# Snapshot of autorun-style persistence locations captured as an array of
# PSCustomObjects (looks like the output shape of an autoruns-style collector
# serialised back into PowerShell literals — TODO confirm the producing tool).
#
# Every object carries the same logical schema:
#   Path          registry key or file-system location of the entry
#   Item          value name (or file/task name) within that location
#   Category      collector category (Image Hijacks, Known Dlls, Logon, Drivers, Services, Task)
#   Value         raw data stored at Path\Item
#   ImagePath     resolved on-disk binary the Value points to ('' or $null when unresolved)
#   Size/LastWriteTime/Version/MD5/SHA1/SHA256/Signed/Publisher
#                 file metadata of ImagePath; $null throughout means the binary was
#                 never hashed/inspected, so the entry is UNVERIFIED, not "clean"
#   IsOSBinary    present (as $null) only on the unverified objects; the hashed
#                 objects below omit the property entirely, so any consumer that
#                 filters on IsOSBinary must tolerate a missing member.
#
# Review notes for anyone triaging this list:
#   * Signed is written as [bool]'True'. Casting a non-empty string to [bool]
#     always yields $true (including [bool]'False'), so a "not signed" result can
#     only be represented here as $false / $null — do not trust the literal form
#     for negative cases.
#   * LastWriteTime is stored as .NET ticks ([datetime]<ticks>); the trailing
#     '# yyyy-MM-dd HH:mm:ssZ' comments are human-readable renderings only.
#   * Some Path values contain a doubled backslash ('SOFTWARE\\Microsoft'); this
#     looks like a capture artifact — verify the provider resolves it before
#     reusing these paths in a query.
@(
# --- Image Hijacks ------------------------------------------------------------
# NOTE(review): '"%1" %*' is the stock default command for these file classes;
# these entries are baseline rows, not findings. Any other data here (an extra
# executable prepended, a different interpreter) would be the hijack indicator.
[PSCustomObject]@{
Path='HKLM:\SOFTWARE\Classes\Exefile\Shell\Open\Command'
Item='exefile'
Category='Image Hijacks'
Value='"%1" %*'
ImagePath=$null
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# Same key as the previous object (case differs only), reported under the '.exe'
# association rather than the 'exefile' class.
[PSCustomObject]@{
Path='HKLM:\Software\Classes\exefile\shell\open\command'
Item='.exe'
Category='Image Hijacks'
Value='"%1" %*'
ImagePath=$null
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
[PSCustomObject]@{
Path='HKLM:\Software\Classes\cmdfile\shell\open\command'
Item='.cmd'
Category='Image Hijacks'
Value='"%1" %*'
ImagePath=$null
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# --- Known DLLs ---------------------------------------------------------------
# KnownDLLs entries are loaded by name from System32 ahead of the normal search
# order, which is why the collector reports them. Neither DLL below was hashed
# or signature-checked (all metadata $null) — the ImagePath is only the expected
# location, not a verified file.
[PSCustomObject]@{
Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
Item='_wowarmhw'
Category='Known Dlls'
Value='wowarmhw.dll'
ImagePath='C:\WINDOWS\System32\wowarmhw.dll'
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
[PSCustomObject]@{
Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
Item='_xtajit'
Category='Known Dlls'
Value='xtajit.dll'
ImagePath='C:\WINDOWS\System32\xtajit.dll'
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# --- Logon --------------------------------------------------------------------
# Active Setup StubPath values run once per user at logon. The two StubPath
# values captured here ('/UserInstall' and 'U') carry no executable path at all,
# so nothing could be resolved or hashed (ImagePath=''). These look truncated or
# partially captured — re-collect before drawing a conclusion either way.
[PSCustomObject]@{
Path='HKLM:\SOFTWARE\\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}'
Item='StubPath'
Category='Logon'
Value='/UserInstall'
ImagePath=''
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
[PSCustomObject]@{
Path='HKLM:\SOFTWARE\\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}'
Item='StubPath'
Category='Logon'
Value='U'
ImagePath=''
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# Per-user Run key entry. This is the first fully enriched object: the binary
# was resolved, hashed (MD5/SHA1/SHA256) and its Authenticode signer recorded.
# Note the IsOSBinary member is absent here and on every other hashed object.
[PSCustomObject]@{
Path='HKCU:\Software\\Microsoft\Windows\CurrentVersion\Run'
Item='EpicGamesLauncher'
Category='Logon'
Value='"C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe" -silent'
ImagePath='C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe'
Size=[long]33092496
LastWriteTime=[datetime]637395902546270989 # 2020-10-29 17:44:14Z
Version=''
MD5='1976F94E64C4252948085BA70C1FC235'
SHA1='9A083D2F11D4990F4869002B47F33F728060616C'
SHA256='5E92C272BD57928CD4C78F45CD778CAA6243BD069228D63462D6B89B861EFB26'
Signed=[bool]'True' # [bool]'<any non-empty string>' is $true; a false result must be written $false
Publisher='CN=Epic Games Inc., O=Epic Games Inc., L=Raleigh, S=North Carolina, C=US'
},
# Startup-folder locations. 'User Shell Folders' holds the unexpanded
# %USERPROFILE% form, 'Shell Folders' the expanded one; a Startup path pointing
# anywhere other than the profile's Start Menu is what a reviewer should look for.
# Both are folder paths, hence nothing to hash (ImagePath='').
[PSCustomObject]@{
Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Item='Startup'
Category='Logon'
Value='%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
ImagePath=''
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
[PSCustomObject]@{
Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
Item='Startup'
Category='Logon'
Value='C:\Users\Emin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
ImagePath=''
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# --- Drivers ------------------------------------------------------------------
# Third-party kernel drivers (ImagePath under SysWow64\drivers, signed by the
# hardware vendor). Kernel-mode code from utility suites is a common candidate
# for checking against known-vulnerable-driver lists by hash; the SHA256 values
# captured here are the lookup keys for that.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\AsIO'
Item='ImagePath'
Category='Drivers'
Value='SysWow64\drivers\AsIO.sys'
ImagePath='C:\WINDOWS\SysWow64\drivers\AsIO.sys'
Size=[long]15232
LastWriteTime=[datetime]636499403080000000 # 2017-12-27 02:58:28Z
Version=$null
MD5='798DE15F187C1F013095BBBEB6FB6197'
SHA1='92F251358B3FE86FD5E7AA9B17330AFA0D64A705'
SHA256='436CCAB6F62FA2D29827916E054ADE7ACAE485B3DE1D3E5C6C62D3DEBF1480E7'
Signed=[bool]'True'
Publisher='CN=ASUSTeK Computer Inc., OU=Quality Testing Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ASUSTeK Computer Inc., L=Taipei / Peitou, S=Taiwan, C=TW'
},
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\AsUpIO'
Item='ImagePath'
Category='Drivers'
Value='SysWow64\drivers\AsUpIO.sys'
ImagePath='C:\WINDOWS\SysWow64\drivers\AsUpIO.sys'
Size=[long]14464
LastWriteTime=[datetime]636251198780000000 # 2017-03-14 20:24:38Z
Version=$null
MD5='1392B92179B07B672720763D9B1028A5'
SHA1='8B6AA5B2BFF44766EF7AFBE095966A71BC4183FA'
SHA256='B4D47EA790920A4531E3DF5A4B4B0721B7FEA6B49A35679F0652F1E590422602'
Signed=[bool]'True'
Publisher='CN=ASUSTeK Computer Inc., OU=Quality Testing Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ASUSTeK Computer Inc., L=Taipei / Peitou, S=Taiwan, C=TW'
},
# --- Services -----------------------------------------------------------------
# Vendor service binary placed directly in System32 (rather than under Program
# Files). Its LastWriteTime (2020-11-02) is the same day this snapshot was
# created, so it was very recently written — worth correlating with an update log.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\AsusUpdateCheck'
Item='ImagePath'
Category='Services'
Value='C:\WINDOWS\System32\AsusUpdateCheck.exe'
ImagePath='C:\WINDOWS\System32\AsusUpdateCheck.exe'
Size=[long]1087736
LastWriteTime=[datetime]637399454371900172 # 2020-11-02 20:23:57Z
Version=$null
MD5='D57184AF48A5A46C822A4AE065FC0477'
SHA1='4EB5DAEC89EBEE9DD741953CAB26D9479724B8CB'
SHA256='C5F306367772D07806D978E8C0F99E007661CCCEA9E92668EC6B01A69640F1E2'
Signed=[bool]'True'
Publisher='CN=ASUSTeK Computer Inc., O=ASUSTeK Computer Inc., L=Taipei City, S=Taipei, C=TW'
},
# Quoted ImagePath (the Value keeps the surrounding double quotes, ImagePath is
# the unquoted form). A quoted path under "Program Files (x86)\Common Files" is
# not exposed to the unquoted-service-path issue.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\BEService'
Item='ImagePath'
Category='Services'
Value='"C:\Program Files (x86)\Common Files\BattlEye\BEService.exe"'
ImagePath='C:\Program Files (x86)\Common Files\BattlEye\BEService.exe'
Size=[long]8736880
LastWriteTime=[datetime]637388834289920460 # 2020-10-21 13:23:48Z
Version=$null
MD5='570F946AF4081C9837BD3E22234D332C'
SHA1='C8884AC27F0BD787BF735E2BC41AD57F4755F1CC'
SHA256='654CD0FA0FEFF856D1187E8D403796F1AD9CE8FE7B7AC40B11FEF412C78C126D'
Signed=[bool]'True'
Publisher='CN=BattlEye Innovations e.K., O=BattlEye Innovations e.K., L=Reutlingen, S=Baden-Württemberg, C=DE'
},
# Signed by the Microsoft Windows Hardware Compatibility Publisher (WHCP), i.e.
# a vendor component counter-signed through Microsoft's hardware program, not a
# Microsoft-authored binary.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\DTSAPO3Service'
Item='ImagePath'
Category='Services'
Value='C:\WINDOWS\System32\DTS\PC\APO3x\DTSAPO3Service.exe'
ImagePath='C:\WINDOWS\System32\DTS\PC\APO3x\DTSAPO3Service.exe'
Size=[long]207840
LastWriteTime=[datetime]636658397000000000 # 2018-06-29 03:28:20Z
Version=$null
MD5='72A4531F2D04499527B481B9DB2CEBF5'
SHA1='4324251B1C62C5BD144E44A03A9CF0D1FDBA076C'
SHA256='0BB112234DEED6398419A05E8335197200B69495CD994A79159CDE30FA2F1435'
Signed=[bool]'True'
Publisher='CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
},
# Service ImagePath without a file extension ('...\system32\ibtsiva'); the
# collector could not enrich it (no size/hash/signature). Treat as unverified and
# resolve the actual on-disk file by hand.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\ibtsiva'
Item='ImagePath'
Category='Services'
Value='C:\WINDOWS\system32\ibtsiva'
ImagePath='C:\WINDOWS\system32\ibtsiva'
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# Driver with a randomised service-name suffix whose image lives under
# ProgramData (Defender "Definition Updates" folder, NT-style '\??\' prefix in the
# raw Value). Not hashed at capture time, so its origin is unverified here; the
# location and naming pattern are consistent with Defender's own updater, but
# confirm by hashing the file rather than by path alone.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\MpKslf44fd7b4'
Item='ImagePath'
Category='Drivers'
Value='\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F291B230-0A0A-4F6D-B004-BD76AFDC495E}\MpKslDrv.sys'
ImagePath='C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F291B230-0A0A-4F6D-B004-BD76AFDC495E}\MpKslDrv.sys'
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# '\SystemRoot\...' in the raw Value is the kernel-path form; the collector
# resolved it to C:\WINDOWS for ImagePath and hashed the file.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\Netwtw08'
Item='ImagePath'
Category='Drivers'
Value='\SystemRoot\System32\drivers\Netwtw08.sys'
ImagePath='C:\WINDOWS\System32\drivers\Netwtw08.sys'
Size=[long]8851480
LastWriteTime=[datetime]636688977340000000 # 2018-08-03 12:55:34Z
Version=''
MD5='D73AD77D8D7E108298B6EF4533D69479'
SHA1='4B05A4C53086163743BDC21977E818C06E8C9E03'
SHA256='A71D9124811A5AF60DA505FC34475EF25C46B81A58084A27A1792BB35EFD1721'
Signed=[bool]'True'
Publisher='CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
},
# Services launched with command-line arguments: Value keeps the full command
# line (quoted exe plus -s/-f/-d/-r/-p switches, note the trailing space), while
# ImagePath is just the executable. The plugin directory passed via -d is a
# load location worth including in any file-integrity check of this host.
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem'
Item='ImagePath'
Category='Services'
Value='"C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000 '
ImagePath='C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe'
Size=[long]781680
LastWriteTime=[datetime]637056584811873954 # 2019-10-03 00:14:41Z
Version=''
MD5='8B5841A9FCC251272232C281CBB2D312'
SHA1='9E577BA2F76567B9048B5C191F61C0C15EA77C80'
SHA256='A35DA5CAB574F799C0A9F51CAE98B152993F7BB5BDB1669E8973547658D1843D'
Signed=[bool]'True'
Publisher='CN=NVIDIA Corporation, OU=IT-MIS, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US'
},
[PSCustomObject]@{
Path='HKLM:\System\CurrentControlSet\Services\NvTelemetryContainer'
Item='ImagePath'
Category='Services'
Value='"C:\Program Files\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvTelemetry\plugins" -r'
ImagePath='C:\Program Files\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe'
Size=[long]790384
LastWriteTime=[datetime]636828051730000000 # 2019-01-11 12:06:13Z
Version=''
MD5='FA8017E0195172669AF1DF96DE4A49AF'
SHA1='E85727B6FF84BE5D077DBEC35DFA94777C08418D'
SHA256='045079E482011D575BDDE158C728DB93801E7D64DC9AA8C3BD05A85F75F34350'
Signed=[bool]'True'
Publisher='CN=NVIDIA Corporation, OU=IT-MIS, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US'
},
# Font Drivers entry filed under Category='Services' by the collector. The DLL
# named here is loaded by the font subsystem; it was not hashed or
# signature-checked in this snapshot (all metadata $null).
[PSCustomObject]@{
Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
Item='Adobe Type Manager'
Category='Services'
Value='atmfd.dll'
ImagePath='C:\WINDOWS\System32\atmfd.dll'
Size=$null
LastWriteTime=$null
Version=$null
MD5=$null
SHA1=$null
SHA256=$null
Signed=$null
IsOSBinary=$null
Publisher=$null
},
# --- Scheduled Task -----------------------------------------------------------
# Path is the task file on disk (not a registry key); Value is the task's action
# command line and ImagePath the executable it resolves to.
[PSCustomObject]@{
Path='C:\WINDOWS\system32\Tasks\ASUS\Ez Update'
Item='Ez Update'
Category='Task'
Value='C:\Program Files (x86)\ASUS\AI Suite III\EZ Update\EzUpdt.exe -onlytray'
ImagePath='C:\Program Files (x86)\ASUS\AI Suite III\EZ Update\EzUpdt.exe'
Size=[long]1466816
LastWriteTime=[datetime]636755095380000000 # 2018-10-19 01:32:18Z
Version=$null
MD5='5F1E4618C6CDDF47199AA832412EC561'
SHA1='4C732D0114BBA2497F55B4DCD0D8E69F72A1E1BA'
SHA256='679464A7EBB57C3ED67574D67B52A4847B635813958302C88EE8F766C682FECC'
Signed=[bool]'True'
Publisher='CN=ASUSTeK Computer Inc., O=ASUSTeK Computer Inc., L=Taipei City, S=Taipei, C=TW'
}
)