#![allow(clippy::too_many_lines)]
mod android_ext;
mod browser_ext;
mod cloud_ext;
mod generated;
mod linux_ext;
mod macos_ext;
mod vehicle_ext;
mod windows_evtx_ext;
mod windows_files_ext;
mod windows_logs_ext;
mod windows_registry_ext;
mod windows_registry_ext2;
mod windows_registry_ext3;
use super::types::{
ArtifactDescriptor, ArtifactType, BinaryField, BinaryFieldType, DataScope, Decoder,
FieldSchema, HiveTarget, OsScope, TriagePriority, ValueType,
};
/// Binary layout of the Win7+ UserAssist `Count` value blob, consumed by
/// [`Decoder::Rot13NameWithBinaryValue`] for the EXE and Folder descriptors.
///
/// Only the three counters at offsets 4/8/12 and the FILETIME at offset 60
/// are surfaced; the leading DWORD at offset 0 is skipped here (contrast the
/// XP layout in `USERASSIST_XP_BINARY_FIELDS`, which exposes it as
/// `session_id`).
pub(crate) static USERASSIST_BINARY_FIELDS: &[BinaryField] = &[
    BinaryField {
        name: "run_count",
        offset: 4,
        field_type: BinaryFieldType::U32Le,
        description: "Number of times the program was launched",
    },
    BinaryField {
        name: "focus_count",
        offset: 8,
        field_type: BinaryFieldType::U32Le,
        description: "Number of times the program received input focus",
    },
    BinaryField {
        name: "focus_duration_ms",
        offset: 12,
        field_type: BinaryFieldType::U32Le,
        description: "Total focus time in milliseconds",
    },
    BinaryField {
        name: "last_run",
        offset: 60,
        field_type: BinaryFieldType::FiletimeLe,
        description: "FILETIME of the last execution",
    },
];
/// Output schema for the Win7+ UserAssist descriptors.
///
/// `program` is the ROT13-decoded value name and is the only UID component;
/// the remaining fields mirror `USERASSIST_BINARY_FIELDS` one-to-one, with
/// `last_run` rendered as a timestamp rather than a raw FILETIME.
pub(crate) static USERASSIST_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "program",
        value_type: ValueType::Text,
        description: "ROT13-decoded program path or name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        description: "Number of times launched",
        is_uid_component: false,
    },
    FieldSchema {
        name: "focus_count",
        value_type: ValueType::UnsignedInt,
        description: "Number of times received focus",
        is_uid_component: false,
    },
    FieldSchema {
        name: "focus_duration_ms",
        value_type: ValueType::UnsignedInt,
        description: "Total focus time in milliseconds",
        is_uid_component: false,
    },
    FieldSchema {
        name: "last_run",
        value_type: ValueType::Timestamp,
        description: "FILETIME of last execution as ISO 8601",
        is_uid_component: false,
    },
];
/// UserAssist `Count` key for directly launched executables (per-user hive).
///
/// NOTE(review): `evidence_strength` is `Definitive` while the caveats below
/// list paths that bump `run_count` without any execution; the sibling
/// descriptors use `Strong` for comparable artifacts. Confirm this rating is
/// intended before relying on it for automated scoring.
pub static USERASSIST_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_exe",
    name: "UserAssist (EXE)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_BINARY_FIELDS),
    meaning: "Interactive program execution history: launch counts, last execution timestamp, and focus duration. Non-zero Focus Time confirms interactive use; zero Focus Time with non-zero Run Count may indicate shell preloading.",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: USERASSIST_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["prefetch_dir", "shimcache", "srum_app_resource"],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Counts GUI application launches; CLI-only execution not recorded",
        "ROT13 name encoding can be misread if decoder is missing",
        "Run Count alone is insufficient — right-clicking an app in the Start Menu and selecting 'Open file location' increments Run Count and updates Last Executed without actual execution; require Focus Time > 0 for higher confidence",
        "Behaviour differs across Windows 10 and 11 builds; verify on an exact matching OS version when this artifact is case-critical",
        "Batch (.bat) and .cmd files launched via double-click are tracked; this may be the only GUI-execution artifact that captures them explicitly",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated per user GUI interaction; persists in NTUSER.DAT",
};
/// Single-column schema shared by every Run / RunOnce descriptor in this file
/// (HKLM and HKCU variants): one text record per autostart value.
///
/// `is_uid_component` is `false`, so entries are not de-duplicated on the
/// command string alone; the value name presumably carries identity — confirm.
pub(crate) static RUN_KEY_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "value",
    value_type: ValueType::Text,
    description: "Autostart command or path",
    is_uid_component: false,
}];
/// Machine-wide `Run` key under the SOFTWARE hive.
///
/// NOTE(review): on 64-bit Windows the `Wow6432Node\Microsoft\Windows\
/// CurrentVersion\Run` counterpart is a separate autostart location and is
/// not covered by this descriptor; confirm whether the collector enumerates
/// it or whether a sibling descriptor is needed.
pub static RUN_KEY_HKLM_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hklm",
    name: "Run Key (HKLM)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "System-wide autostart entry executed at every user logon",
    mitre_techniques: &["T1547.001"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "run_key_hklm_once",
        "services_imagepath",
        "scheduled_tasks_dir",
    ],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2013/01/run-mru.html",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Legitimate software also uses Run keys; context required"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "System registry key; persists until explicit deletion",
};
/// Schema for `TYPED_URLS`: one text record per typed address-bar entry.
/// The URL itself is the UID component.
pub(crate) static TYPED_URLS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "value",
    value_type: ValueType::Text,
    description: "URL typed into the IE/Edge address bar",
    is_uid_component: true,
}];
/// Internet Explorer / legacy Edge `TypedURLs` key (per-user hive).
///
/// No evidence strength, caveats or volatility class are recorded for this
/// descriptor, unlike most of its siblings; the empty `volatility_rationale`
/// is presumably the convention for "unset" — confirm.
/// NOTE(review): the sibling `TypedURLsTime` key (Win8+) carries the FILETIME
/// per url-slot; this descriptor does not capture timing.
pub static TYPED_URLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "typed_urls",
    name: "TypedURLs (IE/Edge)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Internet Explorer\TypedURLs",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "URLs manually typed into the Internet Explorer or Edge address bar",
    mitre_techniques: &["T1071.001"],
    fields: TYPED_URLS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-windows-registry-forensics-part-6-internet-explorer-user-typed-urls/",
        "https://windowsir.blogspot.com/2006/04/typed-urls.html",
        "https://crucialsecurity.wordpress.com/2011/03/14/typedurls-part-1/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for `PCA_APPLAUNCH_DIC`.
///
/// `timestamp` is typed `Text`, not `Timestamp` — presumably because the
/// pipe-delimited decoder splits columns without parsing them; confirm before
/// changing the type, since downstream timeline code may expect a string.
pub(crate) static PCA_FIELDS_SCHEMA: &[FieldSchema] = &[
    FieldSchema {
        name: "exe_path",
        value_type: ValueType::Text,
        description: "Full path to the executable",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Text,
        description: "Launch timestamp string",
        is_uid_component: false,
    },
];
pub(crate) static PCA_PIPE_FIELDS: &[&str] = &["exe_path", "timestamp"];
/// Program Compatibility Assistant launch dictionary (Windows 11 22H2+).
///
/// File-backed artifact: `hive` is `None` and `key_path` is the empty string
/// by convention for `ArtifactType::File`. Parsed as `exe_path|timestamp`
/// via `PCA_PIPE_FIELDS`.
pub static PCA_APPLAUNCH_DIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "pca_applaunch_dic",
    name: "PCA AppLaunch.dic",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\appcompat\pca\AppLaunch.dic"),
    scope: DataScope::System,
    os_scope: OsScope::Win11_22H2,
    decoder: Decoder::PipeDelimited {
        fields: PCA_PIPE_FIELDS,
    },
    meaning: "Program execution evidence from the Program Compatibility Assistant",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: PCA_FIELDS_SCHEMA,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["pca_general_db"],
    sources: &[
        "https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/",
        "https://www.sygnia.co/blog/new-windows-11-pca-artifact/",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/program-compatibility-assistant.md",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for `PCA_GENERAL_DB` (abnormal-exit records).
///
/// All three columns are `Text`; the `timestamp` description records that
/// the on-disk representation differs between published parsers, which is
/// presumably why no `Timestamp` conversion is attempted here.
pub(crate) static PCA_GENERAL_DB_FIELDS_SCHEMA: &[FieldSchema] = &[
    FieldSchema {
        name: "exe_path",
        value_type: ValueType::Text,
        description:
            "Full path (often %programfiles% / %USERPROFILE%-style) of the process that exited",
        is_uid_component: true,
    },
    FieldSchema {
        name: "exit_code",
        value_type: ValueType::Text,
        description: "Hex Win32 NTSTATUS / process exit code (e.g. 0x2, 0x80) from the \
                      \"Abnormal process exit with code 0xN\" record",
        is_uid_component: false,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Text,
        description: "Unix epoch seconds — Carvey 2024 parsed records use this format; \
                      raw on-disk records embed FILETIME on Sygnia/AboutDFIR analysis",
        is_uid_component: false,
    },
];
/// Program Compatibility Assistant abnormal-exit log (Windows 11 22H2+).
///
/// NOTE(review): `decoder` is `Identity` although the schema declares three
/// columns (`exe_path`, `exit_code`, `timestamp`) and the sibling
/// `PCA_APPLAUNCH_DIC` uses `PipeDelimited`. Either a dedicated parser fills
/// the schema elsewhere, or this should be `PipeDelimited` with a matching
/// column list — confirm against the collector.
pub static PCA_GENERAL_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "pca_general_db",
    name: "PCA PcaGeneralDb0.txt",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\appcompat\pca\PcaGeneralDb0.txt"),
    scope: DataScope::System,
    os_scope: OsScope::Win11_22H2,
    decoder: Decoder::Identity,
    meaning: "Program Compatibility Assistant abnormal-exit log — each record captures \
              an executable path plus its abnormal process exit code (e.g. 0x2, 0x80). \
              Sibling to PcaAppLaunchDic in C:\\Windows\\appcompat\\pca\\. \
              No user attribution is recorded in the file itself, so analysts must correlate \
              with EVTX / EDR telemetry to assign activity to a specific user.",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: PCA_GENERAL_DB_FIELDS_SCHEMA,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["pca_applaunch_dic"],
    sources: &[
        "https://windowsir.blogspot.com/2024/02/pcaparse.html",
        "https://www.sygnia.co/blog/new-windows-11-pca-artifact/",
        "https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The static `hosts` resolver override file.
///
/// The schema is declared inline rather than in a shared `*_FIELDS` static
/// because no other descriptor reuses it.
/// NOTE(review): the path is fixed. Windows locates the file through the
/// `DataBasePath` value under the Tcpip service parameters; if that has been
/// altered, a collector reading only this path will miss the live file —
/// worth checking that value during triage of a suspected tampering case.
pub static WINDOWS_HOSTS_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_hosts_file",
    name: "Windows hosts File",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\drivers\etc\hosts"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Static name-to-IP overrides consulted before DNS during host name resolution. \
              Adversary tradecraft (per Carvey/EDRSilencer write-ups) maps EDR vendor or C2 \
              hostnames to 127.0.0.1 / 0.0.0.0 to blackhole agent telemetry without touching \
              the EDR process — a stealthier alternative to WFP filters that nonetheless \
              leaves a trivially-collected on-disk artifact. Any non-default entry warrants \
              triage during incident response.",
    mitre_techniques: &["T1562.001", "T1565.001"],
    fields: &[FieldSchema {
        name: "value",
        value_type: ValueType::Text,
        description: "Raw hosts-file contents — one record per non-comment line: \
                      <IP> <hostname1> [hostname2 ...] [# comment]",
        is_uid_component: false,
    }],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2024/01/edrsilencer.html",
        "https://support.microsoft.com/en-us/topic/microsoft-tcp-ip-host-name-resolution-order-dae00cc9-7e9c-c0cc-8360-477b99cb978a",
        "https://academy.bluraven.io/blog/edr-silencer-and-beyond-exploring-methods-to-block-edr-communication-part-2",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Non-default entries prove tampering but not who made the change — correlate with filesystem timestamps and event logs",
        "Hosts file takes precedence over DNS but NOT over hardcoded IPs; tools that embed C2 IPs bypass this artifact entirely",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain text file on disk; survives reboots indefinitely until explicitly modified or restored — unlike WFP filters, hosts edits are trivially recoverable even after adversary cleanup if VSS copies exist",
};
/// Name Resolution Policy Table rules under the SYSTEM hive.
///
/// `key_path` starts at `CurrentControlSet`, as `SHIMCACHE` does; an offline
/// SYSTEM hive only has `ControlSet00N` plus `Select`, so the hive loader
/// presumably resolves the current set — confirm.
/// NOTE(review): unlike `WINDOWS_HOSTS_FILE`, which it is paired with, this
/// descriptor sets no `evidence_strength`, caveats or volatility class even
/// though the `meaning` text documents both malicious and benign (VPN) uses;
/// a caveat recording the benign case would keep the two consistent.
pub static DNS_POLICY_CONFIG_NRPT: ArtifactDescriptor = ArtifactDescriptor {
    id: "dns_policy_config_nrpt",
    name: "DNS Name Resolution Policy Table (NRPT)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Name Resolution Policy Table (NRPT) — per-FQDN / per-suffix DNS \
              redirection rules consulted before the system DNS resolver. \
              EDR-silencing tradecraft (Carvey 2024-01 addendum, Cloudbrothers \
              2024-12) creates a UUID subkey here per rule mapping an EDR vendor \
              or C2 hostname to 127.0.0.1 to blackhole agent telemetry. Benign \
              uses include VPN clients (e.g. Tailscale) that redirect DNS for \
              split-DNS configurations.",
    mitre_techniques: &["T1562.001", "T1562.006"],
    fields: &[
        FieldSchema {
            name: "Name",
            value_type: ValueType::List,
            description: "REG_MULTI_SZ — list of FQDNs or DNS suffixes the rule applies to. \
                          Sysmon stores this as opaque 'Binary Data', limiting EDR registry \
                          telemetry visibility.",
            is_uid_component: true,
        },
        FieldSchema {
            name: "GenericDNSServers",
            value_type: ValueType::Text,
            description: "Target IP address(es) the matching DNS query is redirected to \
                          (e.g. 127.0.0.1 for blackhole). Matches the \
                          `-NameServers` parameter of `Add-DnsClientNrptRule`.",
            is_uid_component: false,
        },
        FieldSchema {
            name: "Comment",
            value_type: ValueType::Text,
            description: "Optional rule comment from `Add-DnsClientNrptRule -Comment`. \
                          Carvey-style triage flag: free-text strings like \
                          \"Silenced by Name Resolution Policy Table\" are explicit IOCs.",
            is_uid_component: false,
        },
    ],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["windows_hosts_file"],
    sources: &[
        "https://windowsir.blogspot.com/2024/01/edrsilencer.html",
        "https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/",
        "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593632(v=ws.11)",
        "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Run` key in NTUSER.DAT.
///
/// Shares `RUN_KEY_FIELDS` with the HKLM variant; the MITRE mapping and
/// triage priority are identical, only hive, scope and caveats differ.
pub static RUN_KEY_HKCU_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hkcu",
    name: "Run Key (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user autostart programs executed at every logon without elevation. \
              Lower-privilege than HKLM Run — writable by the user account itself, \
              making it a common unprivileged persistence location that survives password resets.",
    mitre_techniques: &["T1547.001"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["run_key_hklm", "startup_folder_user"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2013/01/run-mru.html",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/02_Detection_Rules/2.2_sigma_rules/HKCU%20Run%20Key%20Written%20by%20Unusual%20Process.yml",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Per-user; requires knowing which user profile to examine"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Per-user registry key; persists in NTUSER.DAT",
};
/// Per-user `RunOnce` key in NTUSER.DAT.
///
/// Classified `ActivityDriven` rather than `Persistent` because the OS
/// removes the value after it fires — the descriptor's own rationale says to
/// acquire before the user's next logon. The caveats spell out the
/// detection gap for the rename-based indirect write, which needs event-log
/// telemetry rather than hive analysis.
pub static RUN_KEY_HKCU_RUNONCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hkcu_once",
    name: "RunOnce Key (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user one-shot autostart: values execute once at the next \
              USER LOGIN (not machine boot) and are immediately deleted by the OS. \
              Presence proves a payload was staged for the next logon session of \
              that user. Absence after suspected compromise means the trigger already \
              fired; correlate execution time with user logon events (Event ID 4624). \
              Distinct from the persistent Run key — malware choosing RunOnce may be \
              trying to limit dwell time or avoid repeated execution. Raspberry Robin \
              used HKCU RunOnce for user-scoped persistence (T1547.001).",
    mitre_techniques: &["T1547.001", "T1112"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["run_key_hkcu", "run_key_hklm_once"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2022/11/post-compilation.html",
        "https://windowsir.blogspot.com/2022/10/testing-registry-modification-scenarios.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Key is deleted by the OS after the first user login execution — \
         absence does not prove the key was never set; correlate with Event ID 4624 \
         (user logon) and execution artifacts (Prefetch, Shimcache) at that time",
        "HKCU RunOnce fires at USER LOGIN, not machine boot — \
         open reporting frequently confuses these; a user-hive persistence entry \
         cannot execute before that user logs in",
        "Indirect write via key rename (rename RunOnce → add value → rename back, \
         used by Raspberry Robin/Roshtyak) leaves no forensic trace distinguishable \
         from normal RunOnce usage in the hive — registry-only analysis cannot detect \
         this evasion; requires Sysmon EID 12/13/14 or \
         Microsoft-Windows-Shell-Core%4Operational.evtx",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Deleted by OS after single user-login execution; \
                           transient by design — acquire before the user\'s next login",
};
/// Machine-wide `RunOnce` key under the SOFTWARE hive.
///
/// Boot-scoped counterpart of `RUN_KEY_HKCU_RUNONCE`: same one-shot
/// semantics and same rename-evasion caveat, but correlated with system
/// startup (Event ID 4608) rather than user logon.
pub static RUN_KEY_HKLM_RUNONCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hklm_once",
    name: "RunOnce Key (HKLM)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\RunOnce",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "System-wide one-time autostart: values execute once at the next MACHINE BOOT \
              and are immediately deleted by the OS. Presence proves a payload was staged for the \
              next boot. Absence after suspected compromise means the trigger already fired — \
              correlate execution time with boot records (Event ID 4608 System startup) and \
              execution artifacts (Prefetch, ShimCache). Distinct from the persistent Run key; \
              malware choosing RunOnce may be trying to limit dwell time or leave minimal trace. \
              Indirect write via key rename (Raspberry Robin/Roshtyak) can bypass detection rules.",
    mitre_techniques: &["T1547.001", "T1112"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["run_key_hkcu_once", "run_key_hklm"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2022/10/testing-registry-modification-scenarios.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Single-run key deleted by OS after boot execution — absence does not prove the \
         key was never set; correlate with Event ID 4608 (System startup) and execution \
         artifacts (Prefetch, ShimCache) at that boot time",
        "Indirect write via key rename (rename RunOnce → add value → rename back, \
         used by Raspberry Robin/Roshtyak) leaves no forensic trace distinguishable \
         from normal RunOnce usage in the hive — registry-only analysis cannot detect \
         this evasion; requires Sysmon EID 12/13/14 or \
         Microsoft-Windows-Shell-Core%4Operational.evtx",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Deleted by OS after single boot-time execution; \
                           transient by design — acquire before the next system restart",
};
/// Schema for `IFEO_DEBUGGER`: the single `Debugger` string value.
pub(crate) static IFEO_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "debugger",
    value_type: ValueType::Text,
    description: "Debugger path that hijacks the target process launch",
    is_uid_component: false,
}];
/// Image File Execution Options `Debugger` value.
///
/// NOTE(review): `key_path` is the IFEO parent key, but `Debugger` values
/// live in the per-image subkeys beneath it (one subkey per target
/// executable name). This only yields results if the collector recurses
/// into subkeys for `RegistryValue` artifacts — confirm, otherwise the
/// descriptor silently matches nothing. The related `SilentProcessExit`
/// mechanism covered by the same MITRE technique is not described here.
pub static IFEO_DEBUGGER: ArtifactDescriptor = ArtifactDescriptor {
    id: "ifeo_debugger",
    name: "IFEO Debugger Hijack",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    value_name: Some("Debugger"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Redirects target-process launch to an attacker-controlled binary",
    mitre_techniques: &["T1546.012"],
    fields: IFEO_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging",
        "https://www.sans.org/blog/malware-persistence-without-the-windows-registry/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Legitimate debugger keys exist; focus on non-debugger executables"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key; persists until explicit deletion",
};
/// UserAssist `Count` key for shortcut-initiated launches (per-user hive).
///
/// Same decoder, binary layout and schema as `USERASSIST_EXE`; only the
/// GUID, MITRE mapping and meaning differ. No strength/caveat/volatility
/// metadata is set, unlike the EXE sibling — presumably an omission rather
/// than a deliberate difference; confirm.
pub static USERASSIST_FOLDER: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_folder",
    name: "UserAssist (Shortcut/LNK)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_BINARY_FIELDS),
    meaning: "Shortcut-initiated launch history (.lnk files, Start Menu, Desktop) with run counts and timestamps",
    mitre_techniques: &["T1547.009", "T1204.002"],
    fields: USERASSIST_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["userassist_exe"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Binary layout of the pre-Vista (XP-era) UserAssist `Count` value:
/// 4-byte session id, 4-byte run count, 8-byte FILETIME — 16 bytes total.
///
/// NOTE(review): on XP the stored run count is commonly reported as starting
/// at 5 rather than 0 (i.e. off by five from the real launch count); this
/// table surfaces the raw DWORD without adjustment — confirm and document
/// in `evidence_caveats` of the XP descriptors if the offset applies.
pub(crate) static USERASSIST_XP_BINARY_FIELDS: &[BinaryField] = &[
    BinaryField {
        name: "session_id",
        offset: 0,
        field_type: BinaryFieldType::U32Le,
        description: "Session counter or padding (XP-era, often zero)",
    },
    BinaryField {
        name: "run_count",
        offset: 4,
        field_type: BinaryFieldType::U32Le,
        description: "Number of times the item was launched (little-endian DWORD)",
    },
    BinaryField {
        name: "last_run_time",
        offset: 8,
        field_type: BinaryFieldType::FiletimeLe,
        description: "FILETIME of last launch (100-nanosecond intervals since 1601-01-01 UTC)",
    },
];
/// Output schema for the three XP-era UserAssist descriptors.
///
/// `session_id` from `USERASSIST_XP_BINARY_FIELDS` is deliberately not
/// exposed; only the decoded name, run count and last-run timestamp are.
pub(crate) static USERASSIST_XP_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "program",
        value_type: ValueType::Text,
        description: "ROT13-decoded path or item name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        description: "Number of times the item was launched",
        is_uid_component: false,
    },
    FieldSchema {
        name: "last_run_time",
        value_type: ValueType::Timestamp,
        description: "Timestamp of most recent launch",
        is_uid_component: false,
    },
];
/// XP-era UserAssist `Count` key for applications, files and links.
///
/// `os_scope` is `All` even though the meaning says pre-Vista; presumably
/// the key simply is absent on newer hives and the descriptor is harmless
/// there — confirm, or narrow the scope if an XP-only variant exists.
pub static USERASSIST_XP_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_exe",
    name: "UserAssist XP (App/File/Link)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    meaning: "Pre-Vista application, file, and link launch history (16-byte record; no focus time fields)",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: USERASSIST_XP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["userassist_exe"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// XP-era UserAssist `Count` key for Internet Explorer favorites and toolbar
/// objects. Low triage priority; shares layout and schema with
/// `USERASSIST_XP_EXE`.
pub static USERASSIST_XP_IE_FAVORITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_ie_favorites",
    name: "UserAssist XP (IE Favorites/Toolbar)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    meaning: "Pre-Vista Internet Explorer Favorites and toolbar object access history",
    mitre_techniques: &["T1071.001"],
    fields: USERASSIST_XP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &["userassist_xp_exe", "typed_urls"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// XP-era UserAssist `Count` key that exists only when IE7 was installed.
/// Low triage priority; shares layout and schema with `USERASSIST_XP_EXE`.
pub static USERASSIST_XP_IE7: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_ie7",
    name: "UserAssist XP (IE7)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    meaning: "IE7-specific UserAssist tracking on Windows XP (present only when IE7 was installed)",
    mitre_techniques: &["T1071.001"],
    fields: USERASSIST_XP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &["userassist_xp_exe", "userassist_xp_ie_favorites"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for `SHELLBAGS_USER`: the MRU slot ordering produced by
/// [`Decoder::MruListEx`].
pub(crate) static SHELLBAGS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "indices",
    value_type: ValueType::List,
    description: "MRU order of accessed shell folder slots",
    is_uid_component: false,
}];
/// ShellBags in UsrClass.dat (Win7+).
///
/// NOTE(review): `key_path` targets `Shell\Bags` while the decoder is
/// `MruListEx`. The `MRUListEx` values and the folder-path items live under
/// the sibling `Shell\BagMRU` tree; `Bags` holds the per-slot view settings.
/// Unless the collector resolves `BagMRU` from this path, the decoder will
/// find nothing to order — confirm which key is intended.
pub static SHELLBAGS_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "shellbags_user",
    name: "ShellBags (User)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    key_path: r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MruListEx,
    meaning: "Folder access history; persists paths even after folder deletion",
    mitre_techniques: &["T1083", "T1005"],
    fields: SHELLBAGS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/shell-bag-forensics/",
        "https://windowsir.blogspot.com/2009/07/shellbag-analysis.html",
        "https://ericzimmerman.github.io/#!index.md",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
        "https://www.sans.org/white-papers/34545/",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Proves folder was browsed; does not prove file access or execution"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated on folder access; persists in UsrClass.dat",
};
/// Output schema for `AMCACHE_APP_FILE`.
///
/// Identity is keyed on `file_id` (volume GUID + MFT reference), not on the
/// hash, so two copies of the same binary at different MFT entries are
/// distinct records.
pub(crate) static AMCACHE_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "file_id",
        value_type: ValueType::Text,
        description: "Volume GUID + MFT file reference (unique file identity)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "sha1",
        value_type: ValueType::Text,
        description: "SHA1 of the first 31.25 MB (0000-prefixed)",
        is_uid_component: false,
    },
];
/// `Root\InventoryApplicationFile` in Amcache.hve (Win8+).
///
/// The caveats carry the operational detail: the hive's last-write time is
/// not a first-execution proxy, and transaction logs (`.LOG1`/`.LOG2`) must
/// travel with the hive or in-flight writes are lost at acquisition time.
pub static AMCACHE_APP_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "amcache_app_file",
    name: "Amcache InventoryApplicationFile",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::Amcache),
    key_path: r"Root\InventoryApplicationFile",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    meaning: "Program execution evidence with file hash; persists after binary deletion",
    mitre_techniques: &["T1218", "T1204.002"],
    fields: AMCACHE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["shimcache", "prefetch_dir", "srum_app_resource"],
    sources: &[
        "https://www.sans.org/blog/new-amcache-hve-in-windows-8-1-update-1/",
        "https://www.sansforensics.com/blog/amcache-hive-forensics/",
        "https://www.researchgate.net/publication/317258237_Leveraging_the_Windows_Amcachehve_File_in_Forensic_Investigations",
        "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
        "https://github.com/EricZimmerman/AmcacheParser",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Presence proves file was on disk and touched by Windows; not always execution",
        "Can be populated by antivirus scans",
        "AmCache last write time is NOT a reliable first-execution indicator on modern systems — the hive is updated by multiple mechanisms beyond the Compatibility Appraiser scheduled task (which is often disabled), including normal app launches and PCA activity",
        "Run AmcacheParser.exe with the -i flag to generate AssociatedFileEntries output; omitting -i produces incomplete results",
        "Transaction log files (.LOG1/.LOG2) must be co-located with the hive; AmcacheParser processes them automatically if present — without them, in-flight writes may be missing",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Persists until Windows Update or manual clear",
};
/// Schema for `SHIMCACHE`: the undecoded `AppCompatCache` blob. Structure
/// parsing happens in the dedicated shimcache module, not via a `Decoder`.
pub(crate) static SHIMCACHE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "raw",
    value_type: ValueType::Bytes,
    description: "Raw AppCompatCache binary blob (parsed by shimcache module)",
    is_uid_component: false,
}];
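/// ShimCache (AppCompatCache) — the registry-persisted application
/// compatibility cache from the SYSTEM hive.
///
/// The descriptor exposes the raw `AppCompatCache` value; the in-RAM
/// counterpart (`shimcache_memory`) holds entries not yet flushed to disk.
/// The caveats below matter for triage: the entry timestamp is the binary's
/// modification time, not an execution time, and Windows 10+ entries carry
/// no execution flag at all.
pub static SHIMCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "shimcache",
    name: "ShimCache (AppCompatCache)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager\AppCompatCache",
    value_name: Some("AppCompatCache"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executable metadata cache; presence proves binary existed on disk",
    mitre_techniques: &["T1218", "T1059"],
    fields: SHIMCACHE_FIELDS,
    retention: Some("written at clean shutdown only; lost on crash/hard-power-off"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["amcache_app_file", "prefetch_dir", "bam_user", "shimcache_memory"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-shimcache/",
        "https://redcanary.com/blog/threat-detection/appcompatcache/",
        "https://www.sans.org/blog/mass-triage-part-4-processing-returned-files-appcache-shimcache/",
        "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
        "https://github.com/EricZimmerman/AppCompatCacheParser",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Presence proves file existed on disk, not necessarily executed",
        // The single most common misreading of this artifact.
        "Entry timestamp is the file's $STANDARD_INFORMATION last-modified time, NOT an execution time — read it as 'a binary with this mtime was seen', never as 'ran at this time'",
        "Windows 10+ entries carry no per-entry execution flag (Windows 7/8 entries did); executed and merely-enumerated binaries are indistinguishable from ShimCache alone — corroborate with amcache_app_file, prefetch_dir or bam_user",
        "Written only on clean shutdown; live system registry shows entries from last reboot only — use shimcache_memory to capture entries since last reboot",
        "Copying a file at the Command Prompt without opening it in Windows Explorer does NOT create a Shimcache entry — the file must be accessed through the shell (Explorer view, rename, or move) to be shimmed",
        "On an offline SYSTEM hive the CurrentControlSet link does not exist; resolve ControlSet00N from the Select key's Current value before reading this path",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value persists until hive is overwritten; see shimcache_memory for the Volatile in-memory counterpart",
};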
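/// Live (in-RAM) ShimCache buffer — the entries accumulated since boot that
/// have not yet been flushed to the registry `AppCompatCache` value.
///
/// Uses the same raw field schema as `SHIMCACHE`; the descriptor type is the
/// one imported at the top of this module, matching every sibling descriptor
/// rather than spelling out the `crate::catalog` path.
pub static SHIMCACHE_MEMORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "shimcache_memory",
    name: "ShimCache In-Memory Buffer (AppCompatCache live)",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Live AppCompatCache entries not yet flushed to registry. Richer than the on-disk \
              registry snapshot on a running system — includes all executables touched since the \
              last reboot. Collect via memory acquisition before shutdown; flushes to shimcache \
              (registry) on clean shutdown, lost on crash/power-off.",
    mitre_techniques: &["T1218", "T1059"],
    fields: SHIMCACHE_FIELDS,
    retention: Some("lost on reboot or crash; flushed to registry AppCompatCache on clean shutdown"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["shimcache", "amcache_app_file", "prefetch_dir"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-shimcache/",
        "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Requires live memory acquisition; not obtainable from disk image alone",
        // Same limitation as the on-disk copy: being shimmed is not executing.
        "Presence proves the binary was seen by the shim subsystem in the current boot session, not that it executed; the entry timestamp is still the file's modification time",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "In RAM; lost on reboot. Contains entries not visible in registry until shutdown flush.",
};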
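/// Field schema for BAM entries.
///
/// BAM records every executable launched under a user SID, not only
/// background work, so the description no longer says "background
/// execution". The value is a FILETIME decoded at offset 0 by `BAM_USER`.
pub(crate) static BAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "last_exec",
    value_type: ValueType::Timestamp,
    description: "FILETIME (UTC) of the last recorded execution of this executable for the user SID",
    is_uid_component: false,
}];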
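/// BAM (Background Activity Moderator) — per-user last-execution timestamps
/// from the SYSTEM hive.
///
/// Each value under the SID sub-key is named with the executable path and
/// holds a full-resolution FILETIME (decoded at offset 0). The earlier
/// "per-day granularity" caveat was wrong for this artifact and has been
/// replaced with the limitations that actually apply: last-run only,
/// build-dependent key path, and NT device paths in value names.
pub static BAM_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "bam_user",
    name: "BAM (Background Activity Moderator)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\bam\State\UserSettings",
    value_name: None,
    file_path: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Last execution time per executable (Win32 path or UWP package name) under each user SID sub-key",
    mitre_techniques: &["T1059", "T1204"],
    fields: BAM_FIELDS,
    retention: Some("~7 days rolling window"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["dam_user", "shimcache", "prefetch_dir"],
    sources: &[
        "https://www.sans.org/blog/background-activity-moderator-bam-forensics/",
        "https://www.13cubed.com/downloads/windows10_forensics_cheat_sheet.pdf",
        "https://forensafe.com/blogs/bam.html",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/bam-dam.md",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Value data is a full-resolution FILETIME (UTC) of the LAST execution only; earlier runs of the same executable are overwritten, so BAM cannot give a run count or first-run time",
        "Key path is build-dependent: Windows 10 1709–1803 typically use Services\\bam\\UserSettings (no State level); Services\\bam\\State\\UserSettings applies from 1809 — check both on offline hives",
        "Value names use NT device paths (\\Device\\HarddiskVolumeN\\...) rather than drive letters; map the volume via MountedDevices before comparing against disk",
        "On an offline SYSTEM hive resolve ControlSet00N from the Select key's Current value; the CurrentControlSet link does not exist in the hive file",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated by OS on background activity manager flush",
};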
/// Field schema for DAM entries; mirrors `BAM_FIELDS` (one FILETIME per
/// executable value under the user SID sub-key, decoded at offset 0).
pub(crate) static DAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "last_exec",
    value_type: ValueType::Timestamp,
    description: "FILETIME of last desktop application execution",
    is_uid_component: false,
}];
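/// DAM (Desktop Activity Moderator) — the sibling of BAM under
/// `Services\dam`, same per-SID / per-executable FILETIME layout.
///
/// The previous caveat expanded "DAM" as "Device Activity Monitor", which
/// contradicted the descriptor's own `name`; it now uses the correct
/// expansion and notes when the key is expected to be sparse.
pub static DAM_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "dam_user",
    name: "DAM (Desktop Activity Moderator)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\dam\State\UserSettings",
    value_name: None,
    file_path: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Last execution time of desktop applications per-user SID",
    mitre_techniques: &["T1059", "T1204"],
    fields: DAM_FIELDS,
    retention: Some("~7 days rolling window"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["bam_user", "shimcache"],
    sources: &[
        "https://www.sans.org/blog/background-activity-moderator-bam-forensics/",
        "https://forensafe.com/blogs/bam.html",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/bam-dam.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Desktop Activity Moderator; less studied than BAM and commonly sparse or empty on hosts that do not use connected/modern standby — absence of entries is not evidence of tampering",
        "Same key-path caveat as bam_user: older Windows 10 builds may use Services\\dam\\UserSettings without the State level; check both",
        "Records the last execution only (FILETIME, UTC); earlier runs are overwritten",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated by OS on desktop activity monitor flush",
};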
/// Field schema for the SAM account enumeration: one entry per sub-key of
/// `Users\Names`, keyed on the sub-key name (the account name).
pub(crate) static SAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "username",
    value_type: ValueType::Text,
    description: "Local account username (sub-key name)",
    is_uid_component: true,
}];
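/// Local account inventory from the SAM hive.
///
/// The descriptor enumerates `Users\Names`; the caveats spell out where the
/// F/V records actually live, why the SYSTEM hive is required (SYSKEY), and
/// that a live read needs SYSTEM or a raw volume/VSS copy.
pub static SAM_USERS: ArtifactDescriptor = ArtifactDescriptor {
    id: "sam_users",
    name: "SAM User Accounts",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSam),
    key_path: r"SAM\Domains\Account\Users\Names",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Local Windows accounts; F/V records contain login counts and NTLM hash metadata",
    mitre_techniques: &["T1003.002", "T1087.001"],
    fields: SAM_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["lsa_secrets", "dcc2_cache"],
    sources: &[
        "https://www.sans.org/blog/windows-credential-storage-for-penetration-testers/",
        "https://windowsir.blogspot.com/2010/11/recovering-passwords.html",
        "http://windowsir.blogspot.com/2013/07/howto-determine-users-on-system.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Contains local account NTLM hashes; on a live system the hive is locked and readable only as SYSTEM (or via a raw volume / Volume Shadow Copy read)",
        // The Names key is only an index; the records the analyst needs are
        // one level up, keyed by RID.
        "Names\\<account> holds no account data itself — its default value's data TYPE encodes the RID; the F record (flags, last logon, password-set time, logon count) and V record (name, hashes) live under Users\\<RID as 8-digit hex>",
        "Hashes in the V record are protected with the SYSKEY/bootkey derived from the SYSTEM hive (class names of Control\\Lsa JD, Skew1, GBG and Data); SAM alone cannot be decrypted — collect SYSTEM from the same host",
        "Account presence here does not prove the account was used; correlate with logon events and the F record's logon count",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SAM registry hive; persists until account deleted",
};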
/// Field schema for LSA secrets: one entry per sub-key of `Policy\Secrets`,
/// keyed on the secret's name.
pub(crate) static LSA_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "secret_name",
    value_type: ValueType::Text,
    description: "LSA secret key name (e.g. _SC_*, DPAPI_SYSTEM, DefaultPassword)",
    is_uid_component: true,
}];
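/// LSA secrets from the SECURITY hive (`Policy\Secrets`).
///
/// The `volatility_rationale` previously said "System hive", contradicting
/// `hive: HklmSecurity`; it now names the SECURITY hive. Caveats describe the
/// CurrVal/OldVal layout and the SYSTEM-hive dependency for decryption.
pub static LSA_SECRETS: ArtifactDescriptor = ArtifactDescriptor {
    id: "lsa_secrets",
    name: "LSA Secrets",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSecurity),
    key_path: r"Policy\Secrets",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Encrypted service credentials, auto-logon passwords, and the DPAPI_SYSTEM secret that protects system DPAPI master keys",
    mitre_techniques: &["T1003.004", "T1552.002"],
    fields: LSA_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["sam_users", "dpapi_system_masterkey", "dcc2_cache"],
    sources: &["https://www.sans.org/blog/lsa-secrets/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires SYSTEM privileges to read; encrypted at rest",
        "Each secret has CurrVal and OldVal sub-keys; OldVal keeps the previous value after a rotation, which is useful for recovering a changed service-account password",
        "Decryption needs the LSA key (PolEKList / PolSecretEncryptionKey under Policy), which is itself protected by the SYSKEY from the SYSTEM hive — collect SECURITY and SYSTEM together",
        "_SC_<service> entries hold service-account plaintext passwords; NL$KM protects the dcc2_cache blobs; DefaultPassword is the auto-logon password when AutoAdminLogon is set",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SECURITY hive registry key; persists until credential removed",
};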
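/// Field schema for cached domain credentials: one entry per `NL$n` value
/// under `SECURITY\Cache`.
///
/// The slot count is not fixed at 25: it is governed by the
/// `CachedLogonsCount` Winlogon setting (default 10, maximum 50).
pub(crate) static DCC2_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "slot_name",
    value_type: ValueType::Text,
    description: "Cache slot name (NL$1 through NL$N, N = CachedLogonsCount; default 10, max 50)",
    is_uid_component: true,
}];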
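/// Domain Cached Credentials v2 (MS-Cache v2) from `SECURITY\Cache`.
///
/// `related_artifacts` now links back to `sam_users` and `lsa_secrets`,
/// both of which already reference this id; the caveats note the
/// NL$KM / SYSKEY dependency and the practical limits of the hash.
pub static DCC2_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "dcc2_cache",
    name: "Domain Cached Credentials 2 (DCC2)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSecurity),
    key_path: r"Cache",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "MS-Cache v2 (PBKDF2-SHA1) hashes enabling offline domain logon",
    mitre_techniques: &["T1003.005"],
    fields: DCC2_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["sam_users", "lsa_secrets"],
    sources: &["https://www.sans.org/blog/windows-credential-storage-for-penetration-testers/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Only proves domain user logged in; not current password",
        "Slot count follows CachedLogonsCount (Winlogon key; default 10, max 50); the NL$n blobs are encrypted with the NL$KM LSA secret, so SYSTEM and SECURITY hives are both required to decrypt",
        "The hash reflects the password at the time of the user's last interactive logon; DCC2 cannot be used for pass-the-hash and cracks slowly (PBKDF2-SHA1, 10240 iterations)",
        "Absent or empty on hosts that are not domain-joined or have CachedLogonsCount = 0",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated; last 10 cached credentials by default",
};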
/// Field schema for `TypedURLsTime`: each `urlN` value is a FILETIME
/// decoded at offset 0 by `TYPED_URLS_TIME`.
pub(crate) static TYPED_URLS_TIME_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "timestamp",
    value_type: ValueType::Timestamp,
    description: "FILETIME when the URL slot was typed",
    is_uid_component: false,
}];
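/// `TypedURLsTime` — per-slot timestamps for the Internet Explorer
/// `TypedURLs` list in NTUSER.
///
/// Evidence strength and volatility are still unset; the caveats added here
/// record the pairing rule with `TypedURLs` and which browsers actually
/// write the key, since "IE/Edge" in the name is easy to over-read.
pub static TYPED_URLS_TIME: ArtifactDescriptor = ArtifactDescriptor {
    id: "typed_urls_time",
    name: "TypedURLsTime (IE/Edge)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Internet Explorer\TypedURLsTime",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Timestamps of URLs typed into IE/Edge address bar (paired with TypedURLs)",
    mitre_techniques: &["T1071.001"],
    fields: TYPED_URLS_TIME_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-windows-registry-forensics-part-6-internet-explorer-user-typed-urls/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Written by Internet Explorer (and Explorer's address bar); Chromium-based Edge keeps history in its own profile database and does not populate this key",
        "Slots pair positionally with TypedURLs (url1 = most recent); rotation shifts every slot, so a timestamp belongs to whatever URL currently occupies the same-numbered TypedURLs slot",
        "Key was introduced with IE10 (Windows 8 era); absence on older systems is not evidence of cleaning",
        "A URL can reach TypedURLs via autocomplete selection as well as full typing — 'typed' means entered through the address bar, not necessarily keyed character by character",
    ],
    volatility: None,
    volatility_rationale: "",
};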
/// Field schema for `RecentDocs`: the decoded `MRUListEx` index order
/// (index 0 is the most recently used entry).
pub(crate) static MRU_RECENT_DOCS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "indices",
    value_type: ValueType::List,
    description: "MRUListEx order indices of recently accessed documents",
    is_uid_component: false,
}];
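/// Explorer `RecentDocs` MRU from NTUSER.
///
/// The earlier caveat described the common-dialog (OpenSaveMRU) behaviour,
/// which is a different key; RecentDocs is fed by the shell
/// (SHAddToRecentDocs). The caveats now describe what this key actually
/// records and how to date and resolve its entries.
pub static MRU_RECENT_DOCS: ArtifactDescriptor = ArtifactDescriptor {
    id: "mru_recent_docs",
    name: "MRU RecentDocs",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::MruListEx,
    meaning: "Most-recently-used documents list (MRUListEx order of shell32 items)",
    mitre_techniques: &["T1005", "T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/windows-mru-registry-keys/",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://forensics.wiki/opensavemru/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Populated by the shell (SHAddToRecentDocs): files opened from Explorer or by applications that register recent documents. Command-line and programmatic file access is not recorded; common-dialog opens are tracked separately by OpenSaveMRU/LastVisitedMRU",
        "Per-extension sub-keys (.docx, .pdf, …) and a Folder sub-key each carry their own MRUListEx; index 0 is the most recent item and that sub-key's last-write time dates the most recent open of that type",
        "Values store only the file name (UTF-16LE) plus a shell item, not the full path — resolve paths via the matching LNK in the Recent folder or jump lists",
        "The list is capped and rolls; older entries disappear without trace",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated per file open; fixed max MRU depth",
};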
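/// Field schema for USBSTOR enumeration.
///
/// USBSTOR sub-keys are named by device class/vendor/product/revision
/// (`Disk&Ven_*&Prod_*&Rev_*`), with the serial number one level down;
/// VID/PID pairs live under `Enum\USB`, not here, so the description no
/// longer claims a VID&PID name.
pub(crate) static USB_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "device_id",
    value_type: ValueType::Text,
    description: "USBSTOR device class ID (Disk&Ven_*&Prod_*&Rev_* sub-key name); serial-number instance keys sit beneath it, VID/PID under Enum\\USB",
    is_uid_component: true,
}];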
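/// USB mass-storage device history from `Enum\USBSTOR` in the SYSTEM hive.
///
/// Caveats added for the checks an examiner needs before trusting a
/// timeline from this key: which timestamps are reliable, how to tell a
/// real serial from a Windows-generated one, and where VID/PID and drive
/// letters come from. Evidence strength/volatility are left unset as in
/// the original.
pub static USB_ENUM: ArtifactDescriptor = ArtifactDescriptor {
    id: "usb_enum",
    name: "USB Device Enumeration (USBSTOR)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Enum\USBSTOR",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "USB storage device connection history; persists after device removal",
    mitre_techniques: &["T1200", "T1052.001"],
    fields: USB_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-usb-device-tracking/",
        "https://windowsir.blogspot.com/2013/07/usb-device-tracking-in-windows-7.html",
        "https://www.magnetforensics.com/blog/artifact-profile-usb-devices/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "The sub-key last-write time is refreshed by later plug-ins and driver updates and is not a reliable first-connection time; on Windows 7+ use the instance key's Properties\\{83da6326-97a6-4088-9453-a1923f573b29} values 0064 (first install), 0066 (last arrival) and 0067 (last removal)",
        "If the second character of the serial-number sub-key is '&', the device reported no serial and Windows generated the ID — it cannot be used to match the same physical device across hosts",
        "VID/PID and the device's USB-level history are under Enum\\USB; drive-letter and volume mapping come from MountedDevices and the per-user MountPoints2 key — correlate all three",
        "Resolve ControlSet00N from the Select key's Current value on an offline hive; CurrentControlSet does not exist in the hive file",
    ],
    volatility: None,
    volatility_rationale: "",
};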
/// Field schema for MUICache: the value data (UTF-16LE string decoded by
/// `MUICACHE`), i.e. the friendly name the shell cached for an executable.
pub(crate) static MUICACHE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "display_name",
    value_type: ValueType::Text,
    description: "Localized display name of the executed application",
    is_uid_component: false,
}];
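/// MUICache — shell-cached friendly names keyed by executable path.
///
/// The previous `key_path` (`Local Settings\MuiCache`) does not match the
/// Windows 7+ location inside UsrClass.dat, which is
/// `Local Settings\Software\Microsoft\Windows\Shell\MuiCache`; the path is
/// corrected and the legacy XP location is recorded as a caveat because
/// `os_scope` is `All`.
pub static MUICACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "muicache",
    name: "MUICache",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    key_path: r"Local Settings\Software\Microsoft\Windows\Shell\MuiCache",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Utf16Le,
    meaning: "Cached display names keyed by executable path; program execution evidence",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: MUICACHE_FIELDS,
    retention: Some("persists until registry cleanup"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2012/08/no-more-mr-nice-guy.html",
        "https://www.sans.org/blog/digital-forensics-windows-muicache/",
        "http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-muicache-files-in-windows/",
        "https://forensafe.com/blogs/muicache.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Windows 7+ location is UsrClass.dat (Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache); on XP/2003 the key is NTUSER Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache",
        "Value names are the executable's full path suffixed with .FriendlyAppName or .ApplicationCompany; the data is the string resource the shell displayed",
        "No per-entry timestamp — only the key's last-write time. An entry shows the shell rendered the program's name (typically on launch through the shell), not when or how often it ran",
        "Entries survive deletion of the executable, so a path here with no file on disk is worth checking against amcache/shimcache",
    ],
    volatility: None,
    volatility_rationale: "",
};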
/// Field schema for the `AppInit_DLLs` value: the raw list string as
/// stored (the value is not split by this descriptor).
pub(crate) static APPINIT_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "dll_list",
    value_type: ValueType::Text,
    description: "Comma/space-separated DLL paths injected into user32.dll consumers",
    is_uid_component: false,
}];
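/// `AppInit_DLLs` persistence value in the SOFTWARE hive.
///
/// The single SecureBoot caveat was incomplete: whether the list is honoured
/// also depends on `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` in the
/// same key, and 32-bit processes read the Wow6432Node copy. All of these
/// need to be collected to judge whether an entry is live.
pub static APPINIT_DLLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "appinit_dlls",
    name: "AppInit_DLLs",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Windows",
    value_name: Some("AppInit_DLLs"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLLs injected into every process that loads user32.dll",
    mitre_techniques: &["T1546.010"],
    fields: APPINIT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/dlls/registry-keys-for-appinit-dlls",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Only effective when SecureBoot is disabled (Windows 8+ ignores the value when Secure Boot is on)",
        "Loading also requires LoadAppInit_DLLs = 1 in the same key; RequireSignedAppInit_DLLs = 1 (Windows 7+) restricts loading to signed DLLs — collect all three values before calling an entry live",
        "32-bit processes on 64-bit Windows read Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows instead; check both copies",
        "Only processes that load user32.dll are affected; native/console images that never load user32 are untouched",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};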
/// Field schema for the Winlogon `Userinit` value: the raw comma-separated
/// list as stored in the registry.
pub(crate) static WINLOGON_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "userinit",
    value_type: ValueType::Text,
    description: "Comma-separated executables launched by Winlogon at logon",
    is_uid_component: false,
}];
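/// Winlogon `Userinit` value in the SOFTWARE hive.
///
/// The `meaning` text ended in what looked like a stray comma; the trailing
/// comma is actually part of Windows' default data, so it is now stated
/// explicitly. Evidence strength/volatility are set to match the sibling
/// `WINLOGON_SHELL` descriptor, which covers the same key.
pub static WINLOGON_USERINIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "winlogon_userinit",
    name: "Winlogon Userinit",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    value_name: Some("Userinit"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Process(es) launched by Winlogon at logon; default data is 'C:\\Windows\\system32\\userinit.exe,' (the trailing comma is part of the default)",
    mitre_techniques: &["T1547.004"],
    fields: WINLOGON_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Any entry beyond the default userinit.exe runs at every interactive logon with the logging-on user's token; a missing trailing comma or an extra comma-separated path is the usual tell",
        "Compare the userinit.exe path itself against %SystemRoot%\\system32 — a relative name or a path on another volume is suspicious even when the file name matches",
        "Requires administrative rights to modify (SOFTWARE hive); also review the Wow6432Node copy of the Winlogon key on 64-bit hosts",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};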
/// Field schema for the `SCRNSAVE.EXE` value: the configured screensaver
/// path as stored in NTUSER.
pub(crate) static SCREENSAVER_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "path",
    value_type: ValueType::Text,
    description: "Path to the screensaver executable (.scr)",
    is_uid_component: false,
}];
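/// Per-user screensaver executable (`SCRNSAVE.EXE`) in NTUSER.
///
/// The original `meaning` tied execution to "screen lock"; the screensaver
/// fires on idle timeout, not on locking, and only when the companion
/// values enable it. Those values are listed in the caveats so the
/// collector can judge whether a malicious .scr is actually armed.
pub static SCREENSAVER_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "screensaver_exe",
    name: "Screensaver Executable",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Control Panel\Desktop",
    value_name: Some("SCRNSAVE.EXE"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Screensaver path; a malicious .scr executes in the user's context when the idle timeout fires",
    mitre_techniques: &["T1546.002"],
    fields: SCREENSAVER_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/screensaver-registry-key-for-persistence/"],
    evidence_strength: None,
    evidence_caveats: &[
        "Runs only after ScreenSaveTimeOut seconds of idle time and only if ScreenSaveActive = 1 (both in the same key); it is not triggered by locking the workstation — collect those values alongside the path",
        ".scr files are ordinary PE executables; verify signature and location — a path outside %SystemRoot%\\system32 is unusual for a default screensaver",
        "A Group Policy copy of these values under NTUSER Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop may take precedence; check it before concluding which .scr is effective",
    ],
    volatility: None,
    volatility_rationale: "",
};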
/// Generic single-field schema for persistence locations whose value data
/// is a command line or executable path (used by the Winlogon Shell and
/// Services ImagePath descriptors).
pub(crate) static PERSIST_CMD_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "command",
    value_type: ValueType::Text,
    description: "Command, DLL path, or executable registered for execution",
    is_uid_component: false,
}];
/// Generic single-field schema for persistence locations whose value data
/// is a DLL path (COM InprocServer32, AppCertDlls).
pub(crate) static DLL_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "dll_path",
    value_type: ValueType::Text,
    description: "Path to the DLL registered for injection or loading",
    is_uid_component: false,
}];
/// Generic schema for directory-listing artifacts: one entry per file or
/// shortcut name, with the name as the uid component.
pub(crate) static DIR_ENTRY_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "entry_name",
    value_type: ValueType::Text,
    description: "Name of the file or shortcut present in this directory",
    is_uid_component: true,
}];
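/// Field schema for parsed Windows shortcut (.lnk) files.
///
/// Two descriptions overstated what a field proves and have been toned
/// down: a non-empty `arguments` string is routine for legitimate program
/// shortcuts (only an encoded/obfuscated payload is the indicator), and a
/// REMOTE `drive_type` shows a network share was accessed, which is a
/// lateral-movement candidate rather than proof of it. Layout offsets for
/// the BEEF0004 fields are reproduced as in the original.
pub(crate) static LNK_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "target_path",
        value_type: ValueType::Text,
        description: "Resolved target path (LocalBasePath + CommonPathSuffix from LinkInfo)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "created_time",
        value_type: ValueType::Timestamp,
        description: "LNK header CreationTime (FILETIME, UTC) — when target file was created",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "LNK header AccessTime (FILETIME, UTC) — last access of target file",
        is_uid_component: false,
    },
    FieldSchema {
        name: "modified_time",
        value_type: ValueType::Timestamp,
        description: "LNK header WriteTime (FILETIME, UTC) — last modification of target file",
        is_uid_component: false,
    },
    FieldSchema {
        name: "arguments",
        value_type: ValueType::Text,
        // Do not treat "non-empty" as malicious: Start-menu and desktop
        // shortcuts to real programs carry switches all the time.
        description: "StringData.Arguments — command line passed to the target; non-empty is common for legitimate program shortcuts, but encoded/obfuscated PowerShell, cmd, mshta or rundll32 payloads indicate a weaponised LNK",
        is_uid_component: false,
    },
    FieldSchema {
        name: "working_dir",
        value_type: ValueType::Text,
        description: "StringData.WorkingDir — execution working directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "drive_type",
        value_type: ValueType::Text,
        description: "LinkInfo.DriveType: FIXED/REMOVABLE/REMOTE/CDROM/RAMDISK; \
                      REMOVABLE links to USB artifacts; REMOTE shows the target was on a network share — a lateral-movement candidate to corroborate, not proof",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_serial_number",
        value_type: ValueType::Text,
        description: "LinkInfo.VolumeSerialNumber — disk identity; \
                      cross-reference with MountPoints2 and USB enumeration keys",
        is_uid_component: false,
    },
    FieldSchema {
        name: "net_share_name",
        value_type: ValueType::Text,
        description: "CommonNetworkRelativeLink.NetName — UNC share path \
                      when DriveType=REMOTE; identifies the host whose share was accessed",
        is_uid_component: false,
    },
    FieldSchema {
        name: "file_size",
        value_type: ValueType::Integer,
        description: "LNK header FileSize (UInt32, low 32 bits only — truncates for >4 GB targets)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT record number (48-bit: low 32 bits at +0x12, \
                      high 16 bits at +0x16); pivot to $MFT/$UsnJrnl for full timeline",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_sequence_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT sequence number (UInt16 at +0x18); \
                      detects MFT record reuse (file deleted then slot reused)",
        is_uid_component: false,
    },
];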
/// Field schema for automatic jump lists (`*.automaticDestinations-ms`).
///
/// The AppID hash is the uid component; the remaining fields come from the
/// DestList stream and the embedded LNK structures. The BEEF0004-derived
/// fields (64-bit size, MFT record/sequence) are what make jump lists
/// usable as an $MFT pivot.
pub(crate) static JUMP_LIST_AUTO_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id_hash",
        value_type: ValueType::Text,
        description: "8-byte CRC64 AppID hash (filename stem of .automaticDestinations-ms); \
                      resolved via JumplistData registry key or AppIdlist.csv",
        is_uid_component: true,
    },
    FieldSchema {
        name: "mru_rank",
        value_type: ValueType::Integer,
        description: "DestList entry order (0 = most recently accessed); \
                      reconstructs file access chronology per application",
        is_uid_component: false,
    },
    FieldSchema {
        name: "pin_status",
        value_type: ValueType::Text,
        description: "Pin Entry field — whether item is pinned and its pinned order",
        is_uid_component: false,
    },
    FieldSchema {
        name: "quick_access_order",
        value_type: ValueType::Integer,
        description: "Quick Access position (item order in Windows Quick Access folder)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lnk_target_path",
        value_type: ValueType::Text,
        description: "Embedded LNK target path (LocalBasePath + CommonPathSuffix)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header AccessTime (FILETIME, UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "modified_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header WriteTime (FILETIME, UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "file_size_64bit",
        value_type: ValueType::Integer,
        description:
            "Full 64-bit target file size (BEEF0004 high 32 bits + LNK header low 32 bits); \
             critical for files >4 GB where LNK header alone truncates",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 48-bit MFT record number (low 32 + high 16 bits); \
                      pivot to $MFT or $UsnJrnl for timestomping or rename-chain analysis",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_sequence_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT sequence number — detects MFT record reuse",
        is_uid_component: false,
    },
];
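/// Field schema for custom jump lists (`*.customDestinations-ms`).
///
/// The `arguments` description claimed legitimate entries are empty. Custom
/// "Tasks" groups written by real applications (browsers, editors) routinely
/// carry switches, so the field is described as a review point for
/// encoded/obfuscated payloads rather than a simple non-empty check.
pub(crate) static JUMP_LIST_CUSTOM_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "group_name",
        value_type: ValueType::Text,
        description: "Jump list group title (e.g. 'Tasks', 'Recent', 'Pinned', \
                      or empty for unnamed Tasks groups)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "entry_order",
        value_type: ValueType::Integer,
        description: "Position of this entry within its group (MRU ordering)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lnk_target_path",
        value_type: ValueType::Text,
        description: "Embedded LNK target path (LocalBasePath + CommonPathSuffix)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "arguments",
        value_type: ValueType::Text,
        // Tasks entries for legitimate apps commonly carry switches; the
        // signal is the payload shape, not the presence of arguments.
        description: "LNK StringData.Arguments — primary weaponisation review point; \
                      Tasks entries for legitimate apps routinely carry switches, so look for encoded/obfuscated PowerShell, cmd, mshta or rundll32 payloads rather than treating non-empty as malicious",
        is_uid_component: false,
    },
    FieldSchema {
        name: "working_dir",
        value_type: ValueType::Text,
        description: "LNK StringData.WorkingDir — execution working directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header AccessTime (FILETIME, UTC)",
        is_uid_component: false,
    },
];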
/// Generic schema for artifacts identified solely by a file path (the path
/// is the uid component).
pub(crate) static FILE_PATH_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "path",
    value_type: ValueType::Text,
    description: "Full path to the artifact file",
    is_uid_component: true,
}];
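/// Winlogon `Shell` value in the SOFTWARE hive.
///
/// Caveats extended with the per-user override, which the HKLM-only
/// descriptor would otherwise miss: a user-scope `Shell` value under the
/// NTUSER Winlogon key is honoured for that user and is a documented
/// T1547.004 location.
pub static WINLOGON_SHELL: ArtifactDescriptor = ArtifactDescriptor {
    id: "winlogon_shell",
    name: "Winlogon Shell",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    value_name: Some("Shell"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Windows shell process(es) launched by Winlogon; default is explorer.exe",
    mitre_techniques: &["T1547.004"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Default value is 'explorer.exe'; any deviation is highly suspicious",
        "The value is comma-separated; 'explorer.exe,evil.exe' keeps the desktop working while adding a payload, so check for extra entries rather than only for a replaced name",
        "A per-user override can also exist at NTUSER Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell (no admin needed) — this descriptor covers HKLM only, collect the user hives as well",
        "Also review the Wow6432Node copy of the Winlogon key on 64-bit hosts",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};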
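/// Service `ImagePath` values under `CurrentControlSet\Services`.
///
/// The `meaning` already documents the encoded-PowerShell binPath pattern;
/// the caveats add the three things that most often make an ImagePath
/// review wrong: kernel-driver NT paths, svchost-hosted services whose real
/// code is in `Parameters\ServiceDll`, and dating a change via System log
/// events rather than the key's last-write time.
pub static SERVICES_IMAGEPATH: ArtifactDescriptor = ArtifactDescriptor {
    id: "services_imagepath",
    name: "Services ImagePath",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services",
    value_name: Some("ImagePath"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executable path of a Windows service; auto-started services persist across reboots. \
              Attackers use sc.exe to set binPath to %COMSPEC% /c powershell.exe -nop -w hidden \
              -encodedcommand <base64>, embedding obfuscated PowerShell payloads (base64-encoded \
              UTF-16LE, sometimes gzip/deflate-compressed then base64-wrapped) directly in the \
              registry. Look for -EncodedCommand, -WindowStyle Hidden, FromBase64String, \
              GzipStream, and [IO.Compression.CompressionMode]::Decompress in ImagePath values.",
    mitre_techniques: &["T1543.003", "T1059.001", "T1027"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["evtx_system"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager",
        "https://redcanary.com/threat-detection-report/techniques/t1543/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://az4n6.blogspot.com/2017/10/finding-and-decoding-malicious.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Many legitimate services present; focus on unsigned/unusual paths",
        "Kernel-driver ImagePath values are NT-native paths (\\SystemRoot\\system32\\drivers\\x.sys, system32\\DRIVERS\\x.sys) rather than Win32 paths — normalise before comparing against disk, and do not flag them for lacking a drive letter",
        "svchost-hosted services have ImagePath = svchost.exe -k <group>; the code that actually runs is the Parameters\\ServiceDll value, which must be collected and verified separately",
        "Service creation and start-type changes are logged in the System log (7045 new service, 7040 start-type change); pivot to evtx_system to date a change, since the key's last-write time is refreshed by benign updates",
        "Resolve ControlSet00N from the Select key's Current value on an offline hive; CurrentControlSet does not exist in the hive file",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key under SYSTEM; persists until service removed",
};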
/// Field schema for HKLM Active Setup components: the `StubPath` command
/// stored under each `Installed Components\{GUID}` sub-key.
pub(crate) static ACTIVE_SETUP_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "stub_path",
    value_type: ValueType::Text,
    description: "StubPath command executed once per user at logon for new installs",
    is_uid_component: false,
}];
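/// Active Setup components in the SOFTWARE hive (`StubPath` per component).
///
/// Caveats extended with the conditions under which `StubPath` actually
/// fires (HKCU Version missing/lower, `IsInstalled` not 0) and the
/// Wow6432Node copy that 64-bit hosts also evaluate.
pub static ACTIVE_SETUP_HKLM: ArtifactDescriptor = ArtifactDescriptor {
    id: "active_setup_hklm",
    name: "Active Setup (HKLM)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Active Setup\Installed Components",
    value_name: Some("StubPath"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user setup command executed by HKLM Active Setup; malicious StubPath = user-context persistence",
    mitre_techniques: &["T1547.014"],
    fields: ACTIVE_SETUP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/active-setup-registry-persistence/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Registry key presence is definitive persistence evidence; compare sub-key StubPath against known-good baseline",
        "StubPath runs once per user, early in logon, when the user's HKCU copy of the component has no Version or a lower Version than HKLM, and only if IsInstalled is absent or non-zero — it executes with the user's token, not as SYSTEM",
        "64-bit hosts also evaluate Wow6432Node\\Microsoft\\Active Setup\\Installed Components; collect both",
        "Deleting or lowering the HKCU Version re-arms the component, so a StubPath that 'already ran' can still fire at the next logon",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key; persists until explicit deletion",
};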
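/// Field schema for the per-user Active Setup marker: the `Version` string
/// that Windows compares against the HKLM component to decide whether
/// `StubPath` must run again.
pub(crate) static ACTIVE_SETUP_VERSION_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "version",
    value_type: ValueType::Text,
    description: "Per-user Version string (e.g. '1,0,0,0') recorded after StubPath ran; compared against the HKLM component's Version",
    is_uid_component: false,
}];
/// Per-user Active Setup state in NTUSER.
///
/// The value being collected is `Version`, so the descriptor now uses a
/// schema that describes a version marker instead of reusing a run-command
/// field schema. Caveats explain what the presence or absence of the
/// marker means for the HKLM `StubPath`.
pub static ACTIVE_SETUP_HKCU: ArtifactDescriptor = ArtifactDescriptor {
    id: "active_setup_hkcu",
    name: "Active Setup (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Active Setup\Installed Components",
    value_name: Some("Version"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "User-side Active Setup version; mismatch with HKLM triggers StubPath re-execution",
    mitre_techniques: &["T1547.014"],
    fields: ACTIVE_SETUP_VERSION_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["active_setup_hklm"],
    sources: &["https://www.sans.org/blog/active-setup-registry-persistence/"],
    evidence_strength: None,
    evidence_caveats: &[
        "A component GUID present here shows the matching HKLM StubPath has already executed for this user at least once — the sub-key's last-write time dates that run",
        "A component present in HKLM but absent here (or with a lower Version) will fire at this user's next logon; an attacker can delete the HKCU marker to force re-execution",
        "Holds no command of its own; the executed command is always the HKLM (or Wow6432Node) StubPath for the same GUID",
    ],
    volatility: None,
    volatility_rationale: "",
};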
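/// Per-user COM class registrations (`CLSID\{...}\InprocServer32`) in
/// UsrClass.dat.
///
/// `volatility_rationale` previously said the key persists in NTUSER.DAT,
/// which contradicts `hive: UsrClass` (HKCU\Software\Classes is backed by
/// UsrClass.dat). The caveats also record the integrity-level boundary of
/// the hijack and the sibling sub-keys worth checking.
pub static COM_HIJACK_CLSID_HKCU: ArtifactDescriptor = ArtifactDescriptor {
    id: "com_hijack_clsid_hkcu",
    name: "COM Hijack CLSID (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    key_path: r"CLSID",
    value_name: Some("InprocServer32"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "User-space CLSID registration overriding system COM server; no admin needed",
    mitre_techniques: &["T1546.015"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://redcanary.com/threat-detection-report/techniques/t1546/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Some legitimate COM redirection exists; compare with HKLM entries",
        "InprocServer32 is a sub-key whose (Default) data is the DLL path; also check LocalServer32, TreatAs and ScriptletURL under the same CLSID, which can redirect the class without touching InprocServer32",
        "Per-user classes are honoured for medium-integrity processes only; elevated (high-integrity) processes ignore HKCU\\Software\\Classes, so the hijack reaches the user's non-elevated applications",
        "A CLSID present here with no HKLM counterpart is a registration, not a hijack — a hijack is the same CLSID in both hives with different server paths",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key per-user; persists in UsrClass.dat (HKCU\\Software\\Classes)",
};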
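/// `AppCertDlls` key in the SYSTEM hive.
///
/// Evidence strength and caveats were unset; the key does not exist on a
/// default installation, which is the single most useful thing a triage
/// tool can say about it. Classified like the other HKLM persistence keys
/// in this module (Definitive / Persistent).
pub static APPCERT_DLLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "appcert_dlls",
    name: "AppCertDlls",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager\AppCertDlls",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLLs injected into every process that calls CreateProcess-family APIs",
    mitre_techniques: &["T1546.009"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/devnotes/appcertdlls"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "The key does not exist on a default Windows installation; its mere presence warrants review of every value",
        "Each value's data is a DLL path loaded into the calling process on CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW and WinExec — the DLL runs in the caller's context, not as SYSTEM",
        "Writing the key requires administrative rights (SYSTEM hive); resolve ControlSet00N from the Select key's Current value on an offline hive",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key; persists until explicit deletion",
};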
/// Field schema for the `BootExecute` REG_MULTI_SZ value: the list of
/// entries as split by `Decoder::MultiSz`.
pub(crate) static BOOT_EXECUTE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "commands",
    value_type: ValueType::List,
    description: "Commands executed by Session Manager before Win32 subsystem starts",
    is_uid_component: false,
}];
/// `BootExecute` value under `Session Manager` in the SYSTEM hive.
///
/// Decoded as a REG_MULTI_SZ list; the documented default is
/// `autocheck autochk *`, so triage reduces to comparing the list against
/// that single expected entry (see the caveat below).
pub static BOOT_EXECUTE: ArtifactDescriptor = ArtifactDescriptor {
    id: "boot_execute",
    name: "Boot Execute",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager",
    value_name: Some("BootExecute"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::MultiSz,
    meaning: "Native executables run by smss.exe at boot; executes before most security software",
    mitre_techniques: &["T1547.001"],
    fields: BOOT_EXECUTE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/boot-time-global-flag-settings",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Any non-default value is highly suspicious; default is autocheck autochk *"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};
/// LSA `Security Packages` (ATT&CK T1547.005): Security Support Provider
/// DLLs that LSASS loads at startup. An attacker-added SSP runs inside LSASS
/// and sees authentication material as it is processed.
///
/// The value is REG_MULTI_SZ and is decoded with `Decoder::MultiSz`.
// NOTE(review): `fields` reuses BOOT_EXECUTE_FIELDS, whose single field is
// named "commands" and described as Session Manager boot commands; that text
// does not describe SSP DLL names. A dedicated schema (field such as
// "packages": DLL base names loaded by LSASS) would be clearer — confirm
// whether any consumer keys on the "commands" field name before renaming.
// NOTE(review): SSPs can also be registered under the `Lsa\OSConfig` subkey's
// "Security Packages" value; consider a companion descriptor.
pub static LSA_SECURITY_PKGS: ArtifactDescriptor = ArtifactDescriptor {
id: "lsa_security_pkgs",
name: "LSA Security Packages",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\Lsa",
value_name: Some("Security Packages"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::MultiSz,
meaning: "Security Support Providers loaded into LSASS; malicious SSP = persistent LSASS credential access",
mitre_techniques: &["T1547.005"],
fields: BOOT_EXECUTE_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LSA `Authentication Packages` (ATT&CK T1547.002): authentication package
/// DLLs loaded by LSASS at startup. Extra entries intercept logon
/// credentials; the expected content on a default system is `msv1_0`.
///
/// The value is REG_MULTI_SZ and is decoded with `Decoder::MultiSz`.
// NOTE(review): `fields` reuses BOOT_EXECUTE_FIELDS ("commands" — Session
// Manager boot commands), which mis-describes authentication package DLL
// names; see the same note on LSA_SECURITY_PKGS.
pub static LSA_AUTH_PKGS: ArtifactDescriptor = ArtifactDescriptor {
id: "lsa_auth_pkgs",
name: "LSA Authentication Packages",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\Lsa",
value_name: Some("Authentication Packages"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::MultiSz,
meaning: "Authentication packages loaded by LSASS; extra DLLs intercept logon credentials",
mitre_techniques: &["T1547.002"],
fields: BOOT_EXECUTE_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Print monitor registrations (ATT&CK T1547.010): each subkey under
/// `Print\Monitors` names a DLL in its `Driver` value, and `spoolsv.exe`
/// loads it as SYSTEM.
///
/// `artifact_type` is `RegistryKey` while `value_name` is `Some("Driver")`:
/// the intent appears to be "the `Driver` value of every monitor subkey" —
/// confirm that the collector enumerates subkeys when both are set.
// NOTE(review): several monitors (local port, standard TCP/IP port, USB, WSD)
// are present by default; baseline the DLL names and their on-disk paths
// against a known-good system rather than treating any entry as suspicious.
pub static PRINT_MONITORS: ArtifactDescriptor = ArtifactDescriptor {
id: "print_monitors",
name: "Print Monitors",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\Print\Monitors",
value_name: Some("Driver"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "DLL loaded into spoolsv.exe (SYSTEM); extra monitors = SYSTEM persistence",
mitre_techniques: &["T1547.010"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://learn.microsoft.com/en-us/windows-hardware/drivers/print/print-monitor"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// W32Time time-provider registrations (ATT&CK T1547.003): each subkey under
/// `W32Time\TimeProviders` names a DLL in `DllName`, loaded by the Windows
/// Time service (SYSTEM) when the provider is enabled.
///
/// As with `PRINT_MONITORS`, `RegistryKey` plus a `value_name` is read as
/// "that value in every subkey" — confirm the collector handles it that way.
// NOTE(review): a handful of providers (NtpClient, NtpServer and, on VMs, a
// hypervisor provider) are present by default; flag entries whose DllName
// is outside System32 or whose file hash is unknown rather than any entry.
pub static TIME_PROVIDERS: ArtifactDescriptor = ArtifactDescriptor {
id: "time_providers",
name: "W32Time Time Provider DLLs",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Services\W32Time\TimeProviders",
value_name: Some("DllName"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "DLLs loaded by the Windows Time service; malicious entry = SYSTEM persistence",
mitre_techniques: &["T1547.003"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://learn.microsoft.com/en-us/windows/win32/sysinfo/time-provider"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Netsh helper DLL registrations (ATT&CK T1546.007): each value under
/// `SOFTWARE\Microsoft\NetSh` maps a helper name to a DLL that `netsh.exe`
/// loads on every invocation, in the context of whoever runs netsh.
///
/// The key is read as a whole (`value_name: None`) with `DLL_FIELDS`,
/// defined elsewhere in this file.
// NOTE(review): the key is well populated by default (dozens of built-in
// helpers); the useful signal is a value whose DLL is not a known Windows
// binary or lives outside System32, so baseline rather than alert on count.
pub static NETSH_HELPER_DLLS: ArtifactDescriptor = ArtifactDescriptor {
id: "netsh_helper_dlls",
name: "Netsh Helper DLLs",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSoftware),
key_path: r"Microsoft\NetSh",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "DLLs loaded whenever netsh.exe is invoked; attacker DLL runs in user's netsh context",
mitre_techniques: &["T1546.007"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/netmgmt/network-management-functions",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Output schema for `BROWSER_HELPER_OBJECTS`: the BHO is identified solely
/// by its CLSID, taken from the subkey name, which is also the uid component.
///
/// Resolving the CLSID to an on-disk DLL requires a separate lookup under the
/// CLSID registration (`InprocServer32`); that is not part of this schema.
pub(crate) static BHO_FIELDS: &[FieldSchema] = &[FieldSchema {
name: "clsid",
value_type: ValueType::Text,
description: "CLSID of the Browser Helper Object (sub-key name)",
is_uid_component: true,
}];
/// Internet Explorer Browser Helper Object registrations (ATT&CK T1176):
/// COM components auto-loaded into IE from the
/// `Explorer\Browser Helper Objects` key in the SOFTWARE hive.
///
/// Only the CLSID subkey names are captured (`BHO_FIELDS`); the CLSID still
/// has to be resolved to a DLL via the user or machine CLSID registration.
// NOTE(review): on 64-bit Windows, 32-bit BHOs register under the
// Wow6432Node mirror of this path, which this key_path does not cover —
// confirm how HklmSoftware handles the WOW64 view.
pub static BROWSER_HELPER_OBJECTS: ArtifactDescriptor = ArtifactDescriptor {
id: "browser_helper_objects",
name: "Internet Explorer Browser Helper Objects",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSoftware),
key_path: r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "COM components auto-loaded into IE; can intercept browsing and steal credentials",
mitre_techniques: &["T1176"],
fields: BHO_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa753582(v=vs.85)",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
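/// Per-user Startup folder (ATT&CK T1547.001): anything placed here runs at
/// that user's logon, with no elevation required to plant it.
///
/// `file_path` is a glob over every profile under `C:\Users`. The machine-wide
/// counterpart is `STARTUP_FOLDER_SYSTEM`; the two are cross-referenced via
/// `related_artifacts` so a hit in one prompts a check of the other.
/// `DIR_ENTRY_FIELDS` is defined elsewhere in this file.
pub static STARTUP_FOLDER_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "startup_folder_user",
    name: "User Startup Folder",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executables and LNKs here run at user logon; no admin required",
    mitre_techniques: &["T1547.001"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // Sibling descriptor defined in this file; the two folders are usually
    // reviewed together.
    related_artifacts: &["startup_folder_system"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: None,
    // A directory listing alone does not show what runs: shortcuts must be
    // resolved to their target and arguments.
    evidence_caveats: &["LNK entries must be resolved to target path and arguments; the shortcut file itself is rarely the payload"],
    volatility: None,
    volatility_rationale: "",
};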
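/// Machine-wide Startup folder (ATT&CK T1547.001): entries run at logon for
/// every interactive user; writing here requires administrative rights.
///
/// The per-user counterpart is `STARTUP_FOLDER_USER`; the two are
/// cross-referenced via `related_artifacts` so a hit in one prompts a check
/// of the other. `DIR_ENTRY_FIELDS` is defined elsewhere in this file.
pub static STARTUP_FOLDER_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "startup_folder_system",
    name: "System Startup Folder",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executables and LNKs run for every user at logon; requires admin to plant",
    mitre_techniques: &["T1547.001"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // Sibling descriptor defined in this file.
    related_artifacts: &["startup_folder_user"],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/shell/csidl"],
    evidence_strength: None,
    // Same caveat as the per-user folder: resolve shortcuts before judging.
    evidence_caveats: &["LNK entries must be resolved to target path and arguments; the shortcut file itself is rarely the payload"],
    volatility: None,
    volatility_rationale: "",
};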
/// On-disk scheduled task definitions (ATT&CK T1053.005): one XML file per
/// registered task under `System32\Tasks`, collected as a directory listing
/// via `DIR_ENTRY_FIELDS` (defined elsewhere in this file).
///
/// Rated `Definitive` with a caveat that the XML can be removed after use;
/// event IDs 4698/4702 are suggested as the fallback.
// NOTE(review): 4698/4702 are only written when the "Audit Other Object
// Access Events" subcategory is enabled — it is off by default, so the
// fallback may not exist. The task registration also lives in the registry
// under the Schedule\TaskCache tree; a task with XML on disk but a
// registry entry stripped of its security descriptor is hidden from
// schtasks and the GUI. Consider a companion registry descriptor.
pub static SCHEDULED_TASKS_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "scheduled_tasks_dir",
name: "Scheduled Tasks Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\Tasks"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "XML task definitions; malicious tasks can run at boot, logon, or arbitrary intervals",
mitre_techniques: &["T1053.005"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page",
"https://redcanary.com/threat-detection-report/techniques/t1053/",
"https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
"https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Task XML may be deleted after execution; check event log 4698/4702"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "XML files in tasks directory; persist until task deleted",
};
/// WDigest `UseLogonCredential` (ATT&CK T1003.001): a single REG_DWORD that,
/// when set to 1, makes LSASS keep logon credentials in a reversible form.
///
/// Decoded with `Decoder::DwordLe`. `fields` reuses `RUN_KEY_FIELDS`, which
/// is defined elsewhere in this file — confirm that schema suits a single
/// DWORD value rather than a Run-key style name/command pair.
// NOTE(review): on Windows 8.1 / Server 2012 R2 and later (and on older
// systems with the 2014 WDigest hardening update) the value is absent by
// default and caching is off, so presence of the value set to 1 is the
// signal. On unpatched Windows 7 / 2008 R2 caching was on regardless of
// this value, so absence there is not reassuring.
pub static WDIGEST_CACHING: ArtifactDescriptor = ArtifactDescriptor {
id: "wdigest_caching",
name: "WDigest UseLogonCredential",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\SecurityProviders\WDigest",
value_name: Some("UseLogonCredential"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::DwordLe,
meaning:
"1 = cleartext creds in LSASS; attackers set this before Mimikatz to harvest passwords",
mitre_techniques: &["T1003.001"],
fields: RUN_KEY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://redcanary.com/threat-detection-report/techniques/t1003/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Explorer search-box history (`WordWheelQuery`, ATT&CK T1083): terms typed
/// into the Explorer search bar, stored per user in NTUSER.DAT and ordered by
/// an `MRUListEx` value (`Decoder::MruListEx`).
///
/// Field schema is shared with the other MRU descriptors via
/// `MRU_RECENT_DOCS_FIELDS`, defined elsewhere in this file.
// NOTE(review): the key is only written when the user searches from Explorer
// itself; Start-menu and third-party search tools do not populate it, so an
// empty key is not evidence of cleanup.
pub static WORDWHEEL_QUERY: ArtifactDescriptor = ArtifactDescriptor {
id: "wordwheel_query",
name: "WordWheelQuery (Explorer Search)",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::NtUser),
key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery",
value_name: None,
file_path: None,
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::MruListEx,
meaning:
"Search terms entered into Windows Explorer search bar; reveals attacker reconnaissance",
mitre_techniques: &["T1083"],
fields: MRU_RECENT_DOCS_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://windowsir.blogspot.com/2012/08/wordwheelquery.html",
"https://github.com/EricZimmerman/RECmd",
"https://github.com/EricZimmerman/RegistryPlugins",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
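/// Common-dialog open/save history (ATT&CK T1083): the files a user last
/// touched through the Win32 open/save dialogs, bucketed by extension, stored
/// per user in NTUSER.DAT.
///
/// Vista and later keep this list under `OpenSavePidlMRU`, whose entries are
/// PIDLs ordered by an `MRUListEx` value; the pre-Vista `OpenSaveMRU` key
/// used a different index format that `Decoder::MruListEx` does not parse.
/// The key path therefore names the PIDL variant, and `os_scope` is narrowed
/// to the nearest available scope (`Win7Plus`; Vista uses the same key).
/// `MRU_RECENT_DOCS_FIELDS` is defined elsewhere in this file.
pub static OPENSAVE_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "opensave_mru",
    name: "OpenSaveMRU (Common Dialog)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    // Vista+ key; the XP-era `OpenSaveMRU` key does not use MRUListEx and
    // would not match this decoder.
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MruListEx,
    meaning: "Paths of files opened or saved via Win32 common dialog boxes; per-extension history",
    mitre_techniques: &["T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // Sibling descriptor defined in this file; the two dialog MRUs are read together.
    related_artifacts: &["lastvisited_mru"],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://forensics.wiki/opensavemru/",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Entries are PIDLs, not plain paths; they must be resolved to a folder and file name",
        "Only dialog-based access is recorded; command-line, scripted and drag-and-drop access leaves no entry",
    ],
    volatility: None,
    volatility_rationale: "",
};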
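/// Common-dialog "last visited" history (ATT&CK T1083): for each application
/// that opened a Win32 open/save dialog, the folder it last used, stored per
/// user in NTUSER.DAT.
///
/// Vista and later keep this list under `LastVisitedPidlMRU` (executable
/// name followed by a folder PIDL, ordered by `MRUListEx`); the pre-Vista
/// `LastVisitedMRU` key used a different index format that
/// `Decoder::MruListEx` does not parse. The key path names the PIDL variant
/// and `os_scope` is narrowed to the nearest available scope (`Win7Plus`;
/// Vista uses the same key). `MRU_RECENT_DOCS_FIELDS` is defined elsewhere
/// in this file.
pub static LASTVISITED_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "lastvisited_mru",
    name: "LastVisitedMRU (Common Dialog)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    // Vista+ key; the XP-era `LastVisitedMRU` key does not use MRUListEx.
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MruListEx,
    meaning: "Application + last-used folder from common dialog; reveals programs accessing files",
    mitre_techniques: &["T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // Sibling descriptor defined in this file.
    related_artifacts: &["opensave_mru"],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Each entry is an executable name plus a folder PIDL; the executable name is not a full path and can be spoofed by renaming the binary",
        "Only dialog-based access is recorded; programmatic file access leaves no entry",
    ],
    volatility: None,
    volatility_rationale: "",
};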
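/// Output schema for `MFT`: one row per `$MFT` FILE record, combining record
/// header fields, both `$STANDARD_INFORMATION` (SI) and `$FILE_NAME` (FN)
/// timestamp sets, and the record-slack size.
///
/// Offsets in the descriptions are relative to the FILE record header, the SI
/// attribute body or the FN attribute body as stated. Two header offsets were
/// corrected relative to an earlier revision: the explicit record number lives
/// at header offset 0x2C (0x2A is the two-byte alignment pad that precedes
/// it), and the record flags at 0x16 are the low bits of a 16-bit word
/// (0x0001 in use, 0x0002 directory, 0x0004 in `$Extend`), not bits 13–15.
///
/// SI timestamps are writable through the documented file-time API; FN
/// timestamps are kernel-maintained, which is why the two sets are kept side
/// by side for timestomping comparison.
pub(crate) static MFT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        // 0x2C, not 0x2A: 0x2A is the alignment pad (XP+ layout).
        description: "Unique 48-bit record number within the $MFT (NTFS 3.1: explicit at header 0x2C; pre-3.1: inferred from file offset)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "sequence_number",
        value_type: ValueType::Integer,
        description: "Reuse counter (uint16 at header 0x10) — incremented each time a record slot is deallocated; stale references detectable",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lsn",
        value_type: ValueType::UnsignedInt,
        description: "$LogFile Sequence Number (uint64 at 0x08); monotonically increasing modification counter; links to $LogFile transaction",
        is_uid_component: false,
    },
    FieldSchema {
        name: "hard_link_count",
        value_type: ValueType::UnsignedInt,
        description: "Number of $FILE_NAME attributes (uint16 at 0x12); > 1 indicates hard links — each is a separate directory entry",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_created",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION created time (SI offset +0; spoofable via SetFileTime API — compare with FN timestamp)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_modified",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION last-modified time (SI offset +8; spoofable)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_changed",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION MFT-record-changed time (SI offset +16; requires raw volume write to forge)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_accessed",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION last-accessed time (SI offset +24; often disabled on modern Windows)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "usn",
        value_type: ValueType::UnsignedInt,
        description: "Update Sequence Number from $STANDARD_INFORMATION offset +64; links MFT record to its $UsnJrnl:$J change entry",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_created",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME created time (FN offset +8); kernel-maintained, requires raw volume write to falsify",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_modified",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME last-modified time (FN offset +16); kernel-maintained",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_changed",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME MFT-record-changed time (FN offset +24); kernel-maintained",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_accessed",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME last-accessed time (FN offset +32); kernel-maintained",
        is_uid_component: false,
    },
    FieldSchema {
        name: "filename",
        value_type: ValueType::Text,
        description: "UTF-16LE filename from $FILE_NAME (offset +66); namespace: 0=POSIX, 1=Win32, 2=DOS, 3=Win32&DOS",
        is_uid_component: true,
    },
    FieldSchema {
        name: "parent_mft_record",
        value_type: ValueType::Integer,
        description: "48-bit MFT record number of the parent directory (FN offset +0)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "file_size",
        value_type: ValueType::Integer,
        description: "Logical (real) file size in bytes from $FILE_NAME offset +48",
        is_uid_component: false,
    },
    FieldSchema {
        name: "flags",
        value_type: ValueType::UnsignedInt,
        // Flag values are the low bits of the uint16 at header 0x16.
        description: "Allocation status flags (uint16 at header 0x16): 0x0001=In Use, 0x0002=Is Directory, 0x0004=In $Extend",
        is_uid_component: false,
    },
    FieldSchema {
        name: "record_slack",
        value_type: ValueType::UnsignedInt,
        description: "PhysicalSize - LogicalSize (bytes); residual space may contain prior attribute remnants from shrunk metadata",
        is_uid_component: false,
    },
];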
/// The NTFS `$MFT` itself, read as a raw file from the volume device path
/// (`file_path` uses a `<volume>` placeholder that the collector must fill).
///
/// Rated `Critical`/`Definitive`: it is the primary source for the SI-vs-FN
/// timestamp comparison used to detect timestomping, and unallocated records
/// keep deleted-file metadata until the slot is reused. Cross-links to the
/// `$UsnJrnl`, `$LogFile` and Prefetch descriptors by id.
// NOTE(review): the live-system caveat is accurate — the file is locked and
// must be read via raw volume access or a shadow copy; on a live host that
// read itself is a privileged operation worth logging.
pub static MFT: ArtifactDescriptor = ArtifactDescriptor {
id: "mft",
name: "NTFS Master File Table ($MFT)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"\\.\<volume>\$MFT"),
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "Complete filesystem map with dual timestamps ($STANDARD_INFORMATION vs $FILE_NAME); primary source for timestomping detection and deleted-file recovery",
mitre_techniques: &[
"T1070.006", "T1070.004", "T1564.001", ],
fields: MFT_FIELDS,
retention: Some("Entries persist until overwritten; allocated space grows monotonically"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["usnjrnl", "logfile_ntfs", "prefetch_dir"],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table",
"https://www.sans.org/blog/windows-file-system-forensics-ntfs-master-file-table/",
"https://github.com/EricZimmerman/MFTECmd",
"https://www.13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
"https://web.archive.org/web/20210228/https://www.kazamiya.net/files/MFT_Forensics.pdf",
"https://github.com/kacos2000/MFT_Browser",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Requires raw disk access or volume shadow copy; locked on live systems",
"SI timestamps are user-spoofable; always compare against FN timestamps",
"Deleted-file entries may be overwritten if MFT fills up",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "$MFT entries persist until overwritten by new allocations; unallocated entries survive long-term",
};
/// Output schema for `USNJRNL`: one row per USN_RECORD in `$UsnJrnl:$J`.
///
/// The uid is the (usn, file_reference, filename) triple. `file_reference`
/// packs the 48-bit MFT record number with its 16-bit sequence, which lets a
/// journal entry be matched to a specific incarnation of an MFT slot; the
/// `reason` bitmask lists the flag values analysts most often pivot on.
// NOTE(review): `usn` is typed Integer here but UnsignedInt in MFT_FIELDS;
// the Win32 USN type is a signed 64-bit value, so Integer is the faithful
// choice — consider aligning MFT_FIELDS rather than this one.
pub(crate) static USNJRNL_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "usn",
value_type: ValueType::Integer,
description: "Update Sequence Number — monotonically increasing journal position",
is_uid_component: true,
},
FieldSchema {
name: "file_reference",
value_type: ValueType::Integer,
description: "48-bit MFT record number + 16-bit sequence of the affected file",
is_uid_component: true,
},
FieldSchema {
name: "parent_reference",
value_type: ValueType::Integer,
description: "MFT reference of the parent directory at the time of the event",
is_uid_component: false,
},
FieldSchema {
name: "timestamp",
value_type: ValueType::Timestamp,
description: "Event timestamp as a 64-bit Windows FILETIME",
is_uid_component: false,
},
FieldSchema {
name: "reason",
value_type: ValueType::UnsignedInt,
description: "USN reason bitmask: FILE_CREATE (0x100), FILE_DELETE (0x200), RENAME_OLD_NAME (0x1000), RENAME_NEW_NAME (0x2000), DATA_OVERWRITE (0x1), CLOSE (0x80000000)",
is_uid_component: false,
},
FieldSchema {
name: "file_attributes",
value_type: ValueType::UnsignedInt,
description: "Win32 file attribute flags at the time of the event",
is_uid_component: false,
},
FieldSchema {
name: "filename",
value_type: ValueType::Text,
description: "Filename (not full path) of the affected file or directory",
is_uid_component: true,
},
];
/// The NTFS change journal `$UsnJrnl:$J`, read as a raw alternate data stream
/// from the volume device path (`<volume>` placeholder filled by the
/// collector).
///
/// Records create/delete/rename/attribute-change operations by MFT reference
/// and filename, so it outlives directory-entry deletion and MFT slot reuse.
/// It is a rolling buffer (`VolatilityClass::RotatingBuffer`, ~32 MB by
/// default), hence `Strong` rather than `Definitive`.
// NOTE(review): the journal only stores the filename, not the path; the
// parent_reference must be resolved through the $MFT (related id "mft") to
// rebuild full paths, and that resolution is ambiguous once the parent slot
// has been reused.
pub static USNJRNL: ArtifactDescriptor = ArtifactDescriptor {
id: "usnjrnl",
name: "NTFS USN Change Journal ($UsnJrnl:$J)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"\\.\<volume>\$Extend\$UsnJrnl:$J"),
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "Operation-level file system log: file creates, deletes, renames, and attribute changes — survives directory-entry deletion and MFT reuse",
mitre_techniques: &[
"T1070.004", "T1036.003", "T1070.006", ],
fields: USNJRNL_FIELDS,
retention: Some("Configurable; default ~32 MB rolling window (~days of activity)"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["mft", "logfile_ntfs", "prefetch_dir"],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2",
"https://www.sans.org/blog/ntfs-usn-change-journal-forensics/",
"https://github.com/EricZimmerman/MFTECmd",
"https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.usnjournalscanner/",
"https://www.magnetforensics.com/blog/ntfs-usn-change-journal/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Journal is a rolling window (~32 MB default); older entries are overwritten",
"Journal can be cleared by an attacker with sufficient privileges",
"$J alternate data stream requires raw NTFS access — not visible via Win32 APIs",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "$UsnJrnl:$J is a rolling window (~32 MB); oldest records are overwritten as the journal grows",
};
/// The NTFS transaction log `$LogFile`, read as a raw file from the volume
/// device path (`<volume>` placeholder filled by the collector).
///
/// Unlike the other NTFS descriptors, its field schema is declared inline:
/// just the LSN and a record-type label. Its value is corroborative — LSN
/// chains cross-check `$MFT` record LSNs to expose injected metadata — and
/// it wraps within hours on busy systems (`RotatingBuffer`, ~64 MB).
// NOTE(review): the record_type description lists "UPDATE, CHECKPOINT,
// etc." without an exhaustive set; if the decoder emits a fixed vocabulary,
// document it here so consumers can match on it.
pub static LOGFILE_NTFS: ArtifactDescriptor = ArtifactDescriptor {
id: "logfile_ntfs",
name: "NTFS Transaction Log ($LogFile)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"\\.\<volume>\$LogFile"),
scope: DataScope::System,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "NTFS transaction log with LSNs that cross-validate MFT timestamps; recent metadata operations only",
mitre_techniques: &[
"T1070.006", ],
fields: &[
FieldSchema {
name: "lsn",
value_type: ValueType::Integer,
description: "Log Sequence Number — monotonically increasing within the volume",
is_uid_component: true,
},
FieldSchema {
name: "record_type",
value_type: ValueType::Text,
description: "NTFS log record type (UPDATE, CHECKPOINT, etc.)",
is_uid_component: false,
},
],
retention: Some("~64 MB rolling window; typically hours of recent activity"),
triage_priority: TriagePriority::High,
related_artifacts: &["mft", "usnjrnl"],
sources: &[
"https://learn.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview",
"https://github.com/EricZimmerman/NTFSLogTracker",
"https://www.sans.org/blog/the-key-to-ntfs-forensics-the-logfile/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
evidence_caveats: &[
"~64 MB rolling window; typically only hours of recent metadata operations",
"Primarily useful for cross-validating MFT LSN chains to detect timestamp injection",
"Requires specialised NTFS log parser (e.g. NTFSLogTracker)",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "$LogFile is ~64 MB; wraps on high-activity systems within hours",
};
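/// The Prefetch directory (ATT&CK T1204.002): one `.pf` file per executable
/// the prefetcher has observed, collected as a directory listing through
/// `DIR_ENTRY_FIELDS` (defined elsewhere in this file).
///
/// The cap on `.pf` files is count-based, not time-based, and depends on the
/// OS generation: 128 on Windows 7 and earlier, 1024 from Windows 8 onward.
/// The "30-day" phrasing in `meaning` is kept for continuity but the
/// `retention` string now states the actual limits. Prefetch is also not
/// guaranteed to be on — it is disabled by default on Windows Server SKUs —
/// so the caveats make clear that an empty directory is not, by itself,
/// evidence of anti-forensics.
pub static PREFETCH_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "prefetch_dir",
    name: "Prefetch Files Directory",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\Prefetch"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Binary .pf files recording 30-day program execution history with timestamps",
    mitre_techniques: &["T1204.002"],
    fields: DIR_ENTRY_FIELDS,
    // Per-OS cap; the old "128 entries" figure only holds for Windows 7 and
    // earlier.
    retention: Some("128 .pf files on Windows 7 and earlier, 1024 on Windows 8+; oldest evicted"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["shimcache", "amcache_app_file", "bam_user"],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-prefetch-files/",
        "https://13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier",
        "https://isc.sans.edu/diary/Forensic+Value+of+Prefetch/29168",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/",
        "https://github.com/EricZimmerman/PECmd",
        "https://github.com/EricZimmerman/Prefetch",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Prefetching is disabled by default on Windows Server and can be turned off via the EnablePrefetcher setting; an empty directory is not itself evidence of cleanup",
        "The directory listing gives file names and filesystem timestamps only; run counts and embedded last-run times require parsing each .pf file",
    ],
    volatility: None,
    volatility_rationale: "",
};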
/// Output schema for `SRUM_DB`: the application identity and the SID of the
/// user it ran as. Only `app_name` is a uid component.
///
/// The per-app resource counters described in `SRUM_DB.meaning` (CPU,
/// network, energy) are not part of this schema as written.
// NOTE(review): if the ESE parser does surface the counter columns, add them
// here so consumers can key on them; otherwise soften `meaning` accordingly.
pub(crate) static SRUM_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "app_name",
value_type: ValueType::Text,
description: "Application executable path or service name",
is_uid_component: true,
},
FieldSchema {
name: "user_sid",
value_type: ValueType::Text,
description: "SID of the user who ran the application",
is_uid_component: false,
},
];
/// System Resource Usage Monitor database (`SRUDB.dat`, ATT&CK T1204.002):
/// an ESE database of per-application, per-user resource usage that gives an
/// execution timeline independent of the event logs.
///
/// Available from Windows 8 (`Win8Plus`); treated as a `RotatingBuffer` with
/// roughly 30 days of history, and `Strong` because the records are
/// aggregated rather than per-event.
// NOTE(review): SRUM data is held in memory and flushed to the database
// periodically (on the order of an hour), so the most recent activity may
// only exist in the SRUM extension keys of the SOFTWARE hive or in memory
// at acquisition time — worth a caveat.
pub static SRUM_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "srum_db",
name: "SRUM Database (SRUDB.dat)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat"),
scope: DataScope::System,
os_scope: OsScope::Win8Plus,
decoder: Decoder::Identity,
meaning:
"Per-app CPU, network, and energy usage records; execution timeline survives log clearing",
mitre_techniques: &["T1204.002"],
fields: SRUM_FIELDS,
retention: Some("~30 days"),
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://www.sans.org/white-papers/36660/",
"https://www.sans.org/blog/srum-forensics/",
"https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
"https://github.com/MarkBaggett/srum-dump",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Requires ESE database parsing; data is aggregated over time windows",
"App paths may be partial; correlate with other execution artifacts",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "SRUM ESE database; records rolled up and purged periodically",
};
/// Output schema for `WINDOWS_TIMELINE`: one row per `ActivitiesCache.db`
/// activity, keyed by `activity_type`.
///
/// `payload_json` is the type-specific body; for type 16 it carries
/// clipboard text, which is why that type is called out in the parent
/// descriptor. `platform_device_id` is resolved to a device name through the
/// `WINDOWS_TIMELINE_DEVICECACHE` descriptor.
// NOTE(review): the activity_type legend (5/6/11/12/16) is taken from the
// descriptor author; it does not cite a source and other writeups number the
// types differently — verify against the kacos2000 reference in `sources`
// before relying on the labels for anything other than type 16.
// NOTE(review): start_time/end_time are described as Unix epoch; confirm the
// decoder converts them to the same ISO 8601 form the other Timestamp fields
// in this file use.
pub(crate) static WINDOWS_TIMELINE_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "activity_type",
value_type: ValueType::Integer,
description: "5=AppInFocus, 6=AppLifecycle, 11=UserActivity, 12=Notification, 16=CopyPaste",
is_uid_component: true,
},
FieldSchema {
name: "start_time",
value_type: ValueType::Timestamp,
description: "Unix epoch start time of the activity",
is_uid_component: false,
},
FieldSchema {
name: "end_time",
value_type: ValueType::Timestamp,
description: "Unix epoch end time; duration = end_time - start_time gives focus duration",
is_uid_component: false,
},
FieldSchema {
name: "payload_json",
value_type: ValueType::Json,
description: "Type-specific JSON payload; type 16 contains clipboard text",
is_uid_component: false,
},
FieldSchema {
name: "platform_device_id",
value_type: ValueType::Guid,
description: "Device GUID; resolve to name via DeviceCache registry",
is_uid_component: false,
},
FieldSchema {
name: "is_local_only",
value_type: ValueType::Integer,
description:
"1 = not synced to cloud; 0 = was eligible for cross-device sync (pre-July 2021)",
is_uid_component: false,
},
];
/// Windows Timeline activity store (`ActivitiesCache.db`, SQLite), one
/// database per user and per connected account (`file_path` globs both).
///
/// Covers app focus/lifecycle and clipboard (type 16) events with a device
/// GUID per row; pair with `WINDOWS_TIMELINE_DEVICECACHE` (listed in
/// `related_artifacts`) to tell local activity from activity synced from
/// another device. The `meaning` string uses `\` line continuations, so the
/// stored text is a single line.
// NOTE(review): clipboard capture into the database depends on the user's
// clipboard-history / sync settings, and the Timeline feature was removed
// in later Windows 11 builds — `Win10Plus` may over-claim; confirm which
// builds still write this file.
pub static WINDOWS_TIMELINE: ArtifactDescriptor = ArtifactDescriptor {
id: "windows_timeline",
name: "Windows Timeline (ActivitiesCache.db)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db"),
scope: DataScope::User,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "App focus, lifecycle, and clipboard events with per-device attribution. \
Activity_Type 16 (CopyPaste) entries capture clipboard text — primary indicator \
for credential staging and data exfiltration. platform_device_id GUID resolves \
to device name via DeviceCache registry. Cloud sync disabled July 2021; \
db-wal carving recovers deleted clipboard entries.",
mitre_techniques: &["T1059", "T1204.002", "T1115"],
fields: WINDOWS_TIMELINE_FIELDS,
retention: Some("~30 days"),
triage_priority: TriagePriority::Medium,
related_artifacts: &["windows_timeline_devicecache"],
sources: &[
"https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf",
"https://github.com/kacos2000/WindowsTimeline",
"https://www.sans.org/blog/windows-10-timeline-forensic-artifacts/",
"https://aboutdfir.com/windows-10-timeline/",
"http://windowsir.blogspot.com/2019/11/activitescachedb-vs-ntuserdat.html",
"https://github.com/EricZimmerman/WxTCmd",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CloudStore device cache in NTUSER.DAT: maps the `platform_device_id`
/// GUIDs found in `ActivitiesCache.db` to display names.
///
/// Low priority on its own; its role is to let `WINDOWS_TIMELINE` rows be
/// attributed to the examined host versus a synced device. The field schema
/// is declared inline (GUID is the uid component). `key_path` contains a
/// `*` wildcard for the per-account subkey.
// NOTE(review): the `Data` value is a binary CloudStore blob, yet the decoder
// is `Identity`; confirm where the GUID/name pairs are actually extracted.
pub static WINDOWS_TIMELINE_DEVICECACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "windows_timeline_devicecache",
name: "Windows Timeline DeviceCache Registry",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::NtUser),
key_path: r"Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\*\Current",
value_name: Some("Data"),
file_path: None,
scope: DataScope::User,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Maps platform_device_id GUIDs (ActivitiesCache.db Activities.PlatformDeviceId) \
to human-readable device names. Required to determine whether timeline activities \
originated on the examined device or were synced from another.",
mitre_techniques: &["T1059"],
fields: &[
FieldSchema {
name: "device_guid",
value_type: ValueType::Guid,
description: "Device GUID matching Activities.PlatformDeviceId",
is_uid_component: true,
},
FieldSchema {
name: "device_name",
value_type: ValueType::Text,
description: "Human-readable device display name",
is_uid_component: false,
},
],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &["windows_timeline"],
sources: &[
"https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf",
"https://github.com/kacos2000/WindowsTimeline",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Search index in SQLite form (`windows.db`), the Windows 11 22H2+
/// successor to the ESE `Windows.edb` tracked by `windows_search_edb`.
///
/// Its forensic value is the per-item `gather_time`, an indexing timestamp
/// that is independent of NTFS timestamps and so survives timestomping of
/// the file itself (ATT&CK T1070.006). Field schema is declared inline.
// NOTE(review): the index only covers locations the user's indexing scope
// includes; files outside indexed paths (or on systems where the search
// service is disabled) will simply be absent, which is not evidence of
// tampering.
pub static WINDOWS_SEARCH_DB_WIN11: ArtifactDescriptor = ArtifactDescriptor {
id: "windows_search_db_win11",
name: "Windows Search Index SQLite (windows.db, Win11 22H2+)",
artifact_type: ArtifactType::DatabaseEntry,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.db"),
scope: DataScope::System,
os_scope: OsScope::Win11_22H2,
decoder: Decoder::Identity,
meaning: "Win11 22H2+ replacement for Windows.edb. Same forensic value — \
gather_time independent of NTFS timestamps — but SQLite3 format. \
Different path: note 'Search' (not 'Windows Search') and 'windows.db' (lowercase). \
Check for both files on Win11 systems.",
mitre_techniques: &["T1070.004", "T1070.006"],
fields: &[
FieldSchema {
name: "file_path",
value_type: ValueType::Text,
description: "Indexed file or folder path",
is_uid_component: true,
},
FieldSchema {
name: "gather_time",
value_type: ValueType::Timestamp,
description: "Last indexed time — independent of NTFS timestamps",
is_uid_component: false,
},
],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &["windows_search_edb", "mft", "usnjrnl"],
sources: &["https://github.com/kacos2000/WinEDB"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PSReadLine console history (ATT&CK T1059.001 / T1552): a plain-text,
/// one-command-per-line file per user profile, globbed across `C:\Users`.
///
/// Only interactive sessions that load the PSReadLine module write here;
/// scripts, remoting sessions and non-interactive invocations do not. The
/// 4096-command cap matches PSReadLine's default maximum history count.
/// `FILE_PATH_FIELDS` is defined elsewhere in this file.
// NOTE(review): the history is trivially cleared or disabled from within the
// session (the PSReadLine save option), so treat an absent or truncated file
// as a prompt to pivot to PowerShell operational/script-block logging rather
// than as a negative result.
pub static POWERSHELL_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "powershell_history",
name: "PowerShell PSReadLine History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
r"C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
),
scope: DataScope::User,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Line-by-line PowerShell interactive command history; attackers often clear this",
mitre_techniques: &["T1059.001", "T1552"],
fields: FILE_PATH_FIELDS,
retention: Some("4096 commands; oldest evicted when limit reached"),
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/powershell-forensics/",
"https://redcanary.com/threat-detection-report/techniques/t1059.001/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
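/// Schema of a parsed `$I` Recycle Bin metadata record.
///
/// Layout: `u64 version @0`, `u64 original_size @8`, `FILETIME @16`, then the
/// UTF-16LE original path — fixed 520 bytes at @24 for version 1, or a
/// `u32` length at @24 followed by the path at @28 for version 2. The owning
/// SID comes from the parent directory name, not from the record itself.
pub const RECYCLE_BIN_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "version",
        value_type: ValueType::UnsignedInt,
        description: "uint64 at offset 0: 1=Vista/7/8/8.1 (fixed 520-byte path at offset 24), 2=Win10/11 (uint32 path length in UTF-16 code units at offset 24, path at 28); selects correct UTF-16LE path offset",
        is_uid_component: false,
    },
    FieldSchema {
        name: "original_size",
        value_type: ValueType::UnsignedInt,
        description: "uint64 at offset 8: size of deleted file in bytes; zero if file was a directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "deletion_time",
        value_type: ValueType::Timestamp,
        // Shift+Delete, `del` and Remove-Item never pass through the bin, so a
        // missing $I says nothing about whether a file was deleted.
        description: "FILETIME (100-ns intervals since 1601-01-01) at offset 16: moment the file was moved to Recycle.Bin — not secure-delete time, and files removed with Shift+Delete or from the command line never produce a $I record; convert: (filetime - 116444736000000000) / 10000000 = Unix epoch",
        is_uid_component: false,
    },
    FieldSchema {
        name: "original_path",
        value_type: ValueType::Text,
        description: "UTF-16LE null-terminated string starting at offset 24 (v1) or 28 (v2): full pre-deletion Windows path (e.g. C:\\Users\\alice\\Documents\\creds.xlsx); survives Recycle.Bin emptying if $I file is not overwritten",
        is_uid_component: true,
    },
    FieldSchema {
        name: "sid",
        value_type: ValueType::Text,
        // The SAM only knows local accounts; domain SIDs resolve through ProfileList.
        description: "Security Identifier from parent directory name, format S-1-5-21-…-{RID}; identifies which user deleted the file; resolve via the SAM hive (HKLM\\SAM\\SAM\\Domains\\Account\\Users) for local accounts, or via HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList for domain accounts, which the SAM does not contain",
        is_uid_component: true,
    },
    FieldSchema {
        name: "i_filename",
        value_type: ValueType::Text,
        description: "$I{hex} — the metadata filename; hex suffix links to matching $R{hex} content file; suffix is random but consistent within the pair",
        is_uid_component: true,
    },
    FieldSchema {
        name: "r_file_exists",
        value_type: ValueType::Bool,
        description: "bool: whether $R{hex} content file is present; False = file permanently deleted or Bin emptied — but $I metadata still recoverable; analysts can reconstruct deletion evidence from $I alone",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_addr",
        value_type: ValueType::UnsignedInt,
        description: "NTFS MFT record address (meta.addr via pytsk3) of the $I file itself; pivot to $MFT for additional timeline anchors independent of $I timestamps",
        is_uid_component: false,
    },
];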
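/// Per-user `$I` metadata records under the system volume's `$Recycle.Bin`.
///
/// `$I` files are tiny, so their data is normally resident in the MFT record;
/// that is why the metadata usually outlives emptying of the bin until the
/// record is reused. Each NTFS volume carries its own `$Recycle.Bin`; this
/// descriptor only walks `C:`.
pub static RECYCLE_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "recycle_bin",
    name: "Recycle Bin ($I Metadata)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // NOTE(review): `{SID}` is a placeholder, unlike the `*` globs used by the
    // other Windows paths in this file — confirm the path matcher expands it.
    file_path: Some(r"C:\$Recycle.Bin\{SID}\$I*"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "$I files reveal original path and deletion timestamp even after Recycle Bin is emptied; version field selects correct path offset (24 vs 28); SID directory links deletion to a specific user account (pivot to SAM hive for local accounts, ProfileList for domain SIDs); $R absence means content is unrecoverable but $I metadata typically survives (resident in its MFT record) until the record is reused",
    mitre_techniques: &["T1070.004", "T1083", "T1078.003"],
    fields: RECYCLE_BIN_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["sam_users", "mft_file", "usnjrnl", "lnk_files"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-recycle-bin-forensics/",
        "https://windowsir.blogspot.com/2010/02/more-on-recycle-bin.html",
        "https://www.magnetforensics.com/blog/artifact-profile-recycle-bin/",
        "https://andreafortuna.org/2019/09/26/windows-forensics-analysis-of-recycle-bin-artifacts/",
        "https://github.com/EricZimmerman/RBCmd",
        "https://github.com/akhil-dara/RecycleBin-Forensic-Explorer",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "File name and deletion time available; original content may be overwritten",
        "Shift+Delete, del/Remove-Item and deletions by non-Explorer tools bypass the bin entirely and leave no $I record",
        "Every NTFS volume has its own $Recycle.Bin; this path enumerates only the system volume",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Deleted on permanent delete; survives recycle until purge",
};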
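/// Explorer's per-user thumbnail cache directory (`thumbcache_*.db`).
///
/// A thumbnail is generated when a file is rendered in a thumbnail/large-icon
/// folder view, so presence shows the file existed and was displayed — not
/// that it was opened. Entries are keyed by a cache ID rather than a path;
/// the original filename has to be recovered by correlation.
pub static THUMBCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "thumbcache",
    name: "Explorer Thumbnail Cache",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Windows\Explorer"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Cached thumbnails (thumbcache_*.db) including those of since-deleted files; shows a file was rendered in an Explorer thumbnail view, not necessarily opened",
    mitre_techniques: &["T1083"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["search_db_user"],
    sources: &[
        "https://www.sans.org/blog/thumbnail-cache-forensics/",
        "https://www.nirsoft.net/utils/thumbcache_viewer.html",
        "https://www.pentestpartners.com/security-blog/thumbnail-forensics-dfir-techniques-for-analysing-windows-thumbcache/",
        "https://thumbcacheviewer.github.io/",
        "https://forensics.wiki/windows_thumbcache/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Entries are keyed by a hash/cache ID, not a path; correlate with the Windows Search index (ThumbnailCacheId column) to recover the original filename",
        "Presence proves rendering in a folder view, not that the user opened the file",
    ],
    volatility: None,
    volatility_rationale: "",
};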
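/// The legacy ESE Windows Search index (`Windows.edb`).
///
/// The descriptor name previously said "Windows.db", which is the SQLite
/// index Windows 11 switched to; the `file_path` and `meaning` here describe
/// the ESE `Windows.edb`, so the name now matches them. The `_user` id suffix
/// is historical — the index is machine-wide (`DataScope::System`).
pub static SEARCH_DB_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "search_db_user",
    name: "Windows Search Database (Windows.edb)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning:
        "ESE database of indexed file metadata; reveals filenames and content even after deletion",
    mitre_techniques: &["T1083"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/windows-search-index-forensics/",
        "https://learn.microsoft.com/en-us/windows/win32/search/windows-search",
        "https://cyber.aon.com/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/",
        "https://github.com/EricZimmerman/SQLECmd",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Windows 11 stores the index as a SQLite Windows.db instead; this descriptor covers only the legacy ESE Windows.edb",
        "The file is held open by SearchIndexer on a live host; collect from a VSS snapshot or after stopping the WSearch service, and expect a dirty-shutdown state needing esentutl /r before parsing",
    ],
    volatility: None,
    volatility_rationale: "",
};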
/// Single-column schema shared by the DPAPI master-key and credential-blob
/// descriptors: each record is identified by its GUID-named file.
pub(crate) static DPAPI_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "guid",
    description: "GUID filename of the DPAPI master key or credential blob",
    value_type: ValueType::Text,
    is_uid_component: true,
}];
/// Per-user DPAPI master-key directory (`Protect\<SID>\`).
///
/// Collected because nearly every other user secret on the host (browser
/// passwords, Credential Manager blobs, WiFi keys) is wrapped by one of these
/// keys; on its own a master key proves nothing beyond the profile existing.
pub static DPAPI_MASTERKEY_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "dpapi_masterkey_user",
    name: "DPAPI User Master Keys",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::All,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Protect\*"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: DPAPI_FIELDS,
    // analyst guidance
    meaning: "Master keys protecting all DPAPI-encrypted user secrets (credentials, browser passwords, WiFi PSKs)",
    mitre_techniques: &["T1555.004"],
    triage_priority: TriagePriority::Critical,
    retention: None,
    related_artifacts: &["dpapi_cred_user", "dpapi_credhist", "chrome_login_data"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Presence expected for every user; useful for decrypting other artifacts"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    // NOTE(review): the AD backup applies to domain accounts only; local
    // accounts have no domain backup key.
    volatility_rationale: "Master keys persist; old keys backed up in AD",
    // references
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
        "https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/",
    ],
};
/// Local (non-roaming) Credential Manager blobs for a user.
///
/// The blobs are opaque until the matching master key from
/// `dpapi_masterkey_user` is available; the descriptor therefore records
/// presence and GUID only.
pub static DPAPI_CRED_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "dpapi_cred_user",
    name: "DPAPI Credential Blobs (Local)",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::All,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Credentials"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: DPAPI_FIELDS,
    // analyst guidance
    meaning:
        "DPAPI-encrypted credential blobs for network resources; decryptable with DPAPI master key",
    mitre_techniques: &["T1555.004"],
    triage_priority: TriagePriority::High,
    retention: None,
    related_artifacts: &["dpapi_masterkey_user", "windows_vault_user"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Encrypted credential blobs; useful with DPAPI master key decryption"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Encrypted credential blobs; persist until explicit deletion",
    // references
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
        "https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/",
    ],
};
/// Roaming-profile Credential Manager blobs; same on-disk format as the
/// local variant, different directory.
pub static DPAPI_CRED_ROAMING: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "dpapi_cred_roaming",
    name: "DPAPI Credential Blobs (Roaming)",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::All,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Credentials"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: DPAPI_FIELDS,
    // analyst guidance
    // NOTE(review): "synced across domain machines" presumably assumes a
    // roaming profile is configured; otherwise this folder stays local.
    meaning:
        "Roaming DPAPI credential blobs; same structure as Local, synced across domain machines",
    mitre_techniques: &["T1555.004"],
    triage_priority: TriagePriority::High,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
    ],
};
/// Schema for Windows Vault directories: one `.vpol` policy file carrying the
/// key material and one `.vcrd` file per stored credential.
pub(crate) static VAULT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "policy_file",
        description: ".vpol policy file containing encryption key material",
        value_type: ValueType::Text,
        is_uid_component: false,
    },
    FieldSchema {
        name: "vcrd_file",
        description: ".vcrd credential file containing the encrypted credential",
        value_type: ValueType::Text,
        // the credential file, not the shared policy, distinguishes records
        is_uid_component: true,
    },
];
/// Per-user Credential Manager vault directory.
pub static WINDOWS_VAULT_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "windows_vault_user",
    name: "Windows Vault (User)",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Vault"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: VAULT_FIELDS,
    // analyst guidance
    meaning: "Per-user Credential Manager vault (.vpol + .vcrd); contains WEB and WINDOWS saved credentials",
    mitre_techniques: &["T1555.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-manager",
        "https://blog.digital-forensics.it/2016/01/windows-revaulting.html",
    ],
};
/// Machine-wide Credential Manager vault directory.
pub static WINDOWS_VAULT_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "windows_vault_system",
    name: "Windows Vault (System)",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    file_path: Some(r"C:\ProgramData\Microsoft\Vault"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: VAULT_FIELDS,
    // analyst guidance
    meaning: "System-level Windows Credential Manager vault; contains machine-scoped credentials",
    mitre_techniques: &["T1555.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-manager",
        "https://blog.digital-forensics.it/2016/01/windows-revaulting.html",
    ],
};
/// Schema for the per-server `UsernameHint` value under
/// `Terminal Server Client\Servers\<host>`.
// NOTE(review): no field here is a uid component, so records are presumably
// distinguished by the server subkey name the extractor supplies — confirm.
pub(crate) static RDP_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "username_hint",
    description: "Last username used to connect to this RDP server",
    value_type: ValueType::Text,
    is_uid_component: false,
}];
/// mstsc's per-server key list; one subkey per host ever connected to, each
/// holding the last `UsernameHint`.
pub static RDP_CLIENT_SERVERS: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "rdp_client_servers",
    name: "RDP Client Saved Servers",
    // location — the value lives under each <host> subkey of this key
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Terminal Server Client\Servers",
    value_name: Some("UsernameHint"),
    file_path: None,
    // parsing
    decoder: Decoder::Identity,
    fields: RDP_FIELDS,
    // analyst guidance
    meaning:
        "Hostnames and usernames of previously-connected RDP servers; lateral movement evidence",
    mitre_techniques: &["T1021.001"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Proves RDP was initiated FROM this machine; does not confirm success"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "MRU; rotated when max entries exceeded",
    // references
    sources: &[
        "https://www.sans.org/blog/windows-rdp-forensics/",
        "https://forensafe.com/blogs/rdc.html",
        "https://www.magnetforensics.com/blog/rdp-artifacts-in-incident-response/",
    ],
};
/// Schema for one `MRUn` value of the mstsc Default key: the server address.
pub(crate) static RDP_MRU_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "server",
    description: "RDP server address from the most-recently-used list",
    value_type: ValueType::Text,
    is_uid_component: true,
}];
/// mstsc's most-recently-used server list (`MRU0`..`MRU9`).
pub static RDP_CLIENT_DEFAULT: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "rdp_client_default",
    name: "RDP Client Default MRU",
    // location
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Terminal Server Client\Default",
    value_name: None,
    file_path: None,
    // parsing
    decoder: Decoder::Identity,
    fields: RDP_MRU_FIELDS,
    // analyst guidance
    meaning:
        "MRU0-MRU9 ordered list of RDP server addresses; confirms specific hosts were targeted",
    mitre_techniques: &["T1021.001"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.sans.org/blog/windows-rdp-forensics/",
        "https://forensafe.com/blogs/rdc.html",
        "https://www.magnetforensics.com/blog/rdp-artifacts-in-incident-response/",
    ],
};
/// Schema for the NTDS.dit descriptor: presence is the signal, so the only
/// column is the path where the database was found.
pub(crate) static NTDS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "path",
    description: "Full path to the NTDS.dit file",
    value_type: ValueType::Text,
    is_uid_component: true,
}];
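/// The Active Directory database on a domain controller.
///
/// The file exists only on DCs, is locked by the NTDS service while the DC is
/// running, and its secrets are encrypted with a key derived from the same
/// host's SYSTEM-hive boot key — a copy of NTDS.dit without SYSTEM yields no
/// hashes. Its location is configurable via the `DSA Database file` value
/// under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`.
pub static NTDS_DIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "ntds_dit",
    name: "Active Directory Database (NTDS.dit)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\NTDS\NTDS.dit"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Domain controller AD database; contains NTLM hashes for all domain accounts",
    mitre_techniques: &["T1003.003"],
    fields: NTDS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/protecting-ad-from-credential-theft/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "All domain hashes present; requires parsing with secretsdump or ntdsutil",
        "Present only on domain controllers; locked by the NTDS service on a live DC, so collect via a VSS snapshot or ntdsutil IFM",
        "Hashes are encrypted with the boot key from the same DC's SYSTEM hive; collect both or the database cannot be decrypted",
        "Default path only; the location is set by the 'DSA Database file' value under SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "AD database file; persists for the life of the DC role — object deletions are tombstoned inside it, the file is not removed",
};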
/// Columns extracted from a Chromium `logins` table; the encrypted password
/// is deliberately not a field.
pub(crate) static BROWSER_CRED_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "origin_url",
        description: "URL the credential is associated with",
        value_type: ValueType::Text,
        is_uid_component: true,
    },
    FieldSchema {
        name: "username_value",
        description: "Saved username",
        value_type: ValueType::Text,
        is_uid_component: false,
    },
];
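/// Chromium `Login Data` SQLite database (Chrome `Default` profile path).
///
/// Modern Chromium does not DPAPI-encrypt each password directly: the
/// `password_value` blobs (v10 prefix) are AES-256-GCM encrypted with a
/// per-profile key that is itself DPAPI-protected in the profile's
/// `Local State` file (`os_crypt.encrypted_key`); only legacy rows are raw
/// DPAPI blobs. Newer builds may add an app-bound (v20) layer on top that
/// needs the browser's elevation service to unwrap. The glob below only
/// matches Chrome's first profile — Edge and `Profile N` directories are
/// not covered.
pub static CHROME_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "chrome_login_data",
    name: "Chrome/Edge Login Data (SQLite)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "SQLite DB (logins table) of saved Chrome/Edge credentials; password_value is AES-GCM encrypted with a per-profile key that is DPAPI-protected in Local State (legacy rows are direct DPAPI blobs)",
    mitre_techniques: &["T1555.003"],
    fields: BROWSER_CRED_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["chrome_cookies", "dpapi_masterkey_user"],
    sources: &[
        "https://redcanary.com/threat-detection-report/techniques/t1555/",
        "https://atropos4n6.com/windows/chrome-login-data-forensics/",
        "https://www.foxtonforensics.com/blog/post/analysing-chrome-login-data",
        "https://github.com/EricZimmerman/SQLECmd",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Decryption needs the profile's Local State file (os_crypt.encrypted_key) plus the user's DPAPI master key; newer builds may additionally require app-bound (v20) decryption",
        "May contain stale or user-deleted passwords",
        "Path covers only Chrome's Default profile; Edge keeps the same schema under AppData\\Local\\Microsoft\\Edge\\User Data\\, and extra profiles live in 'Profile N' directories",
        "Also check Login Data For Account, which holds credentials synced to a signed-in Google account",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SQLite DB; credentials persist until deleted from browser",
};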
/// Single column from a Firefox `logins.json` entry: the site hostname.
pub(crate) static FIREFOX_CRED_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "hostname",
    description: "Hostname the Firefox credential is associated with",
    value_type: ValueType::Text,
    is_uid_component: true,
}];
/// Firefox saved logins (`logins.json`) for every profile under the roaming
/// Mozilla directory; secrets are NSS-encrypted and keyed by `key4.db`.
pub static FIREFOX_LOGINS: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "firefox_logins",
    name: "Firefox logins.json",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::All,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: FIREFOX_CRED_FIELDS,
    // analyst guidance
    meaning:
        "NSS3-encrypted Firefox saved credentials; decryptable with key4.db and master password",
    mitre_techniques: &["T1555.003"],
    triage_priority: TriagePriority::Critical,
    retention: None,
    related_artifacts: &[],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Encrypted with Firefox key4.db; requires key extraction for plaintext",
        "Primary password (master password) prevents access if set",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "JSON file; credentials persist until deleted from browser",
    // references
    sources: &[
        "https://redcanary.com/threat-detection-report/techniques/t1555/",
        "https://atropos4n6.com/windows/chrome-login-data-forensics/",
    ],
};
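/// Columns extracted from a WLAN profile XML.
///
/// In the on-disk profiles under `Wlansvc\Profiles\Interfaces` the
/// `keyMaterial` element is stored DPAPI-protected (`protected="true"`) in
/// the machine context, so this column normally holds ciphertext unless the
/// collector decrypted it with the machine master key.
pub(crate) static WIFI_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "ssid",
        value_type: ValueType::Text,
        description: "WiFi network SSID (network name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "key_material",
        value_type: ValueType::Text,
        description: "Pre-shared key or 802.1X EAP credentials; in the on-disk profile this is DPAPI-protected under the machine context (protected=\"true\"), so expect ciphertext unless decrypted with the SYSTEM master key",
        is_uid_component: false,
    },
];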
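/// Saved WLAN profiles, one XML file per network under each interface GUID.
///
/// The profile XML names the SSID and authentication type in the clear, but
/// the PSK/EAP secret in `keyMaterial` is DPAPI-encrypted under the machine
/// (SYSTEM) context. Plaintext therefore needs the machine master key offline
/// or `netsh wlan show profile name=<ssid> key=clear` on the live host — it is
/// not simply readable from the file. The files live on disk, not in the
/// registry, so the volatility rationale refers to the files.
pub static WIFI_PROFILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "wifi_profiles",
    name: "Wireless Network Profiles (WLAN)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "XML profiles for previously joined WiFi networks; keyMaterial holds the PSK or EAP secret DPAPI-encrypted under the machine (SYSTEM) context, so plaintext requires the machine master key or netsh wlan show profile key=clear on the live host",
    mitre_techniques: &["T1552.001"],
    fields: WIFI_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/wireless-forensics/",
        "https://forensafe.com/blogs/winwirelessnetworks.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Network profile history shows locations visited; useful for timeline and geographic profiling",
        "The stored key is ciphertext; decrypting it offline needs the SYSTEM-context DPAPI master key from the same machine",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Profile XML files persist on disk until the network is forgotten or the profile is deleted",
};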
/// One-line schema reused for crontab-style files and shell startup scripts:
/// each record is a raw line of the file.
pub(crate) static CRON_LINE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "schedule_line",
    description: "Cron schedule expression and command, or shell script line",
    value_type: ValueType::Text,
    is_uid_component: false,
}];
/// Schema for an `authorized_keys`-style entry: the whole public-key line.
pub(crate) static SSH_KEY_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "public_key",
    description: "SSH public key entry (key-type base64 comment)",
    value_type: ValueType::Text,
    is_uid_component: true,
}];
/// Schema for a local account record (passwd-style): name plus numeric uid.
pub(crate) static ACCOUNT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "username",
        description: "Account username",
        value_type: ValueType::Text,
        is_uid_component: true,
    },
    FieldSchema {
        name: "uid",
        description: "Numeric user ID (0 = root)",
        value_type: ValueType::UnsignedInt,
        is_uid_component: false,
    },
];
/// Schema for free-form log sources: one record per line or journal entry.
pub(crate) static LOG_LINE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "log_line",
    description: "Log line or structured journal entry",
    value_type: ValueType::Text,
    is_uid_component: false,
}];
/// The system crontab; unlike user crontabs each line carries a user field,
/// so a job can be scheduled to run as any account.
pub static LINUX_CRONTAB_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_crontab_system",
    name: "System Crontab (/etc/crontab)",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    file_path: Some("/etc/crontab"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "System-wide scheduled job definitions; user field allows cross-account execution",
    mitre_techniques: &["T1053.003"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://linux.die.net/man/5/crontab",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
};
/// Drop-in crontab fragments; a single new file here is enough for
/// persistence and leaves `/etc/crontab` untouched.
pub static LINUX_CRON_D: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_cron_d",
    name: "Cron Drop-in Directory (/etc/cron.d/)",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    file_path: Some("/etc/cron.d"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "Drop-in cron files with full crontab format; easy to add without touching crontab",
    mitre_techniques: &["T1053.003"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
};
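/// The `run-parts` periodic script directories.
///
/// The name advertises all four periods but `file_path` walks only
/// `/etc/cron.daily`; the hourly/weekly/monthly siblings need their own
/// collection. Scripts here run only if executable and if their name passes
/// run-parts' rules (letters, digits, `_`, `-` — no dots), which attackers
/// and package managers alike rely on.
pub static LINUX_CRON_PERIODIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_cron_periodic",
    name: "Cron Periodic Directories (/etc/cron.{daily,hourly,weekly,monthly}/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // NOTE(review): only the daily directory is enumerated — see caveats.
    file_path: Some("/etc/cron.daily"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Shell scripts executed periodically by crond/anacron; no schedule syntax required",
    mitre_techniques: &["T1053.003"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "This descriptor enumerates only /etc/cron.daily; collect /etc/cron.hourly, /etc/cron.weekly and /etc/cron.monthly separately",
        "A script listed here only runs if it is executable and its name satisfies run-parts naming rules (no dots); check mode bits, not just presence",
    ],
    volatility: None,
    volatility_rationale: "",
};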
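/// Per-user crontab spool files (one file per user, named after the user).
///
/// `/var/spool/cron/crontabs/` is the Debian/Ubuntu layout; RHEL, Fedora and
/// relatives put the files directly in `/var/spool/cron/`, so on those hosts
/// this glob matches nothing and the spool must be collected from the
/// parent directory.
pub static LINUX_USER_CRONTAB: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_user_crontab",
    name: "Per-User Crontab Spool",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/spool/cron/crontabs/*"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Per-user scheduled jobs; attacker can set up recurring execution without admin",
    mitre_techniques: &["T1053.003"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Unexpected cron entries are definitive persistence indicators; compare against known-good baseline",
        "Path is the Debian/Ubuntu spool; RHEL/Fedora-family hosts keep user crontabs directly under /var/spool/cron/, where this glob does not look",
        "The filename is the owning user; a crontab for a service or no-login account is itself suspicious",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Crontab entry; persists until crontab -r",
};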
/// anacron's job table; jobs are expressed as "every N days" and catch up
/// after downtime, which is why it survives on laptops and VMs that sleep.
pub static LINUX_ANACRONTAB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_anacrontab",
    name: "Anacrontab (/etc/anacrontab)",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    file_path: Some("/etc/anacrontab"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "Deferred cron jobs for irregular uptime; period-based rather than time-based",
    mitre_techniques: &["T1053.003"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &["https://linux.die.net/man/8/anacron"],
};
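/// Administrator-level systemd unit directory.
///
/// `/etc/systemd/system` is only one of the unit search paths; units also
/// live in `/usr/lib/systemd/system` and `/run/systemd/system`, and
/// `<unit>.d/*.conf` drop-ins can replace `ExecStart=` without touching the
/// unit file. `WantedBy=` is inert until the unit is enabled (a symlink in
/// `<target>.wants/`), and `User=` means the service does not run as root.
pub static LINUX_SYSTEMD_SYSTEM_UNIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_systemd_system_unit",
    name: "systemd System Service Units",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/systemd/system"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning:
        "Service definitions executed as root at boot; WantedBy=multi-user.target = auto-start",
    mitre_techniques: &["T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
        "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Only the admin unit directory is walked; also check /usr/lib/systemd/system, /run/systemd/system and *.service.d/ drop-ins, which can override ExecStart",
        "WantedBy= has no effect until the unit is enabled (symlink under <target>.wants/); a User= directive means the service does not run as root",
    ],
    volatility: None,
    volatility_rationale: "",
};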
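/// User-scope systemd units in the XDG config directory.
///
/// These run under the user's own `systemd --user` manager. Normally that
/// manager starts at the first login and stops at the last logout, but
/// `loginctl enable-linger <user>` starts it at boot, so user units become
/// root-free boot persistence. Other user unit paths (`/etc/systemd/user`,
/// `~/.local/share/systemd/user`) are not covered by this glob.
pub static LINUX_SYSTEMD_USER_UNIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_systemd_user_unit",
    name: "systemd User Service Units",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // NOTE(review): `~` must be expanded per home directory by the collector;
    // the Windows descriptors in this file use `*` globs instead — confirm.
    file_path: Some("~/.config/systemd/user"),
    scope: DataScope::User,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning: "User-scope service definitions; executed without root on user login",
    mitre_techniques: &["T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "With loginctl enable-linger the user's manager starts at boot, so these units run without any login; check /var/lib/systemd/linger/",
        "Also check /etc/systemd/user (applies to all users) and ~/.local/share/systemd/user, which this path does not cover",
    ],
    volatility: None,
    volatility_rationale: "",
};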
/// systemd `.timer` units in the admin unit directory (same path as the
/// service-unit descriptor; the timer fires a matching `.service`).
pub static LINUX_SYSTEMD_TIMER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_systemd_timer",
    name: "systemd Timer Units",
    // location
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    file_path: Some("/etc/systemd/system"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing
    decoder: Decoder::Identity,
    fields: DIR_ENTRY_FIELDS,
    // analyst guidance
    meaning: "Timer-based scheduled execution; malicious timers trigger services on a schedule",
    mitre_techniques: &["T1053.006"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.freedesktop.org/software/systemd/man/systemd.timer.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
};
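/// The legacy `rc.local` boot script.
///
/// On systemd hosts the script is only honoured when it is executable and
/// `rc-local.service` is active (the generator skips a non-executable file).
/// Many current distributions ship without the file at all, so its mere
/// presence — and especially a fresh mtime — is worth a look.
pub static LINUX_RC_LOCAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_rc_local",
    name: "rc.local Startup Script",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/rc.local"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Legacy boot-time script executed as root; simple and widely supported",
    mitre_techniques: &["T1037.004"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
        "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "On systemd hosts rc.local runs only if the file is executable and rc-local.service is active; verify both before treating an entry as live persistence",
        "Many current distributions do not ship the file; its existence on such a host is itself notable",
    ],
    volatility: None,
    volatility_rationale: "",
};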
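/// SysV-style init scripts.
///
/// A script in `/etc/init.d` does nothing by itself: it runs at boot only
/// when linked from the relevant `/etc/rc<N>.d/S*` entries (or, on systemd
/// hosts, picked up by `systemd-sysv-generator`). Review the enable state,
/// not just the directory listing.
pub static LINUX_INIT_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_init_d",
    name: "SysV Init Scripts (/etc/init.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/init.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "SysV init scripts; malicious script here runs at boot across reboots",
    mitre_techniques: &["T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "A script here runs at boot only when enabled — linked from /etc/rc*.d or wrapped by systemd-sysv-generator; check the symlinks or `systemctl status <name>`",
    ],
    volatility: None,
    volatility_rationale: "",
};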
/// Per-user interactive bash startup file.
pub static LINUX_BASHRC_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_bashrc_user",
    name: "User ~/.bashrc",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    file_path: Some("~/.bashrc"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing — each line becomes a record
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "Sourced on every interactive bash session; persistent aliases, functions, or background processes",
    mitre_techniques: &["T1546.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
        "https://www.elastic.co/guide/en/security/current/bash-shell-profile-modification.html",
    ],
};
/// Per-user bash login-shell startup file.
pub static LINUX_BASH_PROFILE_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_bash_profile_user",
    name: "User ~/.bash_profile",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    file_path: Some("~/.bash_profile"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing — each line becomes a record
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "Sourced on Bash login shells; runs at SSH login and console login",
    mitre_techniques: &["T1546.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
};
/// Per-user POSIX login startup file (`~/.profile`).
pub static LINUX_PROFILE_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_profile_user",
    name: "User ~/.profile",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    file_path: Some("~/.profile"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing — each line becomes a record
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "POSIX login shell startup; sourced by sh, dash, and bash on login",
    mitre_techniques: &["T1546.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
};
/// Per-user interactive zsh startup file.
pub static LINUX_ZSHRC_USER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "linux_zshrc_user",
    name: "User ~/.zshrc",
    // location
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    file_path: Some("~/.zshrc"),
    hive: None,
    key_path: "",
    value_name: None,
    // parsing — each line becomes a record
    decoder: Decoder::Identity,
    fields: CRON_LINE_FIELDS,
    // analyst guidance
    meaning: "Sourced on every interactive Zsh session; same persistence vector as .bashrc",
    mitre_techniques: &["T1546.004"],
    triage_priority: TriagePriority::Medium,
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // references
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
};
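/// System-wide login-shell startup file (`/etc/profile`).
///
/// Read by Bourne-compatible login shells (sh, dash, bash) for every user;
/// on most distributions it also loops over `/etc/profile.d/*.sh`. Zsh uses
/// `/etc/zprofile` (or `/etc/zsh/zprofile` on Debian) instead.
pub static LINUX_PROFILE_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_profile_system",
    name: "System /etc/profile",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/profile"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "System-wide login shell startup for all users; on most distributions also sources /etc/profile.d/*.sh",
    mitre_techniques: &["T1546.004"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_profile_d", "linux_bash_profile_user", "linux_profile_user"],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Package-owned file; verify against the package manifest (dpkg -V base-files / rpm -V setup) before treating a change as malicious",
        "Requires root to modify; a modified file implies the attacker already had root, so look for the escalation path as well",
        "Not read by zsh login shells (those use /etc/zprofile)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain-text file in /etc; persists until edited, removed, or replaced by a package upgrade",
};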
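/// System-wide login-shell drop-in directory (`/etc/profile.d/`).
///
/// Scripts here are executed by the loop in `/etc/profile` for every login
/// shell. Dropping a file is easier than editing `/etc/profile` and is
/// less likely to be caught by a package integrity check on that file.
pub static LINUX_PROFILE_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_profile_d",
    name: "System /etc/profile.d/ Drop-ins",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/profile.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Shell scripts sourced by /etc/profile for all users at login; drop-in persistence",
    mitre_techniques: &["T1546.004"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_profile_system"],
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Most distributions source only *.sh files here (check the loop in /etc/profile); a file with another extension is inert unless /etc/profile was also changed",
        "Nearly every file here is package-owned; a file that no package claims (dpkg -S / rpm -qf) or whose hash fails dpkg -V / rpm -V is the indicator",
        "Requires root to write; a dropped file implies prior privilege escalation",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc; persist until removed or replaced by a package upgrade",
};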
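/// Dynamic-linker preload list (`/etc/ld.so.preload`).
///
/// Every shared object listed here is loaded by `ld.so` into every
/// dynamically linked process, before the program's own dependencies, which
/// is how user-space rootkits hook `readdir`/`open`/`getdents` to hide
/// themselves. The file is normally absent, so its mere existence is worth
/// a look; unlike the `LD_PRELOAD` environment variable it is honoured for
/// setuid binaries too.
pub static LINUX_LD_SO_PRELOAD: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_ld_so_preload",
    name: "Dynamic Linker Preload (/etc/ld.so.preload)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/ld.so.preload"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Libraries preloaded into EVERY dynamically linked process system-wide, setuid binaries included; standard user-space rootkit hiding mechanism. Normally absent.",
    // T1014 (Rootkit) added: the meaning above names this as the classic user-space rootkit vector.
    mitre_techniques: &["T1574.006", "T1014"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    // Raised from Medium: the file rarely exists legitimately and affects every process.
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_ld_so_conf_d"],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://www.wiz.io/blog/linux-rootkits-explained-part-1-dynamic-linker-hijacking",
        "https://www.sentinelone.com/labs/leveraging-ld_audit-to-beat-the-traditional-linux-library-preloading-technique/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "A preloaded library hooking the libc file API can hide this very file from ls/cat on the live host; read it with a statically linked tool or from an offline image",
        "Statically linked binaries are unaffected, so a static busybox is the safe triage tool; confirm injection with /proc/<pid>/maps on a live system",
        "Legitimate uses exist but are rare (some EDR/profiling agents); resolve each listed path and check package ownership before concluding",
        "The listed library must exist for the hook to work; a dangling entry leaves an 'ERROR: ld.so: object ... cannot be preloaded' message on every command — a useful hint of a partially cleaned rootkit",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain-text file in /etc; persists until removed",
};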
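/// Dynamic-linker search-path drop-ins (`/etc/ld.so.conf.d/`).
///
/// Directories listed here are compiled into `/etc/ld.so.cache` by `ldconfig`
/// ahead of the trusted `/lib` and `/usr/lib`, so an attacker-controlled
/// directory can shadow a system library by name. The entry only takes
/// effect once `ldconfig` has been re-run.
pub static LINUX_LD_SO_CONF_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_ld_so_conf_d",
    name: "Linker Config Directory (/etc/ld.so.conf.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/ld.so.conf.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Library search path config; a malicious entry adds an attacker directory to the ldconfig cache where it can shadow system libraries by name",
    mitre_techniques: &["T1574.006"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_ld_so_preload"],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://www.wiz.io/blog/linux-rootkits-explained-part-1-dynamic-linker-hijacking",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "An entry is inert until ldconfig regenerates /etc/ld.so.cache; compare the cache mtime with the drop-in mtimes to tell whether it was activated",
        "Distribution files (e.g. x86_64-linux-gnu.conf, libc.conf) and developer additions such as /usr/local/lib are expected; the indicator is a directory outside the usual prefixes, especially one that is user-writable",
        "Requires root to write; a dropped file implies prior privilege escalation",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc; persist until removed",
};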
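/// Per-user SSH public-key trust list (`~/.ssh/authorized_keys`).
///
/// Any key listed here grants login as that user without a password. The
/// effective path is set by `AuthorizedKeysFile` in `sshd_config`, so
/// this descriptor covers only the default location.
pub static LINUX_SSH_AUTHORIZED_KEYS: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_ssh_authorized_keys",
    name: "SSH authorized_keys",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.ssh/authorized_keys"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Public keys permitting passwordless SSH login; an attacker key is a durable backdoor that survives password resets",
    mitre_techniques: &["T1098.004"],
    fields: SSH_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // The login the key enables shows up in these; the matching private key may be on another host.
    related_artifacts: &["linux_auth_log", "linux_wtmp", "linux_lastlog", "linux_ssh_private_key"],
    sources: &[
        "https://www.sans.org/blog/ssh-backdoors/",
        "https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "sshd_config AuthorizedKeysFile may name additional or different files (e.g. .ssh/authorized_keys2), and AuthorizedKeysCommand can bypass the file entirely; check the daemon config too",
        "The trailing comment field is attacker-controlled and may mimic a legitimate user or host name; match keys by fingerprint (ssh-keygen -lf), not by comment",
        "Key options (command=, from=, no-pty) can turn an entry into a restricted backdoor that looks like automation; review options as well as key material",
        "Root's file lives at /root/.ssh/authorized_keys; user-scope collection must include it",
        "File mtime vs. the user's last legitimate login helps date the insertion; auth.log 'Accepted publickey' lines carry the fingerprint used",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain-text file in the home directory; persists until the line is removed",
};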
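/// PAM module drop location (`/lib/security/`, legacy path).
///
/// A shared object placed in a PAM module directory and referenced from
/// `/etc/pam.d/` runs inside every authenticating process (sshd, login,
/// sudo, su) with the cleartext credential in hand. The modern paths are
/// architecture-specific (see caveats); `/lib/security` is the historical
/// default and still honoured by libpam.
pub static LINUX_PAM_MODULE_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_pam_module_dir",
    name: "PAM Modules Directory (/lib/security/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/lib/security"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Drop location for PAM .so modules; PamDOORa is reported to drop pam_linux.so here and wire it in through /etc/pam.d/ as a credential-harvesting backdoor. A .so that no installed package accounts for is a high-confidence backdoor indicator.",
    // NOTE(review): T1574.006 (dynamic linker hijacking) is a loose fit — libpam dlopen()s
    // modules named in its config rather than the linker preloading them. T1556.003 is the
    // primary mapping; kept both to avoid breaking existing consumers.
    mitre_techniques: &["T1556.003", "T1574.006"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["linux_pam_d", "linux_wtmp", "linux_btmp", "linux_lastlog", "linux_auth_log"],
    sources: &[
        "https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
        "https://linux.die.net/man/8/pam",
    ],
    // Downgraded from Definitive: legitimate third-party modules (pam_sss, pam_duo, pam_google_authenticator,
    // locally built modules) exist, so the listing alone is not proof; a verified-unknown .so is.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Also check the architecture paths: /lib/x86_64-linux-gnu/security and /usr/lib/x86_64-linux-gnu/security (Debian/Ubuntu), /lib64/security and /usr/lib64/security (RHEL/Fedora), /usr/lib/security (Arch)",
        "Verify every .so by hash against the package manifest (dpkg -V libpam-modules / rpm -V pam), not just by name — a trojanised pam_unix.so keeps its name",
        "Third-party and locally built modules are legitimate; confirm an unknown module is malicious by reading its /etc/pam.d/ reference and the module's imports/strings before calling it an IOC",
        "PamDOORa is reported to compile to pam_linux.so; treat that name as an indicator but do not rely on it, as the name is trivially changed",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files on disk in /lib/; persist until explicitly removed",
};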
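/// PAM per-service configuration (`/etc/pam.d/`).
///
/// Each file names the module stack for one service (sshd, login, sudo,
/// common-auth, ...). Adding a module line — or `pam_exec.so expose_authtok`
/// pointing at a script — hands the cleartext password to attacker code on
/// every authentication. Compare against the distribution's shipped copies
/// rather than eyeballing, since these files are dense and legitimately
/// rewritten by tools such as `pam-auth-update` and `authselect`.
pub static LINUX_PAM_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_pam_d",
    name: "PAM Configuration (/etc/pam.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/pam.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "PAM module stacks per service; an added module or pam_exec line intercepts every password presented to that service",
    mitre_techniques: &["T1556.003"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "linux_pam_module_dir",
        "linux_wtmp",
        "linux_btmp",
        "linux_lastlog",
        "linux_utmp",
        "linux_auth_log",
    ],
    sources: &[
        "https://x-c3ll.github.io/posts/PAM-backdoor-DNS/",
        "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
        "https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
    ],
    // Downgraded from Definitive: sssd/LDAP/2FA rollouts and distro tooling rewrite these files
    // legitimately. A confirmed unauthorised module line is definitive; the directory is not.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Diff against package-shipped copies (/usr/lib/pam.d on systemd distributions; dpkg -V / rpm -V) and against the admin's config management before treating a change as malicious — pam-auth-update and authselect rewrite common-* and system-auth legitimately",
        "Look for pam_exec.so with expose_authtok (password passed on stdin to the named program), module paths outside the standard directories, and 'sufficient'/'optional' lines inserted above pam_unix.so",
        "Correlate file mtimes with auth.log / wtmp for the attacker session that made the change, and with linux_pam_module_dir for any dropped .so",
        "PamDOORa is reported to use pam_exec to run scripts rather than replacing pam_unix.so, so a clean pam_unix.so does not clear the host",
        "/etc/pam.conf is consulted only when /etc/pam.d/ is absent; check it if the directory has been removed",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Text files in /etc/pam.d/; persist until explicitly modified or restored",
};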
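/// Sudoers drop-in directory (`/etc/sudoers.d/`).
///
/// Loaded through the `@includedir /etc/sudoers.d` line in `/etc/sudoers`.
/// A single `user ALL=(ALL) NOPASSWD: ALL` line here is a quiet, durable
/// privilege-escalation path that survives password changes.
pub static LINUX_SUDOERS_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_sudoers_d",
    name: "Sudoers Drop-ins (/etc/sudoers.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/sudoers.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Drop-in sudoers rules; NOPASSWD entries enable privilege escalation without credentials",
    mitre_techniques: &["T1548.003"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // sudo logs every use to auth.log; the account granted here should exist in passwd.
    related_artifacts: &["linux_auth_log", "linux_passwd"],
    sources: &[
        "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
        "https://linux.die.net/man/5/sudoers",
    ],
    // Downgraded from Definitive: cloud-init, config management and package installers
    // legitimately create NOPASSWD drop-ins, so the rule must be tied to its origin.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Expected drop-ins exist: cloud-init writes 90-cloud-init-users with NOPASSWD for the default user, and packages/config management add their own; an unexpected file or a modified expected one is the indicator",
        "sudo ignores files whose names contain a '.' or end in '~' (per sudoers(5)); a rule in such a file is inert unless the name is changed — conversely a live rule may hide in an innocuously named file",
        "Files must be root-owned and not world-writable or sudo refuses them; validate with visudo -c and check ownership/mode alongside content",
        "Drop-ins only load if /etc/sudoers still carries the @includedir line; review /etc/sudoers itself for direct additions and Defaults changes (e.g. !log_allowed, !syslog)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc/sudoers.d/; persist until explicitly removed",
};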
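/// systemd kernel-module autoload list (`/etc/modules-load.d/`).
///
/// Each `*.conf` names modules that `systemd-modules-load.service` inserts at
/// boot. A rootkit module listed here reloads on every reboot; the `.ko`
/// itself lives under `/lib/modules/<kernel>/` and is a separate artifact.
pub static LINUX_MODULES_LOAD_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_modules_load_d",
    name: "Kernel Module Load Config (/etc/modules-load.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/modules-load.d"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning: "Kernel modules auto-loaded at boot by systemd-modules-load; a rootkit module listed here regains kernel access on every reboot",
    mitre_techniques: &["T1547.006"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_journal_dir"],
    sources: &[
        "https://www.freedesktop.org/software/systemd/man/modules-load.d.html",
        "https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Equivalent locations: /usr/lib/modules-load.d and /run/modules-load.d (systemd), /etc/modules (Debian); /etc/modprobe.d 'install' directives can run arbitrary commands and are a separate vector",
        "A listed module must resolve under /lib/modules/$(uname -r)/ (or via modprobe alias); locate the .ko, check it against the package manifest, and note that a loaded rootkit may hide from lsmod and /proc/modules — compare with /sys/module and the journal's module-load messages",
        "Legitimate entries are common (virtualisation, storage, container runtimes); judge by the module's origin, not by presence",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc; persist until removed",
};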
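/// Dynamic message-of-the-day scripts (`/etc/update-motd.d/`, Debian/Ubuntu).
///
/// `pam_motd` runs every executable here (via `run-parts`) as root when an
/// interactive login passes PAM — SSH included — to render the banner. A
/// dropped or modified script therefore executes with root privileges on
/// each login while producing no process the user would notice.
pub static LINUX_MOTD_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_motd_d",
    name: "Dynamic MOTD Scripts (/etc/update-motd.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/update-motd.d"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxDebian,
    decoder: Decoder::Identity,
    meaning: "Scripts run as root by pam_motd at each interactive login (SSH and console) to generate the MOTD; covert root execution vector",
    mitre_techniques: &["T1037.004"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // Fires through the PAM stack; the triggering login is in auth.log / wtmp.
    related_artifacts: &["linux_pam_d", "linux_auth_log", "linux_wtmp"],
    sources: &[
        "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Only runs if pam_motd is configured for the service (see /etc/pam.d/sshd and /etc/pam.d/login); a dropped script is inert otherwise",
        "run-parts executes only files that are executable and whose names match its naming rules (no dots); check mode and name, not just content",
        "Ubuntu ships numbered package-owned scripts (00-header, 50-motd-news, ...); verify those against the package manifest and treat unowned or renumbered files as the indicator",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc; persist until removed",
};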
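/// udev rule drop-ins (`/etc/udev/rules.d/`).
///
/// A rule with `RUN+=` executes a program as root whenever a matching device
/// event fires. Matching a device that always appears at boot turns this
/// into boot persistence rather than a removable-media trigger.
pub static LINUX_UDEV_RULES_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_udev_rules_d",
    name: "udev Rules (/etc/udev/rules.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/udev/rules.d"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning: "Device event rules; a RUN+= directive executes a payload as root on device add/change/remove, and a rule matching a device present at every boot acts as boot persistence",
    mitre_techniques: &["T1546"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_journal_dir"],
    sources: &[
        "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
        "https://www.freedesktop.org/software/systemd/man/udev_rules.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Package-shipped rules live in /usr/lib/udev/rules.d and runtime ones in /run/udev/rules.d; /etc overrides by file name, so an /etc file with the same name as a package rule replaces it",
        "RUN+= programs are short-lived and sandboxed by systemd-udevd (killed after the event, no network namespace guarantees), so attackers typically chain to systemd-run, at, or a dropped script that daemonises — follow the RUN target",
        "New rules apply after 'udevadm control --reload' or reboot; the file mtime alone does not prove the rule has fired — look for the RUN target's execution in the journal",
        "Rules that only match removable media (e.g. SUBSYSTEM==\"usb\") are a weaker indicator than ones matching always-present devices",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in /etc; persist until removed",
};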
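/// Per-user Bash command history (`~/.bash_history`).
///
/// One command per line, appended when the shell exits (or per command when
/// `PROMPT_COMMAND` runs `history -a`). Timestamps appear only as `#<epoch>`
/// lines when `HISTTIMEFORMAT` is set. Easily suppressed, so absence means
/// little; presence of recon/exfil commands is valuable.
pub static LINUX_BASH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_bash_history",
    name: "Bash History (~/.bash_history)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.bash_history"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Interactive Bash command history; reveals lateral movement, exfil, and recon commands",
    mitre_techniques: &["T1059.004", "T1552"],
    fields: CRON_LINE_FIELDS,
    // HISTFILESIZE bounds the file; HISTSIZE bounds in-memory history (the original text conflated them).
    retention: Some("HISTFILESIZE limit on the file (HISTSIZE bounds memory); bash default 500, Debian/Ubuntu profiles commonly 1000-2000"),
    triage_priority: TriagePriority::High,
    // Correlate with login records to attribute a session; history of other shells lives elsewhere.
    related_artifacts: &["linux_zsh_history", "linux_wtmp", "linux_auth_log", "linux_bash_profile_user"],
    sources: &[
        "https://bromiley.medium.com/torvalds-tuesday-bash-history-in-linux-forensics-7cc4c9b4db9f",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Trivially disabled with HISTSIZE=0, HISTFILE=/dev/null, unset HISTFILE, or set +o history; commands prefixed with a space are dropped under HISTCONTROL=ignorespace/ignoreboth (the Debian default)",
        "Written at shell exit by default; a shell killed with SIGKILL or a session that never exits cleanly leaves no history, while PROMPT_COMMAND='history -a' setups write per command",
        "No timestamps unless HISTTIMEFORMAT was set (then each command is preceded by a #<epoch> line); otherwise ordering is append order across sessions, not a timeline",
        "Owned by the user and writable by root; can be edited or truncated, and a history file linked to /dev/null is itself an anti-forensics indicator",
        "May contain cleartext credentials passed on command lines (T1552); handle the file as sensitive",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Appended at shell exit; oldest lines dropped once HISTFILESIZE is exceeded",
};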
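/// Per-user Zsh command history (`~/.zsh_history`).
///
/// With `EXTENDED_HISTORY` set (common in oh-my-zsh and distro defaults)
/// each line is `: <epoch>:<duration>;<command>`, giving a real timeline
/// that Bash history lacks. Without it the format is one bare command per
/// line, exactly like Bash.
pub static LINUX_ZSH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_zsh_history",
    name: "Zsh History (~/.zsh_history)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.zsh_history"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Interactive Zsh command history; with EXTENDED_HISTORY each line carries an epoch timestamp and duration",
    mitre_techniques: &["T1059.004", "T1552"],
    fields: CRON_LINE_FIELDS,
    // Zsh bounds the file with SAVEHIST, not HISTSIZE (which is the in-memory limit).
    retention: Some("SAVEHIST limit on the file (HISTSIZE bounds memory); commonly 1000-10000 in framework defaults, unset means no file is written"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_bash_history", "linux_zshrc_user", "linux_wtmp", "linux_auth_log"],
    sources: &[
        "https://bromiley.medium.com/torvalds-tuesday-bash-history-in-linux-forensics-7cc4c9b4db9f",
    ],
    // Brought in line with linux_bash_history: same evasion and tampering properties.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Nothing is written unless HISTFILE and SAVEHIST are set; HISTFILE may point elsewhere (zsh-newuser-install defaults to ~/.histfile) and HIST_IGNORE_SPACE drops space-prefixed commands",
        "Written at exit by default; INC_APPEND_HISTORY or SHARE_HISTORY (oh-my-zsh default) write per command, so confirm which applies before reading absence as evidence",
        "Timestamps exist only under EXTENDED_HISTORY; the ': <epoch>:<duration>;' prefix must be parsed, and multi-line commands are continued with a trailing backslash",
        "User-writable and root-editable; can be truncated or rewritten",
        "May contain cleartext credentials passed on command lines (T1552); handle the file as sensitive",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Appended per command or at shell exit; oldest lines dropped once SAVEHIST is exceeded",
};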
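/// Login/logout/reboot history (`/var/log/wtmp`).
///
/// Fixed-size binary `utmp` records appended by login, sshd, and init.
/// Read with `last` or `utmpdump`; rotated copies (`wtmp.1`) need `last -f`.
/// Records carry no sequence numbers or checksums, so tampering shows up as
/// structural anomalies rather than gaps in a counter.
pub static LINUX_WTMP: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_wtmp",
    name: "Login History (/var/log/wtmp)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/log/wtmp"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Binary record of all successful logins/logouts/reboots; evidence of valid-account abuse",
    mitre_techniques: &["T1078", "T1021.004"],
    fields: LOG_LINE_FIELDS,
    retention: Some("until rotated by logrotate"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_btmp", "linux_lastlog", "linux_utmp", "linux_auth_log", "linux_journal_dir", "linux_pam_d"],
    sources: &[
        "https://linux.die.net/man/5/wtmp",
        "https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
        "https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
        "https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Binary format; utmpdump needed; writable by root and the utmp group, so entries can be edited or nulled in place",
        // Original text described 'sequence gaps' — wtmp has no sequence field; these are the real tells.
        "PAM backdoors such as PamDOORa are reported to remove their own login entries; tampering shows as zeroed/null records, timestamps that run backwards, or USER_PROCESS entries with no matching DEAD_PROCESS (utmpdump -r exposes all of these) — cross-reference with lastlog and auth.log",
        "Rotated files (wtmp.1, wtmp.1.gz) must be read with last -f; a freshly truncated wtmp next to an intact rotation is itself suspicious",
        "Some recent distributions are moving to wtmpdb (/var/lib/wtmpdb/) for Y2038 reasons; if wtmp is empty or stale, check there before concluding the log was cleared",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Rotated by logrotate",
};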
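/// Failed-login record (`/var/log/btmp`).
///
/// Same `utmp` record format as wtmp, written only for failed
/// authentications by services that choose to record them (sshd, login).
/// Read with `lastb`. Because it stores the submitted username, it
/// routinely captures passwords typed into the username prompt by mistake.
pub static LINUX_BTMP: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_btmp",
    name: "Failed Login Attempts (/var/log/btmp)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/log/btmp"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Binary record of failed authentication attempts; brute-force and credential-stuffing evidence",
    mitre_techniques: &["T1110"],
    fields: LOG_LINE_FIELDS,
    retention: Some("until rotated by logrotate"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_wtmp", "linux_lastlog", "linux_utmp", "linux_auth_log", "linux_journal_dir", "linux_pam_d"],
    sources: &[
        "https://linux.die.net/man/5/wtmp",
        "https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
        "https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
        "https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Binary format; lastb or utmpdump needed; mode 0660 root:utmp so only root can read it, and root can zero it",
        "Only populated by services that record failures (sshd password failures, login); key-based failures and many PAM-only services never write it, so an empty btmp is not proof of no attempts — auth.log / the journal is the fuller record",
        "PAM backdoors (PamDOORa) are reported to remove their own btmp entries — a source IP present in auth.log or wtmp with no btmp failures is a tampering indicator",
        "Usernames typed in place of passwords are stored verbatim; the file frequently contains cleartext credentials and should be handled as sensitive",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Rotated by logrotate",
};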
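/// Last-login database (`/var/log/lastlog`).
///
/// A sparse file of fixed-size records indexed by UID; each login
/// overwrites that UID's slot, so only the most recent login survives.
/// Read with `lastlog`. Cheap to tamper with (seek to UID*record_size and
/// zero), which is exactly what PAM backdoors are reported to do.
pub static LINUX_LASTLOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_lastlog",
    name: "Last Login Database (/var/log/lastlog)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/log/lastlog"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Per-UID last-login record (time, tty, source host); distinguishes never-logged-in accounts from recently used ones",
    mitre_techniques: &["T1078"],
    fields: LOG_LINE_FIELDS,
    retention: Some("one record per UID; each login overwrites the previous one"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_wtmp", "linux_btmp", "linux_utmp", "linux_auth_log", "linux_pam_d"],
    sources: &[
        "https://linux.die.net/man/5/wtmp",
        "https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
        "https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
    ],
    // Downgraded from Definitive: a single overwritable slot per UID cannot establish more than
    // 'this UID logged in at least once, most recently at T'.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Fixed-offset binary indexed by UID — zeroing an entry with write access is trivial; PamDOORa is reported to zero attacker UID entries to erase login history",
        "A UID whose lastlog entry is all-zeros but appears in auth.log or wtmp is a high-confidence tampering indicator",
        "Only the latest login per UID is kept, so it cannot show frequency or earlier sessions; use wtmp/auth.log for those",
        "The file is sparse and its apparent size scales with the highest UID (e.g. nobody=65534 or LDAP ranges); copy with sparse-aware tools (cp --sparse, tar -S) to avoid expanding holes",
        "Some newer distributions replace it with lastlog2 (/var/lib/lastlog/lastlog2.db); check there if this file is absent or stale",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Not rotated; each UID slot persists until that user's next login overwrites it",
};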
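/// Syslog authentication facility log (`/var/log/auth.log`, Debian family).
///
/// Text lines from sshd, PAM, sudo, su, cron and login. RHEL-family
/// systems write the same facility to `/var/log/secure`, and hosts without
/// a syslog daemon keep it only in the systemd journal.
pub static LINUX_AUTH_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_auth_log",
    name: "Auth Log (/var/log/auth.log)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/log/auth.log"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxDebian,
    decoder: Decoder::Identity,
    meaning: "PAM auth events, SSH logins (with key fingerprints), sudo commands, su usage; primary lateral-movement log",
    mitre_techniques: &["T1078", "T1548.003"],
    fields: LOG_LINE_FIELDS,
    retention: Some("until rotated by logrotate"),
    triage_priority: TriagePriority::High,
    // The records it should agree with; divergence between them is the tampering signal.
    related_artifacts: &["linux_journal_dir", "linux_wtmp", "linux_btmp", "linux_lastlog", "linux_pam_d", "linux_sudoers_d", "linux_ssh_authorized_keys"],
    sources: &[
        "https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "rsyslog/syslog-ng must be installed and running; recent Debian minimal installs ship without rsyslog and keep these events only in the journal (linux_journal_dir)",
        "Absent on RHEL-family hosts, which use /var/log/secure for the same facility",
        "Plain text; can be edited or cleared by root, and rotated copies (auth.log.1, auth.log.*.gz) must be collected with it",
        "'Accepted publickey ... SHA256:<fp>' lines tie a login to a specific authorized_keys entry; sudo lines record TTY, PWD, USER and COMMAND",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "logrotate weekly by default on Debian/Ubuntu, keeping four rotations",
};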
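/// Persistent systemd journal (`/var/log/journal/`).
///
/// Binary, indexed journal files per boot/machine. Exists only when
/// journald storage is persistent (the directory's presence is what
/// switches `Storage=auto` to persistent); otherwise the journal lives in
/// `/run/log/journal` and is lost at reboot.
pub static LINUX_JOURNAL_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_journal_dir",
    name: "systemd Journal (/var/log/journal/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/log/journal"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning:
        "Structured binary system journal; includes boot IDs, service starts/crashes, PAM/sshd/sudo messages and audit events, often the only auth record on hosts without rsyslog",
    mitre_techniques: &["T1078", "T1059.004"],
    fields: DIR_ENTRY_FIELDS,
    // Corrected: journald's default limit is size-based (SystemMaxUse = 10% of the filesystem,
    // capped at 4 GiB); MaxRetentionSec is unset by default, so there is no time-based expiry.
    retention: Some("SystemMaxUse default 10% of the filesystem capped at 4 GiB; MaxRetentionSec off by default (journald.conf)"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_auth_log", "linux_wtmp", "linux_btmp"],
    sources: &[
        "https://systemd.io/JOURNAL_NATIVE_PROTOCOL/",
        "https://systemd.io/JOURNAL_FILE_FORMAT/",
        "https://www.freedesktop.org/software/systemd/man/journald.conf.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Persistent only if this directory exists (Storage=persistent, or Storage=auto with the directory created); otherwise the journal is volatile in /run/log/journal and gone after reboot",
        "Parse offline with journalctl -D <dir> (or --file) and verify integrity with journalctl --verify; truncated or corrupt files are a tampering/cleanup hint",
        "Root can delete or vacuum journal files (journalctl --vacuum-*); compare the oldest boot ID with uptime and wtmp reboot records for unexplained gaps",
        "Forward Secure Sealing (--setup-keys) is optional and off by default, so entries are not tamper-evident unless it was enabled",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "systemd journal; rotated and vacuumed by journald size limits",
};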
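/// Local account database (`/etc/passwd`).
///
/// One colon-separated line per account: name, password field, UID, GID,
/// GECOS, home, shell. The password field is normally `x` (hash in
/// `/etc/shadow`); a hash placed directly here, or an empty field, is a
/// classic backdoor because it bypasses shadow protections.
pub static LINUX_PASSWD: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_passwd",
    name: "User Account Database (/etc/passwd)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/passwd"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Local user enumeration; duplicate UID 0 or GID 0, an inline hash or empty password field, or an interactive shell on a service account indicate backdoor accounts",
    mitre_techniques: &["T1087.001", "T1136.001"],
    fields: ACCOUNT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["linux_shadow", "linux_sudoers_d", "linux_lastlog", "linux_auth_log"],
    sources: &[
        "https://linux.die.net/man/5/passwd",
        "https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "World-readable; shows all accounts but no password hashes (those are in shadow) — unless a hash has been written inline, which is itself an indicator",
        "Added accounts may be backdoors; compare against a baseline and against /etc/passwd- (the previous copy kept by the shadow tools) to date the change",
        "An empty password field means login without a password; a second UID 0 entry is a root alias regardless of its name",
        "Service accounts whose shell changed from nologin/false to an interactive shell are a common, quiet modification",
        "Accounts from NSS sources (LDAP, sssd) do not appear here; use getent passwd on a live host to see the full picture",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "File; persists until account deleted",
};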
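/// Shadow password database (`/etc/shadow`).
///
/// Root-readable only. Besides the hash, field 3 records the date of the
/// last password change in days since the epoch, which dates password
/// resets made by an intruder. `!`/`*`/`!!` in the hash field mean locked
/// or passwordless-by-policy; an empty field means no password required.
pub static LINUX_SHADOW: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_shadow",
    name: "Shadow Password File (/etc/shadow)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/shadow"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Password hashes and ageing data for all local accounts; crackable offline once read, and the last-change field dates every password reset",
    mitre_techniques: &["T1003.008"],
    fields: ACCOUNT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["linux_passwd", "linux_auth_log"],
    sources: &[
        "https://www.sans.org/blog/linux-password-security/",
        "https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires root to read; contains hashed passwords and must be handled as sensitive",
        // Original text listed SHA-256 as weak; the weak schemes are unsalted-style DES and $1$ MD5.
        "Hash prefix identifies the scheme: no prefix = legacy DES (weak), $1$ = MD5 (weak), $5$ = sha256crypt and $6$ = sha512crypt (acceptable, strength depends on rounds=), $y$/$7$ = yescrypt/scrypt (modern)",
        "Field 3 (last change, days since epoch) dates password resets; a cluster of recent changes or a change on a service account is an indicator — compare with /etc/shadow- for the prior state",
        "An empty hash field allows login with no password; '!' or '*' prefixes lock the account but do not block SSH key or sudo NOPASSWD access",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "File; persists until account deleted or password changed",
};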
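/// SSH private keys in the default location (`~/.ssh/id_*`).
///
/// Possession of a private key is credential material; whether it buys
/// lateral movement depends on which hosts list the matching public key in
/// their `authorized_keys`. `IdentityFile` in `~/.ssh/config` can point at
/// keys anywhere on disk, so this glob is a starting point, not a census.
pub static LINUX_SSH_PRIVATE_KEY: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_ssh_private_key",
    name: "SSH Private Keys (~/.ssh/id_*)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.ssh/id_*"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "Private key material for SSH authentication; an unencrypted key is immediately usable against any host that trusts its public half",
    mitre_techniques: &["T1552.004"],
    fields: SSH_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    // Where the key was used from, and where it might be trusted.
    related_artifacts: &["linux_ssh_known_hosts", "linux_ssh_authorized_keys", "linux_bash_history"],
    sources: &[
        "https://www.sans.org/blog/ssh-backdoors/",
        "https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
    ],
    // Downgraded from Definitive: presence proves credential material, not that it was used or
    // that any host trusts it.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Presence proves possession of credential material; lateral movement additionally requires the matching public key in a target's authorized_keys — fingerprint the key (ssh-keygen -lf) and search other hosts' authorized_keys and auth.log for it",
        "Passphrase-protected keys require cracking; unprotected keys are immediately usable. Newer OpenSSH format ('-----BEGIN OPENSSH PRIVATE KEY-----') with bcrypt KDF is markedly slower to crack than legacy PEM",
        "Keys may live outside the id_* glob: any IdentityFile in ~/.ssh/config, keys dropped in /tmp or home by an attacker, and keys already loaded in a running ssh-agent (SSH_AUTH_SOCK)",
        "The .pub sibling and the key's comment field are attacker-controlled; identify keys by fingerprint",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "File; persists until explicitly removed",
};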
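/// SSH client host-key cache (`~/.ssh/known_hosts`).
///
/// Appended the first time the user connects to a host, so it is a
/// destination history for outbound SSH. Debian/Ubuntu ship
/// `HashKnownHosts yes`, which replaces hostnames with HMAC values and
/// forces a dictionary or `ssh-keygen -F` lookup to recover them.
pub static LINUX_SSH_KNOWN_HOSTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_ssh_known_hosts",
    name: "SSH Known Hosts (~/.ssh/known_hosts)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.ssh/known_hosts"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Host keys of previously contacted SSH servers; lateral-movement destination history (hostnames may be hashed)",
    mitre_techniques: &["T1021.004", "T1083"],
    fields: SSH_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_ssh_private_key", "linux_bash_history"],
    sources: &[
        "https://www.sans.org/blog/ssh-backdoors/",
        "https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
    ],
    // Destination history that supports, but does not by itself establish, a lateral-movement claim.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "With HashKnownHosts yes (Debian/Ubuntu default) hostnames and IPs are stored as salted HMACs; test candidates with ssh-keygen -F <host> or a wordlist of internal hosts",
        "Entries carry no timestamps; order is append order, and ssh-keygen -R or a manual edit removes lines without trace",
        "Attacker clients commonly run with -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no, leaving no entry at all; absence proves nothing",
        "Also check the system file /etc/ssh/ssh_known_hosts and any GlobalKnownHostsFile/UserKnownHostsFile overrides in ssh_config",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain-text file in the home directory; lines persist until removed",
};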
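/// GnuPG home directory (`~/.gnupg/`).
///
/// GnuPG 2.1+ keeps secret keys as keygrip-named files under
/// `private-keys-v1.d/` (legacy installs use `secring.gpg`); public keys and
/// trust data are in `pubring.kbx`/`pubring.gpg` and `trustdb.gpg`. Secret
/// keys are normally passphrase-protected, but `gpg-agent` may be holding
/// them unlocked on a live host.
pub static LINUX_GNUPG_PRIVATE: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_gnupg_private",
    name: "GnuPG Private Key Store (~/.gnupg/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.gnupg"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "GnuPG secret keys (private-keys-v1.d/ or legacy secring.gpg); enables message decryption and signature/commit forgery, and the keyrings reveal correspondents",
    mitre_techniques: &["T1552.004"],
    // NOTE(review): DPAPI_FIELDS is a Windows credential-blob schema; it looks like a placeholder
    // for this Linux artifact. Left unchanged because the intended Linux schema is not visible here.
    fields: DPAPI_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_ssh_private_key", "linux_bash_history"],
    sources: &["https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Secret keys are normally passphrase-protected (S2K-wrapped); usability depends on the passphrase, and a running gpg-agent may already hold the key unlocked (check its sockets and 'gpg-connect-agent \"keyinfo --list\" /bye' on a live host)",
        "GNUPGHOME can relocate the directory; also check for exported keys (*.asc, *.gpg) elsewhere in the home",
        "Presence proves credential material, not use; pair with shell history and file timestamps for access evidence",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files in the home directory; persist until removed",
};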
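/// AWS CLI/SDK shared credentials file (`~/.aws/credentials`).
///
/// INI-style profiles holding `aws_access_key_id`/`aws_secret_access_key`
/// and, for STS-issued credentials, `aws_session_token`. Key ID prefixes
/// distinguish long-lived IAM user keys (`AKIA…`) from temporary ones
/// (`ASIA…`), which bounds how long a stolen key stays useful.
pub static LINUX_AWS_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_aws_credentials",
    name: "AWS Credentials (~/.aws/credentials)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.aws/credentials"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "AWS long-term (AKIA) or temporary STS (ASIA + session token) credentials per profile; enables cloud infrastructure compromise",
    mitre_techniques: &["T1552.001"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_docker_config", "linux_bash_history"],
    sources: &[
        "https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html",
        "https://www.sans.org/blog/cloud-forensics-and-incident-response/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Cleartext; treat the file as compromised credentials once an attacker has read access, and rotate the keys — the access key ID is the pivot for CloudTrail searches",
        "Temporary credentials (aws_session_token present, ASIA prefix) expire, so file mtime matters; long-term AKIA keys stay valid until rotated",
        "Companion stores hold more: ~/.aws/config (profiles, role_arn, SSO settings), ~/.aws/sso/cache/*.json and ~/.aws/cli/cache/ (cached tokens); AWS_SHARED_CREDENTIALS_FILE can relocate this file entirely",
        "Presence proves credential material, not cloud activity; confirm use in CloudTrail by access key ID",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain-text file in the home directory; persists until removed or rewritten by aws configure",
};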
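/// Docker client configuration (`~/.docker/config.json`).
///
/// The `auths` map written by `docker login` stores `user:password` as
/// base64 — not encrypted — unless a `credsStore`/`credHelpers` entry
/// delegates storage to a helper, in which case only registry names remain
/// here and the secrets sit in the helper's backend.
pub static LINUX_DOCKER_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_docker_config",
    name: "Docker Config (~/.docker/config.json)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.docker/config.json"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Docker registry credentials (base64 user:password under 'auths' unless a credential helper is configured); enables image exfil or malicious image push",
    mitre_techniques: &["T1552.001"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["linux_aws_credentials", "linux_bash_history"],
    sources: &[
        "https://docs.docker.com/engine/reference/commandline/login/",
        "https://www.sans.org/blog/container-forensics/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "The 'auth' value is base64 of user:password, not encryption; decode it to identify the account, and rotate the credential once the file is known to be exposed",
        "With credsStore or credHelpers set, the secrets live in the helper (pass, secretservice, osxkeychain, cloud-specific helpers) and this file only lists registries; an 'identitytoken' entry indicates an OAuth-style token rather than a password",
        "DOCKER_CONFIG can relocate the directory, and root's /root/.docker/config.json is the one most often used for image pulls on servers; collect both",
        "Presence proves credential material; check the registry's audit log for pushes/pulls by that account to establish use",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "JSON file in the home directory; persists until docker logout or removal",
};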
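/// Shell-generated recent-file shortcuts (`%APPDATA%\Microsoft\Windows\Recent\`).
///
/// Explorer writes a `.lnk` here whenever a user opens a file or folder,
/// so the directory is a file-access history that outlives the target.
/// Phishing-delivered LNKs are a different population (Downloads, Temp,
/// mail caches); this descriptor covers the shell's own shortcuts.
pub static LNK_FILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "lnk_files",
    name: "LNK / Shell Link Recent Files",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Shell Link (.lnk) files record target path, MAC timestamps, volume serial, \
              and NetBIOS host — evidence of file access even after target deletion. \
              The BEEF0004 extension block (version-dependent; later Windows versions add more \
              fields) carries the 48-bit MFT record, full 64-bit file size, reparse point tags \
              (cloud sync markers), and an OS version hint. StringData.Arguments is the primary \
              indicator of weaponised LNKs (T1204.002). DriveType (FIXED/REMOVABLE/REMOTE) \
              identifies source medium.",
    mitre_techniques: &["T1547.009", "T1070.004", "T1204.002"],
    fields: LNK_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["jump_list_auto", "jump_list_custom", "mru_recent_docs", "mft_file"],
    sources: &[
        "https://github.com/EricZimmerman/LECmd",
        "https://github.com/EricZimmerman/Lnk",
        "https://github.com/kacos2000/Jumplist-Browser",
        "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Can be spoofed (any process may write a .lnk); verify with corroborating artifacts such as jump lists, $MFT/$UsnJrnl and RecentDocs MRU",
        "The LNK's own creation time is the first open of the target and its modification time the most recent open; the embedded target timestamps are copied from the target at that moment, so they may predate the LNK",
        "Weaponised LNKs delivered by phishing usually sit in Downloads, Temp or mail caches rather than here; this directory records what the user opened, including the malicious LNK itself",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Created on file open; max ~150 recent items",
};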
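/// Automatic jump lists (`%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\`).
///
/// One OLE compound file per application, named by the CRC64 of its
/// AppUserModelID. The `DestList` stream is an MRU-ordered index of
/// embedded LNK streams; each `DestList` entry carries its own timestamp
/// and access count, which is what makes it a better timeline than the
/// loose `Recent\` shortcuts.
pub static JUMP_LIST_AUTO: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_auto",
    name: "Jump Lists — AutomaticDestinations",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "OLE Compound Document per application; DestList stream records MRU-ordered \
              file access with embedded LNK entries. Filename stem is a CRC64 AppID hash \
              resolved via HKCU\\...\\Search\\JumplistData or AppIdlist.csv. \
              DestList entries include BEEF0004 extension: 48-bit MFT record number, \
              full 64-bit file size (LNK header truncates at 4 GB), reparse tags \
              (cloud sync/WSL), and OS-version hint identifying which Windows version \
              created the entry (useful for roaming profiles). Also tracks Pin Entry order \
              and Quick Access position for pinned items.",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: JUMP_LIST_AUTO_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["lnk_files", "jump_list_custom", "mru_recent_docs", "jump_list_appid_registry"],
    sources: &[
        "https://github.com/EricZimmerman/JLECmd",
        "https://github.com/EricZimmerman/JumpList",
        "https://github.com/kacos2000/Jumplist-Browser",
        "https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Application-specific; some apps don't integrate with jump lists, so absence of an entry is not absence of access",
        "The DestList layout changed with Windows 10 (a newer version number in the header); make sure the parser handles both the Windows 7/8 and Windows 10+ variants before trusting counts and timestamps",
        "Clearing 'Recent items' or a per-app list deletes the file; a missing or freshly rebuilt jump list for a commonly used app is a cleanup hint (T1070.004)",
        "AppID hashes for unknown apps need the published AppID tables or the JumplistData registry value to resolve; an unresolved hash still identifies the same app across hosts",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated on file access; max entries per app",
};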
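/// Custom jump lists (`%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\`).
///
/// Written by applications that define their own Tasks/Recent/Pinned groups
/// via the Shell API, as a flat sequence of embedded LNK records delimited
/// by a group marker. Unlike AutomaticDestinations there is no DestList
/// index, so entry order and the embedded LNK data are all there is.
pub static JUMP_LIST_CUSTOM: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_custom",
    name: "Jump Lists — CustomDestinations",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Corrected: legitimate Tasks entries often carry arguments (e.g. a browser's private-mode
    // switch); the original text said they are empty, which would make benign apps look weaponised.
    meaning: "Application-defined jump list groups (Tasks/Recent/Pinned) stored as a \
              sequence of embedded LNK records separated by group markers (0xAB FB BF BA). \
              May persist after file deletion, revealing attacker-pinned tools or \
              exfiltrated document access. StringData.Arguments in each embedded LNK \
              is the primary weaponisation indicator — legitimate Tasks entries carry the \
              application's own switches (e.g. a browser's private-mode flag), while \
              malicious entries carry PowerShell commands, encoded payloads, or C2 URLs. \
              Group 'Tasks' entries are application-defined and often reveal \
              installed capabilities (e.g. browser private mode, admin tools).",
    mitre_techniques: &["T1547.009", "T1070.004", "T1204.002"],
    fields: JUMP_LIST_CUSTOM_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["lnk_files", "jump_list_auto"],
    sources: &[
        "https://github.com/EricZimmerman/JLECmd",
        "https://github.com/EricZimmerman/JumpList",
        "https://github.com/kacos2000/Jumplist-Browser",
        "https://github.com/kacos2000/Jumplist-Browser/blob/master/CustomDestinations-ms.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Pinned items reflect user intent; can be manually set without file access",
        "Entries are written by the application, not the shell, and carry no per-entry access timestamp or count; use the file's own MAC times and the AutomaticDestinations list for timing",
        "Judge Arguments against what the application normally emits for that group rather than by presence alone",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Pinned by user; persists until app unpins",
};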
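/// Windows event log store (`C:\Windows\System32\winevt\Logs\`).
///
/// One `.evtx` file per channel. Security (4624/4625 logon, 4688 process
/// creation, 1102 log cleared), System (7045 service install, 104 log
/// cleared) and PowerShell/Operational (4104 script block) are the usual
/// first stops. Channel sizes are small by default, so busy hosts roll
/// over in hours — collect early.
pub static EVTX_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_dir",
    name: "Windows Event Log Directory (EVTX)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Binary EVTX log files — Security.evtx (4624/4625/4688/1102), System.evtx (7045/104), \
              PowerShell/Operational.evtx (4104). Primary execution, logon, and process-creation record.",
    mitre_techniques: &["T1070.001", "T1059.001"],
    fields: DIR_ENTRY_FIELDS,
    // Corrected: the ~20 MB default applies to Security/System/Application; most Operational
    // channels default to about 1 MB and roll over far faster.
    retention: Some("configurable per channel; Security/System/Application default ~20 MB rolling, most Operational channels ~1 MB"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/evtx"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "4688 appears only if process-creation auditing is enabled, and the command line only with the separate 'Include command line' policy; absence of 4688 usually means policy, not cleanup",
        "Clearing a channel leaves 1102 (Security) or 104 (System) unless those are removed too; file-level deletion or a shrunk MaxSize is the quieter cleanup, so compare channel sizes with the registry channel config",
        "Deleted or cleared records can often be carved from unallocated space and from the channel file's own slack (EVTX chunks are self-contained)",
        "Files are locked while the EventLog service runs; acquire from a volume snapshot or offline image",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Each channel overwrites or archives when MaxSize is reached; small defaults mean short history on busy hosts",
};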
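/// NTFS Master File Table (`C:\$MFT`).
///
/// One fixed-size record per file or directory. Timestomping detection
/// rests on comparing `$STANDARD_INFORMATION` (settable from user mode via
/// `SetFileTime`) with `$FILE_NAME` (updated only by the kernel on create,
/// rename and move). The record is locked by the kernel; acquire it via raw
/// volume access or a volume shadow copy.
pub static MFT_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "mft_file",
    name: "Master File Table ($MFT)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\$MFT"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Corrected: the in-use marker is bit 0 (0x0001) of the record flags at offset 0x16, not
    // 'bit 15'; a record is unallocated when that bit is clear.
    meaning: "Complete NTFS filesystem map. Every file record carries at least 8 timestamps: 4 from \
              $STANDARD_INFORMATION (SI, user-space writable via SetFileTime) and 4 from each \
              $FILE_NAME (FN, kernel-maintained — harder to forge). SI/FN divergence is the \
              primary timestomping indicator (T1070.006). Record slack (PhysicalSize - LogicalSize) \
              may contain prior attribute remnants. LSN links each record to its $LogFile \
              transaction for chronological ordering. Unallocated records (IN_USE flag 0x0001 \
              clear) persist until overwritten — primary deleted-file recovery source.",
    mitre_techniques: &["T1070.006", "T1070.004", "T1083", "T1564.001"],
    fields: MFT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    // NOTE(review): both "usnjrnl" and "usn_journal" are listed; the descriptor defined in this
    // file uses id "usn_journal", so "usnjrnl" may be a stale alias — confirm before removing.
    related_artifacts: &["usnjrnl", "usn_journal", "recycle_bin", "prefetch_file", "logfile_ntfs", "lnk_files"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table",
        "https://github.com/EricZimmerman/MFTECmd",
        "https://github.com/kacos2000/MFT_Browser",
        "https://www.sans.org/blog/windows-file-system-forensics-ntfs-master-file-table/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Timestamps susceptible to timestomping ($STANDARD_INFORMATION vs $FILE_NAME)",
        "$FILE_NAME timestamps are harder to tamper but not immune: moving or renaming a file after stomping SI copies the stomped SI values into the new FN attribute; corroborate with $UsnJrnl and $LogFile",
        "SetFileTime-based tools typically leave all-zero sub-second precision in SI; a timestamp ending in .0000000 on an otherwise normal file is a cheap stomping tell",
        "Resident data (small files) lives inside the record and survives deletion until the record is reused; non-resident data needs the cluster runs to still be unallocated",
        "A 1024-byte record size is standard; parsers must also handle 4096-byte records on advanced-format volumes",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Residual),
    volatility_rationale: "Metadata persists in unallocated MFT entries after deletion",
};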
/// The NTFS change journal (`$UsnJrnl:$J` alternate data stream) on `C:`, addressed
/// through the `\\.\C:` device path. Evidence is `Strong` for proving a file once
/// existed, but the journal is a `RotatingBuffer`: oldest records are overwritten
/// first, so absence of an entry proves nothing (see `evidence_caveats`).
/// NOTE(review): `T1059` (Command and Scripting Interpreter) is an unusual mapping for
/// a change journal; confirm the intended technique.
pub static USN_JOURNAL: ArtifactDescriptor = ArtifactDescriptor {
id: "usn_journal",
name: "USN Journal ($UsnJrnl:$J)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"\\.\C:\$Extend\$UsnJrnl:$J"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTFS change journal records file create/delete/rename operations with USN sequence \
number; persists even after file deletion, proving prior file existence.",
mitre_techniques: &["T1070.004", "T1059"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[
"shimcache",
"amcache_app_file",
"bam_user",
"prefetch_file",
"mft_file",
],
sources: &[
"https://github.com/EricZimmerman/MFTECmd",
"https://windowsir.blogspot.com/2022/11/challenge-7-write-up.html",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &["Circular; entries overwritten; may not have full history"],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "Circular journal; oldest entries overwritten first",
};
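/// The on-disk WMI CIM repository (`wbem\Repository\`), where `__EventFilter`,
/// `__EventConsumer` and `__FilterToConsumerBinding` objects backing WMI event
/// subscriptions live. Rated `High` because this persistence is invisible to tools that
/// only inspect the registry.
///
/// Fix: `related_artifacts` now links the registry-side subscription index
/// (`wmi_subscriptions`), which this module defines below and whose own `meaning`
/// tells the analyst to cross-reference this repository.
pub static WMI_MOF_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "wmi_mof_dir",
name: "WMI MOF Subscription Repository",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\wbem\Repository\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WMI CIM repository stores EventFilter, EventConsumer, and FilterToConsumerBinding \
objects; persistence survives reboots and is invisible to registry-only tools.",
mitre_techniques: &["T1546.003"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["wmi_subscriptions"],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/monitoring-and-responding-to-events-with-standard-consumers",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/commandlineeventconsumer",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/--filtertoconsumerbinding",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};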
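/// The BITS job-queue directory. Jobs record source URL, destination path and the
/// notify command, which is why T1197 (BITS Jobs) abuse shows up here even when no
/// other persistence artifact exists.
///
/// Fix: `meaning` named only `qmgr0.dat`. That (with `qmgr1.dat`) is the Windows 7–8.1
/// format; Windows 10 and later keep the queue in an ESE database, `qmgr.db`, in the
/// same directory. Since `os_scope` is `Win7Plus`, both file names are now listed so an
/// analyst does not dismiss a Win10+ directory that lacks `qmgr0.dat`.
pub static BITS_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "bits_db",
name: "BITS Job Queue Database",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\ProgramData\Microsoft\Network\Downloader\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Background Intelligent Transfer Service queue DB (qmgr0.dat/qmgr1.dat on Win7-8.1, \
ESE qmgr.db on Win10+); records download jobs including URL, destination, and \
command-to-notify — abused for stealthy malware staging.",
mitre_techniques: &["T1197"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal",
"https://learn.microsoft.com/en-us/powershell/module/bitstransfer/get-bitstransfer?view=windowsserver2025-ps",
"https://www.sans.org/white-papers/39195",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};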
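/// Output schema for `WMI_SUBSCRIPTIONS`: one row per filter→consumer binding.
/// `filter_name` is the only UID component, so two bindings of the same filter to
/// different consumers would collide — presumably acceptable for a registry-side index;
/// confirm against the collector. Initializer order (`name`, `value_type`,
/// `description`, `is_uid_component`) follows the other `FieldSchema` tables in this
/// module.
pub(crate) static WMI_SUB_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "filter_name",
value_type: ValueType::Text,
description: "WMI EventFilter name",
is_uid_component: true,
},
FieldSchema {
name: "consumer_type",
value_type: ValueType::Text,
description: "Consumer type (Script/CommandLine)",
is_uid_component: false,
},
FieldSchema {
name: "consumer_value",
value_type: ValueType::Text,
description: "Script or command executed on trigger",
is_uid_component: false,
},
FieldSchema {
name: "query",
value_type: ValueType::Text,
description: "WQL query that triggers the subscription",
is_uid_component: false,
},
];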
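/// Registry-side index of WMI event subscriptions under
/// `HKLM\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription` (the odd `//./` segment is
/// part of the real key name). Decoded as `MultiSz`.
/// NOTE(review): `artifact_type` is `RegistryKey` while `decoder` is a single-value
/// decoder and `fields` is a four-column schema — confirm how the collector maps key
/// contents onto `WMI_SUB_FIELDS`.
///
/// Fix: `related_artifacts` now links `wmi_mof_dir`, the CIM repository that `meaning`
/// already tells the analyst to cross-reference.
pub static WMI_SUBSCRIPTIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "wmi_subscriptions",
name: "WMI Event Subscriptions (Registry)",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSoftware),
key_path: r"Microsoft\WBEM\ESS\//./root/subscription",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::MultiSz,
meaning: "Registry-side index of WMI subscriptions; cross-reference with MOF repository for \
complete picture of WMI-based persistence.",
mitre_techniques: &["T1546.003"],
fields: WMI_SUB_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["wmi_mof_dir"],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/monitoring-and-responding-to-events-with-standard-consumers",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/--filtertoconsumerbinding",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};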
/// Per-user logon script hook: `HKCU\Environment\UserInitMprLogonScript`. Lives in
/// `NTUSER.DAT`, so a standard user can set it without elevation and it is not cleared
/// by a password reset (T1037.001). Decoded as-is into `PERSIST_CMD_FIELDS`.
pub static LOGON_SCRIPTS: ArtifactDescriptor = ArtifactDescriptor {
id: "logon_scripts",
name: "Logon Scripts (UserInitMprLogonScript)",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::NtUser),
key_path: r"Environment",
value_name: Some("UserInitMprLogonScript"),
file_path: None,
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Script executed at logon via WinLogon; per-user value allowing unprivileged \
persistence that survives password resets.",
mitre_techniques: &["T1037.001"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Winsock2 protocol catalog (`Protocol_Catalog9`): installed LSP DLLs sit in the
/// socket path of every process, so an unexpected entry is a high-signal, low-frequency
/// indicator of traffic interception. Enumerated with `DLL_FIELDS`.
/// NOTE(review): in ATT&CK, `T1547.010` is "Port Monitors"; Winsock LSPs have no
/// dedicated sub-technique — confirm the intended mapping.
pub static WINSOCK_LSP: ArtifactDescriptor = ArtifactDescriptor {
id: "winsock_lsp",
name: "Winsock Layered Service Provider",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LSP DLLs intercept all Winsock traffic; malicious LSPs can log credentials from \
plaintext protocols. Rare but high-signal indicator of network interception.",
mitre_techniques: &["T1547.010"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Custom application-compatibility shim databases (`apppatch\Custom\`). A shim can
/// redirect API calls or inject a DLL into the target without touching its binary, so
/// any `.sdb` here that is not from a known deployment deserves review (T1546.011).
/// Directory listing only (`DIR_ENTRY_FIELDS`); the SDB contents are not parsed here.
pub static APPSHIM_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "appshim_db",
name: "Application Shim Database",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\apppatch\Custom\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Custom SDB shim databases; attackers inject shims to redirect API calls, \
disable security checks, or load malicious DLLs without modifying the target binary.",
mitre_techniques: &["T1546.011"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
"https://www.sans.org/blog/application-shimming/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LSA `Notification Packages` (REG_MULTI_SZ): each listed DLL is loaded by LSASS and
/// handed the cleartext password on every change, so an unexpected entry is a
/// credential-capture indicator (T1556.002). Decoded with `MultiSz` into `DLL_FIELDS`.
/// NOTE(review): a clean baseline typically lists only `scecli` (plus `rassfm` on
/// some builds) — confirm before treating additional names as hostile.
pub static PASSWORD_FILTER_DLL: ArtifactDescriptor = ArtifactDescriptor {
id: "password_filter_dll",
name: "Password Filter DLL (Notification Packages)",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\Lsa",
value_name: Some("Notification Packages"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::MultiSz,
meaning: "DLLs registered here receive cleartext passwords during every password change; \
malicious filter captures and exfiltrates credentials.",
mitre_techniques: &["T1556.002"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/windows/win32/secmgmt/password-filter-programming-considerations",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user Word global template `Normal.dotm`. Because Word loads it for every
/// document, a macro stored here runs in every session — the T1137.001 persistence
/// vector. Path is user-scope (`%APPDATA%`), so no elevation is needed to plant it.
pub static OFFICE_NORMAL_DOTM: ArtifactDescriptor = ArtifactDescriptor {
id: "office_normal_dotm",
name: "Office Normal Template (Normal.dotm)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Templates\Normal.dotm"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Global Word template auto-loaded on every document open; malicious macros \
embedded here achieve persistence across all Word sessions.",
mitre_techniques: &["T1137.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/office/vba/word/concepts/customizing-word/using-events-with-the-application-object",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The all-users, all-hosts Windows PowerShell profile. It runs at the start of every
/// PowerShell session for every user (T1546.013), so its mere existence is worth a
/// look — a default install does not ship one.
/// NOTE(review): `meaning` says "SYSTEM-writable"; the path is under `System32`, so
/// writing it needs administrative rights rather than the SYSTEM account specifically —
/// confirm the intended wording.
pub static POWERSHELL_PROFILE_ALL: ArtifactDescriptor = ArtifactDescriptor {
id: "powershell_profile_all",
name: "PowerShell All-Users Profile (profile.ps1)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System-wide PowerShell profile executed for every user on every PS session start; \
SYSTEM-writable, provides privileged persistence without registry modification.",
mitre_techniques: &["T1546.013"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
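/// DPAPI master key files for the SYSTEM account (`Protect\S-1-5-18\User\`). These are
/// needed to decrypt SYSTEM-scope DPAPI blobs (service credentials, scheduled-task
/// credentials), which is why the entry is `Critical` / `Definitive`; reading the
/// directory itself requires SYSTEM (see `evidence_caveats`).
///
/// Fix: `volatility_rationale` previously said the key "persists in SYSTEM hive". The
/// master keys are files under the `Protect` directory; what lives in a hive is the
/// `DPAPI_SYSTEM` LSA secret (SECURITY hive) used to unwrap them. The rationale now
/// says so, and points the analyst at the related `lsa_secrets` artifact.
pub static DPAPI_SYSTEM_MASTERKEY: ArtifactDescriptor = ArtifactDescriptor {
id: "dpapi_system_masterkey",
name: "DPAPI System Master Key",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DPAPI master keys for the SYSTEM account; used to decrypt SYSTEM-scope secrets \
such as LSA secrets, service credentials, and scheduled task credentials.",
mitre_techniques: &["T1555.004"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &["lsa_secrets", "dpapi_masterkey_user"],
sources: &[
"https://github.com/gentilkiwi/mimikatz",
"https://blog.gentilkiwi.com/securite/mimikatz/dpapi-domain-backup-keys-theft",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Required to decrypt SYSTEM-scope DPAPI blobs; requires SYSTEM privilege",
"Loss of this key means DPAPI-protected data is unrecoverable",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Master key files persist on disk under Protect\\S-1-5-18; the DPAPI_SYSTEM LSA secret that unwraps them lives in the SECURITY hive (see lsa_secrets)",
};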
/// The per-user DPAPI `CREDHIST` chain. Each password change appends an entry, and
/// the chain is what lets master keys encrypted under an older password still be
/// recovered — hence `High` priority alongside `dpapi_masterkey_user`.
pub static DPAPI_CREDHIST: ArtifactDescriptor = ArtifactDescriptor {
id: "dpapi_credhist",
name: "DPAPI CREDHIST File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Protect\CREDHIST"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chain of previous DPAPI master key derivation entries; enables decryption of \
secrets encrypted with old passwords after a password change.",
mitre_techniques: &["T1555.004"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["dpapi_masterkey_user"],
sources: &[
"https://github.com/gentilkiwi/mimikatz",
"https://blog.gentilkiwi.com/securite/mimikatz/dpapi-domain-backup-keys-theft",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium cookie store (SQLite) for the default Chrome profile. Relevant to
/// session-theft investigations (T1539/T1185): presence and timestamps of the file
/// are collected via `FILE_PATH_FIELDS`; the rows are not parsed here.
/// NOTE(review): `name` says "Chrome/Edge" but `file_path` covers only the Chrome
/// profile directory; Edge keeps its profile under `%LOCALAPPDATA%\Microsoft\Edge\User Data\`
/// and would need its own descriptor or a second path. Cookie values in this database
/// are encrypted with a per-profile key kept in the browser's `Local State` (DPAPI-
/// wrapped, with additional app-bound protection on recent Chrome releases), so the
/// SQLite file alone does not yield plaintext — worth recording as an evidence caveat.
pub static CHROME_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "chrome_cookies",
name: "Chrome/Edge Cookies (SQLite)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SQLite database of browser session/authentication cookies; adversaries can replay \
these to bypass MFA and impersonate authenticated sessions (pass-the-cookie).",
mitre_techniques: &["T1539", "T1185"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["chrome_login_data"],
sources: &["https://github.com/EricZimmerman/SQLECmd"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
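/// The IE / Edge Legacy browsing-history ESE database (`WebCacheV01.dat`) and its
/// transaction logs. Low priority on modern hosts, but still the authoritative record
/// of legacy-browser history and downloads where those browsers were used.
///
/// Fix: `file_path` pointed at `...\Windows\INetCache\`, which holds the cached
/// content files themselves, not the database that `name` and `meaning` describe.
/// `WebCacheV01.dat` lives in `%LOCALAPPDATA%\Microsoft\Windows\WebCache\`; the path
/// now targets that directory so the ESE database and its `.log`/`.jrs` files are
/// collected together.
/// NOTE(review): the single source (`SQLECmd`) is a SQLite tool; an ESE-capable
/// reference would fit this artifact better — none added here.
pub static EDGE_WEBCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "edge_webcache",
name: "IE/Edge Legacy WebCacheV01.dat",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%LOCALAPPDATA%\Microsoft\Windows\WebCache\"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ESE database recording all IE/Edge Legacy web history, downloads, and cached \
content; reveals browsing patterns and potential data exfiltration URLs.",
mitre_techniques: &["T1539", "T1217"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/SQLECmd",
"https://www.sans.org/blog/digital-forensics-windows-browser-artifacts/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};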
/// The per-user RAS phonebook (`rasphone.pbk`), an INI file listing configured VPN
/// entries and their server addresses. Useful for mapping where a compromised user
/// could pivot; saved credentials are referenced, not stored in the file itself.
pub static VPN_RAS_PHONEBOOK: ArtifactDescriptor = ArtifactDescriptor {
id: "vpn_ras_phonebook",
name: "VPN Credentials — RAS Phonebook",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Plain-text INI phonebook storing VPN connection entries including server address \
and saved credential references; reveals network pivoting paths.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://docs.microsoft.com/en-us/windows/win32/rras/ras-phone-book-files",
"https://www.sans.org/blog/digital-forensics-windows-artifact-profiles/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The Windows Hello "Next Generation Credentials" container directory, Windows 10+
/// only. Holds PIN/biometric protector material for the `LocalService` profile, so the
/// directory is normally ACL-restricted to SYSTEM.
/// NOTE(review): Microsoft documentation locates this store under
/// `...\LocalService\AppData\Local\Microsoft\Ngc\`, not `AppData\Roaming` — confirm the
/// `file_path` before relying on it in a collector.
pub static WINDOWS_HELLO_NGC: ArtifactDescriptor = ArtifactDescriptor {
id: "windows_hello_ngc",
name: "Windows Hello / NGC Folder",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Ngc\"),
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Stores Windows Hello credential provider keys (PIN protectors, biometric keys); \
compromise reveals authentication material bypassing traditional password forensics.",
mitre_techniques: &["T1555"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/",
"https://www.sans.org/blog/digital-forensics-windows-artifact-profiles/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
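/// Per-user DPAPI-protected private key containers (T1552.004). Exfiltration lets an
/// attacker sign or authenticate as the user, which is why this sits at `High`.
///
/// Fix: `file_path` pointed at `%APPDATA%\Microsoft\SystemCertificates\My\`, which is
/// the user's certificate store — it holds certificates, CRLs and CTLs, not private key
/// material — so the descriptor did not collect what its `name` and `meaning` describe.
/// The path now targets `%APPDATA%\Microsoft\Crypto\`, whose `RSA\<SID>\` (CAPI) and
/// `Keys\` (CNG) subdirectories hold the key containers; this also mirrors the
/// machine-scope `MACHINE_CERT_STORE` entry under `ProgramData\Microsoft\Crypto\`.
pub static USER_CERT_PRIVATE_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "user_cert_private_key",
name: "User Certificate Private Keys",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Crypto\"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DPAPI-protected user certificate private keys for code signing, S/MIME, and \
smart-card emulation; exfiltration enables impersonation and signing of malicious artifacts.",
mitre_techniques: &["T1552.004"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval",
"https://github.com/gentilkiwi/mimikatz",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};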
/// Machine-scope CAPI RSA key containers (`Crypto\RSA\MachineKeys\`), protected with
/// the SYSTEM DPAPI master key. Theft enables TLS client-auth, code-signing and IPsec
/// impersonation of the host (T1552.004).
/// NOTE(review): CNG-stored machine keys live alongside in
/// `C:\ProgramData\Microsoft\Crypto\Keys\`; this descriptor covers only the CAPI
/// directory — confirm whether a second path is wanted.
pub static MACHINE_CERT_STORE: ArtifactDescriptor = ArtifactDescriptor {
id: "machine_cert_store",
name: "Machine Certificate Private Keys",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Machine-scope RSA private keys protected by DPAPI SYSTEM; used for TLS mutual \
auth, code signing, and IPSec — high-value credential exfiltration target.",
mitre_techniques: &["T1552.004"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval",
"https://github.com/gentilkiwi/mimikatz",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Pending `at(1)` jobs. Each spool file is a self-contained shell script with the
/// submitting user's environment, so the content — not just the listing — is what an
/// analyst wants (T1053.001). Parsed with `CRON_LINE_FIELDS`.
/// NOTE(review): the spool location is distribution-specific; Debian/Ubuntu use
/// `/var/spool/cron/atjobs/` rather than `/var/spool/at/` — confirm whether both
/// paths should be covered.
pub static LINUX_AT_QUEUE: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_at_queue",
name: "AT Job Queue (/var/spool/at/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/spool/at/"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "One-shot delayed execution jobs from the `at` command; each file contains a shell \
script to run at a specified time, used for stealthy one-shot persistence.",
mitre_techniques: &["T1053.001"],
fields: CRON_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/linux-persistence-mechanisms/",
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The OpenSSH server configuration. The directives called out in `meaning`
/// (`AuthorizedKeysFile`, `ForceCommand`, `PermitRootLogin`, `AllowUsers`) are the ones
/// an attacker changes to keep or widen access (T1098.004 / T1021.004).
/// NOTE(review): modern OpenSSH honours `Include /etc/ssh/sshd_config.d/*.conf` by
/// default on several distributions; a drop-in there overrides this file and would be
/// missed by a single-file descriptor — confirm whether the directory needs its own entry.
pub static LINUX_SSHD_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_sshd_config",
name: "SSH Daemon Configuration (/etc/ssh/sshd_config)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/ssh/sshd_config"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "SSH server config; look for unauthorized AuthorizedKeysFile overrides, \
ForceCommand bypass, PermitRootLogin yes, or AllowUsers modifications.",
mitre_techniques: &["T1098.004", "T1021.004"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/ssh-backdoors/",
"https://linux.die.net/man/5/sshd_config",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `/etc/group`. On its own it only lists memberships; its value is in the diff —
/// an account newly added to `sudo`, `wheel`, `docker` or similar is an escalation
/// path, hence the cross-reference with `/etc/passwd` and the sudo log in `meaning`.
/// Parsed with `ACCOUNT_FIELDS`.
pub static LINUX_ETC_GROUP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_etc_group",
name: "Group Accounts (/etc/group)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/group"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Group membership database; cross-reference with /etc/passwd and sudo log to \
detect unauthorized group additions (e.g., added to `sudo` or `docker` group).",
mitre_techniques: &["T1087.001", "T1078.003"],
fields: ACCOUNT_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://linux.die.net/man/5/group",
"https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The user's GNOME keyring files. Rated `Critical` / `Definitive` because the
/// keyring aggregates Wi-Fi, SSH, VPN and web credentials (T1555.003); the caveats
/// record that the files are encrypted with the login password and only become
/// readable once the session has unlocked them.
pub static LINUX_GNOME_KEYRING: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_gnome_keyring",
name: "GNOME Keyring (keyrings/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.local/share/keyrings/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "GNOME keyring stores WiFi PSK, SSH passphrases, web service passwords, and \
browser master passwords encrypted with user login credential.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://wiki.gnome.org/Projects/GnomeKeyring"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Encrypted with user login password; accessible after user session unlock",
"Contains Wi-Fi keys, VPN credentials, and application secrets",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Keyring database file; persists until secrets removed",
};
/// The user's KDE KWallet store — the KDE counterpart of `LINUX_GNOME_KEYRING`, with
/// the same `Critical` / `Definitive` rating. The second caveat matters for triage:
/// coverage depends on which applications were configured to use the wallet at all.
pub static LINUX_KDE_KWALLET: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_kde_kwallet",
name: "KDE KWallet (kwalletd/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.local/share/kwalletd/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "KDE wallet encrypted credential store; stores passwords, SSH keys, and browser \
credentials for KDE applications.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://userbase.kde.org/KWallet"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Encrypted; requires wallet password or auto-unlock to access",
"Coverage depends on which KDE applications store credentials here",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "KWallet database file; persists until secrets removed",
};
/// Chrome's saved-password database on Linux (default profile only). The caveats
/// capture the key point for an examiner: on Linux the encryption key is held by the
/// desktop keyring (GNOME Keyring / KWallet), so this file is only as protected as that
/// keyring's unlock state — a natural cross-reference with `LINUX_GNOME_KEYRING` and
/// `LINUX_KDE_KWALLET` even though `related_artifacts` is empty.
/// NOTE(review): Chromium builds use `~/.config/chromium/` — only `google-chrome` is
/// covered by this path.
pub static LINUX_CHROME_LOGIN_LINUX: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_chrome_login_linux",
name: "Chrome/Chromium Login Data (Linux)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.config/google-chrome/Default/Login Data"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "SQLite database of saved Chrome passwords on Linux; encryption key stored in \
GNOME Keyring or plaintext depending on configuration.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/AlessandroZ/LaZagne"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"On Linux, Chrome uses GNOME Keyring or KWallet for encryption key storage",
"Plaintext accessible if keyring is unlocked",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "SQLite DB; credentials persist until deleted from browser",
};
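/// Firefox saved logins on Linux. `logins.json` holds the NSS-encrypted credentials and
/// `key4.db` in the same profile directory holds the wrapping key, so both must be
/// collected together (see `evidence_caveats`).
///
/// Fix: `artifact_type` was `File` while `file_path` is the profiles root
/// `~/.mozilla/firefox/` — the actual files sit one level down in a per-profile
/// directory whose name is randomised, so a single file path cannot name them. The
/// descriptor is now a `Directory`, consistent with every other entry in this module
/// whose `file_path` ends in `/`, so the collector walks the profile tree and picks up
/// `logins.json` and `key4.db` for each profile.
pub static LINUX_FIREFOX_LOGINS_LINUX: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_firefox_logins_linux",
name: "Firefox logins.json (Linux)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.mozilla/firefox/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"JSON-encoded saved Firefox credentials protected by NSS (key4.db); \
can be decrypted with master password or via memory forensics of the Firefox process.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/AlessandroZ/LaZagne"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Same format as Windows Firefox logins; key4.db required for decryption",
"Primary password prevents access if set",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "JSON file; credentials persist until deleted from browser",
};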
/// The live login-session table (`/run/utmp`). Classed `Volatile` because `/run` is
/// tmpfs and the file is gone after a reboot — collect it from a running host, not an
/// image. Its detection value is the *absence* case spelled out in the second caveat:
/// a live network session with no matching utmp record points to session-hiding
/// (PAM backdoor / utmp wiper), which is why `linux_pam_d` is among the related
/// artifacts. Parsed with `LOG_LINE_FIELDS`.
pub static LINUX_UTMP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_utmp",
name: "Current Login Sessions (/run/utmp)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/run/utmp"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Binary utmp records of currently logged-in users; cross-reference with wtmp \
to detect sessions not present in persistent logs (anti-forensics via utmp wiper).",
mitre_techniques: &["T1078"],
fields: LOG_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &["linux_wtmp", "linux_btmp", "linux_lastlog", "linux_auth_log", "linux_pam_d"],
sources: &[
"https://linux.die.net/man/5/utmp",
"https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
"https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Lives in /run (tmpfs on most modern distros); lost on reboot",
"PAM backdoors can wipe their active session entry — a session visible in network connections (ss/netstat) but absent from utmp is a strong anti-forensics indicator",
],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "Stored in /run (tmpfs); lost on reboot",
};
/// The `gcloud` CLI state directory. Holds cached access/refresh tokens and any
/// service-account key files the user activated, so a copy of this directory is a
/// working cloud identity until the tokens are revoked (T1552.001). One of a set of
/// cloud-credential descriptors (`LINUX_AZURE_CREDENTIALS`, `LINUX_KUBE_CONFIG`)
/// that share the same shape.
pub static LINUX_GCP_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_gcp_credentials",
name: "GCP Application Default Credentials",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.config/gcloud/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "GCP access tokens and service account keys stored by gcloud CLI; \
exfiltration enables cloud resource takeover without password.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://cloud.google.com/sdk/docs/authorizing",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The Azure CLI state directory. `meaning` singles out `msal_token_cache.json`, the
/// MSAL cache of live OAuth tokens; service-principal secrets configured for the CLI
/// also land here. Same shape and rating as `LINUX_GCP_CREDENTIALS`.
pub static LINUX_AZURE_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_azure_credentials",
name: "Azure CLI Credentials (~/.azure/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.azure/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Azure CLI access tokens and service principal credentials; \
msal_token_cache.json contains active OAuth tokens enabling lateral movement in Azure.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The default kubeconfig. Bearer tokens and client certificates/keys are frequently
/// embedded inline (base64) rather than referenced, so the single file is often a
/// complete cluster credential (T1552.001).
/// NOTE(review): `KUBECONFIG` can point at other files, and some distributions
/// (e.g. `k3s`) keep the admin config under `/etc/` — this descriptor covers only the
/// per-user default.
pub static LINUX_KUBE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_kube_config",
name: "Kubernetes Config (~/.kube/config)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.kube/config"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "kubectl cluster credentials including bearer tokens, client certificates, \
and cluster API endpoints; enables full cluster takeover if exfiltrated.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The `git credential-store` backing file: plaintext `scheme://user:token@host`
/// lines. Tokens here typically grant repository write access and often CI/CD scope,
/// making the file a supply-chain pivot as much as a credential leak (T1552.001).
pub static LINUX_GIT_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_git_credentials",
name: "Git Credential Store (~/.git-credentials)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.git-credentials"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Plaintext git credential store: URL + username + PAT/password per line; \
personal access tokens here can access source repositories and CI/CD pipelines.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://git-scm.com/docs/git-credential-store"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `~/.netrc`: plaintext `machine`/`login`/`password` triplets honoured by `curl`,
/// `ftp`, `wget` and others. Long-lived and rarely rotated, which is what makes it
/// worth checking despite the `Medium` rating (T1552.001).
pub static LINUX_NETRC: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_netrc",
name: "Netrc Credential File (~/.netrc)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.netrc"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Auto-authentication file for ftp, curl, and legacy tools; stores plaintext \
hostname/login/password triplets, often forgotten and highly sensitive.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://linux.die.net/man/5/netrc"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Linux, system scope: `/etc/environment`, the PAM-loaded system-wide
/// environment definition file.
///
/// Reported through `PERSIST_CMD_FIELDS` like the other Linux persistence
/// locations in this section; the `meaning` text explains why a defender
/// reviews it (PATH / LD_PRELOAD injection that bypasses shell rc files).
pub static LINUX_ETC_ENVIRONMENT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_etc_environment",
    name: "System Environment Variables (/etc/environment)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/environment"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "System-wide environment variable definitions loaded for every login session and \
         PAM-based authentication. Attackers inject PATH hijacks or LD_PRELOAD values here \
         to redirect binary execution system-wide without modifying shell configuration files.",
    // T1546.004 (Unix Shell Configuration Modification) is the closest
    // sub-technique even though this file is read by PAM rather than a shell.
    mitre_techniques: &["T1546.004"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://linux.die.net/man/7/environ"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
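/// Linux, per-user: the XDG autostart directory `~/.config/autostart/`.
///
/// Collected as a directory (`ArtifactType::Directory`) and reported through
/// `PERSIST_CMD_FIELDS`; every `.desktop` file inside is a candidate
/// GUI-login persistence entry. The ATT&CK mapping was corrected from
/// T1547.014 (Active Setup, a Windows technique) to T1547.013, the XDG
/// Autostart Entries sub-technique.
pub static LINUX_XDG_AUTOSTART_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_xdg_autostart_user",
    name: "XDG User Autostart (.desktop files)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.config/autostart/"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Per-user XDG autostart .desktop files executed when a desktop session starts \
              (GNOME/KDE/XFCE). Exec= field runs arbitrary commands at GUI login without \
              root privileges — frequently overlooked by server-focused forensic checklists.",
    // T1547.013 = XDG Autostart Entries; T1547.014 is Active Setup (Windows).
    mitre_techniques: &["T1547.013"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};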
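/// Linux, system scope: the XDG autostart directory `/etc/xdg/autostart/`.
///
/// System-wide counterpart of the per-user autostart directory: same
/// collection shape (directory, identity decoder, `PERSIST_CMD_FIELDS`) but
/// entries fire for every GUI login on the host. The ATT&CK mapping was
/// corrected from T1547.014 (Active Setup, a Windows technique) to
/// T1547.013, the XDG Autostart Entries sub-technique.
pub static LINUX_XDG_AUTOSTART_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_xdg_autostart_system",
    name: "XDG System Autostart (.desktop files)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/xdg/autostart/"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "System-wide XDG autostart .desktop entries executed for all users at desktop session \
         start. Provides privileged persistence targeting all GUI logins on a workstation.",
    // T1547.013 = XDG Autostart Entries; T1547.014 is Active Setup (Windows).
    mitre_techniques: &["T1547.013"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};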
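/// Linux, system scope: NetworkManager dispatcher scripts under
/// `/etc/NetworkManager/dispatcher.d/`.
///
/// Directory collection through `PERSIST_CMD_FIELDS`. Scripts here run on
/// interface state changes, which is event-triggered rather than boot-time
/// persistence; the ATT&CK mapping was corrected accordingly — the previous
/// value T1547.013 is the XDG Autostart Entries sub-technique and does not
/// describe this location.
pub static LINUX_NETWORKMANAGER_DISPATCHER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_networkmanager_dispatcher",
    name: "NetworkManager Dispatcher Scripts",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/NetworkManager/dispatcher.d/"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Scripts executed by NetworkManager when network interfaces change state (up/down). \
              Provides network-event-triggered persistence — scripts fire on VPN connect, \
              WiFi association, or interface cycling, making detection harder than at-boot persistence.",
    // ATT&CK has no dispatcher-specific sub-technique; the parent T1546
    // (Event Triggered Execution) is the accurate mapping. T1547.013 is
    // XDG Autostart Entries and was a mis-mapping.
    mitre_techniques: &["T1546"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};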
/// Debian-family Linux, system scope: APT configuration snippets under
/// `/etc/apt/apt.conf.d/` that may define package-manager hook commands.
///
/// Directory collection through `PERSIST_CMD_FIELDS`. Note the narrower
/// `OsScope::LinuxDebian` compared with the generic Linux descriptors
/// around it.
pub static LINUX_APT_HOOKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_apt_hooks",
    name: "APT Package Manager Hook Scripts",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/apt/apt.conf.d/"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxDebian,
    decoder: Decoder::Identity,
    meaning: "APT configuration snippets that can define DPkg::Pre-Install-Pkgs, \
              DPkg::Post-Invoke, or APT::Update::Post-Invoke hooks; execute as root during \
              every package install or update — long-lived trigger-based privilege persistence.",
    // NOTE(review): T1546.004 is Unix Shell Configuration Modification; APT
    // hook snippets are not shell configuration. The parent T1546 (Event
    // Triggered Execution) may be the better fit — confirm against the
    // mapping convention used elsewhere in the catalogue.
    mitre_techniques: &["T1546.004"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://wiki.debian.org/DpkgTriggers"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows 7+, per-user (NTUSER): the `JumplistData` registry key that maps
/// jump-list AppID hashes to application display names.
///
/// Collected as a registry key with an inline two-column schema: the value
/// name is the hash (`app_id_hash`, the UID component) and the value data is
/// the display name (`app_name`). The `meaning` text explains its use as a
/// resolver for `.automaticDestinations-ms` filenames and as an
/// anti-forensics check when jump-list files have been deleted.
pub static JUMP_LIST_APPID_REGISTRY: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_appid_registry",
    name: "JumplistData — AppID Hash Registry Index",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Search\JumplistData",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Maps 8-byte CRC64 AppID hashes to application display names. \
              AutomaticDestinations filenames use the AppID hash as the stem \
              (e.g. db53b23fd1edbd46 = WINZIP64). Without this key, filename-to-app \
              resolution requires an external lookup database. \
              Presence or absence of an AppID confirms whether an application has \
              ever been run on the system — useful for anti-forensics detection \
              (attacker may delete jump list files but forget this index key).",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: &[
        FieldSchema {
            name: "app_id_hash",
            value_type: ValueType::Text,
            description: "8-byte CRC64 hash (registry value name); \
                          matches the filename stem of .automaticDestinations-ms files",
            is_uid_component: true,
        },
        FieldSchema {
            name: "app_name",
            value_type: ValueType::Text,
            description: "Application display name (registry value data)",
            is_uid_component: false,
        },
    ],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["jump_list_auto", "jump_list_custom"],
    sources: &[
        "https://github.com/kacos2000/Jumplist-Browser",
        "https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows 7+, per-user (NTUSER): the `Favorites` REG_BINARY value under the
/// Explorer `Taskband` key, which encodes the taskbar-pinned applications.
///
/// Unlike most registry descriptors here this one targets a single value
/// (`value_name: Some("Favorites")`). The inline schema exposes the pin
/// order and the embedded LNK target, the latter being the UID component.
pub static TASKBAND_FAVORITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "taskband_favorites",
    name: "Taskband Favorites — Taskbar Pinned Applications",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband",
    value_name: Some("Favorites"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    // Identity: the blob is handed to the consumer undecoded; LNK extraction
    // from it happens elsewhere (not in this descriptor).
    decoder: Decoder::Identity,
    meaning: "Binary blob (REG_BINARY) encoding taskbar-pinned application order. \
              Contains embedded Shell Link (LNK) data for each pinned item. \
              FavoritesResolve value (same key) stores the resolved path for each entry. \
              Attackers may pin malicious tools here to survive reboots, \
              or to mimic legitimate application icons. \
              Changes to this key indicate a user (or malware) pinned/unpinned an application.",
    mitre_techniques: &["T1547.009"],
    fields: &[
        FieldSchema {
            name: "entry_order",
            value_type: ValueType::Integer,
            description: "Position of pinned item in taskbar order (0-based)",
            is_uid_component: false,
        },
        FieldSchema {
            name: "lnk_target",
            value_type: ValueType::Text,
            description: "Embedded LNK target path for the pinned application",
            is_uid_component: true,
        },
    ],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["jump_list_auto", "lnk_files"],
    sources: &["https://github.com/kacos2000/Jumplist-Browser"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows 7+, system scope: the `AutomaticDestinations` directory under
/// `C:\ProgramData`, collected as a directory listing via `DIR_ENTRY_FIELDS`.
///
/// Companion to the per-user jump-list descriptors named in
/// `related_artifacts`; the `meaning` text describes the OLE CFB / DestList
/// layout of each file so the reader knows why a dedicated parser is needed.
pub static JUMP_LIST_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_system",
    name: "Jump Lists — System AutomaticDestinations",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // NOTE(review): confirm this ProgramData path is populated on the target
    // builds; jump lists are normally per-user under %APPDATA%, and an
    // always-empty directory would silently make this descriptor a no-op.
    file_path: Some(r"C:\ProgramData\Microsoft\Windows\Recent\AutomaticDestinations\"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "System-scope jump lists shared across all users; distinct from per-user \
              %APPDATA% copies. Each .automaticDestinations-ms is an OLE CFB containing \
              a DestList stream (AppID → target MRU) plus embedded LNK blocks.",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["jump_list_auto", "jump_list_custom"],
    sources: &[
        "https://www.sans.org/blog/computer-forensics-windows-7-jump-lists/",
        "https://windowsir.blogspot.com/2011/05/jump-lists-in-win7.html",
        "https://github.com/EricZimmerman/JLECmd",
        "https://github.com/EricZimmerman/JumpList",
        "https://forensics.wiki/jump_lists/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows 7+, per-user: the Office `Recent` shell-link directory under
/// `%APPDATA%`, collected as a directory listing via `DIR_ENTRY_FIELDS`.
///
/// Kept separate from the generic `lnk_files` descriptor (see
/// `related_artifacts`) because, as `meaning` notes, this directory survives
/// a clear of Windows Recent Items and so can retain document-access history
/// the generic location has lost.
pub static LNK_FILES_OFFICE: ArtifactDescriptor = ArtifactDescriptor {
    id: "lnk_files_office",
    name: "Office Recent LNK Files",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"%APPDATA%\Microsoft\Office\Recent\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Office-specific shell link files created for every document opened via Office. \
              Separate from Windows Recent; survives clearing of Windows Recent Items. \
              Reveals document access including network shares and USB paths.",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["lnk_files", "mru_recent_docs"],
    sources: &[
        "https://www.sans.org/blog/lnk-files-analysis-in-windows/",
        "https://windowsir.blogspot.com/2009/01/lnk-files-are-your-friends.html",
        "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/",
        "https://github.com/EricZimmerman/LECmd",
        "https://github.com/EricZimmerman/Lnk",
        "https://forensics.wiki/lnk/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Column schema for parsed prefetch (`.pf`) records.
///
/// `executable_name` and `prefetch_hash` are the UID components; the
/// remaining columns are attributes of one execution record. Field
/// initialisers are written in `name`, `value_type`, `description`,
/// `is_uid_component` order.
pub(crate) static PREFETCH_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "executable_name",
        value_type: ValueType::Text,
        description: "Name of the prefetched executable (up to 29 UTF-16 chars from SCCA header offset 0x10)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "format_version",
        value_type: ValueType::UnsignedInt,
        description: "SCCA format version: 17=XP/2003, 23=Vista/7, 26=Win8, 30/31=Win10/11",
        is_uid_component: false,
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        description: "Cumulative execution count (offset varies by format_version)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "last_run_time",
        value_type: ValueType::Timestamp,
        description: "Most recent execution timestamp (FILETIME UTC, 100ns precision)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "previous_run_times",
        value_type: ValueType::Text,
        description: "Up to 7 prior execution timestamps (FILETIME array, v26/30/31 only)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_path",
        value_type: ValueType::Text,
        description: "Volume device path string (e.g. \\DEVICE\\HARDDISKVOLUME3) from Volumes Information block",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_creation_time",
        value_type: ValueType::Timestamp,
        description: "FILETIME (UTC) when the source volume was created; pivot to $MFT $Volume_Information",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_serial_number",
        value_type: ValueType::UnsignedInt,
        description: "u32 volume serial number from Volumes Information; corroborates $VOLUME_INFORMATION in $MFT",
        is_uid_component: false,
    },
    FieldSchema {
        name: "referenced_files",
        value_type: ValueType::Text,
        description: "Full device paths of DLLs and files loaded during first 10 seconds of execution",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::UnsignedInt,
        description: "48-bit MFT record number of a referenced file (File Metrics flag 0x100); pivot to $MFT for timestomping detection",
        is_uid_component: false,
    },
    FieldSchema {
        name: "prefetch_hash",
        value_type: ValueType::Text,
        description: "8-hex SCCA path hash at header offset 0x4C (LE u32 of full executable device path)",
        is_uid_component: true,
    },
];
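/// Windows 7+, system scope: prefetch files matching `C:\Windows\Prefetch\*.pf`.
///
/// File collection using the `PREFETCH_FIELDS` schema. Evidence strength is
/// `Definitive` with the listed caveats (prefetch disabled on Server / via
/// registry, deleted `.pf` files). The retention, volatility rationale and
/// the timestamp-history caveat were aligned with the version notes in
/// `meaning` and `PREFETCH_FIELDS`: Windows 7 keeps 128 files and one
/// last-run time, Windows 8+ (format v26 and later) keeps 1024 files and
/// eight timestamps.
pub static PREFETCH_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "prefetch_file",
    name: "Prefetch File (.pf)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\Prefetch\*.pf"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    // Identity: decompression (MAM on Win10+) is documented in `meaning` and
    // is the parser's job, not this descriptor's.
    decoder: Decoder::Identity,
    meaning: "Binary execution record: executable name, 8-run-timestamp history (Win8+), \
              run count, path hash, and referenced DLL list. Win10+ files are MAM-compressed \
              (4-byte magic 0x4D 0x41 0x4D 0x04) — decompress with xpress_huff before parsing. \
              Versions: v17 (XP), v23 (Vista/7), v26 (Win8), v30/v31 (Win10+).",
    mitre_techniques: &["T1059", "T1070.004"],
    fields: PREFETCH_FIELDS,
    // Previously "128 entries", which contradicted the 1024 figure in
    // `volatility_rationale`; the limit depends on the Windows version.
    retention: Some("128 entries (Win7) / 1024 entries (Win8+); oldest evicted"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "shimcache",
        "amcache_app_file",
        "evtx_security",
        "srum_app_resource",
    ],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-prefetch-files/",
        "https://13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
        "https://isc.sans.edu/diary/Forensic+Value+of+Prefetch/29168",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/",
        "https://github.com/EricZimmerman/PECmd",
        "https://github.com/EricZimmerman/Prefetch",
        "https://github.com/kacos2000/Prefetch-Browser",
        "https://github.com/libyal/libscca/blob/main/documentation/Windows%20Prefetch%20File%20(PF)%20format.asciidoc",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Prefetch is disabled by default on Windows Server; absence does not imply non-execution on server systems",
        "Prefetch can be disabled on workstations via registry (EnablePrefetcher=0); absence does not prove non-execution",
        "Volume Serial Number embedded in .pf files can link an executable to a specific removable media source",
        "SDelete's own .pf file records the full list of files it deleted — anti-forensic tool use leaves execution evidence of the deletion itself",
        "Deleting .pf files with Shift+Delete bypasses the Recycle Bin but leaves recoverable MFT entries; USN Journal also records the deletion",
        // Was "Win7/8 stores only 1", which contradicted the v26 (Win8)
        // eight-timestamp note in `meaning` and in PREFETCH_FIELDS.
        "Win8+ stores up to 8 last-run timestamps per .pf file; Win7 stores only 1 — a single .pf covers broader history on modern Windows",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Max 1024 entries on Win8+ (128 on Win7); oldest evicted FIFO",
};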
/// Column schema for the SRUM network data-usage table.
///
/// `app_id` and `user_id` together identify a row; the byte counters are
/// per-interval aggregates, and the interface columns let the reader tie a
/// row to an adapter or wireless profile. Initialisers are written in
/// `name`, `value_type`, `description`, `is_uid_component` order.
pub(crate) static SRUM_NET_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application identifier (path or service name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "ESE column TimeStamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "bytes_sent",
        value_type: ValueType::UnsignedInt,
        description: "Total bytes sent by this app in the interval",
        is_uid_component: false,
    },
    FieldSchema {
        name: "bytes_received",
        value_type: ValueType::UnsignedInt,
        description: "Total bytes received by this app in the interval",
        is_uid_component: false,
    },
    FieldSchema {
        name: "interface_luid",
        value_type: ValueType::UnsignedInt,
        description: "Network interface LUID (resolve to adapter name via registry)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_id",
        value_type: ValueType::Text,
        description: "Wireless SSID (L2ProfileId) when network is WiFi; null for ethernet",
        is_uid_component: false,
    },
];
/// Windows 8+, system scope: the SRUM network data-usage table inside
/// `SRUDB.dat`, addressed as `<path>:<table GUID>` in `file_path`.
///
/// Uses `SRUM_NET_FIELDS`. Rated `Critical` because, as `meaning` explains,
/// the per-app byte counters survive log clearing and quantify outbound
/// volume for exfiltration cases; the caveats record that the numbers are
/// aggregates, not per-connection detail.
pub static SRUM_NETWORK_USAGE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_network_usage",
    name: "SRUM Network Data Usage Table",
    // NOTE(review): SRUM_NETWORK_CONNECTIONS uses ArtifactType::EseDatabase for
    // the same `SRUDB.dat:{GUID}` addressing; confirm which variant the
    // collector dispatches on, since a plain File read would return the whole
    // database rather than this table.
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{973F5D5C-1D90-11D3-AE08-00A0C90F57DA}"),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    meaning:
        "ESE table {973F5D5C-1D90-11D3-AE08-00A0C90F57DA} records per-app bytes sent/received \
         per network interface per hour. ~30-day retention. Proves data exfiltration volume \
         even after log deletion; correlate AppId + UserId + BytesSent for exfil attribution.",
    mitre_techniques: &["T1049", "T1048"],
    fields: SRUM_NET_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["evtx_security", "srum_app_resource", "prefetch_file"],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://www.sans.org/blog/srum-forensics/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
        "https://github.com/EricZimmerman/Srum",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Aggregated bytes sent/received per process; not per-connection detail",
        "Clock skew between SRUM and event logs possible",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SRUM network table; rotated by Windows on schedule",
};
/// Column schema for the SRUM network-connectivity table.
///
/// Rows are keyed by `app_id` + `user_id`; `timestamp` is the connection
/// start, `connected_time` its duration, and the interface / L2-profile
/// columns describe the link (type code, SSID, profile flags). Initialisers
/// are written in `name`, `value_type`, `description`, `is_uid_component`
/// order.
pub(crate) static SRUM_NET_CONN_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application identifier (path or service name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Connection start time (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "interface_type",
        value_type: ValueType::UnsignedInt,
        description: "Network interface type: 6=ethernet, 71=wireless (802.11)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "connected_time",
        value_type: ValueType::UnsignedInt,
        description: "Duration of the network connection in seconds",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_id",
        value_type: ValueType::Text,
        description: "Wireless SSID when interface is WiFi; null for ethernet",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_flags",
        value_type: ValueType::UnsignedInt,
        description: "Wireless profile flags (0 = managed/infrastructure, 1 = ad-hoc)",
        is_uid_component: false,
    },
];
/// Windows 8+, system scope: the SRUM network-connectivity table inside
/// `SRUDB.dat`, addressed as `<path>:<table GUID>`.
///
/// Uses `SRUM_NET_CONN_FIELDS` and `ArtifactType::EseDatabase`. Provides the
/// interface / SSID context that the byte-count table lacks, which is why
/// `related_artifacts` points at the usage table and the network-profile
/// descriptor. No evidence strength or caveats are recorded yet.
pub static SRUM_NETWORK_CONNECTIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_network_connections",
    name: "SRUM Network Connections Table",
    artifact_type: ArtifactType::EseDatabase,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\sru\SRUDB.dat:{DD6636C4-8929-4683-974E-22C046A43763}",
    ),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    meaning: "ESE table {DD6636C4-8929-4683-974E-22C046A43763} records per-app \
              connection start time, interface type (ethernet/WiFi), duration, and SSID. \
              Proves which WiFi network was in use during execution — geo-context \
              for lateral movement and exfil timeline.",
    mitre_techniques: &["T1049", "T1048"],
    fields: SRUM_NET_CONN_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["srum_network_usage", "srum_app_resource", "networklist_profiles"],
    sources: &[
        "https://github.com/MarkBaggett/srum-dump",
        "https://www.sans.org/white-papers/36660/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
    ],
    // NOTE(review): the sibling SRUM tables carry an evidence strength,
    // RotatingBuffer volatility and a clock-skew caveat; this one has none.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Column schema for the SRUM application resource-usage table.
///
/// Rows are keyed by `app_id` + `user_id`; the remaining columns are the
/// per-interval CPU time and cycle counters split by foreground/background.
/// Initialisers are written in `name`, `value_type`, `description`,
/// `is_uid_component` order.
pub(crate) static SRUM_APP_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application path or service name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Interval timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "foreground_cpu_time",
        value_type: ValueType::UnsignedInt,
        description: "CPU time used in foreground (100ns units)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "background_cpu_time",
        value_type: ValueType::UnsignedInt,
        description: "CPU time used in background (100ns units)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "foreground_cycles",
        value_type: ValueType::UnsignedInt,
        description: "CPU cycle count in foreground",
        is_uid_component: false,
    },
    FieldSchema {
        name: "background_cycles",
        value_type: ValueType::UnsignedInt,
        description: "CPU cycle count in background",
        is_uid_component: false,
    },
];
/// Windows 8+, system scope: the SRUM application resource-usage table
/// inside `SRUDB.dat`, addressed as `<path>:<table GUID>`.
///
/// Uses `SRUM_APP_FIELDS`. Rated `Critical`; the CPU counters give an
/// execution signal that is independent of Prefetch and the event logs,
/// which is why those are listed in `related_artifacts`.
pub static SRUM_APP_RESOURCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_app_resource",
    name: "SRUM Application Resource Usage Table",
    // NOTE(review): SRUM_NETWORK_CONNECTIONS uses ArtifactType::EseDatabase for
    // the same addressing scheme; confirm the collector's expectation.
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    // NOTE(review): this text says the table "proves execution", while
    // `evidence_strength` is Corroborative and the caveat says "not proving
    // it". One of the two should change so the descriptor is self-consistent.
    meaning: "ESE table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} records per-app CPU cycles \
              (foreground + background) per hour per user. Proves execution even without Prefetch \
              or Event Log entries — CPU cycles are non-zero only if the process actually ran.",
    mitre_techniques: &["T1059", "T1070.004"],
    fields: SRUM_APP_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["srum_network_usage", "prefetch_file", "evtx_security"],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://www.sans.org/blog/srum-forensics/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
        "https://github.com/EricZimmerman/Srum",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["CPU and memory usage metrics; useful for corroborating execution, not proving it"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SRUM ESE database; rotated by Windows on schedule",
};
/// Column schema for the SRUM energy-usage table.
///
/// Rows are keyed by `app_id` + `user_id`; the battery columns are the
/// sampled charge level and the two capacity figures. Initialisers are
/// written in `name`, `value_type`, `description`, `is_uid_component` order.
pub(crate) static SRUM_ENERGY_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application path",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Interval timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "charge_level",
        value_type: ValueType::UnsignedInt,
        description: "Battery charge level at sample time",
        is_uid_component: false,
    },
    FieldSchema {
        name: "designed_capacity",
        value_type: ValueType::UnsignedInt,
        description: "Battery designed capacity (mWh)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "full_charge_capacity",
        value_type: ValueType::UnsignedInt,
        description: "Current full charge capacity (mWh)",
        is_uid_component: false,
    },
];
/// Windows 8+, system scope: the SRUM energy-usage table inside `SRUDB.dat`,
/// addressed as `<path>:<table GUID>`.
///
/// Uses `SRUM_ENERGY_FIELDS`. Its value is timeline context (device
/// on/off, physical presence) rather than direct evidence of an action,
/// and no evidence strength or caveats are recorded.
pub static SRUM_ENERGY_USAGE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_energy_usage",
    name: "SRUM Energy Usage Table",
    // NOTE(review): see SRUM_NETWORK_CONNECTIONS, which uses EseDatabase for
    // the same addressing scheme.
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}"),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    meaning: "ESE table {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} records battery charge levels \
              at each sampling interval — enables timeline reconstruction of device on/off events \
              and correlates app activity with physical device presence.",
    mitre_techniques: &["T1059"],
    fields: SRUM_ENERGY_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://github.com/EricZimmerman/Srum",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Column schema for the SRUM push-notification activity table.
///
/// Rows are keyed by `app_id` + `user_id`; each carries the notification
/// timestamp, its WNS type code and the payload size. Initialisers are
/// written in `name`, `value_type`, `description`, `is_uid_component` order.
pub(crate) static SRUM_PUSH_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application that received notification",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Notification timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "notification_type",
        value_type: ValueType::UnsignedInt,
        description: "WNS notification type code",
        is_uid_component: false,
    },
    FieldSchema {
        name: "payload_size",
        value_type: ValueType::UnsignedInt,
        description: "Notification payload size in bytes",
        is_uid_component: false,
    },
];
/// Windows 10+, system scope: the SRUM push-notification activity table
/// inside `SRUDB.dat`, addressed as `<path>:<table GUID>`.
///
/// Uses `SRUM_PUSH_FIELDS`. Note the narrower `OsScope::Win10Plus` compared
/// with the other SRUM tables, which are `Win8Plus`. No evidence strength
/// or caveats are recorded.
pub static SRUM_PUSH_NOTIFICATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_push_notification",
    name: "SRUM Push Notification Activity Table",
    // NOTE(review): see SRUM_NETWORK_CONNECTIONS, which uses EseDatabase for
    // the same addressing scheme.
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}"),
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "ESE table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} records Windows Push Notification \
              (WNS) activity per app — reveals C2-style notification-triggered execution in \
              malicious UWP/PWA apps and confirms app network activity.",
    mitre_techniques: &["T1059"],
    fields: SRUM_PUSH_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://github.com/EricZimmerman/Srum",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Column schema shared by the EVTX channel descriptors.
///
/// `event_id` is the only UID component; the other columns are the event
/// time, the originating host, the subject SID/name and the full message
/// XML. Initialisers are written in `name`, `value_type`, `description`,
/// `is_uid_component` order.
pub(crate) static EVTX_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "event_id",
        value_type: ValueType::UnsignedInt,
        description: "Windows Event ID",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Event timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "computer",
        value_type: ValueType::Text,
        description: "Source computer name",
        is_uid_component: false,
    },
    FieldSchema {
        name: "subject_user_sid",
        value_type: ValueType::Text,
        description: "SID of the subject user",
        is_uid_component: false,
    },
    FieldSchema {
        name: "subject_user_name",
        value_type: ValueType::Text,
        description: "Username of the subject",
        is_uid_component: false,
    },
    FieldSchema {
        name: "message",
        value_type: ValueType::Text,
        description: "Full event message XML",
        is_uid_component: false,
    },
];
/// Windows 7+, system scope: the Security event log (`Security.evtx`),
/// collected as a file and parsed with `EVTX_FIELDS`.
///
/// Rated `Critical` / `Definitive`. The `meaning` text is the event-ID
/// cheat-sheet for the channel (logon, process, task, account, clock-change,
/// WFP, Credential Manager and log-cleared events); the caveats cover audit
/// policy, log clearing and the 4624 WorkstationName attribution pitfall.
pub static EVTX_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_security",
    name: "Security Event Log (Security.evtx)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\Security.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Primary security audit log. Key event IDs: 4624/4625 (logon success/fail), \
              4634/4647 (logoff), 4648 (explicit-cred logon), 4688/4689 (process create/exit), \
              4698/4702 (scheduled task create/modify), 4720/4732 (account create/group add), \
              4616 (system time change — primary timestomping/clock-manipulation indicator; \
              records user, previous time, new time, and process that changed the clock; \
              back-dated logon records and impossible session durations are downstream symptoms), \
              5152 (WFP blocked a packet — pivot for EDR-silencer detection and inbound \
              recon/exploitation; source IP recorded but direction is usually inbound), \
              5379 (Credential Manager credential read — detects tools like CredentialsFileView harvesting stored passwords), \
              1102 (audit log cleared — high-priority anti-forensics indicator).",
    mitre_techniques: &["T1070.001", "T1059", "T1078", "T1555"],
    fields: EVTX_FIELDS,
    // NOTE(review): "~20MB" here versus "128 MB max" in `volatility_rationale`
    // below — the Security channel's default maximum differs by Windows
    // version/edition; confirm and make the two strings agree.
    retention: Some("configurable; default ~20MB rolling per channel"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[
        "srum_network_usage",
        "srum_app_resource",
        "prefetch_file",
        "shimcache",
    ],
    sources: &[
        "https://www.sans.org/posters/windows-forensic-analysis/",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-security-audit-policies",
        "https://www.13cubed.com/downloads/windows_event_log_cheat_sheet.pdf",
        "https://www.magnetforensics.com/blog/the-importance-of-powershell-logs-in-digital-forensics/",
        "https://github.com/EricZimmerman/evtx",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.3_Windows_Event_Core.md",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://windowsir.blogspot.com/2023/06/events-ripper-update.html",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
        "https://www.linkedin.com/posts/ahmed-thabit_dfir-digitalforensics-incidentresponse-activity",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Log can be cleared (event 1102/104); absence of log is itself evidence",
        "Requires appropriate audit policy to be enabled",
        "Event 4624 WorkstationName semantics differ by logon type: \
         Type 3 (Network/SMB) — WorkstationName = source machine; \
         Type 10 (RDP without NLA) — WorkstationName = destination machine, not source. \
         For RDP source attribution always use IpAddress (Source Network Address), \
         never WorkstationName alone. Using WorkstationName as the source on a Type 10 \
         event misattributes the victim host as the actor.",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; default 128 MB max",
};
/// Windows 7+, system scope: the System event log (`System.evtx`),
/// collected as a file and parsed with `EVTX_FIELDS`.
///
/// Rated `High` / `Strong`. The `meaning` text covers service lifecycle
/// events (7045/7036/7031/7000/7009), boot boundaries (6005/6006) and the
/// log-cleared event (104), and explains why a "failed" service start can
/// still represent successful payload execution. The retention and
/// volatility strings agree here (20 MB).
pub static EVTX_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_system",
    name: "System Event Log (System.evtx)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\System.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "System-level events. Key IDs: 7045 (service installed), 7036 (service state change), \
         7031 (Service Control Manager — service crash; analyst pivot for \
         EDR/AV agent tamper attempts and failed persistence-via-service installs), \
         6005/6006 (event log start/stop — boot/shutdown boundary), \
         104 (System log cleared). Service installation (7045) is a primary \
         lateral-movement and persistence indicator. Attackers abuse sc.exe to create services \
         whose binPath uses %COMSPEC% to launch powershell.exe with -encodedcommand and \
         -w hidden flags, embedding base64-encoded (often UTF-16LE or gzip-compressed) \
         payloads directly in the event log entry. Subsequent Event IDs 7000 and 7009 \
         (service timeout/failure) are misleading — the PowerShell payload still executes \
         successfully even when Windows reports the service failed to start.",
    mitre_techniques: &["T1543.003", "T1070.001", "T1059.001"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; default ~20MB rolling per channel"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["evtx_security", "scheduled_tasks_dir", "services_imagepath"],
    sources: &[
        "https://www.sans.org/posters/windows-forensic-analysis/",
        "https://learn.microsoft.com/en-us/windows/win32/eventlog/event-logging",
        "https://github.com/EricZimmerman/evtx",
        "https://az4n6.blogspot.com/2017/10/finding-and-decoding-malicious.html",
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://www.manageengine.com/products/eventlog/kb/event-7031-service-crash-help.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Service install/start events useful; can be noisy with false positives"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; default 20 MB max",
};
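/// Application.evtx filtered to the MsiInstaller provider — install, uninstall
/// and reconfigure records written by the Windows Installer service.
///
/// Unlike the other EVTX descriptors in this module this one targets a single
/// provider inside a shared channel, which is why `artifact_type` is
/// `EventLog` rather than `File`: the whole file is `evtx_application`.
pub static EVTX_APPLICATION_MSIINSTALLER: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_application_msiinstaller",
    name: "Application Event Log — MsiInstaller Provider",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\Application.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Records written to Application.evtx by the Microsoft Installer \
              service (Source: MsiInstaller) on every MSI install/uninstall/reconfigure. \
              Key host-based artifact for MSI-borne malware (Raspberry Robin, USB-LNK \
              droppers that invoke `msiexec.exe /i <url>`, malicious .msi sideloading) \
              that open reports routinely omit. Key Event IDs: \
              1022 (product update applied), 1033 (install completed — Product Name, \
              Product Version, Manufacturer, Install Success/Failure), \
              1034 (product removal completed), 1035 (configuration change), \
              1036 (windows installer reconfigured), 1040 (transaction begun), \
              1042 (transaction ended), 11707 (Installer completed installation \
              successfully — friendly product name and language ID), 11708 \
              (Installer failed — exit code in event payload), 11724 (uninstall \
              succeeded). The MsiInstaller provider records persist in \
              Application.evtx independent of msiexec.exe Prefetch evidence and \
              survive Defender removal of the dropped MSI itself.",
    mitre_techniques: &["T1218.007", "T1204.002", "T1091"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; Application.evtx default ~20MB rolling"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "evtx_application",
        "run_key_hkcu_once",
        "run_key_hklm_once",
        "prefetch_file",
    ],
    sources: &[
        "https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin",
        "https://windowsir.blogspot.com/2023/09/the-state-of-windows-digital-analysis_19.html",
        "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // The channel is shared, so the 20 MB budget in `retention` is consumed
        // by every Application-log writer, not just MsiInstaller.
        "Application.evtx is shared with every other Application-channel provider; \
         on a busy host MsiInstaller records roll off well before the 20 MB size suggests",
        "Every legitimate install and update writes the same IDs — triage on Product Name, \
         Manufacturer, the install source path and the invoking user, not on the ID alone",
        // MSI custom actions run in sequence; a later step failing does not undo
        // the earlier ones having executed.
        "An 11708 failure does not mean nothing executed: custom actions sequenced before \
         the failing step have already run",
        "Log can be cleared (look for event 104 in System.evtx naming the cleared channel); \
         installed software on disk with no matching MsiInstaller record is itself an indicator",
    ],
    // Same storage class as the other EVTX channels in this module.
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; Application.evtx default 20 MB max, shared with all other Application-channel providers",
};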
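/// Microsoft-Windows-PowerShell/Operational — module logging (4103) and
/// script block logging (4104).
///
/// Script block logging is a feature of the PowerShell engine, not of AMSI:
/// the engine logs each script block when it compiles it, which is what makes
/// encoded/obfuscated layers appear in decoded form. The caveats below keep
/// that distinction so an AMSI bypass is not mistaken for a logging bypass.
pub static EVTX_POWERSHELL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_powershell",
    name: "PowerShell Operational Log",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx",
    ),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "PowerShell script execution telemetry. Event 4103 (module logging — pipeline \
         execution detail), 4104 (ScriptBlock logging — full script text). \
         4104 records each script block as the engine compiles it, so every decoding or \
         obfuscation layer that generates further code is logged in its executed form, \
         even when the outer command arrived via -encodedcommand; \
         highest-fidelity PS forensic source when enabled.",
    mitre_techniques: &["T1059.001", "T1027"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; default ~20MB rolling per channel"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "evtx_security",
        "powershell_history",
        "powershell_profile_all",
    ],
    sources: &[
        "https://www.sans.org/blog/detecting-malicious-powershell/",
        "https://redcanary.com/threat-detection-report/techniques/t1059.001/",
        "https://github.com/EricZimmerman/evtx",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires script block logging to be enabled (4104); even without the policy, \
         PowerShell 5+ writes 4104 at Warning level for blocks matching its built-in \
         suspicious-term list, so a partial record may still exist",
        // AMSI and script block logging are independent mechanisms; the
        // known bypasses of 4104 are engine-level or a v2 downgrade.
        "Script block logging is an engine feature, not AMSI: an AMSI bypass does not \
         suppress 4104. What does is disabling the policy, patching the engine's logging \
         in-process, or downgrading to the v2 engine (powershell -version 2), which has \
         no script block logging — a 400/403 engine-start event with EngineVersion 2.0 is the tell",
        "Large scripts are split across several 4104 events sharing a ScriptBlockId \
         (MessageNumber/MessageTotal); reassemble before reading",
        "Log can be cleared; cross-check with Security 1102 and the per-user \
         ConsoleHost_history file (powershell_history)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; oldest events overwritten at max size",
};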
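/// Microsoft-Windows-Sysmon/Operational — process, network, image-load,
/// injection, LSASS-access, file-create and DNS telemetry.
///
/// Only present when Sysmon has been deployed; what is recorded is entirely a
/// function of the installed XML configuration.
pub static EVTX_SYSMON: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_sysmon",
    name: "Sysmon Operational Log",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "Sysmon telemetry (requires deployment). Event 1 (process create + hashes + cmdline), \
         3 (network connection), 7 (image load), 8 (CreateRemoteThread), \
         10 (ProcessAccess — LSASS reads), 11 (file create), 22 (DNS query). \
         Gold standard for EDR-quality forensics without commercial tooling.",
    mitre_techniques: &["T1059", "T1055", "T1003.001"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; default ~20MB rolling per channel"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["evtx_security", "prefetch_file", "srum_app_resource"],
    sources: &[
        "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
        "https://www.sans.org/blog/threat-hunting-using-sysmon/",
        "https://www.thedfirspot.com/post/sysmon-when-visibility-is-key",
        "https://github.com/EricZimmerman/evtx",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.3_Windows_Event_Core.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires Sysmon to be installed and configured",
        "Sysmon config determines what is logged",
        // Sysmon is a service + driver; an admin can switch it off. The gap
        // itself is detectable from Sysmon's own config-change event and the
        // SCM state-change record in System.evtx.
        "An administrator can stop, uninstall or reconfigure Sysmon; a Sysmon event 16 \
         (config state change) or the service stop (7036 in System.evtx) marks where the \
         blind spot begins",
        "Event 1 hashes are of the on-disk image at process start; in-memory-only \
         payloads and injected code surface only through 8/10 and image-load (7) events",
        "Log can be cleared like any EVTX channel; the channel's size, not the Sysmon \
         config, decides how far back it reaches",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; the Sysmon XML config controls what is logged, the channel max size (set at install, adjustable with wevtutil) controls how much is kept",
};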
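/// Microsoft-Windows-Windows Defender/Operational — detections, remediation
/// results, MAPS sample submissions and AV-tamper/config-change events.
///
/// This is an EVTX channel like the others in this module, so it carries the
/// same rotating-buffer volatility; it is also one of the smallest channels
/// by default, which matters for how quickly detections age out.
pub static EVTX_DEFENDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_defender_operational",
    name: "Microsoft-Windows-Windows Defender/Operational",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx",
    ),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "Microsoft Defender AV operational telemetry (separate channel from Application.evtx). \
         Key Event IDs: 1116 (malware detected — name, severity, file path, user context), \
         1117 (malware action taken — quarantined/cleaned/removed), \
         1118/1119 (action failed/critically failed — file still on disk), \
         2050 (sample uploaded to MAPS cloud — file name and hash recorded; \
         high-value DFIR pivot when the dropped binary has been deleted), \
         2051 (sample could NOT be uploaded — sometimes indicates the \
         sample was already exfiltrated/deleted before MAPS submission), \
         5001 (real-time protection disabled — primary AV-tamper indicator), \
         5004/5007 (real-time protection config / Defender config changed — \
         attackers add path/process exclusions before dropping malware), \
         5010 (scanning for malware disabled), 5012 (scanning for viruses disabled). \
         Channel survives the dropped malware itself: 2050's file-hash record \
         is often the only artifact left after the malware has been cleaned.",
    mitre_techniques: &["T1562.001", "T1059", "T1027"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; default ~1MB rolling per channel"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "evtx_security",
        "evtx_application",
        "evtx_application_msiinstaller",
        "prefetch_file",
    ],
    sources: &[
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://windowsir.blogspot.com/2022/10/events-ripper.html",
        "https://kirannr.com/2020/07/02/__trashed/",
        "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "https://github.com/EricZimmerman/evtx",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // ~1 MB is small; 5007 config-change noise on a managed host can push
        // a 1116/1117 detection out within days.
        "Small default channel (~1 MB): frequent 5007 config events can roll a 1116/1117 \
         detection off within days — collect early or raise the size with wevtutil",
        "5001/5004/5007 also fire on legitimate admin, GPO and MDM changes; the 5007 \
         payload carries the changed setting and old/new value (e.g. an Exclusions\\Paths \
         entry or DisableRealtimeMonitoring) — triage the value, not the ID",
        "When a third-party AV is registered, Defender AV runs passive/disabled and this \
         channel goes mostly quiet; absence of detections is not absence of malware",
        "Log can be cleared like any EVTX channel; a missing 1116 for a file Defender \
         quarantined (see the Quarantine folder) is itself an indicator",
    ],
    // Same storage class as the other EVTX channels in this module.
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; ~1 MB default max means the oldest detections are overwritten quickly",
};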
/// Field schema for the Explorer TypedPaths artifact: a single text column,
/// the path string the user typed, which also serves as the record identity.
pub(crate) static TYPED_PATHS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "typed_path",
    value_type: ValueType::Text,
    is_uid_component: true,
    description: "Path manually entered into Explorer address bar history",
}];
/// Explorer address-bar history (NTUSER `...\Explorer\TypedPaths`).
///
/// Per-user registry key; each value is a path the user typed by hand, which
/// is why it is treated as evidence of interactive navigation.
pub static TYPED_PATHS: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "typed_paths",
    name: "Explorer Typed Paths",
    artifact_type: ArtifactType::RegistryKey,
    // location
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    // analyst-facing content
    meaning: "Explorer address-bar history of manually entered local, removable, UNC, or shell paths; useful for proving interactive navigation to shares and staged locations.",
    fields: TYPED_PATHS_FIELDS,
    mitre_techniques: &["T1083", "T1135"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["typed_urls", "opensave_mru", "lastvisited_mru"],
    retention: None,
    // provenance
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/typed_paths.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    // evidence / volatility metadata not yet assessed for this artifact
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Field schema for the Run-dialog MRU: the MRUList ordering string plus one
/// row per typed command. The command text is the record identity.
pub(crate) static RUN_MRU_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "mru_order",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Run dialog MRU letter ordering string",
    },
    FieldSchema {
        name: "command",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Command line entered via the Run dialog",
    },
];
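/// Run dialog (Win+R) history (NTUSER `...\Explorer\RunMRU`).
///
/// Per-user; values are lettered (`a`, `b`, …) with an `MRUList` value giving
/// recency order. Evidence caveats cover the two things analysts most often
/// get wrong here: dating entries and assuming other launchers land here.
pub static RUN_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_mru",
    name: "Run Dialog MRU",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "History of commands launched from the Windows Run dialog, including the user-maintained MRU ordering string and typed execution targets.",
    mitre_techniques: &["T1059"],
    fields: RUN_MRU_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["wordwheel_query", "powershell_history", "prefetch_file"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/runmru.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Registry values have no timestamp of their own; only the key's
        // LastWrite is available, and it moves on every new entry.
        "Only the most recent entry can be dated (RunMRU key LastWrite time); MRUList \
         gives relative order for the rest, never an absolute time",
        "Raw values carry a trailing \\1 marker that parsers strip; an entry proves the \
         command was submitted, not that the target existed or ran — confirm with \
         prefetch_file",
        "Only the Run dialog writes here: Start-menu search goes to wordwheel_query, \
         and commands typed into cmd/PowerShell never appear",
        "List is bounded by MRUList letters (a–z); older entries are silently replaced",
    ],
    volatility: None,
    volatility_rationale: "",
};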
/// Field schema for mapped network drives: the drive letter (record identity)
/// and the UNC path it was mapped to.
pub(crate) static NETWORK_DRIVES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "drive_letter",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Mapped drive letter under HKCU\\Network",
    },
    FieldSchema {
        name: "remote_path",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "UNC path of the mapped network drive",
    },
];
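/// Per-user persistent drive mappings (NTUSER `Network\<letter>`, value
/// `RemotePath`).
///
/// The previous caveat described what the value is worth rather than where it
/// falls short; the caveats below state the coverage limit a practitioner
/// needs (persistent mappings only) and keep the pivot hint.
pub static NETWORK_DRIVES: ArtifactDescriptor = ArtifactDescriptor {
    id: "network_drives",
    name: "Mapped Network Drives",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Network",
    value_name: Some("RemotePath"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user mapped network drives including drive letter to UNC mapping; useful for share-access reconstruction and lateral movement scoping.",
    mitre_techniques: &["T1135"],
    fields: NETWORK_DRIVES_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers", "networklist_profiles"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/network_drives.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        // HKCU\Network only holds mappings flagged to reconnect at sign-in.
        "Lists only persistent mappings (reconnect at sign-in); `net use` without \
         /persistent:yes, mappings removed before logoff and plain UNC browsing leave no \
         entry here — cross-check typed_paths, mountpoints2 (##server#share keys) and ShellBags",
        "Shows the current/last binding per letter only: remapping a letter overwrites the \
         earlier target, and the key LastWrite dates the mapping, not any file access",
        "UNC destinations name internal hosts — treat them as lateral-movement targets and \
         pivot to the share host's own logs",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Mapped drive registry entry; persists until unmapped",
};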
/// Field schema for App Paths entries: the registered executable name (record
/// identity), the path it resolves to, and which registry view it came from.
pub(crate) static APP_PATHS_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "application",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Executable name registered under App Paths",
    },
    FieldSchema {
        name: "path",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Default executable path resolved for the application name",
    },
    FieldSchema {
        name: "architecture",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Architecture bucket inferred from x64 or Wow6432Node path",
    },
];
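/// HKLM App Paths (`SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths` and
/// its Wow6432Node twin): executable-name → path resolution used by
/// ShellExecute and the Run dialog.
///
/// The caveats flag the per-user key, which this descriptor does not cover
/// but which is the cheaper place to plant a redirect.
pub static APP_PATHS: ArtifactDescriptor = ArtifactDescriptor {
    id: "app_paths",
    name: "App Paths Registry Entries",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\App Paths",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executable name resolution entries under App Paths and Wow6432Node App Paths; useful for installed-software discovery and hijack-style execution redirection review.",
    mitre_techniques: &["T1574"],
    fields: APP_PATHS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["services_imagepath", "winlogon_shell"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/software/apppaths.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // The HKCU key needs no admin rights and wins over HKLM, so a hijack
        // review limited to this descriptor misses the easy case.
        "A per-user App Paths key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths) \
         is consulted before HKLM and is writable without admin — review it alongside this key",
        "A (Default) path that differs from the binary's expected location is not proof of a \
         hijack: upgrades and per-user installs relocate binaries — verify the target on disk \
         and its signer",
        "Only launches that go through ShellExecute/the Run dialog honour App Paths; a direct \
         full-path invocation is unaffected by a redirect here",
    ],
    volatility: None,
    volatility_rationale: "",
};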
/// Field schema for HKLM\SYSTEM\MountedDevices: the raw value name (record
/// identity), the mount point it denotes, and the decoded device data.
pub(crate) static MOUNTED_DEVICES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "value_name",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "MountedDevices value name such as a drive letter or volume GUID",
    },
    FieldSchema {
        name: "mount_point",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Resolved drive letter or volume mount point",
    },
    FieldSchema {
        name: "device_path",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Decoded device path or partition signature data",
    },
];
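/// HKLM\SYSTEM\MountedDevices — drive-letter and volume-GUID bindings to
/// device paths / partition signatures.
///
/// System-wide; used to tie a letter or GUID seen in user artifacts back to a
/// physical device. The caveats cover letter reuse, which is the classic
/// misattribution here.
pub static MOUNTED_DEVICES: ArtifactDescriptor = ArtifactDescriptor {
    id: "mounted_devices",
    name: "Mounted Devices",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"MountedDevices",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Drive-letter and volume mappings including device paths, signatures, and removable-media assignments preserved under HKLM\\SYSTEM\\MountedDevices.",
    mitre_techniques: &["T1091"],
    fields: MOUNTED_DEVICES_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["usb_enum", "wifi_profiles"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/system/mountdev.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // \DosDevices\X: is overwritten each time a different device takes the
        // letter; the volume GUID entries are the stable identity.
        "Drive letters are reused: a \\DosDevices\\X: entry shows the device that holds \
         the letter now (or held it last), not every device that ever had it — key on the \
         \\??\\Volume{GUID} entries and correlate with usb_enum",
        "Entries for removed devices linger until cleaned up, so presence does not mean the \
         device is currently attached; MountedDevices carries no per-entry timestamp",
        "Per-user attribution is not possible from this key alone — pair with mountpoints2 \
         in the user's NTUSER hive",
    ],
    volatility: None,
    volatility_rationale: "",
};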
/// Field schema for NetworkList profiles: the profile GUID (record identity),
/// its display name, and the last-connected timestamp.
pub(crate) static NETWORKLIST_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "profile_guid",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "GUID of a network profile under NetworkList",
    },
    FieldSchema {
        name: "profile_name",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Human-readable network profile name",
    },
    FieldSchema {
        name: "date_last_connected",
        value_type: ValueType::Timestamp,
        is_uid_component: false,
        description: "Timestamp of the most recent recorded connection",
    },
];
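/// HKLM\SOFTWARE `...\NetworkList\Profiles\{GUID}` — per-network profile
/// name, category and created/last-connected dates.
///
/// The caveats add the two facts needed to use the dates safely (they are
/// local-time SYSTEMTIME blobs) and to turn a profile into a physical
/// location (the sibling `Signatures\Unmanaged` key).
pub static NETWORKLIST_PROFILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "networklist_profiles",
    name: "Network List Profiles",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Network profile history including profile names, categories, and created/last-connected dates for wired and wireless networks.",
    mitre_techniques: &["T1016"],
    fields: NETWORKLIST_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["wifi_profiles", "network_drives"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/software/networklist.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Profile name set by router; can be spoofed by attacker-controlled AP",
        // These are not FILETIMEs: 128-bit SYSTEMTIME structures written in
        // the host's local time zone.
        "DateCreated/DateLastConnected are 128-bit SYSTEMTIME blobs in local time, not UTC — \
         normalize with the host's time zone before timelining",
        "Only the most recent connection is dated; intermediate connections are not kept, \
         and forgetting/deleting the network removes the profile key entirely",
        "Join ProfileGuid to ...\\NetworkList\\Signatures\\Unmanaged for DefaultGatewayMac \
         and DnsSuffix, which place the host on a specific physical network",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Network profiles persist in registry",
};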
/// Field schema for PuTTY saved sessions: the session name (record identity),
/// the configured target host and the configured user name.
pub(crate) static PUTTY_SESSION_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "session_name",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Saved PuTTY session name",
    },
    FieldSchema {
        name: "hostname",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Target host configured in the PuTTY session",
    },
    FieldSchema {
        name: "username",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "User name configured for the saved session",
    },
];
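/// PuTTY saved sessions (NTUSER `Software\SimonTatham\PuTTY\Sessions\<name>`).
///
/// Saved sessions are opt-in, so this key under-reports actual SSH use; the
/// caveats point at the sibling `SshHostKeys` key, which PuTTY writes on every
/// first connection to a host.
pub static PUTTY_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "putty_sessions",
    name: "PuTTY Saved Sessions",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\SimonTatham\PuTTY\Sessions",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "PuTTY saved sessions, including target hostname, port, protocol, and optional proxy or keyfile settings for SSH and other remote connections.",
    mitre_techniques: &["T1021.004"],
    fields: PUTTY_SESSION_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers", "winscp_saved_sessions"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/putty.py",
        "https://the.earth.li/~sgtatham/putty/0.78/htmldoc/AppendixC.html",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Analogous to WinSCP's CDCache: the host-key cache is written whether
        // or not the user saved anything.
        "Only sessions the user explicitly saved appear here; the sibling \
         Software\\SimonTatham\\PuTTY\\SshHostKeys key caches a host key per host:port on \
         first connect and therefore records unsaved lateral movement as well",
        "HostName/UserName are what was configured, not proof a connection succeeded — \
         confirm on the target's auth logs",
        "Portable PuTTY builds can be run with -load from a file or with the registry \
         location changed; absence of this key does not rule out PuTTY use",
        "Session LastWrite reflects the last save, not the last connection",
    ],
    volatility: None,
    volatility_rationale: "",
};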
/// Field schema for WinSCP saved sessions stored in the registry: the session
/// name (record identity), the configured host and the configured user name.
pub(crate) static WINSCP_SESSION_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "session_name",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Saved WinSCP session name",
    },
    FieldSchema {
        name: "host_name",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Target host configured in the saved WinSCP session",
    },
    FieldSchema {
        name: "user_name",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "User name configured for the saved WinSCP session",
    },
];
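/// WinSCP saved sessions in registry storage mode (NTUSER
/// `Software\Martin Prikryl\WinSCP 2\Sessions\<name>`).
///
/// Registry and INI storage hold the same data (see `WINSCP_INI`); the
/// caveats carry over the CDCache point made there, because saved sessions
/// alone under-report which hosts were actually reached.
pub static WINSCP_SAVED_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "winscp_saved_sessions",
    name: "WinSCP Saved Sessions",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Martin Prikryl\WinSCP 2\Sessions",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "WinSCP saved sessions, including host, username, protocol, and optionally recoverable obfuscated credentials or connection defaults.",
    mitre_techniques: &["T1021.004", "T1555"],
    fields: WINSCP_SESSION_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["putty_sessions", "rdp_client_servers"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/winscp_saved_sessions.py",
        "https://winscp.net/eng/docs/ui_pref_storage",
        "https://az4n6.blogspot.com/2013/03/winscp-saved-password.html",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Same coverage gap as PuTTY saved sessions: saving is optional,
        // the connection cache is not.
        "Only explicitly saved sessions appear here; the sibling Configuration\\CDCache key \
         records every host connected to regardless of saving — the INI-mode equivalent is \
         described under winscp_ini",
        "A stored Password is reversibly obfuscated with the session's own UserName+HostName \
         as the key, so this key is a credential-theft target as well as a history source — \
         handle extracted values accordingly",
        "WinSCP can be switched to INI storage (portable builds default to it); an empty \
         key does not mean WinSCP was unused — check for WinSCP.ini next to the binary and in %APPDATA%",
    ],
    volatility: None,
    volatility_rationale: "",
};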
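/// Field schema for WinSCP.ini. Connection-cache and local-history columns
/// are populated for every session; the `session_*` columns only when the
/// user saved a session.
///
/// The `session_password` description is corrected: WinSCP's scramble is
/// keyed, but the key is the UserName+HostName stored in the same section,
/// so recovery needs no secret — it is not unkeyed, and it is not encryption.
pub(crate) static WINSCP_INI_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "connected_hosts",
        value_type: ValueType::Text,
        description: "user@host entries from [Configuration\\CDCache]; \
                      recorded for every connection regardless of whether the session was saved; \
                      hex-encoded path suffix is last-accessed path on remote host",
        is_uid_component: true,
    },
    FieldSchema {
        name: "local_target_dirs",
        value_type: ValueType::Text,
        description: "[Configuration\\History\\LocalTarget] — local directories \
                      where remote files were saved; directly identifies exfil staging paths \
                      even if files were subsequently deleted",
        is_uid_component: true,
    },
    FieldSchema {
        name: "last_local_path",
        value_type: ValueType::Text,
        description: "[Configuration\\Interface\\Commander\\LocalPanel] LastPath — \
                      last local directory open at session close; often the exfil staging folder",
        is_uid_component: false,
    },
    FieldSchema {
        name: "session_hostname",
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] HostName — target host of a saved session; \
                      only present if user explicitly saved the session workspace",
        is_uid_component: false,
    },
    FieldSchema {
        name: "session_username",
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] UserName — account used for the saved session",
        is_uid_component: false,
    },
    FieldSchema {
        name: "session_password",
        value_type: ValueType::Text,
        // Obfuscation, not encryption: the key material (UserName+HostName)
        // sits in the same INI section as the ciphertext.
        description: "[Sessions\\<name>] Password — obfuscated, not encrypted: a simple \
                      XOR-style scramble keyed by the UserName+HostName stored in the same section \
                      (github.com/winscp/winscp source/core/Security.cpp), so it is recoverable \
                      offline with no secret; treat as cleartext credential exposure; \
                      only present in saved sessions",
        is_uid_component: false,
    },
    FieldSchema {
        name: "local_directory",
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] LocalDirectory — local panel path at last save; \
                      corroborates local_target_dirs",
        is_uid_component: false,
    },
    FieldSchema {
        name: "remote_directory",
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] RemoteDirectory — last accessed path on the \
                      remote host; pivot to logs on the target system",
        is_uid_component: false,
    },
];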
/// WinSCP.ini — the INI-mode equivalent of the `WinSCP 2` registry tree.
///
/// `file_path` is a bare file name on purpose: portable builds keep the file
/// next to WinSCP.exe and the location is user-configurable, so collectors
/// must search rather than assume a fixed path (see the caveats).
pub(crate) static WINSCP_INI: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "winscp_ini",
    name: "WinSCP INI Configuration File",
    artifact_type: ArtifactType::File,
    // location — no registry coordinates for a file artifact
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("WinSCP.ini"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    // analyst-facing content
    meaning: "WinSCP portable configuration file. Records all hosts connected to \
              ([Configuration\\CDCache]) even without an explicit session save — making it \
              the primary indicator of WinSCP-based lateral movement. Also records local \
              directories where remote files were saved ([Configuration\\History\\LocalTarget]), \
              revealing exfil staging paths. If sessions were saved, contains target hostnames, \
              usernames, and reversible obfuscated passwords. The file is updated at session \
              close: .ini last-modified vs. WinSCP.exe Prefetch run-time approximates session \
              duration. Correlate with SRUM network-usage table for bytes transferred.",
    fields: WINSCP_INI_FIELDS,
    mitre_techniques: &["T1021.004", "T1048", "T1560"],
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "winscp_saved_sessions",
        "srum_network_usage",
        "prefetch_file",
    ],
    retention: None,
    // provenance
    sources: &[
        "https://az4n6.blogspot.com/2020/02/detecting-laterial-movment-with-winscp.html",
        "https://github.com/winscp/winscp/blob/master/source/core/Security.cpp",
        "https://winscp.net/eng/docs/ui_pref_storage",
    ],
    // evidence assessment
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "CDCache records all hosts connected to, but reflects last-session state only; \
         entries persist across explicit session deletion but the file itself can be wiped by a cleanup-aware attacker",
        "Absence does not prove WinSCP was not used — an attacker may have deleted the file or used a version \
         that writes elsewhere (portable build path varies)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated at WinSCP session close; persistent between reboots until manually deleted",
};
/// Field schema for WinRAR history: which kind of operation the entry came
/// from, and the archive/extraction path (record identity).
pub(crate) static WINRAR_HISTORY_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "operation",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Archive opened, created, or extracted",
    },
    FieldSchema {
        name: "file_path",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Archive or extraction path from WinRAR history",
    },
];
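/// WinRAR per-user history (NTUSER `SOFTWARE\WinRAR\*History*`): archives
/// opened, archive names created, and extraction destinations.
///
/// Useful for T1560.001 staging reconstruction; the caveats cover the ways
/// this history is legitimately absent or truncated so that a clean key is
/// not over-read.
pub static WINRAR_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "winrar_history",
    name: "WinRAR Archive History",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"SOFTWARE\WinRAR",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "WinRAR registry history of archive opens, archive creation targets, and extraction paths; useful for exfiltration staging and archive reconstruction.",
    mitre_techniques: &["T1560.001"],
    fields: WINRAR_HISTORY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["powershell_history", "opensave_mru"],
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/winrar.py",
        "https://www.win-rar.com/switches/settings.htm",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // History is a user-facing convenience setting, so it is both
        // optional and trivially cleared.
        "History is kept only while WinRAR's keep-history setting is on and can be cleared \
         from its settings dialog; absence is not proof that no archives were made",
        "Each history list is bounded — older entries roll off, and no per-entry timestamp \
         exists beyond the key's LastWrite time",
        "Command-line rar.exe/WinRAR invocations (the usual attacker path) bypass the GUI and \
         write no history here; look for rar.exe in prefetch_file and command history instead",
        "Per-user key: only the account that ran WinRAR interactively has entries",
    ],
    volatility: None,
    volatility_rationale: "",
};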
/// Field schema for TCP/IP interface records: the adapter GUID (record
/// identity) and its static or DHCP addressing values.
pub(crate) static NETWORK_INTERFACE_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "interface_guid",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "TCP/IP interface GUID under the Interfaces key",
    },
    FieldSchema {
        name: "ip_address",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Static or DHCP-assigned address values associated with the interface",
    },
];
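/// HKLM\SYSTEM `CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`
/// — per-adapter static/DHCP addressing.
///
/// The one thing an analyst needs to know before using this for timelining
/// is that the DHCP values are a single current lease, not a history; that is
/// the first caveat.
pub static NETWORK_INTERFACES: ArtifactDescriptor = ArtifactDescriptor {
    id: "network_interfaces",
    name: "TCP/IP Network Interfaces",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Interface GUIDs with DHCP or static addressing details used to tie network activity and lease information back to a host and adapter.",
    mitre_techniques: &["T1016"],
    fields: NETWORK_INTERFACE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["networklist_profiles", "srum_network_usage"],
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Each renewal overwrites the DHCP values in place.
        "DhcpIPAddress / DhcpServer / LeaseObtainedTime hold only the most recent lease; \
         earlier addresses are overwritten, so this proves the address at the last renewal, \
         not at an arbitrary earlier time — use DHCP server logs for history",
        "CurrentControlSet is a live-system alias; on a dead-box hive read the \
         ControlSet00N selected by HKLM\\SYSTEM\\Select\\Current, and compare the others for \
         stale values",
        "Interface GUIDs tie to an adapter, not a network; join to networklist_profiles for \
         where the adapter was connected",
    ],
    volatility: None,
    volatility_rationale: "",
};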
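/// C:\pagefile.sys — paged-out memory on disk, a string-carving source when
/// no RAM capture exists.
///
/// The caveats state the conditions under which the file is empty, moved or
/// unobtainable, which decide whether it is worth the acquisition cost.
pub static PAGEFILE_SYS: ArtifactDescriptor = ArtifactDescriptor {
    id: "pagefile_sys",
    name: "Pagefile.sys",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\pagefile.sys"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Virtual memory paging file containing memory-resident strings and fragments from paged-out processes when full RAM capture is unavailable.",
    mitre_techniques: &["T1005"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["hiberfil_sys", "evtx_security"],
    sources: &["https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv", "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md"],
    evidence_strength: None,
    evidence_caveats: &[
        // Hardened or policy-managed hosts zero the file at shutdown.
        "Wiped at shutdown when HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\
         Memory Management\\ClearPageFileAtShutdown = 1 — check the value before relying on a \
         dead-box copy",
        "Contents are unordered 4 KB pages with no process ownership; treat as a carving/strings \
         source, not a memory image — attribution needs a matching RAM capture or hiberfil",
        "Location and size are set by the PagingFiles value in the same key and may be on \
         another volume; Windows 8+ also keeps C:\\swapfile.sys for packaged apps",
        "Locked by the kernel while Windows runs; acquire from a raw disk read, volume shadow \
         copy or offline image, never by copying the file",
    ],
    volatility: None,
    volatility_rationale: "",
};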
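/// C:\hiberfil.sys — compressed memory snapshot written at hibernation (or, on
/// Windows 8+ fast startup, at ordinary shutdown in a reduced form).
///
/// The caveats cover what changed in Windows 8+: which shutdowns write a full
/// image, the compression format, and the header being zeroed on resume.
pub static HIBERFIL_SYS: ArtifactDescriptor = ArtifactDescriptor {
    id: "hiberfil_sys",
    name: "Hibernation File (hiberfil.sys)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\hiberfil.sys"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Compressed hibernation snapshot containing a point-in-time copy of system memory, including processes, sockets, and in-memory strings.",
    mitre_techniques: &["T1005"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["pagefile_sys", "evtx_security"],
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://forensics.wiki/hiberfil.sys/",
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/storport/nf-storport-storportmarkdumpmemory",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Fast startup is the default on Windows 8+ desktops, so most
        // hiberfils are the reduced kind.
        "Windows 8+ fast startup writes a reduced hiberfil (kernel session only) on a normal \
         shutdown; only a true hibernate (or a full-sized HiberFileType) captures user-mode \
         process memory",
        "Contents reflect the moment of the last hibernation, not current state, and are \
         compressed (Xpress/LZ77+Huffman on Windows 8+); on resume the header page is zeroed, \
         so tooling must handle the post-resume form",
        "Absent when hibernation is disabled (powercfg /h off) and removed by some cleanup \
         tooling; presence of an old mtime still means the data inside is from that time",
        "Locked while Windows runs; acquire from a raw disk read, volume shadow copy or \
         offline image",
    ],
    volatility: None,
    volatility_rationale: "",
};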
/// Field schema for MountPoints2: one text column holding the per-user mount
/// point / device reference, which is also the record identity.
pub(crate) static MOUNTPOINTS2_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "mount_point",
    value_type: ValueType::Text,
    is_uid_component: true,
    description: "Per-user mount point or device reference cached by Explorer",
}];
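/// NTUSER `...\Explorer\MountPoints2` — Explorer's per-user cache of volumes
/// and network shares this user has opened.
///
/// This is the user-attribution half of the MountedDevices / USB story: the
/// same volume GUID appearing here ties the device to an account. The caveats
/// spell out what each subkey shape means and how to date it.
pub static MOUNTPOINTS2: ArtifactDescriptor = ArtifactDescriptor {
    id: "mountpoints2",
    name: "MountPoints2",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user record of mounted removable media and mapped resources, useful for attributing USB or volume interaction to a specific logged-in user.",
    mitre_techniques: &["T1091"],
    fields: MOUNTPOINTS2_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["mounted_devices", "usb_enum"],
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Subkey names encode the kind of resource; the {GUID} form is the
        // join key back to HKLM\SYSTEM\MountedDevices.
        "Subkey names are {volume-GUID} for local/removable volumes (join to mounted_devices \
         and usb_enum) and ##server#share for network shares browsed in Explorer — the latter \
         covers UNC access that never appears in network_drives",
        "The subkey's LastWrite time is the last time this user mounted/opened the resource, \
         not the first; there is no per-subkey history",
        "Written by Explorer on interactive access only; command-line or service access to a \
         volume leaves no entry for the user",
    ],
    volatility: None,
    volatility_rationale: "",
};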
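/// HKLM\SOFTWARE `Microsoft\Windows Portable Devices\Devices` — WPD device
/// records, keyed by a device-instance string that embeds the USB serial, with
/// a FriendlyName (volume label or drive letter).
///
/// Used to bridge a USBSTOR serial to the name/letter a user would have seen.
pub static PORTABLE_DEVICES: ArtifactDescriptor = ArtifactDescriptor {
    id: "portable_devices",
    name: "Windows Portable Devices Mapping",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows Portable Devices\Devices",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Maps portable device identities to user-visible names or drive assignments, helping correlate USB serials and mounted letters during media analysis.",
    mitre_techniques: &["T1091"],
    // NOTE(review): this is a registry-key artifact but reuses FILE_PATH_FIELDS
    // (defined elsewhere in this file), unlike every other RegistryKey
    // descriptor here, which has its own schema. Left unchanged because the
    // column names may be relied on by generated decoders — confirm, and
    // consider a dedicated schema (device instance id + FriendlyName).
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["mounted_devices", "mountpoints2", "usb_enum"],
    sources: &["https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv"],
    evidence_strength: None,
    evidence_caveats: &[
        "FriendlyName is typically the volume label or drive letter at the time the device was \
         first enumerated; a later relabel, reformat or different letter is not reflected",
        "Subkey names embed the same serial as usb_enum (USBSTOR) — match on the serial, not \
         on FriendlyName, which is neither unique nor stable",
        "System-wide key with no user attribution and no timestamp beyond the subkey LastWrite; \
         pair with mountpoints2 for the user and setupapi/usb_enum for first-connect time",
    ],
    volatility: None,
    volatility_rationale: "",
};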
/// Client-side RDP bitmap cache directory under each user's profile.
///
/// This is evidence of what the *outbound* RDP client rendered, so it
/// complements `rdp_client_servers` / `rdp_client_default` (where the
/// user connected to) with fragments of what they saw there.
/// The `file_path` carries a `*` wildcard for the profile segment;
/// presumably the path expander enumerates profiles — confirm, since
/// other user-scoped entries in this file use `~` or no wildcard.
pub static RDP_BITMAP_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "rdp_bitmap_cache",
name: "RDP Bitmap Cache",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache"),
scope: DataScope::User,
os_scope: OsScope::All,
decoder: Decoder::Identity,
meaning: "Client-side cached bitmap fragments from RDP sessions that can reveal what was rendered on screen during remote administration or attacker activity.",
mitre_techniques: &["T1021.001"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &["rdp_client_servers", "rdp_client_default"],
sources: &["https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
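/// Apple Unified Logging store, indexed as a directory; individual log
/// files are not enumerated (`fields: &[]`).
///
/// The MITRE mapping uses T1070.002 (Indicator Removal: Clear Linux or
/// Mac System Logs). The previous value, T1070.001, is the Windows Event
/// Log sub-technique and does not describe tampering with this artifact.
///
/// NOTE(review): `os_scope` is `MacOS12Plus` while `meaning` says the log
/// exists since macOS 10.12 — confirm what the variant denotes and align
/// the two.
pub static MACOS_UNIFIED_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_unified_log",
name: "macOS Unified Log",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/db/diagnostics/"),
scope: DataScope::System,
os_scope: OsScope::MacOS12Plus,
decoder: Decoder::Identity,
meaning: "Apple Unified Logging system. Contains all system and application logs since macOS 10.12. Provides timestamped, structured log entries for process activity, crashes, and security events.",
// T1070.002 = Clear Linux or Mac System Logs; T1059 = Command and Scripting Interpreter.
mitre_techniques: &["T1070.002", "T1059"],
fields: &[],
retention: Some("Rotated by OS; typically weeks to months"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_install_history"],
sources: &[
"https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs",
"https://developer.apple.com/documentation/os/logging",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};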
/// Per-user launchd agent plists (`~/Library/LaunchAgents/`).
///
/// Rated `Critical` / `Strong` / `Persistent`: a plist here is itself the
/// persistence mechanism, not a trace of one. The caveats list the main
/// false-positive source (legitimate software) and the check that
/// separates it (code signing and bundle identifier of the target).
/// Sibling entries: `macos_launch_agents_system`, `macos_launch_daemons`.
pub static MACOS_LAUNCH_AGENTS_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_launch_agents_user",
name: "macOS User LaunchAgents",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/LaunchAgents/"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Per-user LaunchAgent plist files. Automatically loaded at user login. Primary persistence mechanism for malware targeting individual users.",
mitre_techniques: &["T1543.001"],
fields: &[],
retention: Some("Persistent until removed"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["macos_launch_agents_system", "macos_launch_daemons"],
sources: &[
"https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"LaunchAgent plists in ~/Library/LaunchAgents prove user-context persistence",
"Legitimate software also uses LaunchAgents; cross-reference signing and bundle ID",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "LaunchAgent plist persists until deleted; survives reboots",
};
/// System-wide launchd agent plists (`/Library/LaunchAgents/`), loaded
/// in every user's login session.
///
/// Unlike the per-user variant, writing here needs root, so an unexpected
/// plist is also a privilege-escalation indicator (first caveat). The
/// second caveat gives the triage filter: Apple-signed is expected,
/// unsigned or ad-hoc signed is not.
pub static MACOS_LAUNCH_AGENTS_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_launch_agents_system",
name: "macOS System LaunchAgents",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/Library/LaunchAgents/"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "System-wide LaunchAgent plist files loaded for all users. Requires root to install; used by system-level malware and legitimate software.",
mitre_techniques: &["T1543.001"],
fields: &[],
retention: Some("Persistent until removed"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["macos_launch_agents_user", "macos_launch_daemons"],
sources: &[
"https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"System LaunchAgents require root installation; elevated-privilege persistence indicator",
"Apple-signed plists are expected; unsigned or ad-hoc signed warrant investigation",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "System-wide LaunchAgent plist; requires root to modify",
};
/// System launchd daemon plists (`/Library/LaunchDaemons/`); these run as
/// root at boot with no user session required (T1543.004).
///
/// Highest-privilege persistence location in the macOS set. The second
/// caveat names the corroboration path: `macos_install_history` and
/// Gatekeeper records for how the plist / its target got onto the host.
/// `related_artifacts` lists only the system LaunchAgents entry; the
/// user-agents entry links back here, so the graph is one-directional —
/// NOTE(review): confirm that is intended.
pub static MACOS_LAUNCH_DAEMONS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_launch_daemons",
name: "macOS LaunchDaemons",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/Library/LaunchDaemons/"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "System LaunchDaemon plist files. Run as root at system boot, independent of user login. High-value persistence for privileged malware.",
mitre_techniques: &["T1543.004"],
fields: &[],
retention: Some("Persistent until removed"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["macos_launch_agents_system"],
sources: &[
"https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"LaunchDaemons run as root; highest-privilege persistence mechanism on macOS",
"Correlate with install history and Gatekeeper records for origin attribution",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "LaunchDaemon plist; persists across reboots, requires root",
};
/// Per-user TCC (Transparency, Consent, and Control) database.
///
/// This is the *user* database under `~/Library/Application Support`;
/// the system-wide one is a separate catalog entry
/// (`macos_ext::MACOS_TCC_SYSTEM_DB`) and is not listed in
/// `related_artifacts` here — NOTE(review): consider cross-linking.
/// Detection angle: grants that do not match the user's recorded consent
/// history, or a modified-time on the DB with no matching prompt in the
/// unified log.
/// NOTE(review): ATT&CK has a TCC-specific sub-technique, T1548.006
/// (TCC Manipulation); the parent T1548 used here is not wrong but is
/// less precise.
pub static MACOS_TCC_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_tcc_db",
name: "macOS TCC Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Application Support/com.apple.TCC/TCC.db"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Transparency, Consent, and Control database. Records which applications have been granted permissions (camera, microphone, Full Disk Access, etc.). Attackers may modify TCC.db to bypass privacy controls.",
mitre_techniques: &["T1548"],
fields: &[],
retention: Some("Persistent; updated on permission grant/revoke"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_launch_agents_user"],
sources: &[
"https://www.sentinelone.com/blog/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/",
"https://eclecticlight.co/2020/11/04/tcc-in-big-sur-more-permissions-issues/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user LaunchServices quarantine events database.
///
/// Records the origin of downloaded files (URL, date, downloading agent)
/// and survives deletion of the file itself, which is what makes it a
/// `High` entry: it answers "where did this come from" after the payload
/// is gone. Pairs with `macos_safari_downloads`, which records the same
/// event from the browser's side.
pub static MACOS_QUARANTINE_EVENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_quarantine_events",
name: "macOS Quarantine Events Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "SQLite database recording all files downloaded from the internet with their origin URL, download date, and quarantine agent. Proves a file was downloaded even after deletion.",
mitre_techniques: &["T1204.002"],
fields: &[],
retention: Some("Persistent; entries accumulate unless cleared"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_safari_downloads"],
sources: &[
"https://www.jaiminton.com/cheatsheet/DFIR/#quarantine-events",
"https://eclecticlight.co/2021/06/05/checking-quarantine-flags-in-big-sur/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Safari browsing history database (`History.db`) in the user's
/// Library.
///
/// Indexed as a whole file with no per-row schema (`fields: &[]`), so
/// parsing the SQLite tables is left to the consumer. Retention is
/// described as rotated, so absence of an entry is weak evidence.
pub static MACOS_SAFARI_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_safari_history",
name: "macOS Safari Browser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Safari/History.db"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "SQLite database containing Safari browsing history with URLs, timestamps, and visit counts. Key artifact for establishing attacker research, C2 communication attempts, and data exfiltration.",
mitre_techniques: &["T1217"],
fields: &[],
retention: Some("Rotated; typically weeks to months of history"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_safari_downloads", "macos_quarantine_events"],
sources: &[
"https://www.sans.org/blog/mac-artifact-safari/",
"https://www.magnetforensics.com/blog/artifacts-for-ios-investigations/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Safari download record plist (`Downloads.plist`).
///
/// Browser-side counterpart of `macos_quarantine_events`: the same
/// download should appear in both, and a quarantine event with no Safari
/// download record (or vice versa) is worth a second look. Rated
/// `Medium` because it is corroborative rather than primary.
pub static MACOS_SAFARI_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_safari_downloads",
name: "macOS Safari Downloads",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Safari/Downloads.plist"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Plist file recording all files downloaded via Safari with source URL, local path, and download date. Corroborates quarantine events database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: Some("Persistent; entries accumulate"),
triage_priority: TriagePriority::Medium,
related_artifacts: &["macos_safari_history", "macos_quarantine_events"],
sources: &[
"https://www.sans.org/blog/mac-artifact-safari/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `knowledgeC.db` (Duet Activity Scheduler) timeline database.
///
/// Roughly a 30-day rolling window per `retention`, so it is a
/// recent-activity source, not a historical one.
/// NOTE(review): `os_scope` is `MacOS12Plus`, the same variant used for
/// the unified log; confirm that this database is actually populated on
/// the releases that variant covers, since the cited sources predate
/// macOS 12 — if the variant means "10.12+" that also needs stating.
pub static MACOS_KNOWLEDGEC: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_knowledgec",
name: "macOS KnowledgeC Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Application Support/Knowledge/knowledgeC.db"),
scope: DataScope::User,
os_scope: OsScope::MacOS12Plus,
decoder: Decoder::Identity,
meaning: "SQLite database maintained by the Duet Activity Scheduler. Records application usage, device lock/unlock events, browser activity, and screen time. Rich timeline source for user activity reconstruction.",
mitre_techniques: &["T1083"],
fields: &[],
retention: Some("Rolling window; typically 30 days"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_unified_log"],
sources: &[
"https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-ios-to-determine-precise-user-and-application-usage",
"https://github.com/mac4n6/APOLLO",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-session bash history directory (`~/.bash_sessions/`).
///
/// Only present for users who ran bash; `meaning` already notes that zsh
/// is the default shell on newer releases, so an empty or missing
/// directory is not itself suspicious. The catalog has separate
/// `LINUX_BASH_HISTORY` / `LINUX_ZSH_HISTORY` entries; presumably the
/// zsh history on macOS is covered there or not at all — confirm, as it
/// is not in `related_artifacts`.
pub static MACOS_BASH_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_bash_sessions",
name: "macOS Bash Session History",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.bash_sessions/"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Per-session bash history files. macOS Catalina+ uses zsh by default but bash_sessions may persist for users who used bash previously. Contains command history per terminal session.",
mitre_techniques: &["T1059.004"],
fields: &[],
retention: Some("Persistent per session"),
triage_priority: TriagePriority::Medium,
related_artifacts: &["macos_unified_log"],
sources: &[
"https://eclecticlight.co/2019/07/08/why-mojave-could-be-your-last-bash/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// System installer receipt log (`/Library/Receipts/InstallHistory.plist`).
///
/// Covers packages installed through the macOS installer framework only;
/// software dropped by copying a bundle or via a script will not appear
/// here, so a missing entry does not mean "not installed". Linked from
/// the unified-log and LaunchDaemons entries as the origin-attribution
/// source.
pub static MACOS_INSTALL_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_install_history",
name: "macOS Software Install History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/Library/Receipts/InstallHistory.plist"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Plist recording all software packages installed via macOS installer. Includes package name, version, date, and source. Useful for identifying unauthorized software installation.",
mitre_techniques: &["T1204"],
fields: &[],
retention: Some("Persistent; accumulates over system lifetime"),
triage_priority: TriagePriority::Medium,
related_artifacts: &["macos_launch_daemons"],
sources: &[
"https://www.forensicmike1.com/2019/12/17/macos-forensic-artifacts-install-history/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Gatekeeper policy state.
///
/// NOTE(review): the `name` and `meaning` describe assessment *logs*, but
/// `file_path` points at the Gatekeeper preferences plist
/// (`SystemPolicy-prefs.plist`), which holds the enabled/disabled
/// setting rather than per-application decisions. Per-app allow/deny
/// rules live in the `/var/db/SystemPolicy` database and the decisions
/// themselves are logged to the unified log; confirm which of these the
/// collector is meant to capture and adjust the path or the description.
/// Even as-is the plist is useful: Gatekeeper being turned off is a
/// T1553.001 indicator on its own.
pub static MACOS_GATEKEEPER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_gatekeeper_logs",
name: "macOS Gatekeeper Assessment Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/db/SystemPolicy-prefs.plist"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Gatekeeper policy database and assessment logs. Records which applications were allowed or blocked by Gatekeeper. Useful for detecting Gatekeeper bypass attempts.",
mitre_techniques: &["T1553.001"],
fields: &[],
retention: Some("Persistent; updated on policy decisions"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_tcc_db"],
sources: &[
"https://support.apple.com/en-us/102445",
"https://www.sentinelone.com/blog/gatekeeper-bypass-macos-security/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// User login keychain database (`login.keychain-db`).
///
/// Rated `Corroborative` rather than `Strong`: the caveats explain that
/// the DB is encrypted and needs the user's password to read, so in most
/// acquisitions it tells you *which* accounts had stored credentials,
/// not whether they were used. Its triage value is as a scoping aid
/// after a confirmed user-level compromise (T1555.001).
/// An acquired copy is credential material; handle it under the same
/// controls as the live secrets it contains.
pub static MACOS_KEYCHAIN_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_keychain_user",
name: "macOS User Keychain",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Keychains/login.keychain-db"),
scope: DataScope::User,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "User keychain database storing passwords, certificates, and private keys. Unlocked at login with user password. Attackers with user access can dump all stored credentials.",
mitre_techniques: &["T1555.001"],
fields: &[],
retention: Some("Persistent; updated on credential add/remove"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["macos_tcc_db"],
sources: &[
"https://www.hexnode.com/blogs/macos-keychain-forensics/",
"https://github.com/n0fate/chainbreaker",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
evidence_caveats: &[
"Keychain DB requires user unlock; credential entries show what accounts were stored",
"Cannot be read without unlocking; useful post-acquisition with user password",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Keychain DB; persists until item deletion or keychain reset",
};
/// Event Monitor Daemon rule directory (`/etc/emond.d/rules/`).
///
/// Legacy persistence surface: `meaning` notes the daemon is deprecated
/// from macOS 12, so a populated rules directory on a newer host is
/// itself anomalous, and on an older host any rule with a command action
/// warrants review. `os_scope` is the generic `MacOS` variant, which is
/// reasonable since the directory may still exist after upgrade.
/// NOTE(review): ATT&CK has an emond-specific sub-technique, T1546.014;
/// the parent T1546 used here is less precise.
pub static MACOS_EMOND: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_emond",
name: "macOS Event Monitor Daemon Rules",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/emond.d/rules/"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "emond plist rules executed by the Event Monitor Daemon. Deprecated in macOS 12 but exploited for persistence on older versions. Rules can execute commands on system events.",
mitre_techniques: &["T1546"],
fields: &[],
retention: Some("Persistent until removed"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_launch_daemons"],
sources: &[
"https://www.xorrior.com/emond-persistence/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CoreAnalytics execution reports under `/Library/Logs/DiagnosticReports/`.
///
/// Positioned as the macOS analogue of Prefetch: evidence that a process
/// ran, with a rolling retention so older reports are gone.
/// NOTE(review): `meaning` names a `.ca_report` extension and says the
/// reports carry SHA256 hashes; neither is established by anything else
/// on this page, and the directory also holds ordinary crash reports
/// (see the separate `macos_ext::MACOS_DIAGNOSTIC_REPORTS` entry, which
/// is not cross-linked here). Confirm the extension and the hash claim
/// against the cited CrowdStrike write-up before relying on either in
/// triage.
pub static MACOS_COREANALYTICS: ArtifactDescriptor = ArtifactDescriptor {
id: "macos_coreanalytics",
name: "macOS CoreAnalytics Execution Reports",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/Library/Logs/DiagnosticReports/"),
scope: DataScope::System,
os_scope: OsScope::MacOS,
decoder: Decoder::Identity,
meaning: "Execution reports generated by macOS diagnostics. CoreAnalytics .ca_report files record process execution metadata including SHA256 hashes. Provides execution evidence similar to Windows Prefetch.",
mitre_techniques: &["T1059"],
fields: &[],
retention: Some("Rolling; older reports auto-deleted"),
triage_priority: TriagePriority::High,
related_artifacts: &["macos_unified_log"],
sources: &[
"https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Record schema for [`MEM_RUNNING_PROCESSES`]: one record per process
/// object found in the memory image.
///
/// `pid` is the only uid component, so two records with the same PID
/// collide; presumably the consumer keys on PID within a single image —
/// confirm, since PIDs are reused over a host's lifetime.
pub(crate) static MEM_RUNNING_PROCESSES_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "pid",
value_type: ValueType::UnsignedInt,
description: "Process identifier",
is_uid_component: true,
},
FieldSchema {
name: "name",
value_type: ValueType::Text,
description: "Process image name",
is_uid_component: false,
},
FieldSchema {
// Taken from the process object, not the on-disk file, so a path that
// no longer exists on disk is expected for deleted or injected payloads.
name: "path",
value_type: ValueType::Text,
description: "Full executable path from process object",
is_uid_component: false,
},
];
/// Process list carved from a memory image (`ArtifactType::MemoryRegion`).
///
/// Rated `Definitive` / `Volatile`: what is in the image is what was
/// running, but the image only exists if acquired before power-off
/// (caveat and `retention`). Detection value comes from diffing this list
/// against what the live OS reported — a process present here but absent
/// from API-level listings is the hiding the `meaning` describes.
/// Records use [`MEM_RUNNING_PROCESSES_FIELDS`].
pub static MEM_RUNNING_PROCESSES: ArtifactDescriptor = ArtifactDescriptor {
id: "mem_running_processes",
name: "Running Processes (Memory)",
artifact_type: ArtifactType::MemoryRegion,
hive: None,
key_path: "",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Live process list from RAM; reveals injected processes, hollowing, and malware hiding from OS APIs",
mitre_techniques: &["T1057", "T1055"],
fields: MEM_RUNNING_PROCESSES_FIELDS,
retention: Some("RAM only; lost on power-off"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["mem_loaded_modules", "mem_network_connections"],
sources: &[
"https://volatilityfoundation.org/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Live RAM only; requires active acquisition"],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "RAM; lost on power-off",
};
/// Record schema for [`MEM_NETWORK_CONNECTIONS`]: one record per socket
/// structure recovered from memory.
///
/// `local_addr` and `remote_addr` together form the uid; `state` and
/// `pid` are attributes. Both address fields are free text (`Text`), so
/// presumably they carry `ip:port` as a single string — confirm the
/// format with the memory parser before building matchers on them.
pub(crate) static MEM_NETWORK_CONNECTIONS_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "local_addr",
value_type: ValueType::Text,
description: "Local IP address and port",
is_uid_component: true,
},
FieldSchema {
name: "remote_addr",
value_type: ValueType::Text,
description: "Remote IP address and port",
is_uid_component: true,
},
FieldSchema {
name: "state",
value_type: ValueType::Text,
description: "TCP connection state (ESTABLISHED, LISTEN, etc.)",
is_uid_component: false,
},
FieldSchema {
// Joins to MEM_RUNNING_PROCESSES_FIELDS.pid within the same image.
name: "pid",
value_type: ValueType::UnsignedInt,
description: "Owning process identifier",
is_uid_component: false,
},
];
/// Network connection table recovered from kernel socket structures in a
/// memory image.
///
/// `Definitive` for what it shows, but the caveat and `retention` both
/// flag the acquisition race: short-lived connections can close between
/// the moment of interest and the capture, so absence proves nothing.
/// Records use [`MEM_NETWORK_CONNECTIONS_FIELDS`]; join on `pid` to
/// `mem_running_processes` to attribute a remote endpoint to an image.
pub static MEM_NETWORK_CONNECTIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "mem_network_connections",
name: "Network Connections (Memory)",
artifact_type: ArtifactType::MemoryRegion,
hive: None,
key_path: "",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Active and recently closed network connections from kernel socket structures; reveals C2 channels and lateral movement paths",
mitre_techniques: &["T1049"],
fields: MEM_NETWORK_CONNECTIONS_FIELDS,
retention: Some("RAM only; connections may close during acquisition"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["mem_running_processes"],
sources: &[
"https://volatilityfoundation.org/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Volatile; connections may close during acquisition"],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "RAM; lost on power-off",
};
/// Record schema for [`MEM_LOADED_MODULES`]: one record per module mapped
/// into a process address space.
///
/// `base_addr` alone is the uid component. NOTE(review): base addresses
/// are per-process virtual addresses, so two processes loading the same
/// DLL at the same base (common with ASLR-shared system DLLs) produce
/// colliding uids unless the consumer also scopes by owning process —
/// there is no `pid` field in this schema; confirm that is intended.
pub(crate) static MEM_LOADED_MODULES_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "base_addr",
value_type: ValueType::UnsignedInt,
description: "Module base address in process virtual memory",
is_uid_component: true,
},
FieldSchema {
name: "name",
value_type: ValueType::Text,
description: "Module image name",
is_uid_component: false,
},
FieldSchema {
name: "path",
value_type: ValueType::Text,
description: "Full path of the loaded DLL or module",
is_uid_component: false,
},
];
/// Module list per process, carved from a memory image.
///
/// The caveat states the detection logic directly: a mapped executable
/// region with no entry in the loader's module list is the signature of
/// reflective injection (T1055). Unsigned or no-path modules are the
/// secondary signal. Rated `High` rather than `Critical`, one notch
/// below the process list it depends on.
/// Records use [`MEM_LOADED_MODULES_FIELDS`].
pub static MEM_LOADED_MODULES: ArtifactDescriptor = ArtifactDescriptor {
id: "mem_loaded_modules",
name: "Loaded Modules (Memory)",
artifact_type: ArtifactType::MemoryRegion,
hive: None,
key_path: "",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "DLLs and modules loaded into process address spaces; detects reflective DLL injection and unsigned in-memory modules",
mitre_techniques: &["T1055"],
fields: MEM_LOADED_MODULES_FIELDS,
retention: Some("RAM only; lost on power-off"),
triage_priority: TriagePriority::High,
related_artifacts: &["mem_running_processes"],
sources: &[
"https://volatilityfoundation.org/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Live RAM only; requires active acquisition; unlisted modules indicate injection"],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "RAM; lost on power-off",
};
/// Record schema for [`MEM_REGISTRY_HIVES`]: one record per hive the
/// kernel has loaded.
///
/// `hive_name` is the uid component; `base_addr` is the kernel-mode
/// address of the hive structure (the description names `CM_HIVE`),
/// recorded so a consumer can re-walk the hive from the image.
pub(crate) static MEM_REGISTRY_HIVES_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "hive_name",
value_type: ValueType::Text,
description: "Name of the in-memory registry hive",
is_uid_component: true,
},
FieldSchema {
name: "base_addr",
value_type: ValueType::UnsignedInt,
description: "Hive CM_HIVE base address in kernel memory",
is_uid_component: false,
},
];
/// Registry hives as resident in kernel memory.
///
/// Two reasons this differs from the on-disk hives (caveat): writes not
/// yet flushed, and volatile keys that never reach disk at all. A key
/// present here but absent from the disk hive, or vice versa, is the
/// finding; the `meaning` lists deleted-on-disk keys and malware-created
/// volatile hives as the cases of interest (T1012).
/// Records use [`MEM_REGISTRY_HIVES_FIELDS`].
pub static MEM_REGISTRY_HIVES: ArtifactDescriptor = ArtifactDescriptor {
id: "mem_registry_hives",
name: "In-Memory Registry Hives",
artifact_type: ArtifactType::MemoryRegion,
hive: None,
key_path: "",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Registry hives as held in kernel memory; may reveal keys deleted on disk, transient values, and malware-created volatile hives not flushed to disk",
mitre_techniques: &["T1012"],
fields: MEM_REGISTRY_HIVES_FIELDS,
retention: Some("RAM only; lost on power-off"),
triage_priority: TriagePriority::High,
related_artifacts: &["mem_running_processes"],
sources: &[
"https://volatilityfoundation.org/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Live RAM only; in-memory hive state may differ from on-disk"],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "RAM; lost on power-off",
};
/// Record schema for [`MEM_USER_CREDENTIALS`].
///
/// Deliberately metadata-only: `account` (uid component) and a
/// `credential_type` label. There is no field for the secret itself,
/// so records describe *that* material for an account was resident,
/// not its value — keep it that way; the descriptor exists to scope
/// exposure, not to carry secrets through the pipeline.
pub(crate) static MEM_USER_CREDENTIALS_FIELDS: &[FieldSchema] = &[
FieldSchema {
name: "account",
value_type: ValueType::Text,
description: "Account name associated with the credential material",
is_uid_component: true,
},
FieldSchema {
name: "credential_type",
value_type: ValueType::Text,
description: "Type of credential (NTLM hash, Kerberos ticket, cleartext, etc.)",
is_uid_component: false,
},
];
/// Credential material resident in LSASS process memory (T1003.001).
///
/// Defender use is exposure scoping: which accounts had reusable
/// material on a compromised host, and of what kind, so that those
/// accounts can be rotated and their Kerberos tickets invalidated.
/// Memory images that contain this region are themselves credential
/// material and need the same handling as the secrets they hold.
/// NOTE(review): the single caveat restates `meaning`; the usual
/// operational caveats (LSA protection / Credential Guard reducing what
/// is recoverable, acquisition ordering relative to the other `mem_*`
/// entries) are not recorded and would be worth adding.
/// Records use [`MEM_USER_CREDENTIALS_FIELDS`].
pub static MEM_USER_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "mem_user_credentials",
name: "User Credentials in Memory (LSASS)",
artifact_type: ArtifactType::MemoryRegion,
hive: None,
key_path: "",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "NTLM hashes, Kerberos tickets, and cleartext credentials cached in LSASS process memory; most valuable live artifact for credential theft detection",
mitre_techniques: &["T1003.001"],
fields: MEM_USER_CREDENTIALS_FIELDS,
retention: Some("RAM only; lost on power-off"),
triage_priority: TriagePriority::Critical,
related_artifacts: &["mem_running_processes"],
sources: &[
"https://volatilityfoundation.org/",
"https://www.sans.org/blog/protecting-privileged-domain-accounts-lsa-secrets-good-times/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Credentials in memory (LSASS); most valuable live artifact"],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "RAM; lost on power-off",
};
pub(crate) static CATALOG_ENTRIES: &[ArtifactDescriptor] = &[
USERASSIST_EXE,
USERASSIST_FOLDER,
USERASSIST_XP_EXE,
USERASSIST_XP_IE_FAVORITES,
USERASSIST_XP_IE7,
RUN_KEY_HKLM_RUN,
RUN_KEY_HKCU_RUN,
RUN_KEY_HKCU_RUNONCE,
RUN_KEY_HKLM_RUNONCE,
TYPED_URLS,
TYPED_URLS_TIME,
PCA_APPLAUNCH_DIC,
PCA_GENERAL_DB,
WINDOWS_HOSTS_FILE,
DNS_POLICY_CONFIG_NRPT,
IFEO_DEBUGGER,
SHELLBAGS_USER,
AMCACHE_APP_FILE,
SHIMCACHE,
SHIMCACHE_MEMORY,
BAM_USER,
DAM_USER,
SAM_USERS,
LSA_SECRETS,
DCC2_CACHE,
MRU_RECENT_DOCS,
USB_ENUM,
MUICACHE,
APPINIT_DLLS,
WINLOGON_USERINIT,
SCREENSAVER_EXE,
WINLOGON_SHELL,
SERVICES_IMAGEPATH,
ACTIVE_SETUP_HKLM,
ACTIVE_SETUP_HKCU,
COM_HIJACK_CLSID_HKCU,
APPCERT_DLLS,
BOOT_EXECUTE,
LSA_SECURITY_PKGS,
LSA_AUTH_PKGS,
PRINT_MONITORS,
TIME_PROVIDERS,
NETSH_HELPER_DLLS,
BROWSER_HELPER_OBJECTS,
STARTUP_FOLDER_USER,
STARTUP_FOLDER_SYSTEM,
SCHEDULED_TASKS_DIR,
WDIGEST_CACHING,
MFT,
USNJRNL,
LOGFILE_NTFS,
WORDWHEEL_QUERY,
OPENSAVE_MRU,
LASTVISITED_MRU,
PREFETCH_DIR,
SRUM_DB,
WINDOWS_TIMELINE,
WINDOWS_TIMELINE_DEVICECACHE,
WINDOWS_SEARCH_DB_WIN11,
POWERSHELL_HISTORY,
RECYCLE_BIN,
THUMBCACHE,
SEARCH_DB_USER,
DPAPI_MASTERKEY_USER,
DPAPI_CRED_USER,
DPAPI_CRED_ROAMING,
WINDOWS_VAULT_USER,
WINDOWS_VAULT_SYSTEM,
RDP_CLIENT_SERVERS,
RDP_CLIENT_DEFAULT,
NTDS_DIT,
CHROME_LOGIN_DATA,
FIREFOX_LOGINS,
WIFI_PROFILES,
TYPED_PATHS,
RUN_MRU,
NETWORK_DRIVES,
APP_PATHS,
MOUNTED_DEVICES,
NETWORKLIST_PROFILES,
PUTTY_SESSIONS,
WINSCP_SAVED_SESSIONS,
WINSCP_INI,
WINRAR_HISTORY,
NETWORK_INTERFACES,
PAGEFILE_SYS,
HIBERFIL_SYS,
MOUNTPOINTS2,
PORTABLE_DEVICES,
RDP_BITMAP_CACHE,
LINUX_CRONTAB_SYSTEM,
LINUX_CRON_D,
LINUX_CRON_PERIODIC,
LINUX_USER_CRONTAB,
LINUX_ANACRONTAB,
LINUX_SYSTEMD_SYSTEM_UNIT,
LINUX_SYSTEMD_USER_UNIT,
LINUX_SYSTEMD_TIMER,
LINUX_RC_LOCAL,
LINUX_INIT_D,
LINUX_BASHRC_USER,
LINUX_BASH_PROFILE_USER,
LINUX_PROFILE_USER,
LINUX_ZSHRC_USER,
LINUX_PROFILE_SYSTEM,
LINUX_PROFILE_D,
LINUX_LD_SO_PRELOAD,
LINUX_LD_SO_CONF_D,
LINUX_SSH_AUTHORIZED_KEYS,
LINUX_PAM_MODULE_DIR,
LINUX_PAM_D,
LINUX_SUDOERS_D,
LINUX_MODULES_LOAD_D,
LINUX_MOTD_D,
LINUX_UDEV_RULES_D,
LINUX_BASH_HISTORY,
LINUX_ZSH_HISTORY,
LINUX_WTMP,
LINUX_BTMP,
LINUX_LASTLOG,
LINUX_AUTH_LOG,
LINUX_JOURNAL_DIR,
LINUX_PASSWD,
LINUX_SHADOW,
LINUX_SSH_PRIVATE_KEY,
LINUX_SSH_KNOWN_HOSTS,
LINUX_GNUPG_PRIVATE,
LINUX_AWS_CREDENTIALS,
LINUX_DOCKER_CONFIG,
LNK_FILES,
JUMP_LIST_AUTO,
JUMP_LIST_CUSTOM,
JUMP_LIST_APPID_REGISTRY,
TASKBAND_FAVORITES,
EVTX_DIR,
MFT_FILE,
USN_JOURNAL,
WMI_MOF_DIR,
BITS_DB,
WMI_SUBSCRIPTIONS,
LOGON_SCRIPTS,
WINSOCK_LSP,
APPSHIM_DB,
PASSWORD_FILTER_DLL,
OFFICE_NORMAL_DOTM,
POWERSHELL_PROFILE_ALL,
DPAPI_SYSTEM_MASTERKEY,
DPAPI_CREDHIST,
CHROME_COOKIES,
EDGE_WEBCACHE,
VPN_RAS_PHONEBOOK,
WINDOWS_HELLO_NGC,
USER_CERT_PRIVATE_KEY,
MACHINE_CERT_STORE,
LINUX_AT_QUEUE,
LINUX_SSHD_CONFIG,
LINUX_ETC_GROUP,
LINUX_GNOME_KEYRING,
LINUX_KDE_KWALLET,
LINUX_CHROME_LOGIN_LINUX,
LINUX_FIREFOX_LOGINS_LINUX,
LINUX_UTMP,
LINUX_GCP_CREDENTIALS,
LINUX_AZURE_CREDENTIALS,
LINUX_KUBE_CONFIG,
LINUX_GIT_CREDENTIALS,
LINUX_NETRC,
LINUX_ETC_ENVIRONMENT,
LINUX_XDG_AUTOSTART_USER,
LINUX_XDG_AUTOSTART_SYSTEM,
LINUX_NETWORKMANAGER_DISPATCHER,
LINUX_APT_HOOKS,
JUMP_LIST_SYSTEM,
LNK_FILES_OFFICE,
PREFETCH_FILE,
SRUM_NETWORK_USAGE,
SRUM_NETWORK_CONNECTIONS,
SRUM_APP_RESOURCE,
SRUM_ENERGY_USAGE,
SRUM_PUSH_NOTIFICATION,
EVTX_SECURITY,
EVTX_SYSTEM,
EVTX_POWERSHELL,
EVTX_APPLICATION_MSIINSTALLER,
EVTX_SYSMON,
EVTX_DEFENDER_OPERATIONAL,
MACOS_UNIFIED_LOG,
MACOS_LAUNCH_AGENTS_USER,
MACOS_LAUNCH_AGENTS_SYSTEM,
MACOS_LAUNCH_DAEMONS,
MACOS_TCC_DB,
MACOS_QUARANTINE_EVENTS,
MACOS_SAFARI_HISTORY,
MACOS_SAFARI_DOWNLOADS,
MACOS_KNOWLEDGEC,
MACOS_BASH_SESSIONS,
MACOS_INSTALL_HISTORY,
MACOS_GATEKEEPER_LOGS,
MACOS_KEYCHAIN_USER,
MACOS_EMOND,
MACOS_COREANALYTICS,
MEM_RUNNING_PROCESSES,
MEM_NETWORK_CONNECTIONS,
MEM_LOADED_MODULES,
MEM_REGISTRY_HIVES,
MEM_USER_CREDENTIALS,
windows_registry_ext::SAFEBOOT_MINIMAL,
windows_registry_ext::SAFEBOOT_NETWORK,
windows_registry_ext::KNOWN_DLLS,
windows_registry_ext::CMD_AUTORUN_HKLM,
windows_registry_ext::CMD_AUTORUN_HKCU,
windows_registry_ext::CREDENTIAL_PROVIDERS,
windows_registry_ext::NETWORK_PROVIDER_ORDER,
windows_registry_ext::SHELL_EXECUTE_HOOKS,
windows_registry_ext::WER_RUNTIME_EXCEPTION_HELPER,
windows_registry_ext::IFEO_GLOBAL_FLAG,
windows_registry_ext::SCHEDULED_TASK_REGISTRY_CACHE,
windows_registry_ext::GROUP_POLICY_STARTUP_SCRIPTS,
windows_registry_ext::GROUP_POLICY_LOGON_SCRIPTS,
windows_registry_ext::WINLOGON_NOTIFY,
windows_registry_ext::COM_SERVER_HKLM,
windows_registry_ext::OFFICE_ADDINS,
windows_registry_ext::TERMINAL_SERVER_INITIAL_PROGRAM,
windows_registry_ext::RECENTAPPS,
windows_registry_ext::NETWORK_SHARES_HKCU,
windows_registry_ext::DEFAULT_BROWSER,
windows_registry_ext::PROXY_SETTINGS,
windows_registry_ext::SYSTEM_TIMEZONE,
windows_registry_ext::COMPUTER_NAME,
windows_registry_ext::SHUTDOWN_TIME,
windows_registry_ext::USB_STOR_ENUM,
windows_registry_ext::SETUPAPI_DEV_LOG,
windows_registry_ext::UNINSTALL_KEYS,
windows_registry_ext::USER_ACCOUNT_SID,
windows_registry_ext::TERMINAL_SERVER_CLIENT_SERVERS,
windows_registry_ext::INTERNET_EXPLORER_TYPED_URLS,
windows_evtx_ext::EVTX_TASK_SCHEDULER,
windows_evtx_ext::EVTX_RDP_CLIENT,
windows_evtx_ext::EVTX_RDP_INBOUND,
windows_evtx_ext::EVTX_RDP_SESSION,
windows_evtx_ext::EVTX_WINRM,
windows_evtx_ext::EVTX_WMI_ACTIVITY,
windows_evtx_ext::EVTX_BITS_CLIENT,
windows_evtx_ext::EVTX_APPLOCKER,
windows_evtx_ext::EVTX_APPLOCKER_SCRIPT,
windows_evtx_ext::EVTX_DEFENDER,
windows_evtx_ext::EVTX_FIREWALL,
windows_evtx_ext::EVTX_CODE_INTEGRITY,
windows_evtx_ext::EVTX_NTLM,
windows_evtx_ext::EVTX_PRINT_SERVICE,
windows_evtx_ext::EVTX_NETLOGON,
windows_evtx_ext::EVTX_SMB_CLIENT,
windows_evtx_ext::EVTX_NETWORK_PROFILE,
windows_evtx_ext::EVTX_KERNEL_PNP,
windows_evtx_ext::EVTX_DRIVER_FRAMEWORKS,
windows_evtx_ext::EVTX_LSA_PROTECTION,
windows_evtx_ext::EVTX_CAPI2,
windows_evtx_ext::EVTX_POWERSHELL_CLASSIC,
windows_evtx_ext::EVTX_DNS_CLIENT,
windows_evtx_ext::EVTX_TERMINAL_SERVICES,
windows_evtx_ext::EVTX_APPLICATION_EXPERIENCE_TELEMETRY,
macos_ext::MACOS_FSEVENTS,
macos_ext::MACOS_SPOTLIGHT_STORE,
macos_ext::MACOS_DOCK_PLIST,
macos_ext::MACOS_LOGIN_ITEMS_PLIST,
macos_ext::MACOS_SFL2_RECENT_ITEMS,
macos_ext::MACOS_SFL2_RECENT_SERVERS,
macos_ext::MACOS_WIFI_PLIST,
macos_ext::MACOS_SCREEN_TIME_DB,
macos_ext::MACOS_TCC_SYSTEM_DB,
macos_ext::MACOS_SMS_DB,
macos_ext::MACOS_NOTES_DB,
macos_ext::MACOS_PHOTOS_DB,
macos_ext::MACOS_ICLOUD_DRIVE_DB,
macos_ext::MACOS_LOCATIOND_CLIENTS,
macos_ext::MACOS_LOCKDOWND_LOG,
macos_ext::MACOS_INSTALLER_RECEIPTS,
macos_ext::MACOS_SAFARI_LOCALSTORAGE,
macos_ext::MACOS_NOTIFICATION_CENTER_DB,
macos_ext::MACOS_MDM_ENROLLMENT,
macos_ext::MACOS_ASL_LOGS,
macos_ext::MACOS_DIAGNOSTIC_REPORTS,
macos_ext::MACOS_QUICKLOOK_THUMBNAILS,
macos_ext::MACOS_WIFI_INTELLIGENCE,
macos_ext::APFS_CONTAINER,
linux_ext::LINUX_AUDITD_LOG,
linux_ext::LINUX_AUDIT_RULES,
linux_ext::LINUX_SYSLOG,
linux_ext::LINUX_MESSAGES_LOG,
linux_ext::LINUX_SECURE_LOG,
linux_ext::LINUX_APACHE_ACCESS_LOG,
linux_ext::LINUX_APACHE_ERROR_LOG,
linux_ext::LINUX_NGINX_ACCESS_LOG,
linux_ext::LINUX_FAIL2BAN_LOG,
linux_ext::LINUX_DPKG_LOG,
linux_ext::LINUX_RPM_DB,
linux_ext::LINUX_SELINUX_CONFIG,
linux_ext::LINUX_APPARMOR_PROFILES,
linux_ext::LINUX_IPTABLES_RULES,
linux_ext::LINUX_NFTABLES_CONF,
linux_ext::LINUX_HOSTS_FILE,
linux_ext::LINUX_RESOLV_CONF,
linux_ext::LINUX_PROC_MODULES,
linux_ext::LINUX_MODPROBE_D,
linux_ext::LINUX_DOCKER_CONTAINER_LOGS,
linux_ext::LINUX_DOCKER_DAEMON_JSON,
linux_ext::LINUX_COREDUMP_DIR,
linux_ext::LINUX_LOGROTATE_D,
linux_ext::LINUX_SNAP_PACKAGES,
linux_ext::LINUX_DMESG_RING_BUFFER,
linux_ext::LINUX_KERN_LOG,
linux_ext::LINUX_PROC_KALLSYMS,
linux_ext::LINUX_PROC_NET_TCP,
linux_ext::LINUX_PROC_NET_TCP6,
linux_ext::LINUX_PROC_NET_UDP,
linux_ext::LINUX_PROC_NET_UNIX,
linux_ext::LINUX_LSOF_OUTPUT,
linux_ext::LINUX_SS_OUTPUT,
linux_ext::LINUX_CHKROOTKIT_OUTPUT,
linux_ext::LINUX_RKHUNTER_LOG,
linux_ext::LINUX_SYSCTL_CONF,
linux_ext::LINUX_DMESG,
linux_ext::LINUX_BOOT_LOG,
linux_ext::LINUX_FAILLOG,
linux_ext::LAN_TURTLE_LOOT,
windows_logs_ext::WINDOWS_CRASH_DUMP,
windows_logs_ext::WINDOWS_MINIDUMP,
windows_logs_ext::AMCACHE_DRIVER,
windows_logs_ext::WER_REPORT_QUEUE,
windows_logs_ext::WINDOWS_NOTIFICATION_DB,
windows_logs_ext::AMCACHE_SHORTCUT,
windows_registry_ext2::WINLOGON_AUTOADMIN_LOGON,
windows_registry_ext2::WINLOGON_DEFAULT_PASSWORD,
windows_registry_ext2::WINLOGON_DEFAULT_USERNAME,
windows_registry_ext2::LOGONUI_LAST_LOGGEDON_USER,
windows_registry_ext2::PORTPROXY_CONFIG,
windows_registry_ext2::WINDOWS_DEFENDER_EXCLUSIONS_LOCAL,
windows_registry_ext2::WINDOWS_DEFENDER_DISABLED_AV,
windows_registry_ext2::WINDOWS_DEFENDER_REALTIME,
windows_registry_ext2::MS_OFFICE_TRUSTED_DOCS,
windows_registry_ext2::VSS_FILES_NOT_TO_SNAPSHOT,
windows_registry_ext2::VSS_FILES_NOT_TO_BACKUP,
windows_registry_ext2::IFEO_SILENT_EXIT,
windows_registry_ext2::EXEFILE_SHELL_OPEN_SOFTWARE,
windows_registry_ext2::EXEFILE_SHELL_OPEN_USRCLASS,
windows_registry_ext2::RDP_SHADOW_SESSIONS,
windows_registry_ext2::RESTRICTED_ADMIN_RDP,
windows_registry_ext2::NETWORK_SHARES_SERVER,
windows_registry_ext2::SYSINTERNALS_EULA,
windows_registry_ext2::MS_OFFICE_SERVER_CACHE,
windows_registry_ext2::POWERSHELL_COBALT_INFO,
windows_registry_ext2::STARTUP_APPROVED_RUN_SYSTEM,
windows_registry_ext2::STARTUP_APPROVED_RUN_USER,
windows_registry_ext2::TASKCACHE_TASKS_PATH,
windows_registry_ext2::PROFILE_LIST_USERS,
windows_registry_ext2::REGISTRAR_FAVORITES,
windows_registry_ext2::DHCP_IPV4_INTERFACE,
windows_registry_ext2::NTFS_LAST_ACCESS_STATUS,
windows_registry_ext2::PREFETCH_STATUS,
windows_registry_ext2::FIREWALL_RULES,
windows_registry_ext2::EVENT_LOG_CHANNEL_STATUS,
windows_files_ext::CHROME_HISTORY,
windows_files_ext::CHROME_WEB_DATA,
windows_files_ext::EDGE_CHROMIUM_HISTORY,
windows_files_ext::EDGE_CHROMIUM_LOGIN_DATA,
windows_files_ext::FIREFOX_PLACES,
windows_files_ext::FIREFOX_FORM_HISTORY,
windows_files_ext::FIREFOX_SESSION_RESTORE,
windows_files_ext::PSREADLINE_HISTORY,
windows_files_ext::PSREADLINE_HISTORY_SYSTEM,
windows_files_ext::POWERSHELL_TRANSCRIPTS,
windows_files_ext::TEAMVIEWER_CONNECTION_LOG,
windows_files_ext::TEAMVIEWER_APP_LOG,
windows_files_ext::ANYDESK_TRACE_USER,
windows_files_ext::ANYDESK_TRACE_SYSTEM,
windows_files_ext::ANYDESK_CONNECTION_TRACE,
windows_files_ext::ANYDESK_FILE_TRANSFER_LOG,
windows_files_ext::SCREENCONNECT_SESSION_DB,
windows_files_ext::RUSTDESK_LOGS,
windows_files_ext::DROPBOX_INSTANCE_DB,
windows_files_ext::ONEDRIVE_METADATA,
windows_files_ext::GOOGLE_DRIVE_FS_METADATA,
windows_files_ext::MEGASYNC_DATA,
windows_files_ext::TEAMS_INDEXED_DB,
windows_files_ext::SLACK_INDEXED_DB,
windows_files_ext::DISCORD_LOCAL_STORAGE,
windows_files_ext::SIGNAL_DATABASE,
windows_files_ext::SIGNAL_CONFIG_JSON,
windows_files_ext::WINDOWS_SEARCH_EDB,
windows_files_ext::EVENT_TRANSCRIPT_DB,
windows_files_ext::CERTUTIL_CACHE,
windows_files_ext::SDB_CUSTOM_FILES,
windows_files_ext::WER_REPORTS,
windows_files_ext::IIS_W3SVC_LOGS,
windows_files_ext::IIS_CONFIG_APPLICATIONHOST,
windows_files_ext::DNS_DEBUG_LOG,
windows_files_ext::DHCP_SERVER_LOG,
windows_files_ext::SUM_DB,
windows_files_ext::COPILOT_RECALL_UKG,
windows_files_ext::NTUSER_DAT_FILE,
windows_files_ext::USRCLASS_DAT_FILE,
windows_files_ext::CBS_LOG,
windows_files_ext::PFRO_LOG,
windows_files_ext::SETUPERR_LOG,
windows_files_ext::SETUPAPI_UPGRADE_LOG,
windows_files_ext::WER_REPORTS_USER,
windows_files_ext::WER_REPORTS_SYSTEM,
windows_files_ext::APPX_PACKAGES_USER,
windows_files_ext::APPX_INSTALL_LOG,
windows_files_ext::DIAGNOSTIC_DATA_DIR,
windows_files_ext::WINDOWS_UPDATE_SESSION,
windows_registry_ext3::ACTIVE_SETUP,
windows_registry_ext3::LSA_AUTH_PACKAGES,
windows_registry_ext3::LSA_SECURITY_PACKAGES,
windows_registry_ext3::LSA_NOTIFICATION_PACKAGES,
windows_registry_ext3::SCREENSAVER_PERSISTENCE,
windows_registry_ext3::PRINT_MONITOR_DLLS,
windows_registry_ext3::SERVICES_HKLM,
windows_registry_ext3::WINDOWS_INSTALL_DATE,
windows_registry_ext3::WINDOWS_CLIPBOARD_HISTORY,
windows_registry_ext3::VALLEY_RAT_REGISTRY,
windows_registry_ext3::HYPERV_GUEST_PARAMS,
windows_registry_ext3::REGISTRY_FEATUREUSAGE,
windows_registry_ext3::ENABLE_PERIODIC_BACKUP,
windows_registry_ext3::RDP_ENABLE_REGISTRY,
windows_registry_ext3::SPECIAL_ACCOUNTS_USERLIST,
windows_registry_ext3::LOGONTYPE_WINLOGON,
windows_files_ext::NTUSER_MAN_PERSISTENCE,
windows_files_ext::WINDOWS_CLIPBOARD_DATA_FILES,
windows_files_ext::WINDOWS_DEFENDER_MPWPPTRACING,
generated::browsers_generated::BROWSERS_CHROME_HISTORY,
generated::browsers_generated::BROWSERS_CHROME_PROFILE_DIR,
generated::browsers_generated::BROWSERS_CHROME_COOKIES,
generated::browsers_generated::BROWSERS_CHROME_CACHE_DIR,
generated::browsers_generated::BROWSERS_CHROME_EXTENSIONS_DIR,
generated::browsers_generated::BROWSERS_EDGE_HISTORY,
generated::browsers_generated::BROWSERS_EDGE_COOKIES,
generated::browsers_generated::BROWSERS_EDGE_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FIREFOX_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FIREFOX_PLACES_DB,
generated::browsers_generated::BROWSERS_FIREFOX_COOKIES,
generated::browsers_generated::BROWSERS_FIREFOX_LOGINS,
generated::browsers_generated::BROWSERS_BRAVE_HISTORY,
generated::browsers_generated::BROWSERS_BRAVE_COOKIES,
generated::browsers_generated::BROWSERS_OPERA_HISTORY,
generated::browsers_generated::BROWSERS_OPERA_PROFILE_DIR,
generated::browsers_generated::BROWSERS_VIVALDI_HISTORY,
generated::browsers_generated::BROWSERS_VIVALDI_PROFILE_DIR,
generated::browsers_generated::BROWSERS_SAFARI_HISTORY,
generated::browsers_generated::BROWSERS_SAFARI_COOKIES,
generated::browsers_generated::BROWSERS_SAFARI_DOWNLOADS,
generated::browsers_generated::BROWSERS_IE_HISTORY_DIR,
generated::browsers_generated::BROWSERS_IE_WEBCACHE_DB,
generated::browsers_generated::BROWSERS_IE_TYPED_URLS,
generated::browsers_generated::BROWSERS_TOR_PROFILE_DIR,
generated::browsers_generated::BROWSERS_TOR_PLACES_DB,
generated::browsers_generated::BROWSERS_WATERFOX_PROFILE_DIR,
generated::browsers_generated::BROWSERS_LIBREWOLF_PROFILE_DIR,
generated::browsers_generated::BROWSERS_CHROMIUM_HISTORY,
generated::browsers_generated::BROWSERS_PALEMOON_PROFILE_DIR,
generated::browsers_generated::BROWSERS_SEAMONKEY_PROFILE_DIR,
generated::browsers_generated::BROWSERS_BASILISK_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FALKON_PROFILE_DIR,
generated::browsers_generated::BROWSERS_MIDORI_CONFIG_DIR,
generated::browsers_generated::BROWSERS_MIN_HISTORY_DB,
generated::browsers_generated::BROWSERS_MAXTHON_USER_DATA_DIR,
generated::browsers_generated::BROWSERS_SLIMJET_HISTORY,
generated::evtx_generated::EVTX_APPLICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DFSN_SERVERFILTER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DFSN_SERVERSERVICE_ANALYTIC,
generated::evtx_generated::EVTX_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_IALPSS_GPIO2_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_IALPSS_GPIO2_PERFORMANCE_CHANNEL,
generated::evtx_generated::EVTX_IALPSS2_I2C_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_IALPSS2_I2C_PERFORMANCE_CHANNEL,
generated::evtx_generated::EVTX_OPERATIONAL,
generated::evtx_generated::EVTX_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LSA_PERFORMANCE,
generated::evtx_generated::EVTX_AMSI_DEBUG,
generated::evtx_generated::EVTX_AMSI_OPERATIONAL,
generated::evtx_generated::EVTX_UAC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_APPV_CLIENT_STREAMINGUX_DEBUG,
generated::evtx_generated::EVTX_ADMIN,
generated::evtx_generated::EVTX_VIRTUAL_APPLICATIONS,
generated::evtx_generated::EVTX_MICROSOFT_APPV_CLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_APPV_SHAREDPERFORMANCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSE_FLEXIBLE_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WEBPLATSTORAGE_SERVER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INDEXEDDB_SERVER,
generated::evtx_generated::EVTX_MICROSOFT_IEDVTOOL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_IEFRAME_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_ONECORE_SETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_PEF_WFP_MESSAGEPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_PERFTRACK_IEFRAME_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_PERFTRACK_MSHTML_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_SERVERCORE_SHELLLAUNCHER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_SYSTEM_DIAGNOSTICS_DIAGNOSTICINVOKER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_ADMIN_DEBUG,
generated::evtx_generated::EVTX_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_APP_AGENT_DEBU,
generated::evtx_generated::EVTX_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONALVERBOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AAD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AAD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ADSI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_API_TRACING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASN1_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ATAPORT_SATA_LPM,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ATAPORT_GENERAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ACCELLIB_ACCELCX_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ACTIONQUEUE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ALTTAB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPHOST_INTERNAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPHOST_DIAGNOSTIC,
generated::evtx_generated::EVTX_APPTRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPID_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_EXE_AND_DLL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_MSI_AND_SCRIPT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_EXECUTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_DEPLOYMENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_VERBOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DIAGNOSTICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPSRUPROV,
generated::evtx_generated::EVTX_APPXDEPLOYMENTUNDOCKEDDEH_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_RESTRICTED,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_COMPAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_TELEME,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_STEPS_RECORDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROBLEM_STEPS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_INVENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_COMPATIBILITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESSBROKER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASYNCHRONOUSCAUSALITY_CAUSALITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_CAPTUREMONITOR,
generated::evtx_generated::EVTX_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_PLAYBACKMANAGER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_GLITCHDETECTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTED_USER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AXINSTALLSERVICE_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_HCI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_L2CAP,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTRANSFER_CONTENTPREFETCHER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKUP_OPERATIONAL,
generated::evtx_generated::EVTX_BFE_IPSEC_CONNECTIONS_OPERATIONAL_LOG,
generated::evtx_generated::EVTX_BFE_IPSEC_CONNECTIONS_RESOURCE_FLOWS_OPERATIONAL_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BASE_FILTERING_ENGINE_RESOURCE_FLOWS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BATTERY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BIOMETRICS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BIOMETRICS_ANALYTIC,
generated::evtx_generated::EVTX_MANAGEMENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVER_PERFORMANCE_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHLEPREPAIRING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHMINI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_HIDBTHLE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_POLICY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHECLIENTEVENTPROVIDER_DIAGNO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHEEVENTPROVIDER_DIAGNOSTICCH,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHEMONITORING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_DIAGNOST,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REGSVR32_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CAPI2_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CAPI2_CATALOG_DATABASE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CDROM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_CREATEINSTANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_CREATEINSTANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_EXTENSIONCATALOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_CALL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_FREEUNUSEDLIBRARY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_APARTMENTUNINITIALIZE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_APARTMENTINITIALIZE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_RUNDOWNINSTRUMENTATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_MESSAGEPROCESSING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_ACTIVATIONS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CALCULATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CALCULATOR_DEBUG,
generated::evtx_generated::EVTX_OPERATION_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICES_DEPLOYMENT_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_CREDENTIALR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_S,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_U,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLEANMGR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLEARTYPETEXTTUNER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDFILES_FILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDRESTORELAUNCHER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_INITIALIZATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CMISETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_VERBOSE,
generated::evtx_generated::EVTX_ANALYTICAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_BINDFLT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCIFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCNFS_OPERATIONAL,
generated::evtx_generated::EVTX_SMSROUTER_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_SMSROUTER_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREWINDOW_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_CLIENT_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_SERVER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRASHDUMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRASHDUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDPROVHOST_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDENTIALPROVIDERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_BCRYPT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_CNG_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_BACKUPKEYSVC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DSSENH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_CERTINUSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_KEYMGMT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_RNG_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_RSAENH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D9_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DCLOCATOR_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DDISPLAY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_FILTERNOTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPV6_CLIENT_EVENTS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DLNA_NAMESPACE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DNS_CLIENT_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DUSER_DIAGNOSTIC,
generated::evtx_generated::EVTX_DVD_NAVIGATOR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGI_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATA_PDF_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_CRASHRECOVERY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_SCRUBBING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEFRAG_CORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLORCH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DESKTOPACTIVITYMODERATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DESKTOPWINDOWMANAGER_DIAG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEASSOCIATIONSERVICE_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICECONFIDENCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEGUARD_OPERATIONAL,
generated::evtx_generated::EVTX_AUTOPILOT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEMANAGEMENT_ENTERPRISE_DIAGNOSTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESYNC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESYNC_OPERATIONAL,
generated::evtx_generated::EVTX_DEVICE_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEUX_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEUX_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_BACKGROUND_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_LOCATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_QUERY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPNAP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPNAP_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGCPL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_ADVANCEDTASKMANAGER_ANALYTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PERFHOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCHEDULED_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTEDDIAGNOSTICSPROVIDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_TASKMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_COUNTERS_DIAGNO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIAGNOSTIC_LOOPBACK,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D10_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D10_1_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3DSHADERCACHE_DEFAULT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTCOMPOSITION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTMANIPULATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIRECTSHOWPLUGINCONTROL,
generated::evtx_generated::EVTX_DIRECTSHOW_FILTERGRAPH,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTSHOW_KERNELSUPPORT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTSOUND_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_FONTCACHE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTORYSERVICES_DEPLOYMENT_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTIC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICDATACOLLECTOR_OPERATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICRESOLVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_API_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_API_INTERNALANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_CLI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYSWITCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DOT3MM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DRIVERFRAMEWORKS_USERMODE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIRVER_PROXY_PERFORMANCE,
generated::evtx_generated::EVTX_DRIVER_PROXY_OPERATIONAL,
generated::evtx_generated::EVTX_DUC_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_API_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_COMPOSITOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_DWM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_REDIR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_UDWM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_POWER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_CONTENTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXPTASKRINGTONE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXPTASKSYNCPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_APPLICATION_LE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_REGULAR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_REGULAR_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_TCB_CHAN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_TCB_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EFS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ELS_HYPHENATION_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ESE_IODIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ESE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_DEBUG,
generated::evtx_generated::EVTX_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EASEOFACCESS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EMBEDDEDAPPLAUNCHER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_EVENTLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_TRACE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWEREFFICIENCYDIAGNOSTICS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORCLASS_OPERATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORTCGDRV_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENROLLMENTPOLICYWEBSERVICE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENROLLMENTWEBSERVICE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FMS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAULT_TOLERANT_HEAP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FEDERATIONSERVICES_DEPLOYMENT_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FEEDBACK_SERVICE_TRIGGERPROVIDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CATALOG_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CONFIGMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CORE_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_BACKUPLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_DEBUG,
generated::evtx_generated::EVTX_FILE_HISTORY_BACKUP_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_SERVICE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEINFOMINIFILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEMANAGERAPP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEMANAGERDATAMODEL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FIREWALL_CPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_SETUP_SPLASH_WINDOW_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FOLDER_REDIRECTION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FUNCTIONDISCOVERYHOST_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GENERICROAMING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GETTINGSTARTED_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FONTGROUPS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLOBALIZATION_API_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GROUPPOLICY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HAL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTERCPL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_PERFORMANCE_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENERSERVICE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENER_SERVICE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_PERFORMANC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSTART_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_OPERATIONAL,
generated::evtx_generated::EVTX_HTTP_LOG_CHANNEL,
generated::evtx_generated::EVTX_HTTP_SERVICE_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_KMCL_CHILD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_NETVSC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IE_SMARTSCREEN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ADMINISTRATIVE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_OPERATIONAL,
generated::evtx_generated::EVTX_IIS_DIAGNOSTICS_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_BROKER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CANDIDATEUI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGERUI_ANALYTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPLMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPPRED_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPSETTING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_KRAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_KRTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_OEDCOMPILER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_ROAMING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCCORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCDICCOMPILER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TCCORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TCTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPBUSENUM_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPNAT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPSEC_SRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IDCTRLS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IDCTRLS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINAPI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INDIRECTDISPLAYS_CLASSEXTENSION_EVENT,
generated::evtx_generated::EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_TO_WHICH_INTERNAL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INPUTSWITCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_FOR_WINDOWS_INSTALL_UX_PER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INTERNATIONAL_OPERATIONAL,
generated::evtx_generated::EVTX_IPHLPSVC_ETW_CHANNEL,
generated::evtx_generated::EVTX_IPHLPSVC_ETW_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KDSSVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_ACPI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_GENERAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOTDIAGNOSTICS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_PARTITION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_STARVATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_DISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_DUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_FILE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_IO_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_IOTRACE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_MEMORY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_NETWORK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PEP_DIAGNOSTIC,
generated::evtx_generated::EVTX_BOOT_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PNP_DIAGNOSTIC,
generated::evtx_generated::EVTX_DRIVER_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_ENUMERATION_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_CONFIGURATION_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_CONFIGURATION,
generated::evtx_generated::EVTX_PNP_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_MANAGEMENT,
generated::evtx_generated::EVTX_DRIVER_WATCHDOG_CHANNEL,
generated::evtx_generated::EVTX_CONFIGURATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_THERMAL_DIAGNOSTIC,
generated::evtx_generated::EVTX_THERMAL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PREFETCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PRM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESSOR_POWER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_ERRORS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_XDV_ANALYTIC,
generated::evtx_generated::EVTX_WINDOWS_KS_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KNOWN_FOLDERS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WLAN_AUTOCONFIG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WIRED_AUTOCONFIG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_L2NACP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LAPS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LDAP_CLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LUA_CONSENTUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_DEBUG,
generated::evtx_generated::EVTX_MAJOR_STATE_CONFIGURATION_CHANGE_THAT_CAN_HELP_DEBUG_AD,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIMITSMANAGEMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIVEID_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIVEID_OPERATIONAL,
generated::evtx_generated::EVTX_AUTOMATION,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_FRAMESERVER,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_DEVICEPROXY,
generated::evtx_generated::EVTX_MF_MEDIAFOUNDATIONDEVICEPROXY,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PIPELINE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_CONTENTPROTECTION,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_ASYNCWRAPPER,
generated::evtx_generated::EVTX_MEDIAFOUNDATIONASYNCWRAPPER,
generated::evtx_generated::EVTX_MFDS,
generated::evtx_generated::EVTX_SRCPREFETCH,
generated::evtx_generated::EVTX_MP4,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_DEVICEMFT,
generated::evtx_generated::EVTX_WINDOWS_MFH264ENC_CHANNEL,
generated::evtx_generated::EVTX_WINDOWS_MP4SDECD_CHANNEL,
generated::evtx_generated::EVTX_MUXENCODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_CLNT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_DRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_SRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSFTEDIT_DIAGNOSTIC,
generated::evtx_generated::EVTX_WINDOWS_MSMPEG2ADEC_CHANNEL,
generated::evtx_generated::EVTX_WINDOWS_MSMPEG2VDEC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSMQ_END2END,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSPAINT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSPAINT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHVCNFG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_ANALYTIC,
generated::evtx_generated::EVTX_MEDIA_CENTER,
generated::evtx_generated::EVTX_PLAYREADY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_MDE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_MEDIAENGINE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_CAPTURE_ENGINE_ETW_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SOURCEREA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SINKWRITE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_TRANSFORM,
generated::evtx_generated::EVTX_MS_VIDEO_PROCESSOR_MFT_D3D11,
generated::evtx_generated::EVTX_MS_VIDEO_PROCESSOR_MFT,
generated::evtx_generated::EVTX_MS_VIDEO_DSP,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PERFORMANCE_CORE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PERFORMANCE_SARSTREAM,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PLATFORM,
generated::evtx_generated::EVTX_MEDIAFOUNDATIONDEVICEPROXY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PLAYAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEMORYDIAGNOSTICS_RESULTS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MIGRATION_ENGINE_ANALYTIC,
generated::evtx_generated::EVTX_MINSTORE_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MINSTORE_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_INTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_ANALY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_PARSER_TA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSAPI_AN,
generated::evtx_generated::EVTX_SMSAPI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSROUTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILITYCENTER_PERFORMANCE,
generated::evtx_generated::EVTX_DIAGNOSTICS,
generated::evtx_generated::EVTX_MANAGEMENTSERVICE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOSHOST_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOSHOST_PERFORMANCE,
generated::evtx_generated::EVTX_NOTIFICATION_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSLBFOPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCSI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCSI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_PACKETCAPTURE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSERFAILURES,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_AUTHENTICATIONPOLICYFA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTLM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NWIFI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NARRATOR_INPROC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NARRATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCASVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDISIMPLATFORM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDU_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETSHELL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_CONNECTION_BROKER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_DATAUSAGE_ANALYTIC,
generated::evtx_generated::EVTX_EXECUTION_CONTEXT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_SETUP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_AND_SHARING_CENTER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKBRIDGE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKSECURITY_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKSTATUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKING_CORRELATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKING_REALTIMECOMMUNICATION_TRAC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NLASVC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NLASVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NVDIMMN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NVDIMMN_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_DIAGNOSTICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLEACC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLEACC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_FIRSTLOGONANIM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_WIRELESS_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DIAGNOSTIC,
generated::evtx_generated::EVTX_SETUP,
generated::evtx_generated::EVTX_OCP_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_SYNCLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEBACKUP_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEX_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEX_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBELDR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OTPCREDENTIALPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_PCI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PCI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PDC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_AUDITING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PEERTOPEERDRTEVENTPROVIDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_CERTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_DIAGNO,
generated::evtx_generated::EVTX_WINDOWS_WMPHOTO_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PHOTOACQ_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PLAYTOMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESTATUSPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESYNCPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWER_METER_POLLING_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERCFG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_DESIREDSTATECONFIGURATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIMARYNETWORKICON_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKLOCATIONWIZARD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS3D_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_PERMISSIVELEARNINGMO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROCESSSTATEMANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROGRAM_COMPATIBILITY_ASSISTANT_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_DEVELOPER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_INPROC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_PACER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_PACER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_QWAVE_DEBUG,
generated::evtx_generated::EVTX_EEINFO,
generated::evtx_generated::EVTX_ADMIN_CHANNEL,
generated::evtx_generated::EVTX_RTWORKQUEUE_EXTENDED,
generated::evtx_generated::EVTX_RTWORKQUEUE_THREADING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RADIOMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RAS_NDISWANPACKETCAPTURE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REFSDEDUPSVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RECOVERY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RELIABILITYANALYSISCOMPONENT_OPERATIO,
generated::evtx_generated::EVTX_METRICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_ADM,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_OPE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_KER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_USE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_SESSIONSERVICES,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_UTPROVIDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESETENG_TRACE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_DETECTOR_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_RESOLVER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_LEAK_DIAGNOSTIC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCEPUBLICATION_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESTARTMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_GRAPHICS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTCAPTUREENG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTTRANSCODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTMEDIASTREA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTADAPTIVEME,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_BACKGROUNDTRANSFER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WEB_HTTP_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WEBAPI_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENSE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_HELPERCLASSDIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_XPERFANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OBJECTSTATEDIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_SECURITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_NETMON,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_SECURITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_ADMIN,
generated::evtx_generated::EVTX_WITNESSCLIENTADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCHANNEL_EVENTS_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_CERTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDBUS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDSTOR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SEARCH_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SEARCH_PROTOCOLHANDLERS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_ADMINLESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_ENTERPRISEDATA_FILEREVOCATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_EXCHANGEACTIVESYNCPROVISIONI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_IDENTITYSTORE_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_LESSPRIVILEGEDAPPCONTAINER_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_LICENSING_SLC_PERF,
generated::evtx_generated::EVTX_KERNEL_MODE,
generated::evtx_generated::EVTX_USER_MODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_NETLOGON_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GENUINECENTER_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_NOTIFICATIONS_ACTIONC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_USERCONSENTVERIFIER_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_VAULT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENDTO_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENSEIR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVER_FOR_NFS_OPERATIONAL,
generated::evtx_generated::EVTX_DEPLOY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVERMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICE_REPORTING_API_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICES_SVCHOST_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICES_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ONEDRIVE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_VERBOSEDEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPCL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPPLATFORM_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPQUEUE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPUGC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHAREMEDIA_CONTROLPANEL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_APPWIZCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_USER_INTERFACE_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_COMMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGONUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_SHUTDOWN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDENTIALPROVIDERUSER_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_BOOTANIM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_BOOTANI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CONNECTEDACCOUNTSTATE_ACTIONCEN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_LOGONTASKSCHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_APPDEFAULTS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_ACTIONCENTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_DEFAULTPROGRAMS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_LOCKSCREENCONTENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_OPENWITH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_SEARCH_URIHANDLER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_SHWEBSVC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_ZIPFOLDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_OPE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_DIA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHSVCS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SIDEBAR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SLEEPSTUDY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_AUDIT_AUTHENTICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_DEVICEENUM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTSCREEN_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_ANALYTIC,
generated::evtx_generated::EVTX_SMBWMIANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TTS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPEECH_USEREXPERIENCE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_FACILITY_ANALYTIC_CHAN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELLCHECKER_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_HOST_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SRUMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SRUMTELEMETRY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORDIAG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORPORT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_HEALTH,
generated::evtx_generated::EVTX_TIERING_HEAT_MEASUREMENT_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_TIERING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_PARTUTIL_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESETTINGS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_API_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_MANAGEMENTAGENT_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEVOLUME_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORSVC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUBSYS_CSR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUBSYS_SMSS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUDO_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUPERFETCH_AGMCLOG,
generated::evtx_generated::EVTX_MEMORY_COOLING_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUPERFETCH_PFAPLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSPREP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEM_PROFILE_HARDWAREID_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMDATAARCHIVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMHEALTHAGENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSHANDLERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSV2_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TCPIP_DIAGNOSTIC,
generated::evtx_generated::EVTX_UIMANAGER_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TSF_MSCTF_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TSF_MSUTB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TZSYNC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TZSYNC_ANALYTIC,
generated::evtx_generated::EVTX_TABLETPC_INPUTPANEL_CHANNEL,
generated::evtx_generated::EVTX_OSK_SOFTKEYBOARD_CHANNEL,
generated::evtx_generated::EVTX_TABLETPC_INPUTPANEL_CHANNEL_IHM,
generated::evtx_generated::EVTX_IHM_DEBUGCHANNEL,
generated::evtx_generated::EVTX_PHYSICAL_KEYBOARD_MANAGER_CHANNEL,
generated::evtx_generated::EVTX_MAINTENANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TASKBARCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TENANTRESTRICTIONS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LICENSING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSIONMANAGER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_MEDIAREDIRECTION_ANA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_PLAYB,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_CAPTU,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONNECTIONMANA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_SESSIONBROKER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TETHERING_MANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TETHERING_STATION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THEMECPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THEMEUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THREAT_INTELLIGENCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_PTP_PROVIDER_PTP_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_OPERATIONAL,
generated::evtx_generated::EVTX_TUNNEL_DRIVER_ETW_CHANNEL,
generated::fa_generated::FA_FILE_PARITY_AGENT_CACHE,
generated::fa_generated::FA_FILE_QUARANTINE,
generated::fa_generated::FA_FILE_QUARANTINE_2,
generated::fa_generated::FA_FILE_QUARANTINE_3,
generated::fa_generated::FA_FILE_CS_REGISTRY_BASE,
generated::fa_generated::FA_FILE_QUARANTINE_4,
generated::fa_generated::FA_FILE_LOGS,
generated::fa_generated::FA_FILE_QUARANTINE_5,
generated::fa_generated::FA_FILE_QUARANTINE_6,
generated::fa_generated::FA_FILE_SUPPORT_MPDETECTION_LOG,
generated::fa_generated::FA_FILE_SUPPORT_MPLOG_LOG,
generated::fa_generated::FA_FILE_DETECTIONHISTORY,
generated::fa_generated::FA_FILE_SUPPORT_MPDETECTION_LOG_2,
generated::fa_generated::FA_FILE_SUPPORT_MPLOG_LOG_2,
generated::fa_generated::FA_FILE_TEMP_MPCMDRUN_LOG,
generated::fa_generated::FA_FILE_TEMP_MPCMDRUN_LOG_2,
generated::fa_generated::FA_FILE_USERS_TEMP_MPCMDRUN_LOG,
generated::fa_generated::FA_FILE_,
generated::fa_generated::FA_EXCLUSIONS_PATHS,
generated::fa_generated::FA_EXCLUSIONS_PROCESSES,
generated::fa_generated::FA_EXCLUSIONS_EXTENSIONS,
generated::fa_generated::FA_EXCLUSIONS_TEMPORARYPATHS,
generated::fa_generated::FA_EXCLUSIONS_PATHS_2,
generated::fa_generated::FA_EXCLUSIONS_PROCESSES_2,
generated::fa_generated::FA_EXCLUSIONS_EXTENSIONS_2,
generated::fa_generated::FA_EXCLUSIONS_TEMPORARYPATHS_2,
generated::fa_generated::FA_FILE_SANTA,
generated::fa_generated::FA_FILE_SANTA_2,
generated::fa_generated::FA_FILE_LOGS_SOPHOS_LOG,
generated::fa_generated::FA_FILE_LOGS_2,
generated::fa_generated::FA_FILE_INFECTED,
generated::fa_generated::FA_FILE_INFECTED_2,
generated::fa_generated::FA_FILE_LOGS_LOG,
generated::fa_generated::FA_FILE_AV_LOG,
generated::fa_generated::FA_FILE_AV_LOG_2,
generated::fa_generated::FA_FILE_LOGS_LOG_2,
generated::fa_generated::FA_FILE_5_VBN,
generated::fa_generated::FA_FILE_QUARANTINE_7,
generated::fa_generated::FA_FILE_QUARANTINE_8,
generated::fa_generated::FA_FILE_CCSUBSDK,
generated::fa_generated::FA_FILE_EVOLUTION,
generated::fa_generated::FA_FILE_EVOLUTION_2,
generated::fa_generated::FA_FILE_EVOLUTION_3,
generated::fa_generated::FA_FILE_WORD,
generated::fa_generated::FA_FILE_EXCEL,
generated::fa_generated::FA_FILE_POWERPOINT,
generated::fa_generated::FA_FILE_PUBLISHER,
generated::fa_generated::FA_FILE_PREFERENCES_COM_MICROSOFT_OFFICE_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_COM_MICROSOFT_SECUREBOOKMARKS_PLIST,
generated::fa_generated::FA_FILE_OUTLOOK_PAB,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_PAB,
generated::fa_generated::FA_FILE_OUTLOOK_PST,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_PST,
generated::fa_generated::FA_FILE_OUTLOOK_OST,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_OST,
generated::fa_generated::FA_FILE_NPM,
generated::fa_generated::FA_FILE_NPM_CACHE,
generated::fa_generated::FA_FILE_LOG_ERRORLOG,
generated::fa_generated::FA_FILE_LOG_ERRORLOG_2,
generated::fa_generated::FA_FILE_THUNDERBIRD,
generated::fa_generated::FA_FILE_DROPBOX_DB,
generated::fa_generated::FA_FILE_DROPBOX_DB_2,
generated::fa_generated::FA_FILE_INSTANCE_SYNC_HISTORY_DB,
generated::fa_generated::FA_FILE_DROPBOX_DB_3,
generated::fa_generated::FA_FILE_INSTANCE_SYNC_HISTORY_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SNAPSHOT_DB,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_DB,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_LOG,
generated::fa_generated::FA_FILE_USER_DEFAULT_SNAPSHOT_DB,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_DB,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_LOG,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_LOG_LOG,
generated::fa_generated::FA_FILE_DRIVE_SNAPSHOT_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_LOG_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SNAPSHOT_DB_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_DB_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_LOG_2,
generated::fa_generated::FA_FILE_SETTINGS_APPLICATIONSETTINGS_XML,
generated::fa_generated::FA_FILE_SETTINGS_DAT,
generated::fa_generated::FA_FILE_SETTINGS_INI,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_2,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_3,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_4,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_5,
generated::fa_generated::FA_FILE_ETC_EXPORTS,
generated::fa_generated::FA_FILE_ETC_EXPORTS_2,
generated::fa_generated::FA_FILE_ETC_EXPORTS_3,
generated::fa_generated::FA_FILE_CONF_REDIS_WINDOWS_CONF,
generated::fa_generated::FA_FILE_CONF_REDIS_CONF,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF_2,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF_3,
generated::fa_generated::FA_FILE_SAMBA_SMB_CONF,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG_2,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG_3,
generated::fa_generated::FA_FILE_SSH_CONFIG,
generated::fa_generated::FA_FILE_CONTAINERD_CONFIG_TOML,
generated::fa_generated::FA_FILE_IO_CONTAINERD_METADATA_V1_BOLT_META_DB,
generated::fa_generated::FA_FILE_IO_CONTAINERD_SNAPSHOTTER_V1_OVERLAYFS_METADATA_DB,
generated::fa_generated::FA_FILE_CONFIG_JSON,
generated::fa_generated::FA_FILE_OPTIONS_JSON,
generated::fa_generated::FA_FILE_LOG_JSON,
generated::fa_generated::FA_FILE_LOG_DAEMON_LOG,
generated::fa_generated::FA_FILE_LOG_DAEMON_LOG_GZ,
generated::fa_generated::FA_FILE_LOG_SYSLOG,
generated::fa_generated::FA_FILE_LOG_MESSAGE,
generated::fa_generated::FA_FILE_ELASTICSEARCH_ACCESS_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_AUDIT_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_AUDIT_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_GC_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_GC_LOG_0_9,
generated::fa_generated::FA_FILE_ELASTICSEARCH_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_GZ,
generated::fa_generated::FA_FILE_ELASTICSEARCH_SERVER_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_2,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_GZ_2,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF_2,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF_3,
generated::fa_generated::FA_FILE_MONGODB,
generated::fa_generated::FA_FILE_DB,
generated::fa_generated::FA_FILE_MONGODB_MONGOD_LOG,
generated::fa_generated::FA_FILE_ETC_MY_CNF,
generated::fa_generated::FA_FILE_MYSQL_CONF_D_MYSQLD_CNF,
generated::fa_generated::FA_FILE_MYSQL_MYSQL_IBD,
generated::fa_generated::FA_FILE_MYSQL,
generated::fa_generated::FA_FILE_MYSQL_ERROR_LOG,
generated::fa_generated::FA_FILE_LOG_MYSQL_LOG,
generated::fa_generated::FA_FILE_LOG_LOG,
generated::fa_generated::FA_FILE_OPENSEARCH_LOG,
generated::fa_generated::FA_FILE_OPENSEARCH_JSON,
generated::fa_generated::FA_FILE_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_PG_HBA_CONF,
generated::fa_generated::FA_FILE_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_PGSQL_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_PGSQL_PG_HBA_CONF,
generated::fa_generated::FA_FILE_PGSQL_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_DATA_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_DATA_PG_HBA_CONF,
generated::fa_generated::FA_FILE_DATA_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_DATA,
generated::fa_generated::FA_FILE_DATA_OLD,
generated::fa_generated::FA_FILE__2,
generated::fa_generated::FA_FILE__3,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG_2,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV_2,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG_3,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV_3,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG_2,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV_2,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG_3,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV_3,
generated::fa_generated::FA_FILE_REDIS,
generated::fa_generated::FA_FILE_INIT_D_REDIS,
generated::fa_generated::FA_FILE_REDIS_2,
generated::fa_generated::FA_FILE__4,
generated::fa_generated::FA_FILE_REDIS_REDIS_LOG,
generated::fa_generated::FA_FILE_LOG_REDIS_LOG,
generated::fa_generated::FA_FILE_CONFIG_V2_JSON,
generated::fa_generated::FA_FILE_JSON_LOG,
generated::fa_generated::FA_FILE_LOG_ESXAPIADAPTER_LOG,
generated::fa_generated::FA_FILE_LOG_ATTESTD_LOG,
generated::fa_generated::FA_FILE_LOG_AUTH_LOG,
generated::fa_generated::FA_FILE_LOG_HOSTD_LOG,
generated::fa_generated::FA_FILE_LOG_KMXD_LOG,
generated::fa_generated::FA_FILE_LOG_LOADESX_LOG,
generated::fa_generated::FA_FILE_LOG_SHELL_LOG,
generated::fa_generated::FA_FILE_LOG,
generated::fa_generated::FA_FILE_LOG_SYSLOG_LOG,
generated::fa_generated::FA_FILE_LOG_ESXTOKEND_LOG,
generated::fa_generated::FA_FILE_LOG_KMXA_LOG,
generated::fa_generated::FA_FILE_LOG_VMKERNEL_LOG,
generated::fa_generated::FA_FILE_LOG_VMKSUMMARYLOG_LOG,
generated::fa_generated::FA_FILE_LOG_VMKWARNING_LOG,
generated::fa_generated::FA_FILE_LOG_VXPA_LOG,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_LOGFILE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_MFT,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_MFTMIRR,
generated::fa_generated::FA_FILE_EXTEND_USNJRNL,
generated::fa_generated::FA_FILE_CONTAINER,
generated::fa_generated::FA_FILE_CONTAINER_2,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_2,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_3,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_4,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_2,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_3,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_4,
generated::fa_generated::FA_FILE_DIAGNOSE,
generated::fa_generated::FA_FILE_DIAGNOSIS,
generated::fa_generated::FA_FILE_DIAGNOSE_2,
generated::fa_generated::FA_FILE_DIAGNOSIS_2,
generated::fa_generated::FA_FILE_SECURITYCONTROLLER,
generated::fa_generated::FA_FILE_LOGFILES,
generated::fa_generated::FA_FILE_SETUP,
generated::fa_generated::FA_FILE_DIST_INFO,
generated::fa_generated::FA_FILE_DIST_INFO_2,
generated::fa_generated::FA_FILE_DIST_INFO_3,
generated::fa_generated::FA_FILE_DIST_INFO_4,
generated::fa_generated::FA_FILE_DIST_INFO_5,
generated::fa_generated::FA_FILE_DIST_INFO_6,
generated::fa_generated::FA_FILE_DIST_INFO_7,
generated::fa_generated::FA_FILE_DIST_INFO_8,
generated::fa_generated::FA_FILE_DIST_INFO_9,
generated::fa_generated::FA_FILE_DIST_INFO_10,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO,
generated::fa_generated::FA_FILE_PIP_EGG,
generated::fa_generated::FA_FILE_PIP_EGG_INFO,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_2,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_2,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_2,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_2,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_3,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_3,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_3,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_3,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_4,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_4,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_4,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_4,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_5,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_5,
generated::fa_generated::FA_FILE_PYSHARED_EGG,
generated::fa_generated::FA_FILE_PYSHARED_EGG_INFO,
generated::fa_generated::FA_FILE_EGG,
generated::fa_generated::FA_FILE_EGG_INFO,
generated::fa_generated::FA_FILE_EGG_2,
generated::fa_generated::FA_FILE_EGG_INFO_2,
generated::fa_generated::FA_FILE_EGG_3,
generated::fa_generated::FA_FILE_EGG_INFO_3,
generated::fa_generated::FA_FILE_EGG_4,
generated::fa_generated::FA_FILE_EGG_INFO_4,
generated::fa_generated::FA_FILE_EGG_5,
generated::fa_generated::FA_FILE_EGG_INFO_5,
generated::fa_generated::FA_FILE_EGG_6,
generated::fa_generated::FA_FILE_EGG_INFO_6,
generated::fa_generated::FA_FILE_EGG_7,
generated::fa_generated::FA_FILE_EGG_INFO_7,
generated::fa_generated::FA_FILE_EGG_8,
generated::fa_generated::FA_FILE_EGG_INFO_8,
generated::fa_generated::FA_FILE_EGG_9,
generated::fa_generated::FA_FILE_EGG_INFO_9,
generated::fa_generated::FA_FILE_EGG_10,
generated::fa_generated::FA_FILE_EGG_INFO_10,
generated::fa_generated::FA_FILE_EGG_11,
generated::fa_generated::FA_FILE_EGG_INFO_11,
generated::fa_generated::FA_FILE_PYTHON_WHEELS_WHL,
generated::fa_generated::FA_FILE_WHEELS_WHL,
generated::fa_generated::FA_FILE_2_GEMSPEC,
generated::fa_generated::FA_FILE_2_GEMSPEC_2,
generated::fa_generated::FA_FILE_2_GEMSPEC_3,
generated::fa_generated::FA_FILE_ATTACHMENTS_NOINDEX,
generated::fa_generated::FA_FILE_CACHE,
generated::fa_generated::FA_FILE_ORG_SIGNAL_SIGNAL_CONFIG_JSON,
generated::fa_generated::FA_FILE_ORG_SIGNAL_SIGNAL_DB_SQLITE,
generated::fa_generated::FA_FILE_CHATSYNC,
generated::fa_generated::FA_FILE_MAIN_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_SKYPE_SKYPE_PLIST,
generated::fa_generated::FA_FILE_XCHATLOGS_LOG,
generated::fa_generated::FA_FILE_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_4,
generated::fa_generated::FA_FILE_DS_STORE_APP_10,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_COM_APPLE_LAUNCHPORT_PLIST,
generated::fa_generated::FA_FILE_SYSTEM32_AWCODC32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_AWVIEW32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_C_50225_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_50227_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_50229_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51932_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51936_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51949_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51950_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57002_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57006_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57008_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57010_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_CDGEXT32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLAIT32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLAIT64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLSGH32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLSGH64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLWS32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLWS64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CFGBKMGRS_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CFGMGR64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_COMSVRPCS_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_D3DX8_20_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_DLLCOMM_DLL,
generated::fa_generated::FA_FILE_DRIVERS_WMIMGR_SYS,
generated::fa_generated::FA_FILE_SYSTEM32_DRVINFO_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_FCACHE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_FFEXTENDEDCOMMAND_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_GPKTCSP32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_HPQUEUE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_LPQUEUE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_MDWMNSP_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_MFCN30_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_NMWCDLOG_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_OBJFRAME_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_RPCDIST_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SCSVRFT_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SDPTBW_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SHLINK32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SHLINK64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SIIW9X_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SKYPEIE6PLUGIN_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SLBKBW_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_WIFISCAN_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_WMSPDMGR_DLL,
generated::fa_generated::FA_FILE_MICROSOFT_C_27803_NLS,
generated::fa_generated::FA_FILE_MICROSOFT_OBJFRAME_DLL,
generated::fa_generated::FA_FILE_MICROSOFT_SHMGR_DLL,
generated::fa_generated::FA_FILE_USERS_TEMP_DF01AC74D8BE15EE01_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DF23BF45A473C42B56_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DF8471938479DA49221_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DFA0528CD81300F372_TMP,
generated::fa_generated::FA_FILE_KUBERNETES_ADMIN_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_CONTROLLER_MANAGER_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_KUBELET_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_SCHEDULER_CONF,
generated::fa_generated::FA_FILE_SNAP_DB,
generated::fa_generated::FA_FILE_KUBELET_CONFIG_YAML,
generated::fa_generated::FA_FILE_KUBERNETES_KUBELET_CONF_2,
generated::fa_generated::FA_FILE_MANIFESTS_YAML,
generated::fa_generated::FA_CURRENTVERSION_PROFILELIST_PROFILESDIRECTORY,
generated::fa_generated::FA_CURRENTVERSION_PROFILELIST_ALLUSERSPROFILE,
generated::fa_generated::FA_FILE_ETC_ENTERPRISE_RELEASE,
generated::fa_generated::FA_FILE_ETC_LSB_RELEASE,
generated::fa_generated::FA_FILE_ETC_ORACLE_RELEASE,
generated::fa_generated::FA_FILE_ETC_REDHAT_RELEASE,
generated::fa_generated::FA_FILE_ETC_SYSTEM_RELEASE,
generated::fa_generated::FA_FILE_ETC_ANACRONTAB,
generated::fa_generated::FA_FILE_CRON_DAILY,
generated::fa_generated::FA_FILE_CRON_HOURLY,
generated::fa_generated::FA_FILE_CRON_MONTHLY,
generated::fa_generated::FA_FILE_CRON_WEEKLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_DAILY,
generated::fa_generated::FA_FILE_ANACRON_CRON_HOURLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_MONTHLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_WEEKLY,
generated::fa_generated::FA_FILE_LOG_APTITUDE,
generated::fa_generated::FA_FILE_APT_SOURCES_LIST,
generated::fa_generated::FA_FILE_SOURCES_LIST_D_LIST,
generated::fa_generated::FA_FILE_APT_TRUSTED_GPG,
generated::fa_generated::FA_FILE_TRUSTED_GPG_D_GPG,
generated::fa_generated::FA_FILE_APT_TRUSTDB_GPG,
generated::fa_generated::FA_FILE_KEYRINGS_GPG,
generated::fa_generated::FA_FILE_ETC_CRON_ALLOW,
generated::fa_generated::FA_FILE_ETC_CRON_DENY,
generated::fa_generated::FA_FILE_ETC_AT_ALLOW,
generated::fa_generated::FA_FILE_ETC_AT_DENY,
generated::fa_generated::FA_FILE_LOG_DPKG_LOG,
generated::fa_generated::FA_FILE_APT_HISTORY_LOG,
generated::fa_generated::FA_FILE_APT_TERM_LOG,
generated::fa_generated::FA_FILE_DPKG_STATUS,
generated::fa_generated::FA_FILE_ETC_DEBIAN_VERSION,
generated::fa_generated::FA_FILE_ETC_RESOLV_CONF,
generated::fa_generated::FA_FILE_GNOME_SHELL_APPLICATION_STATE,
generated::fa_generated::FA_FILE_INFO_TRASHINFO,
generated::fa_generated::FA_FILE_FILES,
generated::fa_generated::FA_FILE_TRACKER,
generated::fa_generated::FA_FILE_SHARE_RECENTLY_USED_XBEL,
generated::fa_generated::FA_FILE_ETC_HOSTS_ALLOW,
generated::fa_generated::FA_FILE_ETC_HOSTS_DENY,
generated::fa_generated::FA_FILE_ETC_MODULES_CONF,
generated::fa_generated::FA_FILE_MODPROBE_D,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_LESSHST,
generated::fa_generated::FA_FILE_AT,
generated::fa_generated::FA_FILE_SPOOL,
generated::fa_generated::FA_FILE_ATSPOOL,
generated::fa_generated::FA_FILE_AUDIT,
generated::fa_generated::FA_FILE_LOG_AUTH,
generated::fa_generated::FA_FILE_LOG_SECURE,
generated::fa_generated::FA_FILE_ETC_CA_CERTIFICATES_CONF,
generated::fa_generated::FA_FILE_CERTS_CA_CERTIFICATES_CRT,
generated::fa_generated::FA_FILE_CA_CERTIFICATES,
generated::fa_generated::FA_FILE_CA_CERTIFICATES_2,
generated::fa_generated::FA_FILE_LOG_CRON_LOG,
generated::fa_generated::FA_FILE_ETC_CRONTAB,
generated::fa_generated::FA_FILE_CRON_D,
generated::fa_generated::FA_FILE_CRON,
generated::fa_generated::FA_FILE_LOG_DAEMON,
generated::fa_generated::FA_FILE_DHCP_DHCP_CONF,
generated::fa_generated::FA_FILE_ETC_CENTOS_RELEASE,
generated::fa_generated::FA_FILE_ETC_ROCKY_RELEASE,
generated::fa_generated::FA_FILE_ETC_SUSE_RELEASE,
generated::fa_generated::FA_FILE_TABLES_DSDT,
generated::fa_generated::FA_FILE_ETC_FSTAB,
generated::fa_generated::FA_FILE_GRUB_GRUB_CFG,
generated::fa_generated::FA_FILE_GRUB2_GRUB_CFG,
generated::fa_generated::FA_FILE_ETC_HOSTNAME,
generated::fa_generated::FA_FILE_IF_UP_D,
generated::fa_generated::FA_FILE_IF_DOWN_D,
generated::fa_generated::FA_FILE_BOOT_INITRAMFS,
generated::fa_generated::FA_FILE_BOOT_INITRD,
generated::fa_generated::FA_FILE_ETC_ISSUE,
generated::fa_generated::FA_FILE_ETC_ISSUE_NET,
generated::fa_generated::FA_FILE_ETC_KRB5_CONF,
generated::fa_generated::FA_FILE_LOG_KERN,
generated::fa_generated::FA_FILE_LOG_LASTLOG,
generated::fa_generated::FA_FILE_ETC_LD_SO_PRELOAD,
generated::fa_generated::FA_FILE_INIT_D,
generated::fa_generated::FA_FILE_ETC_INSSERV_CONF,
generated::fa_generated::FA_FILE_INSSERV_CONF_D,
generated::fa_generated::FA_FILE_ETC_LOCALTIME,
generated::fa_generated::FA_FILE_LOG_MESSAGES,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER_NETWORKMANAGER_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER_SYSTEM_CONNECTIONS,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF_2,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF_3,
generated::fa_generated::FA_FILE_NETWORKMANAGER_NETWORKMANAGER_INTERN_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER,
generated::fa_generated::FA_FILE_ETC_PASSWD_CACHE,
generated::fa_generated::FA_FILE_ETC_PAM_CONF,
generated::fa_generated::FA_FILE_ETC_PAM_D,
generated::fa_generated::FA_FILE_PAM_D_COMMON_PASSWORD,
generated::fa_generated::FA_FILE_PAM_D,
generated::fa_generated::FA_FILE_ETC_PASSWD,
generated::fa_generated::FA_FILE_ETC_RSYSLOG_CONF,
generated::fa_generated::FA_FILE_ETC_RSYSLOG_D,
generated::fa_generated::FA_FILE_RSYSLOG_D,
generated::fa_generated::FA_FILE_TABLES_SSDT,
generated::fa_generated::FA_FILE_SUDO_IO,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_2,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_3,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_4,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_5,
generated::fa_generated::FA_FILE_ETC_SYSCTL_CON,
generated::fa_generated::FA_FILE_SYSLOG_NG_SYSLOG_NG_CONF,
generated::fa_generated::FA_FILE_CONF_D_CONF,
generated::fa_generated::FA_FILE_SYSTEMD_JOURNALD_CONF,
generated::fa_generated::FA_FILE_JOURNAL,
generated::fa_generated::FA_FILE_JOURNAL_2,
generated::fa_generated::FA_FILE_ETC_OS_RELEASE,
generated::fa_generated::FA_FILE_LIB_OS_RELEASE,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_SERVICE,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_2,
generated::fa_generated::FA_FILE_USER_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_SERVICE,
generated::fa_generated::FA_FILE_GENERATOR_LATE_SERVICE,
generated::fa_generated::FA_FILE_GENERATOR_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_SERVICE_2,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_SERVICE_2,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_3,
generated::fa_generated::FA_FILE_TRANSIENT_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE_3,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_LATE_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_SERVICE_2,
generated::fa_generated::FA_FILE_TRANSIENT_SERVICE_2,
generated::fa_generated::FA_FILE_USER_CONTROL_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE_4,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_4,
generated::fa_generated::FA_FILE_USER_SERVICE_5,
generated::fa_generated::FA_FILE_USER_CONTROL_SERVICE_2,
generated::fa_generated::FA_FILE_USER_SERVICE_6,
generated::fa_generated::FA_FILE_USER_SERVICE_7,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_TIMER,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_2,
generated::fa_generated::FA_FILE_USER_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_TIMER,
generated::fa_generated::FA_FILE_GENERATOR_LATE_TIMER,
generated::fa_generated::FA_FILE_GENERATOR_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_TIMER_2,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_TIMER_2,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_3,
generated::fa_generated::FA_FILE_TRANSIENT_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER_3,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_LATE_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_TIMER_2,
generated::fa_generated::FA_FILE_TRANSIENT_TIMER_2,
generated::fa_generated::FA_FILE_USER_CONTROL_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER_4,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_4,
generated::fa_generated::FA_FILE_USER_TIMER_5,
generated::fa_generated::FA_FILE_USER_CONTROL_TIMER_2,
generated::fa_generated::FA_FILE_USER_TIMER_6,
generated::fa_generated::FA_FILE_USER_TIMER_7,
generated::fa_generated::FA_FILE_ETC_RC_LOCAL,
generated::fa_generated::FA_FILE_ETC_RC_D,
generated::fa_generated::FA_FILE_RC_D,
generated::fa_generated::FA_FILE_RC_D_2,
generated::fa_generated::FA_FILE_INIT_D_2,
generated::fa_generated::FA_FILE_ETC_TIMEZONE,
generated::fa_generated::FA_FILE_RULES_D,
generated::fa_generated::FA_FILE_RULES_D_2,
generated::fa_generated::FA_FILE_LOG_BTMP,
generated::fa_generated::FA_FILE_LOG_WTMP,
generated::fa_generated::FA_FILE_RUN_UTMP,
generated::fa_generated::FA_FILE_LOG_WTMP_2,
generated::fa_generated::FA_FILE_ETC_XINETD_CONF,
generated::fa_generated::FA_FILE_XINETD_D,
generated::fa_generated::FA_FILE_MLOCATE_MLOCATE_DB,
generated::fa_generated::FA_FILE_ETC_UPDATEDB_CONF,
generated::fa_generated::FA_FILE_ETC_NETGROUP,
generated::fa_generated::FA_FILE_ETC_NSSWITCH_CONF,
generated::fa_generated::FA_FILE_ETC_PASSWD_2,
generated::fa_generated::FA_FILE_ETC_SHADOW,
generated::fa_generated::FA_FILE_SECURITY_ACCESS_CONF,
generated::fa_generated::FA_FILE_ROOT_K5LOGIN,
generated::fa_generated::FA_FILE_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_ROOT_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_NANO_HISTORY,
generated::fa_generated::FA_FILE_ETC_NETGROUP_2,
generated::fa_generated::FA_FILE_ETC_NTP_CONF,
generated::fa_generated::FA_FILE_VENDOR,
generated::fa_generated::FA_FILE_DEVICE,
generated::fa_generated::FA_FILE_CLASS,
generated::fa_generated::FA_FILE_CONFIG,
generated::fa_generated::FA_FILE_PSQL_HISTORY,
generated::fa_generated::FA_FILE_ROOT_PSQL_HISTORY,
generated::fa_generated::FA_FILE_POSTGRESQL_PSQL_HISTORY,
generated::fa_generated::FA_FILE_PGSQL_PSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PYTHON_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_RHOSTS,
generated::fa_generated::FA_FILE_SAMBA_LOG,
generated::fa_generated::FA_FILE_SECRETS_SECRETS_LDB,
generated::fa_generated::FA_FILE_SECRETS_SECRETS_MKEY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_SQLITE_HISTORY,
generated::fa_generated::FA_FILE_SSH_AUTHORIZED_KEYS,
generated::fa_generated::FA_FILE_SSH_AUTHORIZED_KEYS2,
generated::fa_generated::FA_FILE_SSH_SSH_HOST_KEY_PUB,
generated::fa_generated::FA_FILE_SSH_KNOWN_HOSTS,
generated::fa_generated::FA_FILE_SSH_KNOWN_HOSTS_2,
generated::fa_generated::FA_FILE_THUMBNAILS_3,
generated::fa_generated::FA_FILE_DEFAULT_UFW,
generated::fa_generated::FA_FILE_UFW_SYSCTL_CONF,
generated::fa_generated::FA_FILE_UFW_RULES,
generated::fa_generated::FA_FILE_APPLICATIONS_D,
generated::fa_generated::FA_FILE_LOG_UFW_LOG,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_VIMINFO,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_WGET_HSTS,
generated::fa_generated::FA_FILE_AUTOSTART_DESKTOP,
generated::fa_generated::FA_FILE_AUTOSTART_DESKTOP_2,
generated::fa_generated::FA_FILE_ETC_YUM_CONF,
generated::fa_generated::FA_FILE_YUM_REPOS_D_REPO,
generated::fa_generated::FA_FILE_ZEITGEIST_ACTIVITY_SQLITE,
generated::fa_generated::FA_FILE_ZEITGEIST_ACTIVITY_SQLITE_WAL,
generated::fa_generated::FA_FILE_KERNEL_RANDOMIZE_VA_SPACE,
generated::fa_generated::FA_FILE_IPV4_ICMP_ECHO_IGNORE_BROADCASTS,
generated::fa_generated::FA_FILE_KERNEL_BOOTLOADER_TYPE,
generated::fa_generated::FA_FILE_KERNEL_BOOTLOADER_VERSION,
generated::fa_generated::FA_FILE_KERNEL_KEXEC_LOAD_DISABLED,
generated::fa_generated::FA_FILE_KERNEL_MODULES_DISABLED,
generated::fa_generated::FA_FILE_KERNEL_TAINTED,
generated::fa_generated::FA_FILE_FORWARDING,
generated::fa_generated::FA_FILE_MC_FORWARDING,
generated::fa_generated::FA_FILE_IPV4_IP_FORWARD,
generated::fa_generated::FA_FILE_ACCEPT_SOURCE_ROUTE,
generated::fa_generated::FA_FILE_RP_FILTER,
generated::fa_generated::FA_FILE_LOG_MARTIANS,
generated::fa_generated::FA_FILE_ACCEPT_REDIRECTS,
generated::fa_generated::FA_FILE_SECURE_REDIRECTS,
generated::fa_generated::FA_FILE_SEND_REDIRECTS,
generated::fa_generated::FA_FILE_NET_ARP,
generated::fa_generated::FA_FILE_PROC_MOUNTS,
generated::fa_generated::FA_FILE_KERNEL_DMESG_RESTRICT,
generated::fa_generated::FA_FILE_KERNEL_KPTR_RESTRICT,
generated::fa_generated::FA_FILE_FS_PROTECTED_HARDLINKS,
generated::fa_generated::FA_FILE_FS_PROTECTED_SYMLINKS,
generated::fa_generated::FA_FILE_FS_SUID_DUMPABLE,
generated::fa_generated::FA_FILE_IPV4_TCP_SYNCOOKIES,
generated::fa_generated::FA_FILE_LOGS_CONTROLLER_LOG,
generated::fa_generated::FA_FILE_LOGS_KAFKA_LOG,
generated::fa_generated::FA_FILE_LOGS_SERVER_LOG,
generated::fa_generated::FA_FILE_LOGS_STATE_CHANGE_LOG,
generated::fa_generated::FA_FILE_HAPROXY,
generated::fa_generated::FA_FILE_LOG_HAPROXY_LOG,
generated::fa_generated::FA_FILE_LOG_HAPROXY_TRAFFIC_LOG,
generated::fa_generated::FA_FILE_LOG_HAPROXY_ADMIN_LOG,
generated::fa_generated::FA_FILE_JENKINS_JENKINS_LOG,
generated::fa_generated::FA_FILE_OSQUERY_OSQUERYD_RESULTS_LOG,
generated::fa_generated::FA_FILE_OSQUERY_OSQUERYD_SNAPSHOTS_LOG,
generated::fa_generated::FA_FILE_ADDRESSBOOK_ADDRESSBOOKIMAGES_SQLITEDB,
generated::fa_generated::FA_FILE_ADDRESSBOOK_ADDRESSBOOKIMAGES_SQLITEDB_2,
generated::fa_generated::FA_FILE_SYSTEMCONFIGURATION_COM_APPLE_AIRPORT_PREFERENCES_PL,
generated::fa_generated::FA_FILE_APPLEPUSHSERVICE_APS_DB,
generated::fa_generated::FA_FILE_DB_APPLESETUPDONE,
generated::fa_generated::FA_FILE_DB_APPLESETUPDONE_2,
generated::fa_generated::FA_FILE_ASL_ASL,
generated::fa_generated::FA_FILE_DIAGNOSTICMESSAGES_ASL,
generated::fa_generated::FA_FILE_ASL_ASL_2,
generated::fa_generated::FA_FILE_DIAGNOSTICMESSAGES_ASL_2,
generated::fa_generated::FA_FILE_CACHE_DB,
generated::fa_generated::FA_FILE_LPROJ_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_STRINGS_2,
generated::fa_generated::FA_FILE_COM_APPLE_ASSETCACHE_ASSETINFO_DB,
generated::fa_generated::FA_FILE_DB_AUTH_DB,
generated::fa_generated::FA_FILE_DB_AUTH_DB_2,
generated::fa_generated::FA_FILE_CALENDARS_CALENDAR_CACHE,
generated::fa_generated::FA_FILE_CALLHISTORYDB_CALLHISTORY_STOREDATA,
generated::fa_generated::FA_FILE_PREFERENCES_LSSHAREDFILELIST_PLIST,
generated::fa_generated::FA_FILE_JOBS,
generated::fa_generated::FA_FILE_AUDIT_0_9_0_9,
generated::fa_generated::FA_FILE_AUDIT_0_9_0_9_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_BLUETOOTH_PLIST,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_2,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_3,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_4,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_5,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_6,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_7,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_8,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_9,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_10,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_2,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_3,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_4,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_5,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_6,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_7,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_8,
generated::fa_generated::FA_FILE_KEXT_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_9,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_10,
generated::fa_generated::FA_FILE_RESOURCES_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_11,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_2,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_3,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_4,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_5,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_6,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_7,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_8,
generated::fa_generated::FA_FILE_KEXT_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_9,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_10,
generated::fa_generated::FA_FILE_RESOURCES_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_11,
generated::fa_generated::FA_FILE_DIAGNOSTICREPORTS_CORE_ANALYTICS,
generated::fa_generated::FA_FILE_AGGREGATES,
generated::fa_generated::FA_FILE_AGGREGATES_2,
generated::fa_generated::FA_FILE_ETC_CRONTAB_2,
generated::fa_generated::FA_FILE_TABS,
generated::fa_generated::FA_FILE_TABS_2,
generated::fa_generated::FA_FILE_TABS_3,
generated::fa_generated::FA_FILE_TABS_4,
generated::fa_generated::FA_FILE_TABS_5,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_DOCK_PLIST,
generated::fa_generated::FA_FILE_DEFAULT_SQLINDEX,
generated::fa_generated::FA_FILE_DEFAULT_SQLINDEX_2,
generated::fa_generated::FA_FILE_DUETACTIVITYSCHEDULER_DUETACTIVITYSCHEDULERCLASSC_DB,
generated::fa_generated::FA_FILE_DUETACTIVITYSCHEDULER_DUETACTIVITYSCHEDULERCLASSC_DB_2,
generated::fa_generated::FA_FILE_PEOPLE_INTERACTIONC_DB,
generated::fa_generated::FA_FILE_PEOPLE_INTERACTIONC_DB_2,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB_2,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB_3,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_2,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_3,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_4,
generated::fa_generated::FA_FILE_FSEVENTSD,
generated::fa_generated::FA_FILE_DATA_FSEVENTSD,
generated::fa_generated::FA_FILE_RESOURCES_GKOPAQUE_DB,
generated::fa_generated::FA_FILE_RESOURCES_GKOPAQUE_DB_2,
generated::fa_generated::FA_FILE_PREFERENCES_GLOBALPREFERENCES_PLIST,
generated::fa_generated::FA_FILE_ACCOUNTS,
generated::fa_generated::FA_FILE_PREFERENCES_MOBILEMEACCOUNTS_PLIST,
generated::fa_generated::FA_FILE_IDENTITYSERVICES_IDS_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_IPOD_PLIST,
generated::fa_generated::FA_FILE_RECEIPTS_INSTALLHISTORY_PLIST,
generated::fa_generated::FA_FILE_LOG_INSTALL_LOG,
generated::fa_generated::FA_FILE_LOG_INSTALL_LOG_2,
generated::fa_generated::FA_FILE_LPROJ_ITXIB,
generated::fa_generated::FA_FILE_INFO_PLIST,
generated::fa_generated::FA_FILE_MANIFEST_PLIST,
generated::fa_generated::FA_FILE_MANIFEST_MDBD,
generated::fa_generated::FA_FILE_BACKUP,
generated::fa_generated::FA_FILE_STATUS_PLIST,
generated::fa_generated::FA_FILE_EXTENSIONS,
generated::fa_generated::FA_FILE_EXTENSIONS_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_HITOOLBOX_PLIST,
generated::fa_generated::FA_FILE_LOG_LASTLOG_2,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST_2,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST_3,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST_2,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST_3,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_BYHOST_COM_APPLE_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_BYHOST_COM_APPLE_LOGINWINDOW_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST_3,
generated::fa_generated::FA_FILE_MAILDATA_ACCOUNTS_PLIST,
generated::fa_generated::FA_FILE_MAILDATA_BACKUPTOC_PLIST,
generated::fa_generated::FA_FILE_MAILBOXES,
generated::fa_generated::FA_FILE_MAIL_DOWNLOADS,
generated::fa_generated::FA_FILE_MAILDATA_ENVELOPE_INDEX,
generated::fa_generated::FA_FILE_IMAP,
generated::fa_generated::FA_FILE_V_0_9,
generated::fa_generated::FA_FILE_MAILDATA_OPENEDATTACHMENTSV2_PLIST,
generated::fa_generated::FA_FILE_POP,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_MAIL_PLIST,
generated::fa_generated::FA_FILE_ADDRESSBOOK_MAILRECENTS_V4_ABCDMR,
generated::fa_generated::FA_FILE_SIGNATURES,
generated::fa_generated::FA_FILE_MESSAGES_CHAT_DB,
generated::fa_generated::FA_FILE_NETWORKD_NETUSAGE_SQLITE,
generated::fa_generated::FA_FILE_NETWORKD_NETUSAGE_SQLITE_2,
generated::fa_generated::FA_FILE_NOTES_NOTESV_STOREDATA,
generated::fa_generated::FA_FILE_NOTIFICATIONCENTER_DB,
generated::fa_generated::FA_FILE_DB_DB,
generated::fa_generated::FA_FILE_DB2_DB,
generated::fa_generated::FA_FILE_DB_DB_2,
generated::fa_generated::FA_FILE_DB2_DB_2,
generated::fa_generated::FA_FILE_DAILY_LOCAL,
generated::fa_generated::FA_FILE_DEFAULTS_PERIODIC_CONF,
generated::fa_generated::FA_FILE_MONTHLY_LOCAL,
generated::fa_generated::FA_FILE_PERIODIC_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_LOCAL,
generated::fa_generated::FA_FILE_DAILY,
generated::fa_generated::FA_FILE_MONTHLY,
generated::fa_generated::FA_FILE_WEEKLY,
generated::fa_generated::FA_FILE_WEEKLY_LOCAL,
generated::fa_generated::FA_FILE_DAILY_LOCAL_2,
generated::fa_generated::FA_FILE_DEFAULTS_PERIODIC_CONF_2,
generated::fa_generated::FA_FILE_MONTHLY_LOCAL_2,
generated::fa_generated::FA_FILE_PERIODIC_2_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_LOCAL_2,
generated::fa_generated::FA_FILE_DAILY_2,
generated::fa_generated::FA_FILE_MONTHLY_2,
generated::fa_generated::FA_FILE_WEEKLY_2,
generated::fa_generated::FA_FILE_WEEKLY_LOCAL_2,
generated::fa_generated::FA_FILE_PERIODIC_2_3,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARANTINEEVENT,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARANTINEEVENT_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_RECENTITEMS_PLIST,
generated::fa_generated::FA_FILE_CLIENTCACHES,
generated::fa_generated::FA_FILE_RMDB_RMDB_SQLITE3,
generated::fa_generated::FA_FILE_CLIENTCACHES_2,
generated::fa_generated::FA_FILE_RMDB_RMDB_SQLITE3_2,
generated::fa_generated::FA_FILE_CACHES_APPUSAGE_PLIST,
generated::fa_generated::FA_FILE_CACHES_APPUSAGE_PLIST_2,
generated::fa_generated::FA_FILE_CACHES_USERACCT_TMP,
generated::fa_generated::FA_FILE_CACHES_USERACCT_TMP_2,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_2,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_3,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_4,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_5,
generated::fa_generated::FA_FILE_RESOURCES_INFOPLIST_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_6,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_7,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_8,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_9,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_2,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_3,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_4,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_5,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_6,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_7,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_8,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SIDEBARLISTS_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SIDEBARLISTS_PLIST_2,
generated::fa_generated::FA_FILE_ASSISTANT_SIRIANALYTICS_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_ENTITIES_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_ENTITIES_DB_WAL,
generated::fa_generated::FA_FILE_PENDING_QUEUE_DB,
generated::fa_generated::FA_FILE_PENDING_QUEUE_DB_WAL,
generated::fa_generated::FA_FILE_SUGGESTIONS_SNIPPETS_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_SNIPPETS_DB_WAL,
generated::fa_generated::FA_FILE_VM_SLEEPIMAGE,
generated::fa_generated::FA_FILE_VM_SLEEPIMAGE_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SOFTWAREUPDATE_PLIST,
generated::fa_generated::FA_FILE_STORE_V1_VOLUMECONFIG_PLIST,
generated::fa_generated::FA_FILE_SPOTLIGHT_V100_VOLUMECONFIGURATION_PLIST,
generated::fa_generated::FA_FILE_PLIST,
generated::fa_generated::FA_FILE_PLIST_2,
generated::fa_generated::FA_FILE_VM_SWAPFILE_0_9,
generated::fa_generated::FA_FILE_VM_SWAPFILE_0_9_2,
generated::fa_generated::FA_FILE_SYSTEMCONFIGURATION_PREFERENCES_PLIST,
generated::fa_generated::FA_FILE_LOG_2,
generated::fa_generated::FA_FILE_DB_SYSTEMPOLICY,
generated::fa_generated::FA_FILE_DB_SYSTEMPOLICY_2,
generated::fa_generated::FA_FILE_PLIST_3,
generated::fa_generated::FA_FILE_CORESERVICES_SYSTEMVERSION_PLIST,
generated::fa_generated::FA_FILE_COM_APPLE_TCC_TCC_DB,
generated::fa_generated::FA_FILE_COM_APPLE_TCC_TCC_DB_2,
generated::fa_generated::FA_FILE_KEYBOARDSERVICES_TEXTREPLACEMENTS_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_TIMEMACHINE_PLIST,
generated::fa_generated::FA_FILE_DIAGNOSTICS_TRACEV3,
generated::fa_generated::FA_FILE_TRACEV3,
generated::fa_generated::FA_FILE_DIAGNOSTICS_TRACEV3_2,
generated::fa_generated::FA_FILE_TRACEV3_2,
generated::fa_generated::FA_FILE_DOCK_DESKTOPPICTURE_DB,
generated::fa_generated::FA_FILE_PREFERENCES_GLOBALPREFERENCES_PLIST_2,
generated::fa_generated::FA_FILE_KEYCHAINS_KEYCHAIN,
generated::fa_generated::FA_FILE_OCSPCACHE_SQLITE3,
generated::fa_generated::FA_FILE_USER_DB,
generated::fa_generated::FA_FILE_KEYCHAIN_2_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINITEMS_PLIST,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENTAGENT_BACKGROUNDIT,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENT_BACKGROUNDITEMS_V,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENT_BACKGROUNDITEMS_V_2,
generated::fa_generated::FA_FILE_USERS_PLIST,
generated::fa_generated::FA_FILE_USERS_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES,
generated::fa_generated::FA_FILE_ACCOUNTS_ACCOUNTS_SQLITE,
generated::fa_generated::FA_FILE_ACCOUNTS_ACCOUNTS_SQLITE_WAL,
generated::fa_generated::FA_FILE_TRASH,
generated::fa_generated::FA_FILE_RUN_UTMPX,
generated::fa_generated::FA_FILE_RUN_UTMPX_2,
generated::fa_generated::FA_FILE_PASSES_PASSES23_SQLITE,
generated::fa_generated::FA_FILE_AWDD_PERSISTENT_DB,
generated::fa_generated::FA_FILE_AWDD_PERSISTENT_DB_2,
generated::fa_generated::FA_FILE_IOS_DEVICE_LOGS_IOS_DEVICE_LOGS_DB,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_LOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_PROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASH_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASH_BASHRC_2,
generated::fa_generated::FA_FILE_ETC_BASHRC_2,
generated::fa_generated::FA_FILE_BASH_LOGOUT,
generated::fa_generated::FA_FILE_BASH_PROFILE,
generated::fa_generated::FA_FILE_BASHRC,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_HISTORY,
generated::fa_generated::FA_FILE_BASH_HISTORY,
generated::fa_generated::FA_FILE_BASH_SESSIONS,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_SH_HISTORY,
generated::fa_generated::FA_FILE_SH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_CSHRC,
generated::fa_generated::FA_FILE_ETC_CSH_CSHRC,
generated::fa_generated::FA_FILE_ETC_CSH_LOGIN,
generated::fa_generated::FA_FILE_ETC_CSH_LOGOUT,
generated::fa_generated::FA_FILE_ETC_CSH_CSHRC_2,
generated::fa_generated::FA_FILE_ETC_CSH_LOGIN_2,
generated::fa_generated::FA_FILE_ETC_CSH_LOGOUT_2,
generated::fa_generated::FA_FILE_CSHRC,
generated::fa_generated::FA_FILE_CONF_D_CONFIG_FISH,
generated::fa_generated::FA_FILE_CONF_D_FISH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH_2,
generated::fa_generated::FA_FILE_FISH_FISH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_KSH,
generated::fa_generated::FA_FILE_ETC_KSHRC,
generated::fa_generated::FA_FILE_ETC_KSHRC_2,
generated::fa_generated::FA_FILE_KSH,
generated::fa_generated::FA_FILE_ROOT_BASH_LOGOUT,
generated::fa_generated::FA_FILE_ROOT_BASH_PROFILE,
generated::fa_generated::FA_FILE_ROOT_BASHRC,
generated::fa_generated::FA_FILE_ROOT_CSHRC,
generated::fa_generated::FA_FILE_ROOT_KSH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH_3,
generated::fa_generated::FA_FILE_ROOT_LOGOUT,
generated::fa_generated::FA_FILE_ROOT_PROFILE,
generated::fa_generated::FA_FILE_ROOT_TCSH,
generated::fa_generated::FA_FILE_ROOT_ZLOGIN,
generated::fa_generated::FA_FILE_ROOT_ZLOGOUT,
generated::fa_generated::FA_FILE_ROOT_ZPROFILE,
generated::fa_generated::FA_FILE_ROOT_BASH_HISTORY,
generated::fa_generated::FA_FILE_FISH_FISH_HISTORY_2,
generated::fa_generated::FA_FILE_ROOT_SH_HISTORY,
generated::fa_generated::FA_FILE_ROOT_ZHISTORY,
generated::fa_generated::FA_FILE_ROOT_ZSH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_LOGOUT,
generated::fa_generated::FA_FILE_LOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PROFILE,
generated::fa_generated::FA_FILE_ETC_PROFILE,
generated::fa_generated::FA_FILE_ETC_PROFILE_2,
generated::fa_generated::FA_FILE_PROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_TCSH,
generated::fa_generated::FA_FILE_TCSH,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZLOGIN,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZLOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZPROFILE,
generated::fa_generated::FA_FILE_ETC_ZSHENV,
generated::fa_generated::FA_FILE_ETC_ZSHRC,
generated::fa_generated::FA_FILE_ZSH_ZLOGIN,
generated::fa_generated::FA_FILE_ZSH_ZLOGOUT,
generated::fa_generated::FA_FILE_ZSH_ZPROFILE,
generated::fa_generated::FA_FILE_ZSH_ZSHENV,
generated::fa_generated::FA_FILE_ZSH_ZSHRC,
generated::fa_generated::FA_FILE_ETC_ZSHENV_2,
generated::fa_generated::FA_FILE_ETC_ZSHRC_2,
generated::fa_generated::FA_FILE_ZSH_ZLOGIN_2,
generated::fa_generated::FA_FILE_ZSH_ZLOGOUT_2,
generated::fa_generated::FA_FILE_ZSH_ZPROFILE_2,
generated::fa_generated::FA_FILE_ZSH_ZSHENV_2,
generated::fa_generated::FA_FILE_ZSH_ZSHRC_2,
generated::fa_generated::FA_FILE_ZLOGIN,
generated::fa_generated::FA_FILE_ZLOGOUT,
generated::fa_generated::FA_FILE_ZPROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZHISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZSH_HISTORY,
generated::fa_generated::FA_FILE_ZHISTORY,
generated::fa_generated::FA_FILE_ZSH_HISTORY,
generated::fa_generated::FA_FILE_ACCESS_LOG,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG,
generated::fa_generated::FA_FILE_CATALINA_OUT,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT,
generated::fa_generated::FA_FILE_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_CATALINA_OUT_2,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_2,
generated::fa_generated::FA_FILE_ACCESS_LOG_3,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_3,
generated::fa_generated::FA_FILE_CATALINA_OUT_3,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_3,
generated::fa_generated::FA_FILE_ACCESS_LOG_4,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_4,
generated::fa_generated::FA_FILE_CATALINA_OUT_4,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_4,
generated::fa_generated::FA_FILE_ACCESS_LOG_5,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_5,
generated::fa_generated::FA_FILE_CATALINA_OUT_5,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_5,
generated::fa_generated::FA_FILE_ACCESS_LOG_6,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_6,
generated::fa_generated::FA_FILE_CATALINA_OUT_6,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_6,
generated::fa_generated::FA_FILE_ACCESS_LOG_7,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_7,
generated::fa_generated::FA_FILE_CATALINA_OUT_7,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_7,
generated::fa_generated::FA_FILE_ACCESS_LOG_8,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_8,
generated::fa_generated::FA_FILE_CATALINA_OUT_8,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_8,
generated::fa_generated::FA_FILE_ACCESS_LOG_9,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_9,
generated::fa_generated::FA_FILE_CATALINA_OUT_9,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_9,
generated::fa_generated::FA_FILE_ACCESS_LOG_10,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_10,
generated::fa_generated::FA_FILE_CATALINA_OUT_10,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_10,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_2,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_3,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_4,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_5,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_6,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_7,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_8,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_9,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_10,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_11,
generated::fa_generated::FA_FILE_ETC_GROUP,
generated::fa_generated::FA_FILE_ETC_GROUP_2,
generated::fa_generated::FA_FILE_ETC_HOSTS,
generated::fa_generated::FA_FILE_ETC_HOSTS_2,
generated::fa_generated::FA_FILE_ETC_LOCALTIME_2,
generated::fa_generated::FA_FILE_ETC_SHADOW_2,
generated::fa_generated::FA_FILE_ETC_SHADOW_3,
generated::fa_generated::FA_FILE_ETC_SHADOW_4,
generated::fa_generated::FA_FILE_ETC_SUDOERS,
generated::fa_generated::FA_FILE_ETC_SUDOERS_2,
generated::fa_generated::FA_FILE_LOG_BTMP_2,
generated::fa_generated::FA_FILE_RUN_UTMP_2,
generated::fa_generated::FA_CHROME_EXTENSIONS_5,
generated::fa_generated::FA_CHROME_EXTENSIONS_5_2,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_2,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_3,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_4,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_5,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_6,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_7,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_8,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_9,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_10,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_11,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_12,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_13,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_14,
generated::fa_generated::FA_FILE_INDEXEDDB_5,
generated::fa_generated::FA_FILE_INDEXEDDB_5_2,
generated::fa_generated::FA_FILE_INDEXEDDB_5_3,
generated::fa_generated::FA_FILE_INDEXEDDB_5_4,
generated::fa_generated::FA_FILE_INDEXEDDB_5_5,
generated::fa_generated::FA_FILE_INDEXEDDB_5_6,
generated::fa_generated::FA_FILE_INDEXEDDB_5_7,
generated::fa_generated::FA_FILE_INDEXEDDB_5_8,
generated::fa_generated::FA_FILE_INDEXEDDB_5_9,
generated::fa_generated::FA_FILE_INDEXEDDB_5_10,
generated::fa_generated::FA_FILE_INDEXEDDB_5_11,
generated::fa_generated::FA_FILE_INDEXEDDB_5_12,
generated::fa_generated::FA_FILE_INDEXEDDB_5_13,
generated::fa_generated::FA_FILE_INDEXEDDB_5_14,
generated::fa_generated::FA_FILE_LOCAL_STORAGE,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_2,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_3,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_4,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_5,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_6,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_7,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_8,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_9,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_10,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_11,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_12,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_13,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_14,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS_2,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS_3,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES,
generated::fa_generated::FA_FILE_PREFERENCES_2,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_2,
generated::fa_generated::FA_FILE_PREFERENCES_3,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_3,
generated::fa_generated::FA_FILE_PREFERENCES_4,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_4,
generated::fa_generated::FA_FILE_PREFERENCES_5,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_5,
generated::fa_generated::FA_FILE_PREFERENCES_6,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_6,
generated::fa_generated::FA_FILE_PREFERENCES_7,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_7,
generated::fa_generated::FA_FILE_PREFERENCES_8,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_8,
generated::fa_generated::FA_FILE_PREFERENCES_9,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_9,
generated::fa_generated::FA_FILE_PREFERENCES_10,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_10,
generated::fa_generated::FA_FILE_PREFERENCES_11,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_11,
generated::fa_generated::FA_FILE_PREFERENCES_12,
generated::fa_generated::FA_FILE_SESSION_STORAGE,
generated::fa_generated::FA_FILE_SESSION_STORAGE_2,
generated::fa_generated::FA_FILE_SESSION_STORAGE_3,
generated::fa_generated::FA_FILE_SESSION_STORAGE_4,
generated::fa_generated::FA_FILE_SESSIONS_SESSION,
generated::fa_generated::FA_FILE_SESSIONS_TABS,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_2,
generated::fa_generated::FA_FILE_SESSIONS_TABS_2,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_3,
generated::fa_generated::FA_FILE_SESSIONS_TABS_3,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_4,
generated::fa_generated::FA_FILE_SESSIONS_TABS_4,
generated::fa_generated::FA_FILE_SESSION_STORAGE_5,
generated::fa_generated::FA_FILE_SESSION_STORAGE_6,
generated::fa_generated::FA_FILE_SESSION_STORAGE_7,
generated::fa_generated::FA_FILE_SESSION_STORAGE_8,
generated::fa_generated::FA_FILE_SESSION_STORAGE_9,
generated::fa_generated::FA_FILE_SESSION_STORAGE_10,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_5,
generated::fa_generated::FA_FILE_SESSIONS_TABS_5,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_6,
generated::fa_generated::FA_FILE_SESSIONS_TABS_6,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_7,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_8,
generated::fa_generated::FA_FILE_SESSIONS_TABS_7,
generated::fa_generated::FA_FILE_SESSIONS_TABS_8,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_9,
generated::fa_generated::FA_FILE_SESSIONS_TABS_9,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_10,
generated::fa_generated::FA_FILE_SESSIONS_TABS_10,
generated::fa_generated::FA_FILE_SESSION_STORAGE_11,
generated::fa_generated::FA_FILE_SESSION_STORAGE_12,
generated::fa_generated::FA_FILE_SESSION_STORAGE_13,
generated::fa_generated::FA_FILE_SESSION_STORAGE_14,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_11,
generated::fa_generated::FA_FILE_SESSIONS_TABS_11,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_12,
generated::fa_generated::FA_FILE_SESSIONS_TABS_12,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_13,
generated::fa_generated::FA_FILE_SESSIONS_TABS_13,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_14,
generated::fa_generated::FA_FILE_SESSIONS_TABS_14,
generated::fa_generated::FA_FILE_CACHE_DATA,
generated::fa_generated::FA_FILE_GPUCACHE,
generated::fa_generated::FA_FILE_MEDIA_CACHE,
generated::fa_generated::FA_FILE_CACHE_DATA_2,
generated::fa_generated::FA_FILE_GPUCACHE_2,
generated::fa_generated::FA_FILE_MEDIA_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_DATA_3,
generated::fa_generated::FA_FILE_GPUCACHE_3,
generated::fa_generated::FA_FILE_MEDIA_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_7,
generated::fa_generated::FA_FILE_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_DATA_4,
generated::fa_generated::FA_FILE_GPUCACHE_4,
generated::fa_generated::FA_FILE_MEDIA_CACHE_4,
generated::fa_generated::FA_FILE_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_DATA_5,
generated::fa_generated::FA_FILE_GPUCACHE_5,
generated::fa_generated::FA_FILE_MEDIA_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_11,
generated::fa_generated::FA_FILE_CACHE_12,
generated::fa_generated::FA_FILE_CACHE_DATA_6,
generated::fa_generated::FA_FILE_GPUCACHE_6,
generated::fa_generated::FA_FILE_MEDIA_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_13,
generated::fa_generated::FA_FILE_CACHE_14,
generated::fa_generated::FA_FILE_CACHE_DATA_7,
generated::fa_generated::FA_FILE_GPUCACHE_7,
generated::fa_generated::FA_FILE_MEDIA_CACHE_7,
generated::fa_generated::FA_FILE_CACHE_15,
generated::fa_generated::FA_FILE_CACHE_16,
generated::fa_generated::FA_FILE_CACHE_DATA_8,
generated::fa_generated::FA_FILE_GPUCACHE_8,
generated::fa_generated::FA_FILE_MEDIA_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_17,
generated::fa_generated::FA_FILE_CACHE_18,
generated::fa_generated::FA_FILE_CACHE_DATA_9,
generated::fa_generated::FA_FILE_GPUCACHE_9,
generated::fa_generated::FA_FILE_MEDIA_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_DATA_10,
generated::fa_generated::FA_FILE_CACHE_19,
generated::fa_generated::FA_FILE_CACHE_20,
generated::fa_generated::FA_FILE_CACHE_DATA_11,
generated::fa_generated::FA_FILE_GPUCACHE_10,
generated::fa_generated::FA_FILE_MEDIA_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_21,
generated::fa_generated::FA_FILE_CACHE_22,
generated::fa_generated::FA_FILE_CACHE_23,
generated::fa_generated::FA_FILE_CACHE_24,
generated::fa_generated::FA_FILE_APPLICATION_CACHE,
generated::fa_generated::FA_FILE_CACHE_25,
generated::fa_generated::FA_FILE_CACHE_26,
generated::fa_generated::FA_FILE_GPUCACHE_11,
generated::fa_generated::FA_FILE_MEDIA_CACHE_11,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_27,
generated::fa_generated::FA_FILE_CACHE_28,
generated::fa_generated::FA_FILE_CACHE_29,
generated::fa_generated::FA_FILE_GPUCACHE_12,
generated::fa_generated::FA_FILE_MEDIA_CACHE_12,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_2,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_30,
generated::fa_generated::FA_FILE_CACHE_31,
generated::fa_generated::FA_FILE_GPUCACHE_13,
generated::fa_generated::FA_FILE_MEDIA_CACHE_13,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_3,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_4,
generated::fa_generated::FA_FILE_CACHE_32,
generated::fa_generated::FA_FILE_CACHE_33,
generated::fa_generated::FA_FILE_CACHE_34,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_35,
generated::fa_generated::FA_FILE_CACHE_36,
generated::fa_generated::FA_FILE_CACHE_37,
generated::fa_generated::FA_FILE_GPUCACHE_14,
generated::fa_generated::FA_FILE_MEDIA_CACHE_14,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_4,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_38,
generated::fa_generated::FA_FILE_CACHE_39,
generated::fa_generated::FA_FILE_CACHE_40,
generated::fa_generated::FA_FILE_GPUCACHE_15,
generated::fa_generated::FA_FILE_MEDIA_CACHE_15,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_5,
generated::fa_generated::FA_FILE_GPUCACHE_16,
generated::fa_generated::FA_FILE_MEDIA_CACHE_16,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_6,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_7,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_41,
generated::fa_generated::FA_FILE_CACHE_42,
generated::fa_generated::FA_FILE_GPUCACHE_17,
generated::fa_generated::FA_FILE_MEDIA_CACHE_17,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_7,
generated::fa_generated::FA_FILE_CACHE_43,
generated::fa_generated::FA_FILE_CACHE_44,
generated::fa_generated::FA_FILE_GPUCACHE_18,
generated::fa_generated::FA_FILE_MEDIA_CACHE_18,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_8,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_45,
generated::fa_generated::FA_FILE_CACHE_46,
generated::fa_generated::FA_FILE_GPUCACHE_19,
generated::fa_generated::FA_FILE_MEDIA_CACHE_19,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_9,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_47,
generated::fa_generated::FA_FILE_CACHE_48,
generated::fa_generated::FA_FILE_GPUCACHE_20,
generated::fa_generated::FA_FILE_MEDIA_CACHE_20,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_10,
generated::fa_generated::FA_FILE_CACHE_49,
generated::fa_generated::FA_FILE_CACHE_50,
generated::fa_generated::FA_FILE_CACHE_51,
generated::fa_generated::FA_FILE_CACHE_52,
generated::fa_generated::FA_FILE_MEDIA_CACHE_21,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_11,
generated::fa_generated::FA_FILE_CACHE_53,
generated::fa_generated::FA_FILE_CACHE_54,
generated::fa_generated::FA_FILE_MEDIA_CACHE_22,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_12,
generated::fa_generated::FA_FILE_MEDIA_CACHE_23,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_13,
generated::fa_generated::FA_FILE_CACHE_DATA_12,
generated::fa_generated::FA_FILE_CACHE_DATA_13,
generated::fa_generated::FA_FILE_CACHE_55,
generated::fa_generated::FA_FILE_CACHE_56,
generated::fa_generated::FA_FILE_CACHE_DATA_14,
generated::fa_generated::FA_FILE_MEDIA_CACHE_24,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_14,
generated::fa_generated::FA_FILE_CACHE_57,
generated::fa_generated::FA_FILE_CACHE_58,
generated::fa_generated::FA_FILE_CACHE_DATA_15,
generated::fa_generated::FA_FILE_MEDIA_CACHE_25,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_15,
generated::fa_generated::FA_FILE_CACHE_59,
generated::fa_generated::FA_FILE_CACHE_60,
generated::fa_generated::FA_FILE_CACHE_DATA_16,
generated::fa_generated::FA_FILE_MEDIA_CACHE_26,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_16,
generated::fa_generated::FA_FILE_CACHE_61,
generated::fa_generated::FA_FILE_CACHE_62,
generated::fa_generated::FA_FILE_CACHE_DATA_17,
generated::fa_generated::FA_FILE_MEDIA_CACHE_27,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_17,
generated::fa_generated::FA_FILE_CACHE_DATA_18,
generated::fa_generated::FA_FILE_CACHE_DATA_19,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_11,
generated::fa_generated::FA_FILE_CACHE_63,
generated::fa_generated::FA_FILE_CACHE_64,
generated::fa_generated::FA_FILE_GPUCACHE_21,
generated::fa_generated::FA_FILE_MEDIA_CACHE_28,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_18,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_12,
generated::fa_generated::FA_FILE_CACHE_65,
generated::fa_generated::FA_FILE_CACHE_66,
generated::fa_generated::FA_FILE_CACHE_DATA_20,
generated::fa_generated::FA_FILE_GPUCACHE_22,
generated::fa_generated::FA_FILE_MEDIA_CACHE_29,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_19,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_13,
generated::fa_generated::FA_FILE_CACHE_67,
generated::fa_generated::FA_FILE_CACHE_68,
generated::fa_generated::FA_FILE_CACHE_DATA_21,
generated::fa_generated::FA_FILE_GPUCACHE_23,
generated::fa_generated::FA_FILE_MEDIA_CACHE_30,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_20,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_14,
generated::fa_generated::FA_FILE_CACHE_69,
generated::fa_generated::FA_FILE_CACHE_70,
generated::fa_generated::FA_FILE_CACHE_DATA_22,
generated::fa_generated::FA_FILE_GPUCACHE_24,
generated::fa_generated::FA_FILE_MEDIA_CACHE_31,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_21,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_15,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_16,
generated::fa_generated::FA_FILE_CACHE_71,
generated::fa_generated::FA_FILE_CACHE_72,
generated::fa_generated::FA_FILE_GPUCACHE_25,
generated::fa_generated::FA_FILE_MEDIA_CACHE_32,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_22,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_17,
generated::fa_generated::FA_FILE_CACHE_73,
generated::fa_generated::FA_FILE_CACHE_74,
generated::fa_generated::FA_FILE_GPUCACHE_26,
generated::fa_generated::FA_FILE_MEDIA_CACHE_33,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_23,
generated::fa_generated::FA_FILE_CACHE_75,
generated::fa_generated::FA_FILE_CACHE_76,
generated::fa_generated::FA_FILE_CACHE_DATA_23,
generated::fa_generated::FA_FILE_GPUCACHE_27,
generated::fa_generated::FA_FILE_MEDIA_CACHE_34,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_24,
generated::fa_generated::FA_FILE_GPUCACHE_28,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_18,
generated::fa_generated::FA_FILE_CACHE_77,
generated::fa_generated::FA_FILE_CACHE_78,
generated::fa_generated::FA_FILE_GPUCACHE_29,
generated::fa_generated::FA_FILE_GPUCACHE_30,
generated::fa_generated::FA_FILE_MEDIA_CACHE_35,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_25,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_19,
generated::fa_generated::FA_FILE_CACHE_79,
generated::fa_generated::FA_FILE_CACHE_80,
generated::fa_generated::FA_FILE_GPUCACHE_31,
generated::fa_generated::FA_FILE_MEDIA_CACHE_36,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_26,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_20,
generated::fa_generated::FA_FILE_CACHE_81,
generated::fa_generated::FA_FILE_CACHE_82,
generated::fa_generated::FA_FILE_GPUCACHE_32,
generated::fa_generated::FA_FILE_MEDIA_CACHE_37,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_27,
generated::fa_generated::FA_FILE_NETWORK_COOKIES,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_COOKIES,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_2,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_2,
generated::fa_generated::FA_FILE_COOKIES_2,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_3,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_3,
generated::fa_generated::FA_FILE_COOKIES_3,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_4,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_4,
generated::fa_generated::FA_FILE_COOKIES_4,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_5,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_6,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_6,
generated::fa_generated::FA_FILE_COOKIES_5,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_5,
generated::fa_generated::FA_FILE_COOKIES_6,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_7,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_7,
generated::fa_generated::FA_FILE_COOKIES_7,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_8,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_8,
generated::fa_generated::FA_FILE_COOKIES_8,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_9,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_9,
generated::fa_generated::FA_FILE_COOKIES_9,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_10,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_10,
generated::fa_generated::FA_FILE_COOKIES_10,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_11,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_11,
generated::fa_generated::FA_FILE_COOKIES_11,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_12,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_12,
generated::fa_generated::FA_FILE_COOKIES_12,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_COOKIES,
generated::fa_generated::FA_FILE_OPERA_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_COOKIES_13,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_13,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_13,
generated::fa_generated::FA_FILE_COOKIES_14,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_14,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_14,
generated::fa_generated::FA_FILE_COOKIES_15,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_15,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_15,
generated::fa_generated::FA_FILE_COOKIES_16,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_16,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_16,
generated::fa_generated::FA_FILE_EXTENSIONS_10,
generated::fa_generated::FA_FILE_EXTENSIONS_10_2,
generated::fa_generated::FA_FILE_EXTENSIONS_10_3,
generated::fa_generated::FA_FILE_EXTENSIONS_10_4,
generated::fa_generated::FA_FILE_EXTENSIONS_10_5,
generated::fa_generated::FA_FILE_EXTENSIONS_10_6,
generated::fa_generated::FA_FILE_EXTENSIONS_10_7,
generated::fa_generated::FA_FILE_EXTENSIONS_10_8,
generated::fa_generated::FA_FILE_EXTENSIONS_10_9,
generated::fa_generated::FA_FILE_EXTENSIONS_10_10,
generated::fa_generated::FA_FILE_EXTENSIONS_10_11,
generated::fa_generated::FA_FILE_EXTENSIONS_10_12,
generated::fa_generated::FA_FILE_EXTENSIONS_10_13,
generated::fa_generated::FA_FILE_EXTENSIONS_10_14,
generated::fa_generated::FA_FILE_EXTENSIONS_10_15,
generated::fa_generated::FA_FILE_EXTENSIONS_10_16,
generated::fa_generated::FA_FILE_EXTENSIONS_10_17,
generated::fa_generated::FA_FILE_EXTENSIONS_10_18,
generated::fa_generated::FA_FILE_EXTENSIONS_10_19,
generated::fa_generated::FA_FILE_EXTENSIONS_10_20,
generated::fa_generated::FA_FILE_EXTENSIONS_10_21,
generated::fa_generated::FA_FILE_EXTENSIONS_10_22,
generated::fa_generated::FA_FILE_EXTENSIONS_10_23,
generated::fa_generated::FA_FILE_EXTENSIONS_10_24,
generated::fa_generated::FA_FILE_EXTENSIONS_10_25,
generated::fa_generated::FA_FILE_EXTENSIONS_10_26,
generated::fa_generated::FA_FILE_EXTENSIONS_10_27,
generated::fa_generated::FA_FILE_EXTENSIONS_10_28,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_2,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_3,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_4,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_5,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_6,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_7,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_8,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_9,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_10,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_11,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_12,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_13,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_14,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_15,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_16,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_17,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_18,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_19,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_20,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_21,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_22,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_23,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_24,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_25,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_26,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_27,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_28,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_FAVICONS,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_2,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_2,
generated::fa_generated::FA_FILE_FAVICONS_2,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_3,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_3,
generated::fa_generated::FA_FILE_FAVICONS_3,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_4,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_4,
generated::fa_generated::FA_FILE_FAVICONS_4,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_5,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_6,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_6,
generated::fa_generated::FA_FILE_FAVICONS_5,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_5,
generated::fa_generated::FA_FILE_FAVICONS_6,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_7,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_7,
generated::fa_generated::FA_FILE_FAVICONS_7,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_8,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_8,
generated::fa_generated::FA_FILE_FAVICONS_8,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_9,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_9,
generated::fa_generated::FA_FILE_FAVICONS_9,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_10,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_10,
generated::fa_generated::FA_FILE_FAVICONS_10,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_11,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_11,
generated::fa_generated::FA_FILE_FAVICONS_11,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_12,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_12,
generated::fa_generated::FA_FILE_FAVICONS_12,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_FAVICONS,
generated::fa_generated::FA_FILE_OPERA_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_FAVICONS_13,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_13,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_13,
generated::fa_generated::FA_FILE_FAVICONS_14,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_14,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_14,
generated::fa_generated::FA_FILE_FAVICONS_15,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_15,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_15,
generated::fa_generated::FA_FILE_FAVICONS_16,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_16,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_HISTORY,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_2,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_2,
generated::fa_generated::FA_FILE_HISTORY_2,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_2,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_3,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_3,
generated::fa_generated::FA_FILE_HISTORY_3,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_3,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_4,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_4,
generated::fa_generated::FA_FILE_HISTORY_4,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_4,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_5,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_5,
generated::fa_generated::FA_FILE_HISTORY_5,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_5,
generated::fa_generated::FA_FILE_HISTORY_6,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_6,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_6,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_6,
generated::fa_generated::FA_FILE_HISTORY_7,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_7,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_7,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_7,
generated::fa_generated::FA_FILE_HISTORY_8,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_8,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_8,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_8,
generated::fa_generated::FA_FILE_HISTORY_9,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_9,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_9,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_9,
generated::fa_generated::FA_FILE_HISTORY_10,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_10,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_10,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_10,
generated::fa_generated::FA_FILE_HISTORY_11,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_11,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_11,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_11,
generated::fa_generated::FA_FILE_HISTORY_12,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_12,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_12,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_12,
generated::fa_generated::FA_FILE_HISTORY_13,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_13,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_13,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_13,
generated::fa_generated::FA_FILE_HISTORY_14,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_14,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_14,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_14,
generated::fa_generated::FA_FILE_HISTORY_15,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_15,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_15,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_15,
generated::fa_generated::FA_FILE_HISTORY_16,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_16,
generated::fa_generated::FA_FILE_HISTORY_17,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_17,
generated::fa_generated::FA_FILE_HISTORY_18,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_18,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_17,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_17,
generated::fa_generated::FA_FILE_HISTORY_19,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_19,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_18,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_18,
generated::fa_generated::FA_FILE_HISTORY_20,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_20,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_19,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_19,
generated::fa_generated::FA_FILE_HISTORY_21,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_21,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_20,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_20,
generated::fa_generated::FA_FILE_HISTORY_22,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_22,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_21,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_21,
generated::fa_generated::FA_FILE_HISTORY_23,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_23,
generated::fa_generated::FA_FILE_HISTORY_24,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_24,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_22,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_22,
generated::fa_generated::FA_FILE_HISTORY_25,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_25,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_23,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_23,
generated::fa_generated::FA_FILE_HISTORY_26,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_26,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_24,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_24,
generated::fa_generated::FA_FILE_HISTORY_27,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_27,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_25,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_25,
generated::fa_generated::FA_FILE_HISTORY_28,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_28,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_26,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_26,
generated::fa_generated::FA_FILE_HISTORY_29,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_29,
generated::fa_generated::FA_FILE_HISTORY_30,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_30,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_27,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_27,
generated::fa_generated::FA_FILE_HISTORY_31,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_31,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_28,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_28,
generated::fa_generated::FA_FILE_HISTORY_32,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_32,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_29,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_29,
generated::fa_generated::FA_FILE_HISTORY_33,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_33,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_LOGIN_DATA,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_2,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_LOGIN_DATA_2,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_3,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_LOGIN_DATA_3,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_4,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_LOGIN_DATA_4,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_5,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_6,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_LOGIN_DATA_5,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_LOGIN_DATA_6,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_7,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_LOGIN_DATA_7,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_8,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_LOGIN_DATA_8,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_9,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_LOGIN_DATA_9,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_10,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_LOGIN_DATA_10,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_11,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_LOGIN_DATA_11,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_12,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_LOGIN_DATA_12,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_LOGIN_DATA,
generated::fa_generated::FA_FILE_OPERA_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_LOGIN_DATA_13,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_13,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_LOGIN_DATA_14,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_14,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_LOGIN_DATA_15,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_15,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_LOGIN_DATA_16,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_16,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_WEB_DATA,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_2,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_WEB_DATA_2,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_3,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_WEB_DATA_3,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_4,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_WEB_DATA_4,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_5,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_6,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_WEB_DATA_5,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_WEB_DATA_6,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_7,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_WEB_DATA_7,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_8,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_WEB_DATA_8,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_9,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_WEB_DATA_9,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_10,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_WEB_DATA_10,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_11,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_WEB_DATA_11,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_12,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_WEB_DATA_12,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_WEB_DATA,
generated::fa_generated::FA_FILE_OPERA_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_WEB_DATA_13,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_13,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_WEB_DATA_14,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_14,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_WEB_DATA_15,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_15,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_WEB_DATA_16,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_CACHE_83,
generated::fa_generated::FA_FILE_CACHE2,
generated::fa_generated::FA_FILE_DOOMED,
generated::fa_generated::FA_FILE_ENTRIES,
generated::fa_generated::FA_FILE_CACHE_84,
generated::fa_generated::FA_FILE_CACHE2_2,
generated::fa_generated::FA_FILE_DOOMED_2,
generated::fa_generated::FA_FILE_ENTRIES_2,
generated::fa_generated::FA_FILE_CACHE_85,
generated::fa_generated::FA_FILE_CACHE_86,
generated::fa_generated::FA_FILE_CACHE2_3,
generated::fa_generated::FA_FILE_DOOMED_3,
generated::fa_generated::FA_FILE_ENTRIES_3,
generated::fa_generated::FA_FILE_CACHE_87,
generated::fa_generated::FA_FILE_CACHE2_4,
generated::fa_generated::FA_FILE_DOOMED_4,
generated::fa_generated::FA_FILE_ENTRIES_4,
generated::fa_generated::FA_FILE_CACHE_88,
generated::fa_generated::FA_FILE_CACHE2_5,
generated::fa_generated::FA_FILE_DOOMED_5,
generated::fa_generated::FA_FILE_ENTRIES_5,
generated::fa_generated::FA_FILE_CACHE_89,
generated::fa_generated::FA_FILE_CACHE2_6,
generated::fa_generated::FA_FILE_DOOMED_6,
generated::fa_generated::FA_FILE_ENTRIES_6,
generated::fa_generated::FA_FILE_CACHE_90,
generated::fa_generated::FA_FILE_CACHE2_7,
generated::fa_generated::FA_FILE_DOOMED_7,
generated::fa_generated::FA_FILE_ENTRIES_7,
generated::fa_generated::FA_FILE_CACHE_91,
generated::fa_generated::FA_FILE_CACHE2_8,
generated::fa_generated::FA_FILE_DOOMED_8,
generated::fa_generated::FA_FILE_ENTRIES_8,
generated::fa_generated::FA_FILE_COOKIES_SQLITE,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_2,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_SHM,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_3,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_4,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_2,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_3,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_4,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL,
generated::fa_generated::FA_FILE_PLACES_SQLITE_2,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_PLACES_SQLITE_3,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_PLACES_SQLITE_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE_5,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_5,
generated::fa_generated::FA_FILE_ADDONS_JSON,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON,
generated::fa_generated::FA_FILE_ADDONS_JSON_2,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_2,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_2,
generated::fa_generated::FA_FILE_ADDONS_JSON_3,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_3,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_3,
generated::fa_generated::FA_FILE_ADDONS_JSON_4,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_4,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_4,
generated::fa_generated::FA_EXPLORER_BROWSER_HELPER_OBJECTS,
generated::fa_generated::FA_EXPLORER_BROWSER_HELPER_OBJECTS_2,
generated::fa_generated::FA_FILE_COOKIES_INDEX_DAT,
generated::fa_generated::FA_FILE_LOW_INDEX_DAT,
generated::fa_generated::FA_FILE_WEBCACHE_WEBCACHEV_DAT,
generated::fa_generated::FA_FILE_IEDOWNLOADHISTORY_INDEX_DAT,
generated::fa_generated::FA_FILE_FEEDS_CACHE_INDEX_DAT,
generated::fa_generated::FA_FILE_INDEX_DAT,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT,
generated::fa_generated::FA_FILE_INDEX_DAT_2,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT_2,
generated::fa_generated::FA_FILE_CONTENT_IE5_INDEX_DAT,
generated::fa_generated::FA_FILE_CONTENT_IE5_INDEX_DAT_2,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT_3,
generated::fa_generated::FA_INTERNET_EXPLORER_MAIN_NOPROTECTEDMODEBANNER,
generated::fa_generated::FA_INTERNET_EXPLORER_TYPEDURLS,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT_2,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT_3,
generated::fa_generated::FA_FILE_OPERA_STABLE_HISTORY,
generated::fa_generated::FA_FILE_OPERA_STABLE_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_SAFARI_AUTOFILLCORRECTIONS_DB,
generated::fa_generated::FA_FILE_SAFARI_AUTOFILLCORRECTIONS_DB_WAL,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_WAL,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_2,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_WAL_2,
generated::fa_generated::FA_FILE_SAFARI_CACHE_DB,
generated::fa_generated::FA_FILE_SAFARI_CLOUDAUTOFILLCORRECTIONS_DB,
generated::fa_generated::FA_FILE_SAFARI_CLOUDAUTOFILLCORRECTIONS_DB_WAL,
generated::fa_generated::FA_FILE_COOKIES_COOKIES_BINARYCOOKIES,
generated::fa_generated::FA_FILE_COOKIES_COOKIES_BINARYCOOKIES_2,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST_2,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST_3,
generated::fa_generated::FA_FILE_FAVICON_CACHE_FAVICONS_DB,
generated::fa_generated::FA_FILE_FAVICON_CACHE_FAVICONS_DB_WAL,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST_2,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST_3,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_DB,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_DB_WAL,
generated::fa_generated::FA_FILE_SAFARI_PERSITEPREFERENCES_DB,
generated::fa_generated::FA_FILE_SAFARI_PERSITEPREFERENCES_DB_WAL,
generated::fa_generated::FA_FILE_TABSNAPSHOTS_METADATA_DB,
generated::fa_generated::FA_FILE_TOUCH_ICONS_CACHE_TOUCHICONCACHESETTINGS_DB,
generated::fa_generated::FA_FILE_TOUCH_ICONS_CACHE_TOUCHICONCACHESETTINGS_DB_WAL,
generated::fa_generated::FA_FILE_DATABASE_DATABASE_SQLITE3,
generated::fa_generated::FA_FILE_APACHE_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE2_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_OTHER_VHOSTS_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE2_OTHER_VHOSTS_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_HTTPD_ACCESS_LOG,
generated::fa_generated::FA_FILE_HTTPD_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_CONF,
generated::fa_generated::FA_FILE_HTTPD_CONF,
generated::fa_generated::FA_FILE_CONF_MODULES_D_CONF,
generated::fa_generated::FA_FILE_SITES_AVAILABLE_000_DEFAULT_CONF,
generated::fa_generated::FA_FILE_APACHE_ERROR,
generated::fa_generated::FA_FILE_APACHE_ERROR_LOG,
generated::fa_generated::FA_FILE_APACHE2_ERROR,
generated::fa_generated::FA_FILE_APACHE2_ERROR_LOG,
generated::fa_generated::FA_FILE_HTTPD_ERROR,
generated::fa_generated::FA_FILE_HTTPD_ERROR_LOG,
generated::fa_generated::FA_FILE_LOGS_ERROR_LOG,
generated::fa_generated::FA_FILE_NGINX_ACCESS_LOG,
generated::fa_generated::FA_FILE_NGINX_ERROR_LOG,
generated::fa_generated::FA_FILE_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_WWW_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_WP_CONFIG_PHP_2,
generated::fa_generated::FA_FILE_WWW_WP_CONFIG_PHP_2,
generated::fa_generated::FA_FILE_WP_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_LOGFILES_LOG,
generated::fa_generated::FA_FILE_W3SVC_LOG,
generated::fa_generated::FA_FILE_W3SVC_LOG_2,
generated::fa_generated::FA_FILE_W3SVC_LOG_3,
generated::fa_generated::FA_DESKTOP_COMPONENTS,
generated::fa_generated::FA_INTERNET_EXPLORER_DESKTOP_GENERAL,
generated::fa_generated::FA_FILE_NTDS_NTDS_DIT,
generated::fa_generated::FA_FILE_NTDS_DIT,
generated::fa_generated::FA_FILE_NTDS_DIT_2,
generated::fa_generated::FA_FILE_SYSTEM32_NTDS_DIT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONCONNECT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONDISCONNECT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONCONNECT_2,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONDISCONNECT_2,
generated::fa_generated::FA_FILE_L_USERS_USERNAME_ACTIVITIESCACHE_DB,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE_LOG1,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE_LOG2,
generated::fa_generated::FA_CONTROL_SESSION_MANAGER_APPCERTDLLS,
generated::fa_generated::FA_CURRENTVERSION_APP_PATHS,
generated::fa_generated::FA_CURRENTVERSION_APP_PATHS_2,
generated::fa_generated::FA_FILE_APPPATCH_DRVMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_FRXMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_MSIMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_PCAMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_SYSMAIN_SDB,
generated::fa_generated::FA_FILE_CUSTOM,
generated::fa_generated::FA_FILE_CUSTOM_2,
generated::fa_generated::FA_FILE_CUSTOM64,
generated::fa_generated::FA_FILE_CUSTOMSDB,
generated::fa_generated::FA_FILE_SYSTEM32_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_WBEM_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_V1_0_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_AUTOEXEC_BAT,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUTOEXEC_NT,
generated::fa_generated::FA_CURRENTVERSION_AUTOEXCLUSIONLIST,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_AUTORUN_INF,
generated::fa_generated::FA_CURRENTVERSION_TIME_ZONES,
generated::fa_generated::FA_BAM_USERSETTINGS,
generated::fa_generated::FA_STATE_USERSETTINGS,
generated::fa_generated::FA_DAM_USERSETTINGS,
generated::fa_generated::FA_STATE_USERSETTINGS_2,
generated::fa_generated::FA_FILE_DOWNLOADER_QMGR_DAT,
generated::fa_generated::FA_FILE_DOWNLOADER_QMGR_DB,
generated::fa_generated::FA_FILE_BOOT_BCD,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG1,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG2,
generated::fa_generated::FA_FILE_BOOT_BCD_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG1_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG2_2,
generated::fa_generated::FA_FILE_RECOVERY_BCD,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG1,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG2,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REP,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REC,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REP_2,
generated::fa_generated::FA_FILE_REPOSITORY_INDEX_BTR,
generated::fa_generated::FA_FILE_REPOSITORY_INDEX_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_MAPPING_VER,
generated::fa_generated::FA_FILE_REPOSITORY_MAPPING_1_3_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_OBJECTS_DATA,
generated::fa_generated::FA_FILE_REPOSITORY_OBJECTS_MAP,
generated::fa_generated::FA_FILE_FS_INDEX_BTR,
generated::fa_generated::FA_FILE_FS_INDEX_MAP,
generated::fa_generated::FA_FILE_FS_MAPPING_VER,
generated::fa_generated::FA_FILE_FS_MAPPING_1_2_MAP,
generated::fa_generated::FA_FILE_FS_OBJECTS_DATA,
generated::fa_generated::FA_FILE_FS_OBJECTS_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_INDEX_BTR,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_INDEX_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_MAPPING_VER,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_MAPPING_1_3_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_OBJECTS_DATA,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_OBJECTS_MAP,
generated::fa_generated::FA_FILE_FS_INDEX_BTR_2,
generated::fa_generated::FA_FILE_FS_INDEX_MAP_2,
generated::fa_generated::FA_FILE_FS_MAPPING_VER_2,
generated::fa_generated::FA_FILE_FS_MAPPING_1_2_MAP_2,
generated::fa_generated::FA_FILE_FS_OBJECTS_DATA_2,
generated::fa_generated::FA_FILE_FS_OBJECTS_MAP_2,
generated::fa_generated::FA_FILE_INTERNET_EXPLORER_SXS_DLL,
generated::fa_generated::FA_FILE_INTERNET_EXPLORER_SXS_DLL_2,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_EXPLORER_EXE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_PROGRAM_EXE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_LINKINFO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_NTSHRUI_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_OCI_DLL,
generated::fa_generated::FA_FILE_SYSPREP_CRYPTBASE_DLL,
generated::fa_generated::FA_FILE_SYSWOW64_OCI_DLL,
generated::fa_generated::FA_FILE_SYSPREP_CRYPTBASE_DLL_2,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_CONFIG_SYS,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CONFIG_NT,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_2,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_3,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_4,
generated::fa_generated::FA_FILE_INDEXED_DB_INDEXEDDB_EDB,
generated::fa_generated::FA_FILE_ESEDATABASE_CORTANACOREINSTANCE_CORTANACOREDB_DAT,
generated::fa_generated::FA_FILE_WER,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_DMP,
generated::fa_generated::FA_FILE_MINIDUMP_DMP,
generated::fa_generated::FA_FILE_CRASHDUMPS,
generated::fa_generated::FA_FILE_TEMP_DMP,
generated::fa_generated::FA_FILE_CRASHDUMPS_2,
generated::fa_generated::FA_FILE_TEMP_DMP_2,
generated::fa_generated::FA_FILE_TEMP_DMP_3,
generated::fa_generated::FA_FILE_CRASHDUMPS_3,
generated::fa_generated::FA_FILE_WER_2,
generated::fa_generated::FA_FILE_TEMP_DMP_4,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDER_FILTERS,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDER_FILTERS_2,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDERS,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDERS_2,
generated::fa_generated::FA_FILE_METADATA,
generated::fa_generated::FA_FILE_METADATA_2,
generated::fa_generated::FA_FILE_METADATA_3,
generated::fa_generated::FA_FILE_CONTENT,
generated::fa_generated::FA_FILE_CONTENT_2,
generated::fa_generated::FA_FILE_CONTENT_3,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_2,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_3,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_4,
generated::fa_generated::FA_FILE_CONFIG_APPEVENT_EVT,
generated::fa_generated::FA_WINEVT_PUBLISHERS,
generated::fa_generated::FA_FILE_CONFIG_EVT,
generated::fa_generated::FA_FILE_LOGS_EVTX,
generated::fa_generated::FA_FILE_CONFIG_SECEVENT_EVT,
generated::fa_generated::FA_EVENTLOG,
generated::fa_generated::FA_FILE_CONFIG_SYSEVENT_EVT,
generated::fa_generated::FA_FILE_SHUTDOWNLOGGER_ETL,
generated::fa_generated::FA_FILE_COLLECTORS_ETL,
generated::fa_generated::FA_FILE_WFP_ETL,
generated::fa_generated::FA_FILE_LOGS_ETL,
generated::fa_generated::FA_FILE_SYSTEM_ETL,
generated::fa_generated::FA_FILE_PERSONAL_ETL,
generated::fa_generated::FA_FILE_EXPLORER_ETL,
generated::fa_generated::FA_FILE_LOCALSTATE_ETL,
generated::fa_generated::FA_FILE_ETL,
generated::fa_generated::FA_FILE_PANTHER_ETL,
generated::fa_generated::FA_FILE_LOGS_ETL_2,
generated::fa_generated::FA_FILE_LOGS_ETL_3,
generated::fa_generated::FA_FILE_WMI_ETL,
generated::fa_generated::FA_FILE_WMI_ETL_0,
generated::fa_generated::FA_FILE_RTBACKUP_ETL,
generated::fa_generated::FA_FILE_SLEEPSTUDY_ETL,
generated::fa_generated::FA_FILE_SCREENON_ETL,
generated::fa_generated::FA_FILE_LOGFILES_ETL,
generated::fa_generated::FA_FILE_LOGFILES_ETL_0,
generated::fa_generated::FA_FILE_ETL_2,
generated::fa_generated::FA_AUTOPLAYHANDLERS_HANDLERS,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_2,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_4,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_2,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACEWOW64_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_4,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE_3,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_4,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_DESKTOP_NAMESPACE_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_4,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_4,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_4,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_FILE_FIREWALL_PFIREWALL_LOG,
generated::fa_generated::FA_FILE_SCRIPTS_PSSCRIPTS_INI,
generated::fa_generated::FA_FILE_SCRIPTS_SCRIPTS_INI,
generated::fa_generated::FA_FILE_LOGOFF,
generated::fa_generated::FA_FILE_LOGON,
generated::fa_generated::FA_FILE_SCRIPTS_PSSCRIPTS_INI_2,
generated::fa_generated::FA_FILE_SCRIPTS_SCRIPTS_INI_2,
generated::fa_generated::FA_FILE_SHUTDOWN,
generated::fa_generated::FA_FILE_STARTUP,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_2,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_3,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_4,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_5,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_2,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_3,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_4,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_5,
generated::fa_generated::FA_CURRENTVERSION_FONT_DRIVERS,
generated::fa_generated::FA_FILE_DATABASE_HCDATA_EDB,
generated::fa_generated::FA_FILE_ETC_LMHOSTS,
generated::fa_generated::FA_FILE_SYSTEM32_MAGNIFIER_EXE,
generated::fa_generated::FA_FILE_SYSTEM32_SETHC_EXE,
generated::fa_generated::FA_FILE_SYSTEM32_UTILMAN_EXE,
generated::fa_generated::FA_CURRENTVERSION_EXPLORER_MAP_NETWORK_DRIVE_MRU,
generated::fa_generated::FA_FILE_AC_INETCACHE,
generated::fa_generated::FA_FILE_AC_INETCOOKIES,
generated::fa_generated::FA_FILE_AC_INETHISTORY,
generated::fa_generated::FA_FILE_WINDOWS_ROAMINGTILES,
generated::fa_generated::FA_SYSTEM_MOUNTEDDEVICES,
generated::fa_generated::FA_MSDTC_MTXOCI,
generated::fa_generated::FA_MSDTC_MTXOCI_2,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_2,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_3,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_4,
generated::fa_generated::FA_SOFTWARE_MICROSOFT_NETSH,
generated::fa_generated::FA_WOW6432NODE_MICROSOFT_NETSH,
generated::fa_generated::FA_OPENSAVEMRU,
generated::fa_generated::FA_OPENSAVEPIDLMRU,
generated::fa_generated::FA_AUTHENTICATION_PLAP_PROVIDERS,
generated::fa_generated::FA_AUTHENTICATION_PLAP_PROVIDERS_2,
generated::fa_generated::FA_EXPLORER_DISALLOWRUN,
generated::fa_generated::FA_EXPLORER_DISALLOWRUN_2,
generated::fa_generated::FA_,
generated::fa_generated::FA_FILE_V1_0_PROFILE_PS1,
generated::fa_generated::FA_FILE_V1_0_MICROSOFT_POWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_WINDOWSPOWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_WINDOWSPOWERSHELL_MICROSOFT_POWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_PSREADLINE_CONSOLEHOST_HISTORY_TXT,
generated::fa_generated::FA_FILE_PREFETCH_PF,
generated::fa_generated::FA_FILE_NOTIFICATIONS_WPNDATABASE_DB,
generated::fa_generated::FA_FILE_NOTIFICATIONS_WPNDATABASE_DB_2,
generated::fa_generated::FA_FILE_PROGRAMS_RECENTFILECACHE_BCF,
generated::fa_generated::FA_FILE_RECYCLE_BIN,
generated::fa_generated::FA_FILE_RECYCLER,
generated::fa_generated::FA_FILE_I,
generated::fa_generated::FA_FILE_INFO2,
generated::fa_generated::FA_FILE_SYSTEM32_ROVER_DLL,
generated::fa_generated::FA_CLSID_16D12736_7A9E_4765_BEC6_F301D679CAAA,
generated::fa_generated::FA_EXPLORER_RUN,
generated::fa_generated::FA_CURRENTVERSION_RUN,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE,
generated::fa_generated::FA_RUNONCE_SETUP,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX,
generated::fa_generated::FA_CURRENTVERSION_RUN_2,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_2,
generated::fa_generated::FA_RUNONCE_SETUP_2,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_2,
generated::fa_generated::FA_EXPLORER_RUN_2,
generated::fa_generated::FA_EXPLORER_RUN_3,
generated::fa_generated::FA_CURRENTVERSION_RUN_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_3,
generated::fa_generated::FA_RUNONCE_SETUP_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_3,
generated::fa_generated::FA_EXPLORER_RUN_4,
generated::fa_generated::FA_CURRENTVERSION_RUN_4,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_4,
generated::fa_generated::FA_RUNONCE_SETUP_4,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_4,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_2,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_2,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_3,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_3,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_4,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_4,
generated::fa_generated::FA_FILE_TASKS_10,
generated::fa_generated::FA_FILE_TASKS_10_2,
generated::fa_generated::FA_FILE_TASKS_10_3,
generated::fa_generated::FA_FILE_WINDOWS_WINDOWS_EDB,
generated::fa_generated::FA_CONTROL_SECURITYPROVIDERS,
generated::fa_generated::FA_FILE_DATABASE_SECEDIT_SDB,
generated::fa_generated::FA_FILE_TEMPLATES_SPSECUPD_SDB,
generated::fa_generated::FA_CURRENTCONTROLSET_SERVICES,
generated::fa_generated::FA_EXPLORER_SHAREDTASKSCHEDULER,
generated::fa_generated::FA_EXPLORER_SHAREDTASKSCHEDULER_2,
generated::fa_generated::FA_EXPLORER_SHELLEXECUTEHOOKS,
generated::fa_generated::FA_EXPLORER_SHELLEXECUTEHOOKS_2,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_2,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_3,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_4,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_2,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_2,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_2,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_2,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_2,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_3,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_3,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_3,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_3,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_4,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_4,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_4,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_4,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_3,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_5,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_5,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_5,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_5,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_6,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_6,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_6,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_6,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_4,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_7,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_7,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_7,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_7,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_8,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_8,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_8,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_8,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_2,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_3,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_4,
generated::fa_generated::FA_WINDOWS_CURRENTVERSION_SHELLSERVICEOBJECTDELAYLOAD,
generated::fa_generated::FA_WINDOWS_CURRENTVERSION_SHELLSERVICEOBJECTDELAYLOAD_2,
generated::fa_generated::FA_FILE_MESSAGESTORE_SMSINTERCEPTSTORE_DB,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_SETUPAPI_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_APP_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_DEV_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_OFFLINE_LOG,
generated::fa_generated::FA_FILE_APPREPOSITORY_STATEREPOSITORY_DEPLOYMENT_SRD,
generated::fa_generated::FA_FILE_APPREPOSITORY_STATEREPOSITORY_MACHINE_SRD,
generated::fa_generated::FA_FILE_STARTUP_2,
generated::fa_generated::FA_FILE_STARTUP_3,
generated::fa_generated::FA_FILE_STARTUP_4,
generated::fa_generated::FA_FILE_STARTUP_5,
generated::fa_generated::FA_FILE_PREFETCH_AG_DB,
generated::fa_generated::FA_FILE_PREFETCH_AG_DB_TRX,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_SYSTEM_INI,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WIN_INI,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WININIT_INI,
generated::fa_generated::FA_FILE_REGBACK_SAM,
generated::fa_generated::FA_FILE_REGBACK_SECURITY,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG2,
generated::fa_generated::FA_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE,
generated::fa_generated::FA_FILE_CONFIG_SAM,
generated::fa_generated::FA_FILE_CONFIG_SECURITY,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG2,
generated::fa_generated::FA_FILE_SRU_SRUDB_DAT,
generated::fa_generated::FA_FILE_STARTUPINFO_XML,
generated::fa_generated::FA_FILE_TEMP,
generated::fa_generated::FA_FILE_TEMP_2,
generated::fa_generated::FA_FILE_TEMP_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_5,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_5,
generated::fa_generated::FA_CURRENTVERSION_RUN_5,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_6,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_6,
generated::fa_generated::FA_CURRENTVERSION_RUN_6,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_7,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_7,
generated::fa_generated::FA_CURRENTVERSION_RUN_7,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_8,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_8,
generated::fa_generated::FA_CURRENTVERSION_RUN_8,
generated::fa_generated::FA_FILE_EXPLORER_THUMBCACHE_DB,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_BACKUPPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_CHKDSKPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_CLEANUPPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_DEFRAGPATH,
generated::fa_generated::FA_FILE_DATABASE_VEDATAMODEL_EDB,
generated::fa_generated::FA_UNINSTALL,
generated::fa_generated::FA_UNINSTALL_2,
generated::fa_generated::FA_UNINSTALL_3,
generated::fa_generated::FA_FILE_CATDB,
generated::fa_generated::FA_FILE_DATASTORE_DATASTORE_EDB,
generated::fa_generated::FA_FILE_SYSTEM_ETL_2,
generated::fa_generated::FA_FILE_CBS_CBS_LOG,
generated::fa_generated::FA_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL,
generated::fa_generated::FA_FILE_UPDATESTORE_STORE_DB,
generated::fa_generated::FA_FILE_SUM_MDB,
generated::fa_generated::FA_FILE_AUTOMATICDESTINATIONS_AUTOMATICDESTINATIONS_MS,
generated::fa_generated::FA_FILE_CUSTOMDESTINATIONS_CUSTOMDESTINATIONS_MS,
generated::fa_generated::FA_FILE_RECENT,
generated::fa_generated::FA_FILE_RECENT_2,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_MAN,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG1,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG2,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG1,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG2,
generated::fa_generated::FA_EXPLORER_SHELL_FOLDERS,
generated::fa_generated::FA_USERS_SID_ENVIRONMENT,
generated::fa_generated::FA_USERS_SID_VOLATILE_ENVIRONMENT,
generated::fa_generated::FA_FILE_CACHESTORAGE_CACHESTORAGE_EDB,
generated::fa_generated::FA_ALTERNATESHELLS_AVAILABLESHELLS,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSTART_BAT,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DOSSTART_BAT,
generated::fa_generated::FA_EXPLORER_WORDWHEELQUERY,
generated::fa_generated::FA_FILE_LOGS_APPLICATION_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4ADMIN_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_POWERSHELLCORE_OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_WINDOWS_POWERSHELL_EVTX,
generated::fa_generated::FA_FILE_LOGS_SECURITY_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_SYSMON_4OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_SYSTEM_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSION,
generated::fa_generated::FA_PROTOCOL_CATALOG9_CATALOG_ENTRIES,
generated::fa_generated::FA_PROTOCOL_CATALOG9_CATALOG_ENTRIES64,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EXPLORERFRAME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DUSER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DUI70_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_UXTHEME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_POWRPROF_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DWMAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SLC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_GDIPLUS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SECUR32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SSPICLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROPSYS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSTA_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTBASE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINDOWSCODECS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROFAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_APPHELP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EHSTORSHELL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCDLL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTSHRUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SRVCLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ICONCODECSERVICE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTSP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RSAENH_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RPCRTREMOTE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SNDVOLSSO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HID_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MMDEVAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TIMEDATE_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ATL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACTXPRXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTMARTA_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHDOCVW_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_LINKINFO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_USERENV_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHACCT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_GAMEUX_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_XMLLITE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SAMLIB_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSLS31_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TIPTSF_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUTHUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSILTCFG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_VERSION_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETWORKEXPLORER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINMM_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WDMAUD_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_KSUSER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AVRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUDIOSES_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSACM32_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSACM32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MIDIMAP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETUTILS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_STOBJECT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_BATMETER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WTSAPI32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ES_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PRNFLDR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSPOOL_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DXP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCREG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETSHELL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IPHLPAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINNSI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLAAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ALTTAB_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PNIDUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_QUTIL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WEVTAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DHCPCSVC6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DHCPCSVC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CREDSSP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NPMPROXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCOBJ_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WLANAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WLANUTIL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WWANAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WWAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_QAGENT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SRCHADMIN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSSPRXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_BTHPROPS_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IEFRAME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_OLEACC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCCENTER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACTIONCENTER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IMAPI2_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SXS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HGCPL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROVSVC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WKSCLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSST_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSRESM_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IEPROXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_THUMBCACHE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASADHLP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MPR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_VMHGFS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DRPROV_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTLANMAN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DAVCLNT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DAVHLPR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_STRUCTUREDQUERY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_UIANIMATION_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DEVRTL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MLANG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCINTEROP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCUI_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WERCONCPL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FRAMEDYNOS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WERCPLSUPPORT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSXML6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HCPROVIDERS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ZIPFLDR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RAREXT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_7_ZIP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TWEXT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINCDEMUCONTEXTMENU_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCENG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHLEXT010_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ATL90_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACPPAGE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SFC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SFC_OS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DSROLE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACLUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTDSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PHOTOBASE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SBDROP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TQUERY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EHSTORAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SEARCHFOLDER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NATURALLANGUAGE6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLSDATA0009_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLSLEXICONS0009_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSFTEDIT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DNSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASAPI32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASMAN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RTUTILS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SENSAPI_DLL,
generated::kape_generated::KAPE_FILE_KAPETRIAGE_TKAPE,
generated::kape_generated::KAPE_FILE_USER_APPDATA,
generated::kape_generated::KAPE_FILE_REGEX_3GP_AA_AAC_ACT_AIFF_ALAC_AMR_APE_AU_AWB_DSS,
generated::kape_generated::KAPE_FILE_REGEX_XLS_XLSX_CSV_TSV_XLT_XLM_XLSM_XLTX_XLTM_XLSB,
generated::kape_generated::KAPE_FILE_REGEX_PDF_XPS_OXPS,
generated::kape_generated::KAPE_FILE_REGEX_AI_BMP_BPG_CDR_CPC_EPS_EXR_FLIF_GIF_HEIF_ILB,
generated::kape_generated::KAPE_FILE_REGEX_DB_SQLITE,
generated::kape_generated::KAPE_FILE_REGEX_3G2_3GP_AMV_ASF_AVI_DRC_FLV_F4V_F4P_F4A_F4B,
generated::kape_generated::KAPE_FILE_C_ZIP,
generated::kape_generated::KAPE_FILE_REGEX_DOC_DOCX_DOCM_DOTX_DOTM_DOCB_DOT_WBK_ODT_FOD,
generated::kape_generated::KAPE_FILE_USER_DESKTOP,
generated::kape_generated::KAPE_FILE_USER_DOCUMENTS,
generated::kape_generated::KAPE_FILE_USER_DOWNLOADS,
generated::kape_generated::KAPE_FILE_USER_DROPBOX,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOG,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_REPORT,
generated::kape_generated::KAPE_FILE_AVG_AV_LOGS,
generated::kape_generated::KAPE_FILE_AVG_REPORT_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOGS,
generated::kape_generated::KAPE_FILE_AVG_ANTIVIRUSFILEINFO2_DB,
generated::kape_generated::KAPE_FILE_AVG_ANTIVIRUSLSDB2_JSON,
generated::kape_generated::KAPE_FILE_AVAST_LOG,
generated::kape_generated::KAPE_FILE_AVAST_AV_LOGS,
generated::kape_generated::KAPE_FILE_AVAST_AV_USER_LOGS,
generated::kape_generated::KAPE_FILE_CHEST_INDEX_XML,
generated::kape_generated::KAPE_FILE_AVAST_LOGS,
generated::kape_generated::KAPE_FILE_ICARUS_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOGFILES,
generated::kape_generated::KAPE_FILE_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_AVIRA_VPN,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_PROFILES_LOGS,
generated::kape_generated::KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM,
generated::kape_generated::KAPE_FILE_C_COMBOFIX_TXT,
generated::kape_generated::KAPE_FILE_CROWDSTRIKE_QUARANTINE,
generated::kape_generated::KAPE_FILE_CRS1_LOGS,
generated::kape_generated::KAPE_FILE_APV2_LOGS,
generated::kape_generated::KAPE_FILE_CRB1_LOGS,
generated::kape_generated::KAPE_FILE_CYLANCE_DESKTOP,
generated::kape_generated::KAPE_FILE_OPTICS_LOG,
generated::kape_generated::KAPE_FILE_DESKTOP_LOG,
generated::kape_generated::KAPE_FILE_ESET_NOD32_ANTIVIRUS_LOGS,
generated::kape_generated::KAPE_FILE_ESET_NOD32_AV_LOGS,
generated::kape_generated::KAPE_FILE_ESET_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_ERAAGENTAPPLICATIONDATA_LOGS,
generated::kape_generated::KAPE_FILE_ESET_SECURITY_QUARANTINE,
generated::kape_generated::KAPE_FILE_SYSTEM_USER_QUARANTI,
generated::kape_generated::KAPE_FILE_LOG_LOG,
generated::kape_generated::KAPE_FILE_EQUARANTINE,
generated::kape_generated::KAPE_FILE_ELASTIC_DEFEND_QUARA,
generated::kape_generated::KAPE_FILE_REPORTS_SCAN_TXT,
generated::kape_generated::KAPE_FILE_F_SECURE_LOG,
generated::kape_generated::KAPE_FILE_F_SECURE_USER_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_SCHEDULEDSCANREPORTS,
generated::kape_generated::KAPE_FILE_HITMANPRO_LOGS,
generated::kape_generated::KAPE_FILE_HITMANPRO_ALERT_LOGS,
generated::kape_generated::KAPE_FILE_HITMANPRO_ALERT_EXCALIBUR_DB,
generated::kape_generated::KAPE_FILE_HITMANPRO_QUARANTINE,
generated::kape_generated::KAPE_FILE_LOGS_MBAM_LOG_XML,
generated::kape_generated::KAPE_FILE_LOGS_MBAMSERVICE_LOG,
generated::kape_generated::KAPE_FILE_MALWAREBYTES_ANTI_MALWARE_LOGS,
generated::kape_generated::KAPE_FILE_MBAMSERVICE_SCANRESULTS,
generated::kape_generated::KAPE_FILE_MCAFEE_DESKTOPPROTECTION,
generated::kape_generated::KAPE_FILE_MCAFEE_DESKTOP_PROTE,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_2,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_OLD,
generated::kape_generated::KAPE_FILE_MCAFEE_VIRUSSCAN,
generated::kape_generated::KAPE_FILE_MSC_LOGS,
generated::kape_generated::KAPE_FILE_AGENT_AGENTEVENTS,
generated::kape_generated::KAPE_FILE_AGENT_LOGS,
generated::kape_generated::KAPE_FILE_DATAREPUTATION_LOGS,
generated::kape_generated::KAPE_FILE_VIRUSSCAN_LOGS,
generated::kape_generated::KAPE_FILE_COMMON_FRAMEWORK_AGENTEVENTS,
generated::kape_generated::KAPE_FILE_MCLOGS_SAE,
generated::kape_generated::KAPE_FILE_DATREPUTATION_LOGS,
generated::kape_generated::KAPE_FILE_MCAFEE_MANAGED_VIRUS,
generated::kape_generated::KAPE_FILE_WCF_SERVICE_LOG,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_3,
generated::kape_generated::KAPE_FILE_APACHE2_LOGS,
generated::kape_generated::KAPE_FILE_DB_EVENTS,
generated::kape_generated::KAPE_FILE_EVENTS_DEBUG,
generated::kape_generated::KAPE_FILE_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_DEBUG_MSERT_LOG,
generated::kape_generated::KAPE_FILE_LOGS_ADLICEREPORT_JSON,
generated::kape_generated::KAPE_FILE_SUPERANTISPYWARE_LOGS,
generated::kape_generated::KAPE_FILE_SECUREAGE_LOG,
generated::kape_generated::KAPE_FILE_SENTINEL_LOGS,
generated::kape_generated::KAPE_FILE_SOPHOS_LOGS,
generated::kape_generated::KAPE_FILE_LOGS,
generated::kape_generated::KAPE_FILE_SOPHOS_LOGS_2,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE,
generated::kape_generated::KAPE_FILE_LOGS_AV,
generated::kape_generated::KAPE_FILE_DATA_LOGS,
generated::kape_generated::KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_LOGS,
generated::kape_generated::KAPE_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_EVTX,
generated::kape_generated::KAPE_FILE_SYMANTEC_EVENT_LOG_W,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_QUARANTINE,
generated::kape_generated::KAPE_FILE_DATA_QUARANTINE,
generated::kape_generated::KAPE_FILE_CMNCLNT_CCSUBSDK,
generated::kape_generated::KAPE_FILE_DATA_REGISTRATIONINFO_XML,
generated::kape_generated::KAPE_FILE_TOTALAV_LOGS,
generated::kape_generated::KAPE_FILE_TOTALAV_LOGS_2,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_TREND_MICRO,
generated::kape_generated::KAPE_FILE_REPORT_LOG,
generated::kape_generated::KAPE_FILE_CONNLOG_LOG,
generated::kape_generated::KAPE_FILE_QUARANTINE,
generated::kape_generated::KAPE_FILE_VIPRE_BUSINESS_AGENT_LOGS,
generated::kape_generated::KAPE_FILE_ROAMING_VIPRE_BUSINESS,
generated::kape_generated::KAPE_FILE_ANTIMALWARE_LOGS,
generated::kape_generated::KAPE_FILE_VIPRE_BUSINESS_USER,
generated::kape_generated::KAPE_FILE_WRDATA_WRLOG_LOG,
generated::kape_generated::KAPE_FILE_DETECTIONHISTORY,
generated::kape_generated::KAPE_FILE_MICROSOFT_ANTIMALWARE_SUPPORT,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_WINDOWS_DEFENDER_EVTX,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_EVE,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_SUPPORT,
generated::kape_generated::KAPE_FILE_TEMP_MPCMDRUN_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_LOG,
generated::kape_generated::KAPE_FILE_DETECTIONHISTORY_2,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_QUARANTINE,
generated::kape_generated::KAPE_FILE_SERVICE_DETECTIONS_LOG,
generated::kape_generated::KAPE_FILE_1PASSWORD_DATA_1PASSWORD10_SQLITE,
generated::kape_generated::KAPE_FILE_1PASSWORD_BACKUPS_1PASSWORD10_SQLITE,
generated::kape_generated::KAPE_FILE_1PASSWORD_LOGS_LOG,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER,
generated::kape_generated::KAPE_FILE_USER_DOCUMENTS_ATC,
generated::kape_generated::KAPE_FILE_LOGS_TI_DEMON,
generated::kape_generated::KAPE_FILE_TRUEIMAGEHOME_DATABASEARCHIVES_DB,
generated::kape_generated::KAPE_FILE_TRUEIMAGEHOME_SCRIPTS,
generated::kape_generated::KAPE_FILE_ACTION1_LOGS_LOG,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_ALIASES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_ALI,
generated::kape_generated::KAPE_FILE_ADVANCED_IP_SCANNER,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_A,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_COMMENTS_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_C,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_2,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_M,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_3,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_F,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_4,
generated::kape_generated::KAPE_FILE_C_ADVANCED_IP_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_ALIASES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER,
generated::kape_generated::KAPE_FILE_ADVANCED_PORT_SCANNE,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_COMMENTS_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_2,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_2,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_4,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_5,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_3,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_3,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_6,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_7,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_4,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_4,
generated::kape_generated::KAPE_FILE_C_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_CONFIG,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_CRASHREPORTS,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_INDEXLOG,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_LOGS,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_AMMYY,
generated::kape_generated::KAPE_FILE_ANYDESK_TRACE,
generated::kape_generated::KAPE_FILE_ANYDESK_LOGS_PROGRAM,
generated::kape_generated::KAPE_FILE_ANYDESK_CONF,
generated::kape_generated::KAPE_FILE_ANYDESK_CONF_2,
generated::kape_generated::KAPE_FILE_ANYDESK_ANYDESK,
generated::kape_generated::KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT,
generated::kape_generated::KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT_2,
generated::kape_generated::KAPE_FILE_ROAMING_ANYDESK,
generated::kape_generated::KAPE_FILE_ANYDESK_CHAT_TXT,
generated::kape_generated::KAPE_FILE_ROAMING_ANYDESK_FILE_TRANSFER_TRACE_TXT,
generated::kape_generated::KAPE_FILE_ANYDESK_FILE_TRANSFER_TRACE_TXT,
generated::kape_generated::KAPE_FILE_LOG_LOG_2,
generated::kape_generated::KAPE_FILE_ASPERA_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_INI,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_TXT,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_DB,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CONFIG,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CFG,
generated::kape_generated::KAPE_FILE_BOX_BOX,
generated::kape_generated::KAPE_FILE_LOCAL_BOX_SYNC,
generated::kape_generated::KAPE_FILE_USER_BOX,
generated::kape_generated::KAPE_FILE_USER_BOX_SYNC,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB,
generated::kape_generated::KAPE_FILE_INDEXEDDB_HTTPS_CHATGPT_COM_0_INDEXEDDB_LEVELDB,
generated::kape_generated::KAPE_FILE_CHATGPT_CACHE,
generated::kape_generated::KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT,
generated::kape_generated::KAPE_FILE_OPENAI_CHATGPT_DESKTOP_2P2NQSD0C76G0_SETTINGS_SETT,
generated::kape_generated::KAPE_FILE_LOGS_LOG,
generated::kape_generated::KAPE_FILE_HISTORY_DB,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_PICS,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4_BA,
generated::kape_generated::KAPE_FILE_LOGS_LOG_2,
generated::kape_generated::KAPE_FILE_CONFLUENCE_WIKI_LOG,
generated::kape_generated::KAPE_FILE_DWAGENT_LOG,
generated::kape_generated::KAPE_FILE_AWS_CREDENTIALS,
generated::kape_generated::KAPE_FILE_AWS_CONFIG,
generated::kape_generated::KAPE_FILE_KUBE_CONFIG,
generated::kape_generated::KAPE_FILE_DOCKER_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_USER_GIT_CREDENTIALS,
generated::kape_generated::KAPE_FILE_USER_GITCONFIG,
generated::kape_generated::KAPE_FILE_SSH_CONFIG,
generated::kape_generated::KAPE_FILE_SSH_KNOWN_HOSTS,
generated::kape_generated::KAPE_FILE_USER_NPMRC,
generated::kape_generated::KAPE_FILE_MRU_RENAME_FOLDERS_OSD,
generated::kape_generated::KAPE_FILE_MRU_RENAME_FILES_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_CONTAINS_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_NAME_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_PATH_OSD,
generated::kape_generated::KAPE_FILE_STATE_DATA_RECENT_OSD,
generated::kape_generated::KAPE_FILE_STATE_DATA_BACKUPCONFIG_OSD,
generated::kape_generated::KAPE_FILE_DIRECTORY_OPUS_THUMBNAIL_CACHE,
generated::kape_generated::KAPE_FILE_DIRECTORY_OPUS_LOGS,
generated::kape_generated::KAPE_FILE_DISCORD_CACHE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_2,
generated::kape_generated::KAPE_FILE_DOUBLECMD_HISTORY_XML,
generated::kape_generated::KAPE_FILE_DOUBLECMD_DOUBLECMD_XML,
generated::kape_generated::KAPE_FILE_DOUBLECMD_DOUBLECMD_LOG,
generated::kape_generated::KAPE_FILE_DOUBLECMD_MULTIARC_INI,
generated::kape_generated::KAPE_FILE_DOUBLECMD_SESSION_INI,
generated::kape_generated::KAPE_FILE_DOUBLECMD_PIXMAPS_TXT,
generated::kape_generated::KAPE_FILE_DOUBLECMD_SHORTCUTS_SCF,
generated::kape_generated::KAPE_FILE_DROPBOX_INFO_JSON,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_MACHINE_STORAGETRAY_THUMBNAILS_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DBX,
generated::kape_generated::KAPE_FILE_PROTECT,
generated::kape_generated::KAPE_FILE_DROPBOX_INSTANCE,
generated::kape_generated::KAPE_FILE_USER_DROPBOX_2,
generated::kape_generated::KAPE_FILE_ROAMING_EFSOFTWARE,
generated::kape_generated::KAPE_FILE_DATABASES_ACCOUNTS,
generated::kape_generated::KAPE_FILE_DATABASES_EXB,
generated::kape_generated::KAPE_FILE_DATABASES_EXB_SNIPPETS,
generated::kape_generated::KAPE_FILE_EVERYTHING_EVERYTHING_DB,
generated::kape_generated::KAPE_FILE_EVERYTHING_RUN_HISTORY_CSV,
generated::kape_generated::KAPE_FILE_EVERYTHING_SEARCH_HISTORY_CSV,
generated::kape_generated::KAPE_FILE_EVERYTHING_EVERYTHING_INI,
generated::kape_generated::KAPE_FILE_FSIV_FSIV_DB,
generated::kape_generated::KAPE_FILE_FENCES_BACKUPS,
generated::kape_generated::KAPE_FILE_FILEZILLA_XML,
generated::kape_generated::KAPE_FILE_FILEZILLA_SQLITE3,
generated::kape_generated::KAPE_FILE_FILEZILLA_SERVER_XML,
generated::kape_generated::KAPE_FILE_LOGS_LOG_3,
generated::kape_generated::KAPE_FILE_LOGS_TRACE,
generated::kape_generated::KAPE_FILE_FORTICLIENT_TRACE_LO,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_FTP_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_HIST_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_FAV_XML,
generated::kape_generated::KAPE_FILE_SETTINGS_BKP_SETTINGS,
generated::kape_generated::KAPE_FILE_TEMP_FC_LOG,
generated::kape_generated::KAPE_FILE_TEMP_FREECOMMANDER,
generated::kape_generated::KAPE_FILE_FREE_DOWNLOAD_MANAGER_FDM_SQLITE,
generated::kape_generated::KAPE_FILE_BACKUP_BACKUP_INFO,
generated::kape_generated::KAPE_FILE_BACKUP_USERDATA_ZIP,
generated::kape_generated::KAPE_FILE_FREEFILESYNC_LOGS,
generated::kape_generated::KAPE_FILE_USER_GOOGLE_DRIVE,
generated::kape_generated::KAPE_FILE_GOOGLE_DRIVE,
generated::kape_generated::KAPE_FILE_GOOGLE_DRIVEFS,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_KML,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML,
generated::kape_generated::KAPE_FILE_GOOGLE_EARTH_MY_PLAC,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML_2,
generated::kape_generated::KAPE_FILE_HEIDISQL_BACKUPS,
generated::kape_generated::KAPE_FILE_HEIDISQL_TABS_INI,
generated::kape_generated::KAPE_FILE_HEXCHAT_LOGS,
generated::kape_generated::KAPE_FILE_ARCHIVE_CLEANUP,
generated::kape_generated::KAPE_FILE_BACKUP,
generated::kape_generated::KAPE_FILE_DELETE,
generated::kape_generated::KAPE_FILE_RESTORE,
generated::kape_generated::KAPE_FILE_LOGXML_XML,
generated::kape_generated::KAPE_FILE_TRACEFILE_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_IDMAPPEDDRIVES_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_SCHEDULE_XML,
generated::kape_generated::KAPE_FILE_IBCOMMON_SCH_TRACE_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_IDRIVE_INI,
generated::kape_generated::KAPE_FILE_IBCOMMON_GET_ALLDRIVES_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_EXCLUDE,
generated::kape_generated::KAPE_FILE_IBCOMMON_AUTOCOMP_INI,
generated::kape_generated::KAPE_FILE_IBDS,
generated::kape_generated::KAPE_FILE_ISLCLIENT_OUT,
generated::kape_generated::KAPE_FILE_CONF,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_SESSION_XML,
generated::kape_generated::KAPE_FILE_TRACE_OUT,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_OUT,
generated::kape_generated::KAPE_FILE_ISL_LIGHT_LOGS_SESSI,
generated::kape_generated::KAPE_FILE_STATUS_TRAY,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_STATICCONFIGURATION_INI,
generated::kape_generated::KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS,
generated::kape_generated::KAPE_FILE_ITARIAN,
generated::kape_generated::KAPE_FILE_COMODO,
generated::kape_generated::KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS_2,
generated::kape_generated::KAPE_FILE_ICECHAT_LOGS,
generated::kape_generated::KAPE_FILE_LOG_FILES_IMGBURN_LOG,
generated::kape_generated::KAPE_FILE_IRFANVIEW_I_VIEW32_INI,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_DOWNLOADLIST_ZIP,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_LINKCOLLECTOR_ZIP,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_GENER,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_GUI_VIEWS_LINK,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_INTER,
generated::kape_generated::KAPE_FILE_IDX,
generated::kape_generated::KAPE_FILE_JAVA_WEBSTART_CACHE,
generated::kape_generated::KAPE_FILE_IDX_2,
generated::kape_generated::KAPE_FILE_IDX_3,
generated::kape_generated::KAPE_FILE_IDX_4,
generated::kape_generated::KAPE_FILE_IDX_5,
generated::kape_generated::KAPE_FILE_IDX_6,
generated::kape_generated::KAPE_FILE_IDX_7,
generated::kape_generated::KAPE_FILE_IDX_8,
generated::kape_generated::KAPE_FILE_IDX_9,
generated::kape_generated::KAPE_FILE_IDX_10,
generated::kape_generated::KAPE_FILE_KASEYA_LOG,
generated::kape_generated::KAPE_FILE_LOG_KASEYALIVECONNECT,
generated::kape_generated::KAPE_FILE_LOG_ENDPOINT,
generated::kape_generated::KAPE_FILE_KASEYA_AGENT_ENDPOIN,
generated::kape_generated::KAPE_FILE_AGENTMON_LOG,
generated::kape_generated::KAPE_FILE_TEMP_KASETUP_LOG,
generated::kape_generated::KAPE_FILE_KASEYA_SETUP_LOG,
generated::kape_generated::KAPE_FILE_TEMP_KASETUP_LOG_2,
generated::kape_generated::KAPE_FILE_LOG_KASEYAEDGESERVICES,
generated::kape_generated::KAPE_FILE_KEEPASS_XML,
generated::kape_generated::KAPE_FILE_KEEPASS_PASSWORD_SAFE_XML,
generated::kape_generated::KAPE_FILE_KEEPASS_PASSWORD_SAFE_CONFIG,
generated::kape_generated::KAPE_FILE_KEEPASSXC_INI,
generated::kape_generated::KAPE_FILE_KEEPASS_ROAMING_INI,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_LEVEL_LOG,
generated::kape_generated::KAPE_FILE_LOGMEIN_LOGS,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_3,
generated::kape_generated::KAPE_FILE_TEMP_LOGMEINLOGS,
generated::kape_generated::KAPE_FILE_MACRIUM_MACRIUM_SERVICE,
generated::kape_generated::KAPE_FILE_MACRIUM_REFLECT,
generated::kape_generated::KAPE_FILE_MACRIUM_REFLECT_LAUNCHER,
generated::kape_generated::KAPE_FILE_MATTERMOST_INDEXEDDB,
generated::kape_generated::KAPE_FILE_ROAMING_MEDIAMONKEY_MM_DB,
generated::kape_generated::KAPE_FILE_ROAMING_MEDIAMONKEY_MEDIAMONKEY_INI,
generated::kape_generated::KAPE_FILE_MEGA_LIMITED_MEGASYNC,
generated::kape_generated::KAPE_FILE_MESH_AGENT_MSH,
generated::kape_generated::KAPE_FILE_MESH_AGENT_LOG,
generated::kape_generated::KAPE_FILE_AZCOPY_LOG,
generated::kape_generated::KAPE_FILE_PLANS_STE,
generated::kape_generated::KAPE_FILE_FULLTEXTSEARCHINDEX,
generated::kape_generated::KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS,
generated::kape_generated::KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX,
generated::kape_generated::KAPE_FILE_16_0_NOTETAGS_LIVEID_DB,
generated::kape_generated::KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB,
generated::kape_generated::KAPE_FILE_STICKYNOTES_STICKYNOTES_SNT,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PLUM_SQLITE,
generated::kape_generated::KAPE_FILE_INDEXEDDB_HTTPS_TEAMS_MICROSOFT_COM_0_INDEXEDDB_LE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_3,
generated::kape_generated::KAPE_FILE_TEAMS_CACHE,
generated::kape_generated::KAPE_FILE_TEAMS_DESKTOP_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_MSTEAMS_LOGS,
generated::kape_generated::KAPE_FILE_TODOSQLITE_DB,
generated::kape_generated::KAPE_FILE_AVATARS_USERAVATAR_JPG,
generated::kape_generated::KAPE_FILE_USER_MIDNIGHT_COMMANDER,
generated::kape_generated::KAPE_FILE_ROAMING_MOBAXTERM,
generated::kape_generated::KAPE_FILE_MSTY_DB,
generated::kape_generated::KAPE_FILE_LOCAL_MULTICOMMANDER,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_CONFIG,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_LOGS,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_USERDATA,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_MULTICOMMANDER_LOG,
generated::kape_generated::KAPE_FILE_NESSUS_CONF,
generated::kape_generated::KAPE_FILE_NESSUS_LOGS,
generated::kape_generated::KAPE_FILE_LOG_USER,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_DATA,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_CONFIG,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_TMP,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_LOG,
generated::kape_generated::KAPE_FILE_NET_MONITOR_CLIENT_C,
generated::kape_generated::KAPE_FILE_NOTEPAD_BACKUP,
generated::kape_generated::KAPE_FILE_NOTEPAD_CONFIG_XML,
generated::kape_generated::KAPE_FILE_NOTEPAD_SESSION_XML,
generated::kape_generated::KAPE_FILE_ROAMING_NOTION_NOTION_DB,
generated::kape_generated::KAPE_FILE_PARTITIONS_NOTION_CUSTOM_DICTIONARY_TXT,
generated::kape_generated::KAPE_FILE_USER_ONECOMMANDER,
generated::kape_generated::KAPE_FILE_ONEC,
generated::kape_generated::KAPE_FILE_MICROSOFT_ONEDRIVE,
generated::kape_generated::KAPE_FILE_USER_ONEDRIVE,
generated::kape_generated::KAPE_FILE_SSH_CONFIG_2,
generated::kape_generated::KAPE_FILE_SSH_KNOWN_HOSTS_2,
generated::kape_generated::KAPE_FILE_SSH_PUB,
generated::kape_generated::KAPE_FILE_SSH_ID_RSA,
generated::kape_generated::KAPE_FILE_SSH_ID_ECDSA,
generated::kape_generated::KAPE_FILE_SSH_ID_ECDSA_SK,
generated::kape_generated::KAPE_FILE_SSH_ID_ED25519,
generated::kape_generated::KAPE_FILE_SSH_ID_ED25519_SK,
generated::kape_generated::KAPE_FILE_SSH_ID_DSA,
generated::kape_generated::KAPE_FILE_SSH_SSHD_CONFIG,
generated::kape_generated::KAPE_FILE_LOGS_2,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_ECDSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_ED25519_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_DSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_RSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_AUTHORIZED_KEYS,
generated::kape_generated::KAPE_FILE_SSH_AUTHORIZED_KEYS2,
generated::kape_generated::KAPE_FILE_SSH_ADMINISTRATORS_AUTHORIZED_KEYS,
generated::kape_generated::KAPE_FILE_OPENVPN_CONFIG,
generated::kape_generated::KAPE_FILE_OPENVPN_CLIENT_CONFI,
generated::kape_generated::KAPE_FILE_LOG_LOG_3,
generated::kape_generated::KAPE_FILE_OUTLOOK_PST,
generated::kape_generated::KAPE_FILE_OUTLOOK_OST,
generated::kape_generated::KAPE_FILE_OUTLOOK_FILES_PST,
generated::kape_generated::KAPE_FILE_OUTLOOK_FILES_OST,
generated::kape_generated::KAPE_FILE_PST,
generated::kape_generated::KAPE_FILE_OST,
generated::kape_generated::KAPE_FILE_OUTLOOK_NST,
generated::kape_generated::KAPE_FILE_INETCACHE_CONTENT_OUTLOOK,
generated::kape_generated::KAPE_FILE_PDQ_DEPLOY_DB,
generated::kape_generated::KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_PANGP_LOG,
generated::kape_generated::KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_LOG,
generated::kape_generated::KAPE_FILE_ROAMING_PEAZIP,
generated::kape_generated::KAPE_FILE_PROTONVPN_LOGS,
generated::kape_generated::KAPE_FILE_PROTON_VPN_LOGS,
generated::kape_generated::KAPE_FILE_SERVICEDATA_LOGS,
generated::kape_generated::KAPE_FILE_PROTON_VPN_STORAGE,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGGING,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGS_IN,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_SETUP_CLIENT_LOG,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGGING_PULSECLIENT_LOG,
generated::kape_generated::KAPE_FILE_Q_DIR_Q_DIR_INI,
generated::kape_generated::KAPE_FILE_Q_DIR_START_QDR,
generated::kape_generated::KAPE_FILE_QNAP_QFINDERPRO,
generated::kape_generated::KAPE_FILE_LOG_PROXY_TXT,
generated::kape_generated::KAPE_FILE_LOG_PROXY_LOG,
generated::kape_generated::KAPE_FILE_LOG_SCHEDULER_TXT,
generated::kape_generated::KAPE_FILE_LOG_SCHEDULER_LOG,
generated::kape_generated::KAPE_FILE_C_RDG,
generated::kape_generated::KAPE_FILE_C_RDG_OLD,
generated::kape_generated::KAPE_FILE_REMOTE_DESKTOP_CONNECTION_MANAGER_SETTINGS,
generated::kape_generated::KAPE_FILE_MY_CERTIFICATES,
generated::kape_generated::KAPE_FILE_RSERVER30_RADM_LOG_HTM,
generated::kape_generated::KAPE_FILE_RADMIN_SERVER_64BIT,
generated::kape_generated::KAPE_FILE_HTM,
generated::kape_generated::KAPE_FILE_HTM_2,
generated::kape_generated::KAPE_FILE_RADMIN_VIEWER_CHATS,
generated::kape_generated::KAPE_FILE_USERS_USER_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_SYSTEM,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_LOCALS,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_NETWOR,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_4,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_5,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_4,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_5,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSWOW64_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSTEM32_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_C_WINDOWS_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_C_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_FALLBA,
generated::kape_generated::KAPE_FILE_ROAMING_REMCOS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_SCREENSHOTS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_NOTESS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_MICRECORDS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_HPSUPPORT_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMCOS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_NOTESS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCREENSHOTS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_MICRECORDS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_HPSUPPORT_LOGS_DAT,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_DB,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_XML,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_CONNECTIONS_LOG,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_REMOTEDESKTOPMANA,
generated::kape_generated::KAPE_FILE_MRU_XML,
generated::kape_generated::KAPE_FILE_FAVORITES_XML,
generated::kape_generated::KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_HOST_LOGS_RMS_LOG_HTML,
generated::kape_generated::KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_LOGS_RMS_LOG_HTML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMOTE_MANIPULATOR_SYSTEM_INSTALL_LOG,
generated::kape_generated::KAPE_FILE_REMOTE_UTILITIES_HOST_LOGS_RUT_LOG_HTML,
generated::kape_generated::KAPE_FILE_REMOTE_UTILITIES_LOGS_RUT_LOG_HTML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMOTE_UTILITIES_INSTALL_LOG,
generated::kape_generated::KAPE_FILE_SCRIPTS_S,
generated::kape_generated::KAPE_FILE_DEBUG_LOG,
generated::kape_generated::KAPE_FILE_LOGS_3,
generated::kape_generated::KAPE_FILE_CONFIG_XML,
generated::kape_generated::KAPE_FILE_SSH_KEYS,
generated::kape_generated::KAPE_FILE_SSL_CERTIFICATES,
generated::kape_generated::KAPE_FILE_PGP_KEYS,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SSH_KEYS,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SSL_CERTIFI,
generated::kape_generated::KAPE_FILE_ROBO_FTP_PGP_KEYS,
generated::kape_generated::KAPE_FILE_DEBUG,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SCRIPT_TRAC,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_CONFIG_XML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE,
generated::kape_generated::KAPE_FILE_ROAMING_RUSTDESK,
generated::kape_generated::KAPE_FILE_LOG_SERVER,
generated::kape_generated::KAPE_FILE_POWERSHELL_PSREADLINECONSOLEHOST_HISTORY_TXT,
generated::kape_generated::KAPE_FILE_USERS_USER_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_USERS_USER_ZSH_HISTORY,
generated::kape_generated::KAPE_FILE_USERS_USER_PS1,
generated::kape_generated::KAPE_FILE_USERS_USER_BAT,
generated::kape_generated::KAPE_FILE_USERS_USER_CMD,
generated::kape_generated::KAPE_FILE_USERS_USER_SH,
generated::kape_generated::KAPE_FILE_USER_SSHKNOWN_HOSTS,
generated::kape_generated::KAPE_FILE_USER_SSHCONFIG,
generated::kape_generated::KAPE_FILE_USER_SSH,
generated::kape_generated::KAPE_FILE_APP_DATA_SESSION_DB,
generated::kape_generated::KAPE_FILE_APP_DATA_USER_XML,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_4,
generated::kape_generated::KAPE_FILE_SCREENCONNECT_CLIENT_USER_CONFIG,
generated::kape_generated::KAPE_FILE_ROAMING_SESSION,
generated::kape_generated::KAPE_FILE_DOCUMENTS_SHAREX,
generated::kape_generated::KAPE_FILE_PORTAL_SETTINGS,
generated::kape_generated::KAPE_FILE_SIGNAL_ATTACHMENTS_NOINDEX,
generated::kape_generated::KAPE_FILE_SIGNAL_LOGS,
generated::kape_generated::KAPE_FILE_SIGNAL_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_SQL_DB_SQLITE,
generated::kape_generated::KAPE_FILE_JWRAPPER_REMOTE_ACCESS_LOGS,
generated::kape_generated::KAPE_FILE_SIMPLEHELP_LOGS,
generated::kape_generated::KAPE_FILE_JWRAPPER_SIMPLEHELP_TECHNICIAN_LOGS,
generated::kape_generated::KAPE_FILE_MAIN_DB,
generated::kape_generated::KAPE_FILE_SKYPE_DB,
generated::kape_generated::KAPE_FILE_MAIN_DB_XP,
generated::kape_generated::KAPE_FILE_MAIN_DB_WIN7,
generated::kape_generated::KAPE_FILE_LOCALSTATE_S4L_DB,
generated::kape_generated::KAPE_FILE_INDEXEDDB_LEVELDB,
generated::kape_generated::KAPE_FILE_SKYPE_FOR_DESKTOP_CACHE,
generated::kape_generated::KAPE_FILE_SLACK_INDEXEDDB,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_4,
generated::kape_generated::KAPE_FILE_SLACK_LOGS,
generated::kape_generated::KAPE_FILE_SLACK_CACHE,
generated::kape_generated::KAPE_FILE_SLACK_STORAGE,
generated::kape_generated::KAPE_FILE_SNAGIT_DATASTORE,
generated::kape_generated::KAPE_FILE_C_NETSCAN_XML,
generated::kape_generated::KAPE_FILE_SPEEDPROJECT_SPEEDCOMMANDER_19,
generated::kape_generated::KAPE_FILE_SERVER_LOG,
generated::kape_generated::KAPE_FILE_TEMP_LOG,
generated::kape_generated::KAPE_FILE_SPLASHTOP_GATEWAY_LOG,
generated::kape_generated::KAPE_FILE_LOG,
generated::kape_generated::KAPE_FILE_APPCACHE_LIBRARYCACHE,
generated::kape_generated::KAPE_FILE_CONFIG_LOGINUSERS_VDF,
generated::kape_generated::KAPE_FILE_CONFIG_LOCALCONFIG_VDF,
generated::kape_generated::KAPE_FILE_CONFIG_AVATARCACHE,
generated::kape_generated::KAPE_FILE_STEAM_GAMES,
generated::kape_generated::KAPE_FILE_LOGS_BOOTSTRAP_LOG_TXT,
generated::kape_generated::KAPE_FILE_STEAM_GAME_IMAGE_FIL,
generated::kape_generated::KAPE_FILE_STEAM_LOGIN_METADATA,
generated::kape_generated::KAPE_FILE_STEAM_FRIEND_LIST_AN,
generated::kape_generated::KAPE_FILE_STEAM_USER_AVATAR_FI,
generated::kape_generated::KAPE_FILE_STEAM_GAME_TRAY_ICON,
generated::kape_generated::KAPE_FILE_STEAM_STARTUP_TIMES,
generated::kape_generated::KAPE_FILE_SETTINGS_SESSION_SUBLIME_SESSION,
generated::kape_generated::KAPE_FILE_LOCAL_SUBLIME_SESSION,
generated::kape_generated::KAPE_FILE_SUGARSYNC_SC1_LOG,
generated::kape_generated::KAPE_FILE_DOCUMENTS_SUGARSYNC_SHARED_FOLDERS,
generated::kape_generated::KAPE_FILE_DOCUMENTS_MY_SUGARSYNC,
generated::kape_generated::KAPE_FILE_LOCAL_SUMATRAPDFSUMATRAPDF_SETTINGS_TXT,
generated::kape_generated::KAPE_FILE_SUMATRAPDF_SUMATRAPDFCACHE,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_LOG_LOG,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_INBOX,
generated::kape_generated::KAPE_FILE_LOCAL_SYNCTHING,
generated::kape_generated::KAPE_FILE_LOCAL_SYNCTRAZOR,
generated::kape_generated::KAPE_FILE_ROAMING_SYNCTRAZOR,
generated::kape_generated::KAPE_FILE_CONFIG_REMEMBER_XML,
generated::kape_generated::KAPE_FILE_CONFIG_WINDOW_XML,
generated::kape_generated::KAPE_FILE_CONFIG_WINDOW1_XML,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_CONNECTIONS_TXT,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_TEAMVIEWER_LOGFILE,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_APPLICATI,
generated::kape_generated::KAPE_FILE_MRU_REMOTESUPPORT,
generated::kape_generated::KAPE_FILE_ROAMING_TELEGRAM_DESKTOP,
generated::kape_generated::KAPE_FILE_DOWNLOADS_TELEGRAM_DESKTOP,
generated::kape_generated::KAPE_FILE_ROAMING_TERACOPY,
generated::kape_generated::KAPE_FILE_CRASH_REPORTS_INSTALLTIME,
generated::kape_generated::KAPE_FILE_THUNDERBIRD_PROFILES_INI,
generated::kape_generated::KAPE_FILE_PREFS_JS,
generated::kape_generated::KAPE_FILE_GLOBAL_MESSAGES_DB_SQLITE,
generated::kape_generated::KAPE_FILE_LOGINS_JSON,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE,
generated::kape_generated::KAPE_FILE_IMAPMAIL_INBOX,
generated::kape_generated::KAPE_FILE_MAIL_INBOX,
generated::kape_generated::KAPE_FILE_CALENDAR_DATA_LOCAL_SQLITE,
generated::kape_generated::KAPE_FILE_ATTACHMENTS,
generated::kape_generated::KAPE_FILE_ABOOK_SQLITE,
generated::kape_generated::KAPE_FILE_GHISLER_WINCMD_INI,
generated::kape_generated::KAPE_FILE_C_TOTALCMD_LOG,
generated::kape_generated::KAPE_FILE_TEMP_FTP_TMP,
generated::kape_generated::KAPE_FILE_GHISLER_WCX_FTP_INI,
generated::kape_generated::KAPE_FILE_GHISLER_TREEINFO_WC,
generated::kape_generated::KAPE_FILE_GHISLER_TCDIRFRQ_TXT,
generated::kape_generated::KAPE_FILE_TEMP_TCFTP_LOG,
generated::kape_generated::KAPE_FILE_JAM_SOFTWARE_TREESIZE_SCANHISTORY_XML,
generated::kape_generated::KAPE_FILE_UEMS_AGENT_LOGS_LOG,
generated::kape_generated::KAPE_FILE_UNIFIED_ENDPOINT_MAN,
generated::kape_generated::KAPE_FILE_ROAMING_ULTRAVIEWER,
generated::kape_generated::KAPE_FILE_ULTRAVIEWER_SYSTEM_L,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERULTRAVIEWERSERVICE_LOG_TX,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERCONNECTIONLOG_LOG,
generated::kape_generated::KAPE_FILE_VLC_VLC_QT_INTERFACE_INI,
generated::kape_generated::KAPE_FILE_VIDEOS_VLC_AVI,
generated::kape_generated::KAPE_FILE_ROAMING_VMWARE,
generated::kape_generated::KAPE_FILE_C_VMEM,
generated::kape_generated::KAPE_FILE_C_VMSS,
generated::kape_generated::KAPE_FILE_C_VMSN,
generated::kape_generated::KAPE_FILE_REALVNC_VNCSERVER_LOG,
generated::kape_generated::KAPE_FILE_REALVNC_VNCVIEWER_LOG,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REALVNC_SERVICEVNCSERVER_LOG,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_5,
generated::kape_generated::KAPE_FILE_SERVER_LOGS_2,
generated::kape_generated::KAPE_FILE_VIBERPC_CONFIG_DB,
generated::kape_generated::KAPE_FILE_VIBER_DB,
generated::kape_generated::KAPE_FILE_AVATARS,
generated::kape_generated::KAPE_FILE_BACKGROUNDS,
generated::kape_generated::KAPE_FILE_THUMBNAILS,
generated::kape_generated::KAPE_FILE_C_VBOX,
generated::kape_generated::KAPE_FILE_C_VBOX_PREV,
generated::kape_generated::KAPE_FILE_C_VBOX_LOG,
generated::kape_generated::KAPE_FILE_VIRTUALBOX_BACKUP_LO,
generated::kape_generated::KAPE_FILE_C_VBOXHARDENING_LOG,
generated::kape_generated::KAPE_FILE_C_SAV,
generated::kape_generated::KAPE_FILE_HISTORY,
generated::kape_generated::KAPE_FILE_GLOBALSTORAGE_STORAGE_JSON,
generated::kape_generated::KAPE_FILE_CACHEDEXTENSIONS_USER,
generated::kape_generated::KAPE_FILE_USER_SETTINGS_JSON,
generated::kape_generated::KAPE_FILE_CODE_PREFERENCES,
generated::kape_generated::KAPE_FILE_NETWORK_COOKIES,
generated::kape_generated::KAPE_FILE_NETWORK_NETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_CODE_LOGS,
generated::kape_generated::KAPE_FILE_BACKUPS,
generated::kape_generated::KAPE_FILE_WHATSAPP_CACHE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_5,
generated::kape_generated::KAPE_FILE_MICROSOFT_STORE_WHAT,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_2_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PROFILEPICTURES,
generated::kape_generated::KAPE_FILE_TRANSFERSREGEX_JPG_MP4_PDF_WEBP,
generated::kape_generated::KAPE_FILE_C_WINSCP_INI,
generated::kape_generated::KAPE_FILE_LOCALCACHE_INDEXED,
generated::kape_generated::KAPE_FILE_XYPLORER_XYPLORER_INI,
generated::kape_generated::KAPE_FILE_PANE_INI,
generated::kape_generated::KAPE_FILE_XYPLORER_AUTOBACKUP,
generated::kape_generated::KAPE_FILE_ROAMING_XYPLORER_DAT,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_XEOX_LOG,
generated::kape_generated::KAPE_FILE_LOCAL_ZSCALER,
generated::kape_generated::KAPE_FILE_ZOHOMEETING_LOG,
generated::kape_generated::KAPE_FILE_LOCAL_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_ZOHO_ASSIST_LOG_FILE,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_ZOHOMEETING_LOGS,
generated::kape_generated::KAPE_FILE_UNATTENDED_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_UNATTENDED_ZOHOMEETING_TXT,
generated::kape_generated::KAPE_FILE_ZOOM_LOGS,
generated::kape_generated::KAPE_FILE_ZOOM,
generated::kape_generated::KAPE_FILE_ZOOM_CLIENT_RECORDIN,
generated::kape_generated::KAPE_FILE_ROAMING_ZOOM_PLUGIN_JSON,
generated::kape_generated::KAPE_FILE_MOBILESYNC_BACKUP,
generated::kape_generated::KAPE_FILE_ITUNES_BACKUP_FOLDER,
generated::kape_generated::KAPE_FILE_MOBILESYNC_BACKUP_2,
generated::kape_generated::KAPE_FILE_MIRC_LOGS,
generated::kape_generated::KAPE_FILE_MIRC_CHAT_LOGS_2000,
generated::kape_generated::KAPE_FILE_MREMOTENG_MREMOTENG_LOG,
generated::kape_generated::KAPE_FILE_MREMOTENG_CONFCONS_XML,
generated::kape_generated::KAPE_FILE_MREMOTENG_USER_CONFIG,
generated::kape_generated::KAPE_FILE_PCLOUD_DB,
generated::kape_generated::KAPE_FILE_PCLOUD_DB_WAL,
generated::kape_generated::KAPE_FILE_PCLOUD_DB_SHM,
generated::kape_generated::KAPE_FILE_360BOOKMARKS,
generated::kape_generated::KAPE_FILE_COOKIES,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION,
generated::kape_generated::KAPE_FILE_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES,
generated::kape_generated::KAPE_FILE_FAVICONS,
generated::kape_generated::KAPE_FILE_360HISTORY,
generated::kape_generated::KAPE_FILE_LAST_SESSION,
generated::kape_generated::KAPE_FILE_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS,
generated::kape_generated::KAPE_FILE_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL,
generated::kape_generated::KAPE_FILE_SHORTCUTS,
generated::kape_generated::KAPE_FILE_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATA,
generated::kape_generated::KAPE_FILE_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_WEB_DATA,
generated::kape_generated::KAPE_FILE_PROTECT_2,
generated::kape_generated::KAPE_FILE_SNAPSHOTS,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES,
generated::kape_generated::KAPE_FILE_FAVICONS_2,
generated::kape_generated::KAPE_FILE_HISTORY_2,
generated::kape_generated::KAPE_FILE_SESSIONS_2,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_2,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_2,
generated::kape_generated::KAPE_FILE_PREFERENCES_2,
generated::kape_generated::KAPE_FILE_SHORTCUTS_2,
generated::kape_generated::KAPE_FILE_TOP_SITES_2,
generated::kape_generated::KAPE_FILE_SYNC_DATA_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_2,
generated::kape_generated::KAPE_FILE_WEB_DATA_2,
generated::kape_generated::KAPE_FILE_LOCAL_ARCSTORABLE_JSON,
generated::kape_generated::KAPE_FILE_LOCALCACHE_LOCALCOM_PLIST,
generated::kape_generated::KAPE_FILE_BOOKMARKS_2,
generated::kape_generated::KAPE_FILE_COOKIES_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_2,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_2,
generated::kape_generated::KAPE_FILE_FAVICONS_3,
generated::kape_generated::KAPE_FILE_HISTORY_3,
generated::kape_generated::KAPE_FILE_DEFAULT_SESSIONS,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_3,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_3,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_2,
generated::kape_generated::KAPE_FILE_PREFERENCES_3,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_2,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_2,
generated::kape_generated::KAPE_FILE_SHORTCUTS_3,
generated::kape_generated::KAPE_FILE_PUBLISHER_INFO_DB,
generated::kape_generated::KAPE_FILE_TOP_SITES_3,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_3,
generated::kape_generated::KAPE_FILE_WEB_DATA_3,
generated::kape_generated::KAPE_FILE_SECURE_PREFERENCES,
generated::kape_generated::KAPE_FILE_CACHE,
generated::kape_generated::KAPE_FILE_CHROME_BETA_CACHE_FO,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CACHE_FOL,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_CACHE,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_BETA_C,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_DEV_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_SXS_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_CACHE_FOLDE,
generated::kape_generated::KAPE_FILE_PROFILES,
generated::kape_generated::KAPE_FILE_WINDOWS_TEMPORARY_INTERNET_FILES,
generated::kape_generated::KAPE_FILE_CONTENT_IE5_INDEX_DAT,
generated::kape_generated::KAPE_FILE_WINDOWS_INETCACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_WEBCACHE,
generated::kape_generated::KAPE_FILE_CACHE_CACHE_DATA,
generated::kape_generated::KAPE_FILE_BOOKMARKS_3,
generated::kape_generated::KAPE_FILE_COOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_3,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_3,
generated::kape_generated::KAPE_FILE_FAVICONS_4,
generated::kape_generated::KAPE_FILE_HISTORY_4,
generated::kape_generated::KAPE_FILE_LAST_SESSION_2,
generated::kape_generated::KAPE_FILE_LAST_TABS_2,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_4,
generated::kape_generated::KAPE_FILE_PREFERENCES_4,
generated::kape_generated::KAPE_FILE_SHORTCUTS_4,
generated::kape_generated::KAPE_FILE_TOP_SITES_4,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_4,
generated::kape_generated::KAPE_FILE_WEB_DATA_4,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_3,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_2,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_3,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_2,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_4,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_3,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_3,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_3,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_2,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_6,
generated::kape_generated::KAPE_FILE_PROTECT_3,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_2,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_HISTOR,
generated::kape_generated::KAPE_FILE_BOOKMARKS_4,
generated::kape_generated::KAPE_FILE_COOKIES_4,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_4,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_4,
generated::kape_generated::KAPE_FILE_FAVICONS_5,
generated::kape_generated::KAPE_FILE_HISTORY_5,
generated::kape_generated::KAPE_FILE_LAST_SESSION_3,
generated::kape_generated::KAPE_FILE_LAST_TABS_3,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_5,
generated::kape_generated::KAPE_FILE_PREFERENCES_5,
generated::kape_generated::KAPE_FILE_SHORTCUTS_5,
generated::kape_generated::KAPE_FILE_TOP_SITES_5,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_5,
generated::kape_generated::KAPE_FILE_WEB_DATA_5,
generated::kape_generated::KAPE_FILE_CHROME_BETA_BOOKMARK,
generated::kape_generated::KAPE_FILE_CHROME_BETA_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_BETA_CURRENT,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2_2,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_4,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_3,
generated::kape_generated::KAPE_FILE_CHROME_BETA_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_BETA_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LAST_SES,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LAST_TAB,
generated::kape_generated::KAPE_FILE_SESSIONS_4,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LOGIN_DA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_3,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_5,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_4,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_PREFEREN,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_4,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_2,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_4,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_SHORTCUT,
generated::kape_generated::KAPE_FILE_CHROME_BETA_TOP_SITE,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_3,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_2,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_VISITED,
generated::kape_generated::KAPE_FILE_CHROME_BETA_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_2,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_7,
generated::kape_generated::KAPE_FILE_PROTECT_4,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_3,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_BETA_H,
generated::kape_generated::KAPE_FILE_BOOKMARKS_5,
generated::kape_generated::KAPE_FILE_COOKIES_5,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_5,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_5,
generated::kape_generated::KAPE_FILE_FAVICONS_6,
generated::kape_generated::KAPE_FILE_HISTORY_6,
generated::kape_generated::KAPE_FILE_LAST_SESSION_4,
generated::kape_generated::KAPE_FILE_LAST_TABS_4,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_6,
generated::kape_generated::KAPE_FILE_PREFERENCES_6,
generated::kape_generated::KAPE_FILE_SHORTCUTS_6,
generated::kape_generated::KAPE_FILE_TOP_SITES_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_6,
generated::kape_generated::KAPE_FILE_WEB_DATA_6,
generated::kape_generated::KAPE_FILE_CHROME_DEV_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CURRENT_S,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CURRENT_T,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_5,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_4,
generated::kape_generated::KAPE_FILE_CHROME_DEV_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LAST_SESS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_5,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LOGIN_DAT,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_4,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_6,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_5,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_PREFERENC,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_5,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_3,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_5,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_4,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_3,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_VISITED_L,
generated::kape_generated::KAPE_FILE_CHROME_DEV_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_3,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_8,
generated::kape_generated::KAPE_FILE_PROTECT_5,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_4,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_DEV_HI,
generated::kape_generated::KAPE_FILE_EXTENSIONS_MANIFEST_JSON,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON,
generated::kape_generated::KAPE_FILE_CHROME_BETA_BROWSER,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_2,
generated::kape_generated::KAPE_FILE_CHROME_DEV_BROWSER_E,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_3,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_BR,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_4,
generated::kape_generated::KAPE_FILE_EXTENSIONS,
generated::kape_generated::KAPE_FILE_CHROME_EXTENSION_FIL,
generated::kape_generated::KAPE_FILE_CHROME_BETA_EXTENSIO,
generated::kape_generated::KAPE_FILE_EXTENSIONS_2,
generated::kape_generated::KAPE_FILE_CHROME_DEV_EXTENSION,
generated::kape_generated::KAPE_FILE_EXTENSIONS_3,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_EX,
generated::kape_generated::KAPE_FILE_EXTENSIONS_4,
generated::kape_generated::KAPE_FILE_FILE_SYSTEM,
generated::kape_generated::KAPE_FILE_CHROME_BETA_HTML5_FI,
generated::kape_generated::KAPE_FILE_CHROME_DEV_HTML5_FIL,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_HT,
generated::kape_generated::KAPE_FILE_BOOKMARKS_6,
generated::kape_generated::KAPE_FILE_COOKIES_6,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_6,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_6,
generated::kape_generated::KAPE_FILE_FAVICONS_7,
generated::kape_generated::KAPE_FILE_HISTORY_7,
generated::kape_generated::KAPE_FILE_LAST_SESSION_5,
generated::kape_generated::KAPE_FILE_LAST_TABS_5,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_7,
generated::kape_generated::KAPE_FILE_PREFERENCES_7,
generated::kape_generated::KAPE_FILE_SHORTCUTS_7,
generated::kape_generated::KAPE_FILE_TOP_SITES_7,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_7,
generated::kape_generated::KAPE_FILE_WEB_DATA_7,
generated::kape_generated::KAPE_FILE_CHROME_SXS_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CURRENT_S,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CURRENT_T,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_6,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_5,
generated::kape_generated::KAPE_FILE_CHROME_SXS_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LAST_SESS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_6,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LOGIN_DAT,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_5,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_7,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_6,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_PREFERENC,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_6,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_4,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_6,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_5,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_4,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_VISITED_L,
generated::kape_generated::KAPE_FILE_CHROME_SXS_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_4,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_9,
generated::kape_generated::KAPE_FILE_PROTECT_6,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_5,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_SXS_HI,
generated::kape_generated::KAPE_FILE_BOOKMARKS_7,
generated::kape_generated::KAPE_FILE_COOKIES_7,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_7,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_7,
generated::kape_generated::KAPE_FILE_FAVICONS_8,
generated::kape_generated::KAPE_FILE_HISTORY_8,
generated::kape_generated::KAPE_FILE_LAST_SESSION_6,
generated::kape_generated::KAPE_FILE_LAST_TABS_6,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_8,
generated::kape_generated::KAPE_FILE_TOP_SITES_8,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_8,
generated::kape_generated::KAPE_FILE_WEB_DATA_8,
generated::kape_generated::KAPE_FILE_CHROMIUM_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROMIUM_COOKIES,
generated::kape_generated::KAPE_FILE_CHROMIUM_CURRENT_SES,
generated::kape_generated::KAPE_FILE_CHROMIUM_CURRENT_TAB,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_7,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_6,
generated::kape_generated::KAPE_FILE_CHROMIUM_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROMIUM_HISTORY,
generated::kape_generated::KAPE_FILE_CHROMIUM_LAST_SESSIO,
generated::kape_generated::KAPE_FILE_CHROMIUM_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_7,
generated::kape_generated::KAPE_FILE_CHROMIUM_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_6,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_8,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_7,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_7,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_5,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_7,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROMIUM_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_6,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_5,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_VISITED_LIN,
generated::kape_generated::KAPE_FILE_CHROMIUM_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_5,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_10,
generated::kape_generated::KAPE_FILE_PROTECT_7,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_6,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROMIUM_HIST,
generated::kape_generated::KAPE_FILE_BOOKMARKS_8,
generated::kape_generated::KAPE_FILE_COOKIES_8,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_8,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_8,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_8,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_7,
generated::kape_generated::KAPE_FILE_FAVICONS_9,
generated::kape_generated::KAPE_FILE_HISTORY_9,
generated::kape_generated::KAPE_FILE_LAST_SESSION_7,
generated::kape_generated::KAPE_FILE_LAST_TABS_7,
generated::kape_generated::KAPE_FILE_SESSIONS_8,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_9,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_7,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_9,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_9,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_8,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_9,
generated::kape_generated::KAPE_FILE_TOP_SITES_9,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_7,
generated::kape_generated::KAPE_FILE_SYNC_DATA_3,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_9,
generated::kape_generated::KAPE_FILE_WEB_DATA_9,
generated::kape_generated::KAPE_FILE_PROTECT_8,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_7,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE,
generated::kape_generated::KAPE_FILE_BOOKMARKS_9,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_9,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_9,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_8,
generated::kape_generated::KAPE_FILE_FAVICONS_10,
generated::kape_generated::KAPE_FILE_HISTORY_10,
generated::kape_generated::KAPE_FILE_LAST_SESSION_8,
generated::kape_generated::KAPE_FILE_LAST_TABS_8,
generated::kape_generated::KAPE_FILE_SESSIONS_9,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_10,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_8,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_10,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_9,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6,
generated::kape_generated::KAPE_FILE_PREFERENCES_10,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_9,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_6,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_9,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_6,
generated::kape_generated::KAPE_FILE_SHORTCUTS_10,
generated::kape_generated::KAPE_FILE_TOP_SITES_10,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_8,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_6,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_10,
generated::kape_generated::KAPE_FILE_WEB_DATA_10,
generated::kape_generated::KAPE_FILE_INDEXEDDB_6,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_11,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE,
generated::kape_generated::KAPE_FILE_PROTECT_9,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_8,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS_10,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_10,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_10,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_9,
generated::kape_generated::KAPE_FILE_FAVICONS_11,
generated::kape_generated::KAPE_FILE_HISTORY_11,
generated::kape_generated::KAPE_FILE_LAST_SESSION_9,
generated::kape_generated::KAPE_FILE_LAST_TABS_9,
generated::kape_generated::KAPE_FILE_SESSIONS_10,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_11,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_9,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_11,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_10,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_7,
generated::kape_generated::KAPE_FILE_PREFERENCES_11,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_10,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_7,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_10,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_7,
generated::kape_generated::KAPE_FILE_SHORTCUTS_11,
generated::kape_generated::KAPE_FILE_TOP_SITES_11,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_9,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_7,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_7,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_11,
generated::kape_generated::KAPE_FILE_WEB_DATA_11,
generated::kape_generated::KAPE_FILE_INDEXEDDB_7,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_12,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_2,
generated::kape_generated::KAPE_FILE_PROTECT_10,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_9,
generated::kape_generated::KAPE_FILE_EXTENSIONS_5,
generated::kape_generated::KAPE_FILE_EDGE_BETA_CHROMIUM_E,
generated::kape_generated::KAPE_FILE_EDGE_DEV_CHROMIUM_EX,
generated::kape_generated::KAPE_FILE_EDGE_SXS_CANARY_CHRO,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_3,
generated::kape_generated::KAPE_FILE_BOOKMARKS_11,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_4,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_11,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_11,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_10,
generated::kape_generated::KAPE_FILE_FAVICONS_12,
generated::kape_generated::KAPE_FILE_HISTORY_12,
generated::kape_generated::KAPE_FILE_LAST_SESSION_10,
generated::kape_generated::KAPE_FILE_LAST_TABS_10,
generated::kape_generated::KAPE_FILE_SESSIONS_11,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_12,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_10,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_12,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_11,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_12,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_11,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_8,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_11,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_12,
generated::kape_generated::KAPE_FILE_TOP_SITES_12,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_10,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_8,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_8,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_12,
generated::kape_generated::KAPE_FILE_WEB_DATA_12,
generated::kape_generated::KAPE_FILE_INDEXEDDB_8,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_13,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_3,
generated::kape_generated::KAPE_FILE_PROTECT_11,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_10,
generated::kape_generated::KAPE_FILE_FILE_SYSTEM_2,
generated::kape_generated::KAPE_FILE_EDGE_BETA_HTML5_FILE,
generated::kape_generated::KAPE_FILE_EDGE_DEV_HTML5_FILE,
generated::kape_generated::KAPE_FILE_EDGE_SXS_CANARY_HTML,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_4,
generated::kape_generated::KAPE_FILE_BOOKMARKS_12,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_5,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_12,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_12,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_11,
generated::kape_generated::KAPE_FILE_FAVICONS_13,
generated::kape_generated::KAPE_FILE_HISTORY_13,
generated::kape_generated::KAPE_FILE_LAST_SESSION_11,
generated::kape_generated::KAPE_FILE_LAST_TABS_11,
generated::kape_generated::KAPE_FILE_SESSIONS_12,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_13,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_11,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_13,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_12,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_9,
generated::kape_generated::KAPE_FILE_PREFERENCES_13,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_12,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_9,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_12,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_9,
generated::kape_generated::KAPE_FILE_SHORTCUTS_13,
generated::kape_generated::KAPE_FILE_TOP_SITES_13,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_11,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_9,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_9,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_13,
generated::kape_generated::KAPE_FILE_WEB_DATA_13,
generated::kape_generated::KAPE_FILE_INDEXEDDB_9,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_14,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_4,
generated::kape_generated::KAPE_FILE_PROTECT_12,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_11,
generated::kape_generated::KAPE_FILE_ADDONS_SQLITE,
generated::kape_generated::KAPE_FILE_WEAVE_BOOKMARKS_SQLITE,
generated::kape_generated::KAPE_FILE_BOOKMARKBACKUPS,
generated::kape_generated::KAPE_FILE_COOKIES_SQLITE,
generated::kape_generated::KAPE_FILE_FIREFOX_COOKIES_SQLITE,
generated::kape_generated::KAPE_FILE_DOWNLOADS_SQLITE,
generated::kape_generated::KAPE_FILE_EXTENSIONS_JSON,
generated::kape_generated::KAPE_FILE_FAVICONS_SQLITE,
generated::kape_generated::KAPE_FILE_FORMHISTORY_SQLITE,
generated::kape_generated::KAPE_FILE_PERMISSIONS_SQLITE,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE_2,
generated::kape_generated::KAPE_FILE_PROTECTIONS_SQLITE,
generated::kape_generated::KAPE_FILE_SEARCH_SQLITE,
generated::kape_generated::KAPE_FILE_SIGNONS_SQLITE,
generated::kape_generated::KAPE_FILE_STORAGE_SYNC_SQLITE,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_SQLITE,
generated::kape_generated::KAPE_FILE_KEY_DB,
generated::kape_generated::KAPE_FILE_SIGNON,
generated::kape_generated::KAPE_FILE_LOGINS_JSON_2,
generated::kape_generated::KAPE_FILE_PREFS_JS_2,
generated::kape_generated::KAPE_FILE_SESSIONSTORE,
generated::kape_generated::KAPE_FILE_SESSIONSTORE_BACKUPS,
generated::kape_generated::KAPE_FILE_PLACES_XP,
generated::kape_generated::KAPE_FILE_DOWNLOADS_XP,
generated::kape_generated::KAPE_FILE_FORM_HISTORY_XP,
generated::kape_generated::KAPE_FILE_COOKIES_XP,
generated::kape_generated::KAPE_FILE_SIGNONS_XP,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_XP,
generated::kape_generated::KAPE_FILE_FAVICONS_XP,
generated::kape_generated::KAPE_FILE_ADDONS_XP,
generated::kape_generated::KAPE_FILE_SEARCH_XP,
generated::kape_generated::KAPE_FILE_PASSWORD_XP,
generated::kape_generated::KAPE_FILE_SIGNON_2,
generated::kape_generated::KAPE_FILE_LOGINS_JSON_2_2,
generated::kape_generated::KAPE_FILE_SESSIONSTORE_XP,
generated::kape_generated::KAPE_FILE_HISTORY_IE5_INDEX_DAT,
generated::kape_generated::KAPE_FILE_INDEX_DAT,
generated::kape_generated::KAPE_FILE_COOKIES_INDEX_DAT,
generated::kape_generated::KAPE_FILE_USERDATA_INDEX_DAT,
generated::kape_generated::KAPE_FILE_RECENT_INDEX_DAT,
generated::kape_generated::KAPE_FILE_INDEX_DAT_OFFICE,
generated::kape_generated::KAPE_FILE_MICROSOFT_INTERNET_EXPLORER,
generated::kape_generated::KAPE_FILE_ROAMING_INTERNET_EXP,
generated::kape_generated::KAPE_FILE_WINDOWS_HISTORY,
generated::kape_generated::KAPE_FILE_WINDOWS_COOKIES,
generated::kape_generated::KAPE_FILE_WINDOWS_IEDOWNLOADHISTORY,
generated::kape_generated::KAPE_FILE_WINDOWS_WEBCACHE_2,
generated::kape_generated::KAPE_FILE_WINDOWS_INETCOOKIES,
generated::kape_generated::KAPE_FILE_OPERA_SOFTWARE_OPERA_STABLE,
generated::kape_generated::KAPE_FILE_OPERA_ROAMING_FOLDER,
generated::kape_generated::KAPE_FILE_BOOKMARKS_13,
generated::kape_generated::KAPE_FILE_COOKIES_9,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_13,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_13,
generated::kape_generated::KAPE_FILE_FAVICONS_14,
generated::kape_generated::KAPE_FILE_HISTORY_14,
generated::kape_generated::KAPE_FILE_LAST_SESSION_12,
generated::kape_generated::KAPE_FILE_LAST_TABS_12,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_14,
generated::kape_generated::KAPE_FILE_PREFERENCES_14,
generated::kape_generated::KAPE_FILE_SHORTCUTS_14,
generated::kape_generated::KAPE_FILE_TOP_SITES_14,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_14,
generated::kape_generated::KAPE_FILE_WEB_DATA_14,
generated::kape_generated::KAPE_FILE_PRISMA_ACCESS_BROWSE,
generated::kape_generated::KAPE_FILE_COOKIES_2_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_2_2,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2_3,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_9,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_12,
generated::kape_generated::KAPE_FILE_FAVICONS_2_2,
generated::kape_generated::KAPE_FILE_HISTORY_2_2,
generated::kape_generated::KAPE_FILE_LAST_SESSION_2_2,
generated::kape_generated::KAPE_FILE_LAST_TABS_2_2,
generated::kape_generated::KAPE_FILE_SESSIONS_13,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_2_2,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_12,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_14,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_13,
generated::kape_generated::KAPE_FILE_PREFERENCES_2_2,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_13,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_13,
generated::kape_generated::KAPE_FILE_SHORTCUTS_2_2,
generated::kape_generated::KAPE_FILE_TOP_SITES_2_2,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_12,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_10,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_2_2,
generated::kape_generated::KAPE_FILE_WEB_DATA_2_2,
generated::kape_generated::KAPE_FILE_PROTECT_13,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_12,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_HISTOR_2,
generated::kape_generated::KAPE_FILE_PRISMAACCESSBROWSER_USER_DATA_BACKUP,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERDATA_DB,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERAUTOCOMPLETES_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERPASSWORDFORMS_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCREDENTIAL_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERSUBSCRIPTION,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCOOKIES_DAT,
generated::kape_generated::KAPE_FILE_PUFFINSECUREBROWSER_IMAGE_CACHE,
generated::kape_generated::KAPE_FILE_BOOKMARKS_14,
generated::kape_generated::KAPE_FILE_COOKIES_10,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_14,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_14,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_10,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_13,
generated::kape_generated::KAPE_FILE_FAVICONS_15,
generated::kape_generated::KAPE_FILE_HISTORY_15,
generated::kape_generated::KAPE_FILE_LAST_SESSION_13,
generated::kape_generated::KAPE_FILE_LAST_TABS_13,
generated::kape_generated::KAPE_FILE_SESSIONS_14,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_15,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_13,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_15,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_14,
generated::kape_generated::KAPE_FILE_PREFERENCES_15,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_14,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_14,
generated::kape_generated::KAPE_FILE_SHORTCUTS_15,
generated::kape_generated::KAPE_FILE_TOP_SITES_15,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_13,
generated::kape_generated::KAPE_FILE_SYNC_DATA_4,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_15,
generated::kape_generated::KAPE_FILE_WEB_DATA_15,
generated::kape_generated::KAPE_FILE_PROTECT_14,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_13,
generated::kape_generated::KAPE_FILE_BOOKMARKS_15,
generated::kape_generated::KAPE_FILE_COOKIES_11,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_15,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_15,
generated::kape_generated::KAPE_FILE_FAVICONS_16,
generated::kape_generated::KAPE_FILE_HISTORY_16,
generated::kape_generated::KAPE_FILE_LAST_SESSION_14,
generated::kape_generated::KAPE_FILE_LAST_TABS_14,
generated::kape_generated::KAPE_FILE_SESSIONS_15,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_16,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_15,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_16,
generated::kape_generated::KAPE_FILE_PREFERENCES_16,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_15,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_14,
generated::kape_generated::KAPE_FILE_SYNC_DATA_5,
generated::kape_generated::KAPE_FILE_SHORTCUTS_16,
generated::kape_generated::KAPE_FILE_TOP_SITES_16,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_16,
generated::kape_generated::KAPE_FILE_WEB_DATA_16,
generated::kape_generated::KAPE_FILE_SUPERMIUM_BOOKMARKS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_COOKIES,
generated::kape_generated::KAPE_FILE_SUPERMIUM_CURRENT_SE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_CURRENT_TA,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_11,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_14,
generated::kape_generated::KAPE_FILE_SUPERMIUM_FAVICONS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_HISTORY,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LAST_SESSI,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LAST_TABS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SESSIONS_F,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_14,
generated::kape_generated::KAPE_FILE_SUPERMIUM_NETWORK_AC,
generated::kape_generated::KAPE_FILE_SUPERMIUM_NETWORK_PE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_PREFERENCE,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_15,
generated::kape_generated::KAPE_FILE_SUPERMIUM_REPORTING,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SHORTCUTS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TOP_SITES,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TRUST_TOKE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SYNCDATA_D,
generated::kape_generated::KAPE_FILE_SUPERMIUM_VISITED_LI,
generated::kape_generated::KAPE_FILE_SUPERMIUM_WEB_DATA,
generated::kape_generated::KAPE_FILE_PROTECT_15,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_14,
generated::kape_generated::KAPE_FILE_SYSTEM_SUPERMIUM_HIS,
generated::kape_generated::KAPE_FILE_BOOKMARKS_16,
generated::kape_generated::KAPE_FILE_COOKIES_12,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_16,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_16,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_12,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_15,
generated::kape_generated::KAPE_FILE_FAVICONS_17,
generated::kape_generated::KAPE_FILE_HISTORY_17,
generated::kape_generated::KAPE_FILE_LAST_SESSION_15,
generated::kape_generated::KAPE_FILE_LAST_TABS_15,
generated::kape_generated::KAPE_FILE_SESSIONS_16,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_17,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_15,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_17,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_16,
generated::kape_generated::KAPE_FILE_PREFERENCES_17,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_16,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_16,
generated::kape_generated::KAPE_FILE_SHORTCUTS_17,
generated::kape_generated::KAPE_FILE_TOP_SITES_17,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_15,
generated::kape_generated::KAPE_FILE_SYNC_DATA_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_17,
generated::kape_generated::KAPE_FILE_WEB_DATA_17,
generated::kape_generated::KAPE_FILE_PROTECT_16,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_15,
generated::kape_generated::KAPE_FILE_COOKIES_13,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_17,
generated::kape_generated::KAPE_FILE_FAVICONS_18,
generated::kape_generated::KAPE_FILE_HISTORY_18,
generated::kape_generated::KAPE_FILE_SESSIONS_17,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_18,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_18,
generated::kape_generated::KAPE_FILE_PREFERENCES_18,
generated::kape_generated::KAPE_FILE_TOP_SITES_18,
generated::kape_generated::KAPE_FILE_BOOKMARKS_17,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_18,
generated::kape_generated::KAPE_FILE_WEB_DATA_18,
generated::kape_generated::KAPE_FILE_USER_VIVALDI_REPORTING_DATA,
generated::kape_generated::KAPE_FILE_CALENDAR,
generated::kape_generated::KAPE_FILE_CONTACTS,
generated::kape_generated::KAPE_FILE_NOTES,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_13,
generated::kape_generated::KAPE_FILE_BOOKMARKS_18,
generated::kape_generated::KAPE_FILE_COOKIES_14,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_17,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_17,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_14,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_16,
generated::kape_generated::KAPE_FILE_FAVICONS_19,
generated::kape_generated::KAPE_FILE_HISTORY_19,
generated::kape_generated::KAPE_FILE_LAST_SESSION_16,
generated::kape_generated::KAPE_FILE_LAST_TABS_16,
generated::kape_generated::KAPE_FILE_SESSIONS_18,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_19,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_16,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_19,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_18,
generated::kape_generated::KAPE_FILE_PREFERENCES_19,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_17,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_17,
generated::kape_generated::KAPE_FILE_SHORTCUTS_18,
generated::kape_generated::KAPE_FILE_TOP_SITES_19,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_16,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_11,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_19,
generated::kape_generated::KAPE_FILE_WEB_DATA_19,
generated::kape_generated::KAPE_FILE_PROTECT_17,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_16,
generated::kape_generated::KAPE_FILE_SYSTEM_WAVEBROWSER_H,
generated::kape_generated::KAPE_FILE_COOKIES_15,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_19,
generated::kape_generated::KAPE_FILE_FAVICONS_20,
generated::kape_generated::KAPE_FILE_HISTORY_20,
generated::kape_generated::KAPE_FILE_SESSIONS_19,
generated::kape_generated::KAPE_FILE_YA_PASSMAN_DATA,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_20,
generated::kape_generated::KAPE_FILE_PREFERENCES_20,
generated::kape_generated::KAPE_FILE_TOP_SITES_20,
generated::kape_generated::KAPE_FILE_BOOKMARKS_19,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_20,
generated::kape_generated::KAPE_FILE_WEB_DATA_20,
generated::kape_generated::KAPE_FILE_YA_AUTOFILL_DATA,
generated::kape_generated::KAPE_FILE_PASSMAN_LOGS,
generated::kape_generated::KAPE_FILE_SHORTCUTS_19,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE,
generated::kape_generated::KAPE_FILE_THUMBCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_TKAPE,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_COMBINEDLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_TKAPE,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_2,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_2,
generated::kape_generated::KAPE_FILE_FTPCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_MESSAGINGCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_NETWORKSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_2,
generated::kape_generated::KAPE_FILE_REMOTEADMIN_TKAPE,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE_2,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE_2,
generated::kape_generated::KAPE_FILE_SUM_TKAPE,
generated::kape_generated::KAPE_FILE_WER_TKAPE,
generated::kape_generated::KAPE_FILE_THUMBCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE,
generated::kape_generated::KAPE_FILE_BITS_TKAPE,
generated::kape_generated::KAPE_FILE_WEBBROWSERS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE_2,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE,
generated::kape_generated::KAPE_FILE_AVAST_TKAPE,
generated::kape_generated::KAPE_FILE_AVG_TKAPE,
generated::kape_generated::KAPE_FILE_AVIRAAVLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_BITDEFENDER_TKAPE,
generated::kape_generated::KAPE_FILE_COMBOFIX_TKAPE,
generated::kape_generated::KAPE_FILE_CROWDSTRIKEFALCON_TKAPE,
generated::kape_generated::KAPE_FILE_CYBEREASON_TKAPE,
generated::kape_generated::KAPE_FILE_CYLANCE_TKAPE,
generated::kape_generated::KAPE_FILE_ELASTICDEFEND_TKAPE,
generated::kape_generated::KAPE_FILE_EMSISOFT_TKAPE,
generated::kape_generated::KAPE_FILE_ESET_TKAPE,
generated::kape_generated::KAPE_FILE_FSECURE_TKAPE,
generated::kape_generated::KAPE_FILE_HITMANPRO_TKAPE,
generated::kape_generated::KAPE_FILE_MALWAREBYTES_TKAPE,
generated::kape_generated::KAPE_FILE_MCAFEE_TKAPE,
generated::kape_generated::KAPE_FILE_MCAFEE_EPO_TKAPE,
generated::kape_generated::KAPE_FILE_MICROSOFTSAFETYSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_ROGUEKILLER_TKAPE,
generated::kape_generated::KAPE_FILE_SECUREAGE_TKAPE,
generated::kape_generated::KAPE_FILE_SENTINELONE_TKAPE,
generated::kape_generated::KAPE_FILE_SOPHOS_TKAPE,
generated::kape_generated::KAPE_FILE_SUPERANTISPYWARE_TKAPE,
generated::kape_generated::KAPE_FILE_SYMANTEC_AV_LOGS_TKAPE,
generated::kape_generated::KAPE_FILE_TOTALAV_TKAPE,
generated::kape_generated::KAPE_FILE_TRENDMICRO_TKAPE,
generated::kape_generated::KAPE_FILE_VIPRE_TKAPE,
generated::kape_generated::KAPE_FILE_WEBROOT_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSDEFENDER_TKAPE,
generated::kape_generated::KAPE_FILE_BOXDRIVE_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_DROPBOX_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_GOOGLEDRIVEBACKUPSYNC_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_PCLOUDDATABASE_TKAPE,
generated::kape_generated::KAPE_FILE_SUGARSYNC_TKAPE,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_2,
generated::kape_generated::KAPE_FILE_IDRIVE_TKAPE,
generated::kape_generated::KAPE_FILE_BOXDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_DROPBOX_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_GOOGLEDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_MEGASYNC_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_RCLONECONF_TKAPE,
generated::kape_generated::KAPE_FILE_FREEFILESYNC_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_METADATA_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESUSER_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_EVENTTRACELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSFIREWALL_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_NETCLRUSAGELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_APPCOMPATPCA_TKAPE,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE_TKAPE,
generated::kape_generated::KAPE_FILE_SYSCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGECLIENTACCESS_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGETRANSPORT_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGESETUPLOG_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLACLIENT_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLASERVER_TKAPE,
generated::kape_generated::KAPE_FILE_WINSCP_TKAPE,
generated::kape_generated::KAPE_FILE_ROBO_FTP_TKAPE,
generated::kape_generated::KAPE_FILE_DIRECTORYOPUS_TKAPE,
generated::kape_generated::KAPE_FILE_DOUBLECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_EFCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_FREECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_MIDNIGHTCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_ONECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_Q_DIR_TKAPE,
generated::kape_generated::KAPE_FILE_SPEEDCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_TABLACUSEXPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_TOTALCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_XYPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_MFT_TKAPE,
generated::kape_generated::KAPE_FILE_LOGFILE_TKAPE,
generated::kape_generated::KAPE_FILE_J_TKAPE,
generated::kape_generated::KAPE_FILE_SDS_TKAPE,
generated::kape_generated::KAPE_FILE_BOOT_TKAPE,
generated::kape_generated::KAPE_FILE_T_TKAPE,
generated::kape_generated::KAPE_FILE_HEXCHAT_TKAPE,
generated::kape_generated::KAPE_FILE_ICECHAT_TKAPE,
generated::kape_generated::KAPE_FILE_MIRC_TKAPE,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_TKAPE_2,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_3,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_3,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_3,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_3,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_3,
generated::kape_generated::KAPE_FILE_NOTEPAD_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_3,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_3,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_3,
generated::kape_generated::KAPE_FILE_REMOTEADMIN_TKAPE_2,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE_3,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE_3,
generated::kape_generated::KAPE_FILE_SUM_TKAPE_2,
generated::kape_generated::KAPE_FILE_WER_TKAPE_2,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE_2,
generated::kape_generated::KAPE_FILE_WEBBROWSERS_TKAPE_2,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE_2,
generated::kape_generated::KAPE_FILE_IRCCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_CISCOJABBER_TKAPE,
generated::kape_generated::KAPE_FILE_DISCORD_TKAPE,
generated::kape_generated::KAPE_FILE_MATTERMOST_TKAPE,
generated::kape_generated::KAPE_FILE_MICROSOFTTEAMS_TKAPE,
generated::kape_generated::KAPE_FILE_SIGNAL_TKAPE,
generated::kape_generated::KAPE_FILE_SKYPE_TKAPE,
generated::kape_generated::KAPE_FILE_SLACK_TKAPE,
generated::kape_generated::KAPE_FILE_TELEGRAM_TKAPE,
generated::kape_generated::KAPE_FILE_VIBER_TKAPE,
generated::kape_generated::KAPE_FILE_WHATSAPP_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_4,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_4,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_4,
generated::kape_generated::KAPE_FILE_ADVANCEDIPSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_ADVANCEDPORTSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_SOFTPERFECTNETSCAN_TKAPE,
generated::kape_generated::KAPE_FILE_DC_TKAPE,
generated::kape_generated::KAPE_FILE_EMULE_TKAPE,
generated::kape_generated::KAPE_FILE_FROSTWIRE_TKAPE,
generated::kape_generated::KAPE_FILE_GIGATRIBE_TKAPE,
generated::kape_generated::KAPE_FILE_SHAREAZA_TKAPE,
generated::kape_generated::KAPE_FILE_SOULSEEK_TKAPE,
generated::kape_generated::KAPE_FILE_CHOCOLATEY_TKAPE,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_APPCOMPATPCA_TKAPE_2,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE_2,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_SYSCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_4,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE_3,
generated::kape_generated::KAPE_FILE_WER_TKAPE_3,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE_3,
generated::kape_generated::KAPE_FILE_JUMPLISTS_TKAPE,
generated::kape_generated::KAPE_FILE_NETCLRUSAGELOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_4,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_DATAFILES_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESSYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESUSER_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESMSIXAPPS_TKAPE,
generated::kape_generated::KAPE_FILE_ACTION1_TKAPE,
generated::kape_generated::KAPE_FILE_AMMYY_TKAPE,
generated::kape_generated::KAPE_FILE_ANYDESK_TKAPE,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_6,
generated::kape_generated::KAPE_FILE_DWAGENT_TKAPE,
generated::kape_generated::KAPE_FILE_ISLONLINE_TKAPE,
generated::kape_generated::KAPE_FILE_ITARIAN_TKAPE,
generated::kape_generated::KAPE_FILE_KASEYA_TKAPE,
generated::kape_generated::KAPE_FILE_LEVEL_TKAPE,
generated::kape_generated::KAPE_FILE_LOGMEIN_TKAPE,
generated::kape_generated::KAPE_FILE_MESHAGENT_TKAPE,
generated::kape_generated::KAPE_FILE_MREMOTENG_TKAPE,
generated::kape_generated::KAPE_FILE_NETMONITORFOREMPLOYEESPROFESSIONAL_TKAPE,
generated::kape_generated::KAPE_FILE_QUICKASSIST_TKAPE,
generated::kape_generated::KAPE_FILE_RADMIN_TKAPE,
generated::kape_generated::KAPE_FILE_RDPCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_RDPLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_REMCOS_TKAPE,
generated::kape_generated::KAPE_FILE_REMOTEMANIPULATORSYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_REMOTEUTILITIES_APP_TKAPE,
generated::kape_generated::KAPE_FILE_RUSTDESK_TKAPE,
generated::kape_generated::KAPE_FILE_SCREENCONNECT_TKAPE,
generated::kape_generated::KAPE_FILE_SPLASHTOP_TKAPE,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_TKAPE,
generated::kape_generated::KAPE_FILE_TEAMVIEWERLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_UEMS_TKAPE,
generated::kape_generated::KAPE_FILE_ULTRAVIEWER_TKAPE,
generated::kape_generated::KAPE_FILE_VNCLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_XEOX_TKAPE,
generated::kape_generated::KAPE_FILE_ZOHOASSIST_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_5,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_4,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_5,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_4,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE_3,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE_2,
generated::kape_generated::KAPE_FILE_FULLTEXTSEARCHINDEX_2,
generated::kape_generated::KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS_2,
generated::kape_generated::KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX_2,
generated::kape_generated::KAPE_FILE_16_0_NOTETAGS_LIVEID_DB_2,
generated::kape_generated::KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PLUM_SQLITE_2,
generated::kape_generated::KAPE_FILE_TODOSQLITE_DB_2,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE_2,
generated::kape_generated::KAPE_FILE_TERACOPY_HISTORY_DB,
generated::kape_generated::KAPE_FILE_TERACOPY_MAIN_DB,
generated::kape_generated::KAPE_FILE_ROAMING_NOTION_NOTION_DB_2,
generated::kape_generated::KAPE_FILE_IDBS,
generated::kape_generated::KAPE_FILE_FILECACHE_DB,
generated::kape_generated::KAPE_FILE_CONFIG_DBX,
generated::kape_generated::KAPE_FILE_HOME_DB,
generated::kape_generated::KAPE_FILE_ICON_DB,
generated::kape_generated::KAPE_FILE_SYNC_HISTORY_DB,
generated::kape_generated::KAPE_FILE_SYNC_NUCLEUS_SQLITE3,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DB_2,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DBX_2,
generated::kape_generated::KAPE_FILE_SYNC_AGGREGATION_DBX,
generated::kape_generated::KAPE_FILE_AVATARCACHE_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_METADATA,
generated::kape_generated::KAPE_FILE_CLOUD_GRAPH_CLOUD_GRAPH_DB,
generated::kape_generated::KAPE_FILE_CHANGE_BUFFER,
generated::kape_generated::KAPE_FILE_SNAPSHOT_DB,
generated::kape_generated::KAPE_FILE_SYNC_CONFIG_DB,
generated::kape_generated::KAPE_FILE_FILEZILLA_SQLITE3_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS_20,
generated::kape_generated::KAPE_FILE_COOKIES_16,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_18,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_18,
generated::kape_generated::KAPE_FILE_FAVICONS_21,
generated::kape_generated::KAPE_FILE_HISTORY_21,
generated::kape_generated::KAPE_FILE_LAST_SESSION_17,
generated::kape_generated::KAPE_FILE_LAST_TABS_17,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_20,
generated::kape_generated::KAPE_FILE_PREFERENCES_21,
generated::kape_generated::KAPE_FILE_SHORTCUTS_20,
generated::kape_generated::KAPE_FILE_TOP_SITES_21,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_21,
generated::kape_generated::KAPE_FILE_WEB_DATA_21,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS_2,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES_2,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI_2,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS_2,
generated::kape_generated::KAPE_FILE_DOWNLOAD_METADATA,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_17,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS_2,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY_2,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION_2,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS_2,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA_2,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_17,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_21,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_20,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES_2,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_18,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_18,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS_2,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES_2,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_17,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS_2,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA_2,
generated::kape_generated::KAPE_FILE_EDGE_BOOKMARKS,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_5,
generated::kape_generated::KAPE_FILE_EDGE_COOKIES,
generated::kape_generated::KAPE_FILE_EDGE_CURRENT_SESSION,
generated::kape_generated::KAPE_FILE_EDGE_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_EDGE_FAVICONS,
generated::kape_generated::KAPE_FILE_EDGE_HISTORY,
generated::kape_generated::KAPE_FILE_EDGE_LAST_SESSION,
generated::kape_generated::KAPE_FILE_EDGE_LAST_TABS,
generated::kape_generated::KAPE_FILE_EDGE_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_EDGE_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_EDGE_NETWORK_ACTION,
generated::kape_generated::KAPE_FILE_EDGE_PREFERENCES,
generated::kape_generated::KAPE_FILE_EDGE_SHORTCUTS,
generated::kape_generated::KAPE_FILE_EDGE_TOP_SITES,
generated::kape_generated::KAPE_FILE_EDGE_SYNCDATA_DATABA,
generated::kape_generated::KAPE_FILE_BOOKMARKS_2_2,
generated::kape_generated::KAPE_FILE_EDGE_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_EDGE_WEB_DATA,
generated::kape_generated::KAPE_FILE_ADDONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_WEAVE_BOOKMARKS_SQLITE_2,
generated::kape_generated::KAPE_FILE_COOKIES_SQLITE_2,
generated::kape_generated::KAPE_FILE_FIREFOX_COOKIES_SQLITE_2,
generated::kape_generated::KAPE_FILE_DOWNLOADS_SQLITE_2,
generated::kape_generated::KAPE_FILE_FAVICONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_FORMHISTORY_SQLITE_2,
generated::kape_generated::KAPE_FILE_PERMISSIONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE_3,
generated::kape_generated::KAPE_FILE_PROTECTIONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_SEARCH_SQLITE_2,
generated::kape_generated::KAPE_FILE_SIGNONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_STORAGE_SYNC_SQLITE_2,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_SQLITE_2,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT,
generated::kape_generated::KAPE_FILE_ACTIVITIESCACHE_DB,
generated::kape_generated::KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB,
generated::kape_generated::KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM_2,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB,
generated::kape_generated::KAPE_FILE_EVENTTRANSCRIPT_DB,
generated::kape_generated::KAPE_FILE_WEBSERVERS_TKAPE,
generated::kape_generated::KAPE_FILE_MONGODBLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGE_TKAPE,
generated::kape_generated::KAPE_FILE_CONFLUENCELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLASERVER_TKAPE_2,
generated::kape_generated::KAPE_FILE_OPENSSHSERVER_TKAPE,
generated::kape_generated::KAPE_FILE_MANAGEENGINELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_BITTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_QBITTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_UTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE_3,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_5,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_6,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_5,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE_3,
generated::kape_generated::KAPE_FILE_NEWSBINPRO_TKAPE,
generated::kape_generated::KAPE_FILE_NEWSLEECHER_TKAPE,
generated::kape_generated::KAPE_FILE_NZBGET_TKAPE,
generated::kape_generated::KAPE_FILE_SABNBZD_TKAPE,
generated::kape_generated::KAPE_FILE_VMWAREINVENTORY_TKAPE,
generated::kape_generated::KAPE_FILE_VMWAREMEMORY_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALDISKS_TKAPE,
generated::kape_generated::KAPE_FILE_PROTONVPN_TKAPE,
generated::kape_generated::KAPE_FILE_OPENVPNCLIENT_TKAPE,
generated::kape_generated::KAPE_FILE_PALOALTO_TKAPE,
generated::kape_generated::KAPE_FILE_FORTICLIENTVPN_TKAPE,
generated::kape_generated::KAPE_FILE_PULSESECURE_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXMEMORY_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXCONFIG_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALDISKS_TKAPE_2,
generated::kape_generated::KAPE_FILE_DEBIAN_TKAPE,
generated::kape_generated::KAPE_FILE_UBUNTU_TKAPE,
generated::kape_generated::KAPE_FILE_KALI_TKAPE,
generated::kape_generated::KAPE_FILE_OPENSUSE_TKAPE,
generated::kape_generated::KAPE_FILE_SUSELINUXENTERPRISESERVER_TKAPE,
generated::kape_generated::KAPE_FILE_360SECUREBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_ARC_TKAPE,
generated::kape_generated::KAPE_FILE_BRAVEBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_CHROME_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMEBETA_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMEDEV_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMESXS_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_COCCOC_TKAPE,
generated::kape_generated::KAPE_FILE_EDGE_TKAPE,
generated::kape_generated::KAPE_FILE_EDGEBETACHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGECHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGEDEVCHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGESXSCHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_FIREFOX_TKAPE,
generated::kape_generated::KAPE_FILE_INTERNETEXPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_OPERA_TKAPE,
generated::kape_generated::KAPE_FILE_PRISMAACCESSBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_PUFFINSECUREBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_QQBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_UCBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_VIVALDI_TKAPE,
generated::kape_generated::KAPE_FILE_WAVEBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_YANDEX_TKAPE,
generated::kape_generated::KAPE_FILE_APACHEACCESSLOG_TKAPE,
generated::kape_generated::KAPE_FILE_IISLOGFILES_TKAPE,
generated::kape_generated::KAPE_FILE_NGINXLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_MSSQLERRORLOG_TKAPE,
generated::kape_generated::KAPE_FILE_C_ACCESS_LOG,
generated::kape_generated::KAPE_FILE_W3SVC_LOG,
generated::kape_generated::KAPE_FILE_IIS_LOG_FILES,
generated::kape_generated::KAPE_FILE_LOGFILES_LOG,
generated::kape_generated::KAPE_FILE_W3SVC_LOG_2,
generated::kape_generated::KAPE_FILE_W3SVC_LOG_3,
generated::kape_generated::KAPE_FILE_HTTPERR_LOG,
generated::kape_generated::KAPE_FILE_FTPSVC_LOG,
generated::kape_generated::KAPE_FILE_LOG_2,
generated::kape_generated::KAPE_FILE_LOG_ERRORLOG,
generated::kape_generated::KAPE_FILE_MS_SQL_ERRORLOGS,
generated::kape_generated::KAPE_FILE_DESKTOPCENTRAL_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_ADSELFSERVICE_PLUS_LOGS,
generated::kape_generated::KAPE_FILE_LOG_LOG_4,
generated::kape_generated::KAPE_FILE_LOGS_LOG_4,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_C_DATA,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_PROGRAM,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_ALTERNA,
generated::kape_generated::KAPE_FILE_LOGS_LOG_5,
generated::kape_generated::KAPE_FILE_PSREADLINE_HISTORY_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_CONSOLE_L,
generated::kape_generated::KAPE_FILE_PSREADLINE_HISTORY_TXT_2,
generated::kape_generated::KAPE_FILE_AUTOSAVEFILES_PS1,
generated::kape_generated::KAPE_FILE_CONFIG,
generated::kape_generated::KAPE_FILE_BITTORRENT_DAT,
generated::kape_generated::KAPE_FILE_DC_LOGS,
generated::kape_generated::KAPE_FILE_FREENET_NODE,
generated::kape_generated::KAPE_FILE_FREENET_COMPLETED_LIST_DOWNLOADS,
generated::kape_generated::KAPE_FILE_FREENET_COMPLETED_LIST_UPLOADS,
generated::kape_generated::KAPE_FILE_FREENET_BAK,
generated::kape_generated::KAPE_FILE_FREENET_DOWNLOADS,
generated::kape_generated::KAPE_FILE_FROSTWIRE_TORRENT_DATA,
generated::kape_generated::KAPE_FILE_USER_FROSTWIRE5_FROSTWIRE_PROPS,
generated::kape_generated::KAPE_FILE_USER_FROSTWIRE5_ITUNES_PROPS,
generated::kape_generated::KAPE_FILE_LOCAL_SHALSOFT,
generated::kape_generated::KAPE_FILE_APPLICATION_DATA_GIGATRIBE,
generated::kape_generated::KAPE_FILE_APPLICATION_DATA_SHALSOFT,
generated::kape_generated::KAPE_FILE_NZBGET_NZBGET_LOG,
generated::kape_generated::KAPE_FILE_NZBGET_NZB,
generated::kape_generated::KAPE_FILE_NEWSBIN_DOWNLOADED_DB3,
generated::kape_generated::KAPE_FILE_NEWSLEECHER_DOWNLOADED_DAT,
generated::kape_generated::KAPE_FILE_NICOTINE_LOGS,
generated::kape_generated::KAPE_FILE_NICOTINE_INCOMPLETE,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYFILES_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYSTREAMS_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYMTIMES_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYFILEINDEX_DB,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_BUDDYWORDINDEX_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_CONFIG,
generated::kape_generated::KAPE_FILE_NICOTINE_USERSHARES,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_DOWNLOADS_JSON,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_UPLOADS_JSON,
generated::kape_generated::KAPE_FILE_LOGS_SABNZBD_LOG,
generated::kape_generated::KAPE_FILE_ADMIN_HISTORY1_DB,
generated::kape_generated::KAPE_FILE_ROAMING_SHAREAZA,
generated::kape_generated::KAPE_FILE_SOULSEEKQT_SOULSEEK_CHAT_LOGS,
generated::kape_generated::KAPE_FILE_1_DAT,
generated::kape_generated::KAPE_FILE_C_TORRENT,
generated::kape_generated::KAPE_FILE_C_NZB,
generated::kape_generated::KAPE_FILE_LOCAL_EMULE,
generated::kape_generated::KAPE_FILE_C_PART_MET,
generated::kape_generated::KAPE_FILE_QBITTORRENT_INI,
generated::kape_generated::KAPE_FILE_QBITTORRENT_LOGS,
generated::kape_generated::KAPE_FILE_QBITTORRENT_GEODB,
generated::kape_generated::KAPE_FILE_QBITTORRENT_BT_BACKUP,
generated::kape_generated::KAPE_FILE_UTORRENT_DAT,
generated::kape_generated::KAPE_FILE_C_BITMAP,
generated::kape_generated::KAPE_FILE_C_BOOT,
generated::kape_generated::KAPE_FILE_EXTEND_USNJRNL_J,
generated::kape_generated::KAPE_FILE_EXTEND_USNJRNL_MAX,
generated::kape_generated::KAPE_FILE_EXTEND_J,
generated::kape_generated::KAPE_FILE_EXTEND_MAX,
generated::kape_generated::KAPE_FILE_C_LOGFILE,
generated::kape_generated::KAPE_FILE_C_MFT,
generated::kape_generated::KAPE_FILE_C_MFTMIRR,
generated::kape_generated::KAPE_FILE_C_SECURE_SDS,
generated::kape_generated::KAPE_FILE_SDS,
generated::kape_generated::KAPE_FILE_TXFLOG_TOPS_T,
generated::kape_generated::KAPE_FILE_TXFLOG_T,
generated::kape_generated::KAPE_FILE_WINDOWS_NTDS,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSVOL,
generated::kape_generated::KAPE_FILE_PROGRAMS_AMCACHE_HVE,
generated::kape_generated::KAPE_FILE_AMCACHE,
generated::kape_generated::KAPE_FILE_PROGRAMS_AMCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_AMCACHE_TRANSACTION,
generated::kape_generated::KAPE_FILE_APPCOMPAT_PCA,
generated::kape_generated::KAPE_FILE_WINDOWSAPPS_DELETED,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSTEMAPPS,
generated::kape_generated::KAPE_FILE_LOCAL_PACKAGES,
generated::kape_generated::KAPE_FILE_PACKAGES_STATEREPOSITORY_SRD,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_PACKAGES,
generated::kape_generated::KAPE_FILE_CONFIG_APPEVENT_EVT,
generated::kape_generated::KAPE_FILE_APPLICATION_EVENT_LO,
generated::kape_generated::KAPE_FILE_LOGS_APPLICATION_EVTX,
generated::kape_generated::KAPE_FILE_LOGS_APPLICATION_EVTX_2,
generated::kape_generated::KAPE_FILE_BOOT_BCD,
generated::kape_generated::KAPE_FILE_BOOT_BCD_LOG,
generated::kape_generated::KAPE_FILE_NETWORK_DOWNLOADER,
generated::kape_generated::KAPE_FILE_CAPABILITYACCESSMANAGER_CAPABILITYACCESSMANAGER_DB,
generated::kape_generated::KAPE_FILE_MICROSOFT_CRYPTNETURLCACHE,
generated::kape_generated::KAPE_FILE_SYSTEM_WOW64_CRYPTNE,
generated::kape_generated::KAPE_FILE_USER_CRYPTNETURLCACH,
generated::kape_generated::KAPE_FILE_INETCACHE_IE,
generated::kape_generated::KAPE_FILE_DRIVERS_SYS,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE,
generated::kape_generated::KAPE_FILE_ENCAPSULATIONLOGGING,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG_2,
generated::kape_generated::KAPE_FILE_LOGS_SYSTEM_EVTX,
generated::kape_generated::KAPE_FILE_EVENT_LOGS_WIN7,
generated::kape_generated::KAPE_FILE_LOGS_SECURITY_EVTX,
generated::kape_generated::KAPE_FILE_LOGS_SECURITY_EVTX_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_2,
generated::kape_generated::KAPE_FILE_CONFIG_EVT,
generated::kape_generated::KAPE_FILE_LOGS_EVTX,
generated::kape_generated::KAPE_FILE_EVENT_LOGS_WIN7_2,
generated::kape_generated::KAPE_FILE_LOGFILES_ETL,
generated::kape_generated::KAPE_FILE_WDI_TRACE_LOGS_1,
generated::kape_generated::KAPE_FILE_WDI,
generated::kape_generated::KAPE_FILE_WDI_TRACE_LOGS_2,
generated::kape_generated::KAPE_FILE_LOGFILES_WMI,
generated::kape_generated::KAPE_FILE_WMI_TRACE_LOGS,
generated::kape_generated::KAPE_FILE_SYSTEM32_SLEEPSTUDY,
generated::kape_generated::KAPE_FILE_SLEEPSTUDY_TRACE_LOG,
generated::kape_generated::KAPE_FILE_POWEREFFICIENCY_DIAGNOSTICS_ENERGY_NTKL_ETL,
generated::kape_generated::KAPE_FILE_LOGS_ETL,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB_2,
generated::kape_generated::KAPE_FILE_EVENTTRANSCRIPT_DB_2,
generated::kape_generated::KAPE_FILE_TEMP_DIAGNOSTICS,
generated::kape_generated::KAPE_FILE_LOGGING_LOG,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED,
generated::kape_generated::KAPE_FILE_EXCHANGE_SERVER_MODI,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_2,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_3,
generated::kape_generated::KAPE_FILE_EXCHANGESETUPLOGS_EXCHANGESETUP_LOG,
generated::kape_generated::KAPE_FILE_LOGS_LOG_6,
generated::kape_generated::KAPE_FILE_SYSTEM32_GROUPPOLICY,
generated::kape_generated::KAPE_FILE_GROUP_POLICY_HISTORY,
generated::kape_generated::KAPE_FILE_USER_GROUP_POLICY_FI,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_INI,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_POL,
generated::kape_generated::KAPE_FILE_LOCAL_GROUP_POLICY_F,
generated::kape_generated::KAPE_FILE_SCRIPTS,
generated::kape_generated::KAPE_FILE_SCRIPTS_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTS,
generated::kape_generated::KAPE_FILE_CONFIG_APPLICATIONHOST_CONFIG,
generated::kape_generated::KAPE_FILE_CONFIG_ADMINISTRATION_CONFIG,
generated::kape_generated::KAPE_FILE_CONFIG_REDIRECTION_CONFIG,
generated::kape_generated::KAPE_FILE_INETPUB_WWWROOT_WEB_CONFIG,
generated::kape_generated::KAPE_FILE_LOCAL_ICONCACHE_DB,
generated::kape_generated::KAPE_FILE_RECENT_AUTOMATICDESTINATIONS,
generated::kape_generated::KAPE_FILE_RECENT_CUSTOMDESTINATIONS,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT,
generated::kape_generated::KAPE_FILE_START_MENU_PROGRAMS_LNK,
generated::kape_generated::KAPE_FILE_USER_RECENT,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK_FILES,
generated::kape_generated::KAPE_FILE_RP_LNK,
generated::kape_generated::KAPE_FILE_PROGRAMS_LNK,
generated::kape_generated::KAPE_FILE_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_BASH_LOGOUT,
generated::kape_generated::KAPE_FILE_BASHRC,
generated::kape_generated::KAPE_FILE_PROFILE,
generated::kape_generated::KAPE_FILE_SYSTEM32_LOGFILES,
generated::kape_generated::KAPE_FILE_LOGFILES,
generated::kape_generated::KAPE_FILE_WINDOWS_PFRO_LOG,
generated::kape_generated::KAPE_FILE_C_MOF,
generated::kape_generated::KAPE_FILE_C_HIBERFIL_SYS,
generated::kape_generated::KAPE_FILE_C_PAGEFILE_SYS,
generated::kape_generated::KAPE_FILE_C_SWAPFILE_SYS,
generated::kape_generated::KAPE_FILE_MINIDUMP_DMP,
generated::kape_generated::KAPE_FILE_SMALL_MEMORY_DUMP_DI,
generated::kape_generated::KAPE_FILE_BACKSTAGEINAPPNAVCACHE,
generated::kape_generated::KAPE_FILE_CLR_LOG,
generated::kape_generated::KAPE_FILE_NET_CLR_USAGELOGS_SY,
generated::kape_generated::KAPE_FILE_LOCALSTATE_TABSTATE_BIN,
generated::kape_generated::KAPE_FILE_WINDOWSTATE_BIN,
generated::kape_generated::KAPE_FILE_SETTINGS_SETTINGS_DAT,
generated::kape_generated::KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_WORD,
generated::kape_generated::KAPE_FILE_MICROSOFT_EXCEL,
generated::kape_generated::KAPE_FILE_MICROSOFT_POWERPOINT,
generated::kape_generated::KAPE_FILE_MICROSOFT_PUBLISHER,
generated::kape_generated::KAPE_FILE_DIAGNOSTICS_PCW_DEBUGREPORT_XML,
generated::kape_generated::KAPE_FILE_ELEVATEDDIAGNOSTICS_PCW_DEBUGREPORT_XML,
generated::kape_generated::KAPE_FILE_OFFICEFILECACHE,
generated::kape_generated::KAPE_FILE_C_PERFLOGS,
generated::kape_generated::KAPE_FILE_POWERSHELL_7_POWERSHELL_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_DOCUMENTS_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIP,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT_2,
generated::kape_generated::KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT_2,
generated::kape_generated::KAPE_FILE_PREFETCH_PF,
generated::kape_generated::KAPE_FILE_PREFETCH,
generated::kape_generated::KAPE_FILE_C_PROGRAMDATA,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT_2,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_2,
generated::kape_generated::KAPE_FILE_TEMP_QUICKASSIST,
generated::kape_generated::KAPE_FILE_TEMP_REMOTEHELP,
generated::kape_generated::KAPE_FILE_TERMINAL_SERVER_CLIENT_CACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_OLD_RDP_CACH,
generated::kape_generated::KAPE_FILE_RDP_CACHE_FILES,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_REMOTEDESKTOP_8WEKYB3D8BBWE,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_3,
generated::kape_generated::KAPE_FILE_REMOTECONNECTIONMANA,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_3,
generated::kape_generated::KAPE_FILE_LOCALSESSIONMANAGER,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_3,
generated::kape_generated::KAPE_FILE_RDPCLIENT_EVENT_LOGS,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_3,
generated::kape_generated::KAPE_FILE_RDPCORETS_EVENT_LOGS,
generated::kape_generated::KAPE_FILE_PROGRAMS_RECENTFILECACHE_BCF,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT_2,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT_2,
generated::kape_generated::KAPE_FILE_RECYCLE_BIN_R,
generated::kape_generated::KAPE_FILE_R,
generated::kape_generated::KAPE_FILE_RECYCLE_D,
generated::kape_generated::KAPE_FILE_RECYCLE_BIN_I,
generated::kape_generated::KAPE_FILE_RECYCLE_INFO2,
generated::kape_generated::KAPE_FILE_HELIUM_REGISTRY_DAT,
generated::kape_generated::KAPE_FILE_REGISTRY_DAT,
generated::kape_generated::KAPE_FILE_REGISTRY_DAT_MSIX_HI,
generated::kape_generated::KAPE_FILE_SETTINGS_SETTINGS_DAT_2,
generated::kape_generated::KAPE_FILE_HELIUM_USER_DAT,
generated::kape_generated::KAPE_FILE_HELIUM_USERCLASSES_DAT,
generated::kape_generated::KAPE_FILE_CONFIG_BBI,
generated::kape_generated::KAPE_FILE_BBI_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_BBI_LOG,
generated::kape_generated::KAPE_FILE_BBI_REGISTRY_TRANSAC,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE,
generated::kape_generated::KAPE_FILE_BCD_TEMPLATE_REGISTR,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG_2,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS,
generated::kape_generated::KAPE_FILE_COMPONENTS_REGISTRY,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS_LOG_2,
generated::kape_generated::KAPE_FILE_CONFIG_DRIVERS,
generated::kape_generated::KAPE_FILE_DRIVERS_REGISTRY_HIV,
generated::kape_generated::KAPE_FILE_CONFIG_DRIVERS_LOG,
generated::kape_generated::KAPE_FILE_DRIVERS_REGISTRY_TRA,
generated::kape_generated::KAPE_FILE_CONFIG_ELAM,
generated::kape_generated::KAPE_FILE_ELAM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_ELAM_LOG,
generated::kape_generated::KAPE_FILE_ELAM_REGISTRY_TRANSA,
generated::kape_generated::KAPE_FILE_CONFIG_USERDIFF,
generated::kape_generated::KAPE_FILE_USERDIFF_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_USERDIFF_LOG,
generated::kape_generated::KAPE_FILE_USERDIFF_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_VSMIDK,
generated::kape_generated::KAPE_FILE_VSMIDK_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_VSMIDK_LOG,
generated::kape_generated::KAPE_FILE_VSMIDK_REGISTRY_TRAN,
generated::kape_generated::KAPE_FILE_CONFIG_SAM_LOG,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_TRANSAC,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_LOG,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_LOG,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_TRAN,
generated::kape_generated::KAPE_FILE_CONFIG_SAM,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_REGBACK_LOG,
generated::kape_generated::KAPE_FILE_REGBACK_REGISTRY_TRA,
generated::kape_generated::KAPE_FILE_REGBACK_SAM,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_HIVE_RE,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_2,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_2,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_SYSTEM_PROFILE_REGIS,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_SERVICE_REGIST,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_NETWORK_SERVICE_REGI,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_SNAPSHOT_REGISTRY,
generated::kape_generated::KAPE_FILE_USER_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_REGISTRY,
generated::kape_generated::KAPE_FILE_USER_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_DEFAULT,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_DEFAULT_R,
generated::kape_generated::KAPE_FILE_CONFIG_DEFAULT_LOG,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_DEFAULT_T,
generated::kape_generated::KAPE_FILE_WINDOWS_USRCLASS_DAT,
generated::kape_generated::KAPE_FILE_WINDOWS_USRCLASS_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_C_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_DEFAULT,
generated::kape_generated::KAPE_FILE_C_DEFAULT_LOG,
generated::kape_generated::KAPE_FILE_C_USRCLASS_DAT,
generated::kape_generated::KAPE_FILE_C_USRCLASS_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_LNK,
generated::kape_generated::KAPE_FILE_MICROSOFT_WORD_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_EXCEL_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_POWERPOINT_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_PUBLISHER_2,
generated::kape_generated::KAPE_FILE_PUBLISHER_AUTOSAVE_L,
generated::kape_generated::KAPE_FILE_OFFICEFILECACHE_2,
generated::kape_generated::KAPE_FILE_OFFICE_DOCUMENT_CACH,
generated::kape_generated::KAPE_FILE_BOOKMARKS_21,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS_3,
generated::kape_generated::KAPE_FILE_COOKIES_17,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_19,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI_3,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_19,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS_3,
generated::kape_generated::KAPE_FILE_DOWNLOAD_METADATA_2,
generated::kape_generated::KAPE_FILE_CHROME_DOWNLOAD_META,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_18,
generated::kape_generated::KAPE_FILE_CHROME_EXTENSION_COO,
generated::kape_generated::KAPE_FILE_FAVICONS_22,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS_3,
generated::kape_generated::KAPE_FILE_HISTORY_22,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY_3,
generated::kape_generated::KAPE_FILE_LAST_SESSION_18,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION_3,
generated::kape_generated::KAPE_FILE_LAST_TABS_18,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS_3,
generated::kape_generated::KAPE_FILE_SESSIONS_20,
generated::kape_generated::KAPE_FILE_CHROME_SESSIONS_FOLD,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_21,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA_3,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_18,
generated::kape_generated::KAPE_FILE_CHROME_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_22,
generated::kape_generated::KAPE_FILE_CHROME_NETWORK_ACTIO,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_21,
generated::kape_generated::KAPE_FILE_CHROME_NETWORK_PERSI,
generated::kape_generated::KAPE_FILE_PREFERENCES_22,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES_3,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_19,
generated::kape_generated::KAPE_FILE_CHROME_QUOTA_MANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_19,
generated::kape_generated::KAPE_FILE_CHROME_REPORTING_AND,
generated::kape_generated::KAPE_FILE_SHORTCUTS_21,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS_3,
generated::kape_generated::KAPE_FILE_TOP_SITES_22,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES_3,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_18,
generated::kape_generated::KAPE_FILE_CHROME_TRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_13,
generated::kape_generated::KAPE_FILE_CHROME_SYNCDATA_DATA,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_22,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS_3,
generated::kape_generated::KAPE_FILE_WEB_DATA_22,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA_3,
generated::kape_generated::KAPE_FILE_PROTECT_18,
generated::kape_generated::KAPE_FILE_WINDOWS_PROTECT_FOLD,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE_2,
generated::kape_generated::KAPE_FILE_EDGE_FOLDER,
generated::kape_generated::KAPE_FILE_C_AMCACHE_HVE,
generated::kape_generated::KAPE_FILE_C_AMCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT_3,
generated::kape_generated::KAPE_FILE_LNK_FILES_FROM_RECEN,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT_3,
generated::kape_generated::KAPE_FILE_LNK_FILES_FROM_MICRO,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK_FILES_2,
generated::kape_generated::KAPE_FILE_CCM_LOGS,
generated::kape_generated::KAPE_FILE_CUSTOM_SDB,
generated::kape_generated::KAPE_FILE_SDB_FILES,
generated::kape_generated::KAPE_FILE_CUSTOM64_SDB,
generated::kape_generated::KAPE_FILE_SDB_FILES_X64,
generated::kape_generated::KAPE_FILE_SYSTEM32_SRU,
generated::kape_generated::KAPE_FILE_SRUM,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_2,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG_2,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR_2,
generated::kape_generated::KAPE_FILE_LOGFILES_SUM,
generated::kape_generated::KAPE_FILE_TASKS_JOB,
generated::kape_generated::KAPE_FILE_AT_JOB,
generated::kape_generated::KAPE_FILE_WINDOWS_SCHEDLGU_TXT,
generated::kape_generated::KAPE_FILE_AT_SCHEDLGU_TXT,
generated::kape_generated::KAPE_FILE_SYSTEM32_TASKS,
generated::kape_generated::KAPE_FILE_SYSWOW64_TASKS,
generated::kape_generated::KAPE_FILE_XML,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULEDJOBS,
generated::kape_generated::KAPE_FILE_OUTPUT,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULED,
generated::kape_generated::KAPE_FILE_OUTPUT_2,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULEDJOBS_2,
generated::kape_generated::KAPE_FILE_OUTPUT_3,
generated::kape_generated::KAPE_FILE_SYSTEM32_CATROOT,
generated::kape_generated::KAPE_FILE_SIGNATURECATALOG,
generated::kape_generated::KAPE_FILE_TEMPSTATE_PNG,
generated::kape_generated::KAPE_FILE_SNIP_SKETCH,
generated::kape_generated::KAPE_FILE_SCREENCLIP_JSON,
generated::kape_generated::KAPE_FILE_SCREENSHOTS_PNG,
generated::kape_generated::KAPE_FILE_SNIPS_PNG,
generated::kape_generated::KAPE_FILE_PROGRAMS_STARTUP,
generated::kape_generated::KAPE_FILE_SYSTEM_WIDE_STARTUP,
generated::kape_generated::KAPE_FILE_STARTUPINFO_XML,
generated::kape_generated::KAPE_FILE_STARTUPINFO_XML_FILE,
generated::kape_generated::KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE,
generated::kape_generated::KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_EXPLORER_THUMBCACHE_DB,
generated::kape_generated::KAPE_FILE_WINDOWS_SETUPAPI_LOG,
generated::kape_generated::KAPE_FILE_INF_SETUPAPI_LOG,
generated::kape_generated::KAPE_FILE_SETUPAPI_LOG_WIN7,
generated::kape_generated::KAPE_FILE_USERS_USER,
generated::kape_generated::KAPE_FILE_C_VHD,
generated::kape_generated::KAPE_FILE_C_VHDX,
generated::kape_generated::KAPE_FILE_C_VDI,
generated::kape_generated::KAPE_FILE_C_VMDK,
generated::kape_generated::KAPE_FILE_WBEM_REPOSITORY,
generated::kape_generated::KAPE_FILE_WBEM,
generated::kape_generated::KAPE_FILE_WINDOWS_WER,
generated::kape_generated::KAPE_FILE_WER_FILES,
generated::kape_generated::KAPE_FILE_CRASHDUMPS_DMP,
generated::kape_generated::KAPE_FILE_WINDOWS_DMP,
generated::kape_generated::KAPE_FILE_CRASH_DUMPS,
generated::kape_generated::KAPE_FILE_LOGCAT_LOG,
generated::kape_generated::KAPE_FILE_LOCALCACHE_PNG,
generated::kape_generated::KAPE_FILE_LOCALCACHE_ICO,
generated::kape_generated::KAPE_FILE_LOCALSTATE_APPCOMPATDB_JSON,
generated::kape_generated::KAPE_FILE_LOCALCACHE_USERDATA_VHDX,
generated::kape_generated::KAPE_FILE_ETC_DEBIAN_VERSION,
generated::kape_generated::KAPE_FILE_ETC_FSTAB,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE,
generated::kape_generated::KAPE_FILE_ETC_PASSWD,
generated::kape_generated::KAPE_FILE_ETC_GROUP,
generated::kape_generated::KAPE_FILE_ETC_SHADOW,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_2,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC,
generated::kape_generated::KAPE_FILE_ETC_PROFILE,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS,
generated::kape_generated::KAPE_FILE_APT_LOG,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX,
generated::kape_generated::KAPE_FILE_ETC_DEBIAN_VERSION_2,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_2,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_2,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_2,
generated::kape_generated::KAPE_FILE_ETC_GROUP_2,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_2,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_3,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB_2,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_2,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_2,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_2,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_2,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_2,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS_2,
generated::kape_generated::KAPE_FILE_APT_LOG_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_2,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_3,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_3,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_3,
generated::kape_generated::KAPE_FILE_ETC_GROUP_3,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_3,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_3,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_3,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_4,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_3,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_3,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_3,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_3,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_3,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_3,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_4,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_4,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_4,
generated::kape_generated::KAPE_FILE_ETC_GROUP_4,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_4,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_4,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_4,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_5,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB_3,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_4,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_4,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_4,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_4,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_4,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS_3,
generated::kape_generated::KAPE_FILE_APT_LOG_3,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_4,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_5,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_5,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_5,
generated::kape_generated::KAPE_FILE_ETC_GROUP_5,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_5,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_5,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_5,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_6,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_5,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_5,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_5,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_5,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_5,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_5,
generated::kape_generated::KAPE_FILE_DIAGOUTPUTDIR_WINDOWS365,
generated::kape_generated::KAPE_FILE_COREAIPLATFORM_00_UKP,
generated::kape_generated::KAPE_FILE_FIREWALL_PFIREWALL,
generated::kape_generated::KAPE_FILE_WINDOWS_FIREWALL_LOG,
generated::kape_generated::KAPE_FILE_CRYPTO_KEYS,
generated::kape_generated::KAPE_FILE_S_1_5_18_USER,
generated::kape_generated::KAPE_FILE_MICROSOFT_NGC,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_LOG_2,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_TR_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG_3,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_LOG_2,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_TRAN_2,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_2,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_HI_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_3,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_2,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_HIVE_2,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_3,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_3,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_3,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_3,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_2_2,
generated::kape_generated::KAPE_FILE_APPLICATIONS_WINDOWS,
generated::kape_generated::KAPE_FILE_APPLICATIONS_S_1,
generated::kape_generated::KAPE_FILE_S_1_GATHERLOGS,
generated::kape_generated::KAPE_FILE_WINDOWS_GATHERLOGS,
generated::kape_generated::KAPE_FILE_DRIVERS_ETC,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_3,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT_3,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHERMIGLOG_XML,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHERSETUPACT_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHER_HUMANREADABLE_XML,
generated::kape_generated::KAPE_FILE_PANTHER_ROLLBACKFOLDERMOVELOG_TXT,
generated::kape_generated::KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB_2,
generated::kape_generated::KAPE_FILE_WINDOWS_POWER_EFFICIENCY_DIAGNOSTICS,
generated::kape_generated::KAPE_FILE_CONFIG_NETLOGON,
generated::kape_generated::KAPE_FILE_SYSTEM32_DNS,
generated::kape_generated::KAPE_FILE_SYSTEM32_DHCP,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTS_RBS,
generated::kape_generated::KAPE_FILE_LEGACY_RBS_FILES_REL,
generated::kape_generated::KAPE_FILE_CONNECTEDDEVICESPLATFORM_ACTIVITIESCACHE_DB,
generated::kape_generated::KAPE_FILE_SYSTEM_ETL,
generated::kape_generated::KAPE_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL,
generated::kape_generated::KAPE_FILE_CBS_CBS_LOG,
generated::kape_generated::KAPE_FILE_SOFTWAREDISTRIBUTION_DATASTORE,
generated::kape_generated::KAPE_FILE_C_SYSTEM_VOLUME_INFORMATION,
generated::nirsoft_generated::NIRSOFT_LAST_ACTIVITY_RECENT_ITEMS,
generated::nirsoft_generated::NIRSOFT_BROWSING_HISTORY_CHROME,
generated::nirsoft_generated::NIRSOFT_BROWSING_HISTORY_FIREFOX,
generated::nirsoft_generated::NIRSOFT_NETWORK_CONNECT_LOG,
generated::nirsoft_generated::NIRSOFT_USBDEVIEW_ENUM_USB,
generated::nirsoft_generated::NIRSOFT_USBDEVIEW_ENUM_USBSTOR,
generated::nirsoft_generated::NIRSOFT_SHELLBAGS_USRCLASS_BAGS,
generated::nirsoft_generated::NIRSOFT_SHELLBAGS_NTUSER_BAGS,
generated::nirsoft_generated::NIRSOFT_JUMPLISTS_AUTOMATIC_DESTINATIONS,
generated::nirsoft_generated::NIRSOFT_JUMPLISTS_CUSTOM_DESTINATIONS,
generated::nirsoft_generated::NIRSOFT_MUICACHE_LOCAL_SETTINGS,
generated::nirsoft_generated::NIRSOFT_RECENTFILES_RECENTDOCS_KEY,
generated::nirsoft_generated::NIRSOFT_WIFI_HISTORY_PROFILES_DIR,
generated::nirsoft_generated::NIRSOFT_NETWORK_PASSWORDS_CRED_DIR,
generated::nirsoft_generated::NIRSOFT_SAM_HIVE_REG,
generated::nirsoft_generated::NIRSOFT_REGISTRY_CHANGES_NTUSER,
generated::nirsoft_generated::NIRSOFT_OPENED_FILES_VIEW_HANDLE,
generated::nirsoft_generated::NIRSOFT_PROCESS_ACTIVITY_PREFETCH,
generated::nirsoft_generated::NIRSOFT_INSTALLED_CODEC_AUDIO,
generated::nirsoft_generated::NIRSOFT_STARTUP_RUN_HKLM_RUN,
generated::nirsoft_generated::NIRSOFT_STARTUP_RUN_HKCU_RUN,
generated::nirsoft_generated::NIRSOFT_APP_CRASH_DUMPS_DIR,
generated::regedit_generated::REGEDIT_NETWORK,
generated::regedit_generated::REGEDIT_MICROSOFT_INTERNET_EXPLORER_TYPEDURLS,
generated::regedit_generated::REGEDIT_USER_MRU,
generated::regedit_generated::REGEDIT_MICROSOFT_TERMINAL_SERVER_CLIENT,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_CIDSIZEMRU,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_FIRSTFOLDER,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_LASTVISITEDPIDLMRU,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_LASTVISITEDPIDLMRULEGACY,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_OPENSAVEPIDLMRU,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_FILEEXTS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_RECENTDOCS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_MOUNTPOINTS2,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUN,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUNONCE,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_RUNMRU,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_TYPEDPATHS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_USERASSIST,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_WORDWHEELQUERY,
generated::regedit_generated::REGEDIT_CURRENTVERSION_SEARCH_RECENTAPPS,
generated::regedit_generated::REGEDIT_DOMAINS_ACCOUNT_USERS,
generated::regedit_generated::REGEDIT_MICROSOFT_WINDOWS_NT_CURRENTVERSION,
generated::regedit_generated::REGEDIT_WINDOWS_NT_CURRENTVERSION_NETWORKLIST,
generated::regedit_generated::REGEDIT_POLICIES_EXPLORER_RUN,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUN_SYSTEM_RUN_KEY,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUNONCE_SYSTEM_RUNONCE,
generated::regedit_generated::REGEDIT_MICROSOFT_WINDOWS_PORTABLE_DEVICES_DEVICES,
generated::regedit_generated::REGEDIT_CONTROL_COMPUTERNAME_COMPUTERNAME,
generated::regedit_generated::REGEDIT_CONTROL_SESSION_MANAGER_APPCOMPATCACHE,
generated::regedit_generated::REGEDIT_CONTROLSET00_CONTROL_TIMEZONEINFORMATION,
generated::regedit_generated::REGEDIT_SYSTEM_CONTROLSET00_SERVICES,
generated::regedit_generated::REGEDIT_SERVICES_BAM_USERSETTINGS,
generated::regedit_generated::REGEDIT_SERVICES_DAM_USERSETTINGS,
generated::regedit_generated::REGEDIT_SERVICES_LANMANSERVER_SHARES,
generated::regedit_generated::REGEDIT_TCPIP_PARAMETERS_INTERFACES,
generated::regedit_generated::REGEDIT_PARAMETERS_INTERFACES,
generated::regedit_generated::REGEDIT_SYSTEM_MOUNTEDDEVICES,
generated::regedit_generated::REGEDIT_SYSTEM_SETUP,
generated::regedit_generated::REGEDIT_SYSTEM_SELECT,
generated::regedit_generated::REGEDIT_CONTROLSET00_CONTROL_WINDOWS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_PRO,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_RUN,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_SID,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_STA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_SYSMON_4OPERATIONAL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DOCX_DOCM_DOTX_DOTM_DOCB_XLSX_XLSM_XLTX_XL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USERS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_C_PROGRAM_FILES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_LOCALLOGS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_ACCESS_LOG_ACCESS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_BIN_LS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_IMAGE_DD,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_MANIFEST_JSON,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_EXTENSIONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RUN_DOCKER_SOCK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_APT_LISTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DPKG_STATUS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RUN_SNAPD_SOCKET,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_JOURNAL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SBIN_AUDITCTL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_AUTH_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SYSLOGTIMESTAMP_TIMESTAMP_SYSLOGFACILITY_S,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_HOME,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_MOUNTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_NET_ARP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_MODULES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SBIN_NFT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SSH_AUTHORIZED_KEYS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SSH_PEM_ID_RSA_ID_DSA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ACPI_TABLES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_HISTORY,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_STAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CRONTABS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CRON_WEEKLY,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_GROUP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_WTMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USR,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_PASSWD,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_AUTH_LOG_SECURE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_BIN_SYNC,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_FINDER_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_COM_APPLE_XPC_LAUNCHD_DISABLED_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TABS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RECEIPTS_INSTALLHISTORY_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DOWNLOADS_ZIP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_DOCK_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_COM_APPLE_TCC_TCC_DB,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_TIMEMACHINE_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USERS_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SYSTEMCONFIGURATION_COM_APPLE_AIRPORT_PREF,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_YAML_YML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TO_IMAGE_VMDK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_REMAPPING_WRITEBACK_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_1_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_FAVICONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_3_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEAMVIEWER_CONNECTIONS_INCOMING_TXT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_COLLECTION_ZIP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROGRAMS_AMCACHE_HVE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_INVENTORY_FILE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DLL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWS_SYSMON64_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_RUN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RTF_DOC_DOT_DOCX_DOCM_DOTX_DOTM_DOCB_XLS_X,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWS_SYSTEM32,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_WINPMEM_SYS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SECURITY_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYSTEM_SECURITY_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINEVT_LOGS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4OPERATI,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYSTEM_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LO,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TASKSCHEDULER_4OPER,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_E,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_APPLICATION_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_PROCESSES_SQLITE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_METADATA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_METADATA_2,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_AUTOMATICDESTINATIONS_AUTOMATICDESTINATION,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LNK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWSTATE_01_BIN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TABSTATE_BIN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFETCH_PF,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CACHE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_NTUSER_DAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_I,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CONFIG_SAM,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SRU_SRUDB_DAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ACTIVITIESCACHE_DB,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SUM,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_IMAGE_FILE_EXECUTION_OPTIONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_V1_0_PROFILE_MICROSOFT_PROFILE_PS1,
generated::velociraptor_generated::VELOCIRAPTOR_MICROSOFT_WOW64,
generated::velociraptor_generated::VELOCIRAPTOR_SESSION_MANAGER_APPCOMPATCACHE_APPCOMPATCACHE,
generated::velociraptor_generated::VELOCIRAPTOR_CONTROL_BACKUPRESTORE,
generated::velociraptor_generated::VELOCIRAPTOR_SERVICES_PORTPROXY,
generated::velociraptor_generated::VELOCIRAPTOR_SOFTWARE_SYSINTERNALS,
generated::velociraptor_generated::VELOCIRAPTOR_SECURITYPROVIDERS_WDIGEST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TASKS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_V1_0_POWERSHELL_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_HOSTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_HOSTS_VELOCIRAPTOR_BACKUP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_VHDX,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_PROFILELIST,
generated::velociraptor_generated::VELOCIRAPTOR_APPCOMPATFLAGS_INSTALLEDSDB,
generated::velociraptor_generated::VELOCIRAPTOR_CUSTOM,
generated::velociraptor_generated::VELOCIRAPTOR_FIREWALLRULES,
generated::velociraptor_generated::VELOCIRAPTOR_SYSTEM_RESOURCES_PHYSICAL_MEMORY_TRANSLATED,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_UNINSTALL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_POWERSHELL_MODULEANALYSISCACHE,
generated::velociraptor_generated::VELOCIRAPTOR_SYSTEM_CURRENTCONTROLSET_SERVICES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DLL_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_C_MFT,
browser_ext::BROWSER_CHROME_HISTORY,
browser_ext::BROWSER_CHROME_COOKIES,
browser_ext::BROWSER_CHROME_DOWNLOADS,
browser_ext::BROWSER_CHROME_BOOKMARKS,
browser_ext::BROWSER_CHROME_EXTENSIONS,
browser_ext::BROWSER_CHROME_LOGIN_DATA_V2,
browser_ext::BROWSER_CHROME_AUTOFILL,
browser_ext::BROWSER_CHROME_CACHE,
browser_ext::BROWSER_CHROME_SESSION,
browser_ext::BROWSER_CHROME_SESSION_MEMORY,
browser_ext::BROWSER_FIREFOX_HISTORY,
browser_ext::BROWSER_FIREFOX_COOKIES,
browser_ext::BROWSER_FIREFOX_DOWNLOADS,
browser_ext::BROWSER_FIREFOX_SESSION_MEMORY,
browser_ext::BROWSER_SAFARI_HISTORY,
macos_ext::IOS_UNIFIED_LOG,
macos_ext::IOS14_MAPS_HISTORY,
macos_ext::HEIC_IMAGE_FILE,
macos_ext::UBER_IOS_LEVELDB,
macos_ext::IOS_GOOGLE_CHAT_CACHEV0,
macos_ext::IOS_MOBILE_CONTAINER_MANAGER,
macos_ext::MACOS_BTM_BACKGROUND_TASKS,
windows_files_ext::ONEDRIVE_ODL_LOGS,
android_ext::SAMSUNG_GALLERY3D_TRASH,
android_ext::SAMSUNG_GALLERY3D_LOG,
android_ext::ANDROID_TOR_BROWSER_THUMBNAILS,
android_ext::ANDROID_GBOARD_TRAININGCACHE,
cloud_ext::GOOGLE_TAKEOUT_LOCATION_RECORDS,
cloud_ext::GOOGLE_TAKEOUT_SEMANTIC_LOCATION_HISTORY,
cloud_ext::AWS_CLOUDTRAIL_IAM_EVENTS,
vehicle_ext::HONDA_ACCORD_RECENTSTOPS,
vehicle_ext::HONDA_ACCORD_CRM_ECO_LOGS,
vehicle_ext::HONDA_ACCORD_PHONEDB,
vehicle_ext::HONDA_ACCORD_BLUETOOTH,
vehicle_ext::GARMIN_NUVI_VOICE_LOG,
windows_registry_ext3::RUN_SERVICES_HKLM,
windows_registry_ext3::RUN_SERVICES_HKCU,
windows_registry_ext3::RUN_SERVICES_ONCE_HKLM,
windows_registry_ext3::RUN_SERVICES_ONCE_HKCU,
windows_registry_ext3::FIREWALL_AUTHORIZED_APPS,
windows_registry_ext3::SSODL,
windows_registry_ext3::SHARED_TASK_SCHEDULER,
windows_registry_ext3::CREDENTIAL_PROVIDER_FILTERS,
linux_ext::ESXI_ATTESTD_LOG,
linux_ext::ESXI_ESXTOKEND_LOG,
linux_ext::ESXI_KMXA_LOG,
];