#![allow(clippy::too_many_lines)]
mod android_ext;
mod browser_ext;
mod cloud_ext;
mod generated;
mod linux_ext;
mod macos_ext;
mod vehicle_ext;
mod windows_evtx_ext;
mod windows_files_ext;
mod windows_logs_ext;
mod windows_registry_ext;
mod windows_registry_ext2;
mod windows_registry_ext3;
use super::types::{
ArtifactDescriptor, ArtifactType, BinaryField, BinaryFieldType, DataScope, Decoder,
FieldSchema, HiveTarget, OsScope, TriagePriority, ValueType,
};
/// Byte layout of a Win7+ UserAssist `Count` value.
///
/// Shared by the EXE and shortcut GUID subkeys (both use
/// `Decoder::Rot13NameWithBinaryValue` with this table). `offset` is the
/// byte position of each field inside the raw registry value.
pub(crate) static USERASSIST_BINARY_FIELDS: &[BinaryField] = &[
    // Launch counter.
    BinaryField {
        name: "run_count",
        field_type: BinaryFieldType::U32Le,
        offset: 4,
        description: "Number of times the program was launched",
    },
    // How often the window received keyboard/mouse focus.
    BinaryField {
        name: "focus_count",
        field_type: BinaryFieldType::U32Le,
        offset: 8,
        description: "Number of times the program received input focus",
    },
    // Cumulative focus time; non-zero is the interactive-use signal.
    BinaryField {
        name: "focus_duration_ms",
        field_type: BinaryFieldType::U32Le,
        offset: 12,
        description: "Total focus time in milliseconds",
    },
    // Last-execution FILETIME sits near the end of the record.
    BinaryField {
        name: "last_run",
        field_type: BinaryFieldType::FiletimeLe,
        offset: 60,
        description: "FILETIME of the last execution",
    },
];
/// Output schema for Win7+ UserAssist records.
///
/// `program` is the only UID component: the decoded (ROT13) value name
/// identifies the record; the counters and timestamp are attributes of it.
pub(crate) static USERASSIST_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "program",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "ROT13-decoded program path or name",
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        is_uid_component: false,
        description: "Number of times launched",
    },
    FieldSchema {
        name: "focus_count",
        value_type: ValueType::UnsignedInt,
        is_uid_component: false,
        description: "Number of times received focus",
    },
    FieldSchema {
        name: "focus_duration_ms",
        value_type: ValueType::UnsignedInt,
        is_uid_component: false,
        description: "Total focus time in milliseconds",
    },
    FieldSchema {
        name: "last_run",
        value_type: ValueType::Timestamp,
        is_uid_component: false,
        description: "FILETIME of last execution as ISO 8601",
    },
];
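/// UserAssist `Count` values under the EXE GUID subkey of NTUSER.DAT.
///
/// Value names are ROT13-encoded program paths; the binary payload is parsed
/// with [`USERASSIST_BINARY_FIELDS`] into run count, focus count, focus
/// duration and last-run FILETIME. Focus Time, not Run Count alone, is the
/// interactive-execution signal (see `evidence_caveats`).
pub static USERASSIST_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_exe",
    name: "UserAssist (EXE)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_BINARY_FIELDS),
    meaning: "Interactive program execution history: launch counts, last execution timestamp, and focus duration. Non-zero Focus Time confirms interactive use; zero Focus Time with non-zero Run Count may indicate shell preloading.",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: USERASSIST_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // Back-references added so the UserAssist family is navigable in both
    // directions: userassist_folder and userassist_xp_exe already point here.
    related_artifacts: &[
        "prefetch_dir",
        "shimcache",
        "srum_app_resource",
        "userassist_folder",
        "userassist_xp_exe",
    ],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Counts GUI application launches; CLI-only execution not recorded",
        "ROT13 name encoding can be misread if decoder is missing",
        "Run Count alone is insufficient — right-clicking an app in the Start Menu and selecting 'Open file location' increments Run Count and updates Last Executed without actual execution; require Focus Time > 0 for higher confidence",
        "Behaviour differs across Windows 10 and 11 builds; verify on an exact matching OS version when this artifact is case-critical",
        "Batch (.bat) and .cmd files launched via double-click are tracked; this may be the only GUI-execution artifact that captures them explicitly",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated per user GUI interaction; persists in NTUSER.DAT",
};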
/// Single-field schema shared by every Run / RunOnce descriptor in this file:
/// the registry value data, i.e. the autostart command line.
pub(crate) static RUN_KEY_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "value",
    value_type: ValueType::Text,
    is_uid_component: false,
    description: "Autostart command or path",
}];
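/// Machine-wide `Run` key in the SOFTWARE hive (T1547.001 persistence).
///
/// Each value is a command executed at every user logon; the `value` field
/// carries that command line verbatim.
pub static RUN_KEY_HKLM_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hklm",
    name: "Run Key (HKLM)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "System-wide autostart entry executed at every user logon",
    mitre_techniques: &["T1547.001"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // run_key_hkcu lists this artifact as related; the back-reference keeps
    // the Run-key family symmetric.
    related_artifacts: &[
        "run_key_hkcu",
        "run_key_hklm_once",
        "services_imagepath",
        "scheduled_tasks_dir",
    ],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2013/01/run-mru.html",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Legitimate software also uses Run keys; context required"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "System registry key; persists until explicit deletion",
};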
/// Schema for the TypedURLs key: each registry value is one typed URL, and
/// the URL itself identifies the record.
pub(crate) static TYPED_URLS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "value",
    value_type: ValueType::Text,
    is_uid_component: true,
    description: "URL typed into the IE/Edge address bar",
}];
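/// Internet Explorer / legacy Edge `TypedURLs` key in NTUSER.DAT.
///
/// Records URLs the user entered by hand in the address bar (not clicked
/// links), so it is user-activity evidence rather than malware tradecraft.
pub static TYPED_URLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "typed_urls",
    name: "TypedURLs (IE/Edge)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Internet Explorer\TypedURLs",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "URLs manually typed into the Internet Explorer or Edge address bar",
    // NOTE(review): T1071.001 describes C2 over web protocols; typed URLs
    // evidence user browsing — confirm this is the intended mapping.
    mitre_techniques: &["T1071.001"],
    fields: TYPED_URLS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // userassist_xp_ie_favorites already points here; add the back-reference.
    related_artifacts: &["userassist_xp_ie_favorites"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-windows-registry-forensics-part-6-internet-explorer-user-typed-urls/",
        "https://windowsir.blogspot.com/2006/04/typed-urls.html",
        "https://crucialsecurity.wordpress.com/2011/03/14/typedurls-part-1/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};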
/// Output schema for `AppLaunch.dic` records (executable path + launch time).
///
/// The names must match [`PCA_PIPE_FIELDS`], which drives the pipe-delimited
/// decoder; `exe_path` is the record identity.
pub(crate) static PCA_FIELDS_SCHEMA: &[FieldSchema] = &[
    FieldSchema {
        name: "exe_path",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Full path to the executable",
    },
    // Kept as text: the on-disk representation is not normalised here.
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Launch timestamp string",
    },
];
pub(crate) static PCA_PIPE_FIELDS: &[&str] = &["exe_path", "timestamp"];
/// Program Compatibility Assistant `AppLaunch.dic` (Windows 11 22H2+).
///
/// A plain-text, pipe-delimited execution log; parsed with
/// [`PCA_PIPE_FIELDS`] and surfaced through [`PCA_FIELDS_SCHEMA`].
pub static PCA_APPLAUNCH_DIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "pca_applaunch_dic",
    name: "PCA AppLaunch.dic",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\appcompat\pca\AppLaunch.dic"),
    scope: DataScope::System,
    os_scope: OsScope::Win11_22H2,
    decoder: Decoder::PipeDelimited {
        fields: PCA_PIPE_FIELDS,
    },
    fields: PCA_FIELDS_SCHEMA,
    meaning: "Program execution evidence from the Program Compatibility Assistant",
    mitre_techniques: &["T1059", "T1204.002"],
    related_artifacts: &["pca_general_db"],
    sources: &[
        "https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/",
        "https://www.sygnia.co/blog/new-windows-11-pca-artifact/",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/program-compatibility-assistant.md",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for `PcaGeneralDb0.txt` abnormal-exit records.
///
/// All three fields are text; the timestamp format differs between parsed and
/// raw records (see the `timestamp` description), so no conversion is applied.
pub(crate) static PCA_GENERAL_DB_FIELDS_SCHEMA: &[FieldSchema] = &[
    FieldSchema {
        name: "exe_path",
        value_type: ValueType::Text,
        is_uid_component: true,
        description:
            "Full path (often %programfiles% / %USERPROFILE%-style) of the process that exited",
    },
    FieldSchema {
        name: "exit_code",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Hex Win32 NTSTATUS / process exit code (e.g. 0x2, 0x80) from the \
            \"Abnormal process exit with code 0xN\" record",
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "Unix epoch seconds — Carvey 2024 parsed records use this format; \
            raw on-disk records embed FILETIME on Sygnia/AboutDFIR analysis",
    },
];
/// Program Compatibility Assistant `PcaGeneralDb0.txt` (Windows 11 22H2+).
///
/// Sibling of [`PCA_APPLAUNCH_DIC`]; records abnormal process exits with the
/// executable path and exit code. Carries no user attribution on its own.
pub static PCA_GENERAL_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "pca_general_db",
    name: "PCA PcaGeneralDb0.txt",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\appcompat\pca\PcaGeneralDb0.txt"),
    scope: DataScope::System,
    os_scope: OsScope::Win11_22H2,
    // Lines are passed through unparsed; the schema describes the record shape.
    decoder: Decoder::Identity,
    fields: PCA_GENERAL_DB_FIELDS_SCHEMA,
    meaning: "Program Compatibility Assistant abnormal-exit log — each record captures \
        an executable path plus its abnormal process exit code (e.g. 0x2, 0x80). \
        Sibling to PcaAppLaunchDic in C:\\Windows\\appcompat\\pca\\. \
        No user attribution is recorded in the file itself, so analysts must correlate \
        with EVTX / EDR telemetry to assign activity to a specific user.",
    mitre_techniques: &["T1059", "T1204.002"],
    related_artifacts: &["pca_applaunch_dic"],
    sources: &[
        "https://windowsir.blogspot.com/2024/02/pcaparse.html",
        "https://www.sygnia.co/blog/new-windows-11-pca-artifact/",
        "https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
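/// The system `hosts` file: static name-to-IP overrides consulted before DNS.
///
/// Collected as raw lines (`Decoder::Identity`). Triage value is in
/// non-default entries, in particular EDR/C2 hostnames pinned to a loopback
/// or null address (see `meaning`); who made the change must come from
/// filesystem timestamps and event logs (see `evidence_caveats`).
pub static WINDOWS_HOSTS_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_hosts_file",
    name: "Windows hosts File",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\drivers\etc\hosts"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Static name-to-IP overrides consulted before DNS during host name resolution. \
        Adversary tradecraft (per Carvey/EDRSilencer write-ups) maps EDR vendor or C2 \
        hostnames to 127.0.0.1 / 0.0.0.0 to blackhole agent telemetry without touching \
        the EDR process — a stealthier alternative to WFP filters that nonetheless \
        leaves a trivially-collected on-disk artifact. Any non-default entry warrants \
        triage during incident response.",
    mitre_techniques: &["T1562.001", "T1565.001"],
    fields: &[FieldSchema {
        name: "value",
        value_type: ValueType::Text,
        description: "Raw hosts-file contents — one record per non-comment line: \
            <IP> <hostname1> [hostname2 ...] [# comment]",
        is_uid_component: false,
    }],
    retention: None,
    triage_priority: TriagePriority::High,
    // dns_policy_config_nrpt already references this artifact; the NRPT is
    // the registry-side counterpart of the same EDR-silencing tradecraft.
    related_artifacts: &["dns_policy_config_nrpt"],
    sources: &[
        "https://windowsir.blogspot.com/2024/01/edrsilencer.html",
        "https://support.microsoft.com/en-us/topic/microsoft-tcp-ip-host-name-resolution-order-dae00cc9-7e9c-c0cc-8360-477b99cb978a",
        "https://academy.bluraven.io/blog/edr-silencer-and-beyond-exploring-methods-to-block-edr-communication-part-2",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Non-default entries prove tampering but not who made the change — correlate with filesystem timestamps and event logs",
        "Hosts file takes precedence over DNS but NOT over hardcoded IPs; tools that embed C2 IPs bypass this artifact entirely",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Plain text file on disk; survives reboots indefinitely until explicitly modified or restored — unlike WFP filters, hosts edits are trivially recoverable even after adversary cleanup if VSS copies exist",
};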
/// Name Resolution Policy Table rules under the SYSTEM hive.
///
/// Each rule is a UUID-named subkey of `key_path`; the three fields below are
/// the values read from such a subkey. Same defensive concern as
/// [`WINDOWS_HOSTS_FILE`] — DNS redirection used to blackhole EDR telemetry —
/// but with legitimate uses (split-DNS VPN clients), so the `Name` /
/// `GenericDNSServers` pairing decides the verdict, not mere presence.
pub static DNS_POLICY_CONFIG_NRPT: ArtifactDescriptor = ArtifactDescriptor {
    id: "dns_policy_config_nrpt",
    name: "DNS Name Resolution Policy Table (NRPT)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    fields: &[
        // Rule matcher: which names the redirection applies to.
        FieldSchema {
            name: "Name",
            value_type: ValueType::List,
            is_uid_component: true,
            description: "REG_MULTI_SZ — list of FQDNs or DNS suffixes the rule applies to. \
                Sysmon stores this as opaque 'Binary Data', limiting EDR registry \
                telemetry visibility.",
        },
        // Rule action: where matching queries are sent.
        FieldSchema {
            name: "GenericDNSServers",
            value_type: ValueType::Text,
            is_uid_component: false,
            description: "Target IP address(es) the matching DNS query is redirected to \
                (e.g. 127.0.0.1 for blackhole). Matches the \
                `-NameServers` parameter of `Add-DnsClientNrptRule`.",
        },
        // Free text; tooling sometimes leaves a self-describing marker here.
        FieldSchema {
            name: "Comment",
            value_type: ValueType::Text,
            is_uid_component: false,
            description: "Optional rule comment from `Add-DnsClientNrptRule -Comment`. \
                Carvey-style triage flag: free-text strings like \
                \"Silenced by Name Resolution Policy Table\" are explicit IOCs.",
        },
    ],
    meaning: "Name Resolution Policy Table (NRPT) — per-FQDN / per-suffix DNS \
        redirection rules consulted before the system DNS resolver. \
        EDR-silencing tradecraft (Carvey 2024-01 addendum, Cloudbrothers \
        2024-12) creates a UUID subkey here per rule mapping an EDR vendor \
        or C2 hostname to 127.0.0.1 to blackhole agent telemetry. Benign \
        uses include VPN clients (e.g. Tailscale) that redirect DNS for \
        split-DNS configurations.",
    mitre_techniques: &["T1562.001", "T1562.006"],
    related_artifacts: &["windows_hosts_file"],
    sources: &[
        "https://windowsir.blogspot.com/2024/01/edrsilencer.html",
        "https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/",
        "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593632(v=ws.11)",
        "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule",
    ],
    retention: None,
    // NOTE(review): evidence_strength and volatility are left unset here while
    // the sibling windows_hosts_file descriptor classifies both — confirm
    // whether that is intentional.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Run` key in NTUSER.DAT (T1547.001 persistence).
///
/// Writable by the unprivileged user, hence the most common non-elevated
/// autostart location; values are command lines run at that user's logon.
pub static RUN_KEY_HKCU_RUN: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hkcu",
    name: "Run Key (HKCU)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Run",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    fields: RUN_KEY_FIELDS,
    meaning: "Per-user autostart programs executed at every logon without elevation. \
        Lower-privilege than HKLM Run — writable by the user account itself, \
        making it a common unprivileged persistence location that survives password resets.",
    mitre_techniques: &["T1547.001"],
    related_artifacts: &["run_key_hklm", "startup_folder_user"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2013/01/run-mru.html",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/02_Detection_Rules/2.2_sigma_rules/HKCU%20Run%20Key%20Written%20by%20Unusual%20Process.yml",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Per-user; requires knowing which user profile to examine"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Per-user registry key; persists in NTUSER.DAT",
};
/// Per-user `RunOnce` key in NTUSER.DAT.
///
/// One-shot autostart tied to that user's next logon; the OS deletes the
/// value after it fires, so absence is not exculpatory (see
/// `evidence_caveats`) and the hive should be acquired before the next logon.
pub static RUN_KEY_HKCU_RUNONCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hkcu_once",
    name: "RunOnce Key (HKCU)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    fields: RUN_KEY_FIELDS,
    meaning: "Per-user one-shot autostart: values execute once at the next \
        USER LOGIN (not machine boot) and are immediately deleted by the OS. \
        Presence proves a payload was staged for the next logon session of \
        that user. Absence after suspected compromise means the trigger already \
        fired; correlate execution time with user logon events (Event ID 4624). \
        Distinct from the persistent Run key — malware choosing RunOnce may be \
        trying to limit dwell time or avoid repeated execution. Raspberry Robin \
        used HKCU RunOnce for user-scoped persistence (T1547.001).",
    mitre_techniques: &["T1547.001", "T1112"],
    related_artifacts: &["run_key_hkcu", "run_key_hklm_once"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2022/11/post-compilation.html",
        "https://windowsir.blogspot.com/2022/10/testing-registry-modification-scenarios.html",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Key is deleted by the OS after the first user login execution — \
            absence does not prove the key was never set; correlate with Event ID 4624 \
            (user logon) and execution artifacts (Prefetch, Shimcache) at that time",
        "HKCU RunOnce fires at USER LOGIN, not machine boot — \
            open reporting frequently confuses these; a user-hive persistence entry \
            cannot execute before that user logs in",
        "Indirect write via key rename (rename RunOnce → add value → rename back, \
            used by Raspberry Robin/Roshtyak) leaves no forensic trace distinguishable \
            from normal RunOnce usage in the hive — registry-only analysis cannot detect \
            this evasion; requires Sysmon EID 12/13/14 or \
            Microsoft-Windows-Shell-Core%4Operational.evtx",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Deleted by OS after single user-login execution; \
        transient by design — acquire before the user\'s next login",
};
/// Machine-wide `RunOnce` key in the SOFTWARE hive.
///
/// Boot-time counterpart of [`RUN_KEY_HKCU_RUNONCE`]: fires once at the next
/// machine boot and is then deleted, so acquire before the next restart and
/// treat absence as "may already have fired" (see `evidence_caveats`).
pub static RUN_KEY_HKLM_RUNONCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_key_hklm_once",
    name: "RunOnce Key (HKLM)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\RunOnce",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    fields: RUN_KEY_FIELDS,
    meaning: "System-wide one-time autostart: values execute once at the next MACHINE BOOT \
        and are immediately deleted by the OS. Presence proves a payload was staged for the \
        next boot. Absence after suspected compromise means the trigger already fired — \
        correlate execution time with boot records (Event ID 4608 System startup) and \
        execution artifacts (Prefetch, ShimCache). Distinct from the persistent Run key; \
        malware choosing RunOnce may be trying to limit dwell time or leave minimal trace. \
        Indirect write via key rename (Raspberry Robin/Roshtyak) can bypass detection rules.",
    mitre_techniques: &["T1547.001", "T1112"],
    related_artifacts: &["run_key_hkcu_once", "run_key_hklm"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
        "https://windowsir.blogspot.com/2022/10/testing-registry-modification-scenarios.html",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Single-run key deleted by OS after boot execution — absence does not prove the \
            key was never set; correlate with Event ID 4608 (System startup) and execution \
            artifacts (Prefetch, ShimCache) at that boot time",
        "Indirect write via key rename (rename RunOnce → add value → rename back, \
            used by Raspberry Robin/Roshtyak) leaves no forensic trace distinguishable \
            from normal RunOnce usage in the hive — registry-only analysis cannot detect \
            this evasion; requires Sysmon EID 12/13/14 or \
            Microsoft-Windows-Shell-Core%4Operational.evtx",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Deleted by OS after single boot-time execution; \
        transient by design — acquire before the next system restart",
};
/// Schema for an IFEO `Debugger` value: the path of the binary that Windows
/// launches in place of (and as parent of) the targeted image.
pub(crate) static IFEO_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "debugger",
    value_type: ValueType::Text,
    is_uid_component: false,
    description: "Debugger path that hijacks the target process launch",
}];
/// Image File Execution Options `Debugger` hijack (T1546.012).
///
/// A `Debugger` value redirects the launch of a named image to another
/// binary. Legitimate debugger registrations exist, so triage focuses on
/// targets that are not debuggers (see `evidence_caveats`).
pub static IFEO_DEBUGGER: ArtifactDescriptor = ArtifactDescriptor {
    id: "ifeo_debugger",
    name: "IFEO Debugger Hijack",
    triage_priority: TriagePriority::Medium,
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    // NOTE(review): the Debugger value is set on a per-image subkey of this
    // key (one subkey per targeted executable name), not on the key itself —
    // confirm the RegistryValue collector enumerates subkeys for this entry.
    key_path: r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    value_name: Some("Debugger"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    fields: IFEO_FIELDS,
    meaning: "Redirects target-process launch to an attacker-controlled binary",
    mitre_techniques: &["T1546.012"],
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging",
        "https://www.sans.org/blog/malware-persistence-without-the-windows-registry/",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Legitimate debugger keys exist; focus on non-debugger executables"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key; persists until explicit deletion",
};
/// UserAssist `Count` values under the shortcut/LNK GUID subkey of NTUSER.DAT.
///
/// Same record layout and schema as [`USERASSIST_EXE`]; tracks launches that
/// went through a shortcut (Start Menu, Desktop, .lnk) rather than a direct
/// executable invocation.
pub static USERASSIST_FOLDER: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_folder",
    name: "UserAssist (Shortcut/LNK)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_BINARY_FIELDS),
    fields: USERASSIST_FIELDS,
    meaning: "Shortcut-initiated launch history (.lnk files, Start Menu, Desktop) with run counts and timestamps",
    // NOTE(review): T1547.009 is shortcut *modification* for persistence;
    // this key records shortcut *use* — confirm the intended mapping.
    mitre_techniques: &["T1547.009", "T1204.002"],
    related_artifacts: &["userassist_exe"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Byte layout of a pre-Vista (XP-era) UserAssist `Count` value.
///
/// 16-byte record: session DWORD, run-count DWORD, then an 8-byte FILETIME.
/// There are no focus-count / focus-time fields in this format.
pub(crate) static USERASSIST_XP_BINARY_FIELDS: &[BinaryField] = &[
    BinaryField {
        name: "session_id",
        field_type: BinaryFieldType::U32Le,
        offset: 0,
        description: "Session counter or padding (XP-era, often zero)",
    },
    // NOTE(review): XP-era run counts are widely reported as starting from a
    // non-zero base rather than 0 — treat the raw value as relative, not
    // absolute, until confirmed against a reference parser.
    BinaryField {
        name: "run_count",
        field_type: BinaryFieldType::U32Le,
        offset: 4,
        description: "Number of times the item was launched (little-endian DWORD)",
    },
    BinaryField {
        name: "last_run_time",
        field_type: BinaryFieldType::FiletimeLe,
        offset: 8,
        description: "FILETIME of last launch (100-nanosecond intervals since 1601-01-01 UTC)",
    },
];
/// Output schema for XP-era UserAssist records (no focus fields).
///
/// `program` is the decoded value name and the record identity.
pub(crate) static USERASSIST_XP_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "program",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "ROT13-decoded path or item name",
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        is_uid_component: false,
        description: "Number of times the item was launched",
    },
    FieldSchema {
        name: "last_run_time",
        value_type: ValueType::Timestamp,
        is_uid_component: false,
        description: "Timestamp of most recent launch",
    },
];
/// Pre-Vista UserAssist application/file/link launch history.
///
/// Uses the 16-byte [`USERASSIST_XP_BINARY_FIELDS`] layout and
/// [`USERASSIST_XP_FIELDS`] schema; the Win7+ descriptors use a different
/// GUID and record format.
pub static USERASSIST_XP_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_exe",
    name: "UserAssist XP (App/File/Link)",
    triage_priority: TriagePriority::Medium,
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    // NOTE(review): scoped to All although the meaning says pre-Vista; the
    // Win7+ UserAssist entries use Win7Plus — confirm whether a narrower
    // OsScope is intended here.
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    fields: USERASSIST_XP_FIELDS,
    meaning: "Pre-Vista application, file, and link launch history (16-byte record; no focus time fields)",
    mitre_techniques: &["T1059", "T1204.002"],
    related_artifacts: &["userassist_exe"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
        "http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Pre-Vista UserAssist subkey tracking Internet Explorer Favorites / toolbar
/// object access. Same XP record layout as [`USERASSIST_XP_EXE`].
pub static USERASSIST_XP_IE_FAVORITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_ie_favorites",
    name: "UserAssist XP (IE Favorites/Toolbar)",
    triage_priority: TriagePriority::Low,
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    fields: USERASSIST_XP_FIELDS,
    meaning: "Pre-Vista Internet Explorer Favorites and toolbar object access history",
    mitre_techniques: &["T1071.001"],
    related_artifacts: &["userassist_xp_exe", "typed_urls"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Pre-Vista UserAssist subkey that exists only when IE7 was installed on
/// Windows XP. Same XP record layout as [`USERASSIST_XP_EXE`].
pub static USERASSIST_XP_IE7: ArtifactDescriptor = ArtifactDescriptor {
    id: "userassist_xp_ie7",
    name: "UserAssist XP (IE7)",
    triage_priority: TriagePriority::Low,
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Rot13NameWithBinaryValue(USERASSIST_XP_BINARY_FIELDS),
    fields: USERASSIST_XP_FIELDS,
    meaning: "IE7-specific UserAssist tracking on Windows XP (present only when IE7 was installed)",
    mitre_techniques: &["T1071.001"],
    related_artifacts: &["userassist_xp_exe", "userassist_xp_ie_favorites"],
    sources: &[
        "https://www.magnetforensics.com/blog/artifact-profile-userassist/",
        "https://windowsir.blogspot.com/2004/02/userassist.html",
    ],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for ShellBags output: the MRU slot ordering produced by
/// `Decoder::MruListEx`, not the decoded folder paths themselves.
pub(crate) static SHELLBAGS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "indices",
    value_type: ValueType::List,
    is_uid_component: false,
    description: "MRU order of accessed shell folder slots",
}];
/// ShellBags `Bags` key in UsrClass.dat (Win7+).
///
/// Evidence that a folder was browsed in Explorer; it says nothing about file
/// access or execution (see `evidence_caveats`). The descriptor yields MRU
/// slot order via `Decoder::MruListEx`.
pub static SHELLBAGS_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "shellbags_user",
    name: "ShellBags (User)",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    // NOTE(review): the folder hierarchy that gives these slots their paths
    // lives in the sibling BagMRU key, which this descriptor does not cover —
    // confirm the decoder resolves slot indices to paths elsewhere.
    key_path: r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MruListEx,
    fields: SHELLBAGS_FIELDS,
    meaning: "Folder access history; persists paths even after folder deletion",
    mitre_techniques: &["T1083", "T1005"],
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/shell-bag-forensics/",
        "https://windowsir.blogspot.com/2009/07/shellbag-analysis.html",
        "https://ericzimmerman.github.io/#!index.md",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
        "https://www.sans.org/white-papers/34545/",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Proves folder was browsed; does not prove file access or execution"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated on folder access; persists in UsrClass.dat",
};
/// Output schema for Amcache `InventoryApplicationFile` entries.
///
/// `file_id` (volume GUID + MFT reference) is the record identity; the SHA1
/// is what makes Amcache useful after the binary has been deleted.
pub(crate) static AMCACHE_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "file_id",
        value_type: ValueType::Text,
        is_uid_component: true,
        description: "Volume GUID + MFT file reference (unique file identity)",
    },
    // Partial-file hash: only the leading portion of the file is hashed.
    FieldSchema {
        name: "sha1",
        value_type: ValueType::Text,
        is_uid_component: false,
        description: "SHA1 of the first 31.25 MB (0000-prefixed)",
    },
];
/// Amcache.hve `Root\InventoryApplicationFile` (Win8+).
///
/// Per-file inventory with a partial SHA1 that survives deletion of the
/// binary. Presence means Windows touched the file, not necessarily that it
/// ran; the hive's last-write time is not a first-execution timestamp (see
/// `evidence_caveats`). Transaction logs must accompany the hive.
pub static AMCACHE_APP_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "amcache_app_file",
    name: "Amcache InventoryApplicationFile",
    triage_priority: TriagePriority::High,
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::Amcache),
    key_path: r"Root\InventoryApplicationFile",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    fields: AMCACHE_FIELDS,
    meaning: "Program execution evidence with file hash; persists after binary deletion",
    mitre_techniques: &["T1218", "T1204.002"],
    related_artifacts: &["shimcache", "prefetch_dir", "srum_app_resource"],
    sources: &[
        "https://www.sans.org/blog/new-amcache-hve-in-windows-8-1-update-1/",
        "https://www.sansforensics.com/blog/amcache-hive-forensics/",
        "https://www.researchgate.net/publication/317258237_Leveraging_the_Windows_Amcachehve_File_in_Forensic_Investigations",
        "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
        "https://github.com/EricZimmerman/AmcacheParser",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://sethenoka.com/shimcache-and-amcache-program-execution-without-certainty/",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Presence proves file was on disk and touched by Windows; not always execution",
        "Can be populated by antivirus scans",
        "AmCache last write time is NOT a reliable first-execution indicator on modern systems — the hive is updated by multiple mechanisms beyond the Compatibility Appraiser scheduled task (which is often disabled), including normal app launches and PCA activity",
        "Run AmcacheParser.exe with the -i flag to generate AssociatedFileEntries output; omitting -i produces incomplete results",
        "Transaction log files (.LOG1/.LOG2) must be co-located with the hive; AmcacheParser processes them automatically if present — without them, in-flight writes may be missing",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Persists until Windows Update or manual clear",
};
/// Schema for the raw `AppCompatCache` value; structured parsing of the blob
/// is delegated to the shimcache module rather than done by a `Decoder`.
pub(crate) static SHIMCACHE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "raw",
    value_type: ValueType::Bytes,
    is_uid_component: false,
    description: "Raw AppCompatCache binary blob (parsed by shimcache module)",
}];
/// ShimCache (AppCompatCache) as persisted in the SYSTEM hive.
///
/// Evidence value is "file existed on disk / was exposed to the shell", not
/// execution; the caveats below spell out the collection pitfalls (flushed only
/// on clean shutdown, entries can be created by the responder's own browsing).
/// On a running system pair with `SHIMCACHE_MEMORY` for entries since last boot.
pub static SHIMCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "shimcache",
    name: "ShimCache (AppCompatCache)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager\AppCompatCache",
    value_name: Some("AppCompatCache"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    // Identity: the blob is handed to the shimcache parser untouched.
    decoder: Decoder::Identity,
    meaning: "Executable metadata cache; presence proves binary existed on disk",
    mitre_techniques: &["T1218", "T1059"],
    fields: SHIMCACHE_FIELDS,
    retention: Some("written at clean shutdown only; lost on crash/hard-power-off"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["amcache_app_file", "prefetch_dir", "bam_user", "shimcache_memory"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-shimcache/",
        "https://redcanary.com/blog/threat-detection/appcompatcache/",
        "https://www.sans.org/blog/mass-triage-part-4-processing-returned-files-appcache-shimcache/",
        "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
        "https://github.com/EricZimmerman/AppCompatCacheParser",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://sethenoka.com/shimcache-and-amcache-program-execution-without-certainty/",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Presence proves file existed on disk, not necessarily executed",
        "Written only on clean shutdown; live system registry shows entries from last reboot only — use shimcache_memory to capture entries since last reboot",
        "Copying a file at the Command Prompt without opening it in Windows Explorer does NOT create a Shimcache entry — the file must be accessed through the shell (Explorer view, rename, or move) to be shimmed",
        "Collection method matters: ShimCache records exposure, not execution — a responder browsing the live system under review (e.g. opening the folder in Explorer) can CREATE entries, making the analyst the source. Treat entries as evidence of exposure rather than proof of execution",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value persists until hive is overwritten; see shimcache_memory for the Volatile in-memory counterpart",
};
/// Live (in-RAM) AppCompatCache buffer on a running system.
///
/// Same field schema as `SHIMCACHE`, but sourced from a memory acquisition and
/// classed Volatile: it holds everything shimmed since the last boot and is lost
/// on crash or power-off before the clean-shutdown flush to the registry.
// NOTE(review): this descriptor spells the type as `crate::catalog::ArtifactDescriptor`
// while its siblings use the `ArtifactDescriptor` imported from `super::types`;
// presumably the same type re-exported — confirm and unify if so.
pub static SHIMCACHE_MEMORY: crate::catalog::ArtifactDescriptor =
    crate::catalog::ArtifactDescriptor {
        id: "shimcache_memory",
        name: "ShimCache In-Memory Buffer (AppCompatCache live)",
        artifact_type: ArtifactType::MemoryRegion,
        // No hive/key: this is a memory region, not a registry location.
        hive: None,
        key_path: "",
        value_name: None,
        file_path: None,
        scope: DataScope::System,
        os_scope: OsScope::All,
        decoder: Decoder::Identity,
        meaning: "Live AppCompatCache entries not yet flushed to registry. Richer than the on-disk \
                  registry snapshot on a running system — includes all executables touched since the \
                  last reboot. Collect via memory acquisition before shutdown; flushes to shimcache \
                  (registry) on clean shutdown, lost on crash/power-off.",
        mitre_techniques: &["T1218", "T1059"],
        fields: SHIMCACHE_FIELDS,
        retention: Some("lost on reboot or crash; flushed to registry AppCompatCache on clean shutdown"),
        triage_priority: TriagePriority::Critical,
        related_artifacts: &["shimcache", "amcache_app_file", "prefetch_dir"],
        sources: &[
            "https://www.sans.org/blog/digital-forensics-shimcache/",
            "https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/",
        ],
        evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
        evidence_caveats: &[
            "Requires live memory acquisition; not obtainable from disk image alone",
            "Presence proves file was loaded by shimming subsystem in current boot session",
        ],
        volatility: Some(crate::volatility::VolatilityClass::Volatile),
        volatility_rationale: "In RAM; lost on reboot. Contains entries not visible in registry until shutdown flush.",
    };
/// Field schema for `BAM_USER`: a single FILETIME per value, decoded at offset 0.
pub(crate) static BAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "last_exec",
    value_type: ValueType::Timestamp,
    description: "FILETIME of last background execution",
    is_uid_component: false,
}];
/// BAM (Background Activity Moderator) last-execution timestamps.
///
/// Lives in the SYSTEM hive but is keyed per user SID beneath `UserSettings`,
/// hence `DataScope::Mixed`. Windows 10+ only; `DAM_USER` is the desktop-side twin.
pub static BAM_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "bam_user",
    name: "BAM (Background Activity Moderator)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\bam\State\UserSettings",
    // Values are enumerated per SID sub-key; no single value name applies.
    value_name: None,
    file_path: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win10Plus,
    // Each value's first 8 bytes are the FILETIME surfaced as `last_exec`.
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Last execution time of background/UWP processes per-user SID",
    mitre_techniques: &["T1059", "T1204"],
    fields: BAM_FIELDS,
    retention: Some("~7 days rolling window"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["dam_user", "shimcache", "prefetch_dir"],
    sources: &[
        "https://www.sans.org/blog/background-activity-moderator-bam-forensics/",
        "https://www.13cubed.com/downloads/windows10_forensics_cheat_sheet.pdf",
        "https://forensafe.com/blogs/bam.html",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/bam-dam.md",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Granularity is per-day; precise execution time not available"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated by OS on background activity manager flush",
};
/// Field schema for `DAM_USER`: a single FILETIME per value, decoded at offset 0.
pub(crate) static DAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "last_exec",
    value_type: ValueType::Timestamp,
    description: "FILETIME of last desktop application execution",
    is_uid_component: false,
}];
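/// DAM (Desktop Activity Moderator) last-execution timestamps, keyed per user SID
/// under the SYSTEM hive; the desktop-side twin of `BAM_USER` with the same
/// decoder, OS scope and retention window.
pub static DAM_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "dam_user",
    name: "DAM (Desktop Activity Moderator)",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\dam\State\UserSettings",
    // Values are enumerated per SID sub-key; no single value name applies.
    value_name: None,
    file_path: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win10Plus,
    // Each value's first 8 bytes are the FILETIME surfaced as `last_exec`.
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Last execution time of desktop applications per-user SID",
    mitre_techniques: &["T1059", "T1204"],
    fields: DAM_FIELDS,
    retention: Some("~7 days rolling window"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["bam_user", "shimcache"],
    sources: &[
        "https://www.sans.org/blog/background-activity-moderator-bam-forensics/",
        "https://forensafe.com/blogs/bam.html",
        "https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/bam-dam.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    // Fixed: the caveat previously expanded DAM as "Device Activity Monitor",
    // contradicting `name` above; the two must agree.
    evidence_caveats: &["Desktop Activity Moderator; less studied than BAM"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated by OS on desktop activity monitor flush",
};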
/// Field schema for `SAM_USERS`: the account name is the sub-key name itself and
/// is the uid component for the artifact.
pub(crate) static SAM_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "username",
    value_type: ValueType::Text,
    description: "Local account username (sub-key name)",
    is_uid_component: true,
}];
/// Local account inventory from the SAM hive (`Users\Names` sub-keys).
///
/// Rated Definitive for account existence. The hive holds credential material,
/// so collection is privileged and the F/V records need the SYSTEM hive key to
/// decrypt — see the caveats.
pub static SAM_USERS: ArtifactDescriptor = ArtifactDescriptor {
    id: "sam_users",
    name: "SAM User Accounts",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSam),
    key_path: r"SAM\Domains\Account\Users\Names",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Local Windows accounts; F/V records contain login counts and NTLM hash metadata",
    mitre_techniques: &["T1003.002", "T1087.001"],
    fields: SAM_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["lsa_secrets", "dcc2_cache"],
    sources: &[
        "https://www.sans.org/blog/windows-credential-storage-for-penetration-testers/",
        "https://windowsir.blogspot.com/2010/11/recovering-passwords.html",
        "http://windowsir.blogspot.com/2013/07/howto-determine-users-on-system.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Contains local account NTLM hashes; requires SYSTEM privilege to read",
        "Must be used with SYSTEM hive to decrypt",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SAM registry hive; persists until account deleted",
};
/// Field schema for `LSA_SECRETS`: one entry per secret sub-key, identified by name.
pub(crate) static LSA_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "secret_name",
    value_type: ValueType::Text,
    description: "LSA secret key name (e.g. _SC_*, DPAPI_SYSTEM, DefaultPassword)",
    is_uid_component: true,
}];
/// LSA secrets from the SECURITY hive (`Policy\Secrets`).
///
/// Only the secret names are exposed as fields; the values are encrypted at rest
/// and the descriptor does not decode them (`Decoder::Identity`).
pub static LSA_SECRETS: ArtifactDescriptor = ArtifactDescriptor {
    id: "lsa_secrets",
    name: "LSA Secrets",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSecurity),
    key_path: r"Policy\Secrets",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Encrypted service credentials, auto-logon passwords, and DPAPI master key",
    mitre_techniques: &["T1003.004", "T1552.002"],
    fields: LSA_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["sam_users", "dpapi_system_masterkey", "dcc2_cache"],
    sources: &["https://www.sans.org/blog/lsa-secrets/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Requires SYSTEM privileges to read; encrypted at rest"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "System hive registry; persists until credential removed",
};
/// Field schema for `DCC2_CACHE`: one entry per `NL$n` cache slot value.
pub(crate) static DCC2_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "slot_name",
    value_type: ValueType::Text,
    description: "Cache slot name (NL$1 through NL$25)",
    is_uid_component: true,
}];
/// Domain Cached Credentials v2 from the SECURITY hive (`Cache` key).
///
/// Proves that a domain user logged on interactively to this host; it does not
/// reveal the current password. Slot values are encrypted and left undecoded.
// NOTE(review): `DCC2_FIELDS` describes slots NL$1..NL$25 while the rationale
// below says 10 cached credentials by default — the number of populated slots
// is policy-controlled, so the two statements may both be true; confirm wording.
pub static DCC2_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "dcc2_cache",
    name: "Domain Cached Credentials 2 (DCC2)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSecurity),
    key_path: r"Cache",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "MS-Cache v2 (PBKDF2-SHA1) hashes enabling offline domain logon",
    mitre_techniques: &["T1003.005"],
    fields: DCC2_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/windows-credential-storage-for-penetration-testers/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Only proves domain user logged in; not current password"],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rotated; last 10 cached credentials by default",
};
/// Field schema for `TYPED_URLS_TIME`: one FILETIME per url slot, decoded at offset 0.
pub(crate) static TYPED_URLS_TIME_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "timestamp",
    value_type: ValueType::Timestamp,
    description: "FILETIME when the URL slot was typed",
    is_uid_component: false,
}];
/// Per-slot timestamps for URLs typed into the IE/Edge address bar (NTUSER.DAT).
///
/// Only meaningful alongside the `TypedURLs` key that holds the URL strings;
/// this descriptor carries the times, not the URLs.
// NOTE(review): `meaning` says this pairs with TypedURLs, but `related_artifacts`
// is empty — if a typed_urls descriptor exists elsewhere in the catalog, link it.
pub static TYPED_URLS_TIME: ArtifactDescriptor = ArtifactDescriptor {
    id: "typed_urls_time",
    name: "TypedURLsTime (IE/Edge)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Internet Explorer\TypedURLsTime",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::FiletimeAt { offset: 0 },
    meaning: "Timestamps of URLs typed into IE/Edge address bar (paired with TypedURLs)",
    mitre_techniques: &["T1071.001"],
    fields: TYPED_URLS_TIME_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-windows-registry-forensics-part-6-internet-explorer-user-typed-urls/",
    ],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Field schema for `MRU_RECENT_DOCS`: the decoded MRUListEx ordering as a list.
pub(crate) static MRU_RECENT_DOCS_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "indices",
    value_type: ValueType::List,
    description: "MRUListEx order indices of recently accessed documents",
    is_uid_component: false,
}];
/// Explorer RecentDocs MRU list from NTUSER.DAT, decoded via `Decoder::MruListEx`.
///
/// Gives access order, not timestamps; the key's last-write time only dates the
/// most recent change to the list.
// NOTE(review): the caveat below ("only via common dialog") reads like the
// OpenSave/LastVisited MRU caveat (see the sources); RecentDocs is generally
// populated by shell opens. Confirm the caveat belongs to this descriptor.
pub static MRU_RECENT_DOCS: ArtifactDescriptor = ArtifactDescriptor {
    id: "mru_recent_docs",
    name: "MRU RecentDocs",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::MruListEx,
    meaning: "Most-recently-used documents list (MRUListEx order of shell32 items)",
    mitre_techniques: &["T1005", "T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/windows-mru-registry-keys/",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://forensics.wiki/opensavemru/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Only tracks files opened via common dialog; programmatic access not recorded",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated per file open; fixed max MRU depth",
};
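/// Field schema for `USB_ENUM`: one entry per sub-key of `Enum\USBSTOR`.
pub(crate) static USB_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "device_id",
    value_type: ValueType::Text,
    // Fixed: USBSTOR sub-keys are named by device class (Disk&Ven_*&Prod_*&Rev_*)
    // with the instance/serial sub-key beneath; the VID&PID naming the old
    // description referred to lives under Enum\USB, not USBSTOR.
    description: "USB storage device ID (USBSTOR sub-key name, Disk&Ven_*&Prod_*&Rev_*, with the instance/serial sub-key beneath; VID&PID naming is under Enum\\USB, not USBSTOR)",
    is_uid_component: true,
}];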
/// USB mass-storage connection history from the SYSTEM hive (`Enum\USBSTOR`).
///
/// Sub-keys survive device removal, so this is an inventory of devices ever
/// attached; cross-reference with LNK `volume_serial_number` / `drive_type`
/// fields for what was accessed on them.
pub static USB_ENUM: ArtifactDescriptor = ArtifactDescriptor {
    id: "usb_enum",
    name: "USB Device Enumeration (USBSTOR)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Enum\USBSTOR",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "USB storage device connection history; persists after device removal",
    mitre_techniques: &["T1200", "T1052.001"],
    fields: USB_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-usb-device-tracking/",
        "https://windowsir.blogspot.com/2013/07/usb-device-tracking-in-windows-7.html",
        "https://www.magnetforensics.com/blog/artifact-profile-usb-devices/",
    ],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Field schema for `MUICACHE`: the UTF-16LE display name stored per executable path.
pub(crate) static MUICACHE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "display_name",
    value_type: ValueType::Text,
    description: "Localized display name of the executed application",
    is_uid_component: false,
}];
/// MUICache from the per-user UsrClass.dat hive: value names are executable
/// paths, value data the cached display name (UTF-16LE).
// NOTE(review): in UsrClass.dat the MuiCache key is usually nested deeper than
// `Local Settings\MuiCache` (under Local Settings\Software\Microsoft\Windows\Shell);
// confirm `key_path` matches what the hive walker expects.
pub static MUICACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "muicache",
    name: "MUICache",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    key_path: r"Local Settings\MuiCache",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Utf16Le,
    meaning: "Cached display names keyed by executable path; program execution evidence",
    mitre_techniques: &["T1059", "T1204.002"],
    fields: MUICACHE_FIELDS,
    retention: Some("persists until registry cleanup"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2012/08/no-more-mr-nice-guy.html",
        "https://www.sans.org/blog/digital-forensics-windows-muicache/",
        "http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-muicache-files-in-windows/",
        "https://forensafe.com/blogs/muicache.html",
    ],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Field schema for `APPINIT_DLLS`: the raw DLL list string from the value.
pub(crate) static APPINIT_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "dll_list",
    value_type: ValueType::Text,
    description: "Comma/space-separated DLL paths injected into user32.dll consumers",
    is_uid_component: false,
}];
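/// AppInit_DLLs persistence value from the SOFTWARE hive.
///
/// A populated value is Definitive for intent, but whether the DLLs actually load
/// depends on platform state (Secure Boot) and on sibling values in the same key;
/// the caveat records those gates so triage does not over-claim execution.
pub static APPINIT_DLLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "appinit_dlls",
    name: "AppInit_DLLs",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Windows",
    value_name: Some("AppInit_DLLs"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLLs injected into every process that loads user32.dll",
    mitre_techniques: &["T1546.010"],
    fields: APPINIT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/dlls/registry-keys-for-appinit-dlls",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    // Expanded: the previous caveat only mentioned Secure Boot; the cited Microsoft
    // page also documents the LoadAppInit_DLLs / RequireSignedAppInit_DLLs gates.
    evidence_caveats: &[
        "Disabled by the OS when Secure Boot is enabled (Windows 8 and later); also gated by the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values in the same key — check those before treating a populated value as active injection",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};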
/// Field schema for `WINLOGON_USERINIT`: the raw comma-separated Userinit value.
pub(crate) static WINLOGON_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "userinit",
    value_type: ValueType::Text,
    description: "Comma-separated executables launched by Winlogon at logon",
    is_uid_component: false,
}];
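/// Winlogon `Userinit` value from the SOFTWARE hive; sibling of `WINLOGON_SHELL`
/// (same key, same technique) and rated the same way.
///
/// The stock value ends in a trailing comma, so the indicator is an extra
/// comma-separated entry, not the comma itself.
pub static WINLOGON_USERINIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "winlogon_userinit",
    name: "Winlogon Userinit",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    value_name: Some("Userinit"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    // Fixed: the previous text ended in "userinit.exe," which read as truncated;
    // the trailing comma is part of the stock value and is now explained.
    meaning: "Process(es) launched by Winlogon at logon; stock value is userinit.exe followed by a trailing comma, so additional comma-separated entries are the persistence indicator",
    mitre_techniques: &["T1547.004"],
    fields: WINLOGON_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina"],
    // Ratings aligned with WINLOGON_SHELL, which lives in the same key and maps
    // to the same technique; previously left unrated.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Stock value is userinit.exe with a trailing comma (e.g. C:\\Windows\\system32\\userinit.exe,); compare against a known-good baseline rather than flagging the comma itself",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};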
/// Field schema for `SCREENSAVER_EXE`: the configured .scr path.
pub(crate) static SCREENSAVER_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "path",
    value_type: ValueType::Text,
    description: "Path to the screensaver executable (.scr)",
    is_uid_component: false,
}];
/// Per-user screensaver executable (`SCRNSAVE.EXE` under `Control Panel\Desktop`
/// in NTUSER.DAT); a non-stock .scr path is a persistence indicator.
pub static SCREENSAVER_EXE: ArtifactDescriptor = ArtifactDescriptor {
    id: "screensaver_exe",
    name: "Screensaver Executable",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Control Panel\Desktop",
    value_name: Some("SCRNSAVE.EXE"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Screensaver path; malicious .scr enables persistence on screen lock",
    mitre_techniques: &["T1546.002"],
    fields: SCREENSAVER_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/screensaver-registry-key-for-persistence/"],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Generic single-field schema for persistence locations whose value is a command
/// line or executable path; used by `WINLOGON_SHELL` and `SERVICES_IMAGEPATH`.
pub(crate) static PERSIST_CMD_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "command",
    value_type: ValueType::Text,
    description: "Command, DLL path, or executable registered for execution",
    is_uid_component: false,
}];
/// Generic single-field schema for DLL-loading persistence points; used by
/// `COM_HIJACK_CLSID_HKCU` and `APPCERT_DLLS`.
pub(crate) static DLL_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "dll_path",
    value_type: ValueType::Text,
    description: "Path to the DLL registered for injection or loading",
    is_uid_component: false,
}];
/// Schema for directory-listing artifacts: the entry name is the uid component.
/// Consumers are defined outside this part of the file.
pub(crate) static DIR_ENTRY_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "entry_name",
    value_type: ValueType::Text,
    description: "Name of the file or shortcut present in this directory",
    is_uid_component: true,
}];
/// Schema for parsed Windows shortcut (.lnk) files.
///
/// Fields are named after the LNK structures they come from (header, LinkInfo,
/// StringData, the BEEF0004 extension block). The three header timestamps
/// describe the *target* file, not the shortcut itself. Consumers of this schema
/// are defined outside this part of the file.
pub(crate) static LNK_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "target_path",
        value_type: ValueType::Text,
        description: "Resolved target path (LocalBasePath + CommonPathSuffix from LinkInfo)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "created_time",
        value_type: ValueType::Timestamp,
        description: "LNK header CreationTime (FILETIME, UTC) — when target file was created",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "LNK header AccessTime (FILETIME, UTC) — last access of target file",
        is_uid_component: false,
    },
    FieldSchema {
        name: "modified_time",
        value_type: ValueType::Timestamp,
        description: "LNK header WriteTime (FILETIME, UTC) — last modification of target file",
        is_uid_component: false,
    },
    // Primary weaponisation indicator: benign shortcuts normally carry no arguments.
    FieldSchema {
        name: "arguments",
        value_type: ValueType::Text,
        description: "StringData.Arguments — empty for legitimate LNKs; \
                      PowerShell/encoded payloads indicate weaponised LNK",
        is_uid_component: false,
    },
    FieldSchema {
        name: "working_dir",
        value_type: ValueType::Text,
        description: "StringData.WorkingDir — execution working directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "drive_type",
        value_type: ValueType::Text,
        description: "LinkInfo.DriveType: FIXED/REMOVABLE/REMOTE/CDROM/RAMDISK; \
                      REMOVABLE links to USB artifacts; REMOTE indicates lateral movement",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_serial_number",
        value_type: ValueType::Text,
        description: "LinkInfo.VolumeSerialNumber — disk identity; \
                      cross-reference with MountPoints2 and USB enumeration keys",
        is_uid_component: false,
    },
    FieldSchema {
        name: "net_share_name",
        value_type: ValueType::Text,
        description: "CommonNetworkRelativeLink.NetName — UNC share path \
                      when DriveType=REMOTE; identifies lateral movement source host",
        is_uid_component: false,
    },
    // Header FileSize is only 32 bits; the jump-list schema recombines it with the
    // BEEF0004 high word into `file_size_64bit`.
    FieldSchema {
        name: "file_size",
        value_type: ValueType::Integer,
        description: "LNK header FileSize (UInt32, low 32 bits only — truncates for >4 GB targets)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT record number (48-bit: low 32 bits at +0x12, \
                      high 16 bits at +0x16); pivot to $MFT/$UsnJrnl for full timeline",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_sequence_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT sequence number (UInt16 at +0x18); \
                      detects MFT record reuse (file deleted then slot reused)",
        is_uid_component: false,
    },
];
/// Schema for AutomaticDestinations jump lists (`*.automaticDestinations-ms`).
///
/// The AppID hash is the uid component; the remaining fields come from the
/// DestList stream and the LNK streams embedded in the OLE container. Consumers
/// of this schema are defined outside this part of the file.
pub(crate) static JUMP_LIST_AUTO_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id_hash",
        value_type: ValueType::Text,
        description: "8-byte CRC64 AppID hash (filename stem of .automaticDestinations-ms); \
                      resolved via JumplistData registry key or AppIdlist.csv",
        is_uid_component: true,
    },
    FieldSchema {
        name: "mru_rank",
        value_type: ValueType::Integer,
        description: "DestList entry order (0 = most recently accessed); \
                      reconstructs file access chronology per application",
        is_uid_component: false,
    },
    FieldSchema {
        name: "pin_status",
        value_type: ValueType::Text,
        description: "Pin Entry field — whether item is pinned and its pinned order",
        is_uid_component: false,
    },
    FieldSchema {
        name: "quick_access_order",
        value_type: ValueType::Integer,
        description: "Quick Access position (item order in Windows Quick Access folder)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lnk_target_path",
        value_type: ValueType::Text,
        description: "Embedded LNK target path (LocalBasePath + CommonPathSuffix)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header AccessTime (FILETIME, UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "modified_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header WriteTime (FILETIME, UTC)",
        is_uid_component: false,
    },
    // Unlike `LNK_FIELDS::file_size`, this recombines the BEEF0004 high word with
    // the 32-bit header size so >4 GB targets are not truncated.
    FieldSchema {
        name: "file_size_64bit",
        value_type: ValueType::Integer,
        description:
            "Full 64-bit target file size (BEEF0004 high 32 bits + LNK header low 32 bits); \
             critical for files >4 GB where LNK header alone truncates",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 48-bit MFT record number (low 32 + high 16 bits); \
                      pivot to $MFT or $UsnJrnl for timestomping or rename-chain analysis",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_sequence_number",
        value_type: ValueType::Integer,
        description: "BEEF0004 MFT sequence number — detects MFT record reuse",
        is_uid_component: false,
    },
];
/// Schema for CustomDestinations jump lists (`*.customDestinations-ms`): grouped,
/// application-defined entries with embedded LNK data. Consumers of this schema
/// are defined outside this part of the file.
pub(crate) static JUMP_LIST_CUSTOM_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "group_name",
        value_type: ValueType::Text,
        description: "Jump list group title (e.g. 'Tasks', 'Recent', 'Pinned', \
                      or empty for unnamed Tasks groups)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "entry_order",
        value_type: ValueType::Integer,
        description: "Position of this entry within its group (MRU ordering)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lnk_target_path",
        value_type: ValueType::Text,
        description: "Embedded LNK target path (LocalBasePath + CommonPathSuffix)",
        is_uid_component: false,
    },
    // Same weaponisation signal as `LNK_FIELDS::arguments`.
    FieldSchema {
        name: "arguments",
        value_type: ValueType::Text,
        description: "LNK StringData.Arguments — primary weaponisation indicator; \
                      legitimate entries are empty; malicious entries carry payloads",
        is_uid_component: false,
    },
    FieldSchema {
        name: "working_dir",
        value_type: ValueType::Text,
        description: "LNK StringData.WorkingDir — execution working directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "accessed_time",
        value_type: ValueType::Timestamp,
        description: "Embedded LNK header AccessTime (FILETIME, UTC)",
        is_uid_component: false,
    },
];
/// Minimal schema for file-based artifacts identified by path alone.
/// Consumers are defined outside this part of the file.
pub(crate) static FILE_PATH_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "path",
    value_type: ValueType::Text,
    description: "Full path to the artifact file",
    is_uid_component: true,
}];
/// Winlogon `Shell` value from the SOFTWARE hive. The stock value is
/// `explorer.exe`; anything else is rated Definitive persistence evidence.
/// Sibling of `WINLOGON_USERINIT` (same key).
pub static WINLOGON_SHELL: ArtifactDescriptor = ArtifactDescriptor {
    id: "winlogon_shell",
    name: "Winlogon Shell",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    value_name: Some("Shell"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Windows shell process(es) launched by Winlogon; default is explorer.exe",
    mitre_techniques: &["T1547.004"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Default value is 'explorer.exe'; any deviation is highly suspicious"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};
/// `ImagePath` of every service under `CurrentControlSet\Services` (SYSTEM hive).
///
/// `artifact_type` is RegistryKey with a `value_name` set — presumably the
/// collector enumerates each service sub-key and reads that value from it
/// (confirm against the walker). The `meaning` text doubles as the detection
/// guidance for encoded-command payloads stored directly in the value.
pub static SERVICES_IMAGEPATH: ArtifactDescriptor = ArtifactDescriptor {
    id: "services_imagepath",
    name: "Services ImagePath",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services",
    value_name: Some("ImagePath"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executable path of a Windows service; auto-started services persist across reboots. \
              Attackers use sc.exe to set binPath to %COMSPEC% /c powershell.exe -nop -w hidden \
              -encodedcommand <base64>, embedding obfuscated PowerShell payloads (base64-encoded \
              UTF-16LE, sometimes gzip/deflate-compressed then base64-wrapped) directly in the \
              registry. Look for -EncodedCommand, -WindowStyle Hidden, FromBase64String, \
              GzipStream, and [IO.Compression.CompressionMode]::Decompress in ImagePath values.",
    mitre_techniques: &["T1543.003", "T1059.001", "T1027"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["evtx_system"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager",
        "https://redcanary.com/threat-detection-report/techniques/t1543/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://az4n6.blogspot.com/2017/10/finding-and-decoding-malicious.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Many legitimate services present; focus on unsigned/unusual paths"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key under SYSTEM; persists until service removed",
};
/// Field schema for `ACTIVE_SETUP_HKLM`: the per-component StubPath command.
pub(crate) static ACTIVE_SETUP_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "stub_path",
    value_type: ValueType::Text,
    description: "StubPath command executed once per user at logon for new installs",
    is_uid_component: false,
}];
/// Machine-wide Active Setup components (SOFTWARE hive). Each sub-key's
/// `StubPath` runs once per user at logon when the HKCU `Version` lags the HKLM
/// one — see `ACTIVE_SETUP_HKCU` for the user-side counterpart.
pub static ACTIVE_SETUP_HKLM: ArtifactDescriptor = ArtifactDescriptor {
    id: "active_setup_hklm",
    name: "Active Setup (HKLM)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Active Setup\Installed Components",
    value_name: Some("StubPath"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Per-user setup command executed by HKLM Active Setup; malicious StubPath = user-context persistence",
    mitre_techniques: &["T1547.014"],
    fields: ACTIVE_SETUP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/active-setup-registry-persistence/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Registry key presence is definitive persistence evidence; compare sub-key StubPath against known-good baseline"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key; persists until explicit deletion",
};
/// User-side Active Setup state (NTUSER.DAT): the `Version` recorded per
/// component. A mismatch against `ACTIVE_SETUP_HKLM` is what triggers StubPath
/// re-execution at next logon.
// NOTE(review): `fields` reuses RUN_KEY_FIELDS (defined outside this part of the
// file) although the value read here is `Version`, not a command — presumably a
// placeholder; confirm a version-oriented schema is not intended.
pub static ACTIVE_SETUP_HKCU: ArtifactDescriptor = ArtifactDescriptor {
    id: "active_setup_hkcu",
    name: "Active Setup (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Active Setup\Installed Components",
    value_name: Some("Version"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "User-side Active Setup version; mismatch with HKLM triggers StubPath re-execution",
    mitre_techniques: &["T1547.014"],
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/active-setup-registry-persistence/"],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user COM server registrations under `CLSID` in UsrClass.dat.
///
/// HKCU registrations shadow HKLM ones without admin rights, so a user-scope
/// InprocServer32 pointing at an unusual DLL is the hijack indicator; compare
/// with the HKLM entry for the same CLSID before concluding.
// NOTE(review): InprocServer32 is normally a sub-key of each CLSID\{GUID} with the
// DLL path in its default value rather than a named value on `CLSID` — confirm
// the collector interprets `value_name` that way.
pub static COM_HIJACK_CLSID_HKCU: ArtifactDescriptor = ArtifactDescriptor {
    id: "com_hijack_clsid_hkcu",
    name: "COM Hijack CLSID (HKCU)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::UsrClass),
    key_path: r"CLSID",
    value_name: Some("InprocServer32"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "User-space CLSID registration overriding system COM server; no admin needed",
    mitre_techniques: &["T1546.015"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://redcanary.com/threat-detection-report/techniques/t1546/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Some legitimate COM redirection exists; compare with HKLM entries"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry key per-user; persists in NTUSER.DAT",
};
/// AppCertDlls key in the SYSTEM hive: DLLs loaded into processes that call the
/// CreateProcess family. The key is absent on a stock system, so its presence
/// is itself notable.
pub static APPCERT_DLLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "appcert_dlls",
    name: "AppCertDlls",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager\AppCertDlls",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLLs injected into every process that calls CreateProcess-family APIs",
    mitre_techniques: &["T1546.009"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/devnotes/appcertdlls"],
    // Evidence/volatility ratings not yet assigned for this descriptor.
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for the single MULTI_SZ list carried by `BootExecute`: each element is one
/// native command line that smss.exe runs before the Win32 subsystem starts.
pub(crate) static BOOT_EXECUTE_FIELDS: &[FieldSchema] = &[FieldSchema {
    // Not part of the UID: the artifact is identified by its key/value, not its contents.
    name: "commands",
    value_type: ValueType::List,
    description: "Commands executed by Session Manager before Win32 subsystem starts",
    is_uid_component: false,
}];
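/// `Session Manager\BootExecute`: native (non-Win32) images launched by smss.exe as SYSTEM
/// before any service, AV or EDR has started. Default is `autocheck autochk *`.
pub static BOOT_EXECUTE: ArtifactDescriptor = ArtifactDescriptor {
    id: "boot_execute",
    name: "Boot Execute",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Session Manager",
    value_name: Some("BootExecute"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::MultiSz,
    meaning: "Native executables run by smss.exe at boot; executes before most security software",
    mitre_techniques: &["T1547.001"],
    fields: BOOT_EXECUTE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/boot-time-global-flag-settings",
    ],
    // Downgraded from Definitive: benign non-default entries (scheduled chkdsk, some security
    // and backup products) are common enough that the value alone does not prove compromise.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Default is autocheck autochk *; a pending chkdsk legitimately appends an autocheck autochk /p or /r entry for the target volume until the next boot",
        r"Entries are native NT images resolved from %SystemRoot%\System32 (no Win32 subsystem exists yet); some AV/backup products register their own native boot executables, so verify the binary rather than the name",
        "Writing the value needs admin, but the program then runs as SYSTEM before any security service starts, so treat unexplained entries as High",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value; persists until explicit deletion",
};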
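/// Schema shared by the two LSA package lists: one MULTI_SZ whose elements are DLL base
/// names (no extension) that lsass.exe resolves from `%SystemRoot%\System32`.
///
/// The field is still called `commands` so that whatever `Decoder::MultiSz` emits for
/// `BOOT_EXECUTE_FIELDS` keeps matching here — TODO(review): confirm the decoder keys its
/// output by schema name rather than a fixed name before renaming it to `packages`.
pub(crate) static LSA_PACKAGE_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "commands",
    value_type: ValueType::List,
    description: "DLL base names (without .dll) loaded into lsass.exe from System32",
    is_uid_component: false,
}];
/// `Lsa\Security Packages` (T1547.005): Security Support Provider DLLs loaded into LSASS.
/// A malicious SSP receives every plaintext credential LSASS handles.
pub static LSA_SECURITY_PKGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "lsa_security_pkgs",
    name: "LSA Security Packages",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Lsa",
    value_name: Some("Security Packages"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::MultiSz,
    meaning: "Security Support Providers loaded into LSASS; malicious SSP = persistent LSASS credential access",
    mitre_techniques: &["T1547.005"],
    fields: LSA_PACKAGE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        r"On Windows 8 and later this value is typically empty and the baseline provider list (kerberos msv1_0 schannel wdigest tspkg pku2u) lives in Lsa\OSConfig\Security Packages; compare both locations",
        "An SSP can also be injected at runtime via AddSecurityPackage (e.g. Mimikatz misc::memssp) with no registry change, so a clean value does not rule out a live malicious SSP",
        "With LSA Protection (RunAsPPL) enabled, unsigned SSP DLLs fail to load; check the PPL state before assessing impact",
        "Entries are bare DLL names resolved from System32; verify the file on disk",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value in the SYSTEM hive; persists until explicitly removed",
};
/// `Lsa\Authentication Packages` (T1547.002): DLLs LSASS loads at startup to process logons.
/// Default is `msv1_0`; an extra DLL sees every interactive/network logon credential.
pub static LSA_AUTH_PKGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "lsa_auth_pkgs",
    name: "LSA Authentication Packages",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Lsa",
    value_name: Some("Authentication Packages"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::MultiSz,
    meaning: "Authentication packages loaded by LSASS; extra DLLs intercept logon credentials",
    mitre_techniques: &["T1547.002"],
    fields: LSA_PACKAGE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Default is msv1_0; some third-party smart-card, SSO or VPN suites add packages legitimately, so baseline before alerting",
        "Packages load when LSASS starts, so a change takes effect at the next reboot; pair the value's key LastWrite time with boot times",
        "Review the sibling Notification Packages value (password-filter DLLs, T1556.002) with the same scrutiny",
        "With LSA Protection (RunAsPPL) enabled only Microsoft-signed DLLs load into LSASS",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value in the SYSTEM hive; persists until explicitly removed",
};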
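/// `Control\Print\Monitors\*\Driver` (T1547.010): port-monitor DLLs loaded by spoolsv.exe,
/// which runs as SYSTEM. Each monitor sub-key's `Driver` value names a DLL in System32.
pub static PRINT_MONITORS: ArtifactDescriptor = ArtifactDescriptor {
    id: "print_monitors",
    name: "Print Monitors",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\Print\Monitors",
    value_name: Some("Driver"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLL loaded into spoolsv.exe (SYSTEM); extra monitors = SYSTEM persistence",
    mitre_techniques: &["T1547.010"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows-hardware/drivers/print/print-monitor"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Stock monitors (Local Port, Standard TCP/IP Port, USB Monitor, WSD Port and, where the fax feature is present, Microsoft Shared Fax Monitor) are legitimate; baseline against a clean build of the same SKU",
        r"Driver is a DLL base name loaded from %SystemRoot%\System32; registering a monitor requires administrative rights, so an unknown entry implies a prior admin-level compromise",
        "If the Print Spooler service is disabled (common on domain controllers since PrintNightmare) the DLL never loads; record the service state alongside the finding",
        r"Print Processors (Control\Print\Environments\*\Print Processors, T1547.012) are an adjacent spooler persistence point worth checking in the same pass",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry sub-key and value in the SYSTEM hive; persist until explicitly removed",
};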
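/// `Services\W32Time\TimeProviders\*\DllName` (T1547.003): provider DLLs the Windows Time
/// service loads at start. Note the service runs as `NT AUTHORITY\LocalService`, not SYSTEM.
pub static TIME_PROVIDERS: ArtifactDescriptor = ArtifactDescriptor {
    id: "time_providers",
    name: "W32Time Time Provider DLLs",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\W32Time\TimeProviders",
    value_name: Some("DllName"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    // Corrected: W32Time is hosted in svchost -k LocalService, so a rogue provider gains
    // LocalService-level persistence rather than SYSTEM.
    meaning: "DLLs loaded by the Windows Time service (runs as LocalService); malicious entry = persistence under the LocalService account every time W32Time starts",
    mitre_techniques: &["T1547.003"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/sysinfo/time-provider"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Default providers are NtpClient and NtpServer (both w32time.dll); VMICTimeProvider (vmictimeprovider.dll) is normal on Hyper-V and Azure guests",
        "A provider loads only when its Enabled value is 1 and W32Time is running; the service is typically Automatic on domain members but trigger-started on standalone machines",
        "DllName may be a bare name or a full path; resolve and verify the file on disk",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry sub-key and value in the SYSTEM hive; persist until explicitly removed",
};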
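/// `SOFTWARE\Microsoft\NetSh` (T1546.007): helper DLLs that netsh.exe loads on every
/// invocation. Runs in whatever security context launched netsh — frequently SYSTEM,
/// because Windows components and admin scripts call netsh routinely.
pub static NETSH_HELPER_DLLS: ArtifactDescriptor = ArtifactDescriptor {
    id: "netsh_helper_dlls",
    name: "Netsh Helper DLLs",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\NetSh",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "DLLs loaded whenever netsh.exe is invoked; attacker DLL runs in user's netsh context",
    mitre_techniques: &["T1546.007"],
    fields: DLL_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/netmgmt/network-management-functions",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Many helpers ship by default (e.g. ifmon.dll, nshwfp.dll, rasmontr.dll, wcnnetsh.dll); baseline and focus on unfamiliar names or entries carrying a full path",
        "Value data is passed to LoadLibrary; a bare DLL name resolves through the standard search order, so also check for a same-name DLL planted next to a netsh caller",
        "The helper inherits the caller's context; netsh is run by Group Policy, setup and maintenance tasks, so execution as SYSTEM is likely even if the entry was planted by an admin user",
        "Writing this key requires admin rights to the SOFTWARE hive",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry values in the SOFTWARE hive; persist until explicitly removed",
};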
/// Schema for a Browser Helper Object registration: the only datum is the CLSID that
/// names the sub-key; the DLL it maps to must be resolved through the Classes\CLSID tree.
pub(crate) static BHO_FIELDS: &[FieldSchema] = &[FieldSchema {
    name: "clsid",
    value_type: ValueType::Text,
    description: "CLSID of the Browser Helper Object (sub-key name)",
    // The CLSID is what distinguishes one BHO registration from another.
    is_uid_component: true,
}];
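/// `Explorer\Browser Helper Objects` (T1176): CLSIDs of COM objects Internet Explorer
/// (and Edge IE mode) loads into the browser process.
pub static BROWSER_HELPER_OBJECTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_helper_objects",
    name: "Internet Explorer Browser Helper Objects",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "COM components auto-loaded into IE; can intercept browsing and steal credentials",
    mitre_techniques: &["T1176"],
    fields: BHO_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa753582(v=vs.85)",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        r"32-bit BHOs on 64-bit Windows register under SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects; check both views",
        r"The sub-key name is a CLSID; resolve it via Classes\CLSID\{GUID}\InprocServer32 (HKLM and HKCU) to find the DLL before judging",
        "IE11 is retired, but Edge IE mode still loads BHOs for sites on the Enterprise Mode Site List, so retirement of IE does not neutralise this hook",
        "A NoExplorer value of 1 keeps the BHO out of Explorer; the sub-key's LastWrite time dates the registration",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry sub-keys in the SOFTWARE hive; persist until explicitly removed",
};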
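/// Per-user Startup folder (T1547.001): anything here runs at that user's interactive logon
/// with no elevation required. The path is the default; Explorer actually reads it from
/// `User Shell Folders\Startup`, which an attacker can redirect.
pub static STARTUP_FOLDER_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "startup_folder_user",
    name: "User Startup Folder",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executables and LNKs here run at user logon; no admin required",
    mitre_techniques: &["T1547.001"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Installers (OneDrive, Teams, vendor updaters) legitimately drop LNKs here; resolve each shortcut's target and arguments rather than judging by name",
        r"The effective location comes from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup; if the folder looks empty, check that value for redirection",
        r"Profile roots are not always under C:\Users; enumerate ProfileList\*\ProfileImagePath to find every user's folder",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files on disk; persist until deleted (and then as $MFT/$UsnJrnl traces)",
};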
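/// All-users Startup folder (T1547.001): runs for every interactive logon, in the logging-on
/// user's context (not SYSTEM). Writing here requires admin. Explorer reads the path from
/// `User Shell Folders\Common Startup` under HKLM.
pub static STARTUP_FOLDER_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "startup_folder_system",
    name: "System Startup Folder",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Executables and LNKs run for every user at logon; requires admin to plant",
    mitre_techniques: &["T1547.001"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://learn.microsoft.com/en-us/windows/win32/shell/csidl"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        r"The effective location comes from HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup; verify it has not been redirected",
        "Entries execute as the logging-on user, not SYSTEM; privilege gained equals that of whoever logs on next",
        "Per-machine installers also use this folder legitimately; resolve LNK targets and arguments before judging",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Files on disk; persist until deleted (and then as $MFT/$UsnJrnl traces)",
};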
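/// `System32\Tasks` (T1053.005): the XML definition of every registered task. The registry
/// TaskCache is the authoritative index; the XML alone can be deleted or forged.
pub static SCHEDULED_TASKS_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "scheduled_tasks_dir",
    name: "Scheduled Tasks Directory",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\Tasks"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "XML task definitions; malicious tasks can run at boot, logon, or arbitrary intervals",
    mitre_techniques: &["T1053.005"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page",
        "https://redcanary.com/threat-detection-report/techniques/t1053/",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Task XML may be deleted after execution; Security events 4698/4699/4702 exist only if 'Audit Other Object Access Events' is enabled, and the Microsoft-Windows-TaskScheduler/Operational log (106/140/141/200/201) may be disabled by default",
        r"The registry TaskCache (SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree and \Tasks) is the authoritative list; a Tree entry stripped of its SD value is hidden from schtasks and the UI yet still runs (the Tarrask technique)",
        r"Tasks placed in the root folder or named like Microsoft\Windows\* are common disguises; compare the XML Author, URI and Date with the file's $MFT timestamps and the TaskCache LastWrite time",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "XML files in tasks directory; persist until task deleted",
};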
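/// `SecurityProviders\WDigest\UseLogonCredential`: a configuration switch, not an execution
/// trace. A value of 1 makes LSASS keep plaintext passwords for new logons, which is the
/// classic pre-Mimikatz step on patched hosts (T1112 to enable T1003.001).
pub static WDIGEST_CACHING: ArtifactDescriptor = ArtifactDescriptor {
    id: "wdigest_caching",
    name: "WDigest UseLogonCredential",
    artifact_type: ArtifactType::RegistryValue,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Control\SecurityProviders\WDigest",
    value_name: Some("UseLogonCredential"),
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::DwordLe,
    meaning:
        "1 = cleartext creds in LSASS; attackers set this before Mimikatz to harvest passwords",
    mitre_techniques: &["T1003.001", "T1112"],
    // NOTE(review): RUN_KEY_FIELDS (defined elsewhere) describes Run-key command entries; a
    // DwordLe value is a single integer. Confirm what the decoder emits and give this its own
    // one-field schema if the names do not line up.
    fields: RUN_KEY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://redcanary.com/threat-detection-report/techniques/t1003/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Value is absent by default on Windows 8.1/Server 2012 R2 and later and on Windows 7/8/2008 R2/2012 with KB2871997 installed, where absent means 0 (caching off); on unpatched legacy builds WDigest caches plaintext regardless of this value",
        "Enabling it affects only logons after the change; attackers typically set it and then wait for, or force, a fresh logon before dumping LSASS",
        "A few legacy SSO/compat deployments set it deliberately; attribute the change (Security 4657 with a SACL on the key, or Sysmon 13) and look for subsequent LSASS access (Sysmon 10)",
        "The value proves intent to weaken credential protection, not that a dump occurred; pair it with LSASS-access and logon evidence",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry value in the SYSTEM hive; persists until explicitly reset",
};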
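/// `Explorer\WordWheelQuery`: search strings typed into the Explorer search box, ordered by
/// the MRUListEx value. Useful for reconstructing what an actor was looking for (T1083).
pub static WORDWHEEL_QUERY: ArtifactDescriptor = ArtifactDescriptor {
    id: "wordwheel_query",
    name: "WordWheelQuery (Explorer Search)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MruListEx,
    meaning:
        "Search terms entered into Windows Explorer search bar; reveals attacker reconnaissance",
    mitre_techniques: &["T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2012/08/wordwheelquery.html",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Entries carry no timestamps; MRUListEx gives relative recency only, and the key LastWrite time dates just the newest search",
        "Only the Explorer search box writes here; searches via third-party file managers or command-line tools leave no trace",
        "Values are UTF-16LE strings; a term that matches a later-accessed file is corroboration of intent, not proof the file was opened",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry values in NTUSER.DAT; persist until the user clears them or they age out of the MRU list",
};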
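/// `ComDlg32\OpenSaveMRU`: files opened or saved through the Win32 common dialogs, kept as one
/// sub-key per extension plus a `*` sub-key for the most recent of any type (T1083).
pub static OPENSAVE_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "opensave_mru",
    name: "OpenSaveMRU (Common Dialog)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    // NOTE(review): this key name is XP-era. Vista and later write OpenSavePidlMRU (binary
    // PIDL values) under the same ComDlg32 parent; the collector should also read that key
    // or this descriptor will find nothing on modern hosts despite os_scope: All.
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::MruListEx,
    meaning: "Paths of files opened or saved via Win32 common dialog boxes; per-extension history",
    mitre_techniques: &["T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://forensics.wiki/opensavemru/",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "OpenSaveMRU holds plain strings on Windows XP only; Vista and later store the same history as binary PIDLs under OpenSavePidlMRU, so collect that key on modern systems",
        "Only applications that use the Win32 common dialogs populate it; programs with custom pickers or command-line file access leave no trace",
        "No per-entry timestamps; each extension sub-key's LastWrite time dates only its newest entry",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry values in NTUSER.DAT; persist until aged out of the MRU list or cleared",
};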
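/// `ComDlg32\LastVisitedMRU`: the executable that showed a common dialog paired with the last
/// folder it browsed — links a program to the directories it touched (T1083).
pub static LASTVISITED_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "lastvisited_mru",
    name: "LastVisitedMRU (Common Dialog)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    // NOTE(review): XP-era key name. Vista and later write LastVisitedPidlMRU (and, on
    // Windows 7+, LastVisitedPidlMRULegacy for old-style dialogs) under the same parent;
    // the collector should read those keys too or this finds nothing on modern hosts.
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::MruListEx,
    meaning: "Application + last-used folder from common dialog; reveals programs accessing files",
    mitre_techniques: &["T1083"],
    fields: MRU_RECENT_DOCS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://windowsir.blogspot.com/2006/11/recent-docs-mru.html",
        "https://www.sans.org/blog/opensavemru-and-lastvisitedmru/",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "LastVisitedMRU holds plain strings on Windows XP only; Vista and later store the executable name followed by a binary PIDL under LastVisitedPidlMRU (plus LastVisitedPidlMRULegacy on Windows 7+), so collect those keys on modern systems",
        "Records the dialog's last folder, not the file chosen; pair with OpenSaveMRU/OpenSavePidlMRU for the filename",
        "No per-entry timestamps; the key LastWrite time dates only the newest entry",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Registry values in NTUSER.DAT; persist until aged out of the MRU list or cleared",
};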
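/// Per-record schema for parsed `$MFT` entries.
///
/// Offsets are relative to the 1024-byte FILE record header, the `$STANDARD_INFORMATION` (SI)
/// attribute body, or the `$FILE_NAME` (FN) attribute body, as stated in each description.
/// The SI/FN split is the basis of timestomping detection: SI timestamps are settable from
/// user mode, FN timestamps only indirectly (they are copied from SI on rename/move).
pub(crate) static MFT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::Integer,
        // Corrected offset: the record number is the uint32 at header 0x2C (NTFS 3.1+);
        // 0x2A is the two-byte alignment pad.
        description: "Record number within the $MFT (NTFS 3.1+: uint32 at header 0x2C; older volumes: file offset / record size); slots are reused after deletion, so pair with sequence_number",
        is_uid_component: true,
    },
    FieldSchema {
        name: "sequence_number",
        value_type: ValueType::Integer,
        description: "Reuse counter (uint16 at header 0x10) — incremented each time a record slot is deallocated; stale references detectable",
        is_uid_component: false,
    },
    FieldSchema {
        name: "lsn",
        value_type: ValueType::UnsignedInt,
        description: "$LogFile Sequence Number (uint64 at 0x08); monotonically increasing modification counter; links to $LogFile transaction",
        is_uid_component: false,
    },
    FieldSchema {
        name: "hard_link_count",
        value_type: ValueType::UnsignedInt,
        description: "Number of $FILE_NAME attributes (uint16 at 0x12); > 1 indicates hard links — each is a separate directory entry",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_created",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION created time (SI offset +0); settable from user mode via SetFileTime — compare with fn_created",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_modified",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION last-modified time (SI offset +8); settable via SetFileTime",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_changed",
        value_type: ValueType::Timestamp,
        // SetFileTime cannot set it, but the native NtSetInformationFile(FileBasicInformation)
        // path can, so the old "requires raw volume write" claim was too strong.
        description: "$STANDARD_INFORMATION MFT-record-changed time (SI offset +16); not exposed by SetFileTime but settable via NtSetInformationFile(FileBasicInformation), so not tamper-proof",
        is_uid_component: false,
    },
    FieldSchema {
        name: "si_accessed",
        value_type: ValueType::Timestamp,
        description: "$STANDARD_INFORMATION last-accessed time (SI offset +24); updates governed by NtfsDisableLastAccessUpdate and disabled or system-managed on most modern builds, so often stale",
        is_uid_component: false,
    },
    FieldSchema {
        name: "usn",
        value_type: ValueType::UnsignedInt,
        description: "Update Sequence Number from $STANDARD_INFORMATION offset +64; links MFT record to its $UsnJrnl:$J change entry",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_created",
        value_type: ValueType::Timestamp,
        // FN timestamps are kernel-written, but a rename/move creates a fresh $FILE_NAME
        // whose timestamps are copied from SI — forged SI values propagate into FN.
        description: "$FILE_NAME created time (FN offset +8); written by the kernel and not settable via SetFileTime, but copied from SI when the file is renamed or moved — a timestomp followed by a rename propagates forged values",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_modified",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME last-modified time (FN offset +16); kernel-written, refreshed from SI on rename/move",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_changed",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME MFT-record-changed time (FN offset +24); kernel-written, refreshed from SI on rename/move",
        is_uid_component: false,
    },
    FieldSchema {
        name: "fn_accessed",
        value_type: ValueType::Timestamp,
        description: "$FILE_NAME last-accessed time (FN offset +32); kernel-written, refreshed from SI on rename/move",
        is_uid_component: false,
    },
    FieldSchema {
        name: "filename",
        value_type: ValueType::Text,
        description: "UTF-16LE filename from $FILE_NAME (offset +66); namespace: 0=POSIX, 1=Win32, 2=DOS, 3=Win32&DOS",
        is_uid_component: true,
    },
    FieldSchema {
        name: "parent_mft_record",
        value_type: ValueType::Integer,
        description: "48-bit MFT record number of the parent directory (FN offset +0)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "file_size",
        value_type: ValueType::Integer,
        description: "Logical (real) file size in bytes from $FILE_NAME offset +48; FN sizes are not kept current on every write, so prefer the $DATA attribute for the live size",
        is_uid_component: false,
    },
    FieldSchema {
        name: "flags",
        value_type: ValueType::UnsignedInt,
        // Corrected bit positions: the flags are the low bits of the uint16 at 0x16.
        description: "Record flags (uint16 at header 0x16): 0x0001 = In Use, 0x0002 = Is Directory, 0x0004 = In $Extend, 0x0008 = Is View Index; a record with 0x0001 clear is deleted but its attributes may be intact",
        is_uid_component: false,
    },
    FieldSchema {
        name: "record_slack",
        value_type: ValueType::UnsignedInt,
        description: "Allocated size (header 0x1C) minus used size (header 0x18) in bytes; residual space may contain prior attribute remnants from a previous, larger incarnation of the record",
        is_uid_component: false,
    },
];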
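/// `$MFT`: one 1024-byte record per file and directory on the volume, including deleted
/// ones whose slot has not been reused. Primary source for timestomping detection, hidden
/// files, alternate data streams and small-file recovery.
pub static MFT: ArtifactDescriptor = ArtifactDescriptor {
    id: "mft",
    name: "NTFS Master File Table ($MFT)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"\\.\<volume>\$MFT"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Complete filesystem map with dual timestamps ($STANDARD_INFORMATION vs $FILE_NAME); primary source for timestomping detection and deleted-file recovery",
    // T1564.004 added: named $DATA streams (ADS) are only enumerable from the MFT record.
    mitre_techniques: &["T1070.006", "T1070.004", "T1564.001", "T1564.004"],
    fields: MFT_FIELDS,
    retention: Some("Entries persist until overwritten; allocated space grows monotonically"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["usnjrnl", "logfile_ntfs", "prefetch_dir"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table",
        "https://www.sans.org/blog/windows-file-system-forensics-ntfs-master-file-table/",
        "https://github.com/EricZimmerman/MFTECmd",
        "https://www.13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
        "https://web.archive.org/web/20210228/https://www.kazamiya.net/files/MFT_Forensics.pdf",
        "https://github.com/kacos2000/MFT_Browser",
        "https://github.com/kacos2000/MFT_Browser",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        r"The file is locked on live systems; read it through a raw volume handle (\\.\C:) or from a volume shadow copy",
        "SI timestamps are user-spoofable; always compare against FN timestamps, remembering FN is refreshed from SI on rename/move — common tells are SI fractional seconds of exactly zero and SI created earlier than FN created",
        "Deleted-file entries may be overwritten if MFT fills up",
        "Record numbers are reused; carry the sequence number whenever linking to $UsnJrnl or $LogFile references",
        "Resident files (roughly under 700 bytes) keep their content inside the record, so deleted small files are often fully recoverable from $MFT alone",
        "Named $DATA streams (ADS) are visible only here and via dir /r; include them when hunting staged payloads",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "$MFT entries persist until overwritten by new allocations; unallocated entries survive long-term",
};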
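/// Schema for one `USN_RECORD_V2` parsed from `$UsnJrnl:$J`.
///
/// Records are variable-length and 8-byte aligned inside a sparse stream, so the USN
/// doubles as the record's byte offset within `$J`.
pub(crate) static USNJRNL_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "usn",
        value_type: ValueType::Integer,
        description: "Update Sequence Number — monotonically increasing journal position; equals the record's byte offset within $J",
        is_uid_component: true,
    },
    FieldSchema {
        name: "file_reference",
        value_type: ValueType::Integer,
        description: "48-bit MFT record number + 16-bit sequence number of the affected file; the sequence disambiguates a record slot that has since been reused",
        is_uid_component: true,
    },
    FieldSchema {
        name: "parent_reference",
        value_type: ValueType::Integer,
        description: "MFT reference of the parent directory at the time of the event; resolve against $MFT to rebuild the path (stale if the parent was later deleted or its slot reused)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Event timestamp as a 64-bit Windows FILETIME (UTC), taken from the system clock when the record was written — unaffected by SetFileTime timestomping",
        is_uid_component: false,
    },
    FieldSchema {
        name: "reason",
        value_type: ValueType::UnsignedInt,
        // Reason bits accumulate for as long as a handle stays open; the record that carries
        // CLOSE holds the union of everything done through that handle.
        description: "USN reason bitmask: DATA_OVERWRITE (0x1), DATA_EXTEND (0x2), FILE_CREATE (0x100), FILE_DELETE (0x200), RENAME_OLD_NAME (0x1000), RENAME_NEW_NAME (0x2000), BASIC_INFO_CHANGE (0x8000), CLOSE (0x80000000); flags accumulate over an open handle, and a BASIC_INFO_CHANGE with no data-change bits is a common timestomp trace",
        is_uid_component: false,
    },
    FieldSchema {
        name: "file_attributes",
        value_type: ValueType::UnsignedInt,
        description: "Win32 file attribute flags at the time of the event (e.g. 0x2 HIDDEN, 0x10 DIRECTORY, 0x20 ARCHIVE)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "filename",
        value_type: ValueType::Text,
        description: "Filename (not full path) of the affected file or directory, UTF-16LE in the record; a rename emits one record with the old name and one with the new",
        is_uid_component: true,
    },
];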
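/// `$UsnJrnl:$J`: the NTFS change journal — one record per create/delete/rename/attribute
/// change, written by the kernel with its own clock, so it survives SI timestomping and
/// outlives the directory entry of a deleted file.
pub static USNJRNL: ArtifactDescriptor = ArtifactDescriptor {
    id: "usnjrnl",
    name: "NTFS USN Change Journal ($UsnJrnl:$J)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"\\.\<volume>\$Extend\$UsnJrnl:$J"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Operation-level file system log: file creates, deletes, renames, and attribute changes — survives directory-entry deletion and MFT reuse",
    mitre_techniques: &["T1070.004", "T1036.003", "T1070.006"],
    fields: USNJRNL_FIELDS,
    retention: Some("Configurable; default ~32 MB rolling window (~days of activity)"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["mft", "logfile_ntfs", "prefetch_dir"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2",
        "https://www.sans.org/blog/ntfs-usn-change-journal-forensics/",
        "https://github.com/EricZimmerman/MFTECmd",
        "https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.usnjournalscanner/",
        "https://www.magnetforensics.com/blog/ntfs-usn-change-journal/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Journal is a rolling window (~32 MB default); older entries are overwritten",
        "Journal can be cleared by an attacker with sufficient privileges (fsutil usn deletejournal); a journal whose earliest record is recent, or whose ID in $Max changed, is itself an indicator",
        "$J alternate data stream requires raw NTFS access — not visible via Win32 APIs",
        "Records hold only the filename; rebuild paths through parent_reference against $MFT and expect gaps where parents were deleted or their slots reused",
        "$J is sparse: the stream's logical size far exceeds its allocated tail, so parsers must skip the unallocated prefix; older records are sometimes carvable from freed clusters",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "$UsnJrnl:$J is a rolling window (~32 MB); oldest records are overwritten as the journal grows",
};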
/// `$LogFile`: the NTFS metadata transaction log (redo/undo records keyed by LSN).
///
/// Short-lived, but each record's LSN can be matched against the LSN in an `$MFT` record
/// header, which is how it corroborates or contradicts a suspicious timestamp.
pub static LOGFILE_NTFS: ArtifactDescriptor = ArtifactDescriptor {
    id: "logfile_ntfs",
    name: "NTFS Transaction Log ($LogFile)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"\\.\<volume>\$LogFile"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "NTFS transaction log with LSNs that cross-validate MFT timestamps; recent metadata operations only",
    mitre_techniques: &["T1070.006"],
    // Inline schema: only the two fields every log parser exposes are modelled here.
    fields: &[
        FieldSchema {
            name: "lsn",
            value_type: ValueType::Integer,
            description: "Log Sequence Number — monotonically increasing within the volume",
            is_uid_component: true,
        },
        FieldSchema {
            name: "record_type",
            value_type: ValueType::Text,
            description: "NTFS log record type (UPDATE, CHECKPOINT, etc.)",
            is_uid_component: false,
        },
    ],
    retention: Some("~64 MB rolling window; typically hours of recent activity"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["mft", "usnjrnl"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview",
        "https://github.com/EricZimmerman/NTFSLogTracker",
        "https://www.sans.org/blog/the-key-to-ntfs-forensics-the-logfile/",
    ],
    // Corroborative rather than Strong: the window is too short to stand alone.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "~64 MB rolling window; typically only hours of recent metadata operations",
        "Primarily useful for cross-validating MFT LSN chains to detect timestamp injection",
        "Requires specialised NTFS log parser (e.g. NTFSLogTracker)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "$LogFile is ~64 MB; wraps on high-activity systems within hours",
};
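/// `C:\Windows\Prefetch` (*.pf): per-executable launch records kept by the prefetcher —
/// run count, last run time(s) and the files/volumes touched during the trace window.
/// Evidence of execution that outlives the binary itself.
pub static PREFETCH_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "prefetch_dir",
    name: "Prefetch Files Directory",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\Prefetch"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    // Corrected: there is no 30-day horizon; .pf files stay until evicted by count.
    meaning: "Binary .pf files recording program execution: run count, last run time (last eight run times on Windows 8+), and the files and volumes referenced at launch",
    mitre_techniques: &["T1204.002"],
    fields: DIR_ENTRY_FIELDS,
    // Corrected: the 128-file cap applies to Windows 7 and earlier; Windows 8+ keeps 1024.
    retention: Some("128 .pf files on Windows 7 and earlier, 1024 on Windows 8 and later; oldest evicted beyond that"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["shimcache", "amcache_app_file", "bam_user"],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-prefetch-files/",
        "https://13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier",
        "https://isc.sans.edu/diary/Forensic+Value+of+Prefetch/29168",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/",
        "https://github.com/EricZimmerman/PECmd",
        "https://github.com/EricZimmerman/Prefetch",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        r"Prefetching is off by default on Windows Server SKUs and can be disabled via Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher; an empty folder is not proof of no execution",
        "The embedded last-run time marks process start; the .pf file's own modified time trails it by roughly the 10-second trace window, and its creation time approximates first execution",
        "The filename hash covers the executable path (and, for hosting processes such as svchost, rundll32 and mmc, the command line), so one binary can yield several .pf files and a copy in a new path yields a new one",
        "Windows 10+ .pf files are Xpress-Huffman (MAM) compressed; use a parser that handles the MAM header",
        "Attackers delete or disable Prefetch; corroborate with Amcache, ShimCache, BAM and SRUM",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Directory is capped by file count (128/1024); once full, the oldest .pf files are evicted as new programs run",
};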
/// Minimal schema for a SRUM application-resource row: the application identity and the
/// user it ran as. Per-window counters (CPU, bytes, energy) are not modelled here.
pub(crate) static SRUM_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_name",
        value_type: ValueType::Text,
        description: "Application executable path or service name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_sid",
        value_type: ValueType::Text,
        description: "SID of the user who ran the application",
        // Not part of the UID: the same app is one artifact regardless of who ran it.
        is_uid_component: false,
    },
];
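/// `SRUDB.dat`: the System Resource Usage Monitor ESE database — per-application, per-user
/// CPU, network and energy counters aggregated hourly. Survives event-log clearing and is
/// the usual source for how many bytes a process actually sent.
pub static SRUM_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_db",
    name: "SRUM Database (SRUDB.dat)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat"),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    meaning:
        "Per-app CPU, network, and energy usage records; execution timeline survives log clearing",
    mitre_techniques: &["T1204.002"],
    fields: SRUM_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["prefetch_dir"],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://www.sans.org/blog/srum-forensics/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
        "https://github.com/MarkBaggett/srum-dump",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Requires ESE database parsing; data is aggregated over time windows",
        "App paths may be partial; correlate with other execution artifacts",
        r"Up to the last hour of data still sits in the SOFTWARE hive (Microsoft\Windows NT\CurrentVersion\SRUM\Extensions) awaiting the hourly flush; collect that hive alongside, it also maps extension GUIDs and network profile names",
        "A live copy is usually in dirty-shutdown state; repair with esentutl /r sru /d followed by esentutl /p before parsing",
        "Rows reference AppId/UserId from SruDbIdMapTable; per-app bytes sent/received (network data usage) is the volume evidence for exfiltration",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SRUM ESE database; records rolled up and purged periodically",
};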
/// Schema for a row of the `Activity` table in `ActivitiesCache.db`.
///
/// The ActivityType codes and payload layout follow the kacos2000 WindowsTimeline research
/// cited by the descriptor that uses this schema.
pub(crate) static WINDOWS_TIMELINE_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "activity_type",
        value_type: ValueType::Integer,
        description: "5=AppInFocus, 6=AppLifecycle, 11=UserActivity, 12=Notification, 16=CopyPaste",
        is_uid_component: true,
    },
    FieldSchema {
        name: "start_time",
        value_type: ValueType::Timestamp,
        // Stored as seconds since the Unix epoch, not FILETIME.
        description: "Unix epoch start time of the activity",
        is_uid_component: false,
    },
    FieldSchema {
        name: "end_time",
        value_type: ValueType::Timestamp,
        description: "Unix epoch end time; duration = end_time - start_time gives focus duration",
        is_uid_component: false,
    },
    FieldSchema {
        name: "payload_json",
        value_type: ValueType::Json,
        description: "Type-specific JSON payload; type 16 contains clipboard text",
        is_uid_component: false,
    },
    FieldSchema {
        name: "platform_device_id",
        value_type: ValueType::Guid,
        description: "Device GUID; resolve to name via DeviceCache registry",
        is_uid_component: false,
    },
    FieldSchema {
        name: "is_local_only",
        value_type: ValueType::Integer,
        // Cross-device sync was retired in July 2021; the flag still distinguishes
        // activities that were ever eligible for upload.
        description:
            "1 = not synced to cloud; 0 = was eligible for cross-device sync (pre-July 2021)",
        is_uid_component: false,
    },
];
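/// `ActivitiesCache.db`: per-user SQLite store behind Windows Timeline — app focus and
/// lifecycle events, and (when clipboard history is on) clipboard contents, each tagged with
/// the device it happened on.
pub static WINDOWS_TIMELINE: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_timeline",
    name: "Windows Timeline (ActivitiesCache.db)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db"),
    scope: DataScope::User,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    // Wording softened: clipboard rows are a strong lead, not a primary indicator on their own.
    meaning: "App focus, lifecycle, and clipboard events with per-device attribution. \
              Activity_Type 16 (CopyPaste) entries can capture clipboard text — relevant to \
              credential staging and data exfiltration. platform_device_id GUID resolves \
              to a device name via the DeviceCache registry. Cloud sync disabled July 2021; \
              db-wal carving recovers deleted clipboard entries.",
    mitre_techniques: &["T1059", "T1204.002", "T1115"],
    fields: WINDOWS_TIMELINE_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["windows_timeline_devicecache"],
    sources: &[
        "https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf",
        "https://github.com/kacos2000/WindowsTimeline",
        "https://www.sans.org/blog/windows-10-timeline-forensic-artifacts/",
        "https://aboutdfir.com/windows-10-timeline/",
        "http://windowsir.blogspot.com/2019/11/activitescachedb-vs-ntuserdat.html",
        "https://github.com/EricZimmerman/WxTCmd",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Clipboard (type 16) rows exist only when Clipboard history / cloud clipboard was enabled; their absence is not evidence nothing was copied",
        "Collect ActivitiesCache.db-wal and -shm with the main file; uncheckpointed rows and deleted-row remnants live in the WAL",
        "Timestamps are Unix epoch UTC; rows expire (ExpirationTime, ~30 days) and the user can wipe the store via Settings > Privacy > Activity history",
        "Timeline sync ended July 2021 and the UI was removed in Windows 11; on Windows 11 the database may be absent, empty or stale — verify before drawing negative conclusions",
        "Activities synced from other devices carry a different platform_device_id; without the DeviceCache mapping do not assume an activity ran on the examined host",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SQLite rows expire after ~30 days and the store can be cleared by the user; WAL content is the most short-lived part",
};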
/// Registry mapping from Timeline `PlatformDeviceId` GUIDs to device display names.
///
/// NOTE(review): the descriptor is named DeviceCache but points at
/// `CloudStore\Store\Cache\DefaultAccount\*\Current\Data`. The kacos2000 research cited in
/// `sources` resolves PlatformDeviceId through
/// `Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache\{GUID}`
/// (DeviceDisplayName / DeviceMake / DeviceModel). Confirm which key the collector should
/// read before relying on this mapping for device attribution.
pub static WINDOWS_TIMELINE_DEVICECACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_timeline_devicecache",
    name: "Windows Timeline DeviceCache Registry",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\*\Current",
    // CloudStore `Data` values are binary blobs; presumably the collector decodes the
    // embedded device name — verify against the decoder, since Decoder::Identity is used.
    value_name: Some("Data"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "Maps platform_device_id GUIDs (ActivitiesCache.db Activities.PlatformDeviceId) \
              to human-readable device names. Required to determine whether timeline activities \
              originated on the examined device or were synced from another.",
    mitre_techniques: &["T1059"],
    fields: &[
        FieldSchema {
            name: "device_guid",
            value_type: ValueType::Guid,
            description: "Device GUID matching Activities.PlatformDeviceId",
            is_uid_component: true,
        },
        FieldSchema {
            name: "device_name",
            value_type: ValueType::Text,
            description: "Human-readable device display name",
            is_uid_component: false,
        },
    ],
    retention: None,
    // Low on its own: it is a lookup table for windows_timeline, not evidence by itself.
    triage_priority: TriagePriority::Low,
    related_artifacts: &["windows_timeline"],
    sources: &[
        "https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf",
        "https://github.com/kacos2000/WindowsTimeline",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
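/// `windows.db`: the SQLite-backed Windows Search index introduced in Windows 11 22H2,
/// replacing the ESE `Windows.edb`. Its `gather_time` is the indexer's own clock and
/// therefore independent of (and a check on) NTFS timestamps.
pub static WINDOWS_SEARCH_DB_WIN11: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_search_db_win11",
    name: "Windows Search Index SQLite (windows.db, Win11 22H2+)",
    artifact_type: ArtifactType::DatabaseEntry,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.db"),
    scope: DataScope::System,
    os_scope: OsScope::Win11_22H2,
    decoder: Decoder::Identity,
    meaning: "Win11 22H2+ replacement for Windows.edb. Same forensic value — \
              gather_time independent of NTFS timestamps — but SQLite3 format. \
              Different path: note 'Search' (not 'Windows Search') and 'windows.db' (lowercase). \
              Check for both files on Win11 systems.",
    mitre_techniques: &["T1070.004", "T1070.006"],
    fields: &[
        FieldSchema {
            name: "file_path",
            value_type: ValueType::Text,
            description: "Indexed file or folder path",
            is_uid_component: true,
        },
        FieldSchema {
            name: "gather_time",
            value_type: ValueType::Timestamp,
            description: "Last indexed time — independent of NTFS timestamps",
            is_uid_component: false,
        },
    ],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["windows_search_edb", "mft", "usnjrnl"],
    sources: &["https://github.com/kacos2000/WinEDB"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Collect windows.db-wal and windows.db-shm with the database (SQLite WAL mode); also check the same folder for the companion Windows-gather.db and Windows-usn.db files",
        "Only indexed locations (user profiles, Start menu, configured folders, Outlook data) appear; absence from the index says nothing about presence on disk",
        "gather_time records when the indexer last processed the item, which can lag the file change by minutes to hours depending on indexer backlog and power state",
        "The indexer runs as SYSTEM and the file is locked while the Windows Search service runs; acquire via raw copy or VSS",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SQLite rows persist until the item is removed from the index or the index is rebuilt",
};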
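/// `ConsoleHost_history.txt`: PSReadLine's append-only log of interactive PowerShell input.
/// Plain text with no timestamps — trivially cleared or edited, hence T1070.003 alongside
/// the execution and credential-access mappings.
pub static POWERSHELL_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "powershell_history",
    name: "PowerShell PSReadLine History",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
    ),
    scope: DataScope::User,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "Line-by-line PowerShell interactive command history; attackers often clear this",
    // T1070.003 added: clearing/editing this file is Clear Command History.
    mitre_techniques: &["T1059.001", "T1552", "T1070.003"],
    fields: FILE_PATH_FIELDS,
    retention: Some("4096 commands; oldest evicted when limit reached"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/powershell-forensics/",
        "https://redcanary.com/threat-detection-report/techniques/t1059.001/",
        "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Written only by PSReadLine in interactive console hosts; scripts, -Command/-File invocations, remoting sessions and the ISE leave nothing here",
        "PSReadLine 2.1+ silently omits lines containing password, asplaintext, token, apikey or secret, so credential-bearing commands are under-represented",
        "Plain text with no timestamps or exit status; the file is user-writable, so it can be trimmed or fabricated without privileges, and Set-PSReadLineOption -HistorySaveStyle SaveNothing disables it",
        "PowerShell 7 (pwsh) shares this path on Windows; HistorySavePath can be redirected via Set-PSReadLineOption, so check profile scripts if the file is missing",
        "Cross-check with Microsoft-Windows-PowerShell/Operational 4104 script-block logs, which capture the non-interactive code this file misses",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Append-only text file capped at 4096 lines; oldest lines are dropped and the whole file is easily deleted",
};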
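/// Schema for one `$I` metadata record under `C:\$Recycle.Bin\{SID}\`.
///
/// Offsets follow the on-disk record: version at 0, original size at 8,
/// deletion FILETIME at 16, then the UTF-16LE path — at 24 for version 1, or
/// at 28 for version 2, where a uint32 character count occupies offset 24.
pub const RECYCLE_BIN_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "version",
        value_type: ValueType::UnsignedInt,
        description: "uint64 at offset 0: 1=Vista/7/8/8.1 (fixed 520-byte path@24), \
                      2=Win10/11 (uint32 path length in UTF-16 chars @24, path@28); \
                      selects correct UTF-16LE path offset",
        is_uid_component: false,
    },
    FieldSchema {
        name: "original_size",
        value_type: ValueType::UnsignedInt,
        description: "uint64 at offset 8: size of deleted file in bytes; \
                      zero if file was a directory",
        is_uid_component: false,
    },
    FieldSchema {
        name: "deletion_time",
        value_type: ValueType::Timestamp,
        description: "FILETIME (100-ns intervals since 1601-01-01) at offset 16: \
                      moment the file was moved to Recycle.Bin — not secure-delete time; \
                      taken from the system clock, so verify against $MFT/$UsnJrnl; \
                      convert: (filetime - 116444736000000000) / 10000000 = Unix epoch",
        is_uid_component: false,
    },
    FieldSchema {
        name: "original_path",
        value_type: ValueType::Text,
        description: "UTF-16LE null-terminated string starting at offset 24 (v1) or 28 (v2): \
                      full pre-deletion Windows path (e.g. C:\\Users\\alice\\Documents\\creds.xlsx); \
                      survives Recycle.Bin emptying if $I file is not overwritten",
        is_uid_component: true,
    },
    FieldSchema {
        name: "sid",
        value_type: ValueType::Text,
        // The SAM only knows local accounts; domain SIDs are resolved elsewhere.
        description: "Security Identifier from parent directory name, format S-1-5-21-…-{RID}; \
                      identifies whose profile the file was deleted from; local accounts resolve \
                      via the SAM hive (HKLM\\SAM\\SAM\\Domains\\Account\\Users), domain SIDs via \
                      SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList or AD",
        is_uid_component: true,
    },
    FieldSchema {
        name: "i_filename",
        value_type: ValueType::Text,
        description: "$I{hex} — the metadata filename; hex suffix links to matching $R{hex} \
                      content file; suffix is random but consistent within the pair",
        is_uid_component: true,
    },
    FieldSchema {
        name: "r_file_exists",
        value_type: ValueType::Bool,
        description: "bool: whether $R{hex} content file is present; False = file permanently \
                      deleted or Bin emptied — but $I metadata still recoverable; \
                      analysts can reconstruct deletion evidence from $I alone",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_addr",
        value_type: ValueType::UnsignedInt,
        description: "NTFS MFT record address (meta.addr via pytsk3) of the $I file itself; \
                      pivot to $MFT for additional timeline anchors independent of $I timestamps",
        is_uid_component: false,
    },
];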
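/// `$I` metadata files in the per-SID Recycle Bin directories.
///
/// The original wording claimed `$I` "always survives"; after the Bin is
/// emptied both `$I` and `$R` are deleted and persist only as unallocated MFT
/// records/clusters until reused, so the claim is now stated accurately.
pub static RECYCLE_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "recycle_bin",
    name: "Recycle Bin ($I Metadata)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\$Recycle.Bin\{SID}\$I*"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "$I files record original path and deletion timestamp; after the Bin is emptied \
              both $I and $R are deleted and survive only as unallocated MFT records until \
              reused; version field selects correct path offset (24 vs 28); SID directory \
              links the deletion to a user profile (SAM for local accounts, ProfileList/AD \
              for domain SIDs); $R absence means content is unrecoverable but a recovered \
              $I still yields path and time",
    mitre_techniques: &["T1070.004", "T1083", "T1078.003"],
    fields: RECYCLE_BIN_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["sam_users", "mft_file", "usnjrnl", "lnk_files"],
    sources: &[
        "https://www.sans.org/blog/digital-forensics-recycle-bin-forensics/",
        "https://windowsir.blogspot.com/2010/02/more-on-recycle-bin.html",
        "https://www.magnetforensics.com/blog/artifact-profile-recycle-bin/",
        "https://andreafortuna.org/2019/09/26/windows-forensics-analysis-of-recycle-bin-artifacts/",
        "https://github.com/EricZimmerman/RBCmd",
        "https://github.com/akhil-dara/RecycleBin-Forensic-Explorer",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "File name and deletion time available; original content may be overwritten",
        "Shift+Delete, del/rm from a shell, and deletions by services or on network shares \
         bypass the Bin entirely — no $I file is not evidence that nothing was deleted",
        "deletion_time comes from the system clock; corroborate with $MFT/$UsnJrnl to \
         detect timestomping or clock manipulation",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Emptying the Bin or permanent delete removes $I/$R; they survive only as \
                           deleted MFT entries until the records are reused",
};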
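/// Explorer thumbnail cache (`thumbcache_*.db`) in the per-user Explorer dir.
///
/// The earlier wording ("proves files were viewed") overstated the artifact:
/// a thumbnail is generated whenever the file is rendered in a thumbnail view,
/// preview pane or by the indexer, which does not require the user to open it.
pub static THUMBCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "thumbcache",
    name: "Explorer Thumbnail Cache",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Windows\Explorer"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Cached thumbnails (thumbcache_*.db) persist after the source file is deleted; an \
              entry shows the file was rendered in an Explorer thumbnail view, preview pane or \
              by the indexer — not that it was opened; entries are keyed by a cache ID that the \
              Windows Search index (System.ThumbnailCacheId) maps back to a path",
    mitre_techniques: &["T1083"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    // The search index is the pivot from cache ID back to the original file name.
    related_artifacts: &["search_db_user"],
    sources: &[
        "https://www.sans.org/blog/thumbnail-cache-forensics/",
        "https://www.nirsoft.net/utils/thumbcache_viewer.html",
        "https://www.pentestpartners.com/security-blog/thumbnail-forensics-dfir-techniques-for-analysing-windows-thumbcache/",
        "https://thumbcacheviewer.github.io/",
        "https://forensics.wiki/windows_thumbcache/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Thumbnail generation does not require user interaction; treat as 'file existed and \
         was rendered', not 'user viewed it'",
        "No original path inside the cache; resolve the cache ID via the Windows Search index",
    ],
    volatility: None,
    volatility_rationale: "",
};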
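/// Windows Search ESE index (`Windows.edb`).
///
/// The display name previously said "Windows.db", which is the separate
/// SQLite successor used on Win11 22H2+; the path here is the ESE file, so the
/// name now matches it. The `id` is kept unchanged for callers.
pub static SEARCH_DB_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "search_db_user",
    name: "Windows Search Database (Windows.edb)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "ESE database of indexed file metadata and extracted content; reveals filenames \
              and content even after deletion; superseded on Win11 22H2+ by the SQLite \
              windows.db in the same directory — collect whichever is present",
    mitre_techniques: &["T1083"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["thumbcache"],
    sources: &[
        "https://www.sans.org/blog/windows-search-index-forensics/",
        "https://learn.microsoft.com/en-us/windows/win32/search/windows-search",
        "https://cyber.aon.com/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/",
        "https://github.com/EricZimmerman/SQLECmd",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Held open by the WSearch service; collect via VSS or after stopping the service, and \
         repair a dirty-shutdown copy (esentutl /p) before parsing",
        "Only indexed locations appear; excluded paths, encrypted files and removable media \
         may be absent",
    ],
    volatility: None,
    volatility_rationale: "",
};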
/// Single-field schema shared by the DPAPI master-key and credential-blob
/// descriptors: the GUID-named file is the record identity.
pub(crate) static DPAPI_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: true,
    value_type: ValueType::Text,
    name: "guid",
    description: "GUID filename of the DPAPI master key or credential blob",
}];
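/// Per-user DPAPI master key files under `%APPDATA%\Microsoft\Protect\{SID}\`.
///
/// Practitioner note: the files are not usable as-is — each master key is
/// itself encrypted with a key derived from the user's password (or the domain
/// backup key for domain accounts), so presence alone does not expose secrets.
pub static DPAPI_MASTERKEY_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "dpapi_masterkey_user",
    name: "DPAPI User Master Keys",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Protect\*"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Master keys protecting all DPAPI-encrypted user secrets (credentials, browser \
              passwords, WiFi PSKs); each key file is itself encrypted with the user's \
              password-derived key, and the 'Preferred' file names the current key GUID",
    mitre_techniques: &["T1555.004"],
    fields: DPAPI_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["dpapi_cred_user", "dpapi_credhist", "chrome_login_data"],
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
        "https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Presence expected for every user; useful for decrypting other artifacts",
        "Decryption needs the user's password or NT hash, or — for domain accounts only — \
         the domain DPAPI backup key",
        "A blob references one master key GUID; only that key file (not all of them) is needed",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Master keys persist on disk (expired keys are kept beside the current one); \
                           domain-joined users' keys are additionally recoverable via the AD backup key",
};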
/// Credential Manager blobs in the user's Local AppData, protected by DPAPI.
pub static DPAPI_CRED_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "dpapi_cred_user",
    name: "DPAPI Credential Blobs (Local)",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::All,
    triage_priority: TriagePriority::High,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Credentials"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1555.004"],
    fields: DPAPI_FIELDS,
    meaning:
        "DPAPI-encrypted credential blobs for network resources; decryptable with DPAPI master key",
    retention: None,
    related_artifacts: &["dpapi_masterkey_user", "windows_vault_user"],
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
        "https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Encrypted credential blobs; useful with DPAPI master key decryption"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Encrypted credential blobs; persist until explicit deletion",
};
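/// Credential Manager blobs in the user's Roaming AppData.
///
/// "Synced across domain machines" only holds where roaming user profiles are
/// configured; on most modern domains this directory is simply a second local
/// store, so the wording is hedged accordingly and the evidence/volatility
/// fields now mirror the Local variant.
pub static DPAPI_CRED_ROAMING: ArtifactDescriptor = ArtifactDescriptor {
    id: "dpapi_cred_roaming",
    name: "DPAPI Credential Blobs (Roaming)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Microsoft\Credentials"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Roaming DPAPI credential blobs; same structure as Local, replicated to other \
              machines only where roaming user profiles are configured",
    mitre_techniques: &["T1555.004"],
    fields: DPAPI_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["dpapi_cred_user", "dpapi_masterkey_user"],
    sources: &[
        "https://www.sans.org/blog/dpapi-forensics-credentials-stored-in-windows/",
        "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["Encrypted credential blobs; useful with DPAPI master key decryption"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Encrypted credential blobs; persist until explicit deletion",
};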
/// Schema for Windows Vault directories: one `.vpol` policy file holds the key
/// material, and each `.vcrd` file is one encrypted credential (the identity).
pub(crate) static VAULT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        is_uid_component: false,
        name: "policy_file",
        description: ".vpol policy file containing encryption key material",
        value_type: ValueType::Text,
    },
    FieldSchema {
        is_uid_component: true,
        name: "vcrd_file",
        description: ".vcrd credential file containing the encrypted credential",
        value_type: ValueType::Text,
    },
];
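/// Per-user Credential Manager vault.
///
/// `dpapi_cred_user` already points here; the reverse links are added so the
/// DPAPI chain (vault → .vpol keys → user master key) is navigable from this
/// side too.
pub static WINDOWS_VAULT_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_vault_user",
    name: "Windows Vault (User)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Vault"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Per-user Credential Manager vault (.vpol + .vcrd); contains WEB and WINDOWS saved credentials",
    mitre_techniques: &["T1555.004"],
    fields: VAULT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["dpapi_cred_user", "dpapi_masterkey_user"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-manager",
        "https://blog.digital-forensics.it/2016/01/windows-revaulting.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "The .vpol keys are DPAPI-protected by the user's master key; a .vcrd decrypts only \
         with its .vpol and that master key",
    ],
    volatility: None,
    volatility_rationale: "",
};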
/// Machine-wide Credential Manager vault under ProgramData.
pub static WINDOWS_VAULT_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "windows_vault_system",
    name: "Windows Vault (System)",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Vault"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1555.004"],
    fields: VAULT_FIELDS,
    meaning: "System-level Windows Credential Manager vault; contains machine-scoped credentials",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-manager",
        "https://blog.digital-forensics.it/2016/01/windows-revaulting.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for the per-server `UsernameHint` value of the RDP client.
pub(crate) static RDP_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: false,
    value_type: ValueType::Text,
    name: "username_hint",
    description: "Last username used to connect to this RDP server",
}];
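/// `Terminal Server Client\Servers\<host>` subkeys written by mstsc.
///
/// The volatility rationale previously described MRU rotation, which applies
/// to the sibling `Default` key (MRU0–MRU9), not here: one subkey is created
/// per target host and it stays until the user removes it, so this is
/// classified Persistent and cross-linked to the MRU descriptor.
pub static RDP_CLIENT_SERVERS: ArtifactDescriptor = ArtifactDescriptor {
    id: "rdp_client_servers",
    name: "RDP Client Saved Servers",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Terminal Server Client\Servers",
    value_name: Some("UsernameHint"),
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Hostnames (subkey names) and last-used usernames of previously-connected RDP \
              servers; lateral movement evidence from the source side",
    mitre_techniques: &["T1021.001"],
    fields: RDP_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_default"],
    sources: &[
        "https://www.sans.org/blog/windows-rdp-forensics/",
        "https://forensafe.com/blogs/rdc.html",
        "https://www.magnetforensics.com/blog/rdp-artifacts-in-incident-response/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Proves RDP was initiated FROM this machine; does not confirm success",
        "A DOMAIN\\user hint reveals the account and domain targeted, not that it authenticated",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "One subkey per target host; persists until the user deletes it — no MRU \
                           rotation (the rotated list is the sibling Default key)",
};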
/// Schema for one `MRUn` value of the RDP client's `Default` key.
pub(crate) static RDP_MRU_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: true,
    value_type: ValueType::Text,
    name: "server",
    description: "RDP server address from the most-recently-used list",
}];
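/// `Terminal Server Client\Default` MRU list (MRU0 = most recent).
///
/// Evidence and volatility metadata were empty here while the sibling
/// `Servers` descriptor carried them; this is the list that actually rotates,
/// so the MRU rationale belongs on this descriptor.
pub static RDP_CLIENT_DEFAULT: ArtifactDescriptor = ArtifactDescriptor {
    id: "rdp_client_default",
    name: "RDP Client Default MRU",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Terminal Server Client\Default",
    value_name: None,
    file_path: None,
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning:
        "MRU0-MRU9 ordered list of RDP server addresses; confirms specific hosts were targeted",
    mitre_techniques: &["T1021.001"],
    fields: RDP_MRU_FIELDS,
    retention: Some("10 entries (MRU0-MRU9); oldest dropped when a new host is added"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers"],
    sources: &[
        "https://www.sans.org/blog/windows-rdp-forensics/",
        "https://forensafe.com/blogs/rdc.html",
        "https://www.magnetforensics.com/blog/rdp-artifacts-in-incident-response/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Proves RDP was initiated FROM this machine; does not confirm success",
        "Only the ten most recent targets; older hosts survive only as Servers subkeys",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "MRU; rotated when max entries exceeded",
};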
/// Schema for the NTDS.dit descriptor: the file path is the record identity.
pub(crate) static NTDS_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: true,
    value_type: ValueType::Text,
    name: "path",
    description: "Full path to the NTDS.dit file",
}];
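/// Active Directory database on a domain controller.
///
/// The previous caveat implied the hashes could be read with secretsdump or
/// ntdsutil alone. They are PEK-encrypted; the boot key from the SYSTEM hive
/// is required, and the live file is locked, so acquisition itself needs VSS
/// or `ntdsutil ifm` — which is also why attacker use of those tools is an
/// indicator in its own right.
pub static NTDS_DIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "ntds_dit",
    name: "Active Directory Database (NTDS.dit)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\NTDS\NTDS.dit"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Domain controller AD database; contains NTLM hashes (and Kerberos keys) for all \
              domain accounts, encrypted with the PEK which is in turn protected by the \
              SYSTEM hive boot key",
    mitre_techniques: &["T1003.003"],
    fields: NTDS_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://www.sans.org/blog/protecting-ad-from-credential-theft/"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "All domain hashes present but PEK-encrypted; collect the SYSTEM hive alongside \
         (secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL)",
        "Locked while the NTDS service runs; acquire via VSS shadow copy or ntdsutil 'ifm' — \
         the same tools attackers use, so their execution is itself an indicator",
        "Location is configurable (HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters, \
         'DSA Database file'); the default path is only a hint",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Persists for the DC's lifetime; deleted objects linger as tombstones or \
                           recycled objects for the tombstone lifetime",
};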
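/// Schema for Chromium `logins` rows.
///
/// `username_value` is now part of the record identity: a user commonly saves
/// several accounts for the same origin, and keying on `origin_url` alone
/// collapsed them into one uid.
pub(crate) static BROWSER_CRED_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "origin_url",
        value_type: ValueType::Text,
        description: "URL the credential is associated with",
        is_uid_component: true,
    },
    FieldSchema {
        name: "username_value",
        value_type: ValueType::Text,
        description: "Saved username",
        // Multiple logins per origin are common; include the username in the uid.
        is_uid_component: true,
    },
];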
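/// Chromium `Login Data` SQLite database.
///
/// The "DPAPI-encrypted passwords" description dates from Chrome < 80. Since
/// Chrome 80 `password_value` is AES-256-GCM (prefix `v10`) with the key held
/// in the profile's `Local State` (`os_crypt.encrypted_key`), and that key is
/// what DPAPI protects; Chrome 127+ App-Bound Encryption (`v20`) adds a
/// SYSTEM-DPAPI layer. The path also covers only Chrome's Default profile.
pub static CHROME_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "chrome_login_data",
    name: "Chrome/Edge Login Data (SQLite)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "SQLite DB (logins table) of saved Chrome/Edge credentials; password_value is \
              AES-256-GCM (v10) with a key in the profile's Local State that is itself \
              DPAPI-protected; v20 (App-Bound Encryption) adds a SYSTEM-DPAPI layer",
    mitre_techniques: &["T1555.003"],
    fields: BROWSER_CRED_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["chrome_cookies", "dpapi_masterkey_user"],
    sources: &[
        "https://redcanary.com/threat-detection-report/techniques/t1555/",
        "https://atropos4n6.com/windows/chrome-login-data-forensics/",
        "https://www.foxtonforensics.com/blog/post/analysing-chrome-login-data",
        "https://github.com/EricZimmerman/SQLECmd",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Credentials encrypted; decryption needs Local State plus the user masterkey (v10), and \
         additionally SYSTEM DPAPI for v20 App-Bound entries",
        "May contain stale or user-deleted passwords",
        "Path covers Chrome's Default profile only; Edge lives under \
         ...\\Microsoft\\Edge\\User Data\\ and additional profiles under 'Profile N'",
        "date_created / date_last_used / date_password_modified are WebKit timestamps \
         (microseconds since 1601-01-01)",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "SQLite DB; credentials persist until deleted from browser",
};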
/// Schema for one entry of Firefox's `logins.json`: keyed by hostname.
pub(crate) static FIREFOX_CRED_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: true,
    value_type: ValueType::Text,
    name: "hostname",
    description: "Hostname the Firefox credential is associated with",
}];
/// Firefox saved logins; the encrypted fields need the profile's `key4.db`.
pub static FIREFOX_LOGINS: ArtifactDescriptor = ArtifactDescriptor {
    id: "firefox_logins",
    name: "Firefox logins.json",
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::All,
    triage_priority: TriagePriority::Critical,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1555.003"],
    fields: FIREFOX_CRED_FIELDS,
    meaning:
        "NSS3-encrypted Firefox saved credentials; decryptable with key4.db and master password",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://redcanary.com/threat-detection-report/techniques/t1555/",
        "https://atropos4n6.com/windows/chrome-login-data-forensics/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Encrypted with Firefox key4.db; requires key extraction for plaintext",
        "Primary password (master password) prevents access if set",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "JSON file; credentials persist until deleted from browser",
};
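/// Schema for one WLAN profile XML.
///
/// `key_material` clarified: the on-disk `keyMaterial` element is DPAPI-encrypted
/// under the SYSTEM account when `<protected>true</protected>`, so plaintext is
/// not obtainable from the file with user-level keys alone.
pub(crate) static WIFI_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "ssid",
        value_type: ValueType::Text,
        description: "WiFi network SSID (network name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "key_material",
        value_type: ValueType::Text,
        description: "Pre-shared key (keyMaterial element) or 802.1X EAP credentials; on disk the \
                      PSK is DPAPI-encrypted under the SYSTEM account when <protected>true</protected>, \
                      so plaintext needs SYSTEM master keys or 'netsh wlan show profile key=clear' \
                      on the live host",
        is_uid_component: false,
    },
];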
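/// WLAN profile XML files written by the WLAN AutoConfig service.
///
/// Two corrections: the meaning said "plaintext PSKs", but the stored PSK is
/// DPAPI-encrypted under SYSTEM; and the volatility rationale referred to the
/// registry, while this descriptor points at files under ProgramData.
pub static WIFI_PROFILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "wifi_profiles",
    name: "Wireless Network Profiles (WLAN)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "XML profiles ({InterfaceGUID}\\{ProfileGUID}.xml) for previously joined WiFi \
              networks; the PSK is stored DPAPI-encrypted under the SYSTEM account, so \
              plaintext requires SYSTEM master keys or 'netsh wlan show profile key=clear' \
              on the live host",
    mitre_techniques: &["T1552.001"],
    fields: WIFI_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/wireless-forensics/",
        "https://forensafe.com/blogs/winwirelessnetworks.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Network profile history shows locations visited; useful for timeline and geographic profiling",
        "Profile XML carries no connection times; first/last-connect timestamps live in the \
         SOFTWARE hive's NetworkList\\Profiles key",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "XML profiles persist on disk until the network is forgotten or the \
                           interface is removed",
};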
/// Generic one-line schema reused by cron tables and shell startup scripts.
pub(crate) static CRON_LINE_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: false,
    value_type: ValueType::Text,
    name: "schedule_line",
    description: "Cron schedule expression and command, or shell script line",
}];
/// Schema for one `authorized_keys`-style line; the key text is the identity.
pub(crate) static SSH_KEY_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: true,
    value_type: ValueType::Text,
    name: "public_key",
    description: "SSH public key entry (key-type base64 comment)",
}];
/// Schema for a local account record: name (identity) plus numeric UID.
pub(crate) static ACCOUNT_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        is_uid_component: true,
        name: "username",
        description: "Account username",
        value_type: ValueType::Text,
    },
    FieldSchema {
        is_uid_component: false,
        name: "uid",
        description: "Numeric user ID (0 = root)",
        value_type: ValueType::UnsignedInt,
    },
];
/// Generic schema for a single log or journal line.
pub(crate) static LOG_LINE_FIELDS: &[FieldSchema] = &[FieldSchema {
    is_uid_component: false,
    value_type: ValueType::Text,
    name: "log_line",
    description: "Log line or structured journal entry",
}];
/// The system-wide crontab, whose sixth column names the executing user.
pub static LINUX_CRONTAB_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_crontab_system",
    name: "System Crontab (/etc/crontab)",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/crontab"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1053.003"],
    fields: CRON_LINE_FIELDS,
    meaning: "System-wide scheduled job definitions; user field allows cross-account execution",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://linux.die.net/man/5/crontab",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Drop-in crontab fragments in `/etc/cron.d/`.
pub static LINUX_CRON_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_cron_d",
    name: "Cron Drop-in Directory (/etc/cron.d/)",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/cron.d"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1053.003"],
    fields: CRON_LINE_FIELDS,
    meaning: "Drop-in cron files with full crontab format; easy to add without touching crontab",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
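/// Periodic cron directories executed via run-parts.
///
/// The name advertises `{daily,hourly,weekly,monthly}` but `file_path` only
/// covers `cron.daily`; the gap is now stated in `meaning` and a caveat so a
/// collector operator does not assume the siblings were gathered.
pub static LINUX_CRON_PERIODIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_cron_periodic",
    name: "Cron Periodic Directories (/etc/cron.{daily,hourly,weekly,monthly}/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // Only cron.daily is collected by this path; see meaning/caveats for siblings.
    file_path: Some("/etc/cron.daily"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Shell scripts executed periodically by crond/anacron via run-parts; no schedule \
              syntax required. This path covers cron.daily only — cron.hourly (run by cron \
              directly), cron.weekly and cron.monthly sit alongside and must be collected too",
    mitre_techniques: &["T1053.003"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Only /etc/cron.daily is gathered by this descriptor; hourly/weekly/monthly need separate collection",
        "run-parts skips files that are not executable or whose names contain a dot (e.g. foo.sh); \
         a dropped script with an extension is inert, one without runs",
    ],
    volatility: None,
    volatility_rationale: "",
};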
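/// Per-user crontab spool.
///
/// `/var/spool/cron/crontabs/<user>` is the Debian/Ubuntu layout; RHEL, Fedora
/// and SUSE store the files directly as `/var/spool/cron/<user>`, so a collector
/// using only this path silently misses them. The caveat records that.
pub static LINUX_USER_CRONTAB: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_user_crontab",
    name: "Per-User Crontab Spool",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/spool/cron/crontabs/*"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Per-user scheduled jobs (file name = account); attacker can set up recurring \
              execution without admin. Debian/Ubuntu path — RHEL/Fedora/SUSE use \
              /var/spool/cron/<user> directly",
    mitre_techniques: &["T1053.003"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Unexpected cron entries are definitive persistence indicators; compare against known-good baseline",
        "Path is distribution-specific: also check /var/spool/cron/<user> on RHEL-family and SUSE",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Crontab entry; persists until crontab -r",
};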
/// anacron's job table for hosts that are not always powered on.
pub static LINUX_ANACRONTAB: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_anacrontab",
    name: "Anacrontab (/etc/anacrontab)",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/anacrontab"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1053.003"],
    fields: CRON_LINE_FIELDS,
    meaning: "Deferred cron jobs for irregular uptime; period-based rather than time-based",
    retention: None,
    related_artifacts: &[],
    sources: &["https://linux.die.net/man/8/anacron"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
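/// systemd system units in the administrator-owned `/etc/systemd/system`.
///
/// Added the points an analyst needs: a unit file alone is inert (look for the
/// `.wants/` symlink or an activator), units run as root only when `User=` is
/// unset, and `/etc` is only the highest-precedence of three unit directories.
pub static LINUX_SYSTEMD_SYSTEM_UNIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_systemd_system_unit",
    name: "systemd System Service Units",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/systemd/system"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning: "Service definitions started by PID 1, as root unless User= is set; \
              WantedBy=multi-user.target plus an enabling symlink in *.wants/ = auto-start. \
              /etc/systemd/system overrides /run/systemd/system and /usr/lib/systemd/system; \
              <unit>.d/*.conf drop-ins override individual keys of vendor units",
    mitre_techniques: &["T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
        "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "A unit file alone is inert: confirm it is enabled (*.wants/ or *.requires/ symlink, Alias=) \
         or triggered by a .timer/.socket/.path unit",
        "Also collect /usr/lib/systemd/system and the volatile /run/systemd/system (lost on reboot) \
         plus generator output under /run/systemd/generator*",
    ],
    volatility: None,
    volatility_rationale: "",
};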
/// Per-user systemd units, managed by the user's own `systemd --user` instance.
pub static LINUX_SYSTEMD_USER_UNIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_systemd_user_unit",
    name: "systemd User Service Units",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::LinuxSystemd,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.config/systemd/user"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    meaning: "User-scope service definitions; executed without root on user login",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
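/// `*.timer` units under `/etc/systemd/system`.
///
/// A timer is only half the persistence: it activates the same-named (or
/// `Unit=`-named) `.service`, which lives in the system-unit descriptor, so the
/// two are cross-linked and the trigger keys are spelled out for triage.
pub static LINUX_SYSTEMD_TIMER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_systemd_timer",
    name: "systemd Timer Units",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/systemd/system"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxSystemd,
    decoder: Decoder::Identity,
    meaning: "*.timer units trigger the same-named (or Unit=) .service on a calendar schedule \
              (OnCalendar=) or relative to boot/activation (OnBootSec=, OnUnitActiveSec=); \
              Persistent=true fires missed runs at next boot; per-user timers live under \
              ~/.config/systemd/user",
    mitre_techniques: &["T1053.006"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_systemd_system_unit"],
    sources: &[
        "https://www.freedesktop.org/software/systemd/man/systemd.timer.html",
        "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Review the paired .service (ExecStart=, User=) — the timer itself runs nothing",
        "Timers must be enabled (timers.target.wants/ symlink) or started to be live; \
         'systemctl list-timers --all' on a live host shows the effective set",
    ],
    volatility: None,
    volatility_rationale: "",
};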
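/// Legacy `/etc/rc.local` boot script.
///
/// "Widely supported" needs a qualifier on systemd distributions: the file is
/// honoured only if it exists, is executable, and `rc-local.service` (via the
/// rc-local generator) is active — a non-executable planted file never runs.
pub static LINUX_RC_LOCAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_rc_local",
    name: "rc.local Startup Script",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/rc.local"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Legacy boot-time script executed as root; on systemd distributions it runs only \
              when the file is executable and rc-local.service is active, on SysV hosts via \
              the rc scripts",
    mitre_techniques: &["T1037.004"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
        "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Check the execute bit and rc-local.service state; the file alone proves intent, not execution",
        "Some distributions ship no rc.local — its mere presence on such a host is notable",
    ],
    volatility: None,
    volatility_rationale: "",
};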
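/// SysV init scripts.
///
/// T1543.002 is the *systemd service* sub-technique; SysV scripts are covered
/// by T1037.004 (RC Scripts), which is added while keeping the original
/// mapping for callers that filter on it. The activation mechanism (rcN.d
/// symlinks, or the systemd sysv-generator) is spelled out.
pub static LINUX_INIT_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_init_d",
    name: "SysV Init Scripts (/etc/init.d/)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/init.d"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "SysV init scripts; a malicious script here runs at boot across reboots once \
              activated by an /etc/rc[0-6].d/S* symlink (update-rc.d/chkconfig) — on \
              systemd hosts the sysv-generator wraps them as transient service units",
    mitre_techniques: &["T1037.004", "T1543.002"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "A script with no rcN.d symlink (and no systemd wrapper) is not active; collect /etc/rc*.d too",
    ],
    volatility: None,
    volatility_rationale: "",
};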
/// Per-user bash interactive-shell startup file.
pub static LINUX_BASHRC_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_bashrc_user",
    name: "User ~/.bashrc",
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    triage_priority: TriagePriority::Medium,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.bashrc"),
    decoder: Decoder::Identity,
    mitre_techniques: &["T1546.004"],
    fields: CRON_LINE_FIELDS,
    meaning: "Sourced on every interactive bash session; persistent aliases, functions, or background processes",
    retention: None,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/blog/linux-persistence-mechanisms/",
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
        "https://www.elastic.co/guide/en/security/current/bash-shell-profile-modification.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
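/// Per-user bash login-shell startup file.
///
/// Bash reads only the first existing file of `~/.bash_profile`,
/// `~/.bash_login`, `~/.profile` for a login shell, so a planted
/// `.bash_profile` both gains execution and silently shadows the user's
/// `.profile` — worth a caveat and a cross-link to the `.profile` descriptor.
pub static LINUX_BASH_PROFILE_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_bash_profile_user",
    name: "User ~/.bash_profile",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.bash_profile"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Sourced on Bash login shells (SSH and console login); bash reads only the first of \
              ~/.bash_profile, ~/.bash_login, ~/.profile that exists, so this file takes \
              precedence over ~/.profile",
    mitre_techniques: &["T1546.004"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_profile_user", "linux_bashrc_user"],
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "A newly created ~/.bash_profile on a host whose users relied on ~/.profile is a \
         common planting pattern — compare ctime against the account's other dotfiles",
    ],
    volatility: None,
    volatility_rationale: "",
};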
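/// POSIX per-user login startup file.
///
/// Cross-linked to the bash-specific files, with the caveat that bash skips
/// `~/.profile` entirely when `~/.bash_profile` or `~/.bash_login` exists.
pub static LINUX_PROFILE_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_profile_user",
    name: "User ~/.profile",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.profile"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "POSIX login shell startup; sourced by sh, dash, and bash on login — bash skips it \
              when ~/.bash_profile or ~/.bash_login exists",
    mitre_techniques: &["T1546.004"],
    fields: CRON_LINE_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["linux_bash_profile_user", "linux_bashrc_user"],
    sources: &[
        "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Not executed for bash users who have ~/.bash_profile; absence of changes here does \
         not clear the account — check the bash-specific files too",
    ],
    volatility: None,
    volatility_rationale: "",
};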
/// Per-user interactive Zsh startup file.
///
/// Zsh honours `ZDOTDIR`, which relocates this file away from `$HOME`.
/// `~/.zshenv` (every shell), `~/.zprofile` and `~/.zlogin` (login shells)
/// are separate hook points and are not covered by this descriptor.
pub static LINUX_ZSHRC_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_zshrc_user",
name: "User ~/.zshrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.zshrc"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Sourced on every interactive Zsh session; same persistence vector as .bashrc",
mitre_techniques: &["T1546.004"],
fields: CRON_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
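/// System-wide POSIX login-shell startup file.
///
/// `/etc/profile` sources the `linux_profile_d` drop-ins, so a change in
/// either location has the same effect; the two are linked via
/// `related_artifacts` so they are reviewed together. Interactive
/// non-login shells read `/etc/bash.bashrc` (Debian) or `/etc/bashrc`
/// (Red Hat) instead, which this descriptor does not cover.
pub static LINUX_PROFILE_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_profile_system",
name: "System /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/profile"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "System-wide login shell startup; modifications affect all users",
mitre_techniques: &["T1546.004"],
fields: CRON_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
// The drop-in directory is sourced from this file; review both together.
related_artifacts: &["linux_profile_d"],
sources: &[
"https://www.sans.org/blog/linux-persistence-mechanisms/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};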
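/// System-wide shell-startup drop-in directory.
///
/// Every `*.sh` file here is sourced by `/etc/profile`
/// (`linux_profile_system`) for each login shell, so a single added file
/// reaches all users. Most legitimate entries are package-owned; compare
/// names and mtimes against the package manifest.
pub static LINUX_PROFILE_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_profile_d",
name: "System /etc/profile.d/ Drop-ins",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/profile.d"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Shell scripts sourced by /etc/profile for all users at login; drop-in persistence",
mitre_techniques: &["T1546.004"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
// Reciprocal link to the file that sources this directory.
related_artifacts: &["linux_profile_system"],
sources: &[
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};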
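/// Dynamic-linker preload list.
///
/// The file does not exist on a clean install, so its presence is itself
/// worth review. Unlike the `LD_PRELOAD` environment variable it applies
/// to every dynamically linked process on the host, and a preloaded
/// library that hooks `open`/`readdir` can hide the file from live tools —
/// read it from an offline image when tampering is suspected. Linked to
/// `linux_ld_so_conf_d`, the other linker-configuration vector.
pub static LINUX_LD_SO_PRELOAD: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_ld_so_preload",
name: "Dynamic Linker Preload (/etc/ld.so.preload)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/ld.so.preload"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Libraries preloaded into EVERY process system-wide; standard rootkit hiding mechanism",
mitre_techniques: &["T1574.006"],
fields: CRON_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
// Same technique (T1574.006), different configuration surface.
related_artifacts: &["linux_ld_so_conf_d"],
sources: &[
"https://www.sans.org/blog/linux-persistence-mechanisms/",
"https://www.wiz.io/blog/linux-rootkits-explained-part-1-dynamic-linker-hijacking",
"https://www.sentinelone.com/labs/leveraging-ld_audit-to-beat-the-traditional-linux-library-preloading-technique/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};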
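/// Dynamic-linker search-path drop-in directory.
///
/// Entries here are compiled into `/etc/ld.so.cache` by `ldconfig`;
/// `/etc/ld.so.conf` itself and the cache are not covered by this
/// descriptor, so a path injected there directly would be missed.
/// Linked to `linux_ld_so_preload`, the other linker-configuration vector.
pub static LINUX_LD_SO_CONF_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_ld_so_conf_d",
name: "Linker Config Directory (/etc/ld.so.conf.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/ld.so.conf.d"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Library search path config; malicious entry adds attacker directory to ldconfig paths",
mitre_techniques: &["T1574.006"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
// Same technique (T1574.006), different configuration surface.
related_artifacts: &["linux_ld_so_preload"],
sources: &[
"https://www.sans.org/blog/linux-persistence-mechanisms/",
"https://www.wiz.io/blog/linux-rootkits-explained-part-1-dynamic-linker-hijacking",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};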
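/// Per-user SSH public-key allow list.
///
/// The default path can be overridden by sshd's `AuthorizedKeysFile`
/// directive, and `AuthorizedKeysCommand` can supply keys that never touch
/// disk, so an empty or absent file does not rule out key-based access —
/// confirm against `sshd_config` and the "Accepted publickey" lines in
/// `linux_auth_log`. Per-line options (`from=`, `command=`) and the key
/// comment are the most useful fields for attribution.
pub static LINUX_SSH_AUTHORIZED_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_ssh_authorized_keys",
name: "SSH authorized_keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.ssh/authorized_keys"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Public keys permitting passwordless SSH login; attacker key = permanent backdoor",
mitre_techniques: &["T1098.004"],
fields: SSH_KEY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
// Other SSH key material on the host, plus the log that records key use.
related_artifacts: &["linux_ssh_private_key", "linux_ssh_known_hosts", "linux_auth_log"],
sources: &[
"https://www.sans.org/blog/ssh-backdoors/",
"https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};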
/// PAM module directory (one of several on a given distribution; see caveats).
///
/// NOTE(review): the `meaning` text says an unpackaged `.so` "proves"
/// backdoor installation. Locally built third-party modules (for example
/// 2FA modules compiled from source) are also absent from dpkg/rpm
/// manifests, so an unpackaged module is a strong indicator that still
/// needs confirmation by inspecting the module and the `linux_pam_d` lines
/// that load it. On Red Hat-family hosts the equivalent directory is
/// `/usr/lib64/security/`, which the caveat list does not mention —
/// confirm and add.
pub static LINUX_PAM_MODULE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_pam_module_dir",
name: "PAM Modules Directory (/lib/security/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/lib/security"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Drop location for PAM .so modules; PamDOORa adds pam_linux.so here as a credential-harvesting backdoor loaded via pam_exec config — any .so absent from the installed package manifest proves backdoor installation.",
mitre_techniques: &["T1556.003", "T1574.006"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &["linux_pam_d", "linux_wtmp", "linux_btmp", "linux_lastlog", "linux_auth_log"],
sources: &[
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
"https://linux.die.net/man/8/pam",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Also check /lib/x86_64-linux-gnu/security/ (Debian/Ubuntu) and /usr/lib/x86_64-linux-gnu/security/; verify every .so against dpkg/rpm manifest",
"PamDOORa compiles to pam_linux.so — any non-system module name is an immediate IOC",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Files on disk in /lib/; persist until explicitly removed",
};
/// PAM per-service configuration directory.
///
/// Review focuses on `auth`/`account`/`session` lines that load a module
/// by absolute path or from outside the packaged module directory
/// (`linux_pam_module_dir`), and on `pam_exec.so` lines, which run an
/// arbitrary program during authentication. The legacy `/etc/pam.conf`
/// and vendor defaults under `/usr/lib/pam.d/` are not covered by this
/// descriptor.
pub static LINUX_PAM_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_pam_d",
name: "PAM Configuration (/etc/pam.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/pam.d"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "PAM module configs per service; malicious module intercepts and logs all passwords",
mitre_techniques: &["T1556.003"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[
"linux_pam_module_dir",
"linux_wtmp",
"linux_btmp",
"linux_lastlog",
"linux_utmp",
"linux_auth_log",
],
sources: &[
"https://x-c3ll.github.io/posts/PAM-backdoor-DNS/",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Modification of PAM config proves auth interception capability; correlate with linux_pam_module_dir for dropped .so and auth logs for attacker session timestamps",
"PamDOORa uses pam_exec to load scripts rather than replacing pam_unix.so — check for optional/sufficient module lines referencing non-system paths",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Text files in /etc/pam.d/; persist until explicitly modified or restored",
};
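/// sudoers drop-in directory.
///
/// Read through the `@includedir` (older: `#includedir`) line in
/// `/etc/sudoers`; rules here carry the same weight as the main file.
/// Correlate `NOPASSWD`/`ALL` grants with the `sudo:` lines in
/// `linux_auth_log` to establish whether a grant was actually used.
pub static LINUX_SUDOERS_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_sudoers_d",
name: "Sudoers Drop-ins (/etc/sudoers.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/sudoers.d"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Drop-in sudoers rules; NOPASSWD entries enable privilege escalation without credentials",
mitre_techniques: &["T1548.003"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
// sudo invocations (accepted and rejected) are logged there.
related_artifacts: &["linux_auth_log"],
sources: &[
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://linux.die.net/man/5/sudoers",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Presence of unexpected rules is high-confidence privilege escalation indicator",
"sudo skips files whose name contains '.' or ends in '~', so a present file is not necessarily active; `visudo -c` reports which files are parsed",
"/etc/sudoers itself and its @includedir/#includedir lines are not covered by this descriptor",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Files in /etc/sudoers.d/; persist until explicitly removed",
};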
/// systemd kernel-module autoload configuration (admin layer).
///
/// `systemd-modules-load` also reads `/run/modules-load.d/` and
/// `/usr/lib/modules-load.d/` (see the freedesktop reference below), and
/// Debian additionally reads `/etc/modules`; none of those are covered by
/// this descriptor. A module named here should map to a package-owned
/// `.ko` under `/lib/modules/<release>/`; an unpackaged or out-of-tree
/// module is the finding.
pub static LINUX_MODULES_LOAD_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_modules_load_d",
name: "Kernel Module Load Config (/etc/modules-load.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/modules-load.d"),
scope: DataScope::System,
os_scope: OsScope::LinuxSystemd,
decoder: Decoder::Identity,
meaning: "Kernel modules auto-loaded at boot; rootkit module here = persistent kernel access",
mitre_techniques: &["T1547.006"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.freedesktop.org/software/systemd/man/modules-load.d.html",
"https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Ubuntu/Debian dynamic-MOTD script directory.
///
/// The scripts are executed by `pam_motd` from the `sshd`/`login` PAM
/// session stack, which is why `linux_pam_d` is the natural correlate;
/// they run as root before the user's shell starts. Most entries are
/// package-owned, so a non-packaged executable here is the finding.
pub static LINUX_MOTD_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_motd_d",
name: "Dynamic MOTD Scripts (/etc/update-motd.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/update-motd.d"),
scope: DataScope::System,
os_scope: OsScope::LinuxDebian,
decoder: Decoder::Identity,
meaning: "Scripts run as root at SSH login for MOTD generation; covert execution vector",
mitre_techniques: &["T1037.004"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// udev rule drop-in directory (administrator layer).
///
/// Rules are also read from `/run/udev/rules.d/` and
/// `/usr/lib/udev/rules.d/`, with a same-named file in `/etc` overriding
/// the `/usr/lib` one; only the `/etc` layer is covered here. `RUN+=` and
/// `PROGRAM=` values that name a non-system path or an interpreter are the
/// lines to review.
pub static LINUX_UDEV_RULES_D: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_udev_rules_d",
name: "udev Rules (/etc/udev/rules.d/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/udev/rules.d"),
scope: DataScope::System,
os_scope: OsScope::LinuxSystemd,
decoder: Decoder::Identity,
meaning: "Device event rules; RUN+= directive executes payload on device attach/detach",
mitre_techniques: &["T1546"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
"https://www.freedesktop.org/software/systemd/man/udev_rules.html",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
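/// Per-user Bash command history file.
///
/// The on-disk file is bounded by `HISTFILESIZE`; `HISTSIZE` only limits
/// the in-memory list, and `HISTFILE` can point elsewhere. Lines are bare
/// commands unless `HISTTIMEFORMAT` was set, in which case each command is
/// preceded by a `#<epoch>` line. Absence of history for an account that
/// clearly had interactive sessions (`linux_wtmp`, `linux_auth_log`) is
/// itself worth noting.
pub static LINUX_BASH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_bash_history",
name: "Bash History (~/.bash_history)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.bash_history"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Interactive Bash command history; reveals lateral movement, exfil, and recon commands",
mitre_techniques: &["T1059.004", "T1552"],
fields: CRON_LINE_FIELDS,
// HISTFILESIZE, not HISTSIZE, is what caps the file on disk.
retention: Some("HISTFILESIZE limit (HISTSIZE bounds only the in-memory list); default 500-2000 commands"),
triage_priority: TriagePriority::High,
// Sibling shell history plus the session records needed to spot missing history.
related_artifacts: &["linux_zsh_history", "linux_wtmp", "linux_auth_log"],
sources: &[
"https://bromiley.medium.com/torvalds-tuesday-bash-history-in-linux-forensics-7cc4c9b4db9f",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
evidence_caveats: &[
"Trivially disabled with HISTSIZE=0, HISTFILE=/dev/null, or `set +o history`",
"Written at shell exit unless `history -a` runs from PROMPT_COMMAND; killed shells leave no history",
"Timestamps are present only if HISTTIMEFORMAT was set when the lines were written",
"Root can modify or delete",
],
volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
volatility_rationale: "Written at shell exit; max HISTFILESIZE entries",
};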
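/// Per-user Zsh command history file.
///
/// Mirrors `linux_bash_history` in evidence strength and volatility, with
/// Zsh's own knobs: `SAVEHIST` caps the file, `HISTFILE` relocates it, and
/// `EXTENDED_HISTORY` adds `: <epoch>:<duration>;` prefixes. Zsh does not
/// write a history file at all unless `HISTFILE` and `SAVEHIST` are set,
/// so absence is weaker evidence than for Bash.
pub static LINUX_ZSH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_zsh_history",
name: "Zsh History (~/.zsh_history)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.zsh_history"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Interactive Zsh command history; extended format optionally includes timestamps",
mitre_techniques: &["T1059.004", "T1552"],
fields: CRON_LINE_FIELDS,
// SAVEHIST, not HISTSIZE, is what caps the file on disk.
retention: Some("SAVEHIST limit (HISTSIZE bounds only the in-memory list); default 500-2000 commands"),
triage_priority: TriagePriority::High,
related_artifacts: &["linux_bash_history", "linux_wtmp", "linux_auth_log"],
sources: &[
"https://bromiley.medium.com/torvalds-tuesday-bash-history-in-linux-forensics-7cc4c9b4db9f",
],
// Same class of evidence as Bash history; the caveats below are the Zsh equivalents.
evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
evidence_caveats: &[
"Zsh writes no history file unless HISTFILE and SAVEHIST are set; distribution default .zshrc files usually set them, but a bare account may legitimately have none",
"Timestamps and durations are present only with EXTENDED_HISTORY (lines start with ': <epoch>:<secs>;')",
"Written at shell exit unless INC_APPEND_HISTORY or SHARE_HISTORY is set; can be edited or deleted by the user or root",
],
volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
volatility_rationale: "Written at shell exit (or incrementally with INC_APPEND_HISTORY); max SAVEHIST entries",
};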
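/// Binary login/logout/reboot record.
///
/// Records are fixed-size `utmp` structs, so a file size that is not a
/// multiple of the record size, or a gap in the time sequence, indicates
/// editing rather than rotation. Newer distributions may keep the
/// equivalent in `wtmpdb` (`/var/lib/wtmpdb/wtmp.db`) — confirm which is
/// in use before treating an empty `/var/log/wtmp` as tampering.
pub static LINUX_WTMP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_wtmp",
name: "Login History (/var/log/wtmp)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/log/wtmp"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Binary record of all successful logins/logouts/reboots; evidence of valid-account abuse",
mitre_techniques: &["T1078", "T1021.004"],
fields: LOG_LINE_FIELDS,
retention: Some("until rotated by logrotate"),
triage_priority: TriagePriority::High,
// linux_pam_module_dir lists this artifact; link back so the PAM chain is bidirectional.
related_artifacts: &["linux_btmp", "linux_lastlog", "linux_utmp", "linux_auth_log", "linux_pam_d", "linux_pam_module_dir"],
sources: &[
"https://linux.die.net/man/5/wtmp",
"https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
"https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Binary format; utmpdump needed; can be edited by root",
"PamDOORa explicitly removes attacker login entries from wtmp; gaps in binary record sequence are a tampering indicator — cross-reference with lastlog and auth.log for timeline gaps",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "Rotated by logrotate",
};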
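/// Binary failed-login record.
///
/// Same `utmp` record layout as `linux_wtmp`, so the same size/sequence
/// integrity checks apply. The file is root-only (mode 0600) on most
/// distributions because failed attempts often contain mistyped passwords
/// in the username field — handle extracted copies accordingly.
pub static LINUX_BTMP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_btmp",
name: "Failed Login Attempts (/var/log/btmp)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/log/btmp"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Binary record of failed authentication attempts; brute-force and credential-stuffing evidence",
mitre_techniques: &["T1110"],
fields: LOG_LINE_FIELDS,
retention: Some("until rotated by logrotate"),
triage_priority: TriagePriority::High,
// linux_pam_module_dir lists this artifact; link back so the PAM chain is bidirectional.
related_artifacts: &["linux_wtmp", "linux_lastlog", "linux_utmp", "linux_auth_log", "linux_pam_d", "linux_pam_module_dir"],
sources: &[
"https://linux.die.net/man/5/wtmp",
"https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
"https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Binary format; lastb command needed; can be zeroed by root",
"PAM backdoors (PamDOORa) deliberately remove their own btmp entries — absence of failed attempts from a source IP that appears in other logs indicates tampering",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "Rotated by logrotate",
};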
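/// Per-UID last-login database.
///
/// The file is sparse and indexed by UID, so its apparent size scales with
/// the highest UID rather than with activity. Recent shadow-utils /
/// util-linux releases replace it with `lastlog2`
/// (`/var/lib/lastlog/lastlog2.db`) — confirm which is in use, because on
/// such hosts an absent or stale `/var/log/lastlog` is not tampering.
pub static LINUX_LASTLOG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_lastlog",
name: "Last Login Database (/var/log/lastlog)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/log/lastlog"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Per-UID last-login record including source IP; never-logged-in vs recent entries",
mitre_techniques: &["T1078"],
fields: LOG_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
// linux_pam_module_dir lists this artifact; link back so the PAM chain is bidirectional.
related_artifacts: &["linux_wtmp", "linux_btmp", "linux_utmp", "linux_auth_log", "linux_pam_d", "linux_pam_module_dir"],
sources: &[
"https://linux.die.net/man/5/wtmp",
"https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Fixed-offset binary indexed by UID — zeroing an entry with write access is trivial; PamDOORa explicitly zeroes attacker UID entries to erase login history",
"A UID whose lastlog entry is all-zeros but appears in auth.log or wtmp is a high-confidence tampering indicator",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Not rotated; persists until explicitly overwritten; survives reboots",
};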
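/// Debian-family authentication log.
///
/// Every login/PAM artifact in this section points here for session
/// timestamps, so the link is made reciprocal. The `LinuxDebian` scope is
/// deliberate: Red Hat-family hosts write the same syslog facility to
/// `/var/log/secure`, and systemd-only hosts without a syslog daemon keep
/// these events solely in the journal (`linux_journal_dir`).
pub static LINUX_AUTH_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_auth_log",
name: "Auth Log (/var/log/auth.log)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/log/auth.log"),
scope: DataScope::System,
os_scope: OsScope::LinuxDebian,
decoder: Decoder::Identity,
meaning: "PAM auth events, SSH logins, sudo commands, su usage; primary lateral-movement log",
mitre_techniques: &["T1078", "T1548.003"],
fields: LOG_LINE_FIELDS,
retention: Some("until rotated by logrotate"),
triage_priority: TriagePriority::High,
// Reciprocal links: these descriptors all name linux_auth_log as their correlate.
related_artifacts: &[
"linux_wtmp",
"linux_btmp",
"linux_lastlog",
"linux_pam_d",
"linux_pam_module_dir",
"linux_sudoers_d",
"linux_journal_dir",
],
sources: &[
"https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"rsyslog/syslog-ng must be running; can be cleared by root",
"Red Hat-family hosts write the equivalent stream to /var/log/secure; systemd-only hosts without a syslog daemon keep these events only in the journal",
"Rotated copies (auth.log.1, auth.log.*.gz) extend the timeline and are not covered by this descriptor's path",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "logrotate weekly by default",
};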
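/// Persistent systemd journal directory.
///
/// Only exists when journald runs with `Storage=persistent` (or `auto`
/// with the directory pre-created); otherwise the journal lives under
/// `/run/log/journal` and does not survive a reboot, which is the first
/// thing to establish on a host with no files here. NOTE(review): the
/// `retention` string gives a fixed 50MB; journald's default cap
/// (`SystemMaxUse`) is a percentage of the filesystem, so confirm that
/// value against journald.conf(5) before relying on it.
pub static LINUX_JOURNAL_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_journal_dir",
name: "systemd Journal (/var/log/journal/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/log/journal"),
scope: DataScope::System,
os_scope: OsScope::LinuxSystemd,
decoder: Decoder::Identity,
meaning:
"Structured binary system journal; includes boot IDs, service crashes, and audit events",
mitre_techniques: &["T1078", "T1059.004"],
fields: DIR_ENTRY_FIELDS,
retention: Some("50MB or 1 month default; configurable in journald.conf"),
triage_priority: TriagePriority::High,
// On hosts without a syslog daemon the journal is the only copy of auth events.
related_artifacts: &["linux_auth_log"],
sources: &["https://systemd.io/JOURNAL_NATIVE_PROTOCOL/"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"systemd journal provides structured authentication and system events; requires journalctl for parsing",
"/var/log/journal exists only with Storage=persistent (or auto with the directory pre-created); otherwise the journal is in /run/log/journal and is lost at reboot",
"journalctl --verify checks file integrity and sealing; a file that fails verification, or an unexplained gap in boot IDs, is a tampering indicator",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "systemd journal; rotated by journald size/time limits",
};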
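/// Local account database.
///
/// Paired with `linux_shadow` (hashes) and `linux_auth_log` (account use).
/// Only locally defined accounts appear here; accounts resolved through
/// NSS backends (sssd/LDAP/NIS) are invisible in the file, so a live
/// `getent passwd` listing is the complement when one is obtainable.
pub static LINUX_PASSWD: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_passwd",
name: "User Account Database (/etc/passwd)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/passwd"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Local user enumeration; UID=0 duplicates or unusual shells indicate backdoor accounts",
mitre_techniques: &["T1087.001", "T1136.001"],
fields: ACCOUNT_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
// Hashes live in shadow; account creation/use is logged in auth.log.
related_artifacts: &["linux_shadow", "linux_auth_log"],
sources: &[
"https://linux.die.net/man/5/passwd",
"https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"World-readable; shows all accounts but no password hashes (those are in shadow)",
"Added accounts may be backdoors; compare against baseline",
"Accounts served by NSS backends (sssd/LDAP/NIS) do not appear here; compare with `getent passwd` output when available",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "File; persists until account deleted",
};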
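/// Local password-hash database.
///
/// The caveat about weak algorithms previously listed SHA-256 alongside
/// MD5; `$5$`/`$6$` sha-crypt are not weak per se — their cost is set by
/// the `rounds=` parameter — so the caveat now names the actual weak
/// schemes (descrypt, `$1$` MD5-crypt) and the modern default (`$y$`
/// yescrypt). Locked accounts carry `!`/`*` in the hash field; the file's
/// own permissions are part of the evidence.
pub static LINUX_SHADOW: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_shadow",
name: "Shadow Password File (/etc/shadow)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/shadow"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Password hashes for all local accounts; crackable offline once read",
mitre_techniques: &["T1003.008"],
fields: ACCOUNT_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &["linux_passwd"],
sources: &[
"https://www.sans.org/blog/linux-password-security/",
"https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Requires root to read; contains hashed passwords",
"Hash prefix identifies the algorithm: no prefix (descrypt) and $1$ (MD5-crypt) are weak; $5$/$6$ (sha256crypt/sha512crypt) depend on the rounds= parameter; $y$ (yescrypt) is the default on recent distributions",
"'!' or '*' in the hash field marks an account locked for password login; a real hash on an account that should be locked (e.g. a service account) indicates a change",
"Permissions looser than 0640 root:shadow are themselves a finding",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "File; persists until account deleted or password changed",
};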
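/// Per-user SSH private keys (default names only).
///
/// The `id_*` glob covers the OpenSSH default names; keys referenced by
/// `IdentityFile` in `~/.ssh/config`, stored outside `~/.ssh`, or held only
/// in `ssh-agent` are not found by this path. Whether a key is
/// passphrase-protected is encoded in the key body (OpenSSH `kdfname`
/// `none` vs `bcrypt`), not in the `-----BEGIN` header.
pub static LINUX_SSH_PRIVATE_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_ssh_private_key",
name: "SSH Private Keys (~/.ssh/id_*)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.ssh/id_*"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning:
"Private key material for SSH authentication; unencrypted keys = immediate lateral movement",
mitre_techniques: &["T1552.004"],
fields: SSH_KEY_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
// The other two SSH key-material descriptors in this section.
related_artifacts: &["linux_ssh_authorized_keys", "linux_ssh_known_hosts"],
sources: &[
"https://www.sans.org/blog/ssh-backdoors/",
"https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Private key presence proves capability for lateral movement",
"Passphrase-protected keys require cracking; unprotected keys are immediately usable",
"The id_* glob misses keys named via IdentityFile in ~/.ssh/config or stored outside ~/.ssh; keys held only in ssh-agent are memory-resident",
"Passphrase state is encoded in the key body (OpenSSH kdfname none vs bcrypt), not in the BEGIN header line",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "File; persists until explicitly removed",
};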
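/// Per-user SSH known-hosts file.
///
/// Records destination host keys, not sessions: an entry is written once
/// on first connection and carries no timestamp, so the file corroborates
/// that a destination was contacted without saying when or how often —
/// hence `Corroborative` strength. With `HashKnownHosts yes` (the
/// Debian/Ubuntu default) host names are stored as `|1|` salted hashes and
/// must be resolved by testing candidate names against them.
pub static LINUX_SSH_KNOWN_HOSTS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_ssh_known_hosts",
name: "SSH Known Hosts (~/.ssh/known_hosts)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.ssh/known_hosts"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Previously-connected SSH server fingerprints; lateral movement destination history",
mitre_techniques: &["T1021.004", "T1083"],
fields: SSH_KEY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
// The other two SSH key-material descriptors in this section.
related_artifacts: &["linux_ssh_private_key", "linux_ssh_authorized_keys"],
sources: &[
"https://www.sans.org/blog/ssh-backdoors/",
"https://sandflysecurity.com/blog/detecting-unauthorized-ssh-keys-in-linux/",
],
// Destination list only; timing and frequency must come from the remote host's logs.
evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
evidence_caveats: &[
"With HashKnownHosts yes (the Debian/Ubuntu default) host names are stored as '|1|' salted hashes and must be resolved by testing candidate names against them",
"Entries have no timestamp and are written once per host; the file shows a destination was contacted, not when or how often — correlate with the destination's linux_auth_log",
"Absent when the client ran with StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null, a common configuration in automation tooling",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Appended on first connection to a host; persists until manually edited",
};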
/// Per-user GnuPG home directory.
///
/// Since GnuPG 2.1 private keys live in `private-keys-v1.d/*.key` (one
/// file per keygrip) and public material in `pubring.kbx`; older homes
/// use `secring.gpg`. `GNUPGHOME` relocates the whole directory.
/// NOTE(review): `fields` reuses `DPAPI_FIELDS`, which by name is a
/// Windows DPAPI schema — confirm it is the intended field set here.
pub static LINUX_GNUPG_PRIVATE: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_gnupg_private",
name: "GnuPG Private Key Store (~/.gnupg/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.gnupg"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "GnuPG private keys; enables message decryption and code-signing forgery",
mitre_techniques: &["T1552.004"],
fields: DPAPI_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user AWS CLI/SDK shared credentials file.
///
/// INI profiles holding `aws_access_key_id` / `aws_secret_access_key`;
/// long-term keys begin `AKIA`, temporary keys begin `ASIA` and carry an
/// `aws_session_token`. `~/.aws/config`, the SSO cache under
/// `~/.aws/sso/cache/`, `~/.aws/cli/cache/`, and `AWS_*` environment
/// variables are not covered by this descriptor;
/// `AWS_SHARED_CREDENTIALS_FILE` relocates the file.
pub static LINUX_AWS_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_aws_credentials",
name: "AWS Credentials (~/.aws/credentials)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.aws/credentials"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "AWS long-term or temporary credentials; enables cloud infrastructure compromise",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Docker client configuration.
///
/// Registry logins are stored under `auths` as base64 `user:password`
/// only when no credential helper is configured; with `credsStore` or
/// `credHelpers` set, the file merely names the helper and the secret lives
/// in the OS keychain or a helper-specific store, so an empty `auths` map
/// does not mean no credentials. `DOCKER_CONFIG` relocates the directory.
pub static LINUX_DOCKER_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_docker_config",
name: "Docker Config (~/.docker/config.json)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.docker/config.json"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Docker registry credentials; enables container image exfil or malicious image push",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://docs.docker.com/engine/reference/commandline/login/",
"https://www.sans.org/blog/container-forensics/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Shell Link (.lnk) files in the per-user Recent folder.
///
/// Only the Recent folder is covered; LNKs on the Desktop, in Startup
/// folders (the T1547.009 persistence case), or delivered inside
/// archives/email (the T1204.002 case) live elsewhere. The target
/// timestamps inside an LNK are copied from the target when the link is
/// written, so they can be compared against `mft_file` to show later
/// timestomping of the target.
pub static LNK_FILES: ArtifactDescriptor = ArtifactDescriptor {
id: "lnk_files",
name: "LNK / Shell Link Recent Files",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Shell Link (.lnk) files record target path, MAC timestamps, volume serial, \
and NetBIOS host — evidence of file access even after target deletion. \
BEEF0004 extension (Win8+) adds 48-bit MFT record, full 64-bit file size, \
reparse point tags (cloud sync markers), and OS version hint. \
StringData.Arguments is the primary indicator of weaponised LNKs (T1204.002). \
DriveType (FIXED/REMOVABLE/REMOTE) identifies source medium.",
mitre_techniques: &["T1547.009", "T1070.004", "T1204.002"],
fields: LNK_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["jump_list_auto", "mru_recent_docs"],
sources: &[
"https://github.com/EricZimmerman/LECmd",
"https://github.com/EricZimmerman/Lnk",
"https://github.com/kacos2000/Jumplist-Browser",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &["Can be spoofed; verify with corroborating artifacts"],
volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
volatility_rationale: "Created on file open; max ~150 recent items",
};
/// Per-user AutomaticDestinations jump lists.
///
/// The DestList stream is the authoritative MRU; each entry's embedded LNK
/// is a separate stream in the compound document. Entries outlive deletion
/// of the target file, which is what makes these useful for T1070.004. An
/// AppID hash that cannot be resolved to a name still identifies the same
/// application consistently across hosts.
pub static JUMP_LIST_AUTO: ArtifactDescriptor = ArtifactDescriptor {
id: "jump_list_auto",
name: "Jump Lists — AutomaticDestinations",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OLE Compound Document per application; DestList stream records MRU-ordered \
file access with embedded LNK entries. Filename stem is a CRC64 AppID hash \
resolved via HKCU\\...\\Search\\JumplistData or AppIdlist.csv. \
DestList entries include BEEF0004 extension: 48-bit MFT record number, \
full 64-bit file size (LNK header truncates at 4 GB), reparse tags \
(cloud sync/WSL), and OS-version hint identifying which Windows version \
created the entry (useful for roaming profiles). Also tracks Pin Entry order \
and Quick Access position for pinned items.",
mitre_techniques: &["T1547.009", "T1070.004"],
fields: JUMP_LIST_AUTO_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["lnk_files", "mru_recent_docs", "jump_list_appid_registry"],
sources: &[
"https://github.com/EricZimmerman/JLECmd",
"https://github.com/EricZimmerman/JumpList",
"https://github.com/kacos2000/Jumplist-Browser",
"https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &["Application-specific; some apps don't integrate with jump lists"],
volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
volatility_rationale: "Updated on file access; max entries per app",
};
/// Per-user CustomDestinations jump lists.
///
/// Unlike AutomaticDestinations there is no DestList: the file is a flat
/// sequence of LNK records under group headers, so there is no per-entry
/// access time and the LNK-internal timestamps are the only time source.
/// Pinned entries are written when the user pins, not on access, which is
/// why the strength is `Corroborative` rather than `Strong`.
pub static JUMP_LIST_CUSTOM: ArtifactDescriptor = ArtifactDescriptor {
id: "jump_list_custom",
name: "Jump Lists — CustomDestinations",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Application-defined jump list groups (Tasks/Recent/Pinned) stored as a \
sequence of embedded LNK records separated by group markers (0xAB FB BF BA). \
May persist after file deletion, revealing attacker-pinned tools or \
exfiltrated document access. StringData.Arguments in each embedded LNK \
is the primary weaponisation indicator — legitimate entries are empty, \
malicious entries carry PowerShell commands, encoded payloads, or C2 URLs. \
Group 'Tasks' entries are application-defined and often reveal \
installed capabilities (e.g. browser private mode, admin tools).",
mitre_techniques: &["T1547.009", "T1070.004", "T1204.002"],
fields: JUMP_LIST_CUSTOM_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["lnk_files", "jump_list_auto"],
sources: &[
"https://github.com/EricZimmerman/JLECmd",
"https://github.com/EricZimmerman/JumpList",
"https://github.com/kacos2000/Jumplist-Browser",
"https://github.com/kacos2000/Jumplist-Browser/blob/master/CustomDestinations-ms.md",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
evidence_caveats: &[
"Pinned items reflect user intent; can be manually set without file access",
],
volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
volatility_rationale: "Pinned by user; persists until app unpins",
};
/// Windows EVTX log directory (file-level enumeration only).
///
/// This descriptor lists files with `DIR_ENTRY_FIELDS`; it does not parse
/// records. For T1070.001, log clearing leaves its own trace — Security
/// event 1102 and System event 104 are written when a channel is cleared —
/// so a channel whose oldest record is much newer than its neighbours, or
/// the presence of those events, is the indicator to look for.
pub static EVTX_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_dir",
name: "Windows Event Log Directory (EVTX)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\winevt\Logs\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Binary EVTX log files — Security.evtx (4624/4625/4688), System.evtx, \
PowerShell/Operational.evtx. Primary execution, logon, and process-creation record.",
mitre_techniques: &["T1070.001", "T1059.001"],
fields: DIR_ENTRY_FIELDS,
retention: Some("configurable; default ~20MB rolling per channel"),
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/evtx"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
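/// NTFS Master File Table (`C:\$MFT`) descriptor.
///
/// Critical-priority file artifact. `meaning` explains the four analyst
/// signals: SI/FN timestamp divergence (timestomping), record slack, LSN
/// linkage to `$LogFile`, and unallocated records for deleted-file recovery.
/// The unallocated-record test is the `0x0001` in-use bit of the 16-bit
/// `Flags` field at offset 0x16 of the FILE record header; a record whose
/// in-use bit is clear is unallocated.
/// NOTE(review): `related_artifacts` lists both `"usnjrnl"` and
/// `"usn_journal"`; only `"usn_journal"` is an id defined on this page —
/// confirm `"usnjrnl"` is defined elsewhere or drop it.
pub static MFT_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "mft_file",
    name: "Master File Table ($MFT)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\$MFT"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Line continuations (`\`) drop the newline and leading whitespace, so the
    // trailing space before each `\` is what separates the sentences.
    meaning: "Complete NTFS filesystem map. Every file record contains 8 timestamps: 4 from \
        $STANDARD_INFORMATION (SI, user-space writable via SetFileTime) and 4 from \
        $FILE_NAME (FN, kernel-maintained — harder to forge). SI/FN divergence is the \
        primary timestomping indicator (T1070.006). Record slack (PhysicalSize - LogicalSize) \
        may contain prior attribute remnants. LSN links each record to its $LogFile \
        transaction for chronological ordering. Unallocated records (in-use flag 0x0001 clear \
        in the header Flags field at offset 0x16) persist until overwritten — primary \
        deleted-file recovery source.",
    mitre_techniques: &["T1070.006", "T1070.004", "T1083", "T1564.001"],
    fields: MFT_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["usnjrnl", "usn_journal", "recycle_bin", "prefetch_file", "logfile_ntfs"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table",
        "https://github.com/EricZimmerman/MFTECmd",
        "https://github.com/kacos2000/MFT_Browser",
        "https://www.sans.org/blog/windows-file-system-forensics-ntfs-master-file-table/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Timestamps susceptible to timestomping ($STANDARD_INFORMATION vs $FILE_NAME)",
        "$FILE_NAME timestamps harder to tamper; compare both",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Residual),
    volatility_rationale: "Metadata persists in unallocated MFT entries after deletion",
};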
/// NTFS change journal (`$UsnJrnl:$J`) descriptor.
///
/// `file_path` uses the `\\.\C:` device form because the `$J` alternate data
/// stream under `$Extend` is not reachable through an ordinary path.
/// `volatility` is `RotatingBuffer` and the caveat repeats that the journal is
/// circular, so absence of an entry is not evidence that an operation did not
/// occur.
/// NOTE(review): `fields` is `DIR_ENTRY_FIELDS` although this is a `File`
/// artifact — confirm the intended schema (MFT_FILE above uses `MFT_FIELDS`).
pub static USN_JOURNAL: ArtifactDescriptor = ArtifactDescriptor {
id: "usn_journal",
name: "USN Journal ($UsnJrnl:$J)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"\\.\C:\$Extend\$UsnJrnl:$J"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTFS change journal records file create/delete/rename operations with USN sequence \
number; persists even after file deletion, proving prior file existence.",
mitre_techniques: &["T1070.004", "T1059"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[
"shimcache",
"amcache_app_file",
"bam_user",
"prefetch_file",
"mft_file",
],
sources: &[
"https://github.com/EricZimmerman/MFTECmd",
"https://windowsir.blogspot.com/2022/11/challenge-7-write-up.html",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &["Circular; entries overwritten; may not have full history"],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "Circular journal; oldest entries overwritten first",
};
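/// WMI CIM repository directory (`wbem\Repository\`) descriptor.
///
/// Holds the on-disk `__EventFilter`, `__EventConsumer` and
/// `__FilterToConsumerBinding` objects that back WMI event subscription
/// persistence (T1546.003). `related_artifacts` links to the registry-side
/// index `"wmi_subscriptions"` defined below, whose `meaning` asks for exactly
/// this cross-reference, so a triage view of either artifact surfaces the other.
pub static WMI_MOF_DIR: ArtifactDescriptor = ArtifactDescriptor {
    id: "wmi_mof_dir",
    name: "WMI MOF Subscription Repository",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\wbem\Repository\"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "WMI CIM repository stores EventFilter, EventConsumer, and FilterToConsumerBinding \
        objects; persistence survives reboots and is invisible to registry-only tools.",
    mitre_techniques: &["T1546.003"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // Registry-side view of the same subscriptions; both should be checked together.
    related_artifacts: &["wmi_subscriptions"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event",
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/monitoring-and-responding-to-events-with-standard-consumers",
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/commandlineeventconsumer",
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/--filtertoconsumerbinding",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};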
/// BITS job queue directory descriptor (T1197).
///
/// Collected as a directory listing; `meaning` names `qmgr0.dat` as the queue
/// database and explains why the URL/destination/notify-command tuple matters.
/// NOTE(review): newer Windows 10 builds store the BITS queue as an ESE
/// database (`qmgr.db`) in the same directory rather than `qmgr0.dat` — confirm
/// the description covers both formats for the `Win7Plus` scope declared here.
pub static BITS_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "bits_db",
name: "BITS Job Queue Database",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\ProgramData\Microsoft\Network\Downloader\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Background Intelligent Transfer Service queue DB (qmgr0.dat); records download \
jobs including URL, destination, and command-to-notify — abused for stealthy malware staging.",
mitre_techniques: &["T1197"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal",
"https://learn.microsoft.com/en-us/powershell/module/bitstransfer/get-bitstransfer?view=windowsserver2025-ps",
"https://www.sans.org/white-papers/39195",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
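/// Field schema for WMI event subscription records.
///
/// `filter_name` is the only UID component; `consumer_type`,
/// `consumer_value` and `query` describe what fires and what runs.
/// Field initialisers are written in the order `name`, `value_type`,
/// `description`, `is_uid_component` to match the other `FieldSchema`
/// tables in this file; the resulting values are unchanged.
pub(crate) static WMI_SUB_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "filter_name",
        value_type: ValueType::Text,
        description: "WMI EventFilter name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "consumer_type",
        value_type: ValueType::Text,
        description: "Consumer type (Script/CommandLine)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "consumer_value",
        value_type: ValueType::Text,
        description: "Script or command executed on trigger",
        is_uid_component: false,
    },
    FieldSchema {
        name: "query",
        value_type: ValueType::Text,
        description: "WQL query that triggers the subscription",
        is_uid_component: false,
    },
];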
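/// Registry-side index of WMI event subscriptions (T1546.003).
///
/// Lives under `HKLM\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription`; the
/// forward slashes in `key_path` are part of the real key name, not a typo.
/// Values are decoded as `MultiSz`. `related_artifacts` links to
/// `"wmi_mof_dir"` (defined above), which `meaning` asks the analyst to
/// cross-reference — the on-disk repository is authoritative, the registry
/// index may lag or be incomplete.
pub static WMI_SUBSCRIPTIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "wmi_subscriptions",
    name: "WMI Event Subscriptions (Registry)",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\WBEM\ESS\//./root/subscription",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::MultiSz,
    meaning: "Registry-side index of WMI subscriptions; cross-reference with MOF repository for \
        complete picture of WMI-based persistence.",
    mitre_techniques: &["T1546.003"],
    fields: WMI_SUB_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    // On-disk CIM repository holding the same subscription objects.
    related_artifacts: &["wmi_mof_dir"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event",
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/monitoring-and-responding-to-events-with-standard-consumers",
        "https://learn.microsoft.com/en-us/windows/win32/wmisdk/--filtertoconsumerbinding",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};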
/// Per-user logon script value (`HKCU\Environment\UserInitMprLogonScript`).
///
/// A `RegistryValue` in `NtUser` with `User` scope: it needs no elevation to
/// set, which is why `meaning` calls it unprivileged persistence (T1037.001).
/// Decoded with `Identity` and parsed through `PERSIST_CMD_FIELDS`.
/// NOTE(review): the same value name can also be set machine-wide under
/// `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`/Environment
/// paths — confirm a system-scope counterpart exists elsewhere in the catalog.
pub static LOGON_SCRIPTS: ArtifactDescriptor = ArtifactDescriptor {
id: "logon_scripts",
name: "Logon Scripts (UserInitMprLogonScript)",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::NtUser),
key_path: r"Environment",
value_name: Some("UserInitMprLogonScript"),
file_path: None,
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Script executed at logon via WinLogon; per-user value allowing unprivileged \
persistence that survives password resets.",
mitre_techniques: &["T1037.001"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Winsock Layered Service Provider catalog (T1547.010).
///
/// `RegistryKey` under `HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9`;
/// entries are parsed with `DLL_FIELDS` so the provider DLL path is the
/// primary signal. `meaning` explains why an unexpected LSP is high-signal
/// despite being rare.
/// NOTE(review): catalog entries sit in the `Catalog_Entries` subkey and the
/// sibling `NameSpace_Catalog5` key holds namespace providers — confirm both
/// are covered by the collector for this key.
pub static WINSOCK_LSP: ArtifactDescriptor = ArtifactDescriptor {
id: "winsock_lsp",
name: "Winsock Layered Service Provider",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9",
value_name: None,
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LSP DLLs intercept all Winsock traffic; malicious LSPs can log credentials from \
plaintext protocols. Rare but high-signal indicator of network interception.",
mitre_techniques: &["T1547.010"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Custom application shim database directory (T1546.011).
///
/// Directory listing of `C:\Windows\apppatch\Custom\`, where installed
/// custom `.sdb` files are placed; `meaning` describes how a shim redirects
/// API calls or loads a DLL without touching the target binary.
/// NOTE(review): 64-bit shims are installed to the sibling `Custom64\`
/// directory and installation is recorded under
/// `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB`
/// — confirm those are covered by another descriptor.
pub static APPSHIM_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "appshim_db",
name: "Application Shim Database",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\apppatch\Custom\"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Custom SDB shim databases; attackers inject shims to redirect API calls, \
disable security checks, or load malicious DLLs without modifying the target binary.",
mitre_techniques: &["T1546.011"],
fields: DIR_ENTRY_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.hexacorn.com/blog/2013/07/04/beyond-good-ol-run-key-part-15/",
"https://www.sans.org/blog/application-shimming/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LSA password filter registration (`Notification Packages`, T1556.002).
///
/// A `MultiSz` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`;
/// each entry is a DLL name parsed through `DLL_FIELDS`. `meaning` states the
/// risk: every listed DLL is handed the cleartext password on change.
/// NOTE(review): Windows ships default entries in this value (e.g. `scecli`),
/// so detection should diff against a known baseline rather than alert on
/// any content — confirm the baseline is handled downstream.
pub static PASSWORD_FILTER_DLL: ArtifactDescriptor = ArtifactDescriptor {
id: "password_filter_dll",
name: "Password Filter DLL (Notification Packages)",
artifact_type: ArtifactType::RegistryValue,
hive: Some(HiveTarget::HklmSystem),
key_path: r"CurrentControlSet\Control\Lsa",
value_name: Some("Notification Packages"),
file_path: None,
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::MultiSz,
meaning: "DLLs registered here receive cleartext passwords during every password change; \
malicious filter captures and exfiltrates credentials.",
mitre_techniques: &["T1556.002"],
fields: DLL_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/windows/win32/secmgmt/password-filter-programming-considerations",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Word global template `Normal.dotm` (T1137.001).
///
/// Per-user `File` artifact under `%APPDATA%\Microsoft\Templates\`, parsed
/// with `FILE_PATH_FIELDS`; `meaning` records that any macro in it runs in
/// every Word session. High priority because the file legitimately exists on
/// every Word install, so presence alone is not the signal — content and
/// modification time are.
pub static OFFICE_NORMAL_DOTM: ArtifactDescriptor = ArtifactDescriptor {
id: "office_normal_dotm",
name: "Office Normal Template (Normal.dotm)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Templates\Normal.dotm"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Global Word template auto-loaded on every document open; malicious macros \
embedded here achieve persistence across all Word sessions.",
mitre_techniques: &["T1137.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/office/vba/word/concepts/customizing-word/using-events-with-the-application-object",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// All-users, all-hosts PowerShell profile (T1546.013).
///
/// System-scope `File` at `System32\WindowsPowerShell\v1.0\profile.ps1`,
/// parsed with `PERSIST_CMD_FIELDS`. `meaning` explains why it is attractive:
/// it runs for every user's session and needs no registry change.
/// NOTE(review): the per-host variant `Microsoft.PowerShell_profile.ps1` in
/// the same directory and the PowerShell 7 location under
/// `%ProgramFiles%\PowerShell\7\` are not covered by this path — confirm
/// they have their own descriptors.
pub static POWERSHELL_PROFILE_ALL: ArtifactDescriptor = ArtifactDescriptor {
id: "powershell_profile_all",
name: "PowerShell All-Users Profile (profile.ps1)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"),
scope: DataScope::System,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System-wide PowerShell profile executed for every user on every PS session start; \
SYSTEM-writable, provides privileged persistence without registry modification.",
mitre_techniques: &["T1546.013"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/opensecurity-persistence/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
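/// DPAPI master key files for the SYSTEM account (T1555.004).
///
/// Directory listing of `System32\Microsoft\Protect\S-1-5-18\User\`, where the
/// master key files themselves live; they are regular files on disk, which is
/// what `volatility_rationale` now states (the keys are not held in a registry
/// hive — the `DPAPI_SYSTEM` LSA secret needed to unwrap them is a separate
/// artifact).
/// NOTE(review): `meaning` lists "LSA secrets" among the data these keys
/// decrypt; LSA secrets are protected by the LSA key rather than by these
/// master keys, so that wording may be reversed — confirm before relying on it.
pub static DPAPI_SYSTEM_MASTERKEY: ArtifactDescriptor = ArtifactDescriptor {
    id: "dpapi_system_masterkey",
    name: "DPAPI System Master Key",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "DPAPI master keys for the SYSTEM account; used to decrypt SYSTEM-scope secrets \
        such as LSA secrets, service credentials, and scheduled task credentials.",
    mitre_techniques: &["T1555.004"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["lsa_secrets", "dpapi_masterkey_user"],
    sources: &[
        "https://github.com/gentilkiwi/mimikatz",
        "https://blog.gentilkiwi.com/securite/mimikatz/dpapi-domain-backup-keys-theft",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Required to decrypt SYSTEM-scope DPAPI blobs; requires SYSTEM privilege",
        "Loss of this key means DPAPI-protected data is unrecoverable",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    // The master keys are files under the Protect directory, not hive data.
    volatility_rationale: "SYSTEM master key files on disk; persist across reboots until rotated or deleted",
};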
/// Per-user DPAPI `CREDHIST` file (T1555.004).
///
/// `File` artifact under `%APPDATA%\Microsoft\Protect\`; `meaning` explains
/// that it chains previous master-key derivation entries so data encrypted
/// under an old password remains decryptable after a change — which also
/// makes it a target alongside the current master keys
/// (`related_artifacts: "dpapi_masterkey_user"`).
pub static DPAPI_CREDHIST: ArtifactDescriptor = ArtifactDescriptor {
id: "dpapi_credhist",
name: "DPAPI CREDHIST File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Protect\CREDHIST"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chain of previous DPAPI master key derivation entries; enables decryption of \
secrets encrypted with old passwords after a password change.",
mitre_techniques: &["T1555.004"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["dpapi_masterkey_user"],
sources: &[
"https://github.com/gentilkiwi/mimikatz",
"https://blog.gentilkiwi.com/securite/mimikatz/dpapi-domain-backup-keys-theft",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium cookie store (SQLite) descriptor (T1539, T1185).
///
/// `file_path` is the Chrome `Default` profile's `Network\Cookies` database.
/// `meaning` states the session-replay risk that justifies `High` priority.
/// NOTE(review): `name` says "Chrome/Edge" but only the Chrome path is
/// declared; Edge keeps the same layout under
/// `%LOCALAPPDATA%\Microsoft\Edge\User Data\`, and non-`Default` profiles
/// are not covered — confirm whether separate descriptors exist for those.
pub static CHROME_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "chrome_cookies",
name: "Chrome/Edge Cookies (SQLite)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SQLite database of browser session/authentication cookies; adversaries can replay \
these to bypass MFA and impersonate authenticated sessions (pass-the-cookie).",
mitre_techniques: &["T1539", "T1185"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &["chrome_login_data"],
sources: &["https://github.com/EricZimmerman/SQLECmd"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
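/// IE / Edge Legacy `WebCacheV01.dat` (ESE) descriptor (T1539, T1217).
///
/// `file_path` is the `WebCache\` directory that holds `WebCacheV01.dat` and
/// its ESE log files, which is what `name` and `meaning` describe. The
/// sibling `INetCache\` directory holds the cached content files themselves,
/// not the database, so it is not the right location for this artifact.
/// NOTE(review): the first `sources` entry (SQLECmd) is a SQLite tool, while
/// this artifact is an ESE database — confirm the intended reference.
pub static EDGE_WEBCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "edge_webcache",
    name: "IE/Edge Legacy WebCacheV01.dat",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // Database directory; cached objects live separately under INetCache\.
    file_path: Some(r"%LOCALAPPDATA%\Microsoft\Windows\WebCache\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "ESE database recording all IE/Edge Legacy web history, downloads, and cached \
        content; reveals browsing patterns and potential data exfiltration URLs.",
    mitre_techniques: &["T1539", "T1217"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/SQLECmd",
        "https://www.sans.org/blog/digital-forensics-windows-browser-artifacts/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};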
/// RAS phonebook (`rasphone.pbk`) descriptor (T1552.001).
///
/// Per-user INI `File`; `meaning` notes it holds server addresses and
/// credential *references*, not the secrets themselves, which is consistent
/// with the `Low` priority. Useful mainly for reconstructing network paths.
/// NOTE(review): a machine-wide phonebook can also exist under
/// `%ProgramData%\Microsoft\Network\Connections\Pbk\` — confirm coverage.
pub static VPN_RAS_PHONEBOOK: ArtifactDescriptor = ArtifactDescriptor {
id: "vpn_ras_phonebook",
name: "VPN Credentials — RAS Phonebook",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk"),
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Plain-text INI phonebook storing VPN connection entries including server address \
and saved credential references; reveals network pivoting paths.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://docs.microsoft.com/en-us/windows/win32/rras/ras-phone-book-files",
"https://www.sans.org/blog/digital-forensics-windows-artifact-profiles/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Hello / Next Generation Credentials (`Ngc\`) directory (T1555).
///
/// System-scope `Directory` under the LocalService profile, `Win10Plus` only
/// (Hello does not exist earlier). `meaning` describes the PIN/biometric
/// protector material kept there.
/// NOTE(review): the directory is normally ACL-restricted to SYSTEM and its
/// contents are bound to the device TPM where one is present — confirm the
/// collector runs with sufficient privilege and that the `High` priority
/// reflects that copying the folder alone rarely yields usable material.
pub static WINDOWS_HELLO_NGC: ArtifactDescriptor = ArtifactDescriptor {
id: "windows_hello_ngc",
name: "Windows Hello / NGC Folder",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some(r"C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Ngc\"),
scope: DataScope::System,
os_scope: OsScope::Win10Plus,
decoder: Decoder::Identity,
meaning: "Stores Windows Hello credential provider keys (PIN protectors, biometric keys); \
compromise reveals authentication material bypassing traditional password forensics.",
mitre_techniques: &["T1555"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/",
"https://www.sans.org/blog/digital-forensics-windows-artifact-profiles/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
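/// Per-user private key containers protected by the user's DPAPI master key
/// (T1552.004).
///
/// `file_path` points at the key store that `name` and `meaning` describe:
/// CAPI key containers live under `%APPDATA%\Microsoft\Crypto\RSA\<SID>\` and
/// CNG keys under `%APPDATA%\Microsoft\Crypto\Keys\`, so the parent
/// `%APPDATA%\Microsoft\Crypto\` directory covers both. The certificate store
/// at `%APPDATA%\Microsoft\SystemCertificates\My\` holds the public
/// certificates, not the private keys, and is a different artifact.
/// `related_artifacts` links the machine-scope counterpart defined below.
pub static USER_CERT_PRIVATE_KEY: ArtifactDescriptor = ArtifactDescriptor {
    id: "user_cert_private_key",
    name: "User Certificate Private Keys",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // Parent of both the CAPI (RSA\<SID>\) and CNG (Keys\) key directories.
    file_path: Some(r"%APPDATA%\Microsoft\Crypto\"),
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "DPAPI-protected user certificate private keys for code signing, S/MIME, and \
        smart-card emulation; exfiltration enables impersonation and signing of malicious artifacts.",
    mitre_techniques: &["T1552.004"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["machine_cert_store"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval",
        "https://github.com/gentilkiwi/mimikatz",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};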
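/// Machine-scope private key containers (`MachineKeys\`), protected by the
/// SYSTEM DPAPI master key (T1552.004).
///
/// `file_path` is the CAPI machine key directory; `meaning` lists the uses
/// (TLS client auth, signing, IPSec) that make it a credential target.
/// `related_artifacts` links the per-user counterpart defined above so the two
/// key stores are reviewed together.
/// NOTE(review): CNG machine keys are stored in the sibling
/// `C:\ProgramData\Microsoft\Crypto\Keys\` directory and are not covered by
/// this path — confirm whether a separate descriptor exists.
pub static MACHINE_CERT_STORE: ArtifactDescriptor = ArtifactDescriptor {
    id: "machine_cert_store",
    name: "Machine Certificate Private Keys",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Machine-scope RSA private keys protected by DPAPI SYSTEM; used for TLS mutual \
        auth, code signing, and IPSec — high-value credential exfiltration target.",
    mitre_techniques: &["T1552.004"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["user_cert_private_key"],
    sources: &[
        "https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval",
        "https://github.com/gentilkiwi/mimikatz",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};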
/// Linux `at` job spool directory (T1053.001).
///
/// System-scope `Directory`; each spooled job is parsed with
/// `CRON_LINE_FIELDS`. `meaning` explains the one-shot nature that makes these
/// jobs easy to miss in cron-focused reviews.
/// NOTE(review): the spool location is distribution-specific — Debian/Ubuntu
/// use `/var/spool/cron/atjobs/` rather than `/var/spool/at/` — confirm the
/// collector checks both.
pub static LINUX_AT_QUEUE: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_at_queue",
name: "AT Job Queue (/var/spool/at/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/var/spool/at/"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "One-shot delayed execution jobs from the `at` command; each file contains a shell \
script to run at a specified time, used for stealthy one-shot persistence.",
mitre_techniques: &["T1053.001"],
fields: CRON_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/linux-persistence-mechanisms/",
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// OpenSSH server configuration descriptor (T1098.004, T1021.004).
///
/// System-scope `File`; `meaning` lists the directives whose modification is
/// the review target (`AuthorizedKeysFile`, `ForceCommand`,
/// `PermitRootLogin`, `AllowUsers`). Parsed with `PERSIST_CMD_FIELDS`.
/// NOTE(review): recent OpenSSH honours an `Include` directive, and most
/// distributions ship `/etc/ssh/sshd_config.d/*.conf` drop-ins that override
/// this file — confirm the drop-in directory has its own descriptor.
pub static LINUX_SSHD_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_sshd_config",
name: "SSH Daemon Configuration (/etc/ssh/sshd_config)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/ssh/sshd_config"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "SSH server config; look for unauthorized AuthorizedKeysFile overrides, \
ForceCommand bypass, PermitRootLogin yes, or AllowUsers modifications.",
mitre_techniques: &["T1098.004", "T1021.004"],
fields: PERSIST_CMD_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://www.sans.org/blog/ssh-backdoors/",
"https://linux.die.net/man/5/sshd_config",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `/etc/group` descriptor (T1087.001, T1078.003).
///
/// System-scope `File` parsed with `ACCOUNT_FIELDS`. `meaning` gives the
/// detection use: diff group membership against `/etc/passwd` and sudo logs
/// to spot privilege-equivalent additions (`sudo`, `docker`).
/// NOTE(review): `related_artifacts` is empty although `meaning` names
/// `/etc/passwd` and the sudo log as cross-references — consider linking
/// their descriptor ids if they exist elsewhere in the catalog.
pub static LINUX_ETC_GROUP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_etc_group",
name: "Group Accounts (/etc/group)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/etc/group"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Group membership database; cross-reference with /etc/passwd and sudo log to \
detect unauthorized group additions (e.g., added to `sudo` or `docker` group).",
mitre_techniques: &["T1087.001", "T1078.003"],
fields: ACCOUNT_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://linux.die.net/man/5/group",
"https://bromiley.medium.com/torvalds-tuesday-user-accounts-597b4ca9dcaf",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// GNOME Keyring store (`~/.local/share/keyrings/`) descriptor (T1555.003).
///
/// Per-user `Directory`, `Critical` priority with `Definitive` evidence
/// strength. The caveats record the key limitation: the store is encrypted
/// with the login password and is only readable in cleartext once the user's
/// session has unlocked it. `volatility` is `Persistent` because the keyring
/// files survive until the user removes secrets.
pub static LINUX_GNOME_KEYRING: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_gnome_keyring",
name: "GNOME Keyring (keyrings/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.local/share/keyrings/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "GNOME keyring stores WiFi PSK, SSH passphrases, web service passwords, and \
browser master passwords encrypted with user login credential.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://wiki.gnome.org/Projects/GnomeKeyring"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Encrypted with user login password; accessible after user session unlock",
"Contains Wi-Fi keys, VPN credentials, and application secrets",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Keyring database file; persists until secrets removed",
};
/// KDE KWallet store (`~/.local/share/kwalletd/`) descriptor (T1555.003).
///
/// Per-user `Directory`, the KDE counterpart of the GNOME keyring entry above
/// with the same `Critical`/`Definitive`/`Persistent` classification. The
/// caveats note that content is encrypted and that coverage depends on which
/// KDE applications actually use the wallet.
pub static LINUX_KDE_KWALLET: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_kde_kwallet",
name: "KDE KWallet (kwalletd/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.local/share/kwalletd/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "KDE wallet encrypted credential store; stores passwords, SSH keys, and browser \
credentials for KDE applications.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://userbase.kde.org/KWallet"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Encrypted; requires wallet password or auto-unlock to access",
"Coverage depends on which KDE applications store credentials here",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "KWallet database file; persists until secrets removed",
};
/// Chrome `Login Data` SQLite database on Linux (T1555.003).
///
/// Per-user `File` for the `Default` profile. `meaning` and the caveats
/// record that the encryption key is held in GNOME Keyring or KWallet, so the
/// two keyring descriptors above are the natural companions of this artifact.
/// NOTE(review): `related_artifacts` is empty; `"linux_gnome_keyring"` and
/// `"linux_kde_kwallet"` are defined on this page and could be linked. The
/// Chromium/Brave/Edge profile directories under `~/.config/` are not covered
/// by this path — confirm whether they have descriptors.
pub static LINUX_CHROME_LOGIN_LINUX: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_chrome_login_linux",
name: "Chrome/Chromium Login Data (Linux)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.config/google-chrome/Default/Login Data"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "SQLite database of saved Chrome passwords on Linux; encryption key stored in \
GNOME Keyring or plaintext depending on configuration.",
mitre_techniques: &["T1555.003"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/AlessandroZ/LaZagne"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"On Linux, Chrome uses GNOME Keyring or KWallet for encryption key storage",
"Plaintext accessible if keyring is unlocked",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "SQLite DB; credentials persist until deleted from browser",
};
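/// Firefox saved logins (`logins.json` + `key4.db`) on Linux (T1555.003).
///
/// `file_path` is the Firefox profile root `~/.mozilla/firefox/`; the
/// profile subdirectory name is randomised, so a literal `logins.json` path
/// cannot be declared. The artifact is therefore typed `Directory` — matching
/// every other trailing-slash path on this page — so the collector enumerates
/// profiles rather than attempting to open the root as a single file.
/// The caveats record that `key4.db` is required for decryption and that a
/// primary password blocks access entirely.
pub static LINUX_FIREFOX_LOGINS_LINUX: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_firefox_logins_linux",
    name: "Firefox logins.json (Linux)",
    // A directory: profile folders below it have randomised names.
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.mozilla/firefox/"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "JSON-encoded saved Firefox credentials protected by NSS (key4.db); \
        can be decrypted with master password or via memory forensics of the Firefox process.",
    mitre_techniques: &["T1555.003"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/AlessandroZ/LaZagne"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Same format as Windows Firefox logins; key4.db required for decryption",
        "Primary password prevents access if set",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "JSON file; credentials persist until deleted from browser",
};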
/// Live login session table (`/run/utmp`) descriptor (T1078).
///
/// System-scope `File` parsed with `LOG_LINE_FIELDS`. `volatility` is
/// `Volatile` because `/run` is tmpfs and the table is lost at reboot, so it
/// must be captured from a live system. The second caveat gives the
/// anti-forensics detection: a session present in the socket table but
/// absent from utmp indicates entry removal. `related_artifacts` points at
/// the persistent logon records (`wtmp`, `btmp`, `lastlog`, auth log, PAM).
pub static LINUX_UTMP: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_utmp",
name: "Current Login Sessions (/run/utmp)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("/run/utmp"),
scope: DataScope::System,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Binary utmp records of currently logged-in users; cross-reference with wtmp \
to detect sessions not present in persistent logs (anti-forensics via utmp wiper).",
mitre_techniques: &["T1078"],
fields: LOG_LINE_FIELDS,
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &["linux_wtmp", "linux_btmp", "linux_lastlog", "linux_auth_log", "linux_pam_d"],
sources: &[
"https://linux.die.net/man/5/utmp",
"https://bromiley.medium.com/torvalds-tuesday-logon-history-in-the-tmp-files-83530b2acc28",
"https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering",
"https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Lives in /run (tmpfs on most modern distros); lost on reboot",
"PAM backdoors can wipe their active session entry — a session visible in network connections (ss/netstat) but absent from utmp is a strong anti-forensics indicator",
],
volatility: Some(crate::volatility::VolatilityClass::Volatile),
volatility_rationale: "Stored in /run (tmpfs); lost on reboot",
};
/// gcloud CLI credential directory (`~/.config/gcloud/`) descriptor (T1552.001).
///
/// Per-user `Directory`; `meaning` notes that the tokens and service-account
/// keys stored here grant cloud access independent of any password.
/// NOTE(review): the files of interest inside this directory are
/// `application_default_credentials.json`, `credentials.db` and
/// `access_tokens.db` — confirm the collector captures all three rather than
/// only the directory listing (`fields: FILE_PATH_FIELDS`).
pub static LINUX_GCP_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_gcp_credentials",
name: "GCP Application Default Credentials",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.config/gcloud/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "GCP access tokens and service account keys stored by gcloud CLI; \
exfiltration enables cloud resource takeover without password.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://cloud.google.com/sdk/docs/authorizing",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Azure CLI credential directory (`~/.azure/`) descriptor (T1552.001).
///
/// Per-user `Directory`; `meaning` singles out `msal_token_cache.json` as the
/// file holding live OAuth tokens. Tokens here are bearer credentials, so
/// their lifetime (not the file's) bounds the exposure window.
/// NOTE(review): `azureProfile.json` in the same directory enumerates
/// subscriptions and tenants and is useful scoping context even when the
/// token cache is expired — confirm it is captured too.
pub static LINUX_AZURE_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_azure_credentials",
name: "Azure CLI Credentials (~/.azure/)",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.azure/"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Azure CLI access tokens and service principal credentials; \
msal_token_cache.json contains active OAuth tokens enabling lateral movement in Azure.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// kubeconfig (`~/.kube/config`) descriptor (T1552.001).
///
/// Per-user `File`; `meaning` lists the credential kinds embedded in it
/// (bearer tokens, client certificates/keys) and the API endpoints they
/// authorise against.
/// NOTE(review): the `KUBECONFIG` environment variable can point at
/// additional files, and `exec`-plugin entries in the config reference
/// external credential helpers rather than embedding secrets — confirm the
/// parser distinguishes embedded credentials from helper references.
pub static LINUX_KUBE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_kube_config",
name: "Kubernetes Config (~/.kube/config)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.kube/config"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "kubectl cluster credentials including bearer tokens, client certificates, \
and cluster API endpoints; enables full cluster takeover if exfiltrated.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",
"https://www.sans.org/blog/cloud-forensics-and-incident-response/",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Git plaintext credential store (`~/.git-credentials`) descriptor (T1552.001).
///
/// Per-user `File` written by `credential.helper store`. `meaning` gives the
/// line format (URL with embedded username and token/password) and why it
/// matters: the tokens usually reach source repositories and CI/CD.
/// NOTE(review): the helper can be configured to write elsewhere via
/// `credential.helper store --file <path>` — confirm `~/.gitconfig` is
/// reviewed to discover non-default locations.
pub static LINUX_GIT_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "linux_git_credentials",
name: "Git Credential Store (~/.git-credentials)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.git-credentials"),
scope: DataScope::User,
os_scope: OsScope::Linux,
decoder: Decoder::Identity,
meaning: "Plaintext git credential store: URL + username + PAT/password per line; \
personal access tokens here can access source repositories and CI/CD pipelines.",
mitre_techniques: &["T1552.001"],
fields: FILE_PATH_FIELDS,
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://git-scm.com/docs/git-credential-store"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `~/.netrc` auto-login file used by ftp, curl and older tooling. Stores
/// machine/login/password in plaintext; rated Medium.
pub static LINUX_NETRC: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_netrc",
    name: "Netrc Credential File (~/.netrc)",
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.netrc"),
    decoder: Decoder::Identity,
    meaning: "Auto-authentication file for ftp, curl, and legacy tools; stores plaintext \
        hostname/login/password triplets, often forgotten and highly sensitive.",
    mitre_techniques: &["T1552.001"],
    fields: FILE_PATH_FIELDS,
    related_artifacts: &[],
    sources: &["https://linux.die.net/man/5/netrc"],
    retention: None,
    triage_priority: TriagePriority::Medium,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// System-wide `/etc/environment` (read by pam_env for every login session).
/// Reviewed for PATH / LD_PRELOAD style entries; uses PERSIST_CMD_FIELDS so the
/// extracted value can be surfaced like other persistence commands.
pub static LINUX_ETC_ENVIRONMENT: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_etc_environment",
    name: "System Environment Variables (/etc/environment)",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/environment"),
    decoder: Decoder::Identity,
    meaning:
        "System-wide environment variable definitions loaded for every login session and \
        PAM-based authentication. Attackers inject PATH hijacks or LD_PRELOAD values here \
        to redirect binary execution system-wide without modifying shell configuration files.",
    mitre_techniques: &["T1546.004"],
    fields: PERSIST_CMD_FIELDS,
    related_artifacts: &[],
    sources: &["https://linux.die.net/man/7/environ"],
    retention: None,
    triage_priority: TriagePriority::Medium,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
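/// Per-user XDG autostart directory (`~/.config/autostart/`). Each `.desktop`
/// file's `Exec=` runs at desktop-session start for that user only.
///
/// ATT&CK mapping: `T1547.013` is "XDG Autostart Entries"; the previous value
/// `T1547.014` is "Active Setup" (a Windows technique) and was a mis-mapping.
pub static LINUX_XDG_AUTOSTART_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_xdg_autostart_user",
    name: "XDG User Autostart (.desktop files)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.config/autostart/"),
    scope: DataScope::User,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Per-user XDG autostart .desktop files executed when a desktop session starts \
        (GNOME/KDE/XFCE). Exec= field runs arbitrary commands at GUI login without \
        root privileges — frequently overlooked by server-focused forensic checklists.",
    // T1547.013 = XDG Autostart Entries (T1547.014 is Active Setup).
    mitre_techniques: &["T1547.013"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};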
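/// System-wide XDG autostart directory (`/etc/xdg/autostart/`). Entries here
/// fire for every graphical login on the host, so writes need root.
///
/// ATT&CK mapping: `T1547.013` is "XDG Autostart Entries"; the previous value
/// `T1547.014` is "Active Setup" (a Windows technique) and was a mis-mapping.
pub static LINUX_XDG_AUTOSTART_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_xdg_autostart_system",
    name: "XDG System Autostart (.desktop files)",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/xdg/autostart/"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning:
        "System-wide XDG autostart .desktop entries executed for all users at desktop session \
        start. Provides privileged persistence targeting all GUI logins on a workstation.",
    // T1547.013 = XDG Autostart Entries (T1547.014 is Active Setup).
    mitre_techniques: &["T1547.013"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};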
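/// NetworkManager dispatcher scripts (`/etc/NetworkManager/dispatcher.d/`),
/// run as root on interface state changes.
///
/// ATT&CK mapping: the previous value `T1547.013` is "XDG Autostart Entries",
/// which does not describe this mechanism. Dispatcher scripts are event-triggered
/// execution, so the parent technique `T1546` is used; no sub-technique for this
/// specific trigger is known to the maintainers of this entry.
pub static LINUX_NETWORKMANAGER_DISPATCHER: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_networkmanager_dispatcher",
    name: "NetworkManager Dispatcher Scripts",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/NetworkManager/dispatcher.d/"),
    scope: DataScope::System,
    os_scope: OsScope::Linux,
    decoder: Decoder::Identity,
    meaning: "Scripts executed by NetworkManager when network interfaces change state (up/down). \
        Provides network-event-triggered persistence — scripts fire on VPN connect, \
        WiFi association, or interface cycling, making detection harder than at-boot persistence.",
    // Event Triggered Execution (parent technique); T1547.013 is XDG autostart, not this.
    mitre_techniques: &["T1546"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};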
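/// APT configuration snippet directory (`/etc/apt/apt.conf.d/`), scanned for
/// `DPkg::Pre-Install-Pkgs` / `DPkg::Post-Invoke` / `APT::Update::Post-Invoke`
/// hooks. Scoped to Debian-family hosts.
///
/// ATT&CK mapping: the previous value `T1546.004` is "Unix Shell Configuration
/// Modification", which does not cover package-manager hooks. The parent
/// technique `T1546` (Event Triggered Execution) is used instead.
pub static LINUX_APT_HOOKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "linux_apt_hooks",
    name: "APT Package Manager Hook Scripts",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/apt/apt.conf.d/"),
    scope: DataScope::System,
    os_scope: OsScope::LinuxDebian,
    decoder: Decoder::Identity,
    meaning: "APT configuration snippets that can define DPkg::Pre-Install-Pkgs, \
        DPkg::Post-Invoke, or APT::Update::Post-Invoke hooks; execute as root during \
        every package install or update — long-lived trigger-based privilege persistence.",
    // Event Triggered Execution (parent); T1546.004 is shell-config modification, not this.
    mitre_techniques: &["T1546"],
    fields: PERSIST_CMD_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://wiki.debian.org/DpkgTriggers"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};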
/// NTUSER `Search\JumplistData` key: AppID hash (value name) -> application
/// display name (value data). Lets AutomaticDestinations filename stems be
/// resolved offline; also an anti-forensics pivot when jump list files are gone.
pub static JUMP_LIST_APPID_REGISTRY: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_appid_registry",
    name: "JumplistData — AppID Hash Registry Index",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Search\JumplistData",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Maps 8-byte CRC64 AppID hashes to application display names. \
        AutomaticDestinations filenames use the AppID hash as the stem \
        (e.g. db53b23fd1edbd46 = WINZIP64). Without this key, filename-to-app \
        resolution requires an external lookup database. \
        Presence or absence of an AppID confirms whether an application has \
        ever been run on the system — useful for anti-forensics detection \
        (attacker may delete jump list files but forget this index key).",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: &[
        // The value name is the hash and is what makes a row unique.
        FieldSchema {
            name: "app_id_hash",
            value_type: ValueType::Text,
            description: "8-byte CRC64 hash (registry value name); \
                matches the filename stem of .automaticDestinations-ms files",
            is_uid_component: true,
        },
        FieldSchema {
            name: "app_name",
            value_type: ValueType::Text,
            description: "Application display name (registry value data)",
            is_uid_component: false,
        },
    ],
    related_artifacts: &["jump_list_auto", "jump_list_custom"],
    sources: &[
        "https://github.com/kacos2000/Jumplist-Browser",
        "https://www.hexacorn.com/blog/2013/04/30/jumplists-file-names-and-appid-calculator/",
    ],
    retention: None,
    triage_priority: TriagePriority::Medium,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Explorer\Taskband\Favorites` REG_BINARY blob: ordered list of taskbar-pinned
/// items with embedded LNK data. The `lnk_target` field identifies a row;
/// `entry_order` is its 0-based taskbar position.
pub static TASKBAND_FAVORITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "taskband_favorites",
    name: "Taskband Favorites — Taskbar Pinned Applications",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband",
    value_name: Some("Favorites"),
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Binary blob (REG_BINARY) encoding taskbar-pinned application order. \
        Contains embedded Shell Link (LNK) data for each pinned item. \
        FavoritesResolve value (same key) stores the resolved path for each entry. \
        Attackers may pin malicious tools here to survive reboots, \
        or to mimic legitimate application icons. \
        Changes to this key indicate a user (or malware) pinned/unpinned an application.",
    mitre_techniques: &["T1547.009"],
    fields: &[
        FieldSchema {
            name: "entry_order",
            value_type: ValueType::Integer,
            description: "Position of pinned item in taskbar order (0-based)",
            is_uid_component: false,
        },
        FieldSchema {
            name: "lnk_target",
            value_type: ValueType::Text,
            description: "Embedded LNK target path for the pinned application",
            is_uid_component: true,
        },
    ],
    related_artifacts: &["jump_list_auto", "lnk_files"],
    sources: &["https://github.com/kacos2000/Jumplist-Browser"],
    retention: None,
    triage_priority: TriagePriority::Medium,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// System-scope AutomaticDestinations directory under ProgramData.
///
/// NOTE(review): the widely documented jump list location is the per-user
/// `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\`; confirm this
/// ProgramData path is populated on a reference image before relying on it.
pub static JUMP_LIST_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "jump_list_system",
    name: "Jump Lists — System AutomaticDestinations",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\ProgramData\Microsoft\Windows\Recent\AutomaticDestinations\"),
    decoder: Decoder::Identity,
    meaning: "System-scope jump lists shared across all users; distinct from per-user \
        %APPDATA% copies. Each .automaticDestinations-ms is an OLE CFB containing \
        a DestList stream (AppID → target MRU) plus embedded LNK blocks.",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: DIR_ENTRY_FIELDS,
    related_artifacts: &["jump_list_auto", "jump_list_custom"],
    sources: &[
        "https://www.sans.org/blog/computer-forensics-windows-7-jump-lists/",
        "https://windowsir.blogspot.com/2011/05/jump-lists-in-win7.html",
        "https://github.com/EricZimmerman/JLECmd",
        "https://github.com/EricZimmerman/JumpList",
        "https://forensics.wiki/jump_lists/",
    ],
    retention: None,
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Office's own Recent folder (`%APPDATA%\Microsoft\Office\Recent\`). Kept
/// separately from Windows Recent Items, so it survives a "clear recent" action
/// on the Start menu / Explorer side.
pub static LNK_FILES_OFFICE: ArtifactDescriptor = ArtifactDescriptor {
    id: "lnk_files_office",
    name: "Office Recent LNK Files",
    artifact_type: ArtifactType::Directory,
    scope: DataScope::User,
    os_scope: OsScope::Win7Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"%APPDATA%\Microsoft\Office\Recent\"),
    decoder: Decoder::Identity,
    meaning: "Office-specific shell link files created for every document opened via Office. \
        Separate from Windows Recent; survives clearing of Windows Recent Items. \
        Reveals document access including network shares and USB paths.",
    mitre_techniques: &["T1547.009", "T1070.004"],
    fields: DIR_ENTRY_FIELDS,
    related_artifacts: &["lnk_files", "mru_recent_docs"],
    sources: &[
        "https://www.sans.org/blog/lnk-files-analysis-in-windows/",
        "https://windowsir.blogspot.com/2009/01/lnk-files-are-your-friends.html",
        "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/",
        "https://github.com/EricZimmerman/LECmd",
        "https://github.com/EricZimmerman/Lnk",
        "https://forensics.wiki/lnk/",
    ],
    retention: None,
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for parsed SCCA (.pf) files. `executable_name` and
/// `prefetch_hash` together identify a record; the remaining fields are
/// header / volume / file-metrics values whose availability depends on
/// `format_version` (see the per-field descriptions).
pub(crate) static PREFETCH_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "executable_name",
        value_type: ValueType::Text,
        description: "Name of the prefetched executable (up to 29 UTF-16 chars from SCCA header offset 0x10)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "format_version",
        value_type: ValueType::UnsignedInt,
        description: "SCCA format version: 17=XP/2003, 23=Vista/7, 26=Win8, 30/31=Win10/11",
        is_uid_component: false,
    },
    FieldSchema {
        name: "run_count",
        value_type: ValueType::UnsignedInt,
        description: "Cumulative execution count (offset varies by format_version)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "last_run_time",
        value_type: ValueType::Timestamp,
        description: "Most recent execution timestamp (FILETIME UTC, 100ns precision)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "previous_run_times",
        value_type: ValueType::Text,
        description: "Up to 7 prior execution timestamps (FILETIME array, v26/30/31 only)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_path",
        value_type: ValueType::Text,
        description: "Volume device path string (e.g. \\DEVICE\\HARDDISKVOLUME3) from Volumes Information block",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_creation_time",
        value_type: ValueType::Timestamp,
        description: "FILETIME (UTC) when the source volume was created; pivot to $MFT $Volume_Information",
        is_uid_component: false,
    },
    FieldSchema {
        name: "volume_serial_number",
        value_type: ValueType::UnsignedInt,
        description: "u32 volume serial number from Volumes Information; corroborates $VOLUME_INFORMATION in $MFT",
        is_uid_component: false,
    },
    FieldSchema {
        name: "referenced_files",
        value_type: ValueType::Text,
        description: "Full device paths of DLLs and files loaded during first 10 seconds of execution",
        is_uid_component: false,
    },
    FieldSchema {
        name: "mft_record_number",
        value_type: ValueType::UnsignedInt,
        description: "48-bit MFT record number of a referenced file (File Metrics flag 0x100); pivot to $MFT for timestomping detection",
        is_uid_component: false,
    },
    FieldSchema {
        name: "prefetch_hash",
        value_type: ValueType::Text,
        description: "8-hex SCCA path hash at header offset 0x4C (LE u32 of full executable device path)",
        is_uid_component: true,
    },
];
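/// `C:\Windows\Prefetch\*.pf` execution records.
///
/// Two internal inconsistencies fixed here: `retention` said 128 entries while
/// `volatility_rationale` said 1024 (128 is the Win7 cap, 1024 applies from
/// Win8 onward), and a caveat claimed Win8 keeps only one run timestamp even
/// though `PREFETCH_FIELDS` documents the 8-timestamp array for v26 (Win8).
pub static PREFETCH_FILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "prefetch_file",
    name: "Prefetch File (.pf)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\Prefetch\*.pf"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Binary execution record: executable name, 8-run-timestamp history (Win8+), \
        run count, path hash, and referenced DLL list. Win10+ files are MAM-compressed \
        (4-byte magic 0x4D 0x41 0x4D 0x04) — decompress with xpress_huff before parsing. \
        Versions: v17 (XP), v23 (Vista/7), v26 (Win8), v30/v31 (Win10+).",
    mitre_techniques: &["T1059", "T1070.004"],
    fields: PREFETCH_FIELDS,
    // Directory cap is version-dependent; keep in step with volatility_rationale below.
    retention: Some("128 entries on Win7; 1024 entries on Win8+ (oldest evicted)"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "shimcache",
        "amcache_app_file",
        "evtx_security",
        "srum_app_resource",
    ],
    sources: &[
        "https://www.sans.org/blog/computer-forensic-artifacts-windows-7-prefetch-files/",
        "https://13cubed.com/downloads/Windows_Forensic_Analysis_Poster.pdf",
        "https://isc.sans.edu/diary/Forensic+Value+of+Prefetch/29168",
        "https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/",
        "https://github.com/EricZimmerman/PECmd",
        "https://github.com/EricZimmerman/Prefetch",
        "https://github.com/kacos2000/Prefetch-Browser",
        "https://github.com/libyal/libscca/blob/main/documentation/Windows%20Prefetch%20File%20(PF)%20format.asciidoc",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
        "https://training.13cubed.com/p/courses/investigating-windows-endpoints",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Prefetch is disabled by default on Windows Server; absence does not imply non-execution on server systems",
        "Prefetch can be disabled on workstations via registry (EnablePrefetcher=0); absence does not prove non-execution",
        "Volume Serial Number embedded in .pf files can link an executable to a specific removable media source",
        "SDelete's own .pf file records the full list of files it deleted — anti-forensic tool use leaves execution evidence of the deletion itself",
        "Deleting .pf files with Shift+Delete bypasses the Recycle Bin but leaves recoverable MFT entries; USN Journal also records the deletion",
        // Matches the v26/v30/v31 previous_run_times field in PREFETCH_FIELDS.
        "Win8+ (v26/v30/v31) stores up to 8 last-run timestamps per .pf file; Win7 (v23) stores only 1 — a single .pf covers broader history on modern Windows",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Max 1024 entries on Win8+ (128 on Win7), oldest evicted first",
};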
/// Output schema for the SRUM network data usage table. A row is identified by
/// (`app_id`, `user_id`); the byte counters are per-interval aggregates.
pub(crate) static SRUM_NET_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application identifier (path or service name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "ESE column TimeStamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "bytes_sent",
        value_type: ValueType::UnsignedInt,
        description: "Total bytes sent by this app in the interval",
        is_uid_component: false,
    },
    FieldSchema {
        name: "bytes_received",
        value_type: ValueType::UnsignedInt,
        description: "Total bytes received by this app in the interval",
        is_uid_component: false,
    },
    FieldSchema {
        name: "interface_luid",
        value_type: ValueType::UnsignedInt,
        description: "Network interface LUID (resolve to adapter name via registry)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_id",
        value_type: ValueType::Text,
        description: "Wireless SSID (L2ProfileId) when network is WiFi; null for ethernet",
        is_uid_component: false,
    },
];
/// SRUM network data usage table (`{973F5D5C-...}` inside SRUDB.dat). The
/// table GUID is carried after a `:` in `file_path`.
///
/// NOTE(review): this entry uses `ArtifactType::File` while the sibling
/// `SRUM_NETWORK_CONNECTIONS` entry for the same SRUDB.dat uses
/// `ArtifactType::EseDatabase`; confirm which variant the collector dispatches on.
pub static SRUM_NETWORK_USAGE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_network_usage",
    name: "SRUM Network Data Usage Table",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{973F5D5C-1D90-11D3-AE08-00A0C90F57DA}"),
    decoder: Decoder::Identity,
    meaning:
        "ESE table {973F5D5C-1D90-11D3-AE08-00A0C90F57DA} records per-app bytes sent/received \
        per network interface per hour. ~30-day retention. Proves data exfiltration volume \
        even after log deletion; correlate AppId + UserId + BytesSent for exfil attribution.",
    mitre_techniques: &["T1049", "T1048"],
    fields: SRUM_NET_FIELDS,
    related_artifacts: &["evtx_security", "srum_app_resource", "prefetch_file"],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://www.sans.org/blog/srum-forensics/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
        "https://github.com/EricZimmerman/Srum",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
    ],
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Critical,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Aggregated bytes sent/received per process; not per-connection detail",
        "Clock skew between SRUM and event logs possible",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SRUM network table; rotated by Windows on schedule",
};
/// Output schema for the SRUM network connections table. Identified by
/// (`app_id`, `user_id`); `interface_type` uses IANA ifType codes.
pub(crate) static SRUM_NET_CONN_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application identifier (path or service name)",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Connection start time (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "interface_type",
        value_type: ValueType::UnsignedInt,
        description: "Network interface type: 6=ethernet, 71=wireless (802.11)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "connected_time",
        value_type: ValueType::UnsignedInt,
        description: "Duration of the network connection in seconds",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_id",
        value_type: ValueType::Text,
        description: "Wireless SSID when interface is WiFi; null for ethernet",
        is_uid_component: false,
    },
    FieldSchema {
        name: "l2_profile_flags",
        value_type: ValueType::UnsignedInt,
        description: "Wireless profile flags (0 = managed/infrastructure, 1 = ad-hoc)",
        is_uid_component: false,
    },
];
/// SRUM network connections table (`{DD6636C4-...}` inside SRUDB.dat):
/// connection start, interface type, duration and SSID per app/user.
pub static SRUM_NETWORK_CONNECTIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_network_connections",
    name: "SRUM Network Connections Table",
    artifact_type: ArtifactType::EseDatabase,
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\sru\SRUDB.dat:{DD6636C4-8929-4683-974E-22C046A43763}",
    ),
    decoder: Decoder::Identity,
    meaning: "ESE table {DD6636C4-8929-4683-974E-22C046A43763} records per-app \
        connection start time, interface type (ethernet/WiFi), duration, and SSID. \
        Proves which WiFi network was in use during execution — geo-context \
        for lateral movement and exfil timeline.",
    mitre_techniques: &["T1049", "T1048"],
    fields: SRUM_NET_CONN_FIELDS,
    related_artifacts: &["srum_network_usage", "srum_app_resource", "networklist_profiles"],
    sources: &[
        "https://github.com/MarkBaggett/srum-dump",
        "https://www.sans.org/white-papers/36660/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
    ],
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for the SRUM application resource usage table: per-interval
/// CPU time and cycle counters split by foreground/background, keyed by
/// (`app_id`, `user_id`).
pub(crate) static SRUM_APP_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application path or service name",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Interval timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "foreground_cpu_time",
        value_type: ValueType::UnsignedInt,
        description: "CPU time used in foreground (100ns units)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "background_cpu_time",
        value_type: ValueType::UnsignedInt,
        description: "CPU time used in background (100ns units)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "foreground_cycles",
        value_type: ValueType::UnsignedInt,
        description: "CPU cycle count in foreground",
        is_uid_component: false,
    },
    FieldSchema {
        name: "background_cycles",
        value_type: ValueType::UnsignedInt,
        description: "CPU cycle count in background",
        is_uid_component: false,
    },
];
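/// SRUM application resource usage table (`{D10CA2FE-...FA89}` inside SRUDB.dat).
///
/// The entry is rated `EvidenceStrength::Corroborative` and its caveat says the
/// metrics corroborate rather than prove execution, so `meaning` now says
/// "corroborates" instead of "proves" to match. The caveat is also narrowed to
/// CPU metrics, which is all `SRUM_APP_FIELDS` exposes.
///
/// NOTE(review): `artifact_type` is `File` here but `EseDatabase` on the sibling
/// `SRUM_NETWORK_CONNECTIONS` entry for the same SRUDB.dat; confirm which
/// variant the collector dispatches on before changing either.
pub static SRUM_APP_RESOURCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_app_resource",
    name: "SRUM Application Resource Usage Table",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"),
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    decoder: Decoder::Identity,
    // Wording kept in line with the Corroborative evidence_strength below.
    meaning: "ESE table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} records per-app CPU cycles \
        (foreground + background) per hour per user. Corroborates execution even without Prefetch \
        or Event Log entries — CPU cycles are non-zero only if the process actually ran.",
    mitre_techniques: &["T1059", "T1070.004"],
    fields: SRUM_APP_FIELDS,
    retention: Some("~30 days"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["srum_network_usage", "prefetch_file", "evtx_security"],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://www.sans.org/blog/srum-forensics/",
        "https://www.magnetforensics.com/blog/srum-forensic-analysis-of-windows-system-resource-utilization-monitor/",
        "https://github.com/EricZimmerman/Srum",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &["CPU time and cycle-count metrics only; useful for corroborating execution, not proving it"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "SRUM ESE database; rotated by Windows on schedule",
};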
/// Output schema for the SRUM energy usage table: battery charge and capacity
/// samples per interval, keyed by (`app_id`, `user_id`).
pub(crate) static SRUM_ENERGY_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application path",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Interval timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "charge_level",
        value_type: ValueType::UnsignedInt,
        description: "Battery charge level at sample time",
        is_uid_component: false,
    },
    FieldSchema {
        name: "designed_capacity",
        value_type: ValueType::UnsignedInt,
        description: "Battery designed capacity (mWh)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "full_charge_capacity",
        value_type: ValueType::UnsignedInt,
        description: "Current full charge capacity (mWh)",
        is_uid_component: false,
    },
];
/// SRUM energy usage table (`{FEE4E14F-...}` inside SRUDB.dat). Battery samples
/// give a device-presence / power-state timeline to set beside app activity.
pub static SRUM_ENERGY_USAGE: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_energy_usage",
    name: "SRUM Energy Usage Table",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win8Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}"),
    decoder: Decoder::Identity,
    meaning: "ESE table {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} records battery charge levels \
        at each sampling interval — enables timeline reconstruction of device on/off events \
        and correlates app activity with physical device presence.",
    mitre_techniques: &["T1059"],
    fields: SRUM_ENERGY_FIELDS,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://github.com/EricZimmerman/Srum",
    ],
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Output schema for the SRUM push notification table, keyed by
/// (`app_id`, `user_id`) with one row per notification.
pub(crate) static SRUM_PUSH_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "app_id",
        value_type: ValueType::Text,
        description: "Application that received notification",
        is_uid_component: true,
    },
    FieldSchema {
        name: "user_id",
        value_type: ValueType::Text,
        description: "SID of the user account",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Notification timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "notification_type",
        value_type: ValueType::UnsignedInt,
        description: "WNS notification type code",
        is_uid_component: false,
    },
    FieldSchema {
        name: "payload_size",
        value_type: ValueType::UnsignedInt,
        description: "Notification payload size in bytes",
        is_uid_component: false,
    },
];
/// SRUM push notification activity table (`{D10CA2FE-...FA86}` inside
/// SRUDB.dat). Scoped to Win10+ by this entry.
pub static SRUM_PUSH_NOTIFICATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "srum_push_notification",
    name: "SRUM Push Notification Activity Table",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\sru\SRUDB.dat:{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}"),
    decoder: Decoder::Identity,
    meaning: "ESE table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} records Windows Push Notification \
        (WNS) activity per app — reveals C2-style notification-triggered execution in \
        malicious UWP/PWA apps and confirms app network activity.",
    mitre_techniques: &["T1059"],
    fields: SRUM_PUSH_FIELDS,
    related_artifacts: &[],
    sources: &[
        "https://www.sans.org/white-papers/36660/",
        "https://github.com/EricZimmerman/Srum",
    ],
    retention: Some("~30 days"),
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Generic EVTX record schema shared by the event-log descriptors. Only
/// `event_id` is marked as a uid component; timestamp, host, subject identity
/// and the raw message XML are carried alongside.
pub(crate) static EVTX_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "event_id",
        value_type: ValueType::UnsignedInt,
        description: "Windows Event ID",
        is_uid_component: true,
    },
    FieldSchema {
        name: "timestamp",
        value_type: ValueType::Timestamp,
        description: "Event timestamp (UTC)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "computer",
        value_type: ValueType::Text,
        description: "Source computer name",
        is_uid_component: false,
    },
    FieldSchema {
        name: "subject_user_sid",
        value_type: ValueType::Text,
        description: "SID of the subject user",
        is_uid_component: false,
    },
    FieldSchema {
        name: "subject_user_name",
        value_type: ValueType::Text,
        description: "Username of the subject",
        is_uid_component: false,
    },
    FieldSchema {
        name: "message",
        value_type: ValueType::Text,
        description: "Full event message XML",
        is_uid_component: false,
    },
];
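/// `Security.evtx` descriptor.
///
/// Fixes an internal inconsistency: `retention` gave a ~20 MB default while
/// `volatility_rationale` gave 128 MB. Both are real defaults on different
/// SKUs (client installs default to 20 MB, Server / domain-controller installs
/// to 128 MB), so both strings now say so. A caveat is also added for 4688,
/// whose usefulness depends on command-line auditing being switched on.
pub static EVTX_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_security",
    name: "Security Event Log (Security.evtx)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\Security.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Primary security audit log. Key event IDs: 4624/4625 (logon success/fail), \
        4634/4647 (logoff), 4648 (explicit-cred logon), 4688/4689 (process create/exit), \
        4698/4702 (scheduled task create/modify), 4720/4732 (account create/group add), \
        4616 (system time change — primary timestomping/clock-manipulation indicator; \
        records user, previous time, new time, and process that changed the clock; \
        back-dated logon records and impossible session durations are downstream symptoms), \
        5152 (WFP blocked a packet — pivot for EDR-silencer detection and inbound \
        recon/exploitation; source IP recorded but direction is usually inbound), \
        5379 (Credential Manager credential read — detects tools like CredentialsFileView harvesting stored passwords), \
        1102 (audit log cleared — high-priority anti-forensics indicator).",
    mitre_techniques: &["T1070.001", "T1059", "T1078", "T1555"],
    fields: EVTX_FIELDS,
    // Keep in step with volatility_rationale below.
    retention: Some("configurable; default 20 MB rolling on client SKUs, 128 MB on Server/DC installs"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[
        "srum_network_usage",
        "srum_app_resource",
        "prefetch_file",
        "shimcache",
    ],
    sources: &[
        "https://www.sans.org/posters/windows-forensic-analysis/",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-security-audit-policies",
        "https://www.13cubed.com/downloads/windows_event_log_cheat_sheet.pdf",
        "https://www.magnetforensics.com/blog/the-importance-of-powershell-logs-in-digital-forensics/",
        "https://github.com/EricZimmerman/evtx",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.3_Windows_Event_Core.md",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://windowsir.blogspot.com/2023/06/events-ripper-update.html",
        "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
        "https://www.linkedin.com/posts/ahmed-thabit_dfir-digitalforensics-incidentresponse-activity",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Log can be cleared (event 1102/104); absence of log is itself evidence",
        "Requires appropriate audit policy to be enabled",
        // 4688 is only as useful as the audit configuration that produced it.
        "Event 4688 is emitted only with Audit Process Creation enabled, and carries the process command line \
        only when the 'Include command line in process creation events' policy is also on; \
        otherwise only the image path is recorded",
        "Event 4624 WorkstationName semantics differ by logon type: \
        Type 3 (Network/SMB) — WorkstationName = source machine; \
        Type 10 (RDP without NLA) — WorkstationName = destination machine, not source. \
        For RDP source attribution always use IpAddress (Source Network Address), \
        never WorkstationName alone. Using WorkstationName as the source on a Type 10 \
        event misattributes the victim host as the actor.",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; default max size is SKU-dependent (20 MB client, 128 MB Server/DC)",
};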
/// `System.evtx` descriptor. Service-install (7045) and service-crash (7031)
/// events are the main pivots; 6005/6006 bound boot/shutdown and 104 marks a
/// cleared log. `retention` and `volatility_rationale` both state the 20 MB
/// default.
pub static EVTX_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_system",
    name: "System Event Log (System.evtx)",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\System.evtx"),
    decoder: Decoder::Identity,
    meaning:
        "System-level events. Key IDs: 7045 (service installed), 7036 (service state change), \
        7031 (Service Control Manager — service crash; analyst pivot for \
        EDR/AV agent tamper attempts and failed persistence-via-service installs), \
        6005/6006 (event log start/stop — boot/shutdown boundary), \
        104 (System log cleared). Service installation (7045) is a primary \
        lateral-movement and persistence indicator. Attackers abuse sc.exe to create services \
        whose binPath uses %COMSPEC% to launch powershell.exe with -encodedcommand and \
        -w hidden flags, embedding base64-encoded (often UTF-16LE or gzip-compressed) \
        payloads directly in the event log entry. Subsequent Event IDs 7000 and 7009 \
        (service timeout/failure) are misleading — the PowerShell payload still executes \
        successfully even when Windows reports the service failed to start.",
    mitre_techniques: &["T1543.003", "T1070.001", "T1059.001"],
    fields: EVTX_FIELDS,
    related_artifacts: &["evtx_security", "scheduled_tasks_dir", "services_imagepath"],
    sources: &[
        "https://www.sans.org/posters/windows-forensic-analysis/",
        "https://learn.microsoft.com/en-us/windows/win32/eventlog/event-logging",
        "https://github.com/EricZimmerman/evtx",
        "https://az4n6.blogspot.com/2017/10/finding-and-decoding-malicious.html",
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://www.manageengine.com/products/eventlog/kb/event-7031-service-crash-help.html",
    ],
    retention: Some("configurable; default ~20MB rolling per channel"),
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Service install/start events useful; can be noisy with false positives"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; default 20 MB max",
};
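/// `Application.evtx`, restricted to the `MsiInstaller` provider.
///
/// Unlike the sibling EVTX descriptors this one is typed as an
/// [`ArtifactType::EventLog`] because it names a provider inside a shared
/// channel rather than the whole file. Volatility is now recorded the same
/// way as the other EVTX channels: the channel is a rolling buffer (see
/// `retention`), so old MsiInstaller records are lost once it wraps.
pub static EVTX_APPLICATION_MSIINSTALLER: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_application_msiinstaller",
    name: "Application Event Log — MsiInstaller Provider",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\Windows\System32\winevt\Logs\Application.evtx"),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Records written to Application.evtx by the Microsoft Installer \
        service (Source: MsiInstaller) on every MSI install/uninstall/reconfigure. \
        Key host-based artifact for MSI-borne malware (Raspberry Robin, USB-LNK \
        droppers that invoke `msiexec.exe /i <url>`, malicious .msi sideloading) \
        that open reports routinely omit. Key Event IDs: \
        1022 (product update applied), 1033 (install completed — Product Name, \
        Product Version, Manufacturer, Install Success/Failure), \
        1034 (product removal completed), 1035 (configuration change), \
        1036 (windows installer reconfigured), 1040 (transaction begun), \
        1042 (transaction ended), 11707 (Installer completed installation \
        successfully — friendly product name and language ID), 11708 \
        (Installer failed — exit code in event payload), 11724 (uninstall \
        succeeded). The MsiInstaller provider records persist in \
        Application.evtx independent of msiexec.exe Prefetch evidence and \
        survive Defender removal of the dropped MSI itself.",
    mitre_techniques: &["T1218.007", "T1204.002", "T1091"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; Application.evtx default ~20MB rolling"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "evtx_application",
        "run_key_hkcu_once",
        "run_key_hklm_once",
        "prefetch_file",
    ],
    sources: &[
        "https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin",
        "https://windowsir.blogspot.com/2023/09/the-state-of-windows-digital-analysis_19.html",
        "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Application.evtx is shared by every provider on the host, so on a busy
        // system the MsiInstaller records roll off well before the retention
        // window a reader might assume from the channel size alone.
        "Shares Application.evtx with every other provider; on noisy hosts MsiInstaller \
        records roll off quickly — export the channel early",
        "Log can be cleared; clearing of Application.evtx is recorded as event 104 in System.evtx",
    ],
    // Same circular-channel behaviour as the other EVTX descriptors.
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; Application.evtx default ~20 MB max",
};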
/// PowerShell Operational channel — module (4103) and script block (4104) logging.
///
/// Only as complete as the audit configuration on the host; the caveats note
/// that script block logging must be enabled for 4104 to exist at all.
pub static EVTX_POWERSHELL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_powershell",
    name: "PowerShell Operational Log",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    hive: None,
    key_path: "",
    value_name: None,
    // `%4` is how the channel separator `/` is encoded in the on-disk file name.
    file_path: Some(
        r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx",
    ),
    decoder: Decoder::Identity,
    meaning: "PowerShell script execution telemetry. Event 4103 (module logging — pipeline output), \
        4104 (ScriptBlock logging — full script text including deobfuscated content). \
        4104 captures AMSI-deobfuscated scripts even when encoded; \
        highest-fidelity PS forensic source when enabled.",
    fields: EVTX_FIELDS,
    mitre_techniques: &["T1059.001", "T1027"],
    triage_priority: TriagePriority::High,
    related_artifacts: &["evtx_security", "powershell_history", "powershell_profile_all"],
    retention: Some("configurable; default ~20MB rolling per channel"),
    sources: &[
        "https://www.sans.org/blog/detecting-malicious-powershell/",
        "https://redcanary.com/threat-detection-report/techniques/t1059.001/",
        "https://github.com/EricZimmerman/evtx",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires script block logging to be enabled (4104)",
        "AMSI bypass can prevent logging of obfuscated content",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; oldest events overwritten at max size",
};
/// Sysmon Operational channel — present only where Sysmon has been deployed.
///
/// What is logged is entirely driven by the Sysmon configuration, which is why
/// the caveats call that out and why the triage priority is `Critical` when
/// the channel exists.
pub static EVTX_SYSMON: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_sysmon",
    name: "Sysmon Operational Log",
    artifact_type: ArtifactType::File,
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx",
    ),
    decoder: Decoder::Identity,
    meaning: "Sysmon telemetry (requires deployment). Event 1 (process create + hashes + cmdline), \
        3 (network connection), 7 (image load), 8 (CreateRemoteThread), \
        10 (ProcessAccess — LSASS reads), 11 (file create), 22 (DNS query). \
        Gold standard for EDR-quality forensics without commercial tooling.",
    fields: EVTX_FIELDS,
    mitre_techniques: &["T1059", "T1055", "T1003.001"],
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["evtx_security", "prefetch_file", "srum_app_resource"],
    retention: Some("configurable; default ~20MB rolling per channel"),
    sources: &[
        "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
        "https://www.sans.org/blog/threat-hunting-using-sysmon/",
        "https://www.thedfirspot.com/post/sysmon-when-visibility-is-key",
        "https://github.com/EricZimmerman/evtx",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.3_Windows_Event_Core.md",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Requires Sysmon to be installed and configured",
        "Sysmon config determines what is logged",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; size depends on Sysmon config",
};
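/// Microsoft Defender AV Operational channel — detections, actions and
/// protection-configuration changes.
///
/// Volatility and caveats are now filled in to match the sibling EVTX
/// descriptors: the channel is a circular log whose default size (see
/// `retention`) is much smaller than Security/System, so detection history
/// is lost quickly, and the 5001/5004/5007 tamper events listed in `meaning`
/// are frequently the last useful entries before logging is degraded.
pub static EVTX_DEFENDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_defender_operational",
    name: "Microsoft-Windows-Windows Defender/Operational",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx",
    ),
    scope: DataScope::System,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Microsoft Defender AV operational telemetry (separate channel from Application.evtx). \
        Key Event IDs: 1116 (malware detected — name, severity, file path, user context), \
        1117 (malware action taken — quarantined/cleaned/removed), \
        1118/1119 (action failed/critically failed — file still on disk), \
        2050 (sample uploaded to MAPS cloud — file name and hash recorded; \
        high-value DFIR pivot when the dropped binary has been deleted), \
        2051 (sample could NOT be uploaded — sometimes indicates the \
        sample was already exfiltrated/deleted before MAPS submission), \
        5001 (real-time protection disabled — primary AV-tamper indicator), \
        5004/5007 (real-time protection config / Defender config changed — \
        attackers add path/process exclusions before dropping malware), \
        5010 (scanning for malware disabled), 5012 (scanning for viruses disabled). \
        Channel survives the dropped malware itself: 2050's file-hash record \
        is often the only artifact left after the malware has been cleaned.",
    mitre_techniques: &["T1562.001", "T1059", "T1027"],
    fields: EVTX_FIELDS,
    retention: Some("configurable; default ~1MB rolling per channel"),
    triage_priority: TriagePriority::High,
    related_artifacts: &[
        "evtx_security",
        "evtx_application",
        "evtx_application_msiinstaller",
        "prefetch_file",
    ],
    sources: &[
        "https://windowsir.blogspot.com/2023/08/events-ripper-updates.html",
        "https://windowsir.blogspot.com/2022/10/events-ripper.html",
        "https://kirannr.com/2020/07/02/__trashed/",
        "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
        "https://github.com/EricZimmerman/evtx",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // ~1 MB is an order of magnitude below the System/Security defaults,
        // so this channel wraps long before the others do.
        "Small default channel (~1 MB) — detection history rolls off quickly; \
        export it early in triage",
        "Only populated while Defender is the active AV; 5001/5004/5007 tamper events \
        may be the last meaningful entries before real-time protection is disabled",
        "Log can be cleared; clearing is recorded as event 104 in System.evtx",
    ],
    // Circular channel like the other EVTX descriptors, just far smaller by default.
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Circular EVTX log; default ~1 MB max — wraps far sooner than Security/System",
};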
/// Schema for [`TYPED_PATHS`]: one text column that also serves as the row UID.
pub(crate) static TYPED_PATHS_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "typed_path",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Path manually entered into Explorer address bar history",
    },
];
/// Explorer `TypedPaths` key in NTUSER.DAT — paths typed into the address bar.
pub static TYPED_PATHS: ArtifactDescriptor = ArtifactDescriptor {
    id: "typed_paths",
    name: "Explorer Typed Paths",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    // Per-user hive; the key path is relative to the hive root.
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Explorer address-bar history of manually entered local, removable, UNC, or shell paths; \
        useful for proving interactive navigation to shares and staged locations.",
    fields: TYPED_PATHS_FIELDS,
    mitre_techniques: &["T1083", "T1135"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["typed_urls", "opensave_mru", "lastvisited_mru"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/typed_paths.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`RUN_MRU`]: the MRU ordering string plus each typed command.
pub(crate) static RUN_MRU_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "mru_order",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Run dialog MRU letter ordering string",
    },
    FieldSchema {
        name: "command",
        // The command text is what makes a row unique.
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Command line entered via the Run dialog",
    },
];
/// `RunMRU` key in NTUSER.DAT — commands launched through the Run dialog.
pub static RUN_MRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "run_mru",
    name: "Run Dialog MRU",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "History of commands launched from the Windows Run dialog, including the user-maintained \
        MRU ordering string and typed execution targets.",
    fields: RUN_MRU_FIELDS,
    mitre_techniques: &["T1059"],
    triage_priority: TriagePriority::High,
    related_artifacts: &["wordwheel_query", "powershell_history", "prefetch_file"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/runmru.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`NETWORK_DRIVES`]: drive letter (UID) and the UNC target it maps to.
pub(crate) static NETWORK_DRIVES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "drive_letter",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Mapped drive letter under HKCU\\Network",
    },
    FieldSchema {
        name: "remote_path",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "UNC path of the mapped network drive",
    },
];
/// `HKCU\Network` — persistent drive-letter to UNC mappings for the user.
///
/// `value_name` names the `RemotePath` value under each drive-letter subkey.
pub static NETWORK_DRIVES: ArtifactDescriptor = ArtifactDescriptor {
    id: "network_drives",
    name: "Mapped Network Drives",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Network",
    value_name: Some("RemotePath"),
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Per-user mapped network drives including drive letter to UNC mapping; \
        useful for share-access reconstruction and lateral movement scoping.",
    fields: NETWORK_DRIVES_FIELDS,
    mitre_techniques: &["T1135"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers", "networklist_profiles"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/network_drives.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Mapped drive destinations reveal lateral movement targets; UNC paths may expose internal host names",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Mapped drive registry entry; persists until unmapped",
};
/// Schema for [`APP_PATHS`]: registered executable name (UID), resolved path,
/// and the x64 / Wow6432Node bucket the entry came from.
pub(crate) static APP_PATHS_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "application",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Executable name registered under App Paths",
    },
    FieldSchema {
        name: "path",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Default executable path resolved for the application name",
    },
    FieldSchema {
        name: "architecture",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Architecture bucket inferred from x64 or Wow6432Node path",
    },
];
/// `App Paths` under the SOFTWARE hive — executable-name resolution entries.
///
/// Reviewed for execution redirection (an entry pointing at an unexpected
/// binary) as much as for installed-software inventory.
pub static APP_PATHS: ArtifactDescriptor = ArtifactDescriptor {
    id: "app_paths",
    name: "App Paths Registry Entries",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::System,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows\CurrentVersion\App Paths",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Executable name resolution entries under App Paths and Wow6432Node App Paths; \
        useful for installed-software discovery and hijack-style execution redirection review.",
    fields: APP_PATHS_FIELDS,
    mitre_techniques: &["T1574"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["services_imagepath", "winlogon_shell"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/software/apppaths.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`MOUNTED_DEVICES`]: the raw value name (UID), the mount point it
/// resolves to, and the decoded device / partition data behind it.
pub(crate) static MOUNTED_DEVICES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "value_name",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "MountedDevices value name such as a drive letter or volume GUID",
    },
    FieldSchema {
        name: "mount_point",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Resolved drive letter or volume mount point",
    },
    FieldSchema {
        name: "device_path",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Decoded device path or partition signature data",
    },
];
/// `HKLM\SYSTEM\MountedDevices` — drive letters and volume GUIDs to device data.
pub static MOUNTED_DEVICES: ArtifactDescriptor = ArtifactDescriptor {
    id: "mounted_devices",
    name: "Mounted Devices",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::System,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::HklmSystem),
    // Key lives directly under the SYSTEM hive root.
    key_path: r"MountedDevices",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Drive-letter and volume mappings including device paths, signatures, and removable-media \
        assignments preserved under HKLM\\SYSTEM\\MountedDevices.",
    fields: MOUNTED_DEVICES_FIELDS,
    mitre_techniques: &["T1091"],
    triage_priority: TriagePriority::High,
    related_artifacts: &["usb_enum", "wifi_profiles"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/system/mountdev.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`NETWORKLIST_PROFILES`]: profile GUID (UID), display name and
/// last-connected timestamp.
pub(crate) static NETWORKLIST_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "profile_guid",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "GUID of a network profile under NetworkList",
    },
    FieldSchema {
        name: "profile_name",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Human-readable network profile name",
    },
    FieldSchema {
        name: "date_last_connected",
        is_uid_component: false,
        value_type: ValueType::Timestamp,
        description: "Timestamp of the most recent recorded connection",
    },
];
/// `NetworkList\Profiles` under the SOFTWARE hive — networks the host has joined.
///
/// The profile name is whatever the network advertised, hence the caveat that
/// it cannot be trusted on its own.
pub static NETWORKLIST_PROFILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "networklist_profiles",
    name: "Network List Profiles",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::System,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Network profile history including profile names, categories, and created/last-connected \
        dates for wired and wireless networks.",
    fields: NETWORKLIST_FIELDS,
    mitre_techniques: &["T1016"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["wifi_profiles", "network_drives"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/software/networklist.py",
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/validated_plugins.json",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &["Profile name set by router; can be spoofed by attacker-controlled AP"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Network profiles persist in registry",
};
/// Schema for [`PUTTY_SESSIONS`]: saved session name (UID), target host and user.
pub(crate) static PUTTY_SESSION_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "session_name",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Saved PuTTY session name",
    },
    FieldSchema {
        name: "hostname",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Target host configured in the PuTTY session",
    },
    FieldSchema {
        name: "username",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "User name configured for the saved session",
    },
];
/// PuTTY `Sessions` key in NTUSER.DAT — saved SSH/remote connection profiles.
pub static PUTTY_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "putty_sessions",
    name: "PuTTY Saved Sessions",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\SimonTatham\PuTTY\Sessions",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "PuTTY saved sessions, including target hostname, port, protocol, and optional proxy or \
        keyfile settings for SSH and other remote connections.",
    fields: PUTTY_SESSION_FIELDS,
    mitre_techniques: &["T1021.004"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers", "winscp_saved_sessions"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/putty.py",
        "https://the.earth.li/~sgtatham/putty/0.78/htmldoc/AppendixC.html",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`WINSCP_SAVED_SESSIONS`]: session name (UID), host and user name.
pub(crate) static WINSCP_SESSION_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "session_name",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Saved WinSCP session name",
    },
    FieldSchema {
        name: "host_name",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Target host configured in the saved WinSCP session",
    },
    FieldSchema {
        name: "user_name",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "User name configured for the saved WinSCP session",
    },
];
/// WinSCP `Sessions` key in NTUSER.DAT — the registry-backed store of saved sessions.
///
/// The INI-backed equivalent is [`WINSCP_INI`]; which one exists depends on how
/// the user configured WinSCP's storage.
pub static WINSCP_SAVED_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "winscp_saved_sessions",
    name: "WinSCP Saved Sessions",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Martin Prikryl\WinSCP 2\Sessions",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "WinSCP saved sessions, including host, username, protocol, and optionally recoverable \
        obfuscated credentials or connection defaults.",
    fields: WINSCP_SESSION_FIELDS,
    mitre_techniques: &["T1021.004", "T1555"],
    triage_priority: TriagePriority::High,
    related_artifacts: &["putty_sessions", "rdp_client_servers"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/winscp_saved_sessions.py",
        "https://winscp.net/eng/docs/ui_pref_storage",
        "https://az4n6.blogspot.com/2013/03/winscp-saved-password.html",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`WINSCP_INI`].
///
/// The first two columns (`connected_hosts`, `local_target_dirs`) are the UID
/// components and come from `[Configuration\...]` sections that WinSCP writes
/// for every connection; the `session_*` columns only exist when the user
/// explicitly saved a session.
pub(crate) static WINSCP_INI_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "connected_hosts",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "user@host entries from [Configuration\\CDCache]; \
            recorded for every connection regardless of whether the session was saved; \
            hex-encoded path suffix is last-accessed path on remote host",
    },
    FieldSchema {
        name: "local_target_dirs",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "[Configuration\\History\\LocalTarget] — local directories \
            where remote files were saved; directly identifies exfil staging paths \
            even if files were subsequently deleted",
    },
    FieldSchema {
        name: "last_local_path",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Configuration\\Interface\\Commander\\LocalPanel] LastPath — \
            last local directory open at session close; often the exfil staging folder",
    },
    FieldSchema {
        name: "session_hostname",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] HostName — target host of a saved session; \
            only present if user explicitly saved the session workspace",
    },
    FieldSchema {
        name: "session_username",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] UserName — account used for the saved session",
    },
    FieldSchema {
        name: "session_password",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] Password — XOR-obfuscated credential; \
            reversible without a key per github.com/winscp/winscp source/core/Security.cpp; \
            only present in saved sessions",
    },
    FieldSchema {
        name: "local_directory",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] LocalDirectory — local panel path at last save; \
            corroborates local_target_dirs",
    },
    FieldSchema {
        name: "remote_directory",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "[Sessions\\<name>] RemoteDirectory — last accessed path on the \
            remote host; pivot to logs on the target system",
    },
];
/// `WinSCP.ini` — the INI-backed configuration used by portable WinSCP builds.
///
/// `file_path` is a bare file name rather than an absolute path because the
/// portable build keeps the INI next to the executable and that location
/// varies per deployment (see the second caveat).
pub(crate) static WINSCP_INI: ArtifactDescriptor = ArtifactDescriptor {
    id: "winscp_ini",
    name: "WinSCP INI Configuration File",
    artifact_type: ArtifactType::File,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("WinSCP.ini"),
    decoder: Decoder::Identity,
    meaning: "WinSCP portable configuration file. Records all hosts connected to \
        ([Configuration\\CDCache]) even without an explicit session save — making it \
        the primary indicator of WinSCP-based lateral movement. Also records local \
        directories where remote files were saved ([Configuration\\History\\LocalTarget]), \
        revealing exfil staging paths. If sessions were saved, contains target hostnames, \
        usernames, and reversible obfuscated passwords. The file is updated at session \
        close: .ini last-modified vs. WinSCP.exe Prefetch run-time approximates session \
        duration. Correlate with SRUM network-usage table for bytes transferred.",
    fields: WINSCP_INI_FIELDS,
    mitre_techniques: &["T1021.004", "T1048", "T1560"],
    triage_priority: TriagePriority::High,
    related_artifacts: &["winscp_saved_sessions", "srum_network_usage", "prefetch_file"],
    retention: None,
    sources: &[
        "https://az4n6.blogspot.com/2020/02/detecting-laterial-movment-with-winscp.html",
        "https://github.com/winscp/winscp/blob/master/source/core/Security.cpp",
        "https://winscp.net/eng/docs/ui_pref_storage",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "CDCache records all hosts connected to, but reflects last-session state only; \
        entries persist across explicit session deletion but the file itself can be wiped by a cleanup-aware attacker",
        "Absence does not prove WinSCP was not used — an attacker may have deleted the file or used a version \
        that writes elsewhere (portable build path varies)",
    ],
    // Rewritten whenever a session ends, so the mtime tracks the last use.
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Updated at WinSCP session close; persistent between reboots until manually deleted",
};
/// Schema for [`WINRAR_HISTORY`]: the kind of operation and the path it touched (UID).
pub(crate) static WINRAR_HISTORY_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "operation",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Archive opened, created, or extracted",
    },
    FieldSchema {
        name: "file_path",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Archive or extraction path from WinRAR history",
    },
];
/// WinRAR key in NTUSER.DAT — history of archives opened, created and extracted.
pub static WINRAR_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "winrar_history",
    name: "WinRAR Archive History",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"SOFTWARE\WinRAR",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "WinRAR registry history of archive opens, archive creation targets, and extraction paths; \
        useful for exfiltration staging and archive reconstruction.",
    fields: WINRAR_HISTORY_FIELDS,
    mitre_techniques: &["T1560.001"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["powershell_history", "opensave_mru"],
    retention: None,
    sources: &[
        "https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/winrar.py",
        "https://www.win-rar.com/switches/settings.htm",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Schema for [`NETWORK_INTERFACES`]: interface GUID (UID) and its addressing values.
pub(crate) static NETWORK_INTERFACE_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "interface_guid",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "TCP/IP interface GUID under the Interfaces key",
    },
    FieldSchema {
        name: "ip_address",
        is_uid_component: false,
        value_type: ValueType::Text,
        description: "Static or DHCP-assigned address values associated with the interface",
    },
];
/// `Tcpip\Parameters\Interfaces` in the SYSTEM hive — per-adapter IP configuration.
pub static NETWORK_INTERFACES: ArtifactDescriptor = ArtifactDescriptor {
    id: "network_interfaces",
    name: "TCP/IP Network Interfaces",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::System,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::HklmSystem),
    key_path: r"CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Interface GUIDs with DHCP or static addressing details used to tie network activity \
        and lease information back to a host and adapter.",
    fields: NETWORK_INTERFACE_FIELDS,
    mitre_techniques: &["T1016"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["networklist_profiles", "srum_network_usage"],
    retention: None,
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
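/// `C:\pagefile.sys` — the system paging file.
///
/// Caveats and volatility were previously unset; they now record the two
/// properties that most often invalidate this artifact: its contents are
/// overwritten continuously while the system runs, and a
/// `ClearPageFileAtShutdown` policy zeroes it at shutdown, so a clean-shutdown
/// image may contain nothing useful.
pub static PAGEFILE_SYS: ArtifactDescriptor = ArtifactDescriptor {
    id: "pagefile_sys",
    name: "Pagefile.sys",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\pagefile.sys"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Virtual memory paging file containing memory-resident strings and fragments from \
        paged-out processes when full RAM capture is unavailable.",
    mitre_techniques: &["T1005"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["hiberfil_sys", "evtx_security"],
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/06_Tool_Command_Vault/6.02_Windows_DFIR_Master_Notes.md",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Contents are overwritten continuously while the system runs; only fragments survive \
        and none carry a timestamp of their own",
        // The policy value lives under Session Manager\Memory Management in the SYSTEM hive.
        "Zeroed at shutdown when the ClearPageFileAtShutdown policy is set \
        (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management)",
        "Image the file from a powered-off disk; the running OS holds it open and its contents \
        change under a live copy",
    ],
    // No rotation or persistence guarantee: the file changes with every paging event.
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Rewritten continuously by the memory manager; may be zeroed at shutdown by policy",
};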
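/// `C:\hiberfil.sys` — the hibernation image.
///
/// Caveats and volatility were previously unset. The important one for
/// interpretation is Fast Startup: on Windows 8 and later a normal shutdown
/// writes a kernel-only image after user sessions have been logged off, so
/// the "processes, sockets, and in-memory strings" promised in `meaning` are
/// only reliably present after a true hibernate.
pub static HIBERFIL_SYS: ArtifactDescriptor = ArtifactDescriptor {
    id: "hiberfil_sys",
    name: "Hibernation File (hiberfil.sys)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(r"C:\hiberfil.sys"),
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Compressed hibernation snapshot containing a point-in-time copy of system memory, \
        including processes, sockets, and in-memory strings.",
    mitre_techniques: &["T1005"],
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &["pagefile_sys", "evtx_security"],
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://forensics.wiki/hiberfil.sys/",
        "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/storport/nf-storport-storportmarkdumpmemory",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        // Fast Startup is the default on Windows 8+, so most images on disk are
        // the kernel-only kind unless the user hibernated explicitly.
        "With Fast Startup (Windows 8+) a shutdown writes a kernel-only image after users are \
        logged off; user-mode process state is only present after a true hibernate",
        "Rewritten on every hibernate / Fast Startup shutdown — the image reflects the most recent \
        one only",
        "Compressed on disk; decompress before string searching or memory analysis",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Overwritten at each hibernate or Fast Startup shutdown; persists between them",
};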
/// Schema for [`MOUNTPOINTS2`]: one text column (the mount point) that is also the UID.
pub(crate) static MOUNTPOINTS2_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "mount_point",
        is_uid_component: true,
        value_type: ValueType::Text,
        description: "Per-user mount point or device reference cached by Explorer",
    },
];
/// Explorer `MountPoints2` key in NTUSER.DAT — the per-user side of volume mounts.
///
/// Pairs with the system-wide [`MOUNTED_DEVICES`] entry to tie a device to the
/// user who interacted with it.
pub static MOUNTPOINTS2: ArtifactDescriptor = ArtifactDescriptor {
    id: "mountpoints2",
    name: "MountPoints2",
    artifact_type: ArtifactType::RegistryKey,
    scope: DataScope::User,
    os_scope: OsScope::All,
    hive: Some(HiveTarget::NtUser),
    key_path: r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2",
    value_name: None,
    file_path: None,
    decoder: Decoder::Identity,
    meaning: "Per-user record of mounted removable media and mapped resources, useful for attributing \
        USB or volume interaction to a specific logged-in user.",
    fields: MOUNTPOINTS2_FIELDS,
    mitre_techniques: &["T1091"],
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["mounted_devices", "usb_enum"],
    retention: None,
    sources: &[
        "https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv",
        "https://github.com/EricZimmerman/RECmd",
        "https://github.com/EricZimmerman/RegistryPlugins",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// HKLM `Microsoft\Windows Portable Devices\Devices`: machine-wide mapping of
/// portable-device identities to friendly names / drive assignments, used to
/// correlate USB serials with mounted letters alongside `mountpoints2`,
/// `mounted_devices` and `usb_enum`.
pub static PORTABLE_DEVICES: ArtifactDescriptor = ArtifactDescriptor {
    id: "portable_devices",
    name: "Windows Portable Devices Mapping",
    artifact_type: ArtifactType::RegistryKey,
    hive: Some(HiveTarget::HklmSoftware),
    key_path: r"Microsoft\Windows Portable Devices\Devices",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Maps portable device identities to user-visible names or drive assignments, helping correlate USB serials and mounted letters during media analysis.",
    mitre_techniques: &["T1091"],
    // NOTE(review): this is a RegistryKey artifact but reuses the file-oriented
    // FILE_PATH_FIELDS schema, whereas the neighbouring RegistryKey entry
    // MOUNTPOINTS2 declares its own key-shaped schema — confirm the collector
    // really emits path-shaped records for the device subkeys here.
    fields: FILE_PATH_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["mounted_devices", "mountpoints2", "usb_enum"],
    sources: &["https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Client-side RDP bitmap cache directory under each user's profile.
///
/// Recovered tiles show fragments of what the *local* user saw on a remote
/// desktop, which is why it is paired with the `rdp_client_servers` /
/// `rdp_client_default` registry entries that name the targets connected to.
pub static RDP_BITMAP_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "rdp_bitmap_cache",
    name: "RDP Bitmap Cache",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    // `*` stands for the per-user profile directory; scope is User accordingly.
    file_path: Some(r"C:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache"),
    scope: DataScope::User,
    os_scope: OsScope::All,
    decoder: Decoder::Identity,
    meaning: "Client-side cached bitmap fragments from RDP sessions that can reveal what was rendered on screen during remote administration or attacker activity.",
    mitre_techniques: &["T1021.001"],
    fields: DIR_ENTRY_FIELDS,
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["rdp_client_servers", "rdp_client_default"],
    sources: &["https://raw.githubusercontent.com/bitbug0x55AA/Blue_Team_Hunting_Field_Notes/main/01_Hunting_Cheatsheets/1.5_Forensics_Artifacts_Map.csv"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Apple Unified Log store under `/var/db/diagnostics/`.
///
/// System-scoped, OS-rotated log data; the primary timeline source for macOS
/// process, crash and security events, cross-referenced with
/// `macos_install_history`. No field schema is declared (`fields: &[]`).
pub static MACOS_UNIFIED_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_unified_log",
    name: "macOS Unified Log",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/var/db/diagnostics/"),
    scope: DataScope::System,
    // NOTE(review): the meaning string says the unified log exists "since
    // macOS 10.12", yet the scope is MacOS12Plus while sibling macOS entries
    // use OsScope::MacOS — confirm which version floor this variant encodes.
    os_scope: OsScope::MacOS12Plus,
    decoder: Decoder::Identity,
    meaning: "Apple Unified Logging system. Contains all system and application logs since macOS 10.12. Provides timestamped, structured log entries for process activity, crashes, and security events.",
    mitre_techniques: &["T1070.001", "T1059"],
    fields: &[],
    retention: Some("Rotated by OS; typically weeks to months"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_install_history"],
    sources: &[
        "https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs",
        "https://developer.apple.com/documentation/os/logging",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `~/Library/LaunchAgents/` directory (user-context launchd
/// persistence, T1543.001).
///
/// Classified as Strong evidence and Persistent: a plist here proves that
/// something was registered to run at login for this user, but the caveats
/// remind the analyst that legitimate software uses the same mechanism.
pub static MACOS_LAUNCH_AGENTS_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_launch_agents_user",
    name: "macOS User LaunchAgents",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/LaunchAgents/"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Per-user LaunchAgent plist files. Automatically loaded at user login. Primary persistence mechanism for malware targeting individual users.",
    mitre_techniques: &["T1543.001"],
    fields: &[],
    retention: Some("Persistent until removed"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["macos_launch_agents_system", "macos_launch_daemons"],
    sources: &[
        "https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
        "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "LaunchAgent plists in ~/Library/LaunchAgents prove user-context persistence",
        "Legitimate software also uses LaunchAgents; cross-reference signing and bundle ID",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "LaunchAgent plist persists until deleted; survives reboots",
};
/// System-wide `/Library/LaunchAgents/` directory: agents loaded for every
/// user's login session. Writing here needs root, so a non-Apple entry is an
/// elevated-privilege persistence indicator (Strong, Persistent).
pub static MACOS_LAUNCH_AGENTS_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_launch_agents_system",
    name: "macOS System LaunchAgents",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/Library/LaunchAgents/"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "System-wide LaunchAgent plist files loaded for all users. Requires root to install; used by system-level malware and legitimate software.",
    mitre_techniques: &["T1543.001"],
    fields: &[],
    retention: Some("Persistent until removed"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["macos_launch_agents_user", "macos_launch_daemons"],
    sources: &[
        "https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
        "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "System LaunchAgents require root installation; elevated-privilege persistence indicator",
        // NOTE(review): plist files themselves carry no code signature; the
        // signing check applies to the binary named by the plist's
        // Program / ProgramArguments keys — consider rewording this caveat.
        "Apple-signed plists are expected; unsigned or ad-hoc signed warrant investigation",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "System-wide LaunchAgent plist; requires root to modify",
};
/// `/Library/LaunchDaemons/`: root-context launchd jobs started at boot
/// independent of any login (T1543.004). Highest-privilege macOS persistence
/// location in this catalog; the caveats steer attribution towards install
/// history and Gatekeeper records.
pub static MACOS_LAUNCH_DAEMONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_launch_daemons",
    name: "macOS LaunchDaemons",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/Library/LaunchDaemons/"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "System LaunchDaemon plist files. Run as root at system boot, independent of user login. High-value persistence for privileged malware.",
    mitre_techniques: &["T1543.004"],
    fields: &[],
    retention: Some("Persistent until removed"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["macos_launch_agents_system"],
    sources: &[
        "https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
        "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "LaunchDaemons run as root; highest-privilege persistence mechanism on macOS",
        "Correlate with install history and Gatekeeper records for origin attribution",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "LaunchDaemon plist; persists across reboots, requires root",
};
/// Per-user TCC (Transparency, Consent, and Control) database.
///
/// This entry covers only the user-scoped `TCC.db` under
/// `~/Library/Application Support/com.apple.TCC/`; the system-wide database is
/// catalogued separately as `macos_ext::MACOS_TCC_SYSTEM_DB`.
pub static MACOS_TCC_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_tcc_db",
    name: "macOS TCC Database",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Application Support/com.apple.TCC/TCC.db"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Transparency, Consent, and Control database. Records which applications have been granted permissions (camera, microphone, Full Disk Access, etc.). Attackers may modify TCC.db to bypass privacy controls.",
    mitre_techniques: &["T1548"],
    fields: &[],
    retention: Some("Persistent; updated on permission grant/revoke"),
    triage_priority: TriagePriority::High,
    // NOTE(review): consider also cross-linking the system TCC database entry
    // from macos_ext so both permission stores are reviewed together.
    related_artifacts: &["macos_launch_agents_user"],
    sources: &[
        "https://www.sentinelone.com/blog/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/",
        "https://eclecticlight.co/2020/11/04/tcc-in-big-sur-more-permissions-issues/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user LaunchServices `QuarantineEventsV2` database.
///
/// Records the origin URL, date and quarantining agent of downloaded files,
/// and keeps doing so after the file itself is deleted — which is why it is
/// paired with `macos_safari_downloads` for download attribution.
pub static MACOS_QUARANTINE_EVENTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_quarantine_events",
    name: "macOS Quarantine Events Database",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "SQLite database recording all files downloaded from the internet with their origin URL, download date, and quarantine agent. Proves a file was downloaded even after deletion.",
    mitre_techniques: &["T1204.002"],
    fields: &[],
    retention: Some("Persistent; entries accumulate unless cleared"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_safari_downloads"],
    sources: &[
        "https://www.jaiminton.com/cheatsheet/DFIR/#quarantine-events",
        "https://eclecticlight.co/2021/06/05/checking-quarantine-flags-in-big-sur/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user Safari `History.db` (SQLite): URLs, timestamps and visit counts.
/// Cross-referenced with `macos_safari_downloads` and `macos_quarantine_events`
/// to tie browsing to downloaded payloads.
pub static MACOS_SAFARI_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_safari_history",
    name: "macOS Safari Browser History",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Safari/History.db"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "SQLite database containing Safari browsing history with URLs, timestamps, and visit counts. Key artifact for establishing attacker research, C2 communication attempts, and data exfiltration.",
    mitre_techniques: &["T1217"],
    fields: &[],
    retention: Some("Rotated; typically weeks to months of history"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_safari_downloads", "macos_quarantine_events"],
    sources: &[
        "https://www.sans.org/blog/mac-artifact-safari/",
        "https://www.magnetforensics.com/blog/artifacts-for-ios-investigations/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user Safari `Downloads.plist`: source URL, local path and date for each
/// download. Secondary (Medium) to the quarantine-events database, which it is
/// meant to corroborate.
pub static MACOS_SAFARI_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_safari_downloads",
    name: "macOS Safari Downloads",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Safari/Downloads.plist"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Plist file recording all files downloaded via Safari with source URL, local path, and download date. Corroborates quarantine events database.",
    mitre_techniques: &["T1217"],
    fields: &[],
    retention: Some("Persistent; entries accumulate"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["macos_safari_history", "macos_quarantine_events"],
    sources: &[
        "https://www.sans.org/blog/mac-artifact-safari/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `knowledgeC.db` (Duet Activity Scheduler): application usage,
/// lock/unlock events, browser activity and screen time over a rolling window
/// (~30 days per the retention note). Complements `macos_unified_log`.
pub static MACOS_KNOWLEDGEC: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_knowledgec",
    name: "macOS KnowledgeC Database",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Application Support/Knowledge/knowledgeC.db"),
    scope: DataScope::User,
    // Scoped to MacOS12Plus rather than the generic OsScope::MacOS used by most
    // sibling macOS entries — presumably intentional; verify against the enum.
    os_scope: OsScope::MacOS12Plus,
    decoder: Decoder::Identity,
    meaning: "SQLite database maintained by the Duet Activity Scheduler. Records application usage, device lock/unlock events, browser activity, and screen time. Rich timeline source for user activity reconstruction.",
    mitre_techniques: &["T1083"],
    fields: &[],
    retention: Some("Rolling window; typically 30 days"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_unified_log"],
    sources: &[
        "https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-ios-to-determine-precise-user-and-application-usage",
        "https://github.com/mac4n6/APOLLO",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `~/.bash_sessions/` directory: one command-history file per
/// terminal session (T1059.004). Still worth collecting on zsh-default systems
/// because files from earlier bash use persist.
pub static MACOS_BASH_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_bash_sessions",
    name: "macOS Bash Session History",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/.bash_sessions/"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Per-session bash history files. macOS Catalina+ uses zsh by default but bash_sessions may persist for users who used bash previously. Contains command history per terminal session.",
    mitre_techniques: &["T1059.004"],
    fields: &[],
    retention: Some("Persistent per session"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["macos_unified_log"],
    sources: &[
        "https://eclecticlight.co/2019/07/08/why-mojave-could-be-your-last-bash/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// System-wide `/Library/Receipts/InstallHistory.plist`: name, version, date
/// and source of every package installed through the macOS installer. Used for
/// origin attribution of `macos_launch_daemons` findings.
pub static MACOS_INSTALL_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_install_history",
    name: "macOS Software Install History",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/Library/Receipts/InstallHistory.plist"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Plist recording all software packages installed via macOS installer. Includes package name, version, date, and source. Useful for identifying unauthorized software installation.",
    mitre_techniques: &["T1204"],
    fields: &[],
    retention: Some("Persistent; accumulates over system lifetime"),
    triage_priority: TriagePriority::Medium,
    related_artifacts: &["macos_launch_daemons"],
    sources: &[
        "https://www.forensicmike1.com/2019/12/17/macos-forensic-artifacts-install-history/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Gatekeeper policy state (T1553.001 — Gatekeeper bypass).
pub static MACOS_GATEKEEPER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_gatekeeper_logs",
    name: "macOS Gatekeeper Assessment Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // NOTE(review): `SystemPolicy-prefs.plist` holds the Gatekeeper
    // enable/disable preference; per-application allow/block decisions are
    // recorded elsewhere (the SystemPolicy database and the unified log). The
    // name and meaning describe assessment logs — confirm this path is the
    // artifact actually intended, or split it into two entries.
    file_path: Some("/var/db/SystemPolicy-prefs.plist"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Gatekeeper policy database and assessment logs. Records which applications were allowed or blocked by Gatekeeper. Useful for detecting Gatekeeper bypass attempts.",
    mitre_techniques: &["T1553.001"],
    fields: &[],
    retention: Some("Persistent; updated on policy decisions"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_tcc_db"],
    sources: &[
        "https://support.apple.com/en-us/102445",
        "https://www.sentinelone.com/blog/gatekeeper-bypass-macos-security/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user login keychain (`login.keychain-db`), T1555.001.
///
/// Rated Corroborative rather than Definitive: the file is encrypted with the
/// user password, so without it the analyst only learns that entries exist,
/// not their contents (see the caveats).
pub static MACOS_KEYCHAIN_USER: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_keychain_user",
    name: "macOS User Keychain",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("~/Library/Keychains/login.keychain-db"),
    scope: DataScope::User,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "User keychain database storing passwords, certificates, and private keys. Unlocked at login with user password. Attackers with user access can dump all stored credentials.",
    mitre_techniques: &["T1555.001"],
    fields: &[],
    retention: Some("Persistent; updated on credential add/remove"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["macos_tcc_db"],
    sources: &[
        "https://www.hexnode.com/blogs/macos-keychain-forensics/",
        "https://github.com/n0fate/chainbreaker",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Keychain DB requires user unlock; credential entries show what accounts were stored",
        "Cannot be read without unlocking; useful post-acquisition with user password",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Keychain DB; persists until item deletion or keychain reset",
};
/// `/etc/emond.d/rules/`: Event Monitor Daemon rule plists (T1546). Relevant
/// on older macOS releases only, per the meaning string; paired with
/// `macos_launch_daemons` since emond itself is launchd-managed.
pub static MACOS_EMOND: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_emond",
    name: "macOS Event Monitor Daemon Rules",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/etc/emond.d/rules/"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "emond plist rules executed by the Event Monitor Daemon. Deprecated in macOS 12 but exploited for persistence on older versions. Rules can execute commands on system events.",
    mitre_techniques: &["T1546"],
    fields: &[],
    retention: Some("Persistent until removed"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_launch_daemons"],
    sources: &[
        "https://www.xorrior.com/emond-persistence/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `/Library/Logs/DiagnosticReports/`: CoreAnalytics execution reports, the
/// closest macOS analogue to Windows Prefetch for proving that a binary ran.
pub static MACOS_COREANALYTICS: ArtifactDescriptor = ArtifactDescriptor {
    id: "macos_coreanalytics",
    name: "macOS CoreAnalytics Execution Reports",
    artifact_type: ArtifactType::Directory,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("/Library/Logs/DiagnosticReports/"),
    scope: DataScope::System,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    // NOTE(review): the CoreAnalytics report files in this directory are
    // usually cited with the `.core_analytics` extension — confirm the
    // ".ca_report" wording below before it is used to filter the directory.
    meaning: "Execution reports generated by macOS diagnostics. CoreAnalytics .ca_report files record process execution metadata including SHA256 hashes. Provides execution evidence similar to Windows Prefetch.",
    mitre_techniques: &["T1059"],
    fields: &[],
    retention: Some("Rolling; older reports auto-deleted"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["macos_unified_log"],
    sources: &[
        "https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/",
        "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Field schema for [`MEM_RUNNING_PROCESSES`]. Only `pid` is a UID component,
/// so records are keyed by process id; `name` and `path` are descriptive.
pub(crate) static MEM_RUNNING_PROCESSES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "pid",
        value_type: ValueType::UnsignedInt,
        description: "Process identifier",
        is_uid_component: true,
    },
    FieldSchema {
        name: "name",
        value_type: ValueType::Text,
        description: "Process image name",
        is_uid_component: false,
    },
    FieldSchema {
        name: "path",
        value_type: ValueType::Text,
        description: "Full executable path from process object",
        is_uid_component: false,
    },
];
/// Process list carved from a RAM image (T1057 / T1055).
///
/// Memory-region artifact with no on-disk path: it exists only while the host
/// is powered, hence Volatile and the "requires active acquisition" caveat.
/// Anchor for the other `mem_*` entries (modules, connections).
pub static MEM_RUNNING_PROCESSES: ArtifactDescriptor = ArtifactDescriptor {
    id: "mem_running_processes",
    name: "Running Processes (Memory)",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "Live process list from RAM; reveals injected processes, hollowing, and malware hiding from OS APIs",
    mitre_techniques: &["T1057", "T1055"],
    fields: MEM_RUNNING_PROCESSES_FIELDS,
    retention: Some("RAM only; lost on power-off"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["mem_loaded_modules", "mem_network_connections"],
    sources: &[
        "https://volatilityfoundation.org/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Live RAM only; requires active acquisition"],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "RAM; lost on power-off",
};
/// Field schema for [`MEM_NETWORK_CONNECTIONS`]. The local/remote endpoint
/// pair forms the UID; `state` and the owning `pid` are descriptive.
pub(crate) static MEM_NETWORK_CONNECTIONS_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "local_addr",
        value_type: ValueType::Text,
        description: "Local IP address and port",
        is_uid_component: true,
    },
    FieldSchema {
        name: "remote_addr",
        value_type: ValueType::Text,
        description: "Remote IP address and port",
        is_uid_component: true,
    },
    FieldSchema {
        name: "state",
        value_type: ValueType::Text,
        description: "TCP connection state (ESTABLISHED, LISTEN, etc.)",
        is_uid_component: false,
    },
    FieldSchema {
        name: "pid",
        value_type: ValueType::UnsignedInt,
        description: "Owning process identifier",
        is_uid_component: false,
    },
];
/// Socket/connection table recovered from kernel structures in RAM (T1049).
/// Volatile by nature; the retention and caveat strings both warn that
/// connections can close between triggering and acquisition.
pub static MEM_NETWORK_CONNECTIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "mem_network_connections",
    name: "Network Connections (Memory)",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "Active and recently closed network connections from kernel socket structures; reveals C2 channels and lateral movement paths",
    mitre_techniques: &["T1049"],
    fields: MEM_NETWORK_CONNECTIONS_FIELDS,
    retention: Some("RAM only; connections may close during acquisition"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["mem_running_processes"],
    sources: &[
        "https://volatilityfoundation.org/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Volatile; connections may close during acquisition"],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "RAM; lost on power-off",
};
/// Field schema for [`MEM_LOADED_MODULES`]. Keyed by `base_addr` alone; note
/// that base addresses are per-process virtual addresses, so the same value
/// can legitimately recur across different processes.
pub(crate) static MEM_LOADED_MODULES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "base_addr",
        value_type: ValueType::UnsignedInt,
        description: "Module base address in process virtual memory",
        is_uid_component: true,
    },
    FieldSchema {
        name: "name",
        value_type: ValueType::Text,
        description: "Module image name",
        is_uid_component: false,
    },
    FieldSchema {
        name: "path",
        value_type: ValueType::Text,
        description: "Full path of the loaded DLL or module",
        is_uid_component: false,
    },
];
/// DLLs / modules mapped into process address spaces, from RAM (T1055).
pub static MEM_LOADED_MODULES: ArtifactDescriptor = ArtifactDescriptor {
    id: "mem_loaded_modules",
    name: "Loaded Modules (Memory)",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "DLLs and modules loaded into process address spaces; detects reflective DLL injection and unsigned in-memory modules",
    mitre_techniques: &["T1055"],
    fields: MEM_LOADED_MODULES_FIELDS,
    retention: Some("RAM only; lost on power-off"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["mem_running_processes"],
    sources: &[
        "https://volatilityfoundation.org/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    // NOTE(review): "unlisted modules indicate injection" overstates the
    // evidence — a module missing from the loader lists is an indicator that
    // still needs corroboration; consider softening the caveat wording.
    evidence_caveats: &["Live RAM only; requires active acquisition; unlisted modules indicate injection"],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "RAM; lost on power-off",
};
/// Field schema for [`MEM_REGISTRY_HIVES`]: records keyed by hive name, with
/// the kernel-space base address carried as descriptive data.
pub(crate) static MEM_REGISTRY_HIVES_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "hive_name",
        value_type: ValueType::Text,
        description: "Name of the in-memory registry hive",
        is_uid_component: true,
    },
    FieldSchema {
        name: "base_addr",
        value_type: ValueType::UnsignedInt,
        description: "Hive CM_HIVE base address in kernel memory",
        is_uid_component: false,
    },
];
/// Registry hives as resident in kernel memory (T1012). Valuable because the
/// in-memory state can include keys already deleted on disk and volatile hives
/// that were never flushed — which is also why the caveat warns it may differ
/// from the on-disk hive files.
pub static MEM_REGISTRY_HIVES: ArtifactDescriptor = ArtifactDescriptor {
    id: "mem_registry_hives",
    name: "In-Memory Registry Hives",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "Registry hives as held in kernel memory; may reveal keys deleted on disk, transient values, and malware-created volatile hives not flushed to disk",
    mitre_techniques: &["T1012"],
    fields: MEM_REGISTRY_HIVES_FIELDS,
    retention: Some("RAM only; lost on power-off"),
    triage_priority: TriagePriority::High,
    related_artifacts: &["mem_running_processes"],
    sources: &[
        "https://volatilityfoundation.org/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Live RAM only; in-memory hive state may differ from on-disk"],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "RAM; lost on power-off",
};
/// Field schema for [`MEM_USER_CREDENTIALS`]: keyed by account name, with the
/// credential material's type (hash, ticket, cleartext, …) as descriptive
/// data. The secret value itself is not part of the schema.
pub(crate) static MEM_USER_CREDENTIALS_FIELDS: &[FieldSchema] = &[
    FieldSchema {
        name: "account",
        value_type: ValueType::Text,
        description: "Account name associated with the credential material",
        is_uid_component: true,
    },
    FieldSchema {
        name: "credential_type",
        value_type: ValueType::Text,
        description: "Type of credential (NTLM hash, Kerberos ticket, cleartext, etc.)",
        is_uid_component: false,
    },
];
/// Credential material cached in LSASS process memory (T1003.001).
///
/// Critical-priority, Definitive, Volatile: present only in a live RAM capture.
pub static MEM_USER_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
    id: "mem_user_credentials",
    name: "User Credentials in Memory (LSASS)",
    artifact_type: ArtifactType::MemoryRegion,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: None,
    scope: DataScope::System,
    os_scope: OsScope::Win10Plus,
    decoder: Decoder::Identity,
    meaning: "NTLM hashes, Kerberos tickets, and cleartext credentials cached in LSASS process memory; most valuable live artifact for credential theft detection",
    mitre_techniques: &["T1003.001"],
    fields: MEM_USER_CREDENTIALS_FIELDS,
    retention: Some("RAM only; lost on power-off"),
    triage_priority: TriagePriority::Critical,
    related_artifacts: &["mem_running_processes"],
    sources: &[
        "https://volatilityfoundation.org/",
        "https://www.sans.org/blog/protecting-privileged-domain-accounts-lsa-secrets-good-times/",
    ],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    // NOTE(review): this caveat restates the artifact's value rather than a
    // limitation. Hosts with LSA Protection (catalogued separately as
    // windows_evtx_ext::EVTX_LSA_PROTECTION) or Credential Guard enabled may
    // hold little or no cleartext/NTLM material in LSASS, so an empty result is
    // not evidence of absence — consider stating that here.
    evidence_caveats: &["Credentials in memory (LSASS); most valuable live artifact"],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "RAM; lost on power-off",
};
pub(crate) static CATALOG_ENTRIES: &[ArtifactDescriptor] = &[
USERASSIST_EXE,
USERASSIST_FOLDER,
USERASSIST_XP_EXE,
USERASSIST_XP_IE_FAVORITES,
USERASSIST_XP_IE7,
RUN_KEY_HKLM_RUN,
RUN_KEY_HKCU_RUN,
RUN_KEY_HKCU_RUNONCE,
RUN_KEY_HKLM_RUNONCE,
TYPED_URLS,
TYPED_URLS_TIME,
PCA_APPLAUNCH_DIC,
PCA_GENERAL_DB,
WINDOWS_HOSTS_FILE,
DNS_POLICY_CONFIG_NRPT,
IFEO_DEBUGGER,
SHELLBAGS_USER,
AMCACHE_APP_FILE,
SHIMCACHE,
SHIMCACHE_MEMORY,
BAM_USER,
DAM_USER,
SAM_USERS,
LSA_SECRETS,
DCC2_CACHE,
MRU_RECENT_DOCS,
USB_ENUM,
MUICACHE,
APPINIT_DLLS,
WINLOGON_USERINIT,
SCREENSAVER_EXE,
WINLOGON_SHELL,
SERVICES_IMAGEPATH,
ACTIVE_SETUP_HKLM,
ACTIVE_SETUP_HKCU,
COM_HIJACK_CLSID_HKCU,
APPCERT_DLLS,
BOOT_EXECUTE,
LSA_SECURITY_PKGS,
LSA_AUTH_PKGS,
PRINT_MONITORS,
TIME_PROVIDERS,
NETSH_HELPER_DLLS,
BROWSER_HELPER_OBJECTS,
STARTUP_FOLDER_USER,
STARTUP_FOLDER_SYSTEM,
SCHEDULED_TASKS_DIR,
WDIGEST_CACHING,
MFT,
USNJRNL,
LOGFILE_NTFS,
WORDWHEEL_QUERY,
OPENSAVE_MRU,
LASTVISITED_MRU,
PREFETCH_DIR,
SRUM_DB,
WINDOWS_TIMELINE,
WINDOWS_TIMELINE_DEVICECACHE,
WINDOWS_SEARCH_DB_WIN11,
POWERSHELL_HISTORY,
RECYCLE_BIN,
THUMBCACHE,
SEARCH_DB_USER,
DPAPI_MASTERKEY_USER,
DPAPI_CRED_USER,
DPAPI_CRED_ROAMING,
WINDOWS_VAULT_USER,
WINDOWS_VAULT_SYSTEM,
RDP_CLIENT_SERVERS,
RDP_CLIENT_DEFAULT,
NTDS_DIT,
CHROME_LOGIN_DATA,
FIREFOX_LOGINS,
WIFI_PROFILES,
TYPED_PATHS,
RUN_MRU,
NETWORK_DRIVES,
APP_PATHS,
MOUNTED_DEVICES,
NETWORKLIST_PROFILES,
PUTTY_SESSIONS,
WINSCP_SAVED_SESSIONS,
WINSCP_INI,
WINRAR_HISTORY,
NETWORK_INTERFACES,
PAGEFILE_SYS,
HIBERFIL_SYS,
MOUNTPOINTS2,
PORTABLE_DEVICES,
RDP_BITMAP_CACHE,
LINUX_CRONTAB_SYSTEM,
LINUX_CRON_D,
LINUX_CRON_PERIODIC,
LINUX_USER_CRONTAB,
LINUX_ANACRONTAB,
LINUX_SYSTEMD_SYSTEM_UNIT,
LINUX_SYSTEMD_USER_UNIT,
LINUX_SYSTEMD_TIMER,
LINUX_RC_LOCAL,
LINUX_INIT_D,
LINUX_BASHRC_USER,
LINUX_BASH_PROFILE_USER,
LINUX_PROFILE_USER,
LINUX_ZSHRC_USER,
LINUX_PROFILE_SYSTEM,
LINUX_PROFILE_D,
LINUX_LD_SO_PRELOAD,
LINUX_LD_SO_CONF_D,
LINUX_SSH_AUTHORIZED_KEYS,
LINUX_PAM_MODULE_DIR,
LINUX_PAM_D,
LINUX_SUDOERS_D,
LINUX_MODULES_LOAD_D,
LINUX_MOTD_D,
LINUX_UDEV_RULES_D,
LINUX_BASH_HISTORY,
LINUX_ZSH_HISTORY,
LINUX_WTMP,
LINUX_BTMP,
LINUX_LASTLOG,
LINUX_AUTH_LOG,
LINUX_JOURNAL_DIR,
LINUX_PASSWD,
LINUX_SHADOW,
LINUX_SSH_PRIVATE_KEY,
LINUX_SSH_KNOWN_HOSTS,
LINUX_GNUPG_PRIVATE,
LINUX_AWS_CREDENTIALS,
LINUX_DOCKER_CONFIG,
LNK_FILES,
JUMP_LIST_AUTO,
JUMP_LIST_CUSTOM,
JUMP_LIST_APPID_REGISTRY,
TASKBAND_FAVORITES,
EVTX_DIR,
MFT_FILE,
USN_JOURNAL,
WMI_MOF_DIR,
BITS_DB,
WMI_SUBSCRIPTIONS,
LOGON_SCRIPTS,
WINSOCK_LSP,
APPSHIM_DB,
PASSWORD_FILTER_DLL,
OFFICE_NORMAL_DOTM,
POWERSHELL_PROFILE_ALL,
DPAPI_SYSTEM_MASTERKEY,
DPAPI_CREDHIST,
CHROME_COOKIES,
EDGE_WEBCACHE,
VPN_RAS_PHONEBOOK,
WINDOWS_HELLO_NGC,
USER_CERT_PRIVATE_KEY,
MACHINE_CERT_STORE,
LINUX_AT_QUEUE,
LINUX_SSHD_CONFIG,
LINUX_ETC_GROUP,
LINUX_GNOME_KEYRING,
LINUX_KDE_KWALLET,
LINUX_CHROME_LOGIN_LINUX,
LINUX_FIREFOX_LOGINS_LINUX,
LINUX_UTMP,
LINUX_GCP_CREDENTIALS,
LINUX_AZURE_CREDENTIALS,
LINUX_KUBE_CONFIG,
LINUX_GIT_CREDENTIALS,
LINUX_NETRC,
LINUX_ETC_ENVIRONMENT,
LINUX_XDG_AUTOSTART_USER,
LINUX_XDG_AUTOSTART_SYSTEM,
LINUX_NETWORKMANAGER_DISPATCHER,
LINUX_APT_HOOKS,
JUMP_LIST_SYSTEM,
LNK_FILES_OFFICE,
PREFETCH_FILE,
SRUM_NETWORK_USAGE,
SRUM_NETWORK_CONNECTIONS,
SRUM_APP_RESOURCE,
SRUM_ENERGY_USAGE,
SRUM_PUSH_NOTIFICATION,
EVTX_SECURITY,
EVTX_SYSTEM,
EVTX_POWERSHELL,
EVTX_APPLICATION_MSIINSTALLER,
EVTX_SYSMON,
EVTX_DEFENDER_OPERATIONAL,
MACOS_UNIFIED_LOG,
MACOS_LAUNCH_AGENTS_USER,
MACOS_LAUNCH_AGENTS_SYSTEM,
MACOS_LAUNCH_DAEMONS,
MACOS_TCC_DB,
MACOS_QUARANTINE_EVENTS,
MACOS_SAFARI_HISTORY,
MACOS_SAFARI_DOWNLOADS,
MACOS_KNOWLEDGEC,
MACOS_BASH_SESSIONS,
MACOS_INSTALL_HISTORY,
MACOS_GATEKEEPER_LOGS,
MACOS_KEYCHAIN_USER,
MACOS_EMOND,
MACOS_COREANALYTICS,
MEM_RUNNING_PROCESSES,
MEM_NETWORK_CONNECTIONS,
MEM_LOADED_MODULES,
MEM_REGISTRY_HIVES,
MEM_USER_CREDENTIALS,
windows_registry_ext::SAFEBOOT_MINIMAL,
windows_registry_ext::SAFEBOOT_NETWORK,
windows_registry_ext::KNOWN_DLLS,
windows_registry_ext::CMD_AUTORUN_HKLM,
windows_registry_ext::CMD_AUTORUN_HKCU,
windows_registry_ext::CREDENTIAL_PROVIDERS,
windows_registry_ext::NETWORK_PROVIDER_ORDER,
windows_registry_ext::SHELL_EXECUTE_HOOKS,
windows_registry_ext::WER_RUNTIME_EXCEPTION_HELPER,
windows_registry_ext::IFEO_GLOBAL_FLAG,
windows_registry_ext::SCHEDULED_TASK_REGISTRY_CACHE,
windows_registry_ext::GROUP_POLICY_STARTUP_SCRIPTS,
windows_registry_ext::GROUP_POLICY_LOGON_SCRIPTS,
windows_registry_ext::WINLOGON_NOTIFY,
windows_registry_ext::COM_SERVER_HKLM,
windows_registry_ext::OFFICE_ADDINS,
windows_registry_ext::TERMINAL_SERVER_INITIAL_PROGRAM,
windows_registry_ext::RECENTAPPS,
windows_registry_ext::NETWORK_SHARES_HKCU,
windows_registry_ext::DEFAULT_BROWSER,
windows_registry_ext::PROXY_SETTINGS,
windows_registry_ext::SYSTEM_TIMEZONE,
windows_registry_ext::COMPUTER_NAME,
windows_registry_ext::SHUTDOWN_TIME,
windows_registry_ext::USB_STOR_ENUM,
windows_registry_ext::SETUPAPI_DEV_LOG,
windows_registry_ext::UNINSTALL_KEYS,
windows_registry_ext::USER_ACCOUNT_SID,
windows_registry_ext::TERMINAL_SERVER_CLIENT_SERVERS,
windows_registry_ext::INTERNET_EXPLORER_TYPED_URLS,
windows_evtx_ext::EVTX_TASK_SCHEDULER,
windows_evtx_ext::EVTX_RDP_CLIENT,
windows_evtx_ext::EVTX_RDP_INBOUND,
windows_evtx_ext::EVTX_RDP_SESSION,
windows_evtx_ext::EVTX_WINRM,
windows_evtx_ext::EVTX_WMI_ACTIVITY,
windows_evtx_ext::EVTX_BITS_CLIENT,
windows_evtx_ext::EVTX_APPLOCKER,
windows_evtx_ext::EVTX_APPLOCKER_SCRIPT,
windows_evtx_ext::EVTX_DEFENDER,
windows_evtx_ext::EVTX_FIREWALL,
windows_evtx_ext::EVTX_CODE_INTEGRITY,
windows_evtx_ext::EVTX_NTLM,
windows_evtx_ext::EVTX_PRINT_SERVICE,
windows_evtx_ext::EVTX_NETLOGON,
windows_evtx_ext::EVTX_SMB_CLIENT,
windows_evtx_ext::EVTX_NETWORK_PROFILE,
windows_evtx_ext::EVTX_KERNEL_PNP,
windows_evtx_ext::EVTX_DRIVER_FRAMEWORKS,
windows_evtx_ext::EVTX_LSA_PROTECTION,
windows_evtx_ext::EVTX_CAPI2,
windows_evtx_ext::EVTX_POWERSHELL_CLASSIC,
windows_evtx_ext::EVTX_DNS_CLIENT,
windows_evtx_ext::EVTX_TERMINAL_SERVICES,
windows_evtx_ext::EVTX_APPLICATION_EXPERIENCE_TELEMETRY,
macos_ext::MACOS_FSEVENTS,
macos_ext::MACOS_BIOME_APP_MENUITEM,
macos_ext::MACOS_SPOTLIGHT_STORE,
macos_ext::MACOS_DOCK_PLIST,
macos_ext::MACOS_LOGIN_ITEMS_PLIST,
macos_ext::MACOS_SFL2_RECENT_ITEMS,
macos_ext::MACOS_SFL2_RECENT_SERVERS,
macos_ext::MACOS_WIFI_PLIST,
macos_ext::MACOS_SCREEN_TIME_DB,
macos_ext::MACOS_TCC_SYSTEM_DB,
macos_ext::MACOS_SMS_DB,
macos_ext::MACOS_NOTES_DB,
macos_ext::MACOS_PHOTOS_DB,
macos_ext::MACOS_ICLOUD_DRIVE_DB,
macos_ext::MACOS_LOCATIOND_CLIENTS,
macos_ext::MACOS_LOCKDOWND_LOG,
macos_ext::MACOS_INSTALLER_RECEIPTS,
macos_ext::MACOS_SAFARI_LOCALSTORAGE,
macos_ext::MACOS_NOTIFICATION_CENTER_DB,
macos_ext::MACOS_MDM_ENROLLMENT,
macos_ext::MACOS_ASL_LOGS,
macos_ext::MACOS_DIAGNOSTIC_REPORTS,
macos_ext::MACOS_QUICKLOOK_THUMBNAILS,
macos_ext::MACOS_WIFI_INTELLIGENCE,
macos_ext::APFS_CONTAINER,
linux_ext::LINUX_AUDITD_LOG,
linux_ext::LINUX_AUDIT_RULES,
linux_ext::LINUX_SYSLOG,
linux_ext::LINUX_MESSAGES_LOG,
linux_ext::LINUX_SECURE_LOG,
linux_ext::LINUX_APACHE_ACCESS_LOG,
linux_ext::LINUX_APACHE_ERROR_LOG,
linux_ext::LINUX_NGINX_ACCESS_LOG,
linux_ext::LINUX_FAIL2BAN_LOG,
linux_ext::LINUX_DPKG_LOG,
linux_ext::LINUX_RPM_DB,
linux_ext::LINUX_SELINUX_CONFIG,
linux_ext::LINUX_APPARMOR_PROFILES,
linux_ext::LINUX_IPTABLES_RULES,
linux_ext::LINUX_NFTABLES_CONF,
linux_ext::LINUX_HOSTS_FILE,
linux_ext::LINUX_RESOLV_CONF,
linux_ext::LINUX_PROC_MODULES,
linux_ext::LINUX_MODPROBE_D,
linux_ext::LINUX_DOCKER_CONTAINER_LOGS,
linux_ext::LINUX_DOCKER_DAEMON_JSON,
linux_ext::LINUX_COREDUMP_DIR,
linux_ext::LINUX_LOGROTATE_D,
linux_ext::LINUX_SNAP_PACKAGES,
linux_ext::LINUX_DMESG_RING_BUFFER,
linux_ext::LINUX_KERN_LOG,
linux_ext::LINUX_PROC_KALLSYMS,
linux_ext::LINUX_PROC_NET_TCP,
linux_ext::LINUX_PROC_NET_TCP6,
linux_ext::LINUX_PROC_NET_UDP,
linux_ext::LINUX_PROC_NET_UNIX,
linux_ext::LINUX_LSOF_OUTPUT,
linux_ext::LINUX_SS_OUTPUT,
linux_ext::LINUX_CHKROOTKIT_OUTPUT,
linux_ext::LINUX_RKHUNTER_LOG,
linux_ext::LINUX_SYSCTL_CONF,
linux_ext::LINUX_DMESG,
linux_ext::LINUX_BOOT_LOG,
linux_ext::LINUX_FAILLOG,
linux_ext::LAN_TURTLE_LOOT,
windows_logs_ext::WINDOWS_CRASH_DUMP,
windows_logs_ext::WINDOWS_MINIDUMP,
windows_logs_ext::AMCACHE_DRIVER,
windows_logs_ext::WER_REPORT_QUEUE,
windows_logs_ext::WINDOWS_NOTIFICATION_DB,
windows_logs_ext::AMCACHE_SHORTCUT,
windows_registry_ext2::WINLOGON_AUTOADMIN_LOGON,
windows_registry_ext2::WINLOGON_DEFAULT_PASSWORD,
windows_registry_ext2::WINLOGON_DEFAULT_USERNAME,
windows_registry_ext2::LOGONUI_LAST_LOGGEDON_USER,
windows_registry_ext2::PORTPROXY_CONFIG,
windows_registry_ext2::WINDOWS_DEFENDER_EXCLUSIONS_LOCAL,
windows_registry_ext2::WINDOWS_DEFENDER_DISABLED_AV,
windows_registry_ext2::WINDOWS_DEFENDER_REALTIME,
windows_registry_ext2::MS_OFFICE_TRUSTED_DOCS,
windows_registry_ext2::VSS_FILES_NOT_TO_SNAPSHOT,
windows_registry_ext2::VSS_FILES_NOT_TO_BACKUP,
windows_registry_ext2::IFEO_SILENT_EXIT,
windows_registry_ext2::EXEFILE_SHELL_OPEN_SOFTWARE,
windows_registry_ext2::EXEFILE_SHELL_OPEN_USRCLASS,
windows_registry_ext2::RDP_SHADOW_SESSIONS,
windows_registry_ext2::RESTRICTED_ADMIN_RDP,
windows_registry_ext2::NETWORK_SHARES_SERVER,
windows_registry_ext2::SYSINTERNALS_EULA,
windows_registry_ext2::MS_OFFICE_SERVER_CACHE,
windows_registry_ext2::POWERSHELL_COBALT_INFO,
windows_registry_ext2::STARTUP_APPROVED_RUN_SYSTEM,
windows_registry_ext2::STARTUP_APPROVED_RUN_USER,
windows_registry_ext2::TASKCACHE_TASKS_PATH,
windows_registry_ext2::PROFILE_LIST_USERS,
windows_registry_ext2::REGISTRAR_FAVORITES,
windows_registry_ext2::DHCP_IPV4_INTERFACE,
windows_registry_ext2::NTFS_LAST_ACCESS_STATUS,
windows_registry_ext2::PREFETCH_STATUS,
windows_registry_ext2::FIREWALL_RULES,
windows_registry_ext2::EVENT_LOG_CHANNEL_STATUS,
windows_files_ext::CHROME_HISTORY,
windows_files_ext::CHROME_WEB_DATA,
windows_files_ext::EDGE_CHROMIUM_HISTORY,
windows_files_ext::EDGE_CHROMIUM_LOGIN_DATA,
windows_files_ext::FIREFOX_PLACES,
windows_files_ext::FIREFOX_FORM_HISTORY,
windows_files_ext::FIREFOX_SESSION_RESTORE,
windows_files_ext::PSREADLINE_HISTORY,
windows_files_ext::PSREADLINE_HISTORY_SYSTEM,
windows_files_ext::POWERSHELL_TRANSCRIPTS,
windows_files_ext::TEAMVIEWER_CONNECTION_LOG,
windows_files_ext::TEAMVIEWER_APP_LOG,
windows_files_ext::ANYDESK_TRACE_USER,
windows_files_ext::ANYDESK_TRACE_SYSTEM,
windows_files_ext::ANYDESK_CONNECTION_TRACE,
windows_files_ext::ANYDESK_FILE_TRANSFER_LOG,
windows_files_ext::SCREENCONNECT_SESSION_DB,
windows_files_ext::RUSTDESK_LOGS,
windows_files_ext::DROPBOX_INSTANCE_DB,
windows_files_ext::ONEDRIVE_METADATA,
windows_files_ext::GOOGLE_DRIVE_FS_METADATA,
windows_files_ext::MEGASYNC_DATA,
windows_files_ext::TEAMS_INDEXED_DB,
windows_files_ext::SLACK_INDEXED_DB,
windows_files_ext::DISCORD_LOCAL_STORAGE,
windows_files_ext::SIGNAL_DATABASE,
windows_files_ext::SIGNAL_CONFIG_JSON,
windows_files_ext::WINDOWS_SEARCH_EDB,
windows_files_ext::EVENT_TRANSCRIPT_DB,
windows_files_ext::CERTUTIL_CACHE,
windows_files_ext::SDB_CUSTOM_FILES,
windows_files_ext::WER_REPORTS,
windows_files_ext::IIS_W3SVC_LOGS,
windows_files_ext::IIS_CONFIG_APPLICATIONHOST,
windows_files_ext::DNS_DEBUG_LOG,
windows_files_ext::DHCP_SERVER_LOG,
windows_files_ext::SUM_DB,
windows_files_ext::COPILOT_RECALL_UKG,
windows_files_ext::NTUSER_DAT_FILE,
windows_files_ext::USRCLASS_DAT_FILE,
windows_files_ext::CBS_LOG,
windows_files_ext::PFRO_LOG,
windows_files_ext::SETUPERR_LOG,
windows_files_ext::SETUPAPI_UPGRADE_LOG,
windows_files_ext::WER_REPORTS_USER,
windows_files_ext::WER_REPORTS_SYSTEM,
windows_files_ext::APPX_PACKAGES_USER,
windows_files_ext::APPX_INSTALL_LOG,
windows_files_ext::DIAGNOSTIC_DATA_DIR,
windows_files_ext::WINDOWS_UPDATE_SESSION,
windows_registry_ext3::ACTIVE_SETUP,
windows_registry_ext3::LSA_AUTH_PACKAGES,
windows_registry_ext3::LSA_SECURITY_PACKAGES,
windows_registry_ext3::LSA_NOTIFICATION_PACKAGES,
windows_registry_ext3::SCREENSAVER_PERSISTENCE,
windows_registry_ext3::PRINT_MONITOR_DLLS,
windows_registry_ext3::SERVICES_HKLM,
windows_registry_ext3::WINDOWS_INSTALL_DATE,
windows_registry_ext3::WINDOWS_CLIPBOARD_HISTORY,
windows_registry_ext3::VALLEY_RAT_REGISTRY,
windows_registry_ext3::HYPERV_GUEST_PARAMS,
windows_registry_ext3::REGISTRY_FEATUREUSAGE,
windows_registry_ext3::ENABLE_PERIODIC_BACKUP,
windows_registry_ext3::RDP_ENABLE_REGISTRY,
windows_registry_ext3::SPECIAL_ACCOUNTS_USERLIST,
windows_registry_ext3::LOGONTYPE_WINLOGON,
windows_files_ext::NTUSER_MAN_PERSISTENCE,
windows_files_ext::WINDOWS_CLIPBOARD_DATA_FILES,
windows_files_ext::WINDOWS_DEFENDER_MPWPPTRACING,
generated::browsers_generated::BROWSERS_CHROME_HISTORY,
generated::browsers_generated::BROWSERS_CHROME_PROFILE_DIR,
generated::browsers_generated::BROWSERS_CHROME_COOKIES,
generated::browsers_generated::BROWSERS_CHROME_CACHE_DIR,
generated::browsers_generated::BROWSERS_CHROME_EXTENSIONS_DIR,
generated::browsers_generated::BROWSERS_EDGE_HISTORY,
generated::browsers_generated::BROWSERS_EDGE_COOKIES,
generated::browsers_generated::BROWSERS_EDGE_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FIREFOX_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FIREFOX_PLACES_DB,
generated::browsers_generated::BROWSERS_FIREFOX_COOKIES,
generated::browsers_generated::BROWSERS_FIREFOX_LOGINS,
generated::browsers_generated::BROWSERS_BRAVE_HISTORY,
generated::browsers_generated::BROWSERS_BRAVE_COOKIES,
generated::browsers_generated::BROWSERS_OPERA_HISTORY,
generated::browsers_generated::BROWSERS_OPERA_PROFILE_DIR,
generated::browsers_generated::BROWSERS_VIVALDI_HISTORY,
generated::browsers_generated::BROWSERS_VIVALDI_PROFILE_DIR,
generated::browsers_generated::BROWSERS_SAFARI_HISTORY,
generated::browsers_generated::BROWSERS_SAFARI_COOKIES,
generated::browsers_generated::BROWSERS_SAFARI_DOWNLOADS,
generated::browsers_generated::BROWSERS_IE_HISTORY_DIR,
generated::browsers_generated::BROWSERS_IE_WEBCACHE_DB,
generated::browsers_generated::BROWSERS_IE_TYPED_URLS,
generated::browsers_generated::BROWSERS_TOR_PROFILE_DIR,
generated::browsers_generated::BROWSERS_TOR_PLACES_DB,
generated::browsers_generated::BROWSERS_WATERFOX_PROFILE_DIR,
generated::browsers_generated::BROWSERS_LIBREWOLF_PROFILE_DIR,
generated::browsers_generated::BROWSERS_CHROMIUM_HISTORY,
generated::browsers_generated::BROWSERS_PALEMOON_PROFILE_DIR,
generated::browsers_generated::BROWSERS_SEAMONKEY_PROFILE_DIR,
generated::browsers_generated::BROWSERS_BASILISK_PROFILE_DIR,
generated::browsers_generated::BROWSERS_FALKON_PROFILE_DIR,
generated::browsers_generated::BROWSERS_MIDORI_CONFIG_DIR,
generated::browsers_generated::BROWSERS_MIN_HISTORY_DB,
generated::browsers_generated::BROWSERS_MAXTHON_USER_DATA_DIR,
generated::browsers_generated::BROWSERS_SLIMJET_HISTORY,
generated::evtx_generated::EVTX_APPLICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DFSN_SERVERFILTER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DFSN_SERVERSERVICE_ANALYTIC,
generated::evtx_generated::EVTX_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_IALPSS_GPIO2_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_IALPSS_GPIO2_PERFORMANCE_CHANNEL,
generated::evtx_generated::EVTX_IALPSS2_I2C_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_IALPSS2_I2C_PERFORMANCE_CHANNEL,
generated::evtx_generated::EVTX_OPERATIONAL,
generated::evtx_generated::EVTX_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LSA_PERFORMANCE,
generated::evtx_generated::EVTX_AMSI_DEBUG,
generated::evtx_generated::EVTX_AMSI_OPERATIONAL,
generated::evtx_generated::EVTX_UAC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_APPV_CLIENT_STREAMINGUX_DEBUG,
generated::evtx_generated::EVTX_ADMIN,
generated::evtx_generated::EVTX_VIRTUAL_APPLICATIONS,
generated::evtx_generated::EVTX_MICROSOFT_APPV_CLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_APPV_SHAREDPERFORMANCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSE_FLEXIBLE_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WEBPLATSTORAGE_SERVER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INDEXEDDB_SERVER,
generated::evtx_generated::EVTX_MICROSOFT_IEDVTOOL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_IEFRAME_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_ONECORE_SETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_PEF_WFP_MESSAGEPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_PERFTRACK_IEFRAME_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_PERFTRACK_MSHTML_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_SERVERCORE_SHELLLAUNCHER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_SYSTEM_DIAGNOSTICS_DIAGNOSTICINVOKER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_ADMIN_DEBUG,
generated::evtx_generated::EVTX_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_APP_AGENT_DEBU,
generated::evtx_generated::EVTX_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WS_LICENSING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONALVERBOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AAD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AAD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ADSI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_API_TRACING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASN1_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ATAPORT_SATA_LPM,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ATAPORT_GENERAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ACCELLIB_ACCELCX_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ACTIONQUEUE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ALTTAB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPHOST_INTERNAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPHOST_DIAGNOSTIC,
generated::evtx_generated::EVTX_APPTRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPID_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_EXE_AND_DLL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_MSI_AND_SCRIPT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_EXECUTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_DEPLOYMENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLOCKER_VERBOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DIAGNOSTICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPSRUPROV,
generated::evtx_generated::EVTX_APPXDEPLOYMENTUNDOCKEDDEH_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_RESTRICTED,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_COMPAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_TELEME,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_STEPS_RECORDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROBLEM_STEPS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_INVENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_COMPATIBILITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESSBROKER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ASYNCHRONOUSCAUSALITY_CAUSALITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_CAPTUREMONITOR,
generated::evtx_generated::EVTX_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_PLAYBACKMANAGER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_GLITCHDETECTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIO_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUDIT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTED_USER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AXINSTALLSERVICE_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_HCI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_L2CAP,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTRANSFER_CONTENTPREFETCHER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKUP_OPERATIONAL,
generated::evtx_generated::EVTX_BFE_IPSEC_CONNECTIONS_OPERATIONAL_LOG,
generated::evtx_generated::EVTX_BFE_IPSEC_CONNECTIONS_RESOURCE_FLOWS_OPERATIONAL_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BASE_FILTERING_ENGINE_RESOURCE_FLOWS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BATTERY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BIOMETRICS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BIOMETRICS_ANALYTIC,
generated::evtx_generated::EVTX_MANAGEMENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVER_PERFORMANCE_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHLEPREPAIRING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHMINI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_HIDBTHLE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BLUETOOTH_POLICY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHECLIENTEVENTPROVIDER_DIAGNO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHEEVENTPROVIDER_DIAGNOSTICCH,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHEMONITORING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_DIAGNOST,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REGSVR32_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CAPI2_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CAPI2_CATALOG_DATABASE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CDROM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_CREATEINSTANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_CREATEINSTANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_EXTENSIONCATALOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_CALL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_FREEUNUSEDLIBRARY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_APARTMENTUNINITIALIZE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_APARTMENTINITIALIZE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_RUNDOWNINSTRUMENTATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COM_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_MESSAGEPROCESSING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMRUNTIME_ACTIVATIONS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CALCULATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CALCULATOR_DEBUG,
generated::evtx_generated::EVTX_OPERATION_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICES_DEPLOYMENT_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_CREDENTIALR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_S,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_U,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLEANMGR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLEARTYPETEXTTUNER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDFILES_FILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDRESTORELAUNCHER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_INITIALIZATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CMISETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_VERBOSE,
generated::evtx_generated::EVTX_ANALYTICAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_BINDFLT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCIFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCNFS_OPERATIONAL,
generated::evtx_generated::EVTX_SMSROUTER_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_SMSROUTER_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREWINDOW_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_CLIENT_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_SERVER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRASHDUMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRASHDUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDPROVHOST_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CREDENTIALPROVIDERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_BCRYPT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_CNG_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_BACKUPKEYSVC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_DSSENH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_CERTINUSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_KEYMGMT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_RNG_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_CRYPTO_RSAENH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D9_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DCLOCATOR_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DDISPLAY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_FILTERNOTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPV6_CLIENT_EVENTS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DLNA_NAMESPACE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DNS_CLIENT_EVENTS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DSC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DUSER_DIAGNOSTIC,
generated::evtx_generated::EVTX_DVD_NAVIGATOR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGI_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATA_PDF_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_CRASHRECOVERY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_SCRUBBING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEFRAG_CORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLORCH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DESKTOPACTIVITYMODERATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DESKTOPWINDOWMANAGER_DIAG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEASSOCIATIONSERVICE_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICECONFIDENCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEGUARD_OPERATIONAL,
generated::evtx_generated::EVTX_AUTOPILOT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEMANAGEMENT_ENTERPRISE_DIAGNOSTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESYNC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICESYNC_OPERATIONAL,
generated::evtx_generated::EVTX_DEVICE_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEUX_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICEUX_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_BACKGROUND_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_LOCATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DEVICES_QUERY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPNAP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DHCPNAP_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGCPL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_ADVANCEDTASKMANAGER_ANALYTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PERFHOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCHEDULED_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTEDDIAGNOSTICSPROVIDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_TASKMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_COUNTERS_DIAGNO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIAGNOSTIC_LOOPBACK,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D10_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D10_1_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D11_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3D12_PERFTIMING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECT3DSHADERCACHE_DEFAULT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DAMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTCOMPOSITION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTMANIPULATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIRECTSHOWPLUGINCONTROL,
generated::evtx_generated::EVTX_DIRECTSHOW_FILTERGRAPH,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTSHOW_KERNELSUPPORT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTSOUND_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_FONTCACHE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DIRECTORYSERVICES_DEPLOYMENT_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTIC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICDATACOLLECTOR_OPERATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICRESOLVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_API_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_API_INTERNALANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISM_CLI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DISPLAYSWITCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DOT3MM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DRIVERFRAMEWORKS_USERMODE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_DIAGNOSTIC,
generated::evtx_generated::EVTX_DIRVER_PROXY_PERFORMANCE,
generated::evtx_generated::EVTX_DRIVER_PROXY_OPERATIONAL,
generated::evtx_generated::EVTX_DUC_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_API_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_COMPOSITOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_DWM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_REDIR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DWM_UDWM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_POWER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXGKRNL_CONTENTION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXPTASKRINGTONE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_DXPTASKSYNCPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_APPLICATION_LE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_REGULAR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_REGULAR_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_TCB_CHAN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_TCB_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EFS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ELS_HYPHENATION_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ESE_IODIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ESE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EAPHOST_DEBUG,
generated::evtx_generated::EVTX_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EASEOFACCESS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_EMBEDDEDAPPLAUNCHER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_EVENTLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_TRACE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWEREFFICIENCYDIAGNOSTICS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORCLASS_OPERATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORTCGDRV_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENROLLMENTPOLICYWEBSERVICE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ENROLLMENTWEBSERVICE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FMS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FAULT_TOLERANT_HEAP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FEDERATIONSERVICES_DEPLOYMENT_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FEEDBACK_SERVICE_TRIGGERPROVIDER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CATALOG_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CONFIGMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CORE_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_BACKUPLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_DEBUG,
generated::evtx_generated::EVTX_FILE_HISTORY_BACKUP_LOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_SERVICE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEINFOMINIFILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEMANAGERAPP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FILEMANAGERDATAMODEL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FIREWALL_CPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_SETUP_SPLASH_WINDOW_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FOLDER_REDIRECTION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FUNCTIONDISCOVERYHOST_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GENERICROAMING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GETTINGSTARTED_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_FONTGROUPS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLOBALIZATION_API_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GROUPPOLICY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HAL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HEALTHCENTERCPL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HELP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_PERFORMANCE_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENERSERVICE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENER_SERVICE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_PERFORMANC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSTART_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_OPERATIONAL,
generated::evtx_generated::EVTX_HTTP_LOG_CHANNEL,
generated::evtx_generated::EVTX_HTTP_SERVICE_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_KMCL_CHILD_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_NETVSC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IE_SMARTSCREEN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ADMINISTRATIVE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_OPERATIONAL,
generated::evtx_generated::EVTX_IIS_DIAGNOSTICS_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_BROKER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CANDIDATEUI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGERUI_ANALYTI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPLMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPPRED_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPSETTING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_JPTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_KRAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_KRTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_OEDCOMPILER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_ROAMING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCCORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCDICCOMPILER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_SCTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TCCORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TCTIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IME_TIP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPBUSENUM_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPNAT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IPSEC_SRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IDCTRLS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_IDCTRLS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINAPI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TWINUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INDIRECTDISPLAYS_CLASSEXTENSION_EVENT,
generated::evtx_generated::EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_TO_WHICH_INTERNAL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INPUTSWITCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_FOR_WINDOWS_INSTALL_UX_PER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_INTERNATIONAL_OPERATIONAL,
generated::evtx_generated::EVTX_IPHLPSVC_ETW_CHANNEL,
generated::evtx_generated::EVTX_IPHLPSVC_ETW_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KDSSVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_ACPI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_GENERAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_BOOTDIAGNOSTICS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_PARTITION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_STARVATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_DISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_DUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_FILE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_IO_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_IOTRACE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_MEMORY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_NETWORK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PEP_DIAGNOSTIC,
generated::evtx_generated::EVTX_BOOT_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PNP_DIAGNOSTIC,
generated::evtx_generated::EVTX_DRIVER_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_ENUMERATION_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_CONFIGURATION_DIAGNOSTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_CONFIGURATION,
generated::evtx_generated::EVTX_PNP_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_DEVICE_MANAGEMENT,
generated::evtx_generated::EVTX_DRIVER_WATCHDOG_CHANNEL,
generated::evtx_generated::EVTX_CONFIGURATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_THERMAL_DIAGNOSTIC,
generated::evtx_generated::EVTX_THERMAL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PREFETCH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PRM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESSOR_POWER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_ERRORS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_XDV_ANALYTIC,
generated::evtx_generated::EVTX_WINDOWS_KS_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KNOWN_FOLDERS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WLAN_AUTOCONFIG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_WIRED_AUTOCONFIG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_L2NACP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LAPS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LDAP_CLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LUA_CONSENTUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_DEBUG,
generated::evtx_generated::EVTX_MAJOR_STATE_CONFIGURATION_CHANGE_THAT_CAN_HELP_DEBUG_AD,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIMITSMANAGEMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIVEID_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_LIVEID_OPERATIONAL,
generated::evtx_generated::EVTX_AUTOMATION,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_FRAMESERVER,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_DEVICEPROXY,
generated::evtx_generated::EVTX_MF_MEDIAFOUNDATIONDEVICEPROXY,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PIPELINE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_CONTENTPROTECTION,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_ASYNCWRAPPER,
generated::evtx_generated::EVTX_MEDIAFOUNDATIONASYNCWRAPPER,
generated::evtx_generated::EVTX_MFDS,
generated::evtx_generated::EVTX_SRCPREFETCH,
generated::evtx_generated::EVTX_MP4,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_DEVICEMFT,
generated::evtx_generated::EVTX_WINDOWS_MFH264ENC_CHANNEL,
generated::evtx_generated::EVTX_WINDOWS_MP4SDECD_CHANNEL,
generated::evtx_generated::EVTX_MUXENCODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_CLNT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_DRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MPS_SRV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSFTEDIT_DIAGNOSTIC,
generated::evtx_generated::EVTX_WINDOWS_MSMPEG2ADEC_CHANNEL,
generated::evtx_generated::EVTX_WINDOWS_MSMPEG2VDEC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSMQ_END2END,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSPAINT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSPAINT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSSHAV_SHVCNFG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MUI_ANALYTIC,
generated::evtx_generated::EVTX_MEDIA_CENTER,
generated::evtx_generated::EVTX_PLAYREADY_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMR,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_MDE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_MEDIAENGINE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_CAPTURE_ENGINE_ETW_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SOURCEREA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SINKWRITE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_TRANSFORM,
generated::evtx_generated::EVTX_MS_VIDEO_PROCESSOR_MFT_D3D11,
generated::evtx_generated::EVTX_MS_VIDEO_PROCESSOR_MFT,
generated::evtx_generated::EVTX_MS_VIDEO_DSP,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PERFORMANCE_CORE,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PERFORMANCE_SARSTREAM,
generated::evtx_generated::EVTX_MEDIA_FOUNDATION_PLATFORM,
generated::evtx_generated::EVTX_MEDIAFOUNDATIONDEVICEPROXY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PLAYAPI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MEMORYDIAGNOSTICS_RESULTS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MIGRATION_ENGINE_ANALYTIC,
generated::evtx_generated::EVTX_MINSTORE_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MINSTORE_DEBUG_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_INTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_ANALY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_PARSER_TA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSAPI_AN,
generated::evtx_generated::EVTX_SMSAPI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSROUTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOBILITYCENTER_PERFORMANCE,
generated::evtx_generated::EVTX_DIAGNOSTICS,
generated::evtx_generated::EVTX_MANAGEMENTSERVICE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOSHOST_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MOSHOST_PERFORMANCE,
generated::evtx_generated::EVTX_NOTIFICATION_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_MSLBFOPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCSI_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCSI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_PACKETCAPTURE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDIS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSERFAILURES,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_AUTHENTICATIONPOLICYFA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTLM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NWIFI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NARRATOR_INPROC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NARRATOR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCASVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDISIMPLATFORM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NDU_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETSHELL_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_CONNECTION_BROKER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_DATAUSAGE_ANALYTIC,
generated::evtx_generated::EVTX_EXECUTION_CONTEXT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_SETUP_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORK_AND_SHARING_CENTER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKBRIDGE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKSECURITY_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKSTATUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKING_CORRELATION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKING_REALTIMECOMMUNICATION_TRAC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NLASVC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NLASVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NTFS_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NVDIMMN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NVDIMMN_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_DIAGNOSTICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLEACC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OLEACC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_FIRSTLOGONANIM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_WIRELESS_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DIAGNOSTIC,
generated::evtx_generated::EVTX_SETUP,
generated::evtx_generated::EVTX_OCP_UPDATE_AGENT_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_SYNCLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEBACKUP_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEX_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_ONEX_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OOBELDR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_OTPCREDENTIALPROVIDER_OPERATIONAL,
generated::evtx_generated::EVTX_PCI_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PCI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_KERNEL_PDC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_GLCND_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_AUDITING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PARTITION_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PEERTOPEERDRTEVENTPROVIDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_CERTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_OPERAT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_DIAGNO,
generated::evtx_generated::EVTX_WINDOWS_WMPHOTO_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PHOTOACQ_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PLAYTOMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PMEMDISK_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESTATUSPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESYNCPROVIDER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWER_METER_POLLING_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERCFG_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_DESIREDSTATECONFIGURATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_POWERSHELL_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIMARYNETWORKICON_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_NETWORKLOCATIONWIZARD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS3D_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_PERMISSIVELEARNINGMO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROCESSSTATEMANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROGRAM_COMPATIBILITY_ASSISTANT_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_DEVELOPER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_INPROC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_PACER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_PACER_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_QOS_QWAVE_DEBUG,
generated::evtx_generated::EVTX_EEINFO,
generated::evtx_generated::EVTX_ADMIN_CHANNEL,
generated::evtx_generated::EVTX_RTWORKQUEUE_EXTENDED,
generated::evtx_generated::EVTX_RTWORKQUEUE_THREADING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RADIOMANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RAS_NDISWANPACKETCAPTURE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REFS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REFSDEDUPSVC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOST_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RECOVERY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RELIABILITYANALYSISCOMPONENT_OPERATIO,
generated::evtx_generated::EVTX_METRICS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_ADM,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_OPE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_OPERA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_KER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_USE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_SESSIONSERVICES,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_REMOTEFS_UTPROVIDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESETENG_TRACE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_DETECTOR_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_RESOLVER_OPERATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCE_LEAK_DIAGNOSTIC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESOURCEPUBLICATION_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RESTARTMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_GRAPHICS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTCAPTUREENG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTTRANSCODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTMEDIASTREA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTADAPTIVEME,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_BACKGROUNDTRANSFER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WEB_HTTP_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_RUNTIME_WEBAPI_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENSE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_HELPERCLASSDIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_XPERFANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OBJECTSTATEDIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_SECURITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBCLIENT_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBDIRECT_NETMON,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_SECURITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_CONNECTIVITY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBSERVER_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_ADMIN,
generated::evtx_generated::EVTX_WITNESSCLIENTADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCHANNEL_EVENTS_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMBUS_CERTIFICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SCMDISK0101_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDBUS_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDBUS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SDSTOR_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SEARCH_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SEARCH_PROTOCOLHANDLERS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_ADMINLESS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_ENTERPRISEDATA_FILEREVOCATIO,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_EXCHANGEACTIVESYNCPROVISIONI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_IDENTITYSTORE_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_LESSPRIVILEGEDAPPCONTAINER_O,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_LICENSING_SLC_PERF,
generated::evtx_generated::EVTX_KERNEL_MODE,
generated::evtx_generated::EVTX_USER_MODE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_NETLOGON_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GENUINECENTER_LOGGING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_NOTIFICATIONS_ACTIONC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_USERCONSENTVERIFIER_AUDIT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITY_VAULT_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_PERF,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENDTO_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SENSEIR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVER_FOR_NFS_OPERATIONAL,
generated::evtx_generated::EVTX_DEPLOY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVERMANAGER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICE_REPORTING_API_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICES_SVCHOST_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICES_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SERVICING_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ONEDRIVE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_VERBOSEDEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPCL_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPPLATFORM_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPQUEUE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SETUPUGC_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHAREMEDIA_CONTROLPANEL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_APPWIZCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_USER_INTERFACE_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_COMMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGONUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_SHUTDOWN_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDENTIALPROVIDERUSER_D,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_DIAGNOS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_BOOTANIM_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_BOOTANI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CONNECTEDACCOUNTSTATE_ACTIONCEN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_LOGONTASKSCHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_APPDEFAULTS,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_CORE_ACTIONCENTER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_DEFAULTPROGRAMS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_LOCKSCREENCONTENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_OPENWITH_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_SEARCH_URIHANDLER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_SHWEBSVC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELL_ZIPFOLDER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_OPE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_DIA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SHSVCS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SIDEBAR_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SLEEPSTUDY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_AUDIT_AUTHENTICATION,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_DEVICEENUM_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMARTSCREEN_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_ANALYTIC,
generated::evtx_generated::EVTX_SMBWMIANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TTS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPEECH_USEREXPERIENCE_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_FACILITY_ANALYTIC_CHAN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELLCHECKER_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_HOST_ANALYTIC_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SRUMON_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SRUMTELEMETRY,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORDIAG_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORPORT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_DIAGNOSE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_HEALTH,
generated::evtx_generated::EVTX_TIERING_HEAT_MEASUREMENT_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGE_TIERING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_PARTUTIL_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESETTINGS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_API_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_PERFORMANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_MANAGEMENTAGENT_WHC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORAGEVOLUME_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_STORSVC_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUBSYS_CSR_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUBSYS_SMSS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUDO_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUPERFETCH_AGMCLOG,
generated::evtx_generated::EVTX_MEMORY_COOLING_OPERATIONAL_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SUPERFETCH_PFAPLOG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSPREP_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEM_PROFILE_HARDWAREID_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMDATAARCHIVER_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMHEALTHAGENT_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSHANDLERS_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSV2_INFORMATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TCPIP_DIAGNOSTIC,
generated::evtx_generated::EVTX_UIMANAGER_CHANNEL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TSF_MSCTF_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TSF_MSUTB_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TZSYNC_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TZSYNC_ANALYTIC,
generated::evtx_generated::EVTX_TABLETPC_INPUTPANEL_CHANNEL,
generated::evtx_generated::EVTX_OSK_SOFTKEYBOARD_CHANNEL,
generated::evtx_generated::EVTX_TABLETPC_INPUTPANEL_CHANNEL_IHM,
generated::evtx_generated::EVTX_IHM_DEBUGCHANNEL,
generated::evtx_generated::EVTX_PHYSICAL_KEYBOARD_MANAGER_CHANNEL,
generated::evtx_generated::EVTX_MAINTENANCE,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TASKBARCPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TENANTRESTRICTIONS_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_DEBUG,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_OPERATIONA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_OPERATIONAL,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_TRACING,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LICENSING_ADMIN,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSIONMANAGER,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_MEDIAREDIRECTION_ANA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_PLAYB,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_CAPTU,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONNECTIONMANA,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_SESSIONBROKER_CLIENT,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TETHERING_MANAGER_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TETHERING_STATION_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THEMECPL_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THEMEUI_DIAGNOSTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_THREAT_INTELLIGENCE_ANALYTIC,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_PTP_PROVIDER_PTP_OPERATI,
generated::evtx_generated::EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_OPERATIONAL,
generated::evtx_generated::EVTX_TUNNEL_DRIVER_ETW_CHANNEL,
generated::fa_generated::FA_FILE_PARITY_AGENT_CACHE,
generated::fa_generated::FA_FILE_QUARANTINE,
generated::fa_generated::FA_FILE_QUARANTINE_2,
generated::fa_generated::FA_FILE_QUARANTINE_3,
generated::fa_generated::FA_FILE_CS_REGISTRY_BASE,
generated::fa_generated::FA_FILE_QUARANTINE_4,
generated::fa_generated::FA_FILE_LOGS,
generated::fa_generated::FA_FILE_QUARANTINE_5,
generated::fa_generated::FA_FILE_QUARANTINE_6,
generated::fa_generated::FA_FILE_SUPPORT_MPDETECTION_LOG,
generated::fa_generated::FA_FILE_SUPPORT_MPLOG_LOG,
generated::fa_generated::FA_FILE_DETECTIONHISTORY,
generated::fa_generated::FA_FILE_SUPPORT_MPDETECTION_LOG_2,
generated::fa_generated::FA_FILE_SUPPORT_MPLOG_LOG_2,
generated::fa_generated::FA_FILE_TEMP_MPCMDRUN_LOG,
generated::fa_generated::FA_FILE_TEMP_MPCMDRUN_LOG_2,
generated::fa_generated::FA_FILE_USERS_TEMP_MPCMDRUN_LOG,
generated::fa_generated::FA_FILE_,
generated::fa_generated::FA_EXCLUSIONS_PATHS,
generated::fa_generated::FA_EXCLUSIONS_PROCESSES,
generated::fa_generated::FA_EXCLUSIONS_EXTENSIONS,
generated::fa_generated::FA_EXCLUSIONS_TEMPORARYPATHS,
generated::fa_generated::FA_EXCLUSIONS_PATHS_2,
generated::fa_generated::FA_EXCLUSIONS_PROCESSES_2,
generated::fa_generated::FA_EXCLUSIONS_EXTENSIONS_2,
generated::fa_generated::FA_EXCLUSIONS_TEMPORARYPATHS_2,
generated::fa_generated::FA_FILE_SANTA,
generated::fa_generated::FA_FILE_SANTA_2,
generated::fa_generated::FA_FILE_LOGS_SOPHOS_LOG,
generated::fa_generated::FA_FILE_LOGS_2,
generated::fa_generated::FA_FILE_INFECTED,
generated::fa_generated::FA_FILE_INFECTED_2,
generated::fa_generated::FA_FILE_LOGS_LOG,
generated::fa_generated::FA_FILE_AV_LOG,
generated::fa_generated::FA_FILE_AV_LOG_2,
generated::fa_generated::FA_FILE_LOGS_LOG_2,
generated::fa_generated::FA_FILE_5_VBN,
generated::fa_generated::FA_FILE_QUARANTINE_7,
generated::fa_generated::FA_FILE_QUARANTINE_8,
generated::fa_generated::FA_FILE_CCSUBSDK,
generated::fa_generated::FA_FILE_EVOLUTION,
generated::fa_generated::FA_FILE_EVOLUTION_2,
generated::fa_generated::FA_FILE_EVOLUTION_3,
generated::fa_generated::FA_FILE_WORD,
generated::fa_generated::FA_FILE_EXCEL,
generated::fa_generated::FA_FILE_POWERPOINT,
generated::fa_generated::FA_FILE_PUBLISHER,
generated::fa_generated::FA_FILE_PREFERENCES_COM_MICROSOFT_OFFICE_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_COM_MICROSOFT_SECUREBOOKMARKS_PLIST,
generated::fa_generated::FA_FILE_OUTLOOK_PAB,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_PAB,
generated::fa_generated::FA_FILE_OUTLOOK_PST,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_PST,
generated::fa_generated::FA_FILE_OUTLOOK_OST,
generated::fa_generated::FA_FILE_OUTLOOK_FILES_OST,
generated::fa_generated::FA_FILE_NPM,
generated::fa_generated::FA_FILE_NPM_CACHE,
generated::fa_generated::FA_FILE_LOG_ERRORLOG,
generated::fa_generated::FA_FILE_LOG_ERRORLOG_2,
generated::fa_generated::FA_FILE_THUNDERBIRD,
generated::fa_generated::FA_FILE_DROPBOX_DB,
generated::fa_generated::FA_FILE_DROPBOX_DB_2,
generated::fa_generated::FA_FILE_INSTANCE_SYNC_HISTORY_DB,
generated::fa_generated::FA_FILE_DROPBOX_DB_3,
generated::fa_generated::FA_FILE_INSTANCE_SYNC_HISTORY_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SNAPSHOT_DB,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_DB,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_LOG,
generated::fa_generated::FA_FILE_USER_DEFAULT_SNAPSHOT_DB,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_DB,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_LOG,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_LOG_LOG,
generated::fa_generated::FA_FILE_DRIVE_SNAPSHOT_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_DB_2,
generated::fa_generated::FA_FILE_DRIVE_SYNC_CONFIG_LOG_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SNAPSHOT_DB_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_DB_2,
generated::fa_generated::FA_FILE_USER_DEFAULT_SYNC_CONFIG_LOG_2,
generated::fa_generated::FA_FILE_SETTINGS_APPLICATIONSETTINGS_XML,
generated::fa_generated::FA_FILE_SETTINGS_DAT,
generated::fa_generated::FA_FILE_SETTINGS_INI,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_2,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_3,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_4,
generated::fa_generated::FA_FILE_JUPYTER_JUPYTER_NOTEBOOK_CONFIG_PY_5,
generated::fa_generated::FA_FILE_ETC_EXPORTS,
generated::fa_generated::FA_FILE_ETC_EXPORTS_2,
generated::fa_generated::FA_FILE_ETC_EXPORTS_3,
generated::fa_generated::FA_FILE_CONF_REDIS_WINDOWS_CONF,
generated::fa_generated::FA_FILE_CONF_REDIS_CONF,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF_2,
generated::fa_generated::FA_FILE_REDIS_REDIS_CONF_3,
generated::fa_generated::FA_FILE_SAMBA_SMB_CONF,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG_2,
generated::fa_generated::FA_FILE_SSH_SSHD_CONFIG_3,
generated::fa_generated::FA_FILE_SSH_CONFIG,
generated::fa_generated::FA_FILE_CONTAINERD_CONFIG_TOML,
generated::fa_generated::FA_FILE_IO_CONTAINERD_METADATA_V1_BOLT_META_DB,
generated::fa_generated::FA_FILE_IO_CONTAINERD_SNAPSHOTTER_V1_OVERLAYFS_METADATA_DB,
generated::fa_generated::FA_FILE_CONFIG_JSON,
generated::fa_generated::FA_FILE_OPTIONS_JSON,
generated::fa_generated::FA_FILE_LOG_JSON,
generated::fa_generated::FA_FILE_LOG_DAEMON_LOG,
generated::fa_generated::FA_FILE_LOG_DAEMON_LOG_GZ,
generated::fa_generated::FA_FILE_LOG_SYSLOG,
generated::fa_generated::FA_FILE_LOG_MESSAGE,
generated::fa_generated::FA_FILE_ELASTICSEARCH_ACCESS_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_AUDIT_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_AUDIT_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_GC_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_GC_LOG_0_9,
generated::fa_generated::FA_FILE_ELASTICSEARCH_LOG,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_GZ,
generated::fa_generated::FA_FILE_ELASTICSEARCH_SERVER_JSON,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_2,
generated::fa_generated::FA_FILE_ELASTICSEARCH_JSON_GZ_2,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF_2,
generated::fa_generated::FA_FILE_ETC_MONGOD_CONF_3,
generated::fa_generated::FA_FILE_MONGODB,
generated::fa_generated::FA_FILE_DB,
generated::fa_generated::FA_FILE_MONGODB_MONGOD_LOG,
generated::fa_generated::FA_FILE_ETC_MY_CNF,
generated::fa_generated::FA_FILE_MYSQL_CONF_D_MYSQLD_CNF,
generated::fa_generated::FA_FILE_MYSQL_MYSQL_IBD,
generated::fa_generated::FA_FILE_MYSQL,
generated::fa_generated::FA_FILE_MYSQL_ERROR_LOG,
generated::fa_generated::FA_FILE_LOG_MYSQL_LOG,
generated::fa_generated::FA_FILE_LOG_LOG,
generated::fa_generated::FA_FILE_OPENSEARCH_LOG,
generated::fa_generated::FA_FILE_OPENSEARCH_JSON,
generated::fa_generated::FA_FILE_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_PG_HBA_CONF,
generated::fa_generated::FA_FILE_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_PGSQL_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_PGSQL_PG_HBA_CONF,
generated::fa_generated::FA_FILE_PGSQL_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_DATA_POSTGRESQL_CONF,
generated::fa_generated::FA_FILE_DATA_PG_HBA_CONF,
generated::fa_generated::FA_FILE_DATA_PG_IDENT_CONF,
generated::fa_generated::FA_FILE_DATA,
generated::fa_generated::FA_FILE_DATA_OLD,
generated::fa_generated::FA_FILE__2,
generated::fa_generated::FA_FILE__3,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG_2,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV_2,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_LOG_3,
generated::fa_generated::FA_FILE_POSTGRESQL_POSTGRESQL_CSV_3,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG_2,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV_2,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_LOG_3,
generated::fa_generated::FA_FILE_LOG_POSTGRESQL_CSV_3,
generated::fa_generated::FA_FILE_REDIS,
generated::fa_generated::FA_FILE_INIT_D_REDIS,
generated::fa_generated::FA_FILE_REDIS_2,
generated::fa_generated::FA_FILE__4,
generated::fa_generated::FA_FILE_REDIS_REDIS_LOG,
generated::fa_generated::FA_FILE_LOG_REDIS_LOG,
generated::fa_generated::FA_FILE_CONFIG_V2_JSON,
generated::fa_generated::FA_FILE_JSON_LOG,
generated::fa_generated::FA_FILE_LOG_ESXAPIADAPTER_LOG,
generated::fa_generated::FA_FILE_LOG_ATTESTD_LOG,
generated::fa_generated::FA_FILE_LOG_AUTH_LOG,
generated::fa_generated::FA_FILE_LOG_HOSTD_LOG,
generated::fa_generated::FA_FILE_LOG_KMXD_LOG,
generated::fa_generated::FA_FILE_LOG_LOADESX_LOG,
generated::fa_generated::FA_FILE_LOG_SHELL_LOG,
generated::fa_generated::FA_FILE_LOG,
generated::fa_generated::FA_FILE_LOG_SYSLOG_LOG,
generated::fa_generated::FA_FILE_LOG_ESXTOKEND_LOG,
generated::fa_generated::FA_FILE_LOG_KMXA_LOG,
generated::fa_generated::FA_FILE_LOG_VMKERNEL_LOG,
generated::fa_generated::FA_FILE_LOG_VMKSUMMARYLOG_LOG,
generated::fa_generated::FA_FILE_LOG_VMKWARNING_LOG,
generated::fa_generated::FA_FILE_LOG_VXPA_LOG,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_LOGFILE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_MFT,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_MFTMIRR,
generated::fa_generated::FA_FILE_EXTEND_USNJRNL,
generated::fa_generated::FA_FILE_CONTAINER,
generated::fa_generated::FA_FILE_CONTAINER_2,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_2,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_3,
generated::fa_generated::FA_FILE_APPLICATION_APPLICATION_4,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_2,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_3,
generated::fa_generated::FA_FILE_LEVELDB_TIMELINE_STORE_LDB_4,
generated::fa_generated::FA_FILE_DIAGNOSE,
generated::fa_generated::FA_FILE_DIAGNOSIS,
generated::fa_generated::FA_FILE_DIAGNOSE_2,
generated::fa_generated::FA_FILE_DIAGNOSIS_2,
generated::fa_generated::FA_FILE_SECURITYCONTROLLER,
generated::fa_generated::FA_FILE_LOGFILES,
generated::fa_generated::FA_FILE_SETUP,
generated::fa_generated::FA_FILE_DIST_INFO,
generated::fa_generated::FA_FILE_DIST_INFO_2,
generated::fa_generated::FA_FILE_DIST_INFO_3,
generated::fa_generated::FA_FILE_DIST_INFO_4,
generated::fa_generated::FA_FILE_DIST_INFO_5,
generated::fa_generated::FA_FILE_DIST_INFO_6,
generated::fa_generated::FA_FILE_DIST_INFO_7,
generated::fa_generated::FA_FILE_DIST_INFO_8,
generated::fa_generated::FA_FILE_DIST_INFO_9,
generated::fa_generated::FA_FILE_DIST_INFO_10,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO,
generated::fa_generated::FA_FILE_PIP_EGG,
generated::fa_generated::FA_FILE_PIP_EGG_INFO,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_2,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_2,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_2,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_2,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_3,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_3,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_3,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_3,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_4,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_4,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_4,
generated::fa_generated::FA_FILE_DIST_PACKAGES_EGG_INFO_4,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_5,
generated::fa_generated::FA_FILE_SITE_PACKAGES_EGG_INFO_5,
generated::fa_generated::FA_FILE_PYSHARED_EGG,
generated::fa_generated::FA_FILE_PYSHARED_EGG_INFO,
generated::fa_generated::FA_FILE_EGG,
generated::fa_generated::FA_FILE_EGG_INFO,
generated::fa_generated::FA_FILE_EGG_2,
generated::fa_generated::FA_FILE_EGG_INFO_2,
generated::fa_generated::FA_FILE_EGG_3,
generated::fa_generated::FA_FILE_EGG_INFO_3,
generated::fa_generated::FA_FILE_EGG_4,
generated::fa_generated::FA_FILE_EGG_INFO_4,
generated::fa_generated::FA_FILE_EGG_5,
generated::fa_generated::FA_FILE_EGG_INFO_5,
generated::fa_generated::FA_FILE_EGG_6,
generated::fa_generated::FA_FILE_EGG_INFO_6,
generated::fa_generated::FA_FILE_EGG_7,
generated::fa_generated::FA_FILE_EGG_INFO_7,
generated::fa_generated::FA_FILE_EGG_8,
generated::fa_generated::FA_FILE_EGG_INFO_8,
generated::fa_generated::FA_FILE_EGG_9,
generated::fa_generated::FA_FILE_EGG_INFO_9,
generated::fa_generated::FA_FILE_EGG_10,
generated::fa_generated::FA_FILE_EGG_INFO_10,
generated::fa_generated::FA_FILE_EGG_11,
generated::fa_generated::FA_FILE_EGG_INFO_11,
generated::fa_generated::FA_FILE_PYTHON_WHEELS_WHL,
generated::fa_generated::FA_FILE_WHEELS_WHL,
generated::fa_generated::FA_FILE_2_GEMSPEC,
generated::fa_generated::FA_FILE_2_GEMSPEC_2,
generated::fa_generated::FA_FILE_2_GEMSPEC_3,
generated::fa_generated::FA_FILE_ATTACHMENTS_NOINDEX,
generated::fa_generated::FA_FILE_CACHE,
generated::fa_generated::FA_FILE_ORG_SIGNAL_SIGNAL_CONFIG_JSON,
generated::fa_generated::FA_FILE_ORG_SIGNAL_SIGNAL_DB_SQLITE,
generated::fa_generated::FA_FILE_CHATSYNC,
generated::fa_generated::FA_FILE_MAIN_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_SKYPE_SKYPE_PLIST,
generated::fa_generated::FA_FILE_XCHATLOGS_LOG,
generated::fa_generated::FA_FILE_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_4,
generated::fa_generated::FA_FILE_DS_STORE_APP_10,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_COM_APPLE_LAUNCHPORT_PLIST,
generated::fa_generated::FA_FILE_SYSTEM32_AWCODC32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_AWVIEW32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_C_50225_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_50227_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_50229_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51932_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51936_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51949_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_51950_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57002_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57006_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57008_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_C_57010_NLS,
generated::fa_generated::FA_FILE_SYSTEM32_CDGEXT32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLAIT32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLAIT64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLSGH32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLSGH64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLWS32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CDLLUNINSTALLWS64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CFGBKMGRS_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_CFGMGR64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_COMSVRPCS_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_D3DX8_20_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_DLLCOMM_DLL,
generated::fa_generated::FA_FILE_DRIVERS_WMIMGR_SYS,
generated::fa_generated::FA_FILE_SYSTEM32_DRVINFO_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_FCACHE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_FFEXTENDEDCOMMAND_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_GPKTCSP32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_HPQUEUE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_LPQUEUE_BIN,
generated::fa_generated::FA_FILE_SYSTEM32_MDWMNSP_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_MFCN30_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_NMWCDLOG_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_OBJFRAME_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_RPCDIST_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SCSVRFT_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SDPTBW_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SHLINK32_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SHLINK64_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SIIW9X_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SKYPEIE6PLUGIN_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_SLBKBW_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_WIFISCAN_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_WMSPDMGR_DLL,
generated::fa_generated::FA_FILE_MICROSOFT_C_27803_NLS,
generated::fa_generated::FA_FILE_MICROSOFT_OBJFRAME_DLL,
generated::fa_generated::FA_FILE_MICROSOFT_SHMGR_DLL,
generated::fa_generated::FA_FILE_USERS_TEMP_DF01AC74D8BE15EE01_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DF23BF45A473C42B56_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DF8471938479DA49221_TMP,
generated::fa_generated::FA_FILE_USERS_TEMP_DFA0528CD81300F372_TMP,
generated::fa_generated::FA_FILE_KUBERNETES_ADMIN_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_CONTROLLER_MANAGER_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_KUBELET_CONF,
generated::fa_generated::FA_FILE_KUBERNETES_SCHEDULER_CONF,
generated::fa_generated::FA_FILE_SNAP_DB,
generated::fa_generated::FA_FILE_KUBELET_CONFIG_YAML,
generated::fa_generated::FA_FILE_KUBERNETES_KUBELET_CONF_2,
generated::fa_generated::FA_FILE_MANIFESTS_YAML,
generated::fa_generated::FA_CURRENTVERSION_PROFILELIST_PROFILESDIRECTORY,
generated::fa_generated::FA_CURRENTVERSION_PROFILELIST_ALLUSERSPROFILE,
generated::fa_generated::FA_FILE_ETC_ENTERPRISE_RELEASE,
generated::fa_generated::FA_FILE_ETC_LSB_RELEASE,
generated::fa_generated::FA_FILE_ETC_ORACLE_RELEASE,
generated::fa_generated::FA_FILE_ETC_REDHAT_RELEASE,
generated::fa_generated::FA_FILE_ETC_SYSTEM_RELEASE,
generated::fa_generated::FA_FILE_ETC_ANACRONTAB,
generated::fa_generated::FA_FILE_CRON_DAILY,
generated::fa_generated::FA_FILE_CRON_HOURLY,
generated::fa_generated::FA_FILE_CRON_MONTHLY,
generated::fa_generated::FA_FILE_CRON_WEEKLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_DAILY,
generated::fa_generated::FA_FILE_ANACRON_CRON_HOURLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_MONTHLY,
generated::fa_generated::FA_FILE_ANACRON_CRON_WEEKLY,
generated::fa_generated::FA_FILE_LOG_APTITUDE,
generated::fa_generated::FA_FILE_APT_SOURCES_LIST,
generated::fa_generated::FA_FILE_SOURCES_LIST_D_LIST,
generated::fa_generated::FA_FILE_APT_TRUSTED_GPG,
generated::fa_generated::FA_FILE_TRUSTED_GPG_D_GPG,
generated::fa_generated::FA_FILE_APT_TRUSTDB_GPG,
generated::fa_generated::FA_FILE_KEYRINGS_GPG,
generated::fa_generated::FA_FILE_ETC_CRON_ALLOW,
generated::fa_generated::FA_FILE_ETC_CRON_DENY,
generated::fa_generated::FA_FILE_ETC_AT_ALLOW,
generated::fa_generated::FA_FILE_ETC_AT_DENY,
generated::fa_generated::FA_FILE_LOG_DPKG_LOG,
generated::fa_generated::FA_FILE_APT_HISTORY_LOG,
generated::fa_generated::FA_FILE_APT_TERM_LOG,
generated::fa_generated::FA_FILE_DPKG_STATUS,
generated::fa_generated::FA_FILE_ETC_DEBIAN_VERSION,
generated::fa_generated::FA_FILE_ETC_RESOLV_CONF,
generated::fa_generated::FA_FILE_GNOME_SHELL_APPLICATION_STATE,
generated::fa_generated::FA_FILE_INFO_TRASHINFO,
generated::fa_generated::FA_FILE_FILES,
generated::fa_generated::FA_FILE_TRACKER,
generated::fa_generated::FA_FILE_SHARE_RECENTLY_USED_XBEL,
generated::fa_generated::FA_FILE_ETC_HOSTS_ALLOW,
generated::fa_generated::FA_FILE_ETC_HOSTS_DENY,
generated::fa_generated::FA_FILE_ETC_MODULES_CONF,
generated::fa_generated::FA_FILE_MODPROBE_D,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_LESSHST,
generated::fa_generated::FA_FILE_AT,
generated::fa_generated::FA_FILE_SPOOL,
generated::fa_generated::FA_FILE_ATSPOOL,
generated::fa_generated::FA_FILE_AUDIT,
generated::fa_generated::FA_FILE_LOG_AUTH,
generated::fa_generated::FA_FILE_LOG_SECURE,
generated::fa_generated::FA_FILE_ETC_CA_CERTIFICATES_CONF,
generated::fa_generated::FA_FILE_CERTS_CA_CERTIFICATES_CRT,
generated::fa_generated::FA_FILE_CA_CERTIFICATES,
generated::fa_generated::FA_FILE_CA_CERTIFICATES_2,
generated::fa_generated::FA_FILE_LOG_CRON_LOG,
generated::fa_generated::FA_FILE_ETC_CRONTAB,
generated::fa_generated::FA_FILE_CRON_D,
generated::fa_generated::FA_FILE_CRON,
generated::fa_generated::FA_FILE_LOG_DAEMON,
generated::fa_generated::FA_FILE_DHCP_DHCP_CONF,
generated::fa_generated::FA_FILE_ETC_CENTOS_RELEASE,
generated::fa_generated::FA_FILE_ETC_ROCKY_RELEASE,
generated::fa_generated::FA_FILE_ETC_SUSE_RELEASE,
generated::fa_generated::FA_FILE_TABLES_DSDT,
generated::fa_generated::FA_FILE_ETC_FSTAB,
generated::fa_generated::FA_FILE_GRUB_GRUB_CFG,
generated::fa_generated::FA_FILE_GRUB2_GRUB_CFG,
generated::fa_generated::FA_FILE_ETC_HOSTNAME,
generated::fa_generated::FA_FILE_IF_UP_D,
generated::fa_generated::FA_FILE_IF_DOWN_D,
generated::fa_generated::FA_FILE_BOOT_INITRAMFS,
generated::fa_generated::FA_FILE_BOOT_INITRD,
generated::fa_generated::FA_FILE_ETC_ISSUE,
generated::fa_generated::FA_FILE_ETC_ISSUE_NET,
generated::fa_generated::FA_FILE_ETC_KRB5_CONF,
generated::fa_generated::FA_FILE_LOG_KERN,
generated::fa_generated::FA_FILE_LOG_LASTLOG,
generated::fa_generated::FA_FILE_ETC_LD_SO_PRELOAD,
generated::fa_generated::FA_FILE_INIT_D,
generated::fa_generated::FA_FILE_ETC_INSSERV_CONF,
generated::fa_generated::FA_FILE_INSSERV_CONF_D,
generated::fa_generated::FA_FILE_ETC_LOCALTIME,
generated::fa_generated::FA_FILE_LOG_MESSAGES,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER_NETWORKMANAGER_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER_SYSTEM_CONNECTIONS,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF_2,
generated::fa_generated::FA_FILE_CONF_D_NAME_CONF_3,
generated::fa_generated::FA_FILE_NETWORKMANAGER_NETWORKMANAGER_INTERN_CONF,
generated::fa_generated::FA_FILE_NETWORKMANAGER,
generated::fa_generated::FA_FILE_ETC_PASSWD_CACHE,
generated::fa_generated::FA_FILE_ETC_PAM_CONF,
generated::fa_generated::FA_FILE_ETC_PAM_D,
generated::fa_generated::FA_FILE_PAM_D_COMMON_PASSWORD,
generated::fa_generated::FA_FILE_PAM_D,
generated::fa_generated::FA_FILE_ETC_PASSWD,
generated::fa_generated::FA_FILE_ETC_RSYSLOG_CONF,
generated::fa_generated::FA_FILE_ETC_RSYSLOG_D,
generated::fa_generated::FA_FILE_RSYSLOG_D,
generated::fa_generated::FA_FILE_TABLES_SSDT,
generated::fa_generated::FA_FILE_SUDO_IO,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_2,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_3,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_4,
generated::fa_generated::FA_FILE_SYSCTL_D_CONF_5,
generated::fa_generated::FA_FILE_ETC_SYSCTL_CON,
generated::fa_generated::FA_FILE_SYSLOG_NG_SYSLOG_NG_CONF,
generated::fa_generated::FA_FILE_CONF_D_CONF,
generated::fa_generated::FA_FILE_SYSTEMD_JOURNALD_CONF,
generated::fa_generated::FA_FILE_JOURNAL,
generated::fa_generated::FA_FILE_JOURNAL_2,
generated::fa_generated::FA_FILE_ETC_OS_RELEASE,
generated::fa_generated::FA_FILE_LIB_OS_RELEASE,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_SERVICE,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_2,
generated::fa_generated::FA_FILE_USER_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_SERVICE,
generated::fa_generated::FA_FILE_GENERATOR_LATE_SERVICE,
generated::fa_generated::FA_FILE_GENERATOR_SERVICE,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_SERVICE_2,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_SERVICE_2,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_3,
generated::fa_generated::FA_FILE_TRANSIENT_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE_3,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_LATE_SERVICE_2,
generated::fa_generated::FA_FILE_GENERATOR_SERVICE_2,
generated::fa_generated::FA_FILE_TRANSIENT_SERVICE_2,
generated::fa_generated::FA_FILE_USER_CONTROL_SERVICE,
generated::fa_generated::FA_FILE_USER_SERVICE_4,
generated::fa_generated::FA_FILE_SYSTEM_SERVICE_4,
generated::fa_generated::FA_FILE_USER_SERVICE_5,
generated::fa_generated::FA_FILE_USER_CONTROL_SERVICE_2,
generated::fa_generated::FA_FILE_USER_SERVICE_6,
generated::fa_generated::FA_FILE_USER_SERVICE_7,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_TIMER,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_2,
generated::fa_generated::FA_FILE_USER_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_TIMER,
generated::fa_generated::FA_FILE_GENERATOR_LATE_TIMER,
generated::fa_generated::FA_FILE_GENERATOR_TIMER,
generated::fa_generated::FA_FILE_SYSTEM_CONTROL_TIMER_2,
generated::fa_generated::FA_FILE_SYSTEMD_ATTACHED_TIMER_2,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_3,
generated::fa_generated::FA_FILE_TRANSIENT_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER_3,
generated::fa_generated::FA_FILE_GENERATOR_EARLY_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_LATE_TIMER_2,
generated::fa_generated::FA_FILE_GENERATOR_TIMER_2,
generated::fa_generated::FA_FILE_TRANSIENT_TIMER_2,
generated::fa_generated::FA_FILE_USER_CONTROL_TIMER,
generated::fa_generated::FA_FILE_USER_TIMER_4,
generated::fa_generated::FA_FILE_SYSTEM_TIMER_4,
generated::fa_generated::FA_FILE_USER_TIMER_5,
generated::fa_generated::FA_FILE_USER_CONTROL_TIMER_2,
generated::fa_generated::FA_FILE_USER_TIMER_6,
generated::fa_generated::FA_FILE_USER_TIMER_7,
generated::fa_generated::FA_FILE_ETC_RC_LOCAL,
generated::fa_generated::FA_FILE_ETC_RC_D,
generated::fa_generated::FA_FILE_RC_D,
generated::fa_generated::FA_FILE_RC_D_2,
generated::fa_generated::FA_FILE_INIT_D_2,
generated::fa_generated::FA_FILE_ETC_TIMEZONE,
generated::fa_generated::FA_FILE_RULES_D,
generated::fa_generated::FA_FILE_RULES_D_2,
generated::fa_generated::FA_FILE_LOG_BTMP,
generated::fa_generated::FA_FILE_LOG_WTMP,
generated::fa_generated::FA_FILE_RUN_UTMP,
generated::fa_generated::FA_FILE_LOG_WTMP_2,
generated::fa_generated::FA_FILE_ETC_XINETD_CONF,
generated::fa_generated::FA_FILE_XINETD_D,
generated::fa_generated::FA_FILE_MLOCATE_MLOCATE_DB,
generated::fa_generated::FA_FILE_ETC_UPDATEDB_CONF,
generated::fa_generated::FA_FILE_ETC_NETGROUP,
generated::fa_generated::FA_FILE_ETC_NSSWITCH_CONF,
generated::fa_generated::FA_FILE_ETC_PASSWD_2,
generated::fa_generated::FA_FILE_ETC_SHADOW,
generated::fa_generated::FA_FILE_SECURITY_ACCESS_CONF,
generated::fa_generated::FA_FILE_ROOT_K5LOGIN,
generated::fa_generated::FA_FILE_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_ROOT_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_MYSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_NANO_HISTORY,
generated::fa_generated::FA_FILE_ETC_NETGROUP_2,
generated::fa_generated::FA_FILE_ETC_NTP_CONF,
generated::fa_generated::FA_FILE_VENDOR,
generated::fa_generated::FA_FILE_DEVICE,
generated::fa_generated::FA_FILE_CLASS,
generated::fa_generated::FA_FILE_CONFIG,
generated::fa_generated::FA_FILE_PSQL_HISTORY,
generated::fa_generated::FA_FILE_ROOT_PSQL_HISTORY,
generated::fa_generated::FA_FILE_POSTGRESQL_PSQL_HISTORY,
generated::fa_generated::FA_FILE_PGSQL_PSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PSQL_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PYTHON_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_RHOSTS,
generated::fa_generated::FA_FILE_SAMBA_LOG,
generated::fa_generated::FA_FILE_SECRETS_SECRETS_LDB,
generated::fa_generated::FA_FILE_SECRETS_SECRETS_MKEY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_SQLITE_HISTORY,
generated::fa_generated::FA_FILE_SSH_AUTHORIZED_KEYS,
generated::fa_generated::FA_FILE_SSH_AUTHORIZED_KEYS2,
generated::fa_generated::FA_FILE_SSH_SSH_HOST_KEY_PUB,
generated::fa_generated::FA_FILE_SSH_KNOWN_HOSTS,
generated::fa_generated::FA_FILE_SSH_KNOWN_HOSTS_2,
generated::fa_generated::FA_FILE_THUMBNAILS_3,
generated::fa_generated::FA_FILE_DEFAULT_UFW,
generated::fa_generated::FA_FILE_UFW_SYSCTL_CONF,
generated::fa_generated::FA_FILE_UFW_RULES,
generated::fa_generated::FA_FILE_APPLICATIONS_D,
generated::fa_generated::FA_FILE_LOG_UFW_LOG,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_VIMINFO,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_WGET_HSTS,
generated::fa_generated::FA_FILE_AUTOSTART_DESKTOP,
generated::fa_generated::FA_FILE_AUTOSTART_DESKTOP_2,
generated::fa_generated::FA_FILE_ETC_YUM_CONF,
generated::fa_generated::FA_FILE_YUM_REPOS_D_REPO,
generated::fa_generated::FA_FILE_ZEITGEIST_ACTIVITY_SQLITE,
generated::fa_generated::FA_FILE_ZEITGEIST_ACTIVITY_SQLITE_WAL,
generated::fa_generated::FA_FILE_KERNEL_RANDOMIZE_VA_SPACE,
generated::fa_generated::FA_FILE_IPV4_ICMP_ECHO_IGNORE_BROADCASTS,
generated::fa_generated::FA_FILE_KERNEL_BOOTLOADER_TYPE,
generated::fa_generated::FA_FILE_KERNEL_BOOTLOADER_VERSION,
generated::fa_generated::FA_FILE_KERNEL_KEXEC_LOAD_DISABLED,
generated::fa_generated::FA_FILE_KERNEL_MODULES_DISABLED,
generated::fa_generated::FA_FILE_KERNEL_TAINTED,
generated::fa_generated::FA_FILE_FORWARDING,
generated::fa_generated::FA_FILE_MC_FORWARDING,
generated::fa_generated::FA_FILE_IPV4_IP_FORWARD,
generated::fa_generated::FA_FILE_ACCEPT_SOURCE_ROUTE,
generated::fa_generated::FA_FILE_RP_FILTER,
generated::fa_generated::FA_FILE_LOG_MARTIANS,
generated::fa_generated::FA_FILE_ACCEPT_REDIRECTS,
generated::fa_generated::FA_FILE_SECURE_REDIRECTS,
generated::fa_generated::FA_FILE_SEND_REDIRECTS,
generated::fa_generated::FA_FILE_NET_ARP,
generated::fa_generated::FA_FILE_PROC_MOUNTS,
generated::fa_generated::FA_FILE_KERNEL_DMESG_RESTRICT,
generated::fa_generated::FA_FILE_KERNEL_KPTR_RESTRICT,
generated::fa_generated::FA_FILE_FS_PROTECTED_HARDLINKS,
generated::fa_generated::FA_FILE_FS_PROTECTED_SYMLINKS,
generated::fa_generated::FA_FILE_FS_SUID_DUMPABLE,
generated::fa_generated::FA_FILE_IPV4_TCP_SYNCOOKIES,
generated::fa_generated::FA_FILE_LOGS_CONTROLLER_LOG,
generated::fa_generated::FA_FILE_LOGS_KAFKA_LOG,
generated::fa_generated::FA_FILE_LOGS_SERVER_LOG,
generated::fa_generated::FA_FILE_LOGS_STATE_CHANGE_LOG,
generated::fa_generated::FA_FILE_HAPROXY,
generated::fa_generated::FA_FILE_LOG_HAPROXY_LOG,
generated::fa_generated::FA_FILE_LOG_HAPROXY_TRAFFIC_LOG,
generated::fa_generated::FA_FILE_LOG_HAPROXY_ADMIN_LOG,
generated::fa_generated::FA_FILE_JENKINS_JENKINS_LOG,
generated::fa_generated::FA_FILE_OSQUERY_OSQUERYD_RESULTS_LOG,
generated::fa_generated::FA_FILE_OSQUERY_OSQUERYD_SNAPSHOTS_LOG,
generated::fa_generated::FA_FILE_ADDRESSBOOK_ADDRESSBOOKIMAGES_SQLITEDB,
generated::fa_generated::FA_FILE_ADDRESSBOOK_ADDRESSBOOKIMAGES_SQLITEDB_2,
generated::fa_generated::FA_FILE_SYSTEMCONFIGURATION_COM_APPLE_AIRPORT_PREFERENCES_PL,
generated::fa_generated::FA_FILE_APPLEPUSHSERVICE_APS_DB,
generated::fa_generated::FA_FILE_DB_APPLESETUPDONE,
generated::fa_generated::FA_FILE_DB_APPLESETUPDONE_2,
generated::fa_generated::FA_FILE_ASL_ASL,
generated::fa_generated::FA_FILE_DIAGNOSTICMESSAGES_ASL,
generated::fa_generated::FA_FILE_ASL_ASL_2,
generated::fa_generated::FA_FILE_DIAGNOSTICMESSAGES_ASL_2,
generated::fa_generated::FA_FILE_CACHE_DB,
generated::fa_generated::FA_FILE_LPROJ_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_STRINGS_2,
generated::fa_generated::FA_FILE_COM_APPLE_ASSETCACHE_ASSETINFO_DB,
generated::fa_generated::FA_FILE_DB_AUTH_DB,
generated::fa_generated::FA_FILE_DB_AUTH_DB_2,
generated::fa_generated::FA_FILE_CALENDARS_CALENDAR_CACHE,
generated::fa_generated::FA_FILE_CALLHISTORYDB_CALLHISTORY_STOREDATA,
generated::fa_generated::FA_FILE_PREFERENCES_LSSHAREDFILELIST_PLIST,
generated::fa_generated::FA_FILE_JOBS,
generated::fa_generated::FA_FILE_AUDIT_0_9_0_9,
generated::fa_generated::FA_FILE_AUDIT_0_9_0_9_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_BLUETOOTH_PLIST,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_2,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_3,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_4,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_5,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_6,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_7,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_8,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_9,
generated::fa_generated::FA_FILE_CODESIGNATURE_CODERESOURCES_10,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_2,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_3,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_4,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_5,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_6,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_7,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_8,
generated::fa_generated::FA_FILE_KEXT_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_9,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_10,
generated::fa_generated::FA_FILE_RESOURCES_INFO_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_INFO_PLIST_11,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_2,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_3,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_4,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_5,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_6,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_7,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_8,
generated::fa_generated::FA_FILE_KEXT_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_9,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_10,
generated::fa_generated::FA_FILE_RESOURCES_VERSION_PLIST,
generated::fa_generated::FA_FILE_CONTENTS_VERSION_PLIST_11,
generated::fa_generated::FA_FILE_DIAGNOSTICREPORTS_CORE_ANALYTICS,
generated::fa_generated::FA_FILE_AGGREGATES,
generated::fa_generated::FA_FILE_AGGREGATES_2,
generated::fa_generated::FA_FILE_ETC_CRONTAB_2,
generated::fa_generated::FA_FILE_TABS,
generated::fa_generated::FA_FILE_TABS_2,
generated::fa_generated::FA_FILE_TABS_3,
generated::fa_generated::FA_FILE_TABS_4,
generated::fa_generated::FA_FILE_TABS_5,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_DOCK_PLIST,
generated::fa_generated::FA_FILE_DEFAULT_SQLINDEX,
generated::fa_generated::FA_FILE_DEFAULT_SQLINDEX_2,
generated::fa_generated::FA_FILE_DUETACTIVITYSCHEDULER_DUETACTIVITYSCHEDULERCLASSC_DB,
generated::fa_generated::FA_FILE_DUETACTIVITYSCHEDULER_DUETACTIVITYSCHEDULERCLASSC_DB_2,
generated::fa_generated::FA_FILE_PEOPLE_INTERACTIONC_DB,
generated::fa_generated::FA_FILE_PEOPLE_INTERACTIONC_DB_2,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB_2,
generated::fa_generated::FA_FILE_KNOWLEDGE_KNOWLEDGEC_DB_3,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_2,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_3,
generated::fa_generated::FA_FILE_COREDUET_COREDUETD_DB_4,
generated::fa_generated::FA_FILE_FSEVENTSD,
generated::fa_generated::FA_FILE_DATA_FSEVENTSD,
generated::fa_generated::FA_FILE_RESOURCES_GKOPAQUE_DB,
generated::fa_generated::FA_FILE_RESOURCES_GKOPAQUE_DB_2,
generated::fa_generated::FA_FILE_PREFERENCES_GLOBALPREFERENCES_PLIST,
generated::fa_generated::FA_FILE_ACCOUNTS,
generated::fa_generated::FA_FILE_PREFERENCES_MOBILEMEACCOUNTS_PLIST,
generated::fa_generated::FA_FILE_IDENTITYSERVICES_IDS_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_IPOD_PLIST,
generated::fa_generated::FA_FILE_RECEIPTS_INSTALLHISTORY_PLIST,
generated::fa_generated::FA_FILE_LOG_INSTALL_LOG,
generated::fa_generated::FA_FILE_LOG_INSTALL_LOG_2,
generated::fa_generated::FA_FILE_LPROJ_ITXIB,
generated::fa_generated::FA_FILE_INFO_PLIST,
generated::fa_generated::FA_FILE_MANIFEST_PLIST,
generated::fa_generated::FA_FILE_MANIFEST_MDBD,
generated::fa_generated::FA_FILE_BACKUP,
generated::fa_generated::FA_FILE_STATUS_PLIST,
generated::fa_generated::FA_FILE_EXTENSIONS,
generated::fa_generated::FA_FILE_EXTENSIONS_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_HITOOLBOX_PLIST,
generated::fa_generated::FA_FILE_LOG_LASTLOG_2,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST_2,
generated::fa_generated::FA_FILE_LAUNCHAGENTS_PLIST_3,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST_2,
generated::fa_generated::FA_FILE_LAUNCHDAEMONS_PLIST_3,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_BYHOST_COM_APPLE_LOGINWINDOW_PLIST,
generated::fa_generated::FA_FILE_BYHOST_COM_APPLE_LOGINWINDOW_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINWINDOW_PLIST_3,
generated::fa_generated::FA_FILE_MAILDATA_ACCOUNTS_PLIST,
generated::fa_generated::FA_FILE_MAILDATA_BACKUPTOC_PLIST,
generated::fa_generated::FA_FILE_MAILBOXES,
generated::fa_generated::FA_FILE_MAIL_DOWNLOADS,
generated::fa_generated::FA_FILE_MAILDATA_ENVELOPE_INDEX,
generated::fa_generated::FA_FILE_IMAP,
generated::fa_generated::FA_FILE_V_0_9,
generated::fa_generated::FA_FILE_MAILDATA_OPENEDATTACHMENTSV2_PLIST,
generated::fa_generated::FA_FILE_POP,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_MAIL_PLIST,
generated::fa_generated::FA_FILE_ADDRESSBOOK_MAILRECENTS_V4_ABCDMR,
generated::fa_generated::FA_FILE_SIGNATURES,
generated::fa_generated::FA_FILE_MESSAGES_CHAT_DB,
generated::fa_generated::FA_FILE_NETWORKD_NETUSAGE_SQLITE,
generated::fa_generated::FA_FILE_NETWORKD_NETUSAGE_SQLITE_2,
generated::fa_generated::FA_FILE_NOTES_NOTESV_STOREDATA,
generated::fa_generated::FA_FILE_NOTIFICATIONCENTER_DB,
generated::fa_generated::FA_FILE_DB_DB,
generated::fa_generated::FA_FILE_DB2_DB,
generated::fa_generated::FA_FILE_DB_DB_2,
generated::fa_generated::FA_FILE_DB2_DB_2,
generated::fa_generated::FA_FILE_DAILY_LOCAL,
generated::fa_generated::FA_FILE_DEFAULTS_PERIODIC_CONF,
generated::fa_generated::FA_FILE_MONTHLY_LOCAL,
generated::fa_generated::FA_FILE_PERIODIC_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_LOCAL,
generated::fa_generated::FA_FILE_DAILY,
generated::fa_generated::FA_FILE_MONTHLY,
generated::fa_generated::FA_FILE_WEEKLY,
generated::fa_generated::FA_FILE_WEEKLY_LOCAL,
generated::fa_generated::FA_FILE_DAILY_LOCAL_2,
generated::fa_generated::FA_FILE_DEFAULTS_PERIODIC_CONF_2,
generated::fa_generated::FA_FILE_MONTHLY_LOCAL_2,
generated::fa_generated::FA_FILE_PERIODIC_2_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_2,
generated::fa_generated::FA_FILE_ETC_PERIODIC_CONF_LOCAL_2,
generated::fa_generated::FA_FILE_DAILY_2,
generated::fa_generated::FA_FILE_MONTHLY_2,
generated::fa_generated::FA_FILE_WEEKLY_2,
generated::fa_generated::FA_FILE_WEEKLY_LOCAL_2,
generated::fa_generated::FA_FILE_PERIODIC_2_3,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARANTINEEVENT,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARANTINEEVENT_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_RECENTITEMS_PLIST,
generated::fa_generated::FA_FILE_CLIENTCACHES,
generated::fa_generated::FA_FILE_RMDB_RMDB_SQLITE3,
generated::fa_generated::FA_FILE_CLIENTCACHES_2,
generated::fa_generated::FA_FILE_RMDB_RMDB_SQLITE3_2,
generated::fa_generated::FA_FILE_CACHES_APPUSAGE_PLIST,
generated::fa_generated::FA_FILE_CACHES_APPUSAGE_PLIST_2,
generated::fa_generated::FA_FILE_CACHES_USERACCT_TMP,
generated::fa_generated::FA_FILE_CACHES_USERACCT_TMP_2,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_2,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_3,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_4,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_5,
generated::fa_generated::FA_FILE_RESOURCES_INFOPLIST_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_6,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_7,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_8,
generated::fa_generated::FA_FILE_LPROJ_INFOPLIST_STRINGS_9,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_2,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_3,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_4,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_5,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_6,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_7,
generated::fa_generated::FA_FILE_LPROJ_LOCALIZABLE_STRINGS_8,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SIDEBARLISTS_PLIST,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SIDEBARLISTS_PLIST_2,
generated::fa_generated::FA_FILE_ASSISTANT_SIRIANALYTICS_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_ENTITIES_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_ENTITIES_DB_WAL,
generated::fa_generated::FA_FILE_PENDING_QUEUE_DB,
generated::fa_generated::FA_FILE_PENDING_QUEUE_DB_WAL,
generated::fa_generated::FA_FILE_SUGGESTIONS_SNIPPETS_DB,
generated::fa_generated::FA_FILE_SUGGESTIONS_SNIPPETS_DB_WAL,
generated::fa_generated::FA_FILE_VM_SLEEPIMAGE,
generated::fa_generated::FA_FILE_VM_SLEEPIMAGE_2,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_SOFTWAREUPDATE_PLIST,
generated::fa_generated::FA_FILE_STORE_V1_VOLUMECONFIG_PLIST,
generated::fa_generated::FA_FILE_SPOTLIGHT_V100_VOLUMECONFIGURATION_PLIST,
generated::fa_generated::FA_FILE_PLIST,
generated::fa_generated::FA_FILE_PLIST_2,
generated::fa_generated::FA_FILE_VM_SWAPFILE_0_9,
generated::fa_generated::FA_FILE_VM_SWAPFILE_0_9_2,
generated::fa_generated::FA_FILE_SYSTEMCONFIGURATION_PREFERENCES_PLIST,
generated::fa_generated::FA_FILE_LOG_2,
generated::fa_generated::FA_FILE_DB_SYSTEMPOLICY,
generated::fa_generated::FA_FILE_DB_SYSTEMPOLICY_2,
generated::fa_generated::FA_FILE_PLIST_3,
generated::fa_generated::FA_FILE_CORESERVICES_SYSTEMVERSION_PLIST,
generated::fa_generated::FA_FILE_COM_APPLE_TCC_TCC_DB,
generated::fa_generated::FA_FILE_COM_APPLE_TCC_TCC_DB_2,
generated::fa_generated::FA_FILE_KEYBOARDSERVICES_TEXTREPLACEMENTS_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_TIMEMACHINE_PLIST,
generated::fa_generated::FA_FILE_DIAGNOSTICS_TRACEV3,
generated::fa_generated::FA_FILE_TRACEV3,
generated::fa_generated::FA_FILE_DIAGNOSTICS_TRACEV3_2,
generated::fa_generated::FA_FILE_TRACEV3_2,
generated::fa_generated::FA_FILE_DOCK_DESKTOPPICTURE_DB,
generated::fa_generated::FA_FILE_PREFERENCES_GLOBALPREFERENCES_PLIST_2,
generated::fa_generated::FA_FILE_KEYCHAINS_KEYCHAIN,
generated::fa_generated::FA_FILE_OCSPCACHE_SQLITE3,
generated::fa_generated::FA_FILE_USER_DB,
generated::fa_generated::FA_FILE_KEYCHAIN_2_DB,
generated::fa_generated::FA_FILE_PREFERENCES_COM_APPLE_LOGINITEMS_PLIST,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENTAGENT_BACKGROUNDIT,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENT_BACKGROUNDITEMS_V,
generated::fa_generated::FA_FILE_COM_APPLE_BACKGROUNDTASKMANAGEMENT_BACKGROUNDITEMS_V_2,
generated::fa_generated::FA_FILE_USERS_PLIST,
generated::fa_generated::FA_FILE_USERS_PLIST_2,
generated::fa_generated::FA_FILE_PREFERENCES,
generated::fa_generated::FA_FILE_ACCOUNTS_ACCOUNTS_SQLITE,
generated::fa_generated::FA_FILE_ACCOUNTS_ACCOUNTS_SQLITE_WAL,
generated::fa_generated::FA_FILE_TRASH,
generated::fa_generated::FA_FILE_RUN_UTMPX,
generated::fa_generated::FA_FILE_RUN_UTMPX_2,
generated::fa_generated::FA_FILE_PASSES_PASSES23_SQLITE,
generated::fa_generated::FA_FILE_AWDD_PERSISTENT_DB,
generated::fa_generated::FA_FILE_AWDD_PERSISTENT_DB_2,
generated::fa_generated::FA_FILE_IOS_DEVICE_LOGS_IOS_DEVICE_LOGS_DB,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_LOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_PROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASH_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASHRC,
generated::fa_generated::FA_FILE_ETC_BASH_BASHRC_2,
generated::fa_generated::FA_FILE_ETC_BASHRC_2,
generated::fa_generated::FA_FILE_BASH_LOGOUT,
generated::fa_generated::FA_FILE_BASH_PROFILE,
generated::fa_generated::FA_FILE_BASHRC,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_BASH_HISTORY,
generated::fa_generated::FA_FILE_BASH_HISTORY,
generated::fa_generated::FA_FILE_BASH_SESSIONS,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_SH_HISTORY,
generated::fa_generated::FA_FILE_SH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_CSHRC,
generated::fa_generated::FA_FILE_ETC_CSH_CSHRC,
generated::fa_generated::FA_FILE_ETC_CSH_LOGIN,
generated::fa_generated::FA_FILE_ETC_CSH_LOGOUT,
generated::fa_generated::FA_FILE_ETC_CSH_CSHRC_2,
generated::fa_generated::FA_FILE_ETC_CSH_LOGIN_2,
generated::fa_generated::FA_FILE_ETC_CSH_LOGOUT_2,
generated::fa_generated::FA_FILE_CSHRC,
generated::fa_generated::FA_FILE_CONF_D_CONFIG_FISH,
generated::fa_generated::FA_FILE_CONF_D_FISH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH_2,
generated::fa_generated::FA_FILE_FISH_FISH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_KSH,
generated::fa_generated::FA_FILE_ETC_KSHRC,
generated::fa_generated::FA_FILE_ETC_KSHRC_2,
generated::fa_generated::FA_FILE_KSH,
generated::fa_generated::FA_FILE_ROOT_BASH_LOGOUT,
generated::fa_generated::FA_FILE_ROOT_BASH_PROFILE,
generated::fa_generated::FA_FILE_ROOT_BASHRC,
generated::fa_generated::FA_FILE_ROOT_CSHRC,
generated::fa_generated::FA_FILE_ROOT_KSH,
generated::fa_generated::FA_FILE_FISH_CONFIG_FISH_3,
generated::fa_generated::FA_FILE_ROOT_LOGOUT,
generated::fa_generated::FA_FILE_ROOT_PROFILE,
generated::fa_generated::FA_FILE_ROOT_TCSH,
generated::fa_generated::FA_FILE_ROOT_ZLOGIN,
generated::fa_generated::FA_FILE_ROOT_ZLOGOUT,
generated::fa_generated::FA_FILE_ROOT_ZPROFILE,
generated::fa_generated::FA_FILE_ROOT_BASH_HISTORY,
generated::fa_generated::FA_FILE_FISH_FISH_HISTORY_2,
generated::fa_generated::FA_FILE_ROOT_SH_HISTORY,
generated::fa_generated::FA_FILE_ROOT_ZHISTORY,
generated::fa_generated::FA_FILE_ROOT_ZSH_HISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_LOGOUT,
generated::fa_generated::FA_FILE_LOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_PROFILE,
generated::fa_generated::FA_FILE_ETC_PROFILE,
generated::fa_generated::FA_FILE_ETC_PROFILE_2,
generated::fa_generated::FA_FILE_PROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_TCSH,
generated::fa_generated::FA_FILE_TCSH,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZLOGIN,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZLOGOUT,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZPROFILE,
generated::fa_generated::FA_FILE_ETC_ZSHENV,
generated::fa_generated::FA_FILE_ETC_ZSHRC,
generated::fa_generated::FA_FILE_ZSH_ZLOGIN,
generated::fa_generated::FA_FILE_ZSH_ZLOGOUT,
generated::fa_generated::FA_FILE_ZSH_ZPROFILE,
generated::fa_generated::FA_FILE_ZSH_ZSHENV,
generated::fa_generated::FA_FILE_ZSH_ZSHRC,
generated::fa_generated::FA_FILE_ETC_ZSHENV_2,
generated::fa_generated::FA_FILE_ETC_ZSHRC_2,
generated::fa_generated::FA_FILE_ZSH_ZLOGIN_2,
generated::fa_generated::FA_FILE_ZSH_ZLOGOUT_2,
generated::fa_generated::FA_FILE_ZSH_ZPROFILE_2,
generated::fa_generated::FA_FILE_ZSH_ZSHENV_2,
generated::fa_generated::FA_FILE_ZSH_ZSHRC_2,
generated::fa_generated::FA_FILE_ZLOGIN,
generated::fa_generated::FA_FILE_ZLOGOUT,
generated::fa_generated::FA_FILE_ZPROFILE,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZHISTORY,
generated::fa_generated::FA_FILE_USERS_HOMEDIR_ZSH_HISTORY,
generated::fa_generated::FA_FILE_ZHISTORY,
generated::fa_generated::FA_FILE_ZSH_HISTORY,
generated::fa_generated::FA_FILE_ACCESS_LOG,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG,
generated::fa_generated::FA_FILE_CATALINA_OUT,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT,
generated::fa_generated::FA_FILE_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_CATALINA_OUT_2,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_2,
generated::fa_generated::FA_FILE_ACCESS_LOG_3,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_3,
generated::fa_generated::FA_FILE_CATALINA_OUT_3,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_3,
generated::fa_generated::FA_FILE_ACCESS_LOG_4,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_4,
generated::fa_generated::FA_FILE_CATALINA_OUT_4,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_4,
generated::fa_generated::FA_FILE_ACCESS_LOG_5,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_5,
generated::fa_generated::FA_FILE_CATALINA_OUT_5,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_5,
generated::fa_generated::FA_FILE_ACCESS_LOG_6,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_6,
generated::fa_generated::FA_FILE_CATALINA_OUT_6,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_6,
generated::fa_generated::FA_FILE_ACCESS_LOG_7,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_7,
generated::fa_generated::FA_FILE_CATALINA_OUT_7,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_7,
generated::fa_generated::FA_FILE_ACCESS_LOG_8,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_8,
generated::fa_generated::FA_FILE_CATALINA_OUT_8,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_8,
generated::fa_generated::FA_FILE_ACCESS_LOG_9,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_9,
generated::fa_generated::FA_FILE_CATALINA_OUT_9,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_9,
generated::fa_generated::FA_FILE_ACCESS_LOG_10,
generated::fa_generated::FA_FILE_LOGS_ACCESS_LOG_10,
generated::fa_generated::FA_FILE_CATALINA_OUT_10,
generated::fa_generated::FA_FILE_LOGS_CATALINA_OUT_10,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_2,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_3,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_4,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_5,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_6,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_7,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_8,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_9,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_10,
generated::fa_generated::FA_FILE_CONF_TOMCAT_USERS_XML_11,
generated::fa_generated::FA_FILE_ETC_GROUP,
generated::fa_generated::FA_FILE_ETC_GROUP_2,
generated::fa_generated::FA_FILE_ETC_HOSTS,
generated::fa_generated::FA_FILE_ETC_HOSTS_2,
generated::fa_generated::FA_FILE_ETC_LOCALTIME_2,
generated::fa_generated::FA_FILE_ETC_SHADOW_2,
generated::fa_generated::FA_FILE_ETC_SHADOW_3,
generated::fa_generated::FA_FILE_ETC_SHADOW_4,
generated::fa_generated::FA_FILE_ETC_SUDOERS,
generated::fa_generated::FA_FILE_ETC_SUDOERS_2,
generated::fa_generated::FA_FILE_LOG_BTMP_2,
generated::fa_generated::FA_FILE_RUN_UTMP_2,
generated::fa_generated::FA_CHROME_EXTENSIONS_5,
generated::fa_generated::FA_CHROME_EXTENSIONS_5_2,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_2,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_3,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_4,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_5,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_6,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_7,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_8,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_9,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_10,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_11,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_12,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_13,
generated::fa_generated::FA_FILE_FILE_SYSTEM_5_14,
generated::fa_generated::FA_FILE_INDEXEDDB_5,
generated::fa_generated::FA_FILE_INDEXEDDB_5_2,
generated::fa_generated::FA_FILE_INDEXEDDB_5_3,
generated::fa_generated::FA_FILE_INDEXEDDB_5_4,
generated::fa_generated::FA_FILE_INDEXEDDB_5_5,
generated::fa_generated::FA_FILE_INDEXEDDB_5_6,
generated::fa_generated::FA_FILE_INDEXEDDB_5_7,
generated::fa_generated::FA_FILE_INDEXEDDB_5_8,
generated::fa_generated::FA_FILE_INDEXEDDB_5_9,
generated::fa_generated::FA_FILE_INDEXEDDB_5_10,
generated::fa_generated::FA_FILE_INDEXEDDB_5_11,
generated::fa_generated::FA_FILE_INDEXEDDB_5_12,
generated::fa_generated::FA_FILE_INDEXEDDB_5_13,
generated::fa_generated::FA_FILE_INDEXEDDB_5_14,
generated::fa_generated::FA_FILE_LOCAL_STORAGE,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_2,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_3,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_4,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_5,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_6,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_7,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_8,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_9,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_10,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_11,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_12,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_13,
generated::fa_generated::FA_FILE_LOCAL_STORAGE_14,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS_2,
generated::fa_generated::FA_FILE_PLATFORM_NOTIFICATIONS_3,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES,
generated::fa_generated::FA_FILE_PREFERENCES_2,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_2,
generated::fa_generated::FA_FILE_PREFERENCES_3,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_3,
generated::fa_generated::FA_FILE_PREFERENCES_4,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_4,
generated::fa_generated::FA_FILE_PREFERENCES_5,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_5,
generated::fa_generated::FA_FILE_PREFERENCES_6,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_6,
generated::fa_generated::FA_FILE_PREFERENCES_7,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_7,
generated::fa_generated::FA_FILE_PREFERENCES_8,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_8,
generated::fa_generated::FA_FILE_PREFERENCES_9,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_9,
generated::fa_generated::FA_FILE_PREFERENCES_10,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_10,
generated::fa_generated::FA_FILE_PREFERENCES_11,
generated::fa_generated::FA_FILE_SECURE_PREFERENCES_11,
generated::fa_generated::FA_FILE_PREFERENCES_12,
generated::fa_generated::FA_FILE_SESSION_STORAGE,
generated::fa_generated::FA_FILE_SESSION_STORAGE_2,
generated::fa_generated::FA_FILE_SESSION_STORAGE_3,
generated::fa_generated::FA_FILE_SESSION_STORAGE_4,
generated::fa_generated::FA_FILE_SESSIONS_SESSION,
generated::fa_generated::FA_FILE_SESSIONS_TABS,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_2,
generated::fa_generated::FA_FILE_SESSIONS_TABS_2,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_3,
generated::fa_generated::FA_FILE_SESSIONS_TABS_3,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_4,
generated::fa_generated::FA_FILE_SESSIONS_TABS_4,
generated::fa_generated::FA_FILE_SESSION_STORAGE_5,
generated::fa_generated::FA_FILE_SESSION_STORAGE_6,
generated::fa_generated::FA_FILE_SESSION_STORAGE_7,
generated::fa_generated::FA_FILE_SESSION_STORAGE_8,
generated::fa_generated::FA_FILE_SESSION_STORAGE_9,
generated::fa_generated::FA_FILE_SESSION_STORAGE_10,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_5,
generated::fa_generated::FA_FILE_SESSIONS_TABS_5,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_6,
generated::fa_generated::FA_FILE_SESSIONS_TABS_6,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_7,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_8,
generated::fa_generated::FA_FILE_SESSIONS_TABS_7,
generated::fa_generated::FA_FILE_SESSIONS_TABS_8,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_9,
generated::fa_generated::FA_FILE_SESSIONS_TABS_9,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_10,
generated::fa_generated::FA_FILE_SESSIONS_TABS_10,
generated::fa_generated::FA_FILE_SESSION_STORAGE_11,
generated::fa_generated::FA_FILE_SESSION_STORAGE_12,
generated::fa_generated::FA_FILE_SESSION_STORAGE_13,
generated::fa_generated::FA_FILE_SESSION_STORAGE_14,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_11,
generated::fa_generated::FA_FILE_SESSIONS_TABS_11,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_12,
generated::fa_generated::FA_FILE_SESSIONS_TABS_12,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_13,
generated::fa_generated::FA_FILE_SESSIONS_TABS_13,
generated::fa_generated::FA_FILE_SESSIONS_SESSION_14,
generated::fa_generated::FA_FILE_SESSIONS_TABS_14,
generated::fa_generated::FA_FILE_CACHE_DATA,
generated::fa_generated::FA_FILE_GPUCACHE,
generated::fa_generated::FA_FILE_MEDIA_CACHE,
generated::fa_generated::FA_FILE_CACHE_DATA_2,
generated::fa_generated::FA_FILE_GPUCACHE_2,
generated::fa_generated::FA_FILE_MEDIA_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_DATA_3,
generated::fa_generated::FA_FILE_GPUCACHE_3,
generated::fa_generated::FA_FILE_MEDIA_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_7,
generated::fa_generated::FA_FILE_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_DATA_4,
generated::fa_generated::FA_FILE_GPUCACHE_4,
generated::fa_generated::FA_FILE_MEDIA_CACHE_4,
generated::fa_generated::FA_FILE_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_DATA_5,
generated::fa_generated::FA_FILE_GPUCACHE_5,
generated::fa_generated::FA_FILE_MEDIA_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_11,
generated::fa_generated::FA_FILE_CACHE_12,
generated::fa_generated::FA_FILE_CACHE_DATA_6,
generated::fa_generated::FA_FILE_GPUCACHE_6,
generated::fa_generated::FA_FILE_MEDIA_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_13,
generated::fa_generated::FA_FILE_CACHE_14,
generated::fa_generated::FA_FILE_CACHE_DATA_7,
generated::fa_generated::FA_FILE_GPUCACHE_7,
generated::fa_generated::FA_FILE_MEDIA_CACHE_7,
generated::fa_generated::FA_FILE_CACHE_15,
generated::fa_generated::FA_FILE_CACHE_16,
generated::fa_generated::FA_FILE_CACHE_DATA_8,
generated::fa_generated::FA_FILE_GPUCACHE_8,
generated::fa_generated::FA_FILE_MEDIA_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_17,
generated::fa_generated::FA_FILE_CACHE_18,
generated::fa_generated::FA_FILE_CACHE_DATA_9,
generated::fa_generated::FA_FILE_GPUCACHE_9,
generated::fa_generated::FA_FILE_MEDIA_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_DATA_10,
generated::fa_generated::FA_FILE_CACHE_19,
generated::fa_generated::FA_FILE_CACHE_20,
generated::fa_generated::FA_FILE_CACHE_DATA_11,
generated::fa_generated::FA_FILE_GPUCACHE_10,
generated::fa_generated::FA_FILE_MEDIA_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_21,
generated::fa_generated::FA_FILE_CACHE_22,
generated::fa_generated::FA_FILE_CACHE_23,
generated::fa_generated::FA_FILE_CACHE_24,
generated::fa_generated::FA_FILE_APPLICATION_CACHE,
generated::fa_generated::FA_FILE_CACHE_25,
generated::fa_generated::FA_FILE_CACHE_26,
generated::fa_generated::FA_FILE_GPUCACHE_11,
generated::fa_generated::FA_FILE_MEDIA_CACHE_11,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_2,
generated::fa_generated::FA_FILE_CACHE_27,
generated::fa_generated::FA_FILE_CACHE_28,
generated::fa_generated::FA_FILE_CACHE_29,
generated::fa_generated::FA_FILE_GPUCACHE_12,
generated::fa_generated::FA_FILE_MEDIA_CACHE_12,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_2,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_3,
generated::fa_generated::FA_FILE_CACHE_30,
generated::fa_generated::FA_FILE_CACHE_31,
generated::fa_generated::FA_FILE_GPUCACHE_13,
generated::fa_generated::FA_FILE_MEDIA_CACHE_13,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_3,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_4,
generated::fa_generated::FA_FILE_CACHE_32,
generated::fa_generated::FA_FILE_CACHE_33,
generated::fa_generated::FA_FILE_CACHE_34,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_5,
generated::fa_generated::FA_FILE_CACHE_35,
generated::fa_generated::FA_FILE_CACHE_36,
generated::fa_generated::FA_FILE_CACHE_37,
generated::fa_generated::FA_FILE_GPUCACHE_14,
generated::fa_generated::FA_FILE_MEDIA_CACHE_14,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_4,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_6,
generated::fa_generated::FA_FILE_CACHE_38,
generated::fa_generated::FA_FILE_CACHE_39,
generated::fa_generated::FA_FILE_CACHE_40,
generated::fa_generated::FA_FILE_GPUCACHE_15,
generated::fa_generated::FA_FILE_MEDIA_CACHE_15,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_5,
generated::fa_generated::FA_FILE_GPUCACHE_16,
generated::fa_generated::FA_FILE_MEDIA_CACHE_16,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_6,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_7,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_8,
generated::fa_generated::FA_FILE_CACHE_41,
generated::fa_generated::FA_FILE_CACHE_42,
generated::fa_generated::FA_FILE_GPUCACHE_17,
generated::fa_generated::FA_FILE_MEDIA_CACHE_17,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_7,
generated::fa_generated::FA_FILE_CACHE_43,
generated::fa_generated::FA_FILE_CACHE_44,
generated::fa_generated::FA_FILE_GPUCACHE_18,
generated::fa_generated::FA_FILE_MEDIA_CACHE_18,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_8,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_9,
generated::fa_generated::FA_FILE_CACHE_45,
generated::fa_generated::FA_FILE_CACHE_46,
generated::fa_generated::FA_FILE_GPUCACHE_19,
generated::fa_generated::FA_FILE_MEDIA_CACHE_19,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_9,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_10,
generated::fa_generated::FA_FILE_CACHE_47,
generated::fa_generated::FA_FILE_CACHE_48,
generated::fa_generated::FA_FILE_GPUCACHE_20,
generated::fa_generated::FA_FILE_MEDIA_CACHE_20,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_10,
generated::fa_generated::FA_FILE_CACHE_49,
generated::fa_generated::FA_FILE_CACHE_50,
generated::fa_generated::FA_FILE_CACHE_51,
generated::fa_generated::FA_FILE_CACHE_52,
generated::fa_generated::FA_FILE_MEDIA_CACHE_21,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_11,
generated::fa_generated::FA_FILE_CACHE_53,
generated::fa_generated::FA_FILE_CACHE_54,
generated::fa_generated::FA_FILE_MEDIA_CACHE_22,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_12,
generated::fa_generated::FA_FILE_MEDIA_CACHE_23,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_13,
generated::fa_generated::FA_FILE_CACHE_DATA_12,
generated::fa_generated::FA_FILE_CACHE_DATA_13,
generated::fa_generated::FA_FILE_CACHE_55,
generated::fa_generated::FA_FILE_CACHE_56,
generated::fa_generated::FA_FILE_CACHE_DATA_14,
generated::fa_generated::FA_FILE_MEDIA_CACHE_24,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_14,
generated::fa_generated::FA_FILE_CACHE_57,
generated::fa_generated::FA_FILE_CACHE_58,
generated::fa_generated::FA_FILE_CACHE_DATA_15,
generated::fa_generated::FA_FILE_MEDIA_CACHE_25,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_15,
generated::fa_generated::FA_FILE_CACHE_59,
generated::fa_generated::FA_FILE_CACHE_60,
generated::fa_generated::FA_FILE_CACHE_DATA_16,
generated::fa_generated::FA_FILE_MEDIA_CACHE_26,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_16,
generated::fa_generated::FA_FILE_CACHE_61,
generated::fa_generated::FA_FILE_CACHE_62,
generated::fa_generated::FA_FILE_CACHE_DATA_17,
generated::fa_generated::FA_FILE_MEDIA_CACHE_27,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_17,
generated::fa_generated::FA_FILE_CACHE_DATA_18,
generated::fa_generated::FA_FILE_CACHE_DATA_19,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_11,
generated::fa_generated::FA_FILE_CACHE_63,
generated::fa_generated::FA_FILE_CACHE_64,
generated::fa_generated::FA_FILE_GPUCACHE_21,
generated::fa_generated::FA_FILE_MEDIA_CACHE_28,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_18,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_12,
generated::fa_generated::FA_FILE_CACHE_65,
generated::fa_generated::FA_FILE_CACHE_66,
generated::fa_generated::FA_FILE_CACHE_DATA_20,
generated::fa_generated::FA_FILE_GPUCACHE_22,
generated::fa_generated::FA_FILE_MEDIA_CACHE_29,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_19,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_13,
generated::fa_generated::FA_FILE_CACHE_67,
generated::fa_generated::FA_FILE_CACHE_68,
generated::fa_generated::FA_FILE_CACHE_DATA_21,
generated::fa_generated::FA_FILE_GPUCACHE_23,
generated::fa_generated::FA_FILE_MEDIA_CACHE_30,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_20,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_14,
generated::fa_generated::FA_FILE_CACHE_69,
generated::fa_generated::FA_FILE_CACHE_70,
generated::fa_generated::FA_FILE_CACHE_DATA_22,
generated::fa_generated::FA_FILE_GPUCACHE_24,
generated::fa_generated::FA_FILE_MEDIA_CACHE_31,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_21,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_15,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_16,
generated::fa_generated::FA_FILE_CACHE_71,
generated::fa_generated::FA_FILE_CACHE_72,
generated::fa_generated::FA_FILE_GPUCACHE_25,
generated::fa_generated::FA_FILE_MEDIA_CACHE_32,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_22,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_17,
generated::fa_generated::FA_FILE_CACHE_73,
generated::fa_generated::FA_FILE_CACHE_74,
generated::fa_generated::FA_FILE_GPUCACHE_26,
generated::fa_generated::FA_FILE_MEDIA_CACHE_33,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_23,
generated::fa_generated::FA_FILE_CACHE_75,
generated::fa_generated::FA_FILE_CACHE_76,
generated::fa_generated::FA_FILE_CACHE_DATA_23,
generated::fa_generated::FA_FILE_GPUCACHE_27,
generated::fa_generated::FA_FILE_MEDIA_CACHE_34,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_24,
generated::fa_generated::FA_FILE_GPUCACHE_28,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_18,
generated::fa_generated::FA_FILE_CACHE_77,
generated::fa_generated::FA_FILE_CACHE_78,
generated::fa_generated::FA_FILE_GPUCACHE_29,
generated::fa_generated::FA_FILE_GPUCACHE_30,
generated::fa_generated::FA_FILE_MEDIA_CACHE_35,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_25,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_19,
generated::fa_generated::FA_FILE_CACHE_79,
generated::fa_generated::FA_FILE_CACHE_80,
generated::fa_generated::FA_FILE_GPUCACHE_31,
generated::fa_generated::FA_FILE_MEDIA_CACHE_36,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_26,
generated::fa_generated::FA_FILE_APPLICATION_CACHE_20,
generated::fa_generated::FA_FILE_CACHE_81,
generated::fa_generated::FA_FILE_CACHE_82,
generated::fa_generated::FA_FILE_GPUCACHE_32,
generated::fa_generated::FA_FILE_MEDIA_CACHE_37,
generated::fa_generated::FA_FILE_PNACLTRANSLATIONCACHE_27,
generated::fa_generated::FA_FILE_NETWORK_COOKIES,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_COOKIES,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_2,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_2,
generated::fa_generated::FA_FILE_COOKIES_2,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_3,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_3,
generated::fa_generated::FA_FILE_COOKIES_3,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_4,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_4,
generated::fa_generated::FA_FILE_COOKIES_4,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_5,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_6,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_6,
generated::fa_generated::FA_FILE_COOKIES_5,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_5,
generated::fa_generated::FA_FILE_COOKIES_6,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_7,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_7,
generated::fa_generated::FA_FILE_COOKIES_7,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_8,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_8,
generated::fa_generated::FA_FILE_COOKIES_8,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_9,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_9,
generated::fa_generated::FA_FILE_COOKIES_9,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_10,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_10,
generated::fa_generated::FA_FILE_COOKIES_10,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_11,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_11,
generated::fa_generated::FA_FILE_COOKIES_11,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_12,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_12,
generated::fa_generated::FA_FILE_COOKIES_12,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_COOKIES,
generated::fa_generated::FA_FILE_OPERA_COOKIES_JOURNAL,
generated::fa_generated::FA_FILE_COOKIES_13,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_13,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_13,
generated::fa_generated::FA_FILE_COOKIES_14,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_14,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_14,
generated::fa_generated::FA_FILE_COOKIES_15,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_15,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_15,
generated::fa_generated::FA_FILE_COOKIES_16,
generated::fa_generated::FA_FILE_COOKIES_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_16,
generated::fa_generated::FA_FILE_NETWORK_COOKIES_JOURNAL_16,
generated::fa_generated::FA_FILE_EXTENSIONS_10,
generated::fa_generated::FA_FILE_EXTENSIONS_10_2,
generated::fa_generated::FA_FILE_EXTENSIONS_10_3,
generated::fa_generated::FA_FILE_EXTENSIONS_10_4,
generated::fa_generated::FA_FILE_EXTENSIONS_10_5,
generated::fa_generated::FA_FILE_EXTENSIONS_10_6,
generated::fa_generated::FA_FILE_EXTENSIONS_10_7,
generated::fa_generated::FA_FILE_EXTENSIONS_10_8,
generated::fa_generated::FA_FILE_EXTENSIONS_10_9,
generated::fa_generated::FA_FILE_EXTENSIONS_10_10,
generated::fa_generated::FA_FILE_EXTENSIONS_10_11,
generated::fa_generated::FA_FILE_EXTENSIONS_10_12,
generated::fa_generated::FA_FILE_EXTENSIONS_10_13,
generated::fa_generated::FA_FILE_EXTENSIONS_10_14,
generated::fa_generated::FA_FILE_EXTENSIONS_10_15,
generated::fa_generated::FA_FILE_EXTENSIONS_10_16,
generated::fa_generated::FA_FILE_EXTENSIONS_10_17,
generated::fa_generated::FA_FILE_EXTENSIONS_10_18,
generated::fa_generated::FA_FILE_EXTENSIONS_10_19,
generated::fa_generated::FA_FILE_EXTENSIONS_10_20,
generated::fa_generated::FA_FILE_EXTENSIONS_10_21,
generated::fa_generated::FA_FILE_EXTENSIONS_10_22,
generated::fa_generated::FA_FILE_EXTENSIONS_10_23,
generated::fa_generated::FA_FILE_EXTENSIONS_10_24,
generated::fa_generated::FA_FILE_EXTENSIONS_10_25,
generated::fa_generated::FA_FILE_EXTENSIONS_10_26,
generated::fa_generated::FA_FILE_EXTENSIONS_10_27,
generated::fa_generated::FA_FILE_EXTENSIONS_10_28,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_2,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_3,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_4,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_5,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_6,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_7,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_8,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_9,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_10,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_11,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_12,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_13,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_14,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_15,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_16,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_17,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_18,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_19,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_20,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_21,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_22,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_23,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_24,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_25,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_26,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_27,
generated::fa_generated::FA_FILE_EXTENSION_ACTIVITY_28,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_FAVICONS,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_2,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_2,
generated::fa_generated::FA_FILE_FAVICONS_2,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_3,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_3,
generated::fa_generated::FA_FILE_FAVICONS_3,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_4,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_4,
generated::fa_generated::FA_FILE_FAVICONS_4,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_5,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_6,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_6,
generated::fa_generated::FA_FILE_FAVICONS_5,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_5,
generated::fa_generated::FA_FILE_FAVICONS_6,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_7,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_7,
generated::fa_generated::FA_FILE_FAVICONS_7,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_8,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_8,
generated::fa_generated::FA_FILE_FAVICONS_8,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_9,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_9,
generated::fa_generated::FA_FILE_FAVICONS_9,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_10,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_10,
generated::fa_generated::FA_FILE_FAVICONS_10,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_11,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_11,
generated::fa_generated::FA_FILE_FAVICONS_11,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_12,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_12,
generated::fa_generated::FA_FILE_FAVICONS_12,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_FAVICONS,
generated::fa_generated::FA_FILE_OPERA_FAVICONS_JOURNAL,
generated::fa_generated::FA_FILE_FAVICONS_13,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_13,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_13,
generated::fa_generated::FA_FILE_FAVICONS_14,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_14,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_14,
generated::fa_generated::FA_FILE_FAVICONS_15,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_15,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_15,
generated::fa_generated::FA_FILE_FAVICONS_16,
generated::fa_generated::FA_FILE_FAVICONS_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_16,
generated::fa_generated::FA_FILE_NETWORK_FAVICONS_JOURNAL_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_HISTORY,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_2,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_2,
generated::fa_generated::FA_FILE_HISTORY_2,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_2,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_3,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_3,
generated::fa_generated::FA_FILE_HISTORY_3,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_3,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_4,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_4,
generated::fa_generated::FA_FILE_HISTORY_4,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_4,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_5,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_5,
generated::fa_generated::FA_FILE_HISTORY_5,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_5,
generated::fa_generated::FA_FILE_HISTORY_6,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_6,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_6,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_6,
generated::fa_generated::FA_FILE_HISTORY_7,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_7,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_7,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_7,
generated::fa_generated::FA_FILE_HISTORY_8,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_8,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_8,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_8,
generated::fa_generated::FA_FILE_HISTORY_9,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_9,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_9,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_9,
generated::fa_generated::FA_FILE_HISTORY_10,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_10,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_10,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_10,
generated::fa_generated::FA_FILE_HISTORY_11,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_11,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_11,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_11,
generated::fa_generated::FA_FILE_HISTORY_12,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_12,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_12,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_12,
generated::fa_generated::FA_FILE_HISTORY_13,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_13,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_13,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_13,
generated::fa_generated::FA_FILE_HISTORY_14,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_14,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_14,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_14,
generated::fa_generated::FA_FILE_HISTORY_15,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_15,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_15,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_15,
generated::fa_generated::FA_FILE_HISTORY_16,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_16,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_16,
generated::fa_generated::FA_FILE_HISTORY_17,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_17,
generated::fa_generated::FA_FILE_HISTORY_18,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_18,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_17,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_17,
generated::fa_generated::FA_FILE_HISTORY_19,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_19,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_18,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_18,
generated::fa_generated::FA_FILE_HISTORY_20,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_20,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_19,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_19,
generated::fa_generated::FA_FILE_HISTORY_21,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_21,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_20,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_20,
generated::fa_generated::FA_FILE_HISTORY_22,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_22,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_21,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_21,
generated::fa_generated::FA_FILE_HISTORY_23,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_23,
generated::fa_generated::FA_FILE_HISTORY_24,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_24,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_22,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_22,
generated::fa_generated::FA_FILE_HISTORY_25,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_25,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_23,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_23,
generated::fa_generated::FA_FILE_HISTORY_26,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_26,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_24,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_24,
generated::fa_generated::FA_FILE_HISTORY_27,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_27,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_25,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_25,
generated::fa_generated::FA_FILE_HISTORY_28,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_28,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_26,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_26,
generated::fa_generated::FA_FILE_HISTORY_29,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_29,
generated::fa_generated::FA_FILE_HISTORY_30,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_30,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_27,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_27,
generated::fa_generated::FA_FILE_HISTORY_31,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_31,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_28,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_28,
generated::fa_generated::FA_FILE_HISTORY_32,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_32,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_29,
generated::fa_generated::FA_FILE_ARCHIVED_HISTORY_JOURNAL_29,
generated::fa_generated::FA_FILE_HISTORY_33,
generated::fa_generated::FA_FILE_HISTORY_JOURNAL_33,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_LOGIN_DATA,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_2,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_LOGIN_DATA_2,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_3,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_LOGIN_DATA_3,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_4,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_LOGIN_DATA_4,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_5,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_6,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_LOGIN_DATA_5,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_LOGIN_DATA_6,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_7,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_LOGIN_DATA_7,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_8,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_LOGIN_DATA_8,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_9,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_LOGIN_DATA_9,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_10,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_LOGIN_DATA_10,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_11,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_LOGIN_DATA_11,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_12,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_LOGIN_DATA_12,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_LOGIN_DATA,
generated::fa_generated::FA_FILE_OPERA_LOGIN_DATA_JOURNAL,
generated::fa_generated::FA_FILE_LOGIN_DATA_13,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_13,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_LOGIN_DATA_14,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_14,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_LOGIN_DATA_15,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_15,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_LOGIN_DATA_16,
generated::fa_generated::FA_FILE_LOGIN_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_16,
generated::fa_generated::FA_FILE_NETWORK_LOGIN_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_WEB_DATA,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_2,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_WEB_DATA_2,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_2,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_3,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_WEB_DATA_3,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_3,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_4,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_WEB_DATA_4,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_4,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_5,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_6,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_WEB_DATA_5,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_5,
generated::fa_generated::FA_FILE_WEB_DATA_6,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_6,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_7,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_WEB_DATA_7,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_7,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_8,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_WEB_DATA_8,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_8,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_9,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_WEB_DATA_9,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_9,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_10,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_WEB_DATA_10,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_10,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_11,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_WEB_DATA_11,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_11,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_12,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_WEB_DATA_12,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_12,
generated::fa_generated::FA_FILE_OPERA_WEB_DATA,
generated::fa_generated::FA_FILE_OPERA_WEB_DATA_JOURNAL,
generated::fa_generated::FA_FILE_WEB_DATA_13,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_13,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_13,
generated::fa_generated::FA_FILE_WEB_DATA_14,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_14,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_14,
generated::fa_generated::FA_FILE_WEB_DATA_15,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_15,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_15,
generated::fa_generated::FA_FILE_WEB_DATA_16,
generated::fa_generated::FA_FILE_WEB_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_16,
generated::fa_generated::FA_FILE_NETWORK_WEB_DATA_JOURNAL_16,
generated::fa_generated::FA_FILE_CACHE_83,
generated::fa_generated::FA_FILE_CACHE2,
generated::fa_generated::FA_FILE_DOOMED,
generated::fa_generated::FA_FILE_ENTRIES,
generated::fa_generated::FA_FILE_CACHE_84,
generated::fa_generated::FA_FILE_CACHE2_2,
generated::fa_generated::FA_FILE_DOOMED_2,
generated::fa_generated::FA_FILE_ENTRIES_2,
generated::fa_generated::FA_FILE_CACHE_85,
generated::fa_generated::FA_FILE_CACHE_86,
generated::fa_generated::FA_FILE_CACHE2_3,
generated::fa_generated::FA_FILE_DOOMED_3,
generated::fa_generated::FA_FILE_ENTRIES_3,
generated::fa_generated::FA_FILE_CACHE_87,
generated::fa_generated::FA_FILE_CACHE2_4,
generated::fa_generated::FA_FILE_DOOMED_4,
generated::fa_generated::FA_FILE_ENTRIES_4,
generated::fa_generated::FA_FILE_CACHE_88,
generated::fa_generated::FA_FILE_CACHE2_5,
generated::fa_generated::FA_FILE_DOOMED_5,
generated::fa_generated::FA_FILE_ENTRIES_5,
generated::fa_generated::FA_FILE_CACHE_89,
generated::fa_generated::FA_FILE_CACHE2_6,
generated::fa_generated::FA_FILE_DOOMED_6,
generated::fa_generated::FA_FILE_ENTRIES_6,
generated::fa_generated::FA_FILE_CACHE_90,
generated::fa_generated::FA_FILE_CACHE2_7,
generated::fa_generated::FA_FILE_DOOMED_7,
generated::fa_generated::FA_FILE_ENTRIES_7,
generated::fa_generated::FA_FILE_CACHE_91,
generated::fa_generated::FA_FILE_CACHE2_8,
generated::fa_generated::FA_FILE_DOOMED_8,
generated::fa_generated::FA_FILE_ENTRIES_8,
generated::fa_generated::FA_FILE_COOKIES_SQLITE,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_2,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_SHM,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_3,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_4,
generated::fa_generated::FA_FILE_COOKIES_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_2,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_3,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_4,
generated::fa_generated::FA_FILE_DOWNLOADS_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL,
generated::fa_generated::FA_FILE_PLACES_SQLITE_2,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_2,
generated::fa_generated::FA_FILE_PLACES_SQLITE_3,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_3,
generated::fa_generated::FA_FILE_PLACES_SQLITE_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_4,
generated::fa_generated::FA_FILE_PLACES_SQLITE_5,
generated::fa_generated::FA_FILE_PLACES_SQLITE_WAL_5,
generated::fa_generated::FA_FILE_ADDONS_JSON,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON,
generated::fa_generated::FA_FILE_ADDONS_JSON_2,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_2,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_2,
generated::fa_generated::FA_FILE_ADDONS_JSON_3,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_3,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_3,
generated::fa_generated::FA_FILE_ADDONS_JSON_4,
generated::fa_generated::FA_FILE_EXTENSIONS_JSON_4,
generated::fa_generated::FA_FILE_WEBAPPS_WEBAPPS_JSON_4,
generated::fa_generated::FA_EXPLORER_BROWSER_HELPER_OBJECTS,
generated::fa_generated::FA_EXPLORER_BROWSER_HELPER_OBJECTS_2,
generated::fa_generated::FA_FILE_COOKIES_INDEX_DAT,
generated::fa_generated::FA_FILE_LOW_INDEX_DAT,
generated::fa_generated::FA_FILE_WEBCACHE_WEBCACHEV_DAT,
generated::fa_generated::FA_FILE_IEDOWNLOADHISTORY_INDEX_DAT,
generated::fa_generated::FA_FILE_FEEDS_CACHE_INDEX_DAT,
generated::fa_generated::FA_FILE_INDEX_DAT,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT,
generated::fa_generated::FA_FILE_INDEX_DAT_2,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT_2,
generated::fa_generated::FA_FILE_CONTENT_IE5_INDEX_DAT,
generated::fa_generated::FA_FILE_CONTENT_IE5_INDEX_DAT_2,
generated::fa_generated::FA_FILE_HISTORY_IE5_INDEX_DAT_3,
generated::fa_generated::FA_INTERNET_EXPLORER_MAIN_NOPROTECTEDMODEBANNER,
generated::fa_generated::FA_INTERNET_EXPLORER_TYPEDURLS,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT_2,
generated::fa_generated::FA_FILE_OPERA_GLOBAL_HISTORY_DAT_3,
generated::fa_generated::FA_FILE_OPERA_STABLE_HISTORY,
generated::fa_generated::FA_FILE_OPERA_STABLE_HISTORY_JOURNAL,
generated::fa_generated::FA_FILE_SAFARI_AUTOFILLCORRECTIONS_DB,
generated::fa_generated::FA_FILE_SAFARI_AUTOFILLCORRECTIONS_DB_WAL,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_WAL,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_2,
generated::fa_generated::FA_FILE_COM_APPLE_SAFARI_CACHE_DB_WAL_2,
generated::fa_generated::FA_FILE_SAFARI_CACHE_DB,
generated::fa_generated::FA_FILE_SAFARI_CLOUDAUTOFILLCORRECTIONS_DB,
generated::fa_generated::FA_FILE_SAFARI_CLOUDAUTOFILLCORRECTIONS_DB_WAL,
generated::fa_generated::FA_FILE_COOKIES_COOKIES_BINARYCOOKIES,
generated::fa_generated::FA_FILE_COOKIES_COOKIES_BINARYCOOKIES_2,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST_2,
generated::fa_generated::FA_FILE_SAFARI_DOWNLOADS_PLIST_3,
generated::fa_generated::FA_FILE_FAVICON_CACHE_FAVICONS_DB,
generated::fa_generated::FA_FILE_FAVICON_CACHE_FAVICONS_DB_WAL,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST_2,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_PLIST_3,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_DB,
generated::fa_generated::FA_FILE_SAFARI_HISTORY_DB_WAL,
generated::fa_generated::FA_FILE_SAFARI_PERSITEPREFERENCES_DB,
generated::fa_generated::FA_FILE_SAFARI_PERSITEPREFERENCES_DB_WAL,
generated::fa_generated::FA_FILE_TABSNAPSHOTS_METADATA_DB,
generated::fa_generated::FA_FILE_TOUCH_ICONS_CACHE_TOUCHICONCACHESETTINGS_DB,
generated::fa_generated::FA_FILE_TOUCH_ICONS_CACHE_TOUCHICONCACHESETTINGS_DB_WAL,
generated::fa_generated::FA_FILE_DATABASE_DATABASE_SQLITE3,
generated::fa_generated::FA_FILE_APACHE_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE2_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_OTHER_VHOSTS_ACCESS_LOG,
generated::fa_generated::FA_FILE_APACHE2_OTHER_VHOSTS_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_HTTPD_ACCESS_LOG,
generated::fa_generated::FA_FILE_HTTPD_ACCESS_LOG_2,
generated::fa_generated::FA_FILE_APACHE2_CONF,
generated::fa_generated::FA_FILE_HTTPD_CONF,
generated::fa_generated::FA_FILE_CONF_MODULES_D_CONF,
generated::fa_generated::FA_FILE_SITES_AVAILABLE_000_DEFAULT_CONF,
generated::fa_generated::FA_FILE_APACHE_ERROR,
generated::fa_generated::FA_FILE_APACHE_ERROR_LOG,
generated::fa_generated::FA_FILE_APACHE2_ERROR,
generated::fa_generated::FA_FILE_APACHE2_ERROR_LOG,
generated::fa_generated::FA_FILE_HTTPD_ERROR,
generated::fa_generated::FA_FILE_HTTPD_ERROR_LOG,
generated::fa_generated::FA_FILE_LOGS_ERROR_LOG,
generated::fa_generated::FA_FILE_NGINX_ACCESS_LOG,
generated::fa_generated::FA_FILE_NGINX_ERROR_LOG,
generated::fa_generated::FA_FILE_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_WWW_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_WP_CONFIG_PHP_2,
generated::fa_generated::FA_FILE_WWW_WP_CONFIG_PHP_2,
generated::fa_generated::FA_FILE_WP_WP_CONFIG_PHP,
generated::fa_generated::FA_FILE_LOGFILES_LOG,
generated::fa_generated::FA_FILE_W3SVC_LOG,
generated::fa_generated::FA_FILE_W3SVC_LOG_2,
generated::fa_generated::FA_FILE_W3SVC_LOG_3,
generated::fa_generated::FA_DESKTOP_COMPONENTS,
generated::fa_generated::FA_INTERNET_EXPLORER_DESKTOP_GENERAL,
generated::fa_generated::FA_FILE_NTDS_NTDS_DIT,
generated::fa_generated::FA_FILE_NTDS_DIT,
generated::fa_generated::FA_FILE_NTDS_DIT_2,
generated::fa_generated::FA_FILE_SYSTEM32_NTDS_DIT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONCONNECT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONDISCONNECT,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONCONNECT_2,
generated::fa_generated::FA_WINDOWS_CE_SERVICES_AUTOSTARTONDISCONNECT_2,
generated::fa_generated::FA_FILE_L_USERS_USERNAME_ACTIVITIESCACHE_DB,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE_LOG1,
generated::fa_generated::FA_FILE_PROGRAMS_AMCACHE_HVE_LOG2,
generated::fa_generated::FA_CONTROL_SESSION_MANAGER_APPCERTDLLS,
generated::fa_generated::FA_CURRENTVERSION_APP_PATHS,
generated::fa_generated::FA_CURRENTVERSION_APP_PATHS_2,
generated::fa_generated::FA_FILE_APPPATCH_DRVMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_FRXMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_MSIMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_PCAMAIN_SDB,
generated::fa_generated::FA_FILE_APPPATCH_SYSMAIN_SDB,
generated::fa_generated::FA_FILE_CUSTOM,
generated::fa_generated::FA_FILE_CUSTOM_2,
generated::fa_generated::FA_FILE_CUSTOM64,
generated::fa_generated::FA_FILE_CUSTOMSDB,
generated::fa_generated::FA_FILE_SYSTEM32_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_WBEM_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_V1_0_WINAPPXRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_AUTOEXEC_BAT,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUTOEXEC_NT,
generated::fa_generated::FA_CURRENTVERSION_AUTOEXCLUSIONLIST,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_AUTORUN_INF,
generated::fa_generated::FA_CURRENTVERSION_TIME_ZONES,
generated::fa_generated::FA_BAM_USERSETTINGS,
generated::fa_generated::FA_STATE_USERSETTINGS,
generated::fa_generated::FA_DAM_USERSETTINGS,
generated::fa_generated::FA_STATE_USERSETTINGS_2,
generated::fa_generated::FA_FILE_DOWNLOADER_QMGR_DAT,
generated::fa_generated::FA_FILE_DOWNLOADER_QMGR_DB,
generated::fa_generated::FA_FILE_BOOT_BCD,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG1,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG2,
generated::fa_generated::FA_FILE_BOOT_BCD_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG1_2,
generated::fa_generated::FA_FILE_BOOT_BCD_LOG2_2,
generated::fa_generated::FA_FILE_RECOVERY_BCD,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG1,
generated::fa_generated::FA_FILE_RECOVERY_BCD_LOG2,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REP,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REC,
generated::fa_generated::FA_FILE_REPOSITORY_CIM_REP_2,
generated::fa_generated::FA_FILE_REPOSITORY_INDEX_BTR,
generated::fa_generated::FA_FILE_REPOSITORY_INDEX_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_MAPPING_VER,
generated::fa_generated::FA_FILE_REPOSITORY_MAPPING_1_3_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_OBJECTS_DATA,
generated::fa_generated::FA_FILE_REPOSITORY_OBJECTS_MAP,
generated::fa_generated::FA_FILE_FS_INDEX_BTR,
generated::fa_generated::FA_FILE_FS_INDEX_MAP,
generated::fa_generated::FA_FILE_FS_MAPPING_VER,
generated::fa_generated::FA_FILE_FS_MAPPING_1_2_MAP,
generated::fa_generated::FA_FILE_FS_OBJECTS_DATA,
generated::fa_generated::FA_FILE_FS_OBJECTS_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_INDEX_BTR,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_INDEX_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_MAPPING_VER,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_MAPPING_1_3_MAP,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_OBJECTS_DATA,
generated::fa_generated::FA_FILE_REPOSITORY_00_1_9_OBJECTS_MAP,
generated::fa_generated::FA_FILE_FS_INDEX_BTR_2,
generated::fa_generated::FA_FILE_FS_INDEX_MAP_2,
generated::fa_generated::FA_FILE_FS_MAPPING_VER_2,
generated::fa_generated::FA_FILE_FS_MAPPING_1_2_MAP_2,
generated::fa_generated::FA_FILE_FS_OBJECTS_DATA_2,
generated::fa_generated::FA_FILE_FS_OBJECTS_MAP_2,
generated::fa_generated::FA_FILE_INTERNET_EXPLORER_SXS_DLL,
generated::fa_generated::FA_FILE_INTERNET_EXPLORER_SXS_DLL_2,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_EXPLORER_EXE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_PROGRAM_EXE,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_LINKINFO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_NTSHRUI_DLL,
generated::fa_generated::FA_FILE_SYSTEM32_OCI_DLL,
generated::fa_generated::FA_FILE_SYSPREP_CRYPTBASE_DLL,
generated::fa_generated::FA_FILE_SYSWOW64_OCI_DLL,
generated::fa_generated::FA_FILE_SYSPREP_CRYPTBASE_DLL_2,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_CONFIG_SYS,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CONFIG_NT,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_2,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_3,
generated::fa_generated::FA_CURRENTVERSION_CONTROL_PANEL_CPLS_4,
generated::fa_generated::FA_FILE_INDEXED_DB_INDEXEDDB_EDB,
generated::fa_generated::FA_FILE_ESEDATABASE_CORTANACOREINSTANCE_CORTANACOREDB_DAT,
generated::fa_generated::FA_FILE_WER,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_DMP,
generated::fa_generated::FA_FILE_MINIDUMP_DMP,
generated::fa_generated::FA_FILE_CRASHDUMPS,
generated::fa_generated::FA_FILE_TEMP_DMP,
generated::fa_generated::FA_FILE_CRASHDUMPS_2,
generated::fa_generated::FA_FILE_TEMP_DMP_2,
generated::fa_generated::FA_FILE_TEMP_DMP_3,
generated::fa_generated::FA_FILE_CRASHDUMPS_3,
generated::fa_generated::FA_FILE_WER_2,
generated::fa_generated::FA_FILE_TEMP_DMP_4,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDER_FILTERS,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDER_FILTERS_2,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDERS,
generated::fa_generated::FA_AUTHENTICATION_CREDENTIAL_PROVIDERS_2,
generated::fa_generated::FA_FILE_METADATA,
generated::fa_generated::FA_FILE_METADATA_2,
generated::fa_generated::FA_FILE_METADATA_3,
generated::fa_generated::FA_FILE_CONTENT,
generated::fa_generated::FA_FILE_CONTENT_2,
generated::fa_generated::FA_FILE_CONTENT_3,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_2,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_3,
generated::fa_generated::FA_DISALLOWED_CERTIFICATES_4,
generated::fa_generated::FA_FILE_CONFIG_APPEVENT_EVT,
generated::fa_generated::FA_WINEVT_PUBLISHERS,
generated::fa_generated::FA_FILE_CONFIG_EVT,
generated::fa_generated::FA_FILE_LOGS_EVTX,
generated::fa_generated::FA_FILE_CONFIG_SECEVENT_EVT,
generated::fa_generated::FA_EVENTLOG,
generated::fa_generated::FA_FILE_CONFIG_SYSEVENT_EVT,
generated::fa_generated::FA_FILE_SHUTDOWNLOGGER_ETL,
generated::fa_generated::FA_FILE_COLLECTORS_ETL,
generated::fa_generated::FA_FILE_WFP_ETL,
generated::fa_generated::FA_FILE_LOGS_ETL,
generated::fa_generated::FA_FILE_SYSTEM_ETL,
generated::fa_generated::FA_FILE_PERSONAL_ETL,
generated::fa_generated::FA_FILE_EXPLORER_ETL,
generated::fa_generated::FA_FILE_LOCALSTATE_ETL,
generated::fa_generated::FA_FILE_ETL,
generated::fa_generated::FA_FILE_PANTHER_ETL,
generated::fa_generated::FA_FILE_LOGS_ETL_2,
generated::fa_generated::FA_FILE_LOGS_ETL_3,
generated::fa_generated::FA_FILE_WMI_ETL,
generated::fa_generated::FA_FILE_WMI_ETL_0,
generated::fa_generated::FA_FILE_RTBACKUP_ETL,
generated::fa_generated::FA_FILE_SLEEPSTUDY_ETL,
generated::fa_generated::FA_FILE_SCREENON_ETL,
generated::fa_generated::FA_FILE_LOGFILES_ETL,
generated::fa_generated::FA_FILE_LOGFILES_ETL_0,
generated::fa_generated::FA_FILE_ETL_2,
generated::fa_generated::FA_AUTOPLAYHANDLERS_HANDLERS,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_2,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_COMMONPLACES_NAMESPACE_4,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_2,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_COMMONPLACES_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACEWOW64_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_CONTROLPANEL_NAMESPACE_4,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_2,
generated::fa_generated::FA_CONTROLPANEL_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_CONTROLPANELWOW64_NAMESPACE_3,
generated::fa_generated::FA_CONTROLPANELWOW64_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_DESKTOP_NAMESPACE_4,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_DESKTOP_NAMESPACE_2,
generated::fa_generated::FA_DESKTOP_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_NAMESPACE_4,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_2,
generated::fa_generated::FA_MYCOMPUTER_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_NETWORKNEIGHBORHOOD_NAMESPACE_4,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_2,
generated::fa_generated::FA_NETWORKNEIGHBORHOOD_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_3,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_3,
generated::fa_generated::FA_EXPLORER_PRINTERSANDFAXES_NAMESPACE_4,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_4,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_5,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_2,
generated::fa_generated::FA_PRINTERSANDFAXES_NAMESPACE_DELEGATEFOLDERS_6,
generated::fa_generated::FA_FILE_FIREWALL_PFIREWALL_LOG,
generated::fa_generated::FA_FILE_SCRIPTS_PSSCRIPTS_INI,
generated::fa_generated::FA_FILE_SCRIPTS_SCRIPTS_INI,
generated::fa_generated::FA_FILE_LOGOFF,
generated::fa_generated::FA_FILE_LOGON,
generated::fa_generated::FA_FILE_SCRIPTS_PSSCRIPTS_INI_2,
generated::fa_generated::FA_FILE_SCRIPTS_SCRIPTS_INI_2,
generated::fa_generated::FA_FILE_SHUTDOWN,
generated::fa_generated::FA_FILE_STARTUP,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_2,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_3,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_4,
generated::fa_generated::FA_AUTHORIZEDAPPLICATIONS_LIST_5,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_2,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_3,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_4,
generated::fa_generated::FA_GLOBALLYOPENPORTS_LIST_5,
generated::fa_generated::FA_CURRENTVERSION_FONT_DRIVERS,
generated::fa_generated::FA_FILE_DATABASE_HCDATA_EDB,
generated::fa_generated::FA_FILE_ETC_LMHOSTS,
generated::fa_generated::FA_FILE_SYSTEM32_MAGNIFIER_EXE,
generated::fa_generated::FA_FILE_SYSTEM32_SETHC_EXE,
generated::fa_generated::FA_FILE_SYSTEM32_UTILMAN_EXE,
generated::fa_generated::FA_CURRENTVERSION_EXPLORER_MAP_NETWORK_DRIVE_MRU,
generated::fa_generated::FA_FILE_AC_INETCACHE,
generated::fa_generated::FA_FILE_AC_INETCOOKIES,
generated::fa_generated::FA_FILE_AC_INETHISTORY,
generated::fa_generated::FA_FILE_WINDOWS_ROAMINGTILES,
generated::fa_generated::FA_SYSTEM_MOUNTEDDEVICES,
generated::fa_generated::FA_MSDTC_MTXOCI,
generated::fa_generated::FA_MSDTC_MTXOCI_2,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_2,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_3,
generated::fa_generated::FA_CURRENTVERSION_DRIVERS32_4,
generated::fa_generated::FA_SOFTWARE_MICROSOFT_NETSH,
generated::fa_generated::FA_WOW6432NODE_MICROSOFT_NETSH,
generated::fa_generated::FA_OPENSAVEMRU,
generated::fa_generated::FA_OPENSAVEPIDLMRU,
generated::fa_generated::FA_AUTHENTICATION_PLAP_PROVIDERS,
generated::fa_generated::FA_AUTHENTICATION_PLAP_PROVIDERS_2,
generated::fa_generated::FA_EXPLORER_DISALLOWRUN,
generated::fa_generated::FA_EXPLORER_DISALLOWRUN_2,
generated::fa_generated::FA_,
generated::fa_generated::FA_FILE_V1_0_PROFILE_PS1,
generated::fa_generated::FA_FILE_V1_0_MICROSOFT_POWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_WINDOWSPOWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_WINDOWSPOWERSHELL_MICROSOFT_POWERSHELL_PROFILE_PS1,
generated::fa_generated::FA_FILE_PSREADLINE_CONSOLEHOST_HISTORY_TXT,
generated::fa_generated::FA_FILE_PREFETCH_PF,
generated::fa_generated::FA_FILE_NOTIFICATIONS_WPNDATABASE_DB,
generated::fa_generated::FA_FILE_NOTIFICATIONS_WPNDATABASE_DB_2,
generated::fa_generated::FA_FILE_PROGRAMS_RECENTFILECACHE_BCF,
generated::fa_generated::FA_FILE_RECYCLE_BIN,
generated::fa_generated::FA_FILE_RECYCLER,
generated::fa_generated::FA_FILE_I,
generated::fa_generated::FA_FILE_INFO2,
generated::fa_generated::FA_FILE_SYSTEM32_ROVER_DLL,
generated::fa_generated::FA_CLSID_16D12736_7A9E_4765_BEC6_F301D679CAAA,
generated::fa_generated::FA_EXPLORER_RUN,
generated::fa_generated::FA_CURRENTVERSION_RUN,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE,
generated::fa_generated::FA_RUNONCE_SETUP,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX,
generated::fa_generated::FA_CURRENTVERSION_RUN_2,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_2,
generated::fa_generated::FA_RUNONCE_SETUP_2,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_2,
generated::fa_generated::FA_EXPLORER_RUN_2,
generated::fa_generated::FA_EXPLORER_RUN_3,
generated::fa_generated::FA_CURRENTVERSION_RUN_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_3,
generated::fa_generated::FA_RUNONCE_SETUP_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_3,
generated::fa_generated::FA_EXPLORER_RUN_4,
generated::fa_generated::FA_CURRENTVERSION_RUN_4,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_4,
generated::fa_generated::FA_RUNONCE_SETUP_4,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_4,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_2,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_2,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_3,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_3,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICESONCE_4,
generated::fa_generated::FA_CURRENTVERSION_RUNSERVICES_4,
generated::fa_generated::FA_FILE_TASKS_10,
generated::fa_generated::FA_FILE_TASKS_10_2,
generated::fa_generated::FA_FILE_TASKS_10_3,
generated::fa_generated::FA_FILE_WINDOWS_WINDOWS_EDB,
generated::fa_generated::FA_CONTROL_SECURITYPROVIDERS,
generated::fa_generated::FA_FILE_DATABASE_SECEDIT_SDB,
generated::fa_generated::FA_FILE_TEMPLATES_SPSECUPD_SDB,
generated::fa_generated::FA_CURRENTCONTROLSET_SERVICES,
generated::fa_generated::FA_EXPLORER_SHAREDTASKSCHEDULER,
generated::fa_generated::FA_EXPLORER_SHAREDTASKSCHEDULER_2,
generated::fa_generated::FA_EXPLORER_SHELLEXECUTEHOOKS,
generated::fa_generated::FA_EXPLORER_SHELLEXECUTEHOOKS_2,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_2,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_3,
generated::fa_generated::FA_CURRENTVERSION_SHELL_EXTENSIONS_APPROVED_4,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_2,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_2,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_2,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_2,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_2,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_3,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_3,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_3,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_3,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_4,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_4,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_4,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_4,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_3,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_5,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_5,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_5,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_5,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_6,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_6,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_6,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_6,
generated::fa_generated::FA_SHELLEX_COLUMNHANDLERS_4,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_7,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_7,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_7,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_7,
generated::fa_generated::FA_SHELLEX_CONTEXTMENUHANDLERS_8,
generated::fa_generated::FA_SHELLEX_COPYHOOKHANDLERS_8,
generated::fa_generated::FA_SHELLEX_DRAGDROPHANDLERS_8,
generated::fa_generated::FA_SHELLEX_PROPERTYSHEETHANDLERS_8,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_2,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_3,
generated::fa_generated::FA_EXPLORER_SHELLICONOVERLAYIDENTIFIERS_4,
generated::fa_generated::FA_WINDOWS_CURRENTVERSION_SHELLSERVICEOBJECTDELAYLOAD,
generated::fa_generated::FA_WINDOWS_CURRENTVERSION_SHELLSERVICEOBJECTDELAYLOAD_2,
generated::fa_generated::FA_FILE_MESSAGESTORE_SMSINTERCEPTSTORE_DB,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMROOT_SETUPAPI_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_APP_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_DEV_LOG,
generated::fa_generated::FA_FILE_INF_SETUPAPI_OFFLINE_LOG,
generated::fa_generated::FA_FILE_APPREPOSITORY_STATEREPOSITORY_DEPLOYMENT_SRD,
generated::fa_generated::FA_FILE_APPREPOSITORY_STATEREPOSITORY_MACHINE_SRD,
generated::fa_generated::FA_FILE_STARTUP_2,
generated::fa_generated::FA_FILE_STARTUP_3,
generated::fa_generated::FA_FILE_STARTUP_4,
generated::fa_generated::FA_FILE_STARTUP_5,
generated::fa_generated::FA_FILE_PREFETCH_AG_DB,
generated::fa_generated::FA_FILE_PREFETCH_AG_DB_TRX,
generated::fa_generated::FA_FILE_ENVIRON_SYSTEMDRIVE_SYSTEM_INI,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WIN_INI,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WININIT_INI,
generated::fa_generated::FA_FILE_REGBACK_SAM,
generated::fa_generated::FA_FILE_REGBACK_SECURITY,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SAM_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SECURITY_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SOFTWARE_LOG2,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG1,
generated::fa_generated::FA_FILE_REGBACK_SYSTEM_LOG2,
generated::fa_generated::FA_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE,
generated::fa_generated::FA_FILE_CONFIG_SAM,
generated::fa_generated::FA_FILE_CONFIG_SECURITY,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SAM_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SECURITY_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SOFTWARE_LOG2,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG1,
generated::fa_generated::FA_FILE_CONFIG_SYSTEM_LOG2,
generated::fa_generated::FA_FILE_SRU_SRUDB_DAT,
generated::fa_generated::FA_FILE_STARTUPINFO_XML,
generated::fa_generated::FA_FILE_TEMP,
generated::fa_generated::FA_FILE_TEMP_2,
generated::fa_generated::FA_FILE_TEMP_3,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_5,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_5,
generated::fa_generated::FA_CURRENTVERSION_RUN_5,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_6,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_6,
generated::fa_generated::FA_CURRENTVERSION_RUN_6,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_7,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_7,
generated::fa_generated::FA_CURRENTVERSION_RUN_7,
generated::fa_generated::FA_CURRENTVERSION_RUNONCE_8,
generated::fa_generated::FA_CURRENTVERSION_RUNONCEEX_8,
generated::fa_generated::FA_CURRENTVERSION_RUN_8,
generated::fa_generated::FA_FILE_EXPLORER_THUMBCACHE_DB,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_BACKUPPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_CHKDSKPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_CLEANUPPATH,
generated::fa_generated::FA_EXPLORER_MYCOMPUTER_DEFRAGPATH,
generated::fa_generated::FA_FILE_DATABASE_VEDATAMODEL_EDB,
generated::fa_generated::FA_UNINSTALL,
generated::fa_generated::FA_UNINSTALL_2,
generated::fa_generated::FA_UNINSTALL_3,
generated::fa_generated::FA_FILE_CATDB,
generated::fa_generated::FA_FILE_DATASTORE_DATASTORE_EDB,
generated::fa_generated::FA_FILE_SYSTEM_ETL_2,
generated::fa_generated::FA_FILE_CBS_CBS_LOG,
generated::fa_generated::FA_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL,
generated::fa_generated::FA_FILE_UPDATESTORE_STORE_DB,
generated::fa_generated::FA_FILE_SUM_MDB,
generated::fa_generated::FA_FILE_AUTOMATICDESTINATIONS_AUTOMATICDESTINATIONS_MS,
generated::fa_generated::FA_FILE_CUSTOMDESTINATIONS_CUSTOMDESTINATIONS_MS,
generated::fa_generated::FA_FILE_RECENT,
generated::fa_generated::FA_FILE_RECENT_2,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_MAN,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG1,
generated::fa_generated::FA_FILE_USERS_USERPROFILE_NTUSER_DAT_LOG2,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG1,
generated::fa_generated::FA_FILE_WINDOWS_USRCLASS_DAT_LOG2,
generated::fa_generated::FA_EXPLORER_SHELL_FOLDERS,
generated::fa_generated::FA_USERS_SID_ENVIRONMENT,
generated::fa_generated::FA_USERS_SID_VOLATILE_ENVIRONMENT,
generated::fa_generated::FA_FILE_CACHESTORAGE_CACHESTORAGE_EDB,
generated::fa_generated::FA_ALTERNATESHELLS_AVAILABLESHELLS,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSTART_BAT,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DOSSTART_BAT,
generated::fa_generated::FA_EXPLORER_WORDWHEELQUERY,
generated::fa_generated::FA_FILE_LOGS_APPLICATION_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4ADMIN_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_POWERSHELLCORE_OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_WINDOWS_POWERSHELL_EVTX,
generated::fa_generated::FA_FILE_LOGS_SECURITY_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_SYSMON_4OPERATIONAL_EVTX,
generated::fa_generated::FA_FILE_LOGS_SYSTEM_EVTX,
generated::fa_generated::FA_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSION,
generated::fa_generated::FA_PROTOCOL_CATALOG9_CATALOG_ENTRIES,
generated::fa_generated::FA_PROTOCOL_CATALOG9_CATALOG_ENTRIES64,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EXPLORERFRAME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DUSER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DUI70_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_UXTHEME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_POWRPROF_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DWMAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SLC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_GDIPLUS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SECUR32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SSPICLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROPSYS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSTA_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTBASE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINDOWSCODECS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROFAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_APPHELP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EHSTORSHELL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCDLL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTSHRUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SRVCLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ICONCODECSERVICE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTSP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RSAENH_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RPCRTREMOTE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SNDVOLSSO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HID_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MMDEVAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TIMEDATE_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ATL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACTXPRXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTMARTA_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHDOCVW_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_LINKINFO_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_USERENV_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHACCT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_GAMEUX_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_XMLLITE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SAMLIB_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSLS31_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TIPTSF_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUTHUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CRYPTUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSILTCFG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_VERSION_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETWORKEXPLORER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINMM_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WDMAUD_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_KSUSER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AVRT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_AUDIOSES_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSACM32_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSACM32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MIDIMAP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETUTILS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_STOBJECT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_BATMETER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WTSAPI32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ES_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PRNFLDR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINSPOOL_DRV,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DXP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCREG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NETSHELL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IPHLPAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINNSI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLAAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ALTTAB_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PNIDUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_QUTIL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WEVTAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DHCPCSVC6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DHCPCSVC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CREDSSP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NPMPROXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_CSCOBJ_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WLANAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WLANUTIL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WWANAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WWAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_QAGENT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SRCHADMIN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSSPRXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_BTHPROPS_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IEFRAME_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_OLEACC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCCENTER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACTIONCENTER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IMAPI2_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SXS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HGCPL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PROVSVC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WKSCLI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSST_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FXSRESM_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_IEPROXY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_THUMBCACHE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASADHLP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MPR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_VMHGFS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DRPROV_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTLANMAN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DAVCLNT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DAVHLPR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_STRUCTUREDQUERY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_UIANIMATION_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DEVRTL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MLANG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCINTEROP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WSCUI_CPL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WERCONCPL_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_FRAMEDYNOS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WERCPLSUPPORT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSXML6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_HCPROVIDERS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ZIPFLDR_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RAREXT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_7_ZIP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TWEXT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_WINCDEMUCONTEXTMENU_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SYNCENG_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SHLEXT010_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ATL90_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACPPAGE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SFC_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SFC_OS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DSROLE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_ACLUI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NTDSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_PHOTOBASE_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SBDROP_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_TQUERY_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_EHSTORAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SEARCHFOLDER_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NATURALLANGUAGE6_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLSDATA0009_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_NLSLEXICONS0009_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_MSFTEDIT_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_DNSAPI_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASAPI32_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RASMAN_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_RTUTILS_DLL,
generated::fa_generated::FA_FILE_ENVIRON_WINDIR_SENSAPI_DLL,
generated::kape_generated::KAPE_FILE_KAPETRIAGE_TKAPE,
generated::kape_generated::KAPE_FILE_USER_APPDATA,
generated::kape_generated::KAPE_FILE_REGEX_3GP_AA_AAC_ACT_AIFF_ALAC_AMR_APE_AU_AWB_DSS,
generated::kape_generated::KAPE_FILE_REGEX_XLS_XLSX_CSV_TSV_XLT_XLM_XLSM_XLTX_XLTM_XLSB,
generated::kape_generated::KAPE_FILE_REGEX_PDF_XPS_OXPS,
generated::kape_generated::KAPE_FILE_REGEX_AI_BMP_BPG_CDR_CPC_EPS_EXR_FLIF_GIF_HEIF_ILB,
generated::kape_generated::KAPE_FILE_REGEX_DB_SQLITE,
generated::kape_generated::KAPE_FILE_REGEX_3G2_3GP_AMV_ASF_AVI_DRC_FLV_F4V_F4P_F4A_F4B,
generated::kape_generated::KAPE_FILE_C_ZIP,
generated::kape_generated::KAPE_FILE_REGEX_DOC_DOCX_DOCM_DOTX_DOTM_DOCB_DOT_WBK_ODT_FOD,
generated::kape_generated::KAPE_FILE_USER_DESKTOP,
generated::kape_generated::KAPE_FILE_USER_DOCUMENTS,
generated::kape_generated::KAPE_FILE_USER_DOWNLOADS,
generated::kape_generated::KAPE_FILE_USER_DROPBOX,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOG,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_REPORT,
generated::kape_generated::KAPE_FILE_AVG_AV_LOGS,
generated::kape_generated::KAPE_FILE_AVG_REPORT_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOGS,
generated::kape_generated::KAPE_FILE_AVG_ANTIVIRUSFILEINFO2_DB,
generated::kape_generated::KAPE_FILE_AVG_ANTIVIRUSLSDB2_JSON,
generated::kape_generated::KAPE_FILE_AVAST_LOG,
generated::kape_generated::KAPE_FILE_AVAST_AV_LOGS,
generated::kape_generated::KAPE_FILE_AVAST_AV_USER_LOGS,
generated::kape_generated::KAPE_FILE_CHEST_INDEX_XML,
generated::kape_generated::KAPE_FILE_AVAST_LOGS,
generated::kape_generated::KAPE_FILE_ICARUS_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_LOGFILES,
generated::kape_generated::KAPE_FILE_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_AVIRA_VPN,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_PROFILES_LOGS,
generated::kape_generated::KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM,
generated::kape_generated::KAPE_FILE_C_COMBOFIX_TXT,
generated::kape_generated::KAPE_FILE_CROWDSTRIKE_QUARANTINE,
generated::kape_generated::KAPE_FILE_CRS1_LOGS,
generated::kape_generated::KAPE_FILE_APV2_LOGS,
generated::kape_generated::KAPE_FILE_CRB1_LOGS,
generated::kape_generated::KAPE_FILE_CYLANCE_DESKTOP,
generated::kape_generated::KAPE_FILE_OPTICS_LOG,
generated::kape_generated::KAPE_FILE_DESKTOP_LOG,
generated::kape_generated::KAPE_FILE_ESET_NOD32_ANTIVIRUS_LOGS,
generated::kape_generated::KAPE_FILE_ESET_NOD32_AV_LOGS,
generated::kape_generated::KAPE_FILE_ESET_SECURITY_LOGS,
generated::kape_generated::KAPE_FILE_ERAAGENTAPPLICATIONDATA_LOGS,
generated::kape_generated::KAPE_FILE_ESET_SECURITY_QUARANTINE,
generated::kape_generated::KAPE_FILE_SYSTEM_USER_QUARANTI,
generated::kape_generated::KAPE_FILE_LOG_LOG,
generated::kape_generated::KAPE_FILE_EQUARANTINE,
generated::kape_generated::KAPE_FILE_ELASTIC_DEFEND_QUARA,
generated::kape_generated::KAPE_FILE_REPORTS_SCAN_TXT,
generated::kape_generated::KAPE_FILE_F_SECURE_LOG,
generated::kape_generated::KAPE_FILE_F_SECURE_USER_LOGS,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_SCHEDULEDSCANREPORTS,
generated::kape_generated::KAPE_FILE_HITMANPRO_LOGS,
generated::kape_generated::KAPE_FILE_HITMANPRO_ALERT_LOGS,
generated::kape_generated::KAPE_FILE_HITMANPRO_ALERT_EXCALIBUR_DB,
generated::kape_generated::KAPE_FILE_HITMANPRO_QUARANTINE,
generated::kape_generated::KAPE_FILE_LOGS_MBAM_LOG_XML,
generated::kape_generated::KAPE_FILE_LOGS_MBAMSERVICE_LOG,
generated::kape_generated::KAPE_FILE_MALWAREBYTES_ANTI_MALWARE_LOGS,
generated::kape_generated::KAPE_FILE_MBAMSERVICE_SCANRESULTS,
generated::kape_generated::KAPE_FILE_MCAFEE_DESKTOPPROTECTION,
generated::kape_generated::KAPE_FILE_MCAFEE_DESKTOP_PROTE,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_2,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_OLD,
generated::kape_generated::KAPE_FILE_MCAFEE_VIRUSSCAN,
generated::kape_generated::KAPE_FILE_MSC_LOGS,
generated::kape_generated::KAPE_FILE_AGENT_AGENTEVENTS,
generated::kape_generated::KAPE_FILE_AGENT_LOGS,
generated::kape_generated::KAPE_FILE_DATAREPUTATION_LOGS,
generated::kape_generated::KAPE_FILE_VIRUSSCAN_LOGS,
generated::kape_generated::KAPE_FILE_COMMON_FRAMEWORK_AGENTEVENTS,
generated::kape_generated::KAPE_FILE_MCLOGS_SAE,
generated::kape_generated::KAPE_FILE_DATREPUTATION_LOGS,
generated::kape_generated::KAPE_FILE_MCAFEE_MANAGED_VIRUS,
generated::kape_generated::KAPE_FILE_WCF_SERVICE_LOG,
generated::kape_generated::KAPE_FILE_ENDPOINT_SECURITY_LOGS_3,
generated::kape_generated::KAPE_FILE_APACHE2_LOGS,
generated::kape_generated::KAPE_FILE_DB_EVENTS,
generated::kape_generated::KAPE_FILE_EVENTS_DEBUG,
generated::kape_generated::KAPE_FILE_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_DEBUG_MSERT_LOG,
generated::kape_generated::KAPE_FILE_LOGS_ADLICEREPORT_JSON,
generated::kape_generated::KAPE_FILE_SUPERANTISPYWARE_LOGS,
generated::kape_generated::KAPE_FILE_SECUREAGE_LOG,
generated::kape_generated::KAPE_FILE_SENTINEL_LOGS,
generated::kape_generated::KAPE_FILE_SOPHOS_LOGS,
generated::kape_generated::KAPE_FILE_LOGS,
generated::kape_generated::KAPE_FILE_SOPHOS_LOGS_2,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE,
generated::kape_generated::KAPE_FILE_LOGS_AV,
generated::kape_generated::KAPE_FILE_DATA_LOGS,
generated::kape_generated::KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_LOGS,
generated::kape_generated::KAPE_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_EVTX,
generated::kape_generated::KAPE_FILE_SYMANTEC_EVENT_LOG_W,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_QUARANTINE,
generated::kape_generated::KAPE_FILE_DATA_QUARANTINE,
generated::kape_generated::KAPE_FILE_CMNCLNT_CCSUBSDK,
generated::kape_generated::KAPE_FILE_DATA_REGISTRATIONINFO_XML,
generated::kape_generated::KAPE_FILE_TOTALAV_LOGS,
generated::kape_generated::KAPE_FILE_TOTALAV_LOGS_2,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_TREND_MICRO,
generated::kape_generated::KAPE_FILE_REPORT_LOG,
generated::kape_generated::KAPE_FILE_CONNLOG_LOG,
generated::kape_generated::KAPE_FILE_QUARANTINE,
generated::kape_generated::KAPE_FILE_VIPRE_BUSINESS_AGENT_LOGS,
generated::kape_generated::KAPE_FILE_ROAMING_VIPRE_BUSINESS,
generated::kape_generated::KAPE_FILE_ANTIMALWARE_LOGS,
generated::kape_generated::KAPE_FILE_VIPRE_BUSINESS_USER,
generated::kape_generated::KAPE_FILE_WRDATA_WRLOG_LOG,
generated::kape_generated::KAPE_FILE_DETECTIONHISTORY,
generated::kape_generated::KAPE_FILE_MICROSOFT_ANTIMALWARE_SUPPORT,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_WINDOWS_DEFENDER_EVTX,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_EVE,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_SUPPORT,
generated::kape_generated::KAPE_FILE_TEMP_MPCMDRUN_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_LOG,
generated::kape_generated::KAPE_FILE_DETECTIONHISTORY_2,
generated::kape_generated::KAPE_FILE_WINDOWS_DEFENDER_QUARANTINE,
generated::kape_generated::KAPE_FILE_SERVICE_DETECTIONS_LOG,
generated::kape_generated::KAPE_FILE_1PASSWORD_DATA_1PASSWORD10_SQLITE,
generated::kape_generated::KAPE_FILE_1PASSWORD_BACKUPS_1PASSWORD10_SQLITE,
generated::kape_generated::KAPE_FILE_1PASSWORD_LOGS_LOG,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER,
generated::kape_generated::KAPE_FILE_USER_DOCUMENTS_ATC,
generated::kape_generated::KAPE_FILE_LOGS_TI_DEMON,
generated::kape_generated::KAPE_FILE_TRUEIMAGEHOME_DATABASEARCHIVES_DB,
generated::kape_generated::KAPE_FILE_TRUEIMAGEHOME_SCRIPTS,
generated::kape_generated::KAPE_FILE_ACTION1_LOGS_LOG,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_ALIASES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_ALI,
generated::kape_generated::KAPE_FILE_ADVANCED_IP_SCANNER,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_A,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_COMMENTS_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_C,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_2,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_M,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_3,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV_2,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_F,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_4,
generated::kape_generated::KAPE_FILE_C_ADVANCED_IP_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_ALIASES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER,
generated::kape_generated::KAPE_FILE_ADVANCED_PORT_SCANNE,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_COMMENTS_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_2,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_2,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_4,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_5,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_3,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_3,
generated::kape_generated::KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_6,
generated::kape_generated::KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_7,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT_2,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_4,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_4,
generated::kape_generated::KAPE_FILE_C_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_CONFIG,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_CRASHREPORTS,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_INDEXLOG,
generated::kape_generated::KAPE_FILE_AGENTRANSACK_LOGS,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_AMMYY,
generated::kape_generated::KAPE_FILE_ANYDESK_TRACE,
generated::kape_generated::KAPE_FILE_ANYDESK_LOGS_PROGRAM,
generated::kape_generated::KAPE_FILE_ANYDESK_CONF,
generated::kape_generated::KAPE_FILE_ANYDESK_CONF_2,
generated::kape_generated::KAPE_FILE_ANYDESK_ANYDESK,
generated::kape_generated::KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT,
generated::kape_generated::KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT_2,
generated::kape_generated::KAPE_FILE_ROAMING_ANYDESK,
generated::kape_generated::KAPE_FILE_ANYDESK_CHAT_TXT,
generated::kape_generated::KAPE_FILE_ROAMING_ANYDESK_FILE_TRANSFER_TRACE_TXT,
generated::kape_generated::KAPE_FILE_ANYDESK_FILE_TRANSFER_TRACE_TXT,
generated::kape_generated::KAPE_FILE_LOG_LOG_2,
generated::kape_generated::KAPE_FILE_ASPERA_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_INI,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_TXT,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_DB,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CONFIG,
generated::kape_generated::KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CFG,
generated::kape_generated::KAPE_FILE_BOX_BOX,
generated::kape_generated::KAPE_FILE_LOCAL_BOX_SYNC,
generated::kape_generated::KAPE_FILE_USER_BOX,
generated::kape_generated::KAPE_FILE_USER_BOX_SYNC,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB,
generated::kape_generated::KAPE_FILE_INDEXEDDB_HTTPS_CHATGPT_COM_0_INDEXEDDB_LEVELDB,
generated::kape_generated::KAPE_FILE_CHATGPT_CACHE,
generated::kape_generated::KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT,
generated::kape_generated::KAPE_FILE_OPENAI_CHATGPT_DESKTOP_2P2NQSD0C76G0_SETTINGS_SETT,
generated::kape_generated::KAPE_FILE_LOGS_LOG,
generated::kape_generated::KAPE_FILE_HISTORY_DB,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_PICS,
generated::kape_generated::KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4_BA,
generated::kape_generated::KAPE_FILE_LOGS_LOG_2,
generated::kape_generated::KAPE_FILE_CONFLUENCE_WIKI_LOG,
generated::kape_generated::KAPE_FILE_DWAGENT_LOG,
generated::kape_generated::KAPE_FILE_AWS_CREDENTIALS,
generated::kape_generated::KAPE_FILE_AWS_CONFIG,
generated::kape_generated::KAPE_FILE_KUBE_CONFIG,
generated::kape_generated::KAPE_FILE_DOCKER_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_USER_GIT_CREDENTIALS,
generated::kape_generated::KAPE_FILE_USER_GITCONFIG,
generated::kape_generated::KAPE_FILE_SSH_CONFIG,
generated::kape_generated::KAPE_FILE_SSH_KNOWN_HOSTS,
generated::kape_generated::KAPE_FILE_USER_NPMRC,
generated::kape_generated::KAPE_FILE_MRU_RENAME_FOLDERS_OSD,
generated::kape_generated::KAPE_FILE_MRU_RENAME_FILES_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_CONTAINS_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_NAME_OSD,
generated::kape_generated::KAPE_FILE_MRU_FIND_PATH_OSD,
generated::kape_generated::KAPE_FILE_STATE_DATA_RECENT_OSD,
generated::kape_generated::KAPE_FILE_STATE_DATA_BACKUPCONFIG_OSD,
generated::kape_generated::KAPE_FILE_DIRECTORY_OPUS_THUMBNAIL_CACHE,
generated::kape_generated::KAPE_FILE_DIRECTORY_OPUS_LOGS,
generated::kape_generated::KAPE_FILE_DISCORD_CACHE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_2,
generated::kape_generated::KAPE_FILE_DOUBLECMD_HISTORY_XML,
generated::kape_generated::KAPE_FILE_DOUBLECMD_DOUBLECMD_XML,
generated::kape_generated::KAPE_FILE_DOUBLECMD_DOUBLECMD_LOG,
generated::kape_generated::KAPE_FILE_DOUBLECMD_MULTIARC_INI,
generated::kape_generated::KAPE_FILE_DOUBLECMD_SESSION_INI,
generated::kape_generated::KAPE_FILE_DOUBLECMD_PIXMAPS_TXT,
generated::kape_generated::KAPE_FILE_DOUBLECMD_SHORTCUTS_SCF,
generated::kape_generated::KAPE_FILE_DROPBOX_INFO_JSON,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_MACHINE_STORAGETRAY_THUMBNAILS_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DBX,
generated::kape_generated::KAPE_FILE_PROTECT,
generated::kape_generated::KAPE_FILE_DROPBOX_INSTANCE,
generated::kape_generated::KAPE_FILE_USER_DROPBOX_2,
generated::kape_generated::KAPE_FILE_ROAMING_EFSOFTWARE,
generated::kape_generated::KAPE_FILE_DATABASES_ACCOUNTS,
generated::kape_generated::KAPE_FILE_DATABASES_EXB,
generated::kape_generated::KAPE_FILE_DATABASES_EXB_SNIPPETS,
generated::kape_generated::KAPE_FILE_EVERYTHING_EVERYTHING_DB,
generated::kape_generated::KAPE_FILE_EVERYTHING_RUN_HISTORY_CSV,
generated::kape_generated::KAPE_FILE_EVERYTHING_SEARCH_HISTORY_CSV,
generated::kape_generated::KAPE_FILE_EVERYTHING_EVERYTHING_INI,
generated::kape_generated::KAPE_FILE_FSIV_FSIV_DB,
generated::kape_generated::KAPE_FILE_FENCES_BACKUPS,
generated::kape_generated::KAPE_FILE_FILEZILLA_XML,
generated::kape_generated::KAPE_FILE_FILEZILLA_SQLITE3,
generated::kape_generated::KAPE_FILE_FILEZILLA_SERVER_XML,
generated::kape_generated::KAPE_FILE_LOGS_LOG_3,
generated::kape_generated::KAPE_FILE_LOGS_TRACE,
generated::kape_generated::KAPE_FILE_FORTICLIENT_TRACE_LO,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_FTP_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_HIST_INI,
generated::kape_generated::KAPE_FILE_SETTINGS_FREECOMMANDER_FAV_XML,
generated::kape_generated::KAPE_FILE_SETTINGS_BKP_SETTINGS,
generated::kape_generated::KAPE_FILE_TEMP_FC_LOG,
generated::kape_generated::KAPE_FILE_TEMP_FREECOMMANDER,
generated::kape_generated::KAPE_FILE_FREE_DOWNLOAD_MANAGER_FDM_SQLITE,
generated::kape_generated::KAPE_FILE_BACKUP_BACKUP_INFO,
generated::kape_generated::KAPE_FILE_BACKUP_USERDATA_ZIP,
generated::kape_generated::KAPE_FILE_FREEFILESYNC_LOGS,
generated::kape_generated::KAPE_FILE_USER_GOOGLE_DRIVE,
generated::kape_generated::KAPE_FILE_GOOGLE_DRIVE,
generated::kape_generated::KAPE_FILE_GOOGLE_DRIVEFS,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_KML,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML,
generated::kape_generated::KAPE_FILE_GOOGLE_EARTH_MY_PLAC,
generated::kape_generated::KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML_2,
generated::kape_generated::KAPE_FILE_HEIDISQL_BACKUPS,
generated::kape_generated::KAPE_FILE_HEIDISQL_TABS_INI,
generated::kape_generated::KAPE_FILE_HEXCHAT_LOGS,
generated::kape_generated::KAPE_FILE_ARCHIVE_CLEANUP,
generated::kape_generated::KAPE_FILE_BACKUP,
generated::kape_generated::KAPE_FILE_DELETE,
generated::kape_generated::KAPE_FILE_RESTORE,
generated::kape_generated::KAPE_FILE_LOGXML_XML,
generated::kape_generated::KAPE_FILE_TRACEFILE_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_IDMAPPEDDRIVES_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_SCHEDULE_XML,
generated::kape_generated::KAPE_FILE_IBCOMMON_SCH_TRACE_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_IDRIVE_INI,
generated::kape_generated::KAPE_FILE_IBCOMMON_GET_ALLDRIVES_TXT,
generated::kape_generated::KAPE_FILE_IBCOMMON_EXCLUDE,
generated::kape_generated::KAPE_FILE_IBCOMMON_AUTOCOMP_INI,
generated::kape_generated::KAPE_FILE_IBDS,
generated::kape_generated::KAPE_FILE_ISLCLIENT_OUT,
generated::kape_generated::KAPE_FILE_CONF,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_SESSION_XML,
generated::kape_generated::KAPE_FILE_TRACE_OUT,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_OUT,
generated::kape_generated::KAPE_FILE_ISL_LIGHT_LOGS_SESSI,
generated::kape_generated::KAPE_FILE_STATUS_TRAY,
generated::kape_generated::KAPE_FILE_ISL_ALWAYSON_STATICCONFIGURATION_INI,
generated::kape_generated::KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS,
generated::kape_generated::KAPE_FILE_ITARIAN,
generated::kape_generated::KAPE_FILE_COMODO,
generated::kape_generated::KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS_2,
generated::kape_generated::KAPE_FILE_ICECHAT_LOGS,
generated::kape_generated::KAPE_FILE_LOG_FILES_IMGBURN_LOG,
generated::kape_generated::KAPE_FILE_IRFANVIEW_I_VIEW32_INI,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_DOWNLOADLIST_ZIP,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_LINKCOLLECTOR_ZIP,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_GENER,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_GUI_VIEWS_LINK,
generated::kape_generated::KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_INTER,
generated::kape_generated::KAPE_FILE_IDX,
generated::kape_generated::KAPE_FILE_JAVA_WEBSTART_CACHE,
generated::kape_generated::KAPE_FILE_IDX_2,
generated::kape_generated::KAPE_FILE_IDX_3,
generated::kape_generated::KAPE_FILE_IDX_4,
generated::kape_generated::KAPE_FILE_IDX_5,
generated::kape_generated::KAPE_FILE_IDX_6,
generated::kape_generated::KAPE_FILE_IDX_7,
generated::kape_generated::KAPE_FILE_IDX_8,
generated::kape_generated::KAPE_FILE_IDX_9,
generated::kape_generated::KAPE_FILE_IDX_10,
generated::kape_generated::KAPE_FILE_KASEYA_LOG,
generated::kape_generated::KAPE_FILE_LOG_KASEYALIVECONNECT,
generated::kape_generated::KAPE_FILE_LOG_ENDPOINT,
generated::kape_generated::KAPE_FILE_KASEYA_AGENT_ENDPOIN,
generated::kape_generated::KAPE_FILE_AGENTMON_LOG,
generated::kape_generated::KAPE_FILE_TEMP_KASETUP_LOG,
generated::kape_generated::KAPE_FILE_KASEYA_SETUP_LOG,
generated::kape_generated::KAPE_FILE_TEMP_KASETUP_LOG_2,
generated::kape_generated::KAPE_FILE_LOG_KASEYAEDGESERVICES,
generated::kape_generated::KAPE_FILE_KEEPASS_XML,
generated::kape_generated::KAPE_FILE_KEEPASS_PASSWORD_SAFE_XML,
generated::kape_generated::KAPE_FILE_KEEPASS_PASSWORD_SAFE_CONFIG,
generated::kape_generated::KAPE_FILE_KEEPASSXC_INI,
generated::kape_generated::KAPE_FILE_KEEPASS_ROAMING_INI,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_LEVEL_LOG,
generated::kape_generated::KAPE_FILE_LOGMEIN_LOGS,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_3,
generated::kape_generated::KAPE_FILE_TEMP_LOGMEINLOGS,
generated::kape_generated::KAPE_FILE_MACRIUM_MACRIUM_SERVICE,
generated::kape_generated::KAPE_FILE_MACRIUM_REFLECT,
generated::kape_generated::KAPE_FILE_MACRIUM_REFLECT_LAUNCHER,
generated::kape_generated::KAPE_FILE_MATTERMOST_INDEXEDDB,
generated::kape_generated::KAPE_FILE_ROAMING_MEDIAMONKEY_MM_DB,
generated::kape_generated::KAPE_FILE_ROAMING_MEDIAMONKEY_MEDIAMONKEY_INI,
generated::kape_generated::KAPE_FILE_MEGA_LIMITED_MEGASYNC,
generated::kape_generated::KAPE_FILE_MESH_AGENT_MSH,
generated::kape_generated::KAPE_FILE_MESH_AGENT_LOG,
generated::kape_generated::KAPE_FILE_AZCOPY_LOG,
generated::kape_generated::KAPE_FILE_PLANS_STE,
generated::kape_generated::KAPE_FILE_FULLTEXTSEARCHINDEX,
generated::kape_generated::KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS,
generated::kape_generated::KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX,
generated::kape_generated::KAPE_FILE_16_0_NOTETAGS_LIVEID_DB,
generated::kape_generated::KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB,
generated::kape_generated::KAPE_FILE_STICKYNOTES_STICKYNOTES_SNT,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PLUM_SQLITE,
generated::kape_generated::KAPE_FILE_INDEXEDDB_HTTPS_TEAMS_MICROSOFT_COM_0_INDEXEDDB_LE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_3,
generated::kape_generated::KAPE_FILE_TEAMS_CACHE,
generated::kape_generated::KAPE_FILE_TEAMS_DESKTOP_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_MSTEAMS_LOGS,
generated::kape_generated::KAPE_FILE_TODOSQLITE_DB,
generated::kape_generated::KAPE_FILE_AVATARS_USERAVATAR_JPG,
generated::kape_generated::KAPE_FILE_USER_MIDNIGHT_COMMANDER,
generated::kape_generated::KAPE_FILE_ROAMING_MOBAXTERM,
generated::kape_generated::KAPE_FILE_MSTY_DB,
generated::kape_generated::KAPE_FILE_LOCAL_MULTICOMMANDER,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_CONFIG,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_LOGS,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_USERDATA,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_MULTICOMMANDER_LOG,
generated::kape_generated::KAPE_FILE_NESSUS_CONF,
generated::kape_generated::KAPE_FILE_NESSUS_LOGS,
generated::kape_generated::KAPE_FILE_LOG_USER,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_DATA,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_CONFIG,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_TMP,
generated::kape_generated::KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_LOG,
generated::kape_generated::KAPE_FILE_NET_MONITOR_CLIENT_C,
generated::kape_generated::KAPE_FILE_NOTEPAD_BACKUP,
generated::kape_generated::KAPE_FILE_NOTEPAD_CONFIG_XML,
generated::kape_generated::KAPE_FILE_NOTEPAD_SESSION_XML,
generated::kape_generated::KAPE_FILE_ROAMING_NOTION_NOTION_DB,
generated::kape_generated::KAPE_FILE_PARTITIONS_NOTION_CUSTOM_DICTIONARY_TXT,
generated::kape_generated::KAPE_FILE_USER_ONECOMMANDER,
generated::kape_generated::KAPE_FILE_ONEC,
generated::kape_generated::KAPE_FILE_MICROSOFT_ONEDRIVE,
generated::kape_generated::KAPE_FILE_USER_ONEDRIVE,
generated::kape_generated::KAPE_FILE_SSH_CONFIG_2,
generated::kape_generated::KAPE_FILE_SSH_KNOWN_HOSTS_2,
generated::kape_generated::KAPE_FILE_SSH_PUB,
generated::kape_generated::KAPE_FILE_SSH_ID_RSA,
generated::kape_generated::KAPE_FILE_SSH_ID_ECDSA,
generated::kape_generated::KAPE_FILE_SSH_ID_ECDSA_SK,
generated::kape_generated::KAPE_FILE_SSH_ID_ED25519,
generated::kape_generated::KAPE_FILE_SSH_ID_ED25519_SK,
generated::kape_generated::KAPE_FILE_SSH_ID_DSA,
generated::kape_generated::KAPE_FILE_SSH_SSHD_CONFIG,
generated::kape_generated::KAPE_FILE_LOGS_2,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_ECDSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_ED25519_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_DSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_SSH_HOST_RSA_KEY,
generated::kape_generated::KAPE_FILE_SSH_AUTHORIZED_KEYS,
generated::kape_generated::KAPE_FILE_SSH_AUTHORIZED_KEYS2,
generated::kape_generated::KAPE_FILE_SSH_ADMINISTRATORS_AUTHORIZED_KEYS,
generated::kape_generated::KAPE_FILE_OPENVPN_CONFIG,
generated::kape_generated::KAPE_FILE_OPENVPN_CLIENT_CONFI,
generated::kape_generated::KAPE_FILE_LOG_LOG_3,
generated::kape_generated::KAPE_FILE_OUTLOOK_PST,
generated::kape_generated::KAPE_FILE_OUTLOOK_OST,
generated::kape_generated::KAPE_FILE_OUTLOOK_FILES_PST,
generated::kape_generated::KAPE_FILE_OUTLOOK_FILES_OST,
generated::kape_generated::KAPE_FILE_PST,
generated::kape_generated::KAPE_FILE_OST,
generated::kape_generated::KAPE_FILE_OUTLOOK_NST,
generated::kape_generated::KAPE_FILE_INETCACHE_CONTENT_OUTLOOK,
generated::kape_generated::KAPE_FILE_PDQ_DEPLOY_DB,
generated::kape_generated::KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_PANGP_LOG,
generated::kape_generated::KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_LOG,
generated::kape_generated::KAPE_FILE_ROAMING_PEAZIP,
generated::kape_generated::KAPE_FILE_PROTONVPN_LOGS,
generated::kape_generated::KAPE_FILE_PROTON_VPN_LOGS,
generated::kape_generated::KAPE_FILE_SERVICEDATA_LOGS,
generated::kape_generated::KAPE_FILE_PROTON_VPN_STORAGE,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGGING,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGS_IN,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_SETUP_CLIENT_LOG,
generated::kape_generated::KAPE_FILE_PULSE_SECURE_LOGGING_PULSECLIENT_LOG,
generated::kape_generated::KAPE_FILE_Q_DIR_Q_DIR_INI,
generated::kape_generated::KAPE_FILE_Q_DIR_START_QDR,
generated::kape_generated::KAPE_FILE_QNAP_QFINDERPRO,
generated::kape_generated::KAPE_FILE_LOG_PROXY_TXT,
generated::kape_generated::KAPE_FILE_LOG_PROXY_LOG,
generated::kape_generated::KAPE_FILE_LOG_SCHEDULER_TXT,
generated::kape_generated::KAPE_FILE_LOG_SCHEDULER_LOG,
generated::kape_generated::KAPE_FILE_C_RDG,
generated::kape_generated::KAPE_FILE_C_RDG_OLD,
generated::kape_generated::KAPE_FILE_REMOTE_DESKTOP_CONNECTION_MANAGER_SETTINGS,
generated::kape_generated::KAPE_FILE_MY_CERTIFICATES,
generated::kape_generated::KAPE_FILE_RSERVER30_RADM_LOG_HTM,
generated::kape_generated::KAPE_FILE_RADMIN_SERVER_64BIT,
generated::kape_generated::KAPE_FILE_HTM,
generated::kape_generated::KAPE_FILE_HTM_2,
generated::kape_generated::KAPE_FILE_RADMIN_VIEWER_CHATS,
generated::kape_generated::KAPE_FILE_USERS_USER_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEMPROFILE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_SYSTEM,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_LOCALS,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_NETWOR,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_4,
generated::kape_generated::KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_5,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_2,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_3,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_4,
generated::kape_generated::KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_5,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSWOW64_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSTEM32_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_C_WINDOWS_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_C_RCLONE_CONF,
generated::kape_generated::KAPE_FILE_RCLONE_CONFIG_FALLBA,
generated::kape_generated::KAPE_FILE_ROAMING_REMCOS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_SCREENSHOTS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_NOTESS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_MICRECORDS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_ROAMING_HPSUPPORT_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMCOS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_NOTESS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCREENSHOTS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_MICRECORDS_LOGS_DAT,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_HPSUPPORT_LOGS_DAT,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_DB,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_XML,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_CONNECTIONS_LOG,
generated::kape_generated::KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_REMOTEDESKTOPMANA,
generated::kape_generated::KAPE_FILE_MRU_XML,
generated::kape_generated::KAPE_FILE_FAVORITES_XML,
generated::kape_generated::KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_HOST_LOGS_RMS_LOG_HTML,
generated::kape_generated::KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_LOGS_RMS_LOG_HTML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMOTE_MANIPULATOR_SYSTEM_INSTALL_LOG,
generated::kape_generated::KAPE_FILE_REMOTE_UTILITIES_HOST_LOGS_RUT_LOG_HTML,
generated::kape_generated::KAPE_FILE_REMOTE_UTILITIES_LOGS_RUT_LOG_HTML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REMOTE_UTILITIES_INSTALL_LOG,
generated::kape_generated::KAPE_FILE_SCRIPTS_S,
generated::kape_generated::KAPE_FILE_DEBUG_LOG,
generated::kape_generated::KAPE_FILE_LOGS_3,
generated::kape_generated::KAPE_FILE_CONFIG_XML,
generated::kape_generated::KAPE_FILE_SSH_KEYS,
generated::kape_generated::KAPE_FILE_SSL_CERTIFICATES,
generated::kape_generated::KAPE_FILE_PGP_KEYS,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SSH_KEYS,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SSL_CERTIFI,
generated::kape_generated::KAPE_FILE_ROBO_FTP_PGP_KEYS,
generated::kape_generated::KAPE_FILE_DEBUG,
generated::kape_generated::KAPE_FILE_ROBO_FTP_SCRIPT_TRAC,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_CONFIG_XML,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE,
generated::kape_generated::KAPE_FILE_ROAMING_RUSTDESK,
generated::kape_generated::KAPE_FILE_LOG_SERVER,
generated::kape_generated::KAPE_FILE_POWERSHELL_PSREADLINECONSOLEHOST_HISTORY_TXT,
generated::kape_generated::KAPE_FILE_USERS_USER_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_USERS_USER_ZSH_HISTORY,
generated::kape_generated::KAPE_FILE_USERS_USER_PS1,
generated::kape_generated::KAPE_FILE_USERS_USER_BAT,
generated::kape_generated::KAPE_FILE_USERS_USER_CMD,
generated::kape_generated::KAPE_FILE_USERS_USER_SH,
generated::kape_generated::KAPE_FILE_USER_SSHKNOWN_HOSTS,
generated::kape_generated::KAPE_FILE_USER_SSHCONFIG,
generated::kape_generated::KAPE_FILE_USER_SSH,
generated::kape_generated::KAPE_FILE_APP_DATA_SESSION_DB,
generated::kape_generated::KAPE_FILE_APP_DATA_USER_XML,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_4,
generated::kape_generated::KAPE_FILE_SCREENCONNECT_CLIENT_USER_CONFIG,
generated::kape_generated::KAPE_FILE_ROAMING_SESSION,
generated::kape_generated::KAPE_FILE_DOCUMENTS_SHAREX,
generated::kape_generated::KAPE_FILE_PORTAL_SETTINGS,
generated::kape_generated::KAPE_FILE_SIGNAL_ATTACHMENTS_NOINDEX,
generated::kape_generated::KAPE_FILE_SIGNAL_LOGS,
generated::kape_generated::KAPE_FILE_SIGNAL_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_SQL_DB_SQLITE,
generated::kape_generated::KAPE_FILE_JWRAPPER_REMOTE_ACCESS_LOGS,
generated::kape_generated::KAPE_FILE_SIMPLEHELP_LOGS,
generated::kape_generated::KAPE_FILE_JWRAPPER_SIMPLEHELP_TECHNICIAN_LOGS,
generated::kape_generated::KAPE_FILE_MAIN_DB,
generated::kape_generated::KAPE_FILE_SKYPE_DB,
generated::kape_generated::KAPE_FILE_MAIN_DB_XP,
generated::kape_generated::KAPE_FILE_MAIN_DB_WIN7,
generated::kape_generated::KAPE_FILE_LOCALSTATE_S4L_DB,
generated::kape_generated::KAPE_FILE_INDEXEDDB_LEVELDB,
generated::kape_generated::KAPE_FILE_SKYPE_FOR_DESKTOP_CACHE,
generated::kape_generated::KAPE_FILE_SLACK_INDEXEDDB,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_4,
generated::kape_generated::KAPE_FILE_SLACK_LOGS,
generated::kape_generated::KAPE_FILE_SLACK_CACHE,
generated::kape_generated::KAPE_FILE_SLACK_STORAGE,
generated::kape_generated::KAPE_FILE_SNAGIT_DATASTORE,
generated::kape_generated::KAPE_FILE_C_NETSCAN_XML,
generated::kape_generated::KAPE_FILE_SPEEDPROJECT_SPEEDCOMMANDER_19,
generated::kape_generated::KAPE_FILE_SERVER_LOG,
generated::kape_generated::KAPE_FILE_TEMP_LOG,
generated::kape_generated::KAPE_FILE_SPLASHTOP_GATEWAY_LOG,
generated::kape_generated::KAPE_FILE_LOG,
generated::kape_generated::KAPE_FILE_APPCACHE_LIBRARYCACHE,
generated::kape_generated::KAPE_FILE_CONFIG_LOGINUSERS_VDF,
generated::kape_generated::KAPE_FILE_CONFIG_LOCALCONFIG_VDF,
generated::kape_generated::KAPE_FILE_CONFIG_AVATARCACHE,
generated::kape_generated::KAPE_FILE_STEAM_GAMES,
generated::kape_generated::KAPE_FILE_LOGS_BOOTSTRAP_LOG_TXT,
generated::kape_generated::KAPE_FILE_STEAM_GAME_IMAGE_FIL,
generated::kape_generated::KAPE_FILE_STEAM_LOGIN_METADATA,
generated::kape_generated::KAPE_FILE_STEAM_FRIEND_LIST_AN,
generated::kape_generated::KAPE_FILE_STEAM_USER_AVATAR_FI,
generated::kape_generated::KAPE_FILE_STEAM_GAME_TRAY_ICON,
generated::kape_generated::KAPE_FILE_STEAM_STARTUP_TIMES,
generated::kape_generated::KAPE_FILE_SETTINGS_SESSION_SUBLIME_SESSION,
generated::kape_generated::KAPE_FILE_LOCAL_SUBLIME_SESSION,
generated::kape_generated::KAPE_FILE_SUGARSYNC_SC1_LOG,
generated::kape_generated::KAPE_FILE_DOCUMENTS_SUGARSYNC_SHARED_FOLDERS,
generated::kape_generated::KAPE_FILE_DOCUMENTS_MY_SUGARSYNC,
generated::kape_generated::KAPE_FILE_LOCAL_SUMATRAPDFSUMATRAPDF_SETTINGS_TXT,
generated::kape_generated::KAPE_FILE_SUMATRAPDF_SUMATRAPDFCACHE,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_LOG_LOG,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_INBOX,
generated::kape_generated::KAPE_FILE_LOCAL_SYNCTHING,
generated::kape_generated::KAPE_FILE_LOCAL_SYNCTRAZOR,
generated::kape_generated::KAPE_FILE_ROAMING_SYNCTRAZOR,
generated::kape_generated::KAPE_FILE_CONFIG_REMEMBER_XML,
generated::kape_generated::KAPE_FILE_CONFIG_WINDOW_XML,
generated::kape_generated::KAPE_FILE_CONFIG_WINDOW1_XML,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_CONNECTIONS_TXT,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_TEAMVIEWER_LOGFILE,
generated::kape_generated::KAPE_FILE_TEAMVIEWER_APPLICATI,
generated::kape_generated::KAPE_FILE_MRU_REMOTESUPPORT,
generated::kape_generated::KAPE_FILE_ROAMING_TELEGRAM_DESKTOP,
generated::kape_generated::KAPE_FILE_DOWNLOADS_TELEGRAM_DESKTOP,
generated::kape_generated::KAPE_FILE_ROAMING_TERACOPY,
generated::kape_generated::KAPE_FILE_CRASH_REPORTS_INSTALLTIME,
generated::kape_generated::KAPE_FILE_THUNDERBIRD_PROFILES_INI,
generated::kape_generated::KAPE_FILE_PREFS_JS,
generated::kape_generated::KAPE_FILE_GLOBAL_MESSAGES_DB_SQLITE,
generated::kape_generated::KAPE_FILE_LOGINS_JSON,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE,
generated::kape_generated::KAPE_FILE_IMAPMAIL_INBOX,
generated::kape_generated::KAPE_FILE_MAIL_INBOX,
generated::kape_generated::KAPE_FILE_CALENDAR_DATA_LOCAL_SQLITE,
generated::kape_generated::KAPE_FILE_ATTACHMENTS,
generated::kape_generated::KAPE_FILE_ABOOK_SQLITE,
generated::kape_generated::KAPE_FILE_GHISLER_WINCMD_INI,
generated::kape_generated::KAPE_FILE_C_TOTALCMD_LOG,
generated::kape_generated::KAPE_FILE_TEMP_FTP_TMP,
generated::kape_generated::KAPE_FILE_GHISLER_WCX_FTP_INI,
generated::kape_generated::KAPE_FILE_GHISLER_TREEINFO_WC,
generated::kape_generated::KAPE_FILE_GHISLER_TCDIRFRQ_TXT,
generated::kape_generated::KAPE_FILE_TEMP_TCFTP_LOG,
generated::kape_generated::KAPE_FILE_JAM_SOFTWARE_TREESIZE_SCANHISTORY_XML,
generated::kape_generated::KAPE_FILE_UEMS_AGENT_LOGS_LOG,
generated::kape_generated::KAPE_FILE_UNIFIED_ENDPOINT_MAN,
generated::kape_generated::KAPE_FILE_ROAMING_ULTRAVIEWER,
generated::kape_generated::KAPE_FILE_ULTRAVIEWER_SYSTEM_L,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERULTRAVIEWERSERVICE_LOG_TX,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERCONNECTIONLOG_LOG,
generated::kape_generated::KAPE_FILE_VLC_VLC_QT_INTERFACE_INI,
generated::kape_generated::KAPE_FILE_VIDEOS_VLC_AVI,
generated::kape_generated::KAPE_FILE_ROAMING_VMWARE,
generated::kape_generated::KAPE_FILE_C_VMEM,
generated::kape_generated::KAPE_FILE_C_VMSS,
generated::kape_generated::KAPE_FILE_C_VMSN,
generated::kape_generated::KAPE_FILE_REALVNC_VNCSERVER_LOG,
generated::kape_generated::KAPE_FILE_REALVNC_VNCVIEWER_LOG,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_REALVNC_SERVICEVNCSERVER_LOG,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_5,
generated::kape_generated::KAPE_FILE_SERVER_LOGS_2,
generated::kape_generated::KAPE_FILE_VIBERPC_CONFIG_DB,
generated::kape_generated::KAPE_FILE_VIBER_DB,
generated::kape_generated::KAPE_FILE_AVATARS,
generated::kape_generated::KAPE_FILE_BACKGROUNDS,
generated::kape_generated::KAPE_FILE_THUMBNAILS,
generated::kape_generated::KAPE_FILE_C_VBOX,
generated::kape_generated::KAPE_FILE_C_VBOX_PREV,
generated::kape_generated::KAPE_FILE_C_VBOX_LOG,
generated::kape_generated::KAPE_FILE_VIRTUALBOX_BACKUP_LO,
generated::kape_generated::KAPE_FILE_C_VBOXHARDENING_LOG,
generated::kape_generated::KAPE_FILE_C_SAV,
generated::kape_generated::KAPE_FILE_HISTORY,
generated::kape_generated::KAPE_FILE_GLOBALSTORAGE_STORAGE_JSON,
generated::kape_generated::KAPE_FILE_CACHEDEXTENSIONS_USER,
generated::kape_generated::KAPE_FILE_USER_SETTINGS_JSON,
generated::kape_generated::KAPE_FILE_CODE_PREFERENCES,
generated::kape_generated::KAPE_FILE_NETWORK_COOKIES,
generated::kape_generated::KAPE_FILE_NETWORK_NETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_CODE_LOGS,
generated::kape_generated::KAPE_FILE_BACKUPS,
generated::kape_generated::KAPE_FILE_WHATSAPP_CACHE,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_5,
generated::kape_generated::KAPE_FILE_MICROSOFT_STORE_WHAT,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_2_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PROFILEPICTURES,
generated::kape_generated::KAPE_FILE_TRANSFERSREGEX_JPG_MP4_PDF_WEBP,
generated::kape_generated::KAPE_FILE_C_WINSCP_INI,
generated::kape_generated::KAPE_FILE_LOCALCACHE_INDEXED,
generated::kape_generated::KAPE_FILE_XYPLORER_XYPLORER_INI,
generated::kape_generated::KAPE_FILE_PANE_INI,
generated::kape_generated::KAPE_FILE_XYPLORER_AUTOBACKUP,
generated::kape_generated::KAPE_FILE_ROAMING_XYPLORER_DAT,
generated::kape_generated::KAPE_FILE_PROGRAM_FILES_XEOX_LOG,
generated::kape_generated::KAPE_FILE_LOCAL_ZSCALER,
generated::kape_generated::KAPE_FILE_ZOHOMEETING_LOG,
generated::kape_generated::KAPE_FILE_LOCAL_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_ZOHO_ASSIST_LOG_FILE,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_ZOHOMEETING_LOGS,
generated::kape_generated::KAPE_FILE_UNATTENDED_ZOHOMEETING_CONF,
generated::kape_generated::KAPE_FILE_UNATTENDED_ZOHOMEETING_TXT,
generated::kape_generated::KAPE_FILE_ZOOM_LOGS,
generated::kape_generated::KAPE_FILE_ZOOM,
generated::kape_generated::KAPE_FILE_ZOOM_CLIENT_RECORDIN,
generated::kape_generated::KAPE_FILE_ROAMING_ZOOM_PLUGIN_JSON,
generated::kape_generated::KAPE_FILE_MOBILESYNC_BACKUP,
generated::kape_generated::KAPE_FILE_ITUNES_BACKUP_FOLDER,
generated::kape_generated::KAPE_FILE_MOBILESYNC_BACKUP_2,
generated::kape_generated::KAPE_FILE_MIRC_LOGS,
generated::kape_generated::KAPE_FILE_MIRC_CHAT_LOGS_2000,
generated::kape_generated::KAPE_FILE_MREMOTENG_MREMOTENG_LOG,
generated::kape_generated::KAPE_FILE_MREMOTENG_CONFCONS_XML,
generated::kape_generated::KAPE_FILE_MREMOTENG_USER_CONFIG,
generated::kape_generated::KAPE_FILE_PCLOUD_DB,
generated::kape_generated::KAPE_FILE_PCLOUD_DB_WAL,
generated::kape_generated::KAPE_FILE_PCLOUD_DB_SHM,
generated::kape_generated::KAPE_FILE_360BOOKMARKS,
generated::kape_generated::KAPE_FILE_COOKIES,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION,
generated::kape_generated::KAPE_FILE_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES,
generated::kape_generated::KAPE_FILE_FAVICONS,
generated::kape_generated::KAPE_FILE_360HISTORY,
generated::kape_generated::KAPE_FILE_LAST_SESSION,
generated::kape_generated::KAPE_FILE_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS,
generated::kape_generated::KAPE_FILE_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL,
generated::kape_generated::KAPE_FILE_SHORTCUTS,
generated::kape_generated::KAPE_FILE_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATA,
generated::kape_generated::KAPE_FILE_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_WEB_DATA,
generated::kape_generated::KAPE_FILE_PROTECT_2,
generated::kape_generated::KAPE_FILE_SNAPSHOTS,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES,
generated::kape_generated::KAPE_FILE_FAVICONS_2,
generated::kape_generated::KAPE_FILE_HISTORY_2,
generated::kape_generated::KAPE_FILE_SESSIONS_2,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_2,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_2,
generated::kape_generated::KAPE_FILE_PREFERENCES_2,
generated::kape_generated::KAPE_FILE_SHORTCUTS_2,
generated::kape_generated::KAPE_FILE_TOP_SITES_2,
generated::kape_generated::KAPE_FILE_SYNC_DATA_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_2,
generated::kape_generated::KAPE_FILE_WEB_DATA_2,
generated::kape_generated::KAPE_FILE_LOCAL_ARCSTORABLE_JSON,
generated::kape_generated::KAPE_FILE_LOCALCACHE_LOCALCOM_PLIST,
generated::kape_generated::KAPE_FILE_BOOKMARKS_2,
generated::kape_generated::KAPE_FILE_COOKIES_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_2,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_2,
generated::kape_generated::KAPE_FILE_FAVICONS_3,
generated::kape_generated::KAPE_FILE_HISTORY_3,
generated::kape_generated::KAPE_FILE_DEFAULT_SESSIONS,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_3,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_3,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_2,
generated::kape_generated::KAPE_FILE_PREFERENCES_3,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_2,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_2,
generated::kape_generated::KAPE_FILE_SHORTCUTS_3,
generated::kape_generated::KAPE_FILE_PUBLISHER_INFO_DB,
generated::kape_generated::KAPE_FILE_TOP_SITES_3,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_3,
generated::kape_generated::KAPE_FILE_WEB_DATA_3,
generated::kape_generated::KAPE_FILE_SECURE_PREFERENCES,
generated::kape_generated::KAPE_FILE_CACHE,
generated::kape_generated::KAPE_FILE_CHROME_BETA_CACHE_FO,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CACHE_FOL,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_CACHE,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_BETA_C,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_DEV_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_EDGE_SXS_CA,
generated::kape_generated::KAPE_FILE_CHROMIUM_CACHE_FOLDE,
generated::kape_generated::KAPE_FILE_PROFILES,
generated::kape_generated::KAPE_FILE_WINDOWS_TEMPORARY_INTERNET_FILES,
generated::kape_generated::KAPE_FILE_CONTENT_IE5_INDEX_DAT,
generated::kape_generated::KAPE_FILE_WINDOWS_INETCACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_WEBCACHE,
generated::kape_generated::KAPE_FILE_CACHE_CACHE_DATA,
generated::kape_generated::KAPE_FILE_BOOKMARKS_3,
generated::kape_generated::KAPE_FILE_COOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_3,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_3,
generated::kape_generated::KAPE_FILE_FAVICONS_4,
generated::kape_generated::KAPE_FILE_HISTORY_4,
generated::kape_generated::KAPE_FILE_LAST_SESSION_2,
generated::kape_generated::KAPE_FILE_LAST_TABS_2,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_4,
generated::kape_generated::KAPE_FILE_PREFERENCES_4,
generated::kape_generated::KAPE_FILE_SHORTCUTS_4,
generated::kape_generated::KAPE_FILE_TOP_SITES_4,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_4,
generated::kape_generated::KAPE_FILE_WEB_DATA_4,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_3,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_2,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_3,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_2,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_4,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_3,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_3,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_3,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_2,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_6,
generated::kape_generated::KAPE_FILE_PROTECT_3,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_2,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_HISTOR,
generated::kape_generated::KAPE_FILE_BOOKMARKS_4,
generated::kape_generated::KAPE_FILE_COOKIES_4,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_4,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_4,
generated::kape_generated::KAPE_FILE_FAVICONS_5,
generated::kape_generated::KAPE_FILE_HISTORY_5,
generated::kape_generated::KAPE_FILE_LAST_SESSION_3,
generated::kape_generated::KAPE_FILE_LAST_TABS_3,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_5,
generated::kape_generated::KAPE_FILE_PREFERENCES_5,
generated::kape_generated::KAPE_FILE_SHORTCUTS_5,
generated::kape_generated::KAPE_FILE_TOP_SITES_5,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_5,
generated::kape_generated::KAPE_FILE_WEB_DATA_5,
generated::kape_generated::KAPE_FILE_CHROME_BETA_BOOKMARK,
generated::kape_generated::KAPE_FILE_CHROME_BETA_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_BETA_CURRENT,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2_2,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_4,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_3,
generated::kape_generated::KAPE_FILE_CHROME_BETA_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_BETA_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LAST_SES,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LAST_TAB,
generated::kape_generated::KAPE_FILE_SESSIONS_4,
generated::kape_generated::KAPE_FILE_CHROME_BETA_LOGIN_DA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_3,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_5,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_4,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_PREFEREN,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_4,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_2,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_4,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_SHORTCUT,
generated::kape_generated::KAPE_FILE_CHROME_BETA_TOP_SITE,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_3,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_2,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_2,
generated::kape_generated::KAPE_FILE_CHROME_BETA_VISITED,
generated::kape_generated::KAPE_FILE_CHROME_BETA_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_2,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_7,
generated::kape_generated::KAPE_FILE_PROTECT_4,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_3,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_BETA_H,
generated::kape_generated::KAPE_FILE_BOOKMARKS_5,
generated::kape_generated::KAPE_FILE_COOKIES_5,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_5,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_5,
generated::kape_generated::KAPE_FILE_FAVICONS_6,
generated::kape_generated::KAPE_FILE_HISTORY_6,
generated::kape_generated::KAPE_FILE_LAST_SESSION_4,
generated::kape_generated::KAPE_FILE_LAST_TABS_4,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_6,
generated::kape_generated::KAPE_FILE_PREFERENCES_6,
generated::kape_generated::KAPE_FILE_SHORTCUTS_6,
generated::kape_generated::KAPE_FILE_TOP_SITES_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_6,
generated::kape_generated::KAPE_FILE_WEB_DATA_6,
generated::kape_generated::KAPE_FILE_CHROME_DEV_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CURRENT_S,
generated::kape_generated::KAPE_FILE_CHROME_DEV_CURRENT_T,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_5,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_4,
generated::kape_generated::KAPE_FILE_CHROME_DEV_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LAST_SESS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_5,
generated::kape_generated::KAPE_FILE_CHROME_DEV_LOGIN_DAT,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_4,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_6,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_5,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_PREFERENC,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_5,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_3,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_5,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_DEV_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_4,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_3,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_3,
generated::kape_generated::KAPE_FILE_CHROME_DEV_VISITED_L,
generated::kape_generated::KAPE_FILE_CHROME_DEV_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_3,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_8,
generated::kape_generated::KAPE_FILE_PROTECT_5,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_4,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_DEV_HI,
generated::kape_generated::KAPE_FILE_EXTENSIONS_MANIFEST_JSON,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON,
generated::kape_generated::KAPE_FILE_CHROME_BETA_BROWSER,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_2,
generated::kape_generated::KAPE_FILE_CHROME_DEV_BROWSER_E,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_3,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_BR,
generated::kape_generated::KAPE_FILE_EN_MESSAGES_JSON_4,
generated::kape_generated::KAPE_FILE_EXTENSIONS,
generated::kape_generated::KAPE_FILE_CHROME_EXTENSION_FIL,
generated::kape_generated::KAPE_FILE_CHROME_BETA_EXTENSIO,
generated::kape_generated::KAPE_FILE_EXTENSIONS_2,
generated::kape_generated::KAPE_FILE_CHROME_DEV_EXTENSION,
generated::kape_generated::KAPE_FILE_EXTENSIONS_3,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_EX,
generated::kape_generated::KAPE_FILE_EXTENSIONS_4,
generated::kape_generated::KAPE_FILE_FILE_SYSTEM,
generated::kape_generated::KAPE_FILE_CHROME_BETA_HTML5_FI,
generated::kape_generated::KAPE_FILE_CHROME_DEV_HTML5_FIL,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CANARY_HT,
generated::kape_generated::KAPE_FILE_BOOKMARKS_6,
generated::kape_generated::KAPE_FILE_COOKIES_6,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_6,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_6,
generated::kape_generated::KAPE_FILE_FAVICONS_7,
generated::kape_generated::KAPE_FILE_HISTORY_7,
generated::kape_generated::KAPE_FILE_LAST_SESSION_5,
generated::kape_generated::KAPE_FILE_LAST_TABS_5,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_7,
generated::kape_generated::KAPE_FILE_PREFERENCES_7,
generated::kape_generated::KAPE_FILE_SHORTCUTS_7,
generated::kape_generated::KAPE_FILE_TOP_SITES_7,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_7,
generated::kape_generated::KAPE_FILE_WEB_DATA_7,
generated::kape_generated::KAPE_FILE_CHROME_SXS_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_COOKIES,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CURRENT_S,
generated::kape_generated::KAPE_FILE_CHROME_SXS_CURRENT_T,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_6,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_5,
generated::kape_generated::KAPE_FILE_CHROME_SXS_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_HISTORY,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LAST_SESS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_6,
generated::kape_generated::KAPE_FILE_CHROME_SXS_LOGIN_DAT,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_5,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_7,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_6,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_PREFERENC,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_6,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_4,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_6,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROME_SXS_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_5,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_4,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_4,
generated::kape_generated::KAPE_FILE_CHROME_SXS_VISITED_L,
generated::kape_generated::KAPE_FILE_CHROME_SXS_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_4,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_9,
generated::kape_generated::KAPE_FILE_PROTECT_6,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_5,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_SXS_HI,
generated::kape_generated::KAPE_FILE_BOOKMARKS_7,
generated::kape_generated::KAPE_FILE_COOKIES_7,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_7,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_7,
generated::kape_generated::KAPE_FILE_FAVICONS_8,
generated::kape_generated::KAPE_FILE_HISTORY_8,
generated::kape_generated::KAPE_FILE_LAST_SESSION_6,
generated::kape_generated::KAPE_FILE_LAST_TABS_6,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_8,
generated::kape_generated::KAPE_FILE_TOP_SITES_8,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_8,
generated::kape_generated::KAPE_FILE_WEB_DATA_8,
generated::kape_generated::KAPE_FILE_CHROMIUM_BOOKMARKS,
generated::kape_generated::KAPE_FILE_CHROMIUM_COOKIES,
generated::kape_generated::KAPE_FILE_CHROMIUM_CURRENT_SES,
generated::kape_generated::KAPE_FILE_CHROMIUM_CURRENT_TAB,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_7,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_6,
generated::kape_generated::KAPE_FILE_CHROMIUM_FAVICONS,
generated::kape_generated::KAPE_FILE_CHROMIUM_HISTORY,
generated::kape_generated::KAPE_FILE_CHROMIUM_LAST_SESSIO,
generated::kape_generated::KAPE_FILE_CHROMIUM_LAST_TABS,
generated::kape_generated::KAPE_FILE_SESSIONS_7,
generated::kape_generated::KAPE_FILE_CHROMIUM_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_6,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_8,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_7,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_PREFERENCES,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_7,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_5,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_7,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_SHORTCUTS,
generated::kape_generated::KAPE_FILE_CHROMIUM_TOP_SITES,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_6,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_5,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_5,
generated::kape_generated::KAPE_FILE_CHROMIUM_VISITED_LIN,
generated::kape_generated::KAPE_FILE_CHROMIUM_WEB_DATA,
generated::kape_generated::KAPE_FILE_INDEXEDDB_5,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_10,
generated::kape_generated::KAPE_FILE_PROTECT_7,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_6,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROMIUM_HIST,
generated::kape_generated::KAPE_FILE_BOOKMARKS_8,
generated::kape_generated::KAPE_FILE_COOKIES_8,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_8,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_8,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_8,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_7,
generated::kape_generated::KAPE_FILE_FAVICONS_9,
generated::kape_generated::KAPE_FILE_HISTORY_9,
generated::kape_generated::KAPE_FILE_LAST_SESSION_7,
generated::kape_generated::KAPE_FILE_LAST_TABS_7,
generated::kape_generated::KAPE_FILE_SESSIONS_8,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_9,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_7,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_9,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_9,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_8,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_9,
generated::kape_generated::KAPE_FILE_TOP_SITES_9,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_7,
generated::kape_generated::KAPE_FILE_SYNC_DATA_3,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_9,
generated::kape_generated::KAPE_FILE_WEB_DATA_9,
generated::kape_generated::KAPE_FILE_PROTECT_8,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_7,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE,
generated::kape_generated::KAPE_FILE_BOOKMARKS_9,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_9,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_9,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_8,
generated::kape_generated::KAPE_FILE_FAVICONS_10,
generated::kape_generated::KAPE_FILE_HISTORY_10,
generated::kape_generated::KAPE_FILE_LAST_SESSION_8,
generated::kape_generated::KAPE_FILE_LAST_TABS_8,
generated::kape_generated::KAPE_FILE_SESSIONS_9,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_10,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_8,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_10,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_9,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6,
generated::kape_generated::KAPE_FILE_PREFERENCES_10,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_9,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_6,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_9,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_6,
generated::kape_generated::KAPE_FILE_SHORTCUTS_10,
generated::kape_generated::KAPE_FILE_TOP_SITES_10,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_8,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_6,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_10,
generated::kape_generated::KAPE_FILE_WEB_DATA_10,
generated::kape_generated::KAPE_FILE_INDEXEDDB_6,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_11,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE,
generated::kape_generated::KAPE_FILE_PROTECT_9,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_8,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS_10,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_10,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_10,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_9,
generated::kape_generated::KAPE_FILE_FAVICONS_11,
generated::kape_generated::KAPE_FILE_HISTORY_11,
generated::kape_generated::KAPE_FILE_LAST_SESSION_9,
generated::kape_generated::KAPE_FILE_LAST_TABS_9,
generated::kape_generated::KAPE_FILE_SESSIONS_10,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_11,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_9,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_11,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_10,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_7,
generated::kape_generated::KAPE_FILE_PREFERENCES_11,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_10,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_7,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_10,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_7,
generated::kape_generated::KAPE_FILE_SHORTCUTS_11,
generated::kape_generated::KAPE_FILE_TOP_SITES_11,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_9,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_7,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_7,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_11,
generated::kape_generated::KAPE_FILE_WEB_DATA_11,
generated::kape_generated::KAPE_FILE_INDEXEDDB_7,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_12,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_2,
generated::kape_generated::KAPE_FILE_PROTECT_10,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_9,
generated::kape_generated::KAPE_FILE_EXTENSIONS_5,
generated::kape_generated::KAPE_FILE_EDGE_BETA_CHROMIUM_E,
generated::kape_generated::KAPE_FILE_EDGE_DEV_CHROMIUM_EX,
generated::kape_generated::KAPE_FILE_EDGE_SXS_CANARY_CHRO,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_3,
generated::kape_generated::KAPE_FILE_BOOKMARKS_11,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_4,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_11,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_11,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_10,
generated::kape_generated::KAPE_FILE_FAVICONS_12,
generated::kape_generated::KAPE_FILE_HISTORY_12,
generated::kape_generated::KAPE_FILE_LAST_SESSION_10,
generated::kape_generated::KAPE_FILE_LAST_TABS_10,
generated::kape_generated::KAPE_FILE_SESSIONS_11,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_12,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_10,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_12,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_11,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_8,
generated::kape_generated::KAPE_FILE_PREFERENCES_12,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_11,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_8,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_11,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_8,
generated::kape_generated::KAPE_FILE_SHORTCUTS_12,
generated::kape_generated::KAPE_FILE_TOP_SITES_12,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_10,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_8,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_8,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_12,
generated::kape_generated::KAPE_FILE_WEB_DATA_12,
generated::kape_generated::KAPE_FILE_INDEXEDDB_8,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_13,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_3,
generated::kape_generated::KAPE_FILE_PROTECT_11,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_10,
generated::kape_generated::KAPE_FILE_FILE_SYSTEM_2,
generated::kape_generated::KAPE_FILE_EDGE_BETA_HTML5_FILE,
generated::kape_generated::KAPE_FILE_EDGE_DEV_HTML5_FILE,
generated::kape_generated::KAPE_FILE_EDGE_SXS_CANARY_HTML,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_4,
generated::kape_generated::KAPE_FILE_BOOKMARKS_12,
generated::kape_generated::KAPE_FILE_NETWORKCOOKIES_5,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_12,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_12,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_11,
generated::kape_generated::KAPE_FILE_FAVICONS_13,
generated::kape_generated::KAPE_FILE_HISTORY_13,
generated::kape_generated::KAPE_FILE_LAST_SESSION_11,
generated::kape_generated::KAPE_FILE_LAST_TABS_11,
generated::kape_generated::KAPE_FILE_SESSIONS_12,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_13,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_11,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_13,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_12,
generated::kape_generated::KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_9,
generated::kape_generated::KAPE_FILE_PREFERENCES_13,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_12,
generated::kape_generated::KAPE_FILE_WEBSTORAGEQUOTAMANAGER_9,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_12,
generated::kape_generated::KAPE_FILE_NETWORKREPORTING_AND_NEL_9,
generated::kape_generated::KAPE_FILE_SHORTCUTS_13,
generated::kape_generated::KAPE_FILE_TOP_SITES_13,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_11,
generated::kape_generated::KAPE_FILE_NETWORKTRUST_TOKENS_9,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_9,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_13,
generated::kape_generated::KAPE_FILE_WEB_DATA_13,
generated::kape_generated::KAPE_FILE_INDEXEDDB_9,
generated::kape_generated::KAPE_FILE_LOCAL_STORAGE_LEVELDB_14,
generated::kape_generated::KAPE_FILE_WEBASSISTDATABASE_4,
generated::kape_generated::KAPE_FILE_PROTECT_12,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_11,
generated::kape_generated::KAPE_FILE_ADDONS_SQLITE,
generated::kape_generated::KAPE_FILE_WEAVE_BOOKMARKS_SQLITE,
generated::kape_generated::KAPE_FILE_BOOKMARKBACKUPS,
generated::kape_generated::KAPE_FILE_COOKIES_SQLITE,
generated::kape_generated::KAPE_FILE_FIREFOX_COOKIES_SQLITE,
generated::kape_generated::KAPE_FILE_DOWNLOADS_SQLITE,
generated::kape_generated::KAPE_FILE_EXTENSIONS_JSON,
generated::kape_generated::KAPE_FILE_FAVICONS_SQLITE,
generated::kape_generated::KAPE_FILE_FORMHISTORY_SQLITE,
generated::kape_generated::KAPE_FILE_PERMISSIONS_SQLITE,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE_2,
generated::kape_generated::KAPE_FILE_PROTECTIONS_SQLITE,
generated::kape_generated::KAPE_FILE_SEARCH_SQLITE,
generated::kape_generated::KAPE_FILE_SIGNONS_SQLITE,
generated::kape_generated::KAPE_FILE_STORAGE_SYNC_SQLITE,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_SQLITE,
generated::kape_generated::KAPE_FILE_KEY_DB,
generated::kape_generated::KAPE_FILE_SIGNON,
generated::kape_generated::KAPE_FILE_LOGINS_JSON_2,
generated::kape_generated::KAPE_FILE_PREFS_JS_2,
generated::kape_generated::KAPE_FILE_SESSIONSTORE,
generated::kape_generated::KAPE_FILE_SESSIONSTORE_BACKUPS,
generated::kape_generated::KAPE_FILE_PLACES_XP,
generated::kape_generated::KAPE_FILE_DOWNLOADS_XP,
generated::kape_generated::KAPE_FILE_FORM_HISTORY_XP,
generated::kape_generated::KAPE_FILE_COOKIES_XP,
generated::kape_generated::KAPE_FILE_SIGNONS_XP,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_XP,
generated::kape_generated::KAPE_FILE_FAVICONS_XP,
generated::kape_generated::KAPE_FILE_ADDONS_XP,
generated::kape_generated::KAPE_FILE_SEARCH_XP,
generated::kape_generated::KAPE_FILE_PASSWORD_XP,
generated::kape_generated::KAPE_FILE_SIGNON_2,
generated::kape_generated::KAPE_FILE_LOGINS_JSON_2_2,
generated::kape_generated::KAPE_FILE_SESSIONSTORE_XP,
generated::kape_generated::KAPE_FILE_HISTORY_IE5_INDEX_DAT,
generated::kape_generated::KAPE_FILE_INDEX_DAT,
generated::kape_generated::KAPE_FILE_COOKIES_INDEX_DAT,
generated::kape_generated::KAPE_FILE_USERDATA_INDEX_DAT,
generated::kape_generated::KAPE_FILE_RECENT_INDEX_DAT,
generated::kape_generated::KAPE_FILE_INDEX_DAT_OFFICE,
generated::kape_generated::KAPE_FILE_MICROSOFT_INTERNET_EXPLORER,
generated::kape_generated::KAPE_FILE_ROAMING_INTERNET_EXP,
generated::kape_generated::KAPE_FILE_WINDOWS_HISTORY,
generated::kape_generated::KAPE_FILE_WINDOWS_COOKIES,
generated::kape_generated::KAPE_FILE_WINDOWS_IEDOWNLOADHISTORY,
generated::kape_generated::KAPE_FILE_WINDOWS_WEBCACHE_2,
generated::kape_generated::KAPE_FILE_WINDOWS_INETCOOKIES,
generated::kape_generated::KAPE_FILE_OPERA_SOFTWARE_OPERA_STABLE,
generated::kape_generated::KAPE_FILE_OPERA_ROAMING_FOLDER,
generated::kape_generated::KAPE_FILE_BOOKMARKS_13,
generated::kape_generated::KAPE_FILE_COOKIES_9,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_13,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_13,
generated::kape_generated::KAPE_FILE_FAVICONS_14,
generated::kape_generated::KAPE_FILE_HISTORY_14,
generated::kape_generated::KAPE_FILE_LAST_SESSION_12,
generated::kape_generated::KAPE_FILE_LAST_TABS_12,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_14,
generated::kape_generated::KAPE_FILE_PREFERENCES_14,
generated::kape_generated::KAPE_FILE_SHORTCUTS_14,
generated::kape_generated::KAPE_FILE_TOP_SITES_14,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_14,
generated::kape_generated::KAPE_FILE_WEB_DATA_14,
generated::kape_generated::KAPE_FILE_PRISMA_ACCESS_BROWSE,
generated::kape_generated::KAPE_FILE_COOKIES_2_2,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_2_2,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_2_3,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_9,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_12,
generated::kape_generated::KAPE_FILE_FAVICONS_2_2,
generated::kape_generated::KAPE_FILE_HISTORY_2_2,
generated::kape_generated::KAPE_FILE_LAST_SESSION_2_2,
generated::kape_generated::KAPE_FILE_LAST_TABS_2_2,
generated::kape_generated::KAPE_FILE_SESSIONS_13,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_2_2,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_12,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_14,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_13,
generated::kape_generated::KAPE_FILE_PREFERENCES_2_2,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_13,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_13,
generated::kape_generated::KAPE_FILE_SHORTCUTS_2_2,
generated::kape_generated::KAPE_FILE_TOP_SITES_2_2,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_12,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_10,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_2_2,
generated::kape_generated::KAPE_FILE_WEB_DATA_2_2,
generated::kape_generated::KAPE_FILE_PROTECT_13,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_12,
generated::kape_generated::KAPE_FILE_SYSTEM_CHROME_HISTOR_2,
generated::kape_generated::KAPE_FILE_PRISMAACCESSBROWSER_USER_DATA_BACKUP,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERDATA_DB,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERAUTOCOMPLETES_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERPASSWORDFORMS_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCREDENTIAL_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERSUBSCRIPTION,
generated::kape_generated::KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCOOKIES_DAT,
generated::kape_generated::KAPE_FILE_PUFFINSECUREBROWSER_IMAGE_CACHE,
generated::kape_generated::KAPE_FILE_BOOKMARKS_14,
generated::kape_generated::KAPE_FILE_COOKIES_10,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_14,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_14,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_10,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_13,
generated::kape_generated::KAPE_FILE_FAVICONS_15,
generated::kape_generated::KAPE_FILE_HISTORY_15,
generated::kape_generated::KAPE_FILE_LAST_SESSION_13,
generated::kape_generated::KAPE_FILE_LAST_TABS_13,
generated::kape_generated::KAPE_FILE_SESSIONS_14,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_15,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_13,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_15,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_14,
generated::kape_generated::KAPE_FILE_PREFERENCES_15,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_14,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_14,
generated::kape_generated::KAPE_FILE_SHORTCUTS_15,
generated::kape_generated::KAPE_FILE_TOP_SITES_15,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_13,
generated::kape_generated::KAPE_FILE_SYNC_DATA_4,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_15,
generated::kape_generated::KAPE_FILE_WEB_DATA_15,
generated::kape_generated::KAPE_FILE_PROTECT_14,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_13,
generated::kape_generated::KAPE_FILE_BOOKMARKS_15,
generated::kape_generated::KAPE_FILE_COOKIES_11,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_15,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_15,
generated::kape_generated::KAPE_FILE_FAVICONS_16,
generated::kape_generated::KAPE_FILE_HISTORY_16,
generated::kape_generated::KAPE_FILE_LAST_SESSION_14,
generated::kape_generated::KAPE_FILE_LAST_TABS_14,
generated::kape_generated::KAPE_FILE_SESSIONS_15,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_16,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_15,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_16,
generated::kape_generated::KAPE_FILE_PREFERENCES_16,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_15,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_14,
generated::kape_generated::KAPE_FILE_SYNC_DATA_5,
generated::kape_generated::KAPE_FILE_SHORTCUTS_16,
generated::kape_generated::KAPE_FILE_TOP_SITES_16,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_16,
generated::kape_generated::KAPE_FILE_WEB_DATA_16,
generated::kape_generated::KAPE_FILE_SUPERMIUM_BOOKMARKS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_COOKIES,
generated::kape_generated::KAPE_FILE_SUPERMIUM_CURRENT_SE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_CURRENT_TA,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_11,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_14,
generated::kape_generated::KAPE_FILE_SUPERMIUM_FAVICONS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_HISTORY,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LAST_SESSI,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LAST_TABS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SESSIONS_F,
generated::kape_generated::KAPE_FILE_SUPERMIUM_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_14,
generated::kape_generated::KAPE_FILE_SUPERMIUM_NETWORK_AC,
generated::kape_generated::KAPE_FILE_SUPERMIUM_NETWORK_PE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_PREFERENCE,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_15,
generated::kape_generated::KAPE_FILE_SUPERMIUM_REPORTING,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SHORTCUTS,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TOP_SITES,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TRUST_TOKE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_SYNCDATA_D,
generated::kape_generated::KAPE_FILE_SUPERMIUM_VISITED_LI,
generated::kape_generated::KAPE_FILE_SUPERMIUM_WEB_DATA,
generated::kape_generated::KAPE_FILE_PROTECT_15,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_14,
generated::kape_generated::KAPE_FILE_SYSTEM_SUPERMIUM_HIS,
generated::kape_generated::KAPE_FILE_BOOKMARKS_16,
generated::kape_generated::KAPE_FILE_COOKIES_12,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_16,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_16,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_12,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_15,
generated::kape_generated::KAPE_FILE_FAVICONS_17,
generated::kape_generated::KAPE_FILE_HISTORY_17,
generated::kape_generated::KAPE_FILE_LAST_SESSION_15,
generated::kape_generated::KAPE_FILE_LAST_TABS_15,
generated::kape_generated::KAPE_FILE_SESSIONS_16,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_17,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_15,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_17,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_16,
generated::kape_generated::KAPE_FILE_PREFERENCES_17,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_16,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_16,
generated::kape_generated::KAPE_FILE_SHORTCUTS_17,
generated::kape_generated::KAPE_FILE_TOP_SITES_17,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_15,
generated::kape_generated::KAPE_FILE_SYNC_DATA_6,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_17,
generated::kape_generated::KAPE_FILE_WEB_DATA_17,
generated::kape_generated::KAPE_FILE_PROTECT_16,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_15,
generated::kape_generated::KAPE_FILE_COOKIES_13,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_17,
generated::kape_generated::KAPE_FILE_FAVICONS_18,
generated::kape_generated::KAPE_FILE_HISTORY_18,
generated::kape_generated::KAPE_FILE_SESSIONS_17,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_18,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_18,
generated::kape_generated::KAPE_FILE_PREFERENCES_18,
generated::kape_generated::KAPE_FILE_TOP_SITES_18,
generated::kape_generated::KAPE_FILE_BOOKMARKS_17,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_18,
generated::kape_generated::KAPE_FILE_WEB_DATA_18,
generated::kape_generated::KAPE_FILE_USER_VIVALDI_REPORTING_DATA,
generated::kape_generated::KAPE_FILE_CALENDAR,
generated::kape_generated::KAPE_FILE_CONTACTS,
generated::kape_generated::KAPE_FILE_NOTES,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_13,
generated::kape_generated::KAPE_FILE_BOOKMARKS_18,
generated::kape_generated::KAPE_FILE_COOKIES_14,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_17,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_17,
generated::kape_generated::KAPE_FILE_DOWNLOADMETADATA_14,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_16,
generated::kape_generated::KAPE_FILE_FAVICONS_19,
generated::kape_generated::KAPE_FILE_HISTORY_19,
generated::kape_generated::KAPE_FILE_LAST_SESSION_16,
generated::kape_generated::KAPE_FILE_LAST_TABS_16,
generated::kape_generated::KAPE_FILE_SESSIONS_18,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_19,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_16,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_19,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_18,
generated::kape_generated::KAPE_FILE_PREFERENCES_19,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_17,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_17,
generated::kape_generated::KAPE_FILE_SHORTCUTS_18,
generated::kape_generated::KAPE_FILE_TOP_SITES_19,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_16,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_11,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_19,
generated::kape_generated::KAPE_FILE_WEB_DATA_19,
generated::kape_generated::KAPE_FILE_PROTECT_17,
generated::kape_generated::KAPE_FILE_SNAPSHOTS_16,
generated::kape_generated::KAPE_FILE_SYSTEM_WAVEBROWSER_H,
generated::kape_generated::KAPE_FILE_COOKIES_15,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_19,
generated::kape_generated::KAPE_FILE_FAVICONS_20,
generated::kape_generated::KAPE_FILE_HISTORY_20,
generated::kape_generated::KAPE_FILE_SESSIONS_19,
generated::kape_generated::KAPE_FILE_YA_PASSMAN_DATA,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_20,
generated::kape_generated::KAPE_FILE_PREFERENCES_20,
generated::kape_generated::KAPE_FILE_TOP_SITES_20,
generated::kape_generated::KAPE_FILE_BOOKMARKS_19,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_20,
generated::kape_generated::KAPE_FILE_WEB_DATA_20,
generated::kape_generated::KAPE_FILE_YA_AUTOFILL_DATA,
generated::kape_generated::KAPE_FILE_PASSMAN_LOGS,
generated::kape_generated::KAPE_FILE_SHORTCUTS_19,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE,
generated::kape_generated::KAPE_FILE_THUMBCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_TKAPE,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_COMBINEDLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_TKAPE,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_2,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_2,
generated::kape_generated::KAPE_FILE_FTPCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_MESSAGINGCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_NETWORKSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_2,
generated::kape_generated::KAPE_FILE_REMOTEADMIN_TKAPE,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE_2,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE_2,
generated::kape_generated::KAPE_FILE_SUM_TKAPE,
generated::kape_generated::KAPE_FILE_WER_TKAPE,
generated::kape_generated::KAPE_FILE_THUMBCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE,
generated::kape_generated::KAPE_FILE_BITS_TKAPE,
generated::kape_generated::KAPE_FILE_WEBBROWSERS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE_2,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE,
generated::kape_generated::KAPE_FILE_AVAST_TKAPE,
generated::kape_generated::KAPE_FILE_AVG_TKAPE,
generated::kape_generated::KAPE_FILE_AVIRAAVLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_BITDEFENDER_TKAPE,
generated::kape_generated::KAPE_FILE_COMBOFIX_TKAPE,
generated::kape_generated::KAPE_FILE_CROWDSTRIKEFALCON_TKAPE,
generated::kape_generated::KAPE_FILE_CYBEREASON_TKAPE,
generated::kape_generated::KAPE_FILE_CYLANCE_TKAPE,
generated::kape_generated::KAPE_FILE_ELASTICDEFEND_TKAPE,
generated::kape_generated::KAPE_FILE_EMSISOFT_TKAPE,
generated::kape_generated::KAPE_FILE_ESET_TKAPE,
generated::kape_generated::KAPE_FILE_FSECURE_TKAPE,
generated::kape_generated::KAPE_FILE_HITMANPRO_TKAPE,
generated::kape_generated::KAPE_FILE_MALWAREBYTES_TKAPE,
generated::kape_generated::KAPE_FILE_MCAFEE_TKAPE,
generated::kape_generated::KAPE_FILE_MCAFEE_EPO_TKAPE,
generated::kape_generated::KAPE_FILE_MICROSOFTSAFETYSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_ROGUEKILLER_TKAPE,
generated::kape_generated::KAPE_FILE_SECUREAGE_TKAPE,
generated::kape_generated::KAPE_FILE_SENTINELONE_TKAPE,
generated::kape_generated::KAPE_FILE_SOPHOS_TKAPE,
generated::kape_generated::KAPE_FILE_SUPERANTISPYWARE_TKAPE,
generated::kape_generated::KAPE_FILE_SYMANTEC_AV_LOGS_TKAPE,
generated::kape_generated::KAPE_FILE_TOTALAV_TKAPE,
generated::kape_generated::KAPE_FILE_TRENDMICRO_TKAPE,
generated::kape_generated::KAPE_FILE_VIPRE_TKAPE,
generated::kape_generated::KAPE_FILE_WEBROOT_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSDEFENDER_TKAPE,
generated::kape_generated::KAPE_FILE_BOXDRIVE_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_DROPBOX_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_GOOGLEDRIVEBACKUPSYNC_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_USERFILES_TKAPE,
generated::kape_generated::KAPE_FILE_PCLOUDDATABASE_TKAPE,
generated::kape_generated::KAPE_FILE_SUGARSYNC_TKAPE,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_2,
generated::kape_generated::KAPE_FILE_IDRIVE_TKAPE,
generated::kape_generated::KAPE_FILE_BOXDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_DROPBOX_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_GOOGLEDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_MEGASYNC_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_METADATA_TKAPE,
generated::kape_generated::KAPE_FILE_RCLONECONF_TKAPE,
generated::kape_generated::KAPE_FILE_FREEFILESYNC_TKAPE,
generated::kape_generated::KAPE_FILE_ONEDRIVE_METADATA_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESUSER_TKAPE,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_EVENTTRACELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE,
generated::kape_generated::KAPE_FILE_WINDOWSFIREWALL_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_NETCLRUSAGELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_APPCOMPATPCA_TKAPE,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE_TKAPE,
generated::kape_generated::KAPE_FILE_SYSCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGECLIENTACCESS_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGETRANSPORT_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGESETUPLOG_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLACLIENT_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLASERVER_TKAPE,
generated::kape_generated::KAPE_FILE_WINSCP_TKAPE,
generated::kape_generated::KAPE_FILE_ROBO_FTP_TKAPE,
generated::kape_generated::KAPE_FILE_DIRECTORYOPUS_TKAPE,
generated::kape_generated::KAPE_FILE_DOUBLECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_EFCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_FREECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_MIDNIGHTCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_MULTICOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_ONECOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_Q_DIR_TKAPE,
generated::kape_generated::KAPE_FILE_SPEEDCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_TABLACUSEXPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_TOTALCOMMANDER_TKAPE,
generated::kape_generated::KAPE_FILE_XYPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_MFT_TKAPE,
generated::kape_generated::KAPE_FILE_LOGFILE_TKAPE,
generated::kape_generated::KAPE_FILE_J_TKAPE,
generated::kape_generated::KAPE_FILE_SDS_TKAPE,
generated::kape_generated::KAPE_FILE_BOOT_TKAPE,
generated::kape_generated::KAPE_FILE_T_TKAPE,
generated::kape_generated::KAPE_FILE_HEXCHAT_TKAPE,
generated::kape_generated::KAPE_FILE_ICECHAT_TKAPE,
generated::kape_generated::KAPE_FILE_MIRC_TKAPE,
generated::kape_generated::KAPE_FILE_ANTIVIRUS_TKAPE_2,
generated::kape_generated::KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_3,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_3,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_3,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_3,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_3,
generated::kape_generated::KAPE_FILE_NOTEPAD_TKAPE,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_3,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_3,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_3,
generated::kape_generated::KAPE_FILE_REMOTEADMIN_TKAPE_2,
generated::kape_generated::KAPE_FILE_SCHEDULEDTASKS_TKAPE_3,
generated::kape_generated::KAPE_FILE_SRUM_TKAPE_3,
generated::kape_generated::KAPE_FILE_SUM_TKAPE_2,
generated::kape_generated::KAPE_FILE_WER_TKAPE_2,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE_2,
generated::kape_generated::KAPE_FILE_WEBBROWSERS_TKAPE_2,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE_2,
generated::kape_generated::KAPE_FILE_IRCCLIENTS_TKAPE,
generated::kape_generated::KAPE_FILE_CISCOJABBER_TKAPE,
generated::kape_generated::KAPE_FILE_DISCORD_TKAPE,
generated::kape_generated::KAPE_FILE_MATTERMOST_TKAPE,
generated::kape_generated::KAPE_FILE_MICROSOFTTEAMS_TKAPE,
generated::kape_generated::KAPE_FILE_SIGNAL_TKAPE,
generated::kape_generated::KAPE_FILE_SKYPE_TKAPE,
generated::kape_generated::KAPE_FILE_SLACK_TKAPE,
generated::kape_generated::KAPE_FILE_TELEGRAM_TKAPE,
generated::kape_generated::KAPE_FILE_VIBER_TKAPE,
generated::kape_generated::KAPE_FILE_WHATSAPP_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_4,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_4,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_4,
generated::kape_generated::KAPE_FILE_ADVANCEDIPSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_ADVANCEDPORTSCANNER_TKAPE,
generated::kape_generated::KAPE_FILE_SOFTPERFECTNETSCAN_TKAPE,
generated::kape_generated::KAPE_FILE_DC_TKAPE,
generated::kape_generated::KAPE_FILE_EMULE_TKAPE,
generated::kape_generated::KAPE_FILE_FROSTWIRE_TKAPE,
generated::kape_generated::KAPE_FILE_GIGATRIBE_TKAPE,
generated::kape_generated::KAPE_FILE_SHAREAZA_TKAPE,
generated::kape_generated::KAPE_FILE_SOULSEEK_TKAPE,
generated::kape_generated::KAPE_FILE_CHOCOLATEY_TKAPE,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_APPCOMPATPCA_TKAPE_2,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE_2,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_SYSCACHE_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE_2,
generated::kape_generated::KAPE_FILE_POWERSHELLCONSOLE_TKAPE_4,
generated::kape_generated::KAPE_FILE_WBEM_TKAPE_3,
generated::kape_generated::KAPE_FILE_WER_TKAPE_3,
generated::kape_generated::KAPE_FILE_WINDOWSTIMELINE_TKAPE_3,
generated::kape_generated::KAPE_FILE_JUMPLISTS_TKAPE,
generated::kape_generated::KAPE_FILE_NETCLRUSAGELOGS_TKAPE_2,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_4,
generated::kape_generated::KAPE_FILE_RECYCLEBIN_DATAFILES_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESSYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESUSER_TKAPE_2,
generated::kape_generated::KAPE_FILE_REGISTRYHIVESMSIXAPPS_TKAPE,
generated::kape_generated::KAPE_FILE_ACTION1_TKAPE,
generated::kape_generated::KAPE_FILE_AMMYY_TKAPE,
generated::kape_generated::KAPE_FILE_ANYDESK_TKAPE,
generated::kape_generated::KAPE_FILE_APPLICATIONEVENTS_TKAPE_6,
generated::kape_generated::KAPE_FILE_DWAGENT_TKAPE,
generated::kape_generated::KAPE_FILE_ISLONLINE_TKAPE,
generated::kape_generated::KAPE_FILE_ITARIAN_TKAPE,
generated::kape_generated::KAPE_FILE_KASEYA_TKAPE,
generated::kape_generated::KAPE_FILE_LEVEL_TKAPE,
generated::kape_generated::KAPE_FILE_LOGMEIN_TKAPE,
generated::kape_generated::KAPE_FILE_MESHAGENT_TKAPE,
generated::kape_generated::KAPE_FILE_MREMOTENG_TKAPE,
generated::kape_generated::KAPE_FILE_NETMONITORFOREMPLOYEESPROFESSIONAL_TKAPE,
generated::kape_generated::KAPE_FILE_QUICKASSIST_TKAPE,
generated::kape_generated::KAPE_FILE_RADMIN_TKAPE,
generated::kape_generated::KAPE_FILE_RDPCACHE_TKAPE,
generated::kape_generated::KAPE_FILE_RDPLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_REMCOS_TKAPE,
generated::kape_generated::KAPE_FILE_REMOTEMANIPULATORSYSTEM_TKAPE,
generated::kape_generated::KAPE_FILE_REMOTEUTILITIES_APP_TKAPE,
generated::kape_generated::KAPE_FILE_RUSTDESK_TKAPE,
generated::kape_generated::KAPE_FILE_SCREENCONNECT_TKAPE,
generated::kape_generated::KAPE_FILE_SPLASHTOP_TKAPE,
generated::kape_generated::KAPE_FILE_SUPREMOREMOTEDESKTOP_TKAPE,
generated::kape_generated::KAPE_FILE_TEAMVIEWERLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_UEMS_TKAPE,
generated::kape_generated::KAPE_FILE_ULTRAVIEWER_TKAPE,
generated::kape_generated::KAPE_FILE_VNCLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_XEOX_TKAPE,
generated::kape_generated::KAPE_FILE_ZOHOASSIST_TKAPE,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_5,
generated::kape_generated::KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_4,
generated::kape_generated::KAPE_FILE_FILESYSTEM_TKAPE_5,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_4,
generated::kape_generated::KAPE_FILE_PREFETCH_TKAPE_3,
generated::kape_generated::KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE_2,
generated::kape_generated::KAPE_FILE_FULLTEXTSEARCHINDEX_2,
generated::kape_generated::KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS_2,
generated::kape_generated::KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX_2,
generated::kape_generated::KAPE_FILE_16_0_NOTETAGS_LIVEID_DB_2,
generated::kape_generated::KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_PLUM_SQLITE_2,
generated::kape_generated::KAPE_FILE_TODOSQLITE_DB_2,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE_2,
generated::kape_generated::KAPE_FILE_TERACOPY_HISTORY_DB,
generated::kape_generated::KAPE_FILE_TERACOPY_MAIN_DB,
generated::kape_generated::KAPE_FILE_ROAMING_NOTION_NOTION_DB_2,
generated::kape_generated::KAPE_FILE_IDBS,
generated::kape_generated::KAPE_FILE_FILECACHE_DB,
generated::kape_generated::KAPE_FILE_CONFIG_DBX,
generated::kape_generated::KAPE_FILE_HOME_DB,
generated::kape_generated::KAPE_FILE_ICON_DB,
generated::kape_generated::KAPE_FILE_SYNC_HISTORY_DB,
generated::kape_generated::KAPE_FILE_SYNC_NUCLEUS_SQLITE3,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DB_2,
generated::kape_generated::KAPE_FILE_DROPBOX_HOST_DBX_2,
generated::kape_generated::KAPE_FILE_SYNC_AGGREGATION_DBX,
generated::kape_generated::KAPE_FILE_AVATARCACHE_DB,
generated::kape_generated::KAPE_FILE_DROPBOX_METADATA,
generated::kape_generated::KAPE_FILE_CLOUD_GRAPH_CLOUD_GRAPH_DB,
generated::kape_generated::KAPE_FILE_CHANGE_BUFFER,
generated::kape_generated::KAPE_FILE_SNAPSHOT_DB,
generated::kape_generated::KAPE_FILE_SYNC_CONFIG_DB,
generated::kape_generated::KAPE_FILE_FILEZILLA_SQLITE3_2,
generated::kape_generated::KAPE_FILE_BOOKMARKS_20,
generated::kape_generated::KAPE_FILE_COOKIES_16,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_18,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_18,
generated::kape_generated::KAPE_FILE_FAVICONS_21,
generated::kape_generated::KAPE_FILE_HISTORY_21,
generated::kape_generated::KAPE_FILE_LAST_SESSION_17,
generated::kape_generated::KAPE_FILE_LAST_TABS_17,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_20,
generated::kape_generated::KAPE_FILE_PREFERENCES_21,
generated::kape_generated::KAPE_FILE_SHORTCUTS_20,
generated::kape_generated::KAPE_FILE_TOP_SITES_21,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_21,
generated::kape_generated::KAPE_FILE_WEB_DATA_21,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS_2,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES_2,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI_2,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS_2,
generated::kape_generated::KAPE_FILE_DOWNLOAD_METADATA,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_17,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS_2,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY_2,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION_2,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS_2,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA_2,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_17,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_21,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_20,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES_2,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_18,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_18,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS_2,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES_2,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_17,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS_2,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA_2,
generated::kape_generated::KAPE_FILE_EDGE_BOOKMARKS,
generated::kape_generated::KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_5,
generated::kape_generated::KAPE_FILE_EDGE_COOKIES,
generated::kape_generated::KAPE_FILE_EDGE_CURRENT_SESSION,
generated::kape_generated::KAPE_FILE_EDGE_CURRENT_TABS,
generated::kape_generated::KAPE_FILE_EDGE_FAVICONS,
generated::kape_generated::KAPE_FILE_EDGE_HISTORY,
generated::kape_generated::KAPE_FILE_EDGE_LAST_SESSION,
generated::kape_generated::KAPE_FILE_EDGE_LAST_TABS,
generated::kape_generated::KAPE_FILE_EDGE_LOGIN_DATA,
generated::kape_generated::KAPE_FILE_EDGE_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_EDGE_NETWORK_ACTION,
generated::kape_generated::KAPE_FILE_EDGE_PREFERENCES,
generated::kape_generated::KAPE_FILE_EDGE_SHORTCUTS,
generated::kape_generated::KAPE_FILE_EDGE_TOP_SITES,
generated::kape_generated::KAPE_FILE_EDGE_SYNCDATA_DATABA,
generated::kape_generated::KAPE_FILE_BOOKMARKS_2_2,
generated::kape_generated::KAPE_FILE_EDGE_VISITED_LINKS,
generated::kape_generated::KAPE_FILE_EDGE_WEB_DATA,
generated::kape_generated::KAPE_FILE_ADDONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_WEAVE_BOOKMARKS_SQLITE_2,
generated::kape_generated::KAPE_FILE_COOKIES_SQLITE_2,
generated::kape_generated::KAPE_FILE_FIREFOX_COOKIES_SQLITE_2,
generated::kape_generated::KAPE_FILE_DOWNLOADS_SQLITE_2,
generated::kape_generated::KAPE_FILE_FAVICONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_FORMHISTORY_SQLITE_2,
generated::kape_generated::KAPE_FILE_PERMISSIONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_PLACES_SQLITE_3,
generated::kape_generated::KAPE_FILE_PROTECTIONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_SEARCH_SQLITE_2,
generated::kape_generated::KAPE_FILE_SIGNONS_SQLITE_2,
generated::kape_generated::KAPE_FILE_STORAGE_SYNC_SQLITE_2,
generated::kape_generated::KAPE_FILE_WEBAPPSTORE_SQLITE_2,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT,
generated::kape_generated::KAPE_FILE_ACTIVITIESCACHE_DB,
generated::kape_generated::KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB,
generated::kape_generated::KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM_2,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB,
generated::kape_generated::KAPE_FILE_EVENTTRANSCRIPT_DB,
generated::kape_generated::KAPE_FILE_WEBSERVERS_TKAPE,
generated::kape_generated::KAPE_FILE_MONGODBLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_EXCHANGE_TKAPE,
generated::kape_generated::KAPE_FILE_CONFLUENCELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_FILEZILLASERVER_TKAPE_2,
generated::kape_generated::KAPE_FILE_OPENSSHSERVER_TKAPE,
generated::kape_generated::KAPE_FILE_MANAGEENGINELOGS_TKAPE,
generated::kape_generated::KAPE_FILE_BITTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_QBITTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_UTORRENT_TKAPE,
generated::kape_generated::KAPE_FILE_USBDEVICESLOGS_TKAPE_3,
generated::kape_generated::KAPE_FILE_REGISTRYHIVES_TKAPE_5,
generated::kape_generated::KAPE_FILE_EVENTLOGS_TKAPE_6,
generated::kape_generated::KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_5,
generated::kape_generated::KAPE_FILE_AMCACHE_TKAPE_3,
generated::kape_generated::KAPE_FILE_NEWSBINPRO_TKAPE,
generated::kape_generated::KAPE_FILE_NEWSLEECHER_TKAPE,
generated::kape_generated::KAPE_FILE_NZBGET_TKAPE,
generated::kape_generated::KAPE_FILE_SABNBZD_TKAPE,
generated::kape_generated::KAPE_FILE_VMWAREINVENTORY_TKAPE,
generated::kape_generated::KAPE_FILE_VMWAREMEMORY_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALDISKS_TKAPE,
generated::kape_generated::KAPE_FILE_PROTONVPN_TKAPE,
generated::kape_generated::KAPE_FILE_OPENVPNCLIENT_TKAPE,
generated::kape_generated::KAPE_FILE_PALOALTO_TKAPE,
generated::kape_generated::KAPE_FILE_FORTICLIENTVPN_TKAPE,
generated::kape_generated::KAPE_FILE_PULSESECURE_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXMEMORY_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALBOXCONFIG_TKAPE,
generated::kape_generated::KAPE_FILE_VIRTUALDISKS_TKAPE_2,
generated::kape_generated::KAPE_FILE_DEBIAN_TKAPE,
generated::kape_generated::KAPE_FILE_UBUNTU_TKAPE,
generated::kape_generated::KAPE_FILE_KALI_TKAPE,
generated::kape_generated::KAPE_FILE_OPENSUSE_TKAPE,
generated::kape_generated::KAPE_FILE_SUSELINUXENTERPRISESERVER_TKAPE,
generated::kape_generated::KAPE_FILE_360SECUREBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_ARC_TKAPE,
generated::kape_generated::KAPE_FILE_BRAVEBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_CHROME_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMEBETA_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMEDEV_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMESXS_TKAPE,
generated::kape_generated::KAPE_FILE_CHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_COCCOC_TKAPE,
generated::kape_generated::KAPE_FILE_EDGE_TKAPE,
generated::kape_generated::KAPE_FILE_EDGEBETACHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGECHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGEDEVCHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_EDGESXSCHROMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_FIREFOX_TKAPE,
generated::kape_generated::KAPE_FILE_INTERNETEXPLORER_TKAPE,
generated::kape_generated::KAPE_FILE_OPERA_TKAPE,
generated::kape_generated::KAPE_FILE_PRISMAACCESSBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_PUFFINSECUREBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_QQBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_SUPERMIUM_TKAPE,
generated::kape_generated::KAPE_FILE_UCBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_VIVALDI_TKAPE,
generated::kape_generated::KAPE_FILE_WAVEBROWSER_TKAPE,
generated::kape_generated::KAPE_FILE_YANDEX_TKAPE,
generated::kape_generated::KAPE_FILE_APACHEACCESSLOG_TKAPE,
generated::kape_generated::KAPE_FILE_IISLOGFILES_TKAPE,
generated::kape_generated::KAPE_FILE_NGINXLOGS_TKAPE,
generated::kape_generated::KAPE_FILE_MSSQLERRORLOG_TKAPE,
generated::kape_generated::KAPE_FILE_C_ACCESS_LOG,
generated::kape_generated::KAPE_FILE_W3SVC_LOG,
generated::kape_generated::KAPE_FILE_IIS_LOG_FILES,
generated::kape_generated::KAPE_FILE_LOGFILES_LOG,
generated::kape_generated::KAPE_FILE_W3SVC_LOG_2,
generated::kape_generated::KAPE_FILE_W3SVC_LOG_3,
generated::kape_generated::KAPE_FILE_HTTPERR_LOG,
generated::kape_generated::KAPE_FILE_FTPSVC_LOG,
generated::kape_generated::KAPE_FILE_LOG_2,
generated::kape_generated::KAPE_FILE_LOG_ERRORLOG,
generated::kape_generated::KAPE_FILE_MS_SQL_ERRORLOGS,
generated::kape_generated::KAPE_FILE_DESKTOPCENTRAL_SERVER_LOGS,
generated::kape_generated::KAPE_FILE_ADSELFSERVICE_PLUS_LOGS,
generated::kape_generated::KAPE_FILE_LOG_LOG_4,
generated::kape_generated::KAPE_FILE_LOGS_LOG_4,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_C_DATA,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_PROGRAM,
generated::kape_generated::KAPE_FILE_MONGODB_LOGS_ALTERNA,
generated::kape_generated::KAPE_FILE_LOGS_LOG_5,
generated::kape_generated::KAPE_FILE_PSREADLINE_HISTORY_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_CONSOLE_L,
generated::kape_generated::KAPE_FILE_PSREADLINE_HISTORY_TXT_2,
generated::kape_generated::KAPE_FILE_AUTOSAVEFILES_PS1,
generated::kape_generated::KAPE_FILE_CONFIG,
generated::kape_generated::KAPE_FILE_BITTORRENT_DAT,
generated::kape_generated::KAPE_FILE_DC_LOGS,
generated::kape_generated::KAPE_FILE_FREENET_NODE,
generated::kape_generated::KAPE_FILE_FREENET_COMPLETED_LIST_DOWNLOADS,
generated::kape_generated::KAPE_FILE_FREENET_COMPLETED_LIST_UPLOADS,
generated::kape_generated::KAPE_FILE_FREENET_BAK,
generated::kape_generated::KAPE_FILE_FREENET_DOWNLOADS,
generated::kape_generated::KAPE_FILE_FROSTWIRE_TORRENT_DATA,
generated::kape_generated::KAPE_FILE_USER_FROSTWIRE5_FROSTWIRE_PROPS,
generated::kape_generated::KAPE_FILE_USER_FROSTWIRE5_ITUNES_PROPS,
generated::kape_generated::KAPE_FILE_LOCAL_SHALSOFT,
generated::kape_generated::KAPE_FILE_APPLICATION_DATA_GIGATRIBE,
generated::kape_generated::KAPE_FILE_APPLICATION_DATA_SHALSOFT,
generated::kape_generated::KAPE_FILE_NZBGET_NZBGET_LOG,
generated::kape_generated::KAPE_FILE_NZBGET_NZB,
generated::kape_generated::KAPE_FILE_NEWSBIN_DOWNLOADED_DB3,
generated::kape_generated::KAPE_FILE_NEWSLEECHER_DOWNLOADED_DAT,
generated::kape_generated::KAPE_FILE_NICOTINE_LOGS,
generated::kape_generated::KAPE_FILE_NICOTINE_INCOMPLETE,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYFILES_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYSTREAMS_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYMTIMES_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_BUDDYFILEINDEX_DB,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_BUDDYWORDINDEX_DB,
generated::kape_generated::KAPE_FILE_NICOTINE_CONFIG,
generated::kape_generated::KAPE_FILE_NICOTINE_USERSHARES,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_DOWNLOADS_JSON,
generated::kape_generated::KAPE_FILE_ROAMING_NICOTINE_UPLOADS_JSON,
generated::kape_generated::KAPE_FILE_LOGS_SABNZBD_LOG,
generated::kape_generated::KAPE_FILE_ADMIN_HISTORY1_DB,
generated::kape_generated::KAPE_FILE_ROAMING_SHAREAZA,
generated::kape_generated::KAPE_FILE_SOULSEEKQT_SOULSEEK_CHAT_LOGS,
generated::kape_generated::KAPE_FILE_1_DAT,
generated::kape_generated::KAPE_FILE_C_TORRENT,
generated::kape_generated::KAPE_FILE_C_NZB,
generated::kape_generated::KAPE_FILE_LOCAL_EMULE,
generated::kape_generated::KAPE_FILE_C_PART_MET,
generated::kape_generated::KAPE_FILE_QBITTORRENT_INI,
generated::kape_generated::KAPE_FILE_QBITTORRENT_LOGS,
generated::kape_generated::KAPE_FILE_QBITTORRENT_GEODB,
generated::kape_generated::KAPE_FILE_QBITTORRENT_BT_BACKUP,
generated::kape_generated::KAPE_FILE_UTORRENT_DAT,
generated::kape_generated::KAPE_FILE_C_BITMAP,
generated::kape_generated::KAPE_FILE_C_BOOT,
generated::kape_generated::KAPE_FILE_EXTEND_USNJRNL_J,
generated::kape_generated::KAPE_FILE_EXTEND_USNJRNL_MAX,
generated::kape_generated::KAPE_FILE_EXTEND_J,
generated::kape_generated::KAPE_FILE_EXTEND_MAX,
generated::kape_generated::KAPE_FILE_C_LOGFILE,
generated::kape_generated::KAPE_FILE_C_MFT,
generated::kape_generated::KAPE_FILE_C_MFTMIRR,
generated::kape_generated::KAPE_FILE_C_SECURE_SDS,
generated::kape_generated::KAPE_FILE_SDS,
generated::kape_generated::KAPE_FILE_TXFLOG_TOPS_T,
generated::kape_generated::KAPE_FILE_TXFLOG_T,
generated::kape_generated::KAPE_FILE_WINDOWS_NTDS,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSVOL,
generated::kape_generated::KAPE_FILE_PROGRAMS_AMCACHE_HVE,
generated::kape_generated::KAPE_FILE_AMCACHE,
generated::kape_generated::KAPE_FILE_PROGRAMS_AMCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_AMCACHE_TRANSACTION,
generated::kape_generated::KAPE_FILE_APPCOMPAT_PCA,
generated::kape_generated::KAPE_FILE_WINDOWSAPPS_DELETED,
generated::kape_generated::KAPE_FILE_WINDOWS_SYSTEMAPPS,
generated::kape_generated::KAPE_FILE_LOCAL_PACKAGES,
generated::kape_generated::KAPE_FILE_PACKAGES_STATEREPOSITORY_SRD,
generated::kape_generated::KAPE_FILE_PROGRAMDATA_PACKAGES,
generated::kape_generated::KAPE_FILE_CONFIG_APPEVENT_EVT,
generated::kape_generated::KAPE_FILE_APPLICATION_EVENT_LO,
generated::kape_generated::KAPE_FILE_LOGS_APPLICATION_EVTX,
generated::kape_generated::KAPE_FILE_LOGS_APPLICATION_EVTX_2,
generated::kape_generated::KAPE_FILE_BOOT_BCD,
generated::kape_generated::KAPE_FILE_BOOT_BCD_LOG,
generated::kape_generated::KAPE_FILE_NETWORK_DOWNLOADER,
generated::kape_generated::KAPE_FILE_CAPABILITYACCESSMANAGER_CAPABILITYACCESSMANAGER_DB,
generated::kape_generated::KAPE_FILE_MICROSOFT_CRYPTNETURLCACHE,
generated::kape_generated::KAPE_FILE_SYSTEM_WOW64_CRYPTNE,
generated::kape_generated::KAPE_FILE_USER_CRYPTNETURLCACH,
generated::kape_generated::KAPE_FILE_INETCACHE_IE,
generated::kape_generated::KAPE_FILE_DRIVERS_SYS,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE,
generated::kape_generated::KAPE_FILE_ENCAPSULATIONLOGGING,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG,
generated::kape_generated::KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG_2,
generated::kape_generated::KAPE_FILE_LOGS_SYSTEM_EVTX,
generated::kape_generated::KAPE_FILE_EVENT_LOGS_WIN7,
generated::kape_generated::KAPE_FILE_LOGS_SECURITY_EVTX,
generated::kape_generated::KAPE_FILE_LOGS_SECURITY_EVTX_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_2,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_2,
generated::kape_generated::KAPE_FILE_CONFIG_EVT,
generated::kape_generated::KAPE_FILE_LOGS_EVTX,
generated::kape_generated::KAPE_FILE_EVENT_LOGS_WIN7_2,
generated::kape_generated::KAPE_FILE_LOGFILES_ETL,
generated::kape_generated::KAPE_FILE_WDI_TRACE_LOGS_1,
generated::kape_generated::KAPE_FILE_WDI,
generated::kape_generated::KAPE_FILE_WDI_TRACE_LOGS_2,
generated::kape_generated::KAPE_FILE_LOGFILES_WMI,
generated::kape_generated::KAPE_FILE_WMI_TRACE_LOGS,
generated::kape_generated::KAPE_FILE_SYSTEM32_SLEEPSTUDY,
generated::kape_generated::KAPE_FILE_SLEEPSTUDY_TRACE_LOG,
generated::kape_generated::KAPE_FILE_POWEREFFICIENCY_DIAGNOSTICS_ENERGY_NTKL_ETL,
generated::kape_generated::KAPE_FILE_LOGS_ETL,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB_2,
generated::kape_generated::KAPE_FILE_EVENTTRANSCRIPT_DB_2,
generated::kape_generated::KAPE_FILE_TEMP_DIAGNOSTICS,
generated::kape_generated::KAPE_FILE_LOGGING_LOG,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED,
generated::kape_generated::KAPE_FILE_EXCHANGE_SERVER_MODI,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_2,
generated::kape_generated::KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_3,
generated::kape_generated::KAPE_FILE_EXCHANGESETUPLOGS_EXCHANGESETUP_LOG,
generated::kape_generated::KAPE_FILE_LOGS_LOG_6,
generated::kape_generated::KAPE_FILE_SYSTEM32_GROUPPOLICY,
generated::kape_generated::KAPE_FILE_GROUP_POLICY_HISTORY,
generated::kape_generated::KAPE_FILE_USER_GROUP_POLICY_FI,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_INI,
generated::kape_generated::KAPE_FILE_GROUPPOLICY_POL,
generated::kape_generated::KAPE_FILE_LOCAL_GROUP_POLICY_F,
generated::kape_generated::KAPE_FILE_SCRIPTS,
generated::kape_generated::KAPE_FILE_SCRIPTS_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTS,
generated::kape_generated::KAPE_FILE_CONFIG_APPLICATIONHOST_CONFIG,
generated::kape_generated::KAPE_FILE_CONFIG_ADMINISTRATION_CONFIG,
generated::kape_generated::KAPE_FILE_CONFIG_REDIRECTION_CONFIG,
generated::kape_generated::KAPE_FILE_INETPUB_WWWROOT_WEB_CONFIG,
generated::kape_generated::KAPE_FILE_LOCAL_ICONCACHE_DB,
generated::kape_generated::KAPE_FILE_RECENT_AUTOMATICDESTINATIONS,
generated::kape_generated::KAPE_FILE_RECENT_CUSTOMDESTINATIONS,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT,
generated::kape_generated::KAPE_FILE_START_MENU_PROGRAMS_LNK,
generated::kape_generated::KAPE_FILE_USER_RECENT,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK_FILES,
generated::kape_generated::KAPE_FILE_RP_LNK,
generated::kape_generated::KAPE_FILE_PROGRAMS_LNK,
generated::kape_generated::KAPE_FILE_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_BASH_LOGOUT,
generated::kape_generated::KAPE_FILE_BASHRC,
generated::kape_generated::KAPE_FILE_PROFILE,
generated::kape_generated::KAPE_FILE_SYSTEM32_LOGFILES,
generated::kape_generated::KAPE_FILE_LOGFILES,
generated::kape_generated::KAPE_FILE_WINDOWS_PFRO_LOG,
generated::kape_generated::KAPE_FILE_C_MOF,
generated::kape_generated::KAPE_FILE_C_HIBERFIL_SYS,
generated::kape_generated::KAPE_FILE_C_PAGEFILE_SYS,
generated::kape_generated::KAPE_FILE_C_SWAPFILE_SYS,
generated::kape_generated::KAPE_FILE_MINIDUMP_DMP,
generated::kape_generated::KAPE_FILE_SMALL_MEMORY_DUMP_DI,
generated::kape_generated::KAPE_FILE_BACKSTAGEINAPPNAVCACHE,
generated::kape_generated::KAPE_FILE_CLR_LOG,
generated::kape_generated::KAPE_FILE_NET_CLR_USAGELOGS_SY,
generated::kape_generated::KAPE_FILE_LOCALSTATE_TABSTATE_BIN,
generated::kape_generated::KAPE_FILE_WINDOWSTATE_BIN,
generated::kape_generated::KAPE_FILE_SETTINGS_SETTINGS_DAT,
generated::kape_generated::KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_WORD,
generated::kape_generated::KAPE_FILE_MICROSOFT_EXCEL,
generated::kape_generated::KAPE_FILE_MICROSOFT_POWERPOINT,
generated::kape_generated::KAPE_FILE_MICROSOFT_PUBLISHER,
generated::kape_generated::KAPE_FILE_DIAGNOSTICS_PCW_DEBUGREPORT_XML,
generated::kape_generated::KAPE_FILE_ELEVATEDDIAGNOSTICS_PCW_DEBUGREPORT_XML,
generated::kape_generated::KAPE_FILE_OFFICEFILECACHE,
generated::kape_generated::KAPE_FILE_C_PERFLOGS,
generated::kape_generated::KAPE_FILE_POWERSHELL_7_POWERSHELL_CONFIG_JSON,
generated::kape_generated::KAPE_FILE_DOCUMENTS_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIP,
generated::kape_generated::KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT_2,
generated::kape_generated::KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT_2,
generated::kape_generated::KAPE_FILE_PREFETCH_PF,
generated::kape_generated::KAPE_FILE_PREFETCH,
generated::kape_generated::KAPE_FILE_C_PROGRAMDATA,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT_2,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_2,
generated::kape_generated::KAPE_FILE_TEMP_QUICKASSIST,
generated::kape_generated::KAPE_FILE_TEMP_REMOTEHELP,
generated::kape_generated::KAPE_FILE_TERMINAL_SERVER_CLIENT_CACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_OLD_RDP_CACH,
generated::kape_generated::KAPE_FILE_RDP_CACHE_FILES,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_REMOTEDESKTOP_8WEKYB3D8BBWE,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_3,
generated::kape_generated::KAPE_FILE_REMOTECONNECTIONMANA,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_3,
generated::kape_generated::KAPE_FILE_LOCALSESSIONMANAGER,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_3,
generated::kape_generated::KAPE_FILE_RDPCLIENT_EVENT_LOGS,
generated::kape_generated::KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_3,
generated::kape_generated::KAPE_FILE_RDPCORETS_EVENT_LOGS,
generated::kape_generated::KAPE_FILE_PROGRAMS_RECENTFILECACHE_BCF,
generated::kape_generated::KAPE_FILE_RECENTFILECACHE,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT_2,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT_2,
generated::kape_generated::KAPE_FILE_RECYCLE_BIN_R,
generated::kape_generated::KAPE_FILE_R,
generated::kape_generated::KAPE_FILE_RECYCLE_D,
generated::kape_generated::KAPE_FILE_RECYCLE_BIN_I,
generated::kape_generated::KAPE_FILE_RECYCLE_INFO2,
generated::kape_generated::KAPE_FILE_HELIUM_REGISTRY_DAT,
generated::kape_generated::KAPE_FILE_REGISTRY_DAT,
generated::kape_generated::KAPE_FILE_REGISTRY_DAT_MSIX_HI,
generated::kape_generated::KAPE_FILE_SETTINGS_SETTINGS_DAT_2,
generated::kape_generated::KAPE_FILE_HELIUM_USER_DAT,
generated::kape_generated::KAPE_FILE_HELIUM_USERCLASSES_DAT,
generated::kape_generated::KAPE_FILE_CONFIG_BBI,
generated::kape_generated::KAPE_FILE_BBI_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_BBI_LOG,
generated::kape_generated::KAPE_FILE_BBI_REGISTRY_TRANSAC,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE,
generated::kape_generated::KAPE_FILE_BCD_TEMPLATE_REGISTR,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG_2,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS,
generated::kape_generated::KAPE_FILE_COMPONENTS_REGISTRY,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_COMPONENTS_LOG_2,
generated::kape_generated::KAPE_FILE_CONFIG_DRIVERS,
generated::kape_generated::KAPE_FILE_DRIVERS_REGISTRY_HIV,
generated::kape_generated::KAPE_FILE_CONFIG_DRIVERS_LOG,
generated::kape_generated::KAPE_FILE_DRIVERS_REGISTRY_TRA,
generated::kape_generated::KAPE_FILE_CONFIG_ELAM,
generated::kape_generated::KAPE_FILE_ELAM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_ELAM_LOG,
generated::kape_generated::KAPE_FILE_ELAM_REGISTRY_TRANSA,
generated::kape_generated::KAPE_FILE_CONFIG_USERDIFF,
generated::kape_generated::KAPE_FILE_USERDIFF_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_USERDIFF_LOG,
generated::kape_generated::KAPE_FILE_USERDIFF_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_VSMIDK,
generated::kape_generated::KAPE_FILE_VSMIDK_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_VSMIDK_LOG,
generated::kape_generated::KAPE_FILE_VSMIDK_REGISTRY_TRAN,
generated::kape_generated::KAPE_FILE_CONFIG_SAM_LOG,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_TRANSAC,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_LOG,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_LOG,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_TRAN,
generated::kape_generated::KAPE_FILE_CONFIG_SAM,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_HIVE,
generated::kape_generated::KAPE_FILE_REGBACK_LOG,
generated::kape_generated::KAPE_FILE_REGBACK_REGISTRY_TRA,
generated::kape_generated::KAPE_FILE_REGBACK_SAM,
generated::kape_generated::KAPE_FILE_SAM_REGISTRY_HIVE_RE,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_2,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_2,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_SYSTEM_PROFILE_REGIS,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_LOCAL_SERVICE_REGIST,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_NETWORK_SERVICE_REGI,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG_2,
generated::kape_generated::KAPE_FILE_SNAPSHOT_REGISTRY,
generated::kape_generated::KAPE_FILE_USER_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_REGISTRY,
generated::kape_generated::KAPE_FILE_USER_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_CONFIG_DEFAULT,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_DEFAULT_R,
generated::kape_generated::KAPE_FILE_CONFIG_DEFAULT_LOG,
generated::kape_generated::KAPE_FILE_NTUSER_DAT_DEFAULT_T,
generated::kape_generated::KAPE_FILE_WINDOWS_USRCLASS_DAT,
generated::kape_generated::KAPE_FILE_WINDOWS_USRCLASS_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_NTUSER_DAT,
generated::kape_generated::KAPE_FILE_C_NTUSER_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_DEFAULT,
generated::kape_generated::KAPE_FILE_C_DEFAULT_LOG,
generated::kape_generated::KAPE_FILE_C_USRCLASS_DAT,
generated::kape_generated::KAPE_FILE_C_USRCLASS_DAT_LOG,
generated::kape_generated::KAPE_FILE_C_LNK,
generated::kape_generated::KAPE_FILE_MICROSOFT_WORD_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_EXCEL_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_POWERPOINT_2,
generated::kape_generated::KAPE_FILE_MICROSOFT_PUBLISHER_2,
generated::kape_generated::KAPE_FILE_PUBLISHER_AUTOSAVE_L,
generated::kape_generated::KAPE_FILE_OFFICEFILECACHE_2,
generated::kape_generated::KAPE_FILE_OFFICE_DOCUMENT_CACH,
generated::kape_generated::KAPE_FILE_BOOKMARKS_21,
generated::kape_generated::KAPE_FILE_CHROME_BOOKMARKS_3,
generated::kape_generated::KAPE_FILE_COOKIES_17,
generated::kape_generated::KAPE_FILE_CHROME_COOKIES_3,
generated::kape_generated::KAPE_FILE_CURRENT_SESSION_19,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_SESSI_3,
generated::kape_generated::KAPE_FILE_CURRENT_TABS_19,
generated::kape_generated::KAPE_FILE_CHROME_CURRENT_TABS_3,
generated::kape_generated::KAPE_FILE_DOWNLOAD_METADATA_2,
generated::kape_generated::KAPE_FILE_CHROME_DOWNLOAD_META,
generated::kape_generated::KAPE_FILE_EXTENSION_COOKIES_18,
generated::kape_generated::KAPE_FILE_CHROME_EXTENSION_COO,
generated::kape_generated::KAPE_FILE_FAVICONS_22,
generated::kape_generated::KAPE_FILE_CHROME_FAVICONS_3,
generated::kape_generated::KAPE_FILE_HISTORY_22,
generated::kape_generated::KAPE_FILE_CHROME_HISTORY_3,
generated::kape_generated::KAPE_FILE_LAST_SESSION_18,
generated::kape_generated::KAPE_FILE_CHROME_LAST_SESSION_3,
generated::kape_generated::KAPE_FILE_LAST_TABS_18,
generated::kape_generated::KAPE_FILE_CHROME_LAST_TABS_3,
generated::kape_generated::KAPE_FILE_SESSIONS_20,
generated::kape_generated::KAPE_FILE_CHROME_SESSIONS_FOLD,
generated::kape_generated::KAPE_FILE_LOGIN_DATA_21,
generated::kape_generated::KAPE_FILE_CHROME_LOGIN_DATA_3,
generated::kape_generated::KAPE_FILE_MEDIA_HISTORY_18,
generated::kape_generated::KAPE_FILE_CHROME_MEDIA_HISTORY,
generated::kape_generated::KAPE_FILE_NETWORK_ACTION_PREDICTOR_22,
generated::kape_generated::KAPE_FILE_CHROME_NETWORK_ACTIO,
generated::kape_generated::KAPE_FILE_NETWORK_PERSISTENT_STATE_21,
generated::kape_generated::KAPE_FILE_CHROME_NETWORK_PERSI,
generated::kape_generated::KAPE_FILE_PREFERENCES_22,
generated::kape_generated::KAPE_FILE_CHROME_PREFERENCES_3,
generated::kape_generated::KAPE_FILE_QUOTAMANAGER_19,
generated::kape_generated::KAPE_FILE_CHROME_QUOTA_MANAGER,
generated::kape_generated::KAPE_FILE_REPORTING_AND_NEL_19,
generated::kape_generated::KAPE_FILE_CHROME_REPORTING_AND,
generated::kape_generated::KAPE_FILE_SHORTCUTS_21,
generated::kape_generated::KAPE_FILE_CHROME_SHORTCUTS_3,
generated::kape_generated::KAPE_FILE_TOP_SITES_22,
generated::kape_generated::KAPE_FILE_CHROME_TOP_SITES_3,
generated::kape_generated::KAPE_FILE_TRUST_TOKENS_18,
generated::kape_generated::KAPE_FILE_CHROME_TRUST_TOKENS,
generated::kape_generated::KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_13,
generated::kape_generated::KAPE_FILE_CHROME_SYNCDATA_DATA,
generated::kape_generated::KAPE_FILE_VISITED_LINKS_22,
generated::kape_generated::KAPE_FILE_CHROME_VISITED_LINKS_3,
generated::kape_generated::KAPE_FILE_WEB_DATA_22,
generated::kape_generated::KAPE_FILE_CHROME_WEB_DATA_3,
generated::kape_generated::KAPE_FILE_PROTECT_18,
generated::kape_generated::KAPE_FILE_WINDOWS_PROTECT_FOLD,
generated::kape_generated::KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE_2,
generated::kape_generated::KAPE_FILE_EDGE_FOLDER,
generated::kape_generated::KAPE_FILE_C_AMCACHE_HVE,
generated::kape_generated::KAPE_FILE_C_AMCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_RECENT_3,
generated::kape_generated::KAPE_FILE_LNK_FILES_FROM_RECEN,
generated::kape_generated::KAPE_FILE_OFFICE_RECENT_3,
generated::kape_generated::KAPE_FILE_LNK_FILES_FROM_MICRO,
generated::kape_generated::KAPE_FILE_DESKTOP_LNK_FILES_2,
generated::kape_generated::KAPE_FILE_CCM_LOGS,
generated::kape_generated::KAPE_FILE_CUSTOM_SDB,
generated::kape_generated::KAPE_FILE_SDB_FILES,
generated::kape_generated::KAPE_FILE_CUSTOM64_SDB,
generated::kape_generated::KAPE_FILE_SDB_FILES_X64,
generated::kape_generated::KAPE_FILE_SYSTEM32_SRU,
generated::kape_generated::KAPE_FILE_SRUM,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_2,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG_2,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR_2,
generated::kape_generated::KAPE_FILE_LOGFILES_SUM,
generated::kape_generated::KAPE_FILE_TASKS_JOB,
generated::kape_generated::KAPE_FILE_AT_JOB,
generated::kape_generated::KAPE_FILE_WINDOWS_SCHEDLGU_TXT,
generated::kape_generated::KAPE_FILE_AT_SCHEDLGU_TXT,
generated::kape_generated::KAPE_FILE_SYSTEM32_TASKS,
generated::kape_generated::KAPE_FILE_SYSWOW64_TASKS,
generated::kape_generated::KAPE_FILE_XML,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULEDJOBS,
generated::kape_generated::KAPE_FILE_OUTPUT,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULED,
generated::kape_generated::KAPE_FILE_OUTPUT_2,
generated::kape_generated::KAPE_FILE_POWERSHELL_SCHEDULEDJOBS_2,
generated::kape_generated::KAPE_FILE_OUTPUT_3,
generated::kape_generated::KAPE_FILE_SYSTEM32_CATROOT,
generated::kape_generated::KAPE_FILE_SIGNATURECATALOG,
generated::kape_generated::KAPE_FILE_TEMPSTATE_PNG,
generated::kape_generated::KAPE_FILE_SNIP_SKETCH,
generated::kape_generated::KAPE_FILE_SCREENCLIP_JSON,
generated::kape_generated::KAPE_FILE_SCREENSHOTS_PNG,
generated::kape_generated::KAPE_FILE_SNIPS_PNG,
generated::kape_generated::KAPE_FILE_PROGRAMS_STARTUP,
generated::kape_generated::KAPE_FILE_SYSTEM_WIDE_STARTUP,
generated::kape_generated::KAPE_FILE_STARTUPINFO_XML,
generated::kape_generated::KAPE_FILE_STARTUPINFO_XML_FILE,
generated::kape_generated::KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE,
generated::kape_generated::KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE_LOG,
generated::kape_generated::KAPE_FILE_EXPLORER_THUMBCACHE_DB,
generated::kape_generated::KAPE_FILE_WINDOWS_SETUPAPI_LOG,
generated::kape_generated::KAPE_FILE_INF_SETUPAPI_LOG,
generated::kape_generated::KAPE_FILE_SETUPAPI_LOG_WIN7,
generated::kape_generated::KAPE_FILE_USERS_USER,
generated::kape_generated::KAPE_FILE_C_VHD,
generated::kape_generated::KAPE_FILE_C_VHDX,
generated::kape_generated::KAPE_FILE_C_VDI,
generated::kape_generated::KAPE_FILE_C_VMDK,
generated::kape_generated::KAPE_FILE_WBEM_REPOSITORY,
generated::kape_generated::KAPE_FILE_WBEM,
generated::kape_generated::KAPE_FILE_WINDOWS_WER,
generated::kape_generated::KAPE_FILE_WER_FILES,
generated::kape_generated::KAPE_FILE_CRASHDUMPS_DMP,
generated::kape_generated::KAPE_FILE_WINDOWS_DMP,
generated::kape_generated::KAPE_FILE_CRASH_DUMPS,
generated::kape_generated::KAPE_FILE_LOGCAT_LOG,
generated::kape_generated::KAPE_FILE_LOCALCACHE_PNG,
generated::kape_generated::KAPE_FILE_LOCALCACHE_ICO,
generated::kape_generated::KAPE_FILE_LOCALSTATE_APPCOMPATDB_JSON,
generated::kape_generated::KAPE_FILE_LOCALCACHE_USERDATA_VHDX,
generated::kape_generated::KAPE_FILE_ETC_DEBIAN_VERSION,
generated::kape_generated::KAPE_FILE_ETC_FSTAB,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE,
generated::kape_generated::KAPE_FILE_ETC_PASSWD,
generated::kape_generated::KAPE_FILE_ETC_GROUP,
generated::kape_generated::KAPE_FILE_ETC_SHADOW,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_2,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC,
generated::kape_generated::KAPE_FILE_ETC_PROFILE,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS,
generated::kape_generated::KAPE_FILE_APT_LOG,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX,
generated::kape_generated::KAPE_FILE_ETC_DEBIAN_VERSION_2,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_2,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_2,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_2,
generated::kape_generated::KAPE_FILE_ETC_GROUP_2,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_2,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_2,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_3,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB_2,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_2,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_2,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_2,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_2,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_2,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS_2,
generated::kape_generated::KAPE_FILE_APT_LOG_2,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_2,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_3,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_3,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_3,
generated::kape_generated::KAPE_FILE_ETC_GROUP_3,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_3,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_3,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_3,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_4,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_3,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_3,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_3,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_3,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_3,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_3,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_4,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_4,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_4,
generated::kape_generated::KAPE_FILE_ETC_GROUP_4,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_4,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_4,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_4,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_5,
generated::kape_generated::KAPE_FILE_ETC_CRONTAB_3,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_4,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_4,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_4,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_4,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_4,
generated::kape_generated::KAPE_FILE_CRON_CRONTABS_3,
generated::kape_generated::KAPE_FILE_APT_LOG_3,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_4,
generated::kape_generated::KAPE_FILE_ETC_OS_RELEASE_5,
generated::kape_generated::KAPE_FILE_ETC_FSTAB_5,
generated::kape_generated::KAPE_FILE_ETC_PASSWD_5,
generated::kape_generated::KAPE_FILE_ETC_GROUP_5,
generated::kape_generated::KAPE_FILE_ETC_SHADOW_5,
generated::kape_generated::KAPE_FILE_ETC_TIMEZONE_5,
generated::kape_generated::KAPE_FILE_ETC_HOSTNAME_5,
generated::kape_generated::KAPE_FILE_ETC_HOSTS_6,
generated::kape_generated::KAPE_FILE_ETC_BASH_BASHRC_5,
generated::kape_generated::KAPE_FILE_ETC_PROFILE_5,
generated::kape_generated::KAPE_FILE_ROOTFS_BASH_HISTORY_5,
generated::kape_generated::KAPE_FILE_ROOTFS_BASHRC_5,
generated::kape_generated::KAPE_FILE_ROOTFS_PROFILE_5,
generated::kape_generated::KAPE_FILE_LOCALSTATE_EXT4_VHDX_5,
generated::kape_generated::KAPE_FILE_DIAGOUTPUTDIR_WINDOWS365,
generated::kape_generated::KAPE_FILE_COREAIPLATFORM_00_UKP,
generated::kape_generated::KAPE_FILE_FIREWALL_PFIREWALL,
generated::kape_generated::KAPE_FILE_WINDOWS_FIREWALL_LOG,
generated::kape_generated::KAPE_FILE_CRYPTO_KEYS,
generated::kape_generated::KAPE_FILE_S_1_5_18_USER,
generated::kape_generated::KAPE_FILE_MICROSOFT_NGC,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_LOG_2,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_TR_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_LOG_3,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_TR_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_LOG_2,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_TRAN_2,
generated::kape_generated::KAPE_FILE_CONFIG_SECURITY_2,
generated::kape_generated::KAPE_FILE_SECURITY_REGISTRY_HI_2,
generated::kape_generated::KAPE_FILE_CONFIG_SOFTWARE_3,
generated::kape_generated::KAPE_FILE_SOFTWARE_REGISTRY_HI_3,
generated::kape_generated::KAPE_FILE_CONFIG_SYSTEM_2,
generated::kape_generated::KAPE_FILE_SYSTEM_REGISTRY_HIVE_2,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_3,
generated::kape_generated::KAPE_FILE_REGBACK_SECURITY_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_3,
generated::kape_generated::KAPE_FILE_REGBACK_SOFTWARE_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_3,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM_2_2,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_3,
generated::kape_generated::KAPE_FILE_REGBACK_SYSTEM1_2_2,
generated::kape_generated::KAPE_FILE_APPLICATIONS_WINDOWS,
generated::kape_generated::KAPE_FILE_APPLICATIONS_S_1,
generated::kape_generated::KAPE_FILE_S_1_GATHERLOGS,
generated::kape_generated::KAPE_FILE_WINDOWS_GATHERLOGS,
generated::kape_generated::KAPE_FILE_DRIVERS_ETC,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_3,
generated::kape_generated::KAPE_FILE_NOTIFICATIONS_APPDB_DAT_3,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHERMIGLOG_XML,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHERSETUPACT_LOG,
generated::kape_generated::KAPE_FILE_WINDOWS_PANTHER_HUMANREADABLE_XML,
generated::kape_generated::KAPE_FILE_PANTHER_ROLLBACKFOLDERMOVELOG_TXT,
generated::kape_generated::KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB_2,
generated::kape_generated::KAPE_FILE_WINDOWS_POWER_EFFICIENCY_DIAGNOSTICS,
generated::kape_generated::KAPE_FILE_CONFIG_NETLOGON,
generated::kape_generated::KAPE_FILE_SYSTEM32_DNS,
generated::kape_generated::KAPE_FILE_SYSTEM32_DHCP,
generated::kape_generated::KAPE_FILE_DIAGNOSIS_EVENTS_RBS,
generated::kape_generated::KAPE_FILE_LEGACY_RBS_FILES_REL,
generated::kape_generated::KAPE_FILE_CONNECTEDDEVICESPLATFORM_ACTIVITIESCACHE_DB,
generated::kape_generated::KAPE_FILE_SYSTEM_ETL,
generated::kape_generated::KAPE_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL,
generated::kape_generated::KAPE_FILE_CBS_CBS_LOG,
generated::kape_generated::KAPE_FILE_SOFTWAREDISTRIBUTION_DATASTORE,
generated::kape_generated::KAPE_FILE_C_SYSTEM_VOLUME_INFORMATION,
generated::nirsoft_generated::NIRSOFT_LAST_ACTIVITY_RECENT_ITEMS,
generated::nirsoft_generated::NIRSOFT_BROWSING_HISTORY_CHROME,
generated::nirsoft_generated::NIRSOFT_BROWSING_HISTORY_FIREFOX,
generated::nirsoft_generated::NIRSOFT_NETWORK_CONNECT_LOG,
generated::nirsoft_generated::NIRSOFT_USBDEVIEW_ENUM_USB,
generated::nirsoft_generated::NIRSOFT_USBDEVIEW_ENUM_USBSTOR,
generated::nirsoft_generated::NIRSOFT_SHELLBAGS_USRCLASS_BAGS,
generated::nirsoft_generated::NIRSOFT_SHELLBAGS_NTUSER_BAGS,
generated::nirsoft_generated::NIRSOFT_JUMPLISTS_AUTOMATIC_DESTINATIONS,
generated::nirsoft_generated::NIRSOFT_JUMPLISTS_CUSTOM_DESTINATIONS,
generated::nirsoft_generated::NIRSOFT_MUICACHE_LOCAL_SETTINGS,
generated::nirsoft_generated::NIRSOFT_RECENTFILES_RECENTDOCS_KEY,
generated::nirsoft_generated::NIRSOFT_WIFI_HISTORY_PROFILES_DIR,
generated::nirsoft_generated::NIRSOFT_NETWORK_PASSWORDS_CRED_DIR,
generated::nirsoft_generated::NIRSOFT_SAM_HIVE_REG,
generated::nirsoft_generated::NIRSOFT_REGISTRY_CHANGES_NTUSER,
generated::nirsoft_generated::NIRSOFT_OPENED_FILES_VIEW_HANDLE,
generated::nirsoft_generated::NIRSOFT_PROCESS_ACTIVITY_PREFETCH,
generated::nirsoft_generated::NIRSOFT_INSTALLED_CODEC_AUDIO,
generated::nirsoft_generated::NIRSOFT_STARTUP_RUN_HKLM_RUN,
generated::nirsoft_generated::NIRSOFT_STARTUP_RUN_HKCU_RUN,
generated::nirsoft_generated::NIRSOFT_APP_CRASH_DUMPS_DIR,
generated::regedit_generated::REGEDIT_NETWORK,
generated::regedit_generated::REGEDIT_MICROSOFT_INTERNET_EXPLORER_TYPEDURLS,
generated::regedit_generated::REGEDIT_USER_MRU,
generated::regedit_generated::REGEDIT_MICROSOFT_TERMINAL_SERVER_CLIENT,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_CIDSIZEMRU,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_FIRSTFOLDER,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_LASTVISITEDPIDLMRU,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_LASTVISITEDPIDLMRULEGACY,
generated::regedit_generated::REGEDIT_EXPLORER_COMDLG32_OPENSAVEPIDLMRU,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_FILEEXTS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_RECENTDOCS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_MOUNTPOINTS2,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUN,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUNONCE,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_RUNMRU,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_TYPEDPATHS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_USERASSIST,
generated::regedit_generated::REGEDIT_CURRENTVERSION_EXPLORER_WORDWHEELQUERY,
generated::regedit_generated::REGEDIT_CURRENTVERSION_SEARCH_RECENTAPPS,
generated::regedit_generated::REGEDIT_DOMAINS_ACCOUNT_USERS,
generated::regedit_generated::REGEDIT_MICROSOFT_WINDOWS_NT_CURRENTVERSION,
generated::regedit_generated::REGEDIT_WINDOWS_NT_CURRENTVERSION_NETWORKLIST,
generated::regedit_generated::REGEDIT_POLICIES_EXPLORER_RUN,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUN_SYSTEM_RUN_KEY,
generated::regedit_generated::REGEDIT_WINDOWS_CURRENTVERSION_RUNONCE_SYSTEM_RUNONCE,
generated::regedit_generated::REGEDIT_MICROSOFT_WINDOWS_PORTABLE_DEVICES_DEVICES,
generated::regedit_generated::REGEDIT_CONTROL_COMPUTERNAME_COMPUTERNAME,
generated::regedit_generated::REGEDIT_CONTROL_SESSION_MANAGER_APPCOMPATCACHE,
generated::regedit_generated::REGEDIT_CONTROLSET00_CONTROL_TIMEZONEINFORMATION,
generated::regedit_generated::REGEDIT_SYSTEM_CONTROLSET00_SERVICES,
generated::regedit_generated::REGEDIT_SERVICES_BAM_USERSETTINGS,
generated::regedit_generated::REGEDIT_SERVICES_DAM_USERSETTINGS,
generated::regedit_generated::REGEDIT_SERVICES_LANMANSERVER_SHARES,
generated::regedit_generated::REGEDIT_TCPIP_PARAMETERS_INTERFACES,
generated::regedit_generated::REGEDIT_PARAMETERS_INTERFACES,
generated::regedit_generated::REGEDIT_SYSTEM_MOUNTEDDEVICES,
generated::regedit_generated::REGEDIT_SYSTEM_SETUP,
generated::regedit_generated::REGEDIT_SYSTEM_SELECT,
generated::regedit_generated::REGEDIT_CONTROLSET00_CONTROL_WINDOWS,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_PRO,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_RUN,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_SID,
generated::regedit_generated::REGEDIT_CURRENTVERSION_PROFILELIST_PROFILELIST_STA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_SYSMON_4OPERATIONAL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DOCX_DOCM_DOTX_DOTM_DOCB_XLSX_XLSM_XLTX_XL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USERS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_C_PROGRAM_FILES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_LOCALLOGS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_ACCESS_LOG_ACCESS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_BIN_LS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_IMAGE_DD,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_MANIFEST_JSON,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_EXTENSIONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RUN_DOCKER_SOCK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_APT_LISTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DPKG_STATUS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RUN_SNAPD_SOCKET,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_JOURNAL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SBIN_AUDITCTL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_AUTH_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SYSLOGTIMESTAMP_TIMESTAMP_SYSLOGFACILITY_S,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_HOME,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_MOUNTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_NET_ARP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_MODULES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SBIN_NFT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SSH_AUTHORIZED_KEYS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SSH_PEM_ID_RSA_ID_DSA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ACPI_TABLES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_HISTORY,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROC_STAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CRONTABS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CRON_WEEKLY,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_GROUP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_WTMP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USR,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_PASSWD,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOG_AUTH_LOG_SECURE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_BIN_SYNC,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_FINDER_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_COM_APPLE_XPC_LAUNCHD_DISABLED_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TABS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RECEIPTS_INSTALLHISTORY_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DOWNLOADS_ZIP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_DOCK_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_LAUNCHSERVICES_QUARA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_COM_APPLE_TCC_TCC_DB,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFERENCES_COM_APPLE_TIMEMACHINE_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_USERS_PLIST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SYSTEMCONFIGURATION_COM_APPLE_AIRPORT_PREF,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_YAML_YML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TO_IMAGE_VMDK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_REMAPPING_WRITEBACK_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_1_YAML,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_FAVICONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_3_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_LOG,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEAMVIEWER_CONNECTIONS_INCOMING_TXT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TMP_COLLECTION_ZIP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PROGRAMS_AMCACHE_HVE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_INVENTORY_FILE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DLL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWS_SYSMON64_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_RUN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_RTF_DOC_DOT_DOCX_DOCM_DOTX_DOTM_DOCB_XLS_X,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWS_SYSTEM32,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_WINPMEM_SYS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SECURITY_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYSTEM_SECURITY_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINEVT_LOGS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_POWERSHELL_4OPERATI,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYSTEM_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LO,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_MICROSOFT_WINDOWS_TASKSCHEDULER_4OPER,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_E,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LOGS_APPLICATION_EVTX,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TEMP_PROCESSES_SQLITE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_METADATA,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_METADATA_2,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_AUTOMATICDESTINATIONS_AUTOMATICDESTINATION,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_LNK,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_WINDOWSTATE_01_BIN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TABSTATE_BIN,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PREFETCH_PF,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_PST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CACHE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_NTUSER_DAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_I,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CONFIG_SAM,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SRU_SRUDB_DAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ACTIVITIESCACHE_DB,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_SUM,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_IMAGE_FILE_EXECUTION_OPTIONS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_V1_0_PROFILE_MICROSOFT_PROFILE_PS1,
generated::velociraptor_generated::VELOCIRAPTOR_MICROSOFT_WOW64,
generated::velociraptor_generated::VELOCIRAPTOR_SESSION_MANAGER_APPCOMPATCACHE_APPCOMPATCACHE,
generated::velociraptor_generated::VELOCIRAPTOR_CONTROL_BACKUPRESTORE,
generated::velociraptor_generated::VELOCIRAPTOR_SERVICES_PORTPROXY,
generated::velociraptor_generated::VELOCIRAPTOR_SOFTWARE_SYSINTERNALS,
generated::velociraptor_generated::VELOCIRAPTOR_SECURITYPROVIDERS_WDIGEST,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_TASKS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_V1_0_POWERSHELL_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_HOSTS,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_ETC_HOSTS_VELOCIRAPTOR_BACKUP,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_VHDX,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_PROFILELIST,
generated::velociraptor_generated::VELOCIRAPTOR_APPCOMPATFLAGS_INSTALLEDSDB,
generated::velociraptor_generated::VELOCIRAPTOR_CUSTOM,
generated::velociraptor_generated::VELOCIRAPTOR_FIREWALLRULES,
generated::velociraptor_generated::VELOCIRAPTOR_SYSTEM_RESOURCES_PHYSICAL_MEMORY_TRANSLATED,
generated::velociraptor_generated::VELOCIRAPTOR_CURRENTVERSION_UNINSTALL,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_CAT,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_POWERSHELL_MODULEANALYSISCACHE,
generated::velociraptor_generated::VELOCIRAPTOR_SYSTEM_CURRENTCONTROLSET_SERVICES,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_DLL_EXE,
generated::velociraptor_generated::VELOCIRAPTOR_FILE_C_MFT,
browser_ext::BROWSER_CHROME_HISTORY,
browser_ext::BROWSER_CHROME_COOKIES,
browser_ext::BROWSER_CHROME_DOWNLOADS,
browser_ext::BROWSER_CHROME_BOOKMARKS,
browser_ext::BROWSER_CHROME_EXTENSIONS,
browser_ext::BROWSER_CHROME_LOGIN_DATA_V2,
browser_ext::BROWSER_CHROME_AUTOFILL,
browser_ext::BROWSER_CHROME_CACHE,
browser_ext::BROWSER_CHROME_SESSION,
browser_ext::BROWSER_CHROME_SESSION_MEMORY,
browser_ext::BROWSER_FIREFOX_HISTORY,
browser_ext::BROWSER_FIREFOX_COOKIES,
browser_ext::BROWSER_FIREFOX_DOWNLOADS,
browser_ext::BROWSER_FIREFOX_SESSION_MEMORY,
browser_ext::BROWSER_SAFARI_HISTORY,
macos_ext::IOS_UNIFIED_LOG,
macos_ext::IOS14_MAPS_HISTORY,
macos_ext::HEIC_IMAGE_FILE,
macos_ext::UBER_IOS_LEVELDB,
macos_ext::IOS_GOOGLE_CHAT_CACHEV0,
macos_ext::IOS_MOBILE_CONTAINER_MANAGER,
macos_ext::MACOS_BTM_BACKGROUND_TASKS,
windows_files_ext::ONEDRIVE_ODL_LOGS,
android_ext::SAMSUNG_GALLERY3D_TRASH,
android_ext::SAMSUNG_GALLERY3D_LOG,
android_ext::ANDROID_TOR_BROWSER_THUMBNAILS,
android_ext::ANDROID_GBOARD_TRAININGCACHE,
cloud_ext::GOOGLE_TAKEOUT_LOCATION_RECORDS,
cloud_ext::GOOGLE_TAKEOUT_SEMANTIC_LOCATION_HISTORY,
cloud_ext::AWS_CLOUDTRAIL_IAM_EVENTS,
vehicle_ext::HONDA_ACCORD_RECENTSTOPS,
vehicle_ext::HONDA_ACCORD_CRM_ECO_LOGS,
vehicle_ext::HONDA_ACCORD_PHONEDB,
vehicle_ext::HONDA_ACCORD_BLUETOOTH,
vehicle_ext::GARMIN_NUVI_VOICE_LOG,
windows_registry_ext3::RUN_SERVICES_HKLM,
windows_registry_ext3::RUN_SERVICES_HKCU,
windows_registry_ext3::RUN_SERVICES_ONCE_HKLM,
windows_registry_ext3::RUN_SERVICES_ONCE_HKCU,
windows_registry_ext3::FIREWALL_AUTHORIZED_APPS,
windows_registry_ext3::SSODL,
windows_registry_ext3::SHARED_TASK_SCHEDULER,
windows_registry_ext3::CREDENTIAL_PROVIDER_FILTERS,
linux_ext::ESXI_ATTESTD_LOG,
linux_ext::ESXI_ESXTOKEND_LOG,
linux_ext::ESXI_KMXA_LOG,
];