, "##Load": 5701, "topic": 5702, "intervals": 5703, "involves": 5704, "inactive": 5705, "revert": 5706, "Expected": 5707, "Powersploits": 5708, "ComputerDefaults": 5709, "Attaches": 5710, "kextload": 5711, "Storage": 5712, "unattend": 5713, "libprocesshider": 5714, "scheduling": 5715, "authenticate": 5716, "recei": 5717, "##Execution": 5718, "Headless": 5719, "Embedding": 5720, "crackmapexec": 5721, "##553540600": 5722, "considered": 5723, "Identifier": 5724, "McAfee": 5725, "Spooler": 5726, "buckets": 5727, "duplicate": 5728, "180": 5729, "31bf38": 5730, "3000": 5731, "3390": 5732, "444553540600": 5733, "4769": 5734, "821E": 5735, "Apple": 5736, "Awfulshred": 5737, "ALNUM": 5738, "Avoslock": 5739, "Assis": 5740, "Bronze": 5741, "CURRE": 5742, "C9E9": 5743, "Carbon": 5744, "D1F1": 5745, "Datacent": 5746, "Diamor": 5747, "DccwB": 5748, "DSRM": 5749, "Dotnetsearch": 5750, "EWM": 5751, "Features": 5752, "GUP": 5753, "GZip": 5754, "Griffon": 5755, "Gathers": 5756, "IoT": 5757, "ICMP": 5758, "IcedID": 5759, "IMEWDB": 5760, "Juicy": 5761, "Kinsing": 5762, "LaZagne": 5763, "LSM": 5764, "LinEnum": 5765, "LittleSnitch": 5766, "Level": 5767, "Leverage": 5768, "LUHN": 5769, "MFA": 5770, "Micosoft": 5771, "Mirror": 5772, "Morerecon": 5773, "Mimik": 5774, "Ninja": 5775, "NamedPip": 5776, "Obfuscated": 5777, "Octopus": 5778, "PnPEntity": 5779, "PetitPo": 5780, "Parses": 5781, "Potato": 5782, "Pupy": 5783, "PubPrn": 5784, "RBCD": 5785, "Rclone": 5786, "SecEdit": 5787, "Sigma": 5788, "Select": 5789, "SACL": 5790, "SyncAppvP": 5791, "Seatbel": 5792, "SELinux": 5793, "SmbMapping": 5794, "SDelete": 5795, "TinyT": 5796, "Touching": 5797, "Topic": 5798, "TrendMicro": 5799, "Umbrella": 5800, "Verify": 5801, "VARIANT": 5802, "Watson": 5803, "Warning": 5804, "Wifi": 5805, "WINWOR": 5806, "WORK": 5807, "Wocao": 5808, "WCMDump": 5809, "a13f7": 5810, "bz2": 5811, "bunch": 5812, "blob": 5813, "covert": 5814, "dmesg": 5815, "dedicated": 5816, "dotm": 5817, "daily": 5818, "fsutil": 5819, "finite": 5820, "facil": 5821, "foothold": 5822, "federated": 5823, "gnupg": 5824, "glibc": 5825, "iwr": 5826, "joined": 5827, "kxwn": 5828, "kubectl": 5829, "kmutil": 5830, "lets": 5831, "members": 5832, "maximum": 5833, "ngrok": 5834, "necessary": 5835, "nologin": 5836, "pcwutl": 5837, "pkill": 5838, "pcalua": 5839, "pypykatz": 5840, "quality": 5841, "question": 5842, "rdrle": 5843, "route": 5844, "sdclt": 5845, "secedit": 5846, "skel": 5847, "smbstatus": 5848, "tunnel": 5849, "udp": 5850, "vectors": 5851, "waiting": 5852, "winevt": 5853, "xwud": 5854, "##xcli": 5855, "##iately": 5856, "##a050": 5857, "##emoteAccess": 5858, "##e283339": 5859, "##DLPAgent": 5860, "##5452": 5861, "##NSION": 5862, "##A340": 5863, "##Cronj": 5864, "##Things": 5865, "##Write": 5866, "##HistoryHandler": 5867, "initial": 5868, "inhibiting": 5869, "begins": 5870, "reveals": 5871, "referenced": 5872, "survive": 5873, "procedure": 5874, "##imgrab": 5875, "adidnsdump": 5876, "demonstrates": 5877, "deprecated": 5878, "Reflectively": 5879, "itm4nprivesc": 5880, "organization": 5881, "DiskCleanup": 5882, "according": 5883, "systemstatebackup": 5884, "##allpaper": 5885, "UsoClient": 5886, "Initiating": 5887, "Inherit": 5888, "Inserts": 5889, "Advanced": 5890, "Depending": 5891, "sharpview": 5892, "Completed": 5893, "sekurlsa": 5894, "Contributor": 5895, "conflict": 5896, "winPEAS": 5897, "AddToHistoryHandler": 5898, "unavailable": 5899, "AzRoleAssignment": 5900, "previously": 5901, "cloudTrail": 5902, "printercheck": 5903, "##ublishingServer": 5904, "NetSupport": 5905, "LocalAppData": 5906, "SecurityProviders": 5907, "AutodialDLL": 5908, "platforms": 5909, "passhunt": 5910, "##ProgIds": 5911, "certreq": 5912, "roleAssignments": 5913, "SYSVOL": 5914, "recognized": 5915, "##akdiag": 5916, "Simultaneous": 5917, "textExtraction": 5918, "OpenWithProgIds": 5919, "AllTheThings": 5920, "errorreportingfaults": 5921, "CheckIfInstallable": 5922, "SysInternals": 5923, "RANDOM": 5924, "LDAPDomainDump": 5925, "portproxy": 5926, "GPORemoteAccess": 5927, "Snaffler": 5928, "StartupItems": 5929, "customshellhost": 5930, "EXTENSION": 5931, "WebRequest": 5932, "CHARS": 5933, "ImageMagick": 5934, "PsSendKeys": 5935, "immediately": 5936, "spoolvulnscan": 5937, "MSOLSpray": 5938, "Impersonation": 5939, "Restricted": 5940, "symmetric": 5941, "termsrv": 5942, "DllUnregisterServer": 5943, "SilentlyContinue": 5944, "SilentProcessExit": 5945, "WindowStyle": 5946, "SeDebugPriv": 5947, "benefiting": 5948, "badpwdcount": 5949, "possibilities": 5950, "16384": 5951, "SUCCESS": 5952, "AntiPhishRule": 5953, "0x4c4f5452": 5954, "0x55505821": 5955, "DCShadow": 5956, "Pluggable": 5957, "between": 5958, "generaldomaininfo": 5959, "DomainGroupMember": 5960, "LegalNoticeCaption": 5961, "DirLister": 5962, "ccmstp": 5963, "effectiveness": 5964, "krbtgt": 5965, "##56ad364e35": 5966, "McAfeeDLPAgent": 5967, "31bf3856ad364e35": 5968, "Avoslocker": 5969, "CURRENT": 5970, "C9E9A340": 5971, "Datacenter": 5972, "Diamorphine": 5973, "DccwBypassUAC": 5974, "IMEWDBLD": 5975, "NamedPipe": 5976, "PetitPotam": 5977, "SyncAppvPublishingServer": 5978, "Seatbelt": 5979, "TinyTurla": 5980, "WINWORD": 5981, "a13f7e283339": 5982, "rdrleakdiag": 5983, "GPORemoteAccessPolicy": 5984, "SeDebugPrivilege": 5985, "McAfeeDLPAgentService": 5986, "a13f7e283339a050": 5987, "0D": 5988, "0E": 5989, "05": 5990, "06": 5991, "0A": 5992, "03": 5993, "02": 5994, "0C": 5995, "09": 5996, "08": 5997, "07": 5998, "0B": 5999, "0F": 6000, "12": 6001, "26": 6002, "23": 6003, "2is": 6004, "2nd": 6005, "4E": 6006, "47": 6007, "5M": 6008, "54": 6009, "53": 6010, "52": 6011, "60": 6012, "65535": 6013, "999": 6014, "Av": 6015, "AC": 6016, "Appl": 6017, "ALL": 6018, "Auth": 6019, "Agent": 6020, "AUT": 6021, "Astar": 6022, "Ba": 6023, "Boot": 6024, "Buil": 6025, "Bund": 6026, "BLI": 6027, "Batch": 6028, "Botnet": 6029, "Build": 6030, "CD": 6031, "CI": 6032, "CC": 6033, "CV": 6034, "Cle": 6035, "Count": 6036, "Cook": 6037, "CLS": 6038, "Copied": 6039, "DY": 6040, "Date": 6041, "Dot": 6042, "Down": 6043, "DOS": 6044, "Due": 6045, "Dok": 6046, "DATA": 6047, "Dylib": 6048, "Eu": 6049, "EI": 6050, "EB": 6051, "End": 6052, "Ether": 6053, "Emp": 6054, "Echo": 6055, "Each": 6056, "Establ": 6057, "Fr": 6058, "FL": 6059, "Fin": 6060, "Fav": 6061, "FIN": 6062, "Fetch": 6063, "Feder": 6064, "Git": 6065, "Gam": 6066, "Grou": 6067, "GET": 6068, "Give": 6069, "GUID": 6070, "Goz": 6071, "Github": 6072, "Gpg": 6073, "Golang": 6074, "Here": 6075, "Hence": 6076, "HuH": 6077, "IV": 6078, "Ify": 6079, "INS": 6080, "Kle": 6081, "Kal": 6082, "Kit": 6083, "Kir": 6084, "Kext": 6085, "Known": 6086, "LE": 6087, "LI": 6088, "Less": 6089, "Lim": 6090, "LLM": 6091, "Light": 6092, "Lsa": 6093, "Lower": 6094, "Me": 6095, "Med": 6096, "Mat": 6097, "Met": 6098, "Main": 6099, "Mig": 6100, "Mount": 6101, "Mock": 6102, "Masquerade": 6103, "Makes": 6104, "M365": 6105, "Mounted": 6106, "Mimic": 6107, "NU": 6108, "NM": 6109, "Num": 6110, "Nix": 6111, "Ncat": 6112, "Nslookup": 6113, "Nimgrab": 6114, "OU": 6115, "OO": 6116, "OI": 6117, "Other": 6118, "OSA": 6119, "Odb": 6120, "Po": 6121, "Ph": 6122, "PE": 6123, "PT": 6124, "Pat": 6125, "Pers": 6126, "Pod": 6127, "Post": 6128, "Patching": 6129, "Paramet": 6130, "Qbot": 6131, "Rt": 6132, "RU": 6133, "Rar": 6134, "Rule": 6135, "RAM": 6136, "Ransom": 6137, "Right": 6138, "RPR": 6139, "Sa": 6140, "SI": 6141, "SA": 6142, "SQ": 6143, "ST": 6144, "SH": 6145, "Ser": 6146, "Sod": 6147, "Sol": 6148, "Say": 6149, "Str": 6150, "Section": 6151, "Sub": 6152, "Size": 6153, "SET": 6154, "Some": 6155, "Smu": 6156, "Secure": 6157, "SNK": 6158, "Small": 6159, "SSP": 6160, "Since": 6161, "Tw": 6162, "TA": 6163, "TT": 6164, "Ter": 6165, "Tri": 6166, "Tech": 6167, "Tree": 6168, "Tail": 6169, "Typ": 6170, "Text": 6171, "Tshark": 6172, "T50": 6173, "Telnet": 6174, "Takes": 6175, "TMP": 6176, "TCC": 6177, "Template": 6178, "Upen": 6179, "Upload": 6180, "Van": 6181, "VMD": 6182, "Wann": 6183, "WER": 6184, "Worm": 6185, "WSR": 6186, "Wallpaper": 6187, "Xcl": 6188, "XIn": 6189, "Xordump": 6190, "Yes": 6191, "ZI": 6192, "ak": 6193, "aure": 6194, "aware": 6195, "aud": 6196, "atack": 6197, "appl": 6198, "amon": 6199, "agr": 6200, "ble": 6201, "bro": 6202, "bri": 6203, "bot": 6204, "blog": 6205, "bund": 6206, "bits": 6207, "brit": 6208, "co": 6209, "cd": 6210, "car": 6211, "care": 6212, "cab": 6213, "cour": 6214, "crypt": 6215, "clock": 6216, "csv": 6217, "clean": 6218, "cookies": 6219, "catching": 6220, "cacls": 6221, "copied": 6222, "cruc": 6223, "dic": 6224, "date": 6225, "dum": 6226, "did": 6227, "desc": 6228, "days": 6229, "dynam": 6230, "dns": 6231, "description": 6232, "dylib": 6233, "ea": 6234, "eg": 6235, "equ": 6236, "ess": 6237, "effect": 6238, "fl": 6239, "ft": 6240, "fr": 6241, "fre": 6242, "fal": 6243, "fault": 6244, "four": 6245, "fully": 6246, "fake": 6247, "fron": 6248, "fact": 6249, "faster": 6250, "falcon": 6251, "foc": 6252, "feed": 6253, "gec": 6254, "gpp": 6255, "gap": 6256, "gone": 6257, "google": 6258, "gci": 6259, "golang": 6260, "hl": 6261, "hun": 6262, "hot": 6263, "hour": 6264, "hard": 6265, "hap": 6266, "hos": 6267, "helper": 6268, "hardware": 6269, "ir": 6270, "ill": 6271, "identi": 6272, "iore": 6273, "icon": 6274, "js": 6275, "jav": 6276, "jpg": 6277, "json": 6278, "ku": 6279, "less": 6280, "layer": 6281, "ma": 6282, "mk": 6283, "mm": 6284, "my": 6285, "m4": 6286, "mon": 6287, "mass": 6288, "mst": 6289, "mount": 6290, "minu": 6291, "mous": 6292, "mask": 6293, "msi": 6294, "mill": 6295, "made": 6296, "match": 6297, "mimic": 6298, "nom": 6299, "nop": 6300, "nav": 6301, "near": 6302, "nested": 6303, "nmap": 6304, "naming": 6305, "nnnnn": 6306, "nimgrab": 6307, "op": 6308, "ok": 6309, "ou": 6310, "ole": 6311, "opt": 6312, "opp": 6313, "option": 6314, "pp": 6315, "ph": 6316, "pw": 6317, "p7": 6318, "pan": 6319, "pure": 6320, "psh": 6321, "pher": 6322, "paging": 6323, "pix": 6324, "p12": 6325, "patching": 6326, "portable": 6327, "pee": 6328, "please": 6329, "pnp": 6330, "pua": 6331, "phishing": 6332, "png": 6333, "que": 6334, "quer": 6335, "rt": 6336, "ris": 6337, "radmin": 6338, "rundll": 6339, "right": 6340, "rob": 6341, "recurse": 6342, "si": 6343, "sn": 6344, "she": 6345, "som": 6346, "sed": 6347, "sit": 6348, "sol": 6349, "spl": 6350, "sect": 6351, "sound": 6352, "side": 6353, "sync": 6354, "says": 6355, "silent": 6356, "solution": 6357, "since": 6358, "t1": 6359, "tes": 6360, "tac": 6361, "tak": 6362, "tested": 6363, "t10": 6364, "template": 6365, "unt": 6366, "unique": 6367, "vb": 6368, "v1": 6369, "v5": 6370, "v4": 6371, "vS": 6372, "v2": 6373, "v9": 6374, "vir": 6375, "vmd": 6376, "volum": 6377, "wt": 6378, "w64": 6379, "wget": 6380, "wallpaper": 6381, "xC": 6382, "xordump": 6383, "ypp": 6384, "zon": 6385, "zone": 6386, "ëR": 6387, "##xies": 6388, "##x64": 6389, "##xcs": 6390, "##pe": 6391, "##pow": 6392, "##pare": 6393, "##pile": 6394, "##pection": 6395, "##pres": 6396, "##parent": 6397, "##phish": 6398, "##low": 6399, "##lip": 6400, "##language": 6401, "##last": 6402, "##lCre": 6403, "##lecraft": 6404, "##oH": 6405, "##oin": 6406, "##overs": 6407, "##oCon": 6408, "##oast": 6409, "##ojacking": 6410, "##oami": 6411, "##o28": 6412, "##iy": 6413, "##iest": 6414, "##item": 6415, "##itation": 6416, "##ibl": 6417, "##iks": 6418, "##iMethod": 6419, "##tn": 6420, "##tom": 6421, "##ters": 6422, "##tch": 6423, "##tree": 6424, "##tWin": 6425, "##ae": 6426, "##aw": 6427, "##a1": 6428, "##a6": 6429, "##aC": 6430, "##ati": 6431, "##ama": 6432, "##air": 6433, "##aire": 6434, "##application": 6435, "##author": 6436, "##autions": 6437, "##aLoad": 6438, "##nl": 6439, "##nS": 6440, "##nes": 6441, "##nig": 6442, "##nolog": 6443, "##hl": 6444, "##hc": 6445, "##hat": 6446, "##hind": 6447, "##hand": 6448, "##hound": 6449, "##cy": 6450, "##c7": 6451, "##ccount": 6452, "##cting": 6453, "##come": 6454, "##curl": 6455, "##cookies": 6456, "##casing": 6457, "##cape": 6458, "##ek": 6459, "##e7": 6460, "##eal": 6461, "##ely": 6462, "##eged": 6463, "##eak": 6464, "##sc": 6465, "##su": 6466, "##sw": 6467, "##sP": 6468, "##sS": 6469, "##she": 6470, "##sic": 6471, "##sit": 6472, "##service": 6473, "##sity": 6474, "##sage": 6475, "##sues": 6476, "##ra": 6477, "##rg": 6478, "##rate": 6479, "##rve": 6480, "##rup": 6481, "##rase": 6482, "##raries": 6483, "##rans": 6484, "##rays": 6485, "##rarily": 6486, "##dg": 6487, "##d8": 6488, "##dec": 6489, "##dam": 6490, "##dated": 6491, "##dps": 6492, "##daemon": 6493, "##dapted": 6494, "##v6": 6495, "##vil": 6496, "##vable": 6497, "##vtutil": 6498, "##ko": 6499, "##known": 6500, "##uas": 6501, "##upt": 6502, "##uation": 6503, "##uch": 6504, "##uable": 6505, "##uard": 6506, "##uence": 6507, "##uching": 6508, "##uement": 6509, "##me": 6510, "##men": 6511, "##mask": 6512, "##mlog": 6513, "##memory": 6514, "##mits": 6515, "##mService": 6516, "##mxcs": 6517, "##f0": 6518, "##f9": 6519, "##f8": 6520, "##fic": 6521, "##fies": 6522, "##fven": 6523, "##f50": 6524, "##f65": 6525, "##wz": 6526, "##wre": 6527, "##was": 6528, "##will": 6529, "##wise": 6530, "##qj": 6531, "##ye": 6532, "##yQ": 6533, "##yle": 6534, "##UA": 6535, "##Dll": 6536, "##Dis": 6537, "##Directory": 6538, "##Desktop": 6539, "##Daemon": 6540, "##OP": 6541, "##OW": 6542, "##OnS": 6543, "##be": 6544, "##b0": 6545, "##bar": 6546, "##back": 6547, "##boo": 6548, "##buil": 6549, "##b33": 6550, "##bug": 6551, "##brok": 6552, "##braries": 6553, "##jor": 6554, "##jectiv": 6555, "##EX": 6556, "##Eye": 6557, "##MA": 6558, "##Min": 6559, "##Mess": 6560, "##Man": 6561, "##Mode": 6562, "##Memory": 6563, "##Maf": 6564, "##Ptr": 6565, "##Payload": 6566, "##zagne": 6567, "##zaLoad": 6568, "##gor": 6569, "##gre": 6570, "##gate": 6571, "##gst": 6572, "##gated": 6573, "##gment": 6574, "##group": 6575, "##geth": 6576, "##gument": 6577, "##global": 6578, "##gwre": 6579, "##11": 6580, "##15": 6581, "##5ct": 6582, "##5b0": 6583, "##4win": 6584, "##4Win": 6585, "##68": 6586, "##635": 6587, "##6This": 6588, "##IO": 6589, "##Identi": 6590, "##Image": 6591, "##ION": 6592, "##LB": 6593, "##LSA": 6594, "##Light": 6595, "##LUA": 6596, "##NR": 6597, "##Net": 6598, "##Names": 6599, "##Night": 6600, "##Need": 6601, "##An": 6602, "##Aut": 6603, "##Action": 6604, "##Application": 6605, "##AID": 6606, "##After": 6607, "##AUT": 6608, "##Arg": 6609, "##Adapted": 6610, "##Ste": 6611, "##Sen": 6612, "##Session": 6613, "##SAM": 6614, "##Secre": 6615, "##SUID": 6616, "##Sock": 6617, "##Scheduler": 6618, "##30": 6619, "##3ab": 6620, "##3bt": 6621, "##Rem": 6622, "##Root": 6623, "##RUS": 6624, "##RARI": 6625, "##Roast": 6626, "##RAID": 6627, "##0m": 6628, "##0A": 6629, "##040": 6630, "##068": 6631, "##2DLL": 6632, "##2a6": 6633, "##Count": 6634, "##Check": 6635, "##Cookies": 6636, "##Caution": 6637, "##Query": 6638, "##Tem": 6639, "##Tech": 6640, "##Typ": 6641, "##Tok": 6642, "##Team": 6643, "##TCP": 6644, "##Tries": 6645, "##Gog": 6646, "##GIT": 6647, "##Guard": 6648, "##G4Win": 6649, "##81": 6650, "##83": 6651, "##800": 6652, "##822": 6653, "##82a6": 6654, "##7f50": 6655, "##75b0": 6656, "##Word": 6657, "##WARE": 6658, "##WOW": 6659, "##You": 6660, "##BE": 6661, "##Bas": 6662, "##BLI": 6663, "##Blast": 6664, "##BRARI": 6665, "##HK": 6666, "##Hat": 6667, "##Har": 6668, "##Host": 6669, "##Hub": 6670, "##Hook": 6671, "##HOR": 6672, "##Func": 6673, "##V2": 6674, "##Virtual": 6675, "##X82a6": 6676, "##Ks": 6677, "##Kit": 6678, "##Kext": 6679, "##erce": 6680, "##erting": 6681, "##erts": 6682, "##erpr": 6683, "##erDe": 6684, "##erGog": 6685, "##inted": 6686, "##inated": 6687, "##inten": 6688, "##inok": 6689, "##hem": 6690, "##eset": 6691, "##escript": 6692, "##estation": 6693, "##onf": 6694, "##oned": 6695, "##tell": 6696, "##temand": 6697, "##team": 6698, "##tely": 6699, "##teull": 6700, "##tient": 6701, "##tise": 6702, "thelanguage": 6703, "##ecot": 6704, "##ectivity": 6705, "##ecautions": 6706, "##orate": 6707, "##orting": 6708, "##orrelate": 6709, "##orites": 6710, "##isecond": 6711, "##ishes": 6712, "##isoning": 6713, "##letes": 6714, "##nding": 6715, "##ndpoint": 6716, "tota": 6717, "touching": 6718, "togeth": 6719, "##omation": 6720, "##registry": 6721, "##revers": 6722, "##report": 6723, "expl": 6724, "exil": 6725, "experience": 6726, "##tional": 6727, "##tionary": 6728, "##owRun": 6729, "wild": 6730, "##edom": 6731, "##edup": 6732, "##icing": 6733, "##icit": 6734, "##icient": 6735, "##icbot": 6736, "##enes": 6737, "##enab": 6738, "##encode": 6739, "##ential": 6740, "##ency": 6741, "##ensic": 6742, "##atched": 6743, "##atra": 6744, "ini": 6745, "ing": 6746, "intro": 6747, "inline": 6748, "inher": 6749, "inthe": 6750, "instrumentation": 6751, "intial": 6752, "inbuil": 6753, "intell": 6754, "usnig": 6755, "##ecuted": 6756, "##arue": 6757, "##arial": 6758, "##arigate": 6759, "##artely": 6760, "##asm": 6761, "##asure": 6762, "##asplo": 6763, "##asures": 6764, "##asive": 6765, "##asedup": 6766, "##alth": 6767, "##alys": 6768, "##alid": 6769, "##also": 6770, "##along": 6771, "##ety": 6772, "##thing": 6773, "##that": 6774, "##thly": 6775, "fix": 6776, "##tand": 6777, "##tant": 6778, "##tapp": 6779, "##tached": 6780, "##tagent": 6781, "##tachment": 6782, "##erstand": 6783, "##ank": 6784, "willbe": 6785, "##riare": 6786, "##mare": 6787, "##maccount": 6788, "ofsoft": 6789, "ofsu": 6790, "##ateFile": 6791, "##ulting": 6792, "begr": 6793, "beused": 6794, "below": 6795, "behind": 6796, "combo": 6797, "component": 6798, "withthe": 6799, "##ests": 6800, "##estine": 6801, "fileSet": 6802, "fileTries": 6803, "##ists": 6804, "##add": 6805, "##acting": 6806, "##acts": 6807, "##active": 6808, "##acb33": 6809, "##actise": 6810, "WinDef": 6811, "WinWord": 6812, "loot": 6813, "loose": 6814, "iso": 6815, "isn": 6816, "issues": 6817, "isalso": 6818, "##temp": 6819, "##tement": 6820, "##pthem": 6821, "req": 6822, "relo": 6823, "rely": 6824, "revers": 6825, "reach": 6826, "relev": 6827, "reporting": 6828, "repair": 6829, "repres": 6830, "reboo": 6831, "exeNote": 6832, "exeAdapted": 6833, "exeYou": 6834, "executiona": 6835, "executions": 6836, "executionther": 6837, "##itly": 6838, "##itating": 6839, "##itImage": 6840, "##ayed": 6841, "Thisis": 6842, "Thistest": 6843, "forge": 6844, "forward": 6845, "forensic": 6846, "##vert": 6847, "##iable": 6848, "##ples": 6849, "##plished": 6850, "three": 6851, "thread": 6852, "testA": 6853, "##umented": 6854, "##rome": 6855, "sure": 6856, "suit": 6857, "super": 6858, "suppl": 6859, "suff": 6860, "sugg": 6861, "suite": 6862, "surve": 6863, "##entries": 6864, "profil": 6865, "progr": 6866, "protect": 6867, "commandline": 6868, "commandlet": 6869, "##losed": 6870, "WindowsIdenti": 6871, "WindowsSen": 6872, "Windowsregistry": 6873, "condu": 6874, "connect": 6875, "conven": 6876, "continu": 6877, "##iling": 6878, "##ilie": 6879, "Explo": 6880, "Extend": 6881, "##iffing": 6882, "anonymous": 6883, "answ": 6884, "analys": 6885, "Powel": 6886, "userdaemon": 6887, "useradd": 6888, "##importing": 6889, "byimporting": 6890, "adapt": 6891, "deobfusc": 6892, "debug": 6893, "##cept": 6894, "##ryout": 6895, "##quire": 6896, "thatart": 6897, "thatthe": 6898, "thatmemory": 6899, "Real": 6900, "Reload": 6901, "Replic": 6902, "Repair": 6903, "atr": 6904, "attached": 6905, "ordinal": 6906, "##urrup": 6907, "runtime": 6908, "PowerDump": 6909, "asc": 6910, "asingle": 6911, "##chk": 6912, "##child": 6913, "logic": 6914, "loghost": 6915, "logman": 6916, "enumer": 6917, "enforce": 6918, "enforced": 6919, "en0A": 6920, "Disall": 6921, "Disabling": 6922, "act": 6923, "actu": 6924, "actual": 6925, "accom": 6926, "acquire": 6927, "##standard": 6928, "##opatra": 6929, "scr": 6930, "scope": 6931, "scenes": 6932, "##ftRAID": 6933, "successfull": 6934, "##ared": 6935, "stru": 6936, "stmxcs": 6937, "##ableNo": 6938, "Invent": 6939, "Invo": 6940, "Includ": 6941, "Adapted": 6942, "PowerShelland": 6943, "PowerShellMaf": 6944, "model": 6945, "modern": 6946, "successfulport": 6947, "thisole": 6948, "thiswe": 6949, "##igence": 6950, "Deli": 6951, "Deobfusc": 6952, "shadowstorage": 6953, "shape": 6954, "##overable": 6955, "##terfw": 6956, "##solete": 6957, "displaying": 6958, "spread": 6959, "spoofing": 6960, "speed": 6961, "spaces": 6962, "while": 6963, "whole": 6964, "##acking": 6965, "processed": 6966, "processwith": 6967, "##emble": 6968, "##ipment": 6969, "##iprv": 6970, "chain": 6971, "chsh": 6972, "chos": 6973, "chrome": 6974, "Systems": 6975, "Systemas": 6976, "SystemRoot": 6977, "##ostart": 6978, "Enables": 6979, "accountThis": 6980, "sethc": 6981, "newer": 6982, "newly": 6983, "##ush": 6984, "##user": 6985, "##using": 6986, "##tains": 6987, "##tainer": 6988, "##ously": 6989, "adversely": 6990, "adversarial": 6991, "displayedalong": 6992, "Profile": 6993, "Proxies": 6994, "serviceab": 6995, "Comadmin": 6996, "Communication": 6997, "Component": 6998, "cmds": 6999, "cmdline": 7000, "##per2": 7001, "##peration": 7002, "##perty": 7003, "##percase": 7004, "##perature": 7005, "separ": 7006, "segment": 7007, "##upCommand": 7008, "basic": 7009, "basically": 7010, "Atbrok": 7011, "scriptUpon": 7012, "##tration": 7013, "registryCaution": 7014, "registryentries": 7015, "outdated": 7016, "localized": 7017, "localwe": 7018, "##els": 7019, "Activate": 7020, "Activities": 7021, "##agemen": 7022, "##pening": 7023, "##pension": 7024, "installty": 7025, "allthe": 7026, "CreateCronj": 7027, "Short": 7028, "Should": 7029, "##iousSAM": 7030, "##ude": 7031, "notrans": 7032, "keeps": 7033, "downloaders": 7034, "folderEx": 7035, "Store": 7036, "Storing": 7037, "Starting": 7038, "Style": 7039, "##tov4": 7040, "Chain": 7041, "Chunks": 7042, "artif": 7043, "arbit": 7044, "archi": 7045, "arrays": 7046, "timestomp": 7047, "Conse": 7048, "Content": 7049, "Constr": 7050, "##ustroyer": 7051, "##ustrate": 7052, "useful": 7053, "informations": 7054, "informationUpon": 7055, "##urrence": 7056, "##ections": 7057, "##abf65": 7058, "##aborate": 7059, "specfic": 7060, "whichwill": 7061, "netrc": 7062, "netsvcs": 7063, "netmask": 7064, "week": 7065, "wevtutil": 7066, "doing": 7067, "hosting": 7068, "##aged": 7069, "##agment": 7070, "altit": 7071, "alert": 7072, "alias": 7073, "alters": 7074, "algor": 7075, "alerting": 7076, "peripheral": 7077, "pertains": 7078, "usersdps": 7079, "accesss": 7080, "accessibl": 7081, "accesschk": 7082, "binaries": 7083, "binpath": 7084, "##3283": 7085, "uname": 7086, "unzip": 7087, "unquoted": 7088, "unlike": 7089, "unauthor": 7090, "##STAT": 7091, "##ernal": 7092, "environ": 7093, "##erequis": 7094, "utilityThis": 7095, "outputs": 7096, "keyword": 7097, "keyname": 7098, "keychain": 7099, "keyHK": 7100, "keythat": 7101, "true": 7102, "trusted": 7103, "tricbot": 7104, "##ression": 7105, "Administrative": 7106, "Adminstar": 7107, "AzureAut": 7108, "FilePro": 7109, "Filename": 7110, "Fileless": 7111, "privill": 7112, "privled": 7113, "privilie": 7114, "##ickest": 7115, "ADObject": 7116, "valuable": 7117, "##ffee": 7118, "##filterfw": 7119, "##ething": 7120, "DirectorySearch": 7121, "##shadow": 7122, "SetFile": 7123, "##rutil": 7124, "##ACE": 7125, "ServiceDll": 7126, "preference": 7127, "prepar": 7128, "prefix": 7129, "prepare": 7130, "Defaults": 7131, "configures": 7132, "clic": 7133, "cland": 7134, "cloned": 7135, "precur": 7136, "prints": 7137, "printing": 7138, "printen": 7139, "precautions": 7140, "practise": 7141, "requested": 7142, "requiring": 7143, "compat": 7144, "compute": 7145, "compiling": 7146, "enclosed": 7147, "WMIMethod": 7148, "DLLS": 7149, "DLLRegisterServer": 7150, "embed": 7151, "modifiy": 7152, "ActiveDirectory": 7153, "reside": 7154, "resolution": 7155, "resulting": 7156, "resemble": 7157, "within30": 7158, "atomicNo": 7159, "Logoff": 7160, "executableUpon": 7161, "delegated": 7162, "RemoteUpon": 7163, "RemoteApp": 7164, "##ribed": 7165, "Copying": 7166, "DeleteLog": 7167, "AtomicAdmin": 7168, "AtomicUser": 7169, "AtomicSh": 7170, "binarycookies": 7171, "binaryCookies": 7172, "above": 7173, "abuses": 7174, "abused": 7175, "checkbox": 7176, "stdin": 7177, "taskbar": 7178, "Installs": 7179, "Netcat": 7180, "NetTCP": 7181, "etl": 7182, "manner": 7183, "override": 7184, "overcome": 7185, "whenever": 7186, "whenCMD": 7187, "##tives": 7188, "##tivated": 7189, "LocalUpon": 7190, "LocalAdmin": 7191, "ProcessName": 7192, "RunPE": 7193, "RunPre": 7194, "RunDLL": 7195, "Runbook": 7196, "notic": 7197, "novel": 7198, "noise": 7199, "nothing": 7200, "prompts": 7201, "##logs": 7202, "Executions": 7203, "Until": 7204, "Unquoted": 7205, "Unlike": 7206, "viewing": 7207, "viewpoint": 7208, "viewthe": 7209, "FireEye": 7210, "live": 7211, "living": 7212, "##does": 7213, "Listing": 7214, "ListView": 7215, "ListCronj": 7216, "ListSecre": 7217, "messsage": 7218, "writable": 7219, "##duced": 7220, "throughout": 7221, "##urations": 7222, "spawning": 7223, "SoftRAID": 7224, "itspath": 7225, "objectiv": 7226, "obsolete": 7227, "stays": 7228, "static": 7229, "staged": 7230, "standpoint": 7231, "statement": 7232, "##tifact": 7233, "##tifestation": 7234, "logsUpon": 7235, "networksP": 7236, "UACDis": 7237, "##andPro": 7238, "##tically": 7239, "loader": 7240, "disablewin": 7241, "Compati": 7242, "launchctl": 7243, "NTUS": 7244, "interupt": 7245, "interactive": 7246, "intercept": 7247, "Keeps": 7248, "Thund": 7249, "decrease": 7250, "otherchecks": 7251, "otherwise": 7252, "##ithms": 7253, "##ything": 7254, "echos": 7255, "echoes": 7256, "echoing": 7257, "plan": 7258, "parsed": 7259, "locate": 7260, "locations": 7261, "performing": 7262, "performance": 7263, "CurrentTem": 7264, "TestNames": 7265, "typing": 7266, "##Proxy": 7267, "infections": 7268, "Requiring": 7269, "Encode": 7270, "ESXI": 7271, "JSE": 7272, "Scenarios": 7273, "SSHD": 7274, "SSHRe": 7275, "SSHLo": 7276, "VBscript": 7277, "certificates": 7278, "eventlogs": 7279, "systemand": 7280, "served": 7281, "secondary": 7282, "##ords": 7283, "working": 7284, "autostart": 7285, "afterwards": 7286, "recycle": 7287, "recoverable": 7288, "retained": 7289, "##akness": 7290, "##erbird": 7291, "discovered": 7292, "2012": 7293, "2019": 7294, "2016": 7295, "2011": 7296, "Simple": 7297, "Simulation": 7298, "auditing": 7299, "butdoes": 7300, "erli": 7301, "erasedup": 7302, "ExplorerSync": 7303, "args": 7304, "arguement": 7305, "modifications": 7306, "Accessed": 7307, "Peripheral": 7308, "RDS": 7309, "Spread": 7310, "Spaw": 7311, "evasive": 7312, "finding": 7313, "getting": 7314, "getglobal": 7315, "undoc": 7316, "understand": 7317, "##Compile": 7318, "insall": 7319, "insight": 7320, "inspection": 7321, "inserts": 7322, "offensive": 7323, "Remoting": 7324, "Chromes": 7325, "Aliases": 7326, "Alias": 7327, "AltWin": 7328, "Dumps": 7329, "DNSAdmin": 7330, "Manufacturer": 7331, "RedLine": 7332, "Redhat": 7333, "apps": 7334, "approp": 7335, "appeal": 7336, "##Connection": 7337, "##Config": 7338, "sudoers": 7339, "##tocolHandler": 7340, "EventCode": 7341, "Maldoc": 7342, "OpenURL": 7343, "SOME": 7344, "esxcli": 7345, "escape": 7346, "owned": 7347, "pofile": 7348, "points": 7349, "pointing": 7350, "pointed": 7351, "logins": 7352, "systemsUpon": 7353, "Allows": 7354, "AllCheck": 7355, "AppX82a6": 7356, "Blast": 7357, "Resolution": 7358, "##003": 7359, "##tectable": 7360, "##antly": 7361, "##ant0m": 7362, "Keychain": 7363, "003": 7364, "007": 7365, "clearing": 7366, "clearance": 7367, "nameExecution": 7368, "##installed": 7369, "passwordsDB": 7370, "passwordsdb": 7371, "specifically": 7372, "targeting": 7373, "Blackbit": 7374, "BlackHat": 7375, "Checks": 7376, "Syslog": 7377, "SysWOW": 7378, "generation": 7379, "generates": 7380, "ipUpon": 7381, "operate": 7382, "restric": 7383, "restoration": 7384, "exported": 7385, "exporting": 7386, "screensaver": 7387, "installationrar": 7388, "installationwz": 7389, "Filesystem": 7390, "Officeis": 7391, "Office365": 7392, "Officeapplication": 7393, "10Upon": 7394, "Client": 7395, "Does": 7396, "Scheme": 7397, "##uths": 7398, "##LITE": 7399, "exploit": 7400, "exploits": 7401, "exploiting": 7402, "subdomain": 7403, "subtree": 7404, "submits": 7405, "subvert": 7406, "detections": 7407, "disks": 7408, "diskshadow": 7409, "RegEdit": 7410, "Regasm": 7411, "IPC": 7412, "IPv6": 7413, "NETUpon": 7414, "Override": 7415, "Portal": 7416, "PortProxy": 7417, "PersistenceUpon": 7418, "Scripts": 7419, "Scriptlet": 7420, "TaskCache": 7421, "TaskScheduler": 7422, "zipped": 7423, "zipwas": 7424, "threats": 7425, "automate": 7426, "automation": 7427, "LDAPFil": 7428, "Prperties": 7429, "Printer": 7430, "nonstandard": 7431, "pschild": 7432, "sensitivefiles": 7433, "##leroot": 7434, "##itional": 7435, "##netsh": 7436, "##cconf": 7437, "##Extension": 7438, "##ggling": 7439, "##ING": 7440, "##itself": 7441, "Scanner": 7442, "GPG4Win": 7443, "PSRem": 7444, "flagged": 7445, "msfven": 7446, "##both": 7447, "##Package": 7448, "##astore": 7449, "beforehand": 7450, "controllerAn": 7451, "bypassing": 7452, "LockerGog": 7453, "allowed": 7454, "variablesUpon": 7455, "AutoSUID": 7456, "AVs": 7457, "Hex": 7458, "Hey": 7459, "Into": 7460, "Internal": 7461, "boxes": 7462, "elevate": 7463, "listapp": 7464, "vulns": 7465, "##flection": 7466, "EnableLUA": 7467, "ProtocolHandler": 7468, "APIs": 7469, "behaviors": 7470, "Emulation": 7471, "EXO": 7472, "Subsequent": 7473, "Trusted": 7474, "Trickbot": 7475, "cached": 7476, "##blue": 7477, "##PwdCount": 7478, "##ITY": 7479, "exfiltrationExp": 7480, "Deleting": 7481, "Delegation": 7482, "Delegate": 7483, "##agerLoad": 7484, "LoggingService": 7485, "legit": 7486, "leveraged": 7487, "manuallyor": 7488, "T1036": 7489, "T1086": 7490, "T1098": 7491, "placement": 7492, "appearwith": 7493, "Launchctl": 7494, "LaunchDaemon": 7495, "LaunchApplication": 7496, "BrowserPwn": 7497, "BrowserSte": 7498, "Cracking": 7499, "Certutil": 7500, "Certificates": 7501, "Psr": 7502, "VMware": 7503, "VMWARE": 7504, "captureAfter": 7505, "swapping": 7506, "tryto": 7507, "readable": 7508, "Attribute": 7509, "driverquery": 7510, "Environments": 7511, "LOLB": 7512, "PromptOnS": 7513, "Suspension": 7514, "Tickets": 7515, "crmlog": 7516, "industroyer": 7517, "impaire": 7518, "impacting": 7519, "sshd": 7520, "tweak": 7521, "wmio": 7522, "wmiprv": 7523, "##osed": 7524, "##aled": 7525, "##epRoast": 7526, "##DumpWrite": 7527, "streams": 7528, "SharpView": 7529, "functionalities": 7530, "hashing": 7531, "hashdump": 7532, "updates": 7533, "escalate": 7534, "determines": 7535, "prereqs": 7536, "journald": 7537, "journalctl": 7538, "Argument": 7539, "Artifact": 7540, "Bruteforce": 7541, "Serverity": 7542, "USB": 7543, "longer": 7544, "takeown": 7545, "##ERT": 7546, "##Integrity": 7547, "##SetupCommand": 7548, "##3356": 7549, "Examples": 7550, "specifying": 7551, "LoginHook": 7552, "T1133": 7553, "T1127": 7554, "T1140": 7555, "T1115": 7556, "collector": 7557, "likelyto": 7558, "Regsvcs": 7559, "##ggering": 7560, "KerberosPr": 7561, "Binaries": 7562, "Grae": 7563, "Impair": 7564, "OSConfig": 7565, "Safe": 7566, "Uppercase": 7567, "VIRUS": 7568, "Virtualbox": 7569, "VirtualBox": 7570, "hijack": 7571, "hijacking": 7572, "idmu": 7573, "markdown": 7574, "samplef9": 7575, "vbscript": 7576, "vbsIn": 7577, "##Reflection": 7578, "filtering": 7579, "filtered": 7580, "looks": 7581, "relies": 7582, "printers": 7583, "Automatic": 7584, "Auditd": 7585, "Works": 7586, "avoids": 7587, "catalog": 7588, "caption": 7589, "dsedit": 7590, "dsenab": 7591, "granting": 7592, "pattern": 7593, "##thew": 7594, "##ShellHost": 7595, "##Trickbot": 7596, "##These": 7597, "registered": 7598, "consists": 7599, "choose": 7600, "Tools": 7601, "handle": 7602, "##tificationPackage": 7603, "Keystrokes": 7604, "Screensaver": 7605, "pointers": 7606, "listeners": 7607, "HashNote": 7608, "CimProvid": 7609, "CimSession": 7610, "HelpText": 7611, "Living": 7612, "Libraries": 7613, "PUBLI": 7614, "Prefetch": 7615, "Preferen": 7616, "Popular": 7617, "Records": 7618, "Servers": 7619, "Servicing": 7620, "SIGMA": 7621, "blind": 7622, "blank": 7623, "destruc": 7624, "family": 7625, "heap": 7626, "meant": 7627, "measures": 7628, "pyc": 7629, "##pecific": 7630, "##pectives": 7631, "##CAR": 7632, "tokens": 7633, "extracted": 7634, "extracting": 7635, "suspend": 7636, "connectivity": 7637, "deployed": 7638, "showcase": 7639, "showcasing": 7640, "Provide": 7641, "Providers": 7642, "Contained": 7643, "Connecting": 7644, "netshnetsh": 7645, "sockets": 7646, "socketfilterfw": 7647, "transparent": 7648, "AtomicTestHar": 7649, "records": 7650, "argumentlist": 7651, "Performs": 7652, "postex": 7653, "Privileges": 7654, "screenshots": 7655, "USERNAME": 7656, "Blob": 7657, "Blotch": 7658, "Detail": 7659, "Esxcli": 7660, "Fullname": 7661, "Model": 7662, "See": 7663, "SAMR": 7664, "Vista": 7665, "Valid": 7666, "bengin": 7667, "badPwdCount": 7668, "emails": 7669, "gives": 7670, "mini": 7671, "oriented": 7672, "routine": 7673, "turned": 7674, "##phere": 7675, "##nnn": 7676, "##efly": 7677, "##12e7": 7678, "##ADME": 7679, "##ecureDesktop": 7680, "##rope": 7681, "combined": 7682, "combines": 7683, "WinRMUpon": 7684, "replace": 7685, "replaces": 7686, "conceal": 7687, "concealed": 7688, "advanced": 7689, "association": 7690, "InputArg": 7691, "listings": 7692, "uninstaller": 7693, "uninstalling": 7694, "validate": 7695, "validation": 7696, "clicking": 7697, "presented": 7698, "overwrite": 7699, "completely": 7700, "undetectable": 7701, "Alternatively": 7702, "persistanceUpon": 7703, "removing": 7704, "removable": 7705, "SharpHound3": 7706, "lookedup": 7707, "CanaryTok": 7708, "campaigne": 7709, "campaigns": 7710, "sayingit": 7711, "Authority": 7712, "Authorized": 7713, "ASRepRoast": 7714, "Begin": 7715, "SensitiveFil": 7716, "browse": 7717, "browserpwn": 7718, "caution": 7719, "causing": 7720, "cspro": 7721, "csrutil": 7722, "datastore": 7723, "direcot": 7724, "failures": 7725, "frameworks": 7726, "gathering": 7727, "lauch": 7728, "lazagne": 7729, "linker": 7730, "quickest": 7731, "samaccount": 7732, "terminated": 7733, "##msdd": 7734, "##86040": 7735, "##entations": 7736, "support": 7737, "suppression": 7738, "Exfiltrates": 7739, "##quently": 7740, "Deployment": 7741, "unlocks": 7742, "Machines": 7743, "manipulate": 7744, "manipulating": 7745, "manipulation": 7746, "RunOnceEx": 7747, "wordlist": 7748, "Compiles": 7749, "Requesting": 7750, "returns": 7751, "returned": 7752, "backdoors": 7753, "backgroundtask": 7754, "backgrounditem": 7755, "Special": 7756, "Specific": 7757, "Specified": 7758, "APTs": 7759, "APT33": 7760, "appends": 7761, "retrieves": 7762, "primary": 7763, "Operational": 7764, "capabilityuses": 7765, "blueblue": 7766, "Detailsand": 7767, "VisualBas": 7768, "associatedwith": 7769, "mechanisms": 7770, "Amnes": 7771, "Called": 7772, "DCSync": 7773, "DynamicCompile": 7774, "Elevated": 7775, "Javascript": 7776, "Stealer": 7777, "Stealth": 7778, "Supply": 7779, "Secret": 7780, "TGS": 7781, "Timer": 7782, "Where": 7783, "Whoami": 7784, "Wmic": 7785, "WmiMethod": 7786, "close": 7787, "closes": 7788, "htaTrickbot": 7789, "kills": 7790, "killing": 7791, "killng": 7792, "monitored": 7793, "occurrence": 7794, "signific": 7795, "signature": 7796, "securely": 7797, "vmm": 7798, "vmw": 7799, "xlsx": 7800, "##polit": 7801, "##dd75b0": 7802, "##103356": 7803, "##444": 7804, "##NDING": 7805, "##Attachment": 7806, "##76acb33": 7807, "tocorrelate": 7808, "realm": 7809, "contacting": 7810, "controlled": 7811, "ExternalPayload": 7812, "antiphish": 7813, "discovers": 7814, "Registering": 7815, "InboxRule": 7816, "InfoTech": 7817, "##forcedCode": 7818, "altered": 7819, "opensource": 7820, "notifications": 7821, "interesting": 7822, "##Provided": 7823, "evening": 7824, "Removing": 7825, "Intergre": 7826, "vulnerabilityknown": 7827, "implementation": 7828, "impersonate": 7829, "stealer": 7830, "stealing": 7831, "Collector": 7832, "PUAs": 7833, "transferand": 7834, "transferring": 7835, "Bloodhound": 7836, "DriverQuery": 7837, "ErrorAction": 7838, "breaking": 7839, "dialogs": 7840, "dialogue": 7841, "ignoring": 7842, "proceeds": 7843, "ARP": 7844, "CustomShellHost": 7845, "Dirty": 7846, "HypervisorEn": 7847, "IOKit": 7848, "IEX": 7849, "IFM": 7850, "Messages": 7851, "Ordinal": 7852, "PPA": 7853, "Quartely": 7854, "Renamed": 7855, "Target": 7856, "apple": 7857, "ccrypt": 7858, "daemons": 7859, "everything": 7860, "effectively": 7861, "fruits": 7862, "globalstate": 7863, "items": 7864, "krnl": 7865, "misconfig": 7866, "perspectives": 7867, "publicly": 7868, "titles": 7869, "teamer": 7870, "teamviewer": 7871, "uploaded": 7872, "##dfd8": 7873, "##managemen": 7874, "##UHoH": 7875, "##bility": 7876, "##58abf65": 7877, "##4fdg": 7878, "##IntoCon": 7879, "##WithURL": 7880, "inturrup": 7881, "invalid": 7882, "inactivated": 7883, "reverting": 7884, "reviewthe": 7885, "forests": 7886, "successul": 7887, "ExpandPro": 7888, "ExitProcess": 7889, "ExclusionProcess": 7890, "ExclusionPath": 7891, "ExclusionExtension": 7892, "Powerspolit": 7893, "depending": 7894, "dependency": 7895, "develop": 7896, "developer": 7897, "developed": 7898, "ReportingMode": 7899, "PowerUpSQL": 7900, "Injecting": 7901, "ComputerName": 7902, "select": 7903, "selected": 7904, "selectively": 7905, "Attachment": 7906, "Stores": 7907, "weakness": 7908, "weaknesses": 7909, "webserverand": 7910, "unattended": 7911, "NetshHelper": 7912, "libcurl": 7913, "scheduler": 7914, "Therefore": 7915, "authenticated": 7916, "receive": 7917, "##00000000": 7918, "keystrokesProvided": 7919, "CloudTrail": 7920, "Notifications": 7921, "##Execute": 7922, "HeaderDe": 7923, "Embedded": 7924, "crash": 7925, "crashes": 7926, "crashing": 7927, "Identifies": 7928, "occurs": 7929, "ignoreboth": 7930, "McAffee": 7931, "duplication": 7932, "ntdsutil": 7933, "4698": 7934, "40444": 7935, "600s": 7936, "8081": 7937, "About": 7938, "Abuse": 7939, "Directories": 7940, "Entry": 7941, "Enterpr": 7942, "GhostTask": 7943, "Harcoded": 7944, "Harvest": 7945, "HiveNight": 7946, "NtCre": 7947, "NtWrite": 7948, "Panel": 7949, "Panther": 7950, "PhishingAttachment": 7951, "REvil": 7952, "README": 7953, "Swap": 7954, "Switch": 7955, "Symbolic": 7956, "Symlink": 7957, "Terminates": 7958, "TerminateProcess": 7959, "UniqueID": 7960, "Vars": 7961, "Variable": 7962, "Weakness": 7963, "btm": 7964, "btmp": 7965, "b64dec": 7966, "b64encode": 7967, "drops": 7968, "dropping": 7969, "else": 7970, "elaborate": 7971, "edge": 7972, "easier": 7973, "easiest": 7974, "harness": 7975, "harvest": 7976, "hides": 7977, "hiding": 7978, "hanging": 7979, "hooks": 7980, "icmp": 7981, "icacls": 7982, "jscriptExecution": 7983, "limit": 7984, "limiting": 7985, "matches": 7986, "mattifestation": 7987, "ourselves": 7988, "oldchecks": 7989, "pair": 7990, "patient": 7991, "pgp": 7992, "pgrep": 7993, "safe": 7994, "safety": 7995, "viruses": 7996, "##ieMin": 7997, "##ibi": 7998, "##ibly": 7999, "##itate": 8000, "##itauths": 8001, "##uHUHoH": 8002, "##SPACE": 8003, "##texecuted": 8004, "explicitly": 8005, "explicitauths": 8006, "injecting": 8007, "##ateProcessReflection": 8008, "reposit": 8009, "forked": 8010, "things": 8011, "profilesand": 8012, "ExecIntoCon": 8013, "detecting": 8014, "detects": 8015, "PowercatTo": 8016, "Username": 8017, "Usernames": 8018, "Detecting": 8019, "Detects": 8020, "cancels": 8021, "Located": 8022, "Locale": 8023, "utilises": 8024, "utilised": 8025, "alternatively": 8026, "unpack": 8027, "unpatched": 8028, "tradecraft": 8029, "traditional": 8030, "preferred": 8031, "encodes": 8032, "encoding": 8033, "researcher": 8034, "AtomicRedTeam": 8035, "AtomicRedteam": 8036, "leads": 8037, "verbose": 8038, "verbosity": 8039, "Unloads": 8040, "decreases": 8041, "decreasing": 8042, "parseable": 8043, "inflight": 8044, "influence": 8045, "recommended": 8046, "2008": 8047, "Forwarding": 8048, "ForwardTo": 8049, "subfolder": 8050, "subfolders": 8051, "assume": 8052, "assumes": 8053, "GlobalFlag": 8054, "GlobalFlags": 8055, "triggerspecific": 8056, "Cradle": 8057, "Cradlecraft": 8058, "guidance": 8059, "indicatethe": 8060, "correctly": 8061, "corresponding": 8062, "Prevents": 8063, "quietly": 8064, "terminatesitself": 8065, "GPPPasswords": 8066, "DDEAUT": 8067, "MiniDumpWrite": 8068, "DeviceGuard": 8069, "receives": 8070, "received": 8071, "1803": 8072, "1809": 8073, "AppleScript": 8074, "Assistive": 8075, "Assistant": 8076, "MirrorBlast": 8077, "SACLThese": 8078, "WORKSTAT": 8079, "WORKSPACE": 8080, "covertly": 8081, "dedicatedservice": 8082, "facilitating": 8083, "facilitate": 8084, "tunneling": 8085, "accordingly": 8086, "AllTheThingsx64": 8087, "badpwdcountNeed": 8088, "0F00000000": 8089, "120": 8090, "2316": 8091, "4776": 8092, "5Mb": 8093, "9999": 8094, "Available": 8095, "ACL": 8096, "Applescript": 8097, "AUTHOR": 8098, "Astaroth": 8099, "BazaLoad": 8100, "Builder": 8101, "Bundles": 8102, "BLIND": 8103, "CVE": 8104, "Cleared": 8105, "CookieMin": 8106, "CLSID": 8107, "DYLD": 8108, "DotNet": 8109, "Downgrade": 8110, "Doki": 8111, "Europe": 8112, "EICAR": 8113, "Ethernet": 8114, "Empire": 8115, "Establishes": 8116, "Fragment": 8117, "Finally": 8118, "Favorites": 8119, "FIN7": 8120, "Federation": 8121, "GitHub": 8122, "Gamarue": 8123, "Grouper2": 8124, "Gozi": 8125, "Gpg4win": 8126, "HuHuHUHoH": 8127, "Ifyou": 8128, "INSERT": 8129, "Kleopatra": 8130, "Kali": 8131, "Kirk": 8132, "KextMan": 8133, "LEGIT": 8134, "LIBRARI": 8135, "Limits": 8136, "LLMNR": 8137, "Lowercase": 8138, "Measure": 8139, "Media": 8140, "Matthew": 8141, "Metasplo": 8142, "Migration": 8143, "Mocking": 8144, "NMap": 8145, "Number": 8146, "NcatTo": 8147, "OOBE": 8148, "OIIO": 8149, "OSAScript": 8150, "Odbcconf": 8151, "Poisoning": 8152, "Phant0m": 8153, "PENDING": 8154, "PTH": 8155, "Pattern": 8156, "Persist": 8157, "Podman": 8158, "PostMess": 8159, "Parameters": 8160, "RtlCre": 8161, "RUN": 8162, "RansomEX": 8163, "RPRN": 8164, "Said": 8165, "SIEM": 8166, "SQLITE": 8167, "STOP": 8168, "SeriousSAM": 8169, "Sodinok": 8170, "Solarigate": 8171, "Sayre": 8172, "String": 8173, "Subnet": 8174, "Smuggling": 8175, "Two": 8176, "TTL": 8177, "TermService": 8178, "Triggering": 8179, "Technolog": 8180, "Typically": 8181, "Tsharkinstalled": 8182, "T505": 8183, "TMPFILE": 8184, "Vanity": 8185, "VMDKs": 8186, "WannaC": 8187, "Worming": 8188, "WSReset": 8189, "Xclip": 8190, "XInitImage": 8191, "ZIP": 8192, "akteull": 8193, "aureport": 8194, "awareness": 8195, "audio": 8196, "atacker": 8197, "applies": 8198, "amongst": 8199, "agruments": 8200, "blending": 8201, "broken": 8202, "briefly": 8203, "bottom": 8204, "bundled": 8205, "bitsdam": 8206, "brittle": 8207, "coerce": 8208, "carryout": 8209, "carefully": 8210, "course": 8211, "cryptojacking": 8212, "crucial": 8213, "dictionary": 8214, "dumpthem": 8215, "described": 8216, "dynamically": 8217, "equipment": 8218, "essential": 8219, "flush": 8220, "ftp": 8221, "frustrate": 8222, "freedom": 8223, "false": 8224, "front": 8225, "falcond": 8226, "focused": 8227, "feedback": 8228, "gecko": 8229, "gaps": 8230, "hlk": 8231, "hunting": 8232, "hotfix": 8233, "hourly": 8234, "hardcoded": 8235, "happening": 8236, "hosted": 8237, "irrevers": 8238, "illicit": 8239, "identifies": 8240, "ioreg": 8241, "javascript": 8242, "kuhl": 8243, "major": 8244, "mktemp": 8245, "m4a": 8246, "monthly": 8247, "massive": 8248, "mstsc": 8249, "minute": 8250, "mouse": 8251, "millisecond": 8252, "nominated": 8253, "navigate": 8254, "nnnnnnnn": 8255, "opperation": 8256, "ouput": 8257, "oleObject": 8258, "optoin": 8259, "opposed": 8260, "ppk": 8261, "phrase": 8262, "p7b": 8263, "pane": 8264, "purepow": 8265, "pheripheral": 8266, "pixels": 8267, "peek": 8268, "pnputil": 8269, "queue": 8270, "queried": 8271, "rtf": 8272, "risk": 8273, "robust": 8274, "sniffing": 8275, "sheduled": 8276, "something": 8277, "situation": 8278, "solutions": 8279, "split": 8280, "sector": 8281, "syncing": 8282, "t1003": 8283, "testexecuted": 8284, "tactic": 8285, "taken": 8286, "t1059": 8287, "untested": 8288, "v4tov4": 8289, "vSphere": 8290, "virt": 8291, "vmdks": 8292, "volumes": 8293, "wtmp": 8294, "w64time": 8295, "xClip": 8296, "ypprop": 8297, "zones": 8298, "##o283283": 8299, "##tn5ct": 8300, "##a158abf65": 8301, "##amatically": 8302, "##c7dd75b0": 8303, "##sSection": 8304, "##sheet": 8305, "##uasar": 8306, "##f07f50": 8307, "##f8msdd": 8308, "##qjf8msdd": 8309, "##yQuasar": 8310, "##Ptrs": 8311, "##gwre4fdg": 8312, "##635tn5ct": 8313, "##IONThe": 8314, "##Sock2DLL": 8315, "##3ab068": 8316, "##3bt635tn5ct": 8317, "##Type": 8318, "##800f07f50": 8319, "##8226This": 8320, "##FuncPtrs": 8321, "##VirtualMemory": 8322, "##KextWithURL": 8323, "totally": 8324, "together": 8325, "exploration": 8326, "exiltration": 8327, "introduced": 8328, "inherits": 8329, "inbuilt": 8330, "intelligence": 8331, "ofsoftware": 8332, "ofsubsequent": 8333, "begrayed": 8334, "combos": 8335, "##estinely": 8336, "fileSetting": 8337, "WinDefend": 8338, "relocation": 8339, "reverse": 8340, "relevant": 8341, "representations": 8342, "rebooted": 8343, "executionthere": 8344, "superuser": 8345, "supply": 8346, "sufficient": 8347, "suggests": 8348, "survey": 8349, "profiler": 8350, "programatically": 8351, "WindowsIdentity": 8352, "WindowsSensor": 8353, "conducts": 8354, "connects": 8355, "conventional": 8356, "continuously": 8357, "Exploitation": 8358, "answers": 8359, "analysis": 8360, "Poweliks": 8361, "adaptor": 8362, "deobfuscates": 8363, "debugging": 8364, "Replicating": 8365, "enumerated": 8366, "enforcement": 8367, "DisallowRun": 8368, "actually": 8369, "accomplished": 8370, "acquireLSA": 8371, "structure": 8372, "stmxcsr": 8373, "##ableNotify": 8374, "Inventory": 8375, "Invokes": 8376, "Include": 8377, "PowerShellMafia": 8378, "thisoleObject": 8379, "Delivery": 8380, "Deobfuscate": 8381, "spreadsheet": 8382, "chosen": 8383, "serviceabuse": 8384, "Communications": 8385, "Components": 8386, "separate": 8387, "Atbroker": 8388, "localwebserver": 8389, "installtype": 8390, "CreateCronjob": 8391, "notransaction": 8392, "folderExample": 8393, "artifacts": 8394, "arbitrarily": 8395, "archived": 8396, "Consequently": 8397, "ContentType": 8398, "Constrained": 8399, "weekly": 8400, "altitude": 8401, "algorithms": 8402, "usersdpsLight": 8403, "accessiblity": 8404, "unzipped": 8405, "unlikely": 8406, "unauthorized": 8407, "environement": 8408, "##erequisite": 8409, "keyHKLM": 8410, "Adminstartion": 8411, "AzureAutomation": 8412, "FileProtocolHandler": 8413, "privilleged": 8414, "privledges": 8415, "privilieges": 8416, "DirectorySearcher": 8417, "preparation": 8418, "clandestinely": 8419, "precursor": 8420, "printenv": 8421, "embeds": 8422, "modifiying": 8423, "atomicNotificationPackage": 8424, "delegatedas": 8425, "AtomicAdministrator": 8426, "AtomicShim": 8427, "NetTCPConnection": 8428, "RunPreSetupCommand": 8429, "noticed": 8430, "ListCronjobs": 8431, "ListSecrets": 8432, "objectives": 8433, "networksPython": 8434, "UACDisableNotify": 8435, "disablewindows": 8436, "Compatibility": 8437, "NTUSER": 8438, "Thunderbird": 8439, "CurrentTemperature": 8440, "SSHRemote": 8441, "SSHLocal": 8442, "erlier": 8443, "erasedups": 8444, "Spawnd": 8445, "getglobalstate": 8446, "undocumented": 8447, "AltWinSock2DLL": 8448, "DNSAdmins": 8449, "appropriare": 8450, "appealing": 8451, "AllChecks": 8452, "AppX82a6gwre4fdg": 8453, "SysWOW64": 8454, "restrict": 8455, "installationwzzip": 8456, "subdomains": 8457, "LDAPFilter": 8458, "pschildname": 8459, "PSRemoting": 8460, "msfvenom": 8461, "LockerGoga": 8462, "listapps": 8463, "Subsequently": 8464, "exfiltrationExpected": 8465, "DelegateExecute": 8466, "##agerLoadKextWithURL": 8467, "LoggingServiceV2": 8468, "BrowserStealer": 8469, "LOLBAS": 8470, "PromptOnSecureDesktop": 8471, "industroyer2": 8472, "tweaking": 8473, "wmiobject": 8474, "wmiprvse": 8475, "ArgumentList": 8476, "KerberosPrerequisite": 8477, "Graeber": 8478, "samplef986040": 8479, "dseditgroup": 8480, "dsenableroot": 8481, "CimProvider": 8482, "PUBLIC": 8483, "Preferences": 8484, "destructive": 8485, "transparently": 8486, "AtomicTestHarnesses": 8487, "BlotchyQuasar": 8488, "##12e7dfd8": 8489, "InputArgs": 8490, "CanaryToken": 8491, "Beginning": 8492, "SensitiveFiles": 8493, "csproj": 8494, "direcotry": 8495, "samaccountname": 8496, "backgroundtaskmanagemen": 8497, "backgrounditems": 8498, "VisualBasic": 8499, "Amnesia": 8500, "significantly": 8501, "##1033563ab068": 8502, "##76acb33a158abf65": 8503, "ExternalPayloads": 8504, "##forcedCodeIntegrity": 8505, "Intergrety": 8506, "HypervisorEnforcedCodeIntegrity": 8507, "Quartelyreport": 8508, "misconfigurations": 8509, "inturruption": 8510, "ExpandProperty": 8511, "HeaderDeletes": 8512, "Enterprise": 8513, "HiveNightmare": 8514, "NtCreateFile": 8515, "NtWriteVirtualMemory": 8516, "b64decode": 8517, "harvesting": 8518, "repository": 8519, "ExecIntoContainer": 8520, "DDEAUTO": 8521, "MiniDumpWriteDump": 8522, "WORKSTATIONThe": 8523, "AUTHORITY": 8524, "BazaLoader": 8525, "CookieMiner": 8526, "HuHuHUHoHo283283": 8527, "KextManagerLoadKextWithURL": 8528, "LIBRARIES": 8529, "Metasploit": 8530, "PostMessage": 8531, "RtlCreateProcessReflection": 8532, "RansomEXX": 8533, "Sodinokibi": 8534, "Technologies": 8535, "WannaCry": 8536, "XInitImageFuncPtrs": 8537, "akteullen": 8538, "bitsdamin": 8539, "irreversibly": 8540, "milliseconds": 8541, "purepowershell": 8542, "situational": 8543, "v4tov4Upon": 8544, "##c7dd75b012e7dfd8": 8545, "##qjf8msdd2": 8546, "##3bt635tn5ctqjf8msdd2": 8547, "##800f07f508226This": 8548, "RunPreSetupCommandsSection": 8549, "AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2": 8550, "samplef986040c7dd75b012e7dfd8": 8551, "backgroundtaskmanagementagent": 8552, "##1033563ab068800f07f508226This": 8553, "##76acb33a158abf651033563ab068800f07f508226This": 8554, "samplef986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226This": 8555 } } }