├── README.md
├── SysmonForLinux
│   ├── ReadME.md
│   └── config.xml
├── startupscript.bat
├── sysmonconfig.xml
└── sysmonv9.xml
/README.md:
--------------------------------------------------------------------------------
# Sysmon configuration and scripts
Create a GPO startup script and execute the batch file from it. The script exits if it finds sysmonconfig.xml in C:\Windows, so when you deploy a new config, change the file name the script checks for.
# Sysmon V9.0
In the Sysmon v9.0 config file we added some of the detections from JPCERT (https://jpcertcc.github.io/ToolAnalysisResultSheet/).
We also included most of https://github.com/olafhartong/sysmon-modular and some of https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon.
Our target is to map most of MITRE ATT&CK and the JPCERT tool analysis in this Sysmon config. You might need to add exclusions for some of the software in your environment, including antivirus, EDR and application whitelisting. Some of the events are also noisy, such as the pipe-related events.
--------------------------------------------------------------------------------
/SysmonForLinux/ReadME.md:
--------------------------------------------------------------------------------
# Config File
The config file in this repo is based on the MSTIC config file, to which we have added:
* Sigma rules for Linux detections
* GTFOBins detections
* Detections from malware research articles on Linux
# Live log view
```
journalctl -f | /opt/sysmon/sysmonLogView
```
# References
https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
https://www.lares.com/blog/sysmon-for-linux-test-drive/
https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/main.xml
--------------------------------------------------------------------------------
/SysmonForLinux/config.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/startupscript.bat:
--------------------------------------------------------------------------------
@echo off

SET Configfile="c:\windows\sysmonconfig.xml"
IF EXIST %Configfile% GOTO END

REM You can use "sysmon -u" here in future versions to uninstall the old version before installing the new one.
copy /z /y "\\UNCPATH\sysmonconfig.xml" "C:\windows\"
copy /z /y "\\UNCPATH\sysmon.exe" "C:\windows\"


"C:\windows\sysmon.exe" /accepteula -i c:\windows\sysmonconfig.xml

:End
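An added PowerShell variant of the startup script, written for this page and not part of the repository: it installs Sysmon when the service is absent and otherwise pushes the config from the share with `sysmon -c` only when its SHA-256 differs from the locally cached copy, so a new config no longer requires renaming the file the script checks for. The share path `\\UNCPATH` is the repository's own placeholder; the service names `Sysmon`/`Sysmon64` and the log file location are assumptions.

```powershell
# Added example, not part of this repository: idempotent Sysmon deployment for a
# GPO startup script. Unlike startupscript.bat it does not stop when a config
# already exists; it compares the deployed config with the copy on the share and
# applies an update with "sysmon -c" when the two differ.
# Assumptions: \\UNCPATH is the repository's placeholder share, the service is
# registered as "Sysmon" or "Sysmon64", and the log path below is hypothetical.

$SharePath  = '\\UNCPATH'
$InstallDir = 'C:\Windows'
$SourceExe  = Join-Path $SharePath 'sysmon.exe'
$SourceCfg  = Join-Path $SharePath 'sysmonconfig.xml'
$LocalExe   = Join-Path $InstallDir 'sysmon.exe'
$LocalCfg   = Join-Path $InstallDir 'sysmonconfig.xml'
$LogFile    = Join-Path $env:SystemRoot 'Temp\sysmon-deploy.log'   # assumed path

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# SHA-256 of a file, or $null when the file does not exist.
function Get-Sha256([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

# Sysmon registers its service under the binary's name; cover both names.
$service = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
           Select-Object -First 1

if (-not (Test-Path -LiteralPath $SourceCfg)) {
    # Share unreachable (e.g. off-network boot): leave the host untouched.
    Write-Log "Config not reachable at $SourceCfg; nothing done."
    return
}

if (-not $service) {
    # Fresh install: stage binary and config locally, then install with the config.
    Copy-Item -LiteralPath $SourceExe -Destination $LocalExe -Force
    Copy-Item -LiteralPath $SourceCfg -Destination $LocalCfg -Force
    $p = Start-Process -FilePath $LocalExe `
         -ArgumentList '-accepteula', '-i', "`"$LocalCfg`"" -Wait -PassThru
    Write-Log "Installed Sysmon, exit code $($p.ExitCode)"
    return
}

# Already installed: update only when the config on the share has changed.
if ((Get-Sha256 $SourceCfg) -ne (Get-Sha256 $LocalCfg)) {
    if (-not (Test-Path -LiteralPath $LocalExe)) {
        Copy-Item -LiteralPath $SourceExe -Destination $LocalExe -Force
    }
    Copy-Item -LiteralPath $SourceCfg -Destination $LocalCfg -Force
    $p = Start-Process -FilePath $LocalExe `
         -ArgumentList '-c', "`"$LocalCfg`"" -Wait -PassThru
    Write-Log "Updated Sysmon config, exit code $($p.ExitCode)"
} else {
    Write-Log 'Sysmon config unchanged; nothing done.'
}
```

The log file gives a per-host record of each install or config push, which is useful when verifying that a fleet-wide config change actually landed.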
--------------------------------------------------------------------------------
/sysmonconfig.xml:
--------------------------------------------------------------------------------
1 |
27 |
28 |
29 | md5,sha256
30 |
31 |
32 |
33 |
34 |
35 |
36 |
39 |
40 | C:\Windows\system32\DllHost.exe /Processid
41 | C:\Windows\system32\SearchIndexer.exe /Embedding
42 | C:\Windows\System32\CompatTelRunner.exe
43 | C:\Windows\System32\MusNotification.exe
44 | C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ALUpdate.exe
45 | C:\Windows\System32\MusNotificationUx.exe
46 | C:\Windows\System32\audiodg.exe
47 | C:\Windows\System32\conhost.exe
48 | C:\Windows\System32\powercfg.exe
49 | C:\Windows\System32\wbem\WmiApSrv.exe
50 | C:\Windows\System32\wermgr.exe
51 | C:\Windows\SysWOW64\wermgr.exe
52 | C:\Windows\system32\sppsvc.exe
53 | AppContainer
54 | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
55 | %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
56 | C:\Windows\system32\SearchIndexer.exe
57 |
58 | C:\Program Files\Windows Defender
59 | C:\Windows\System32\MpSigStub.exe
60 | C:\Windows\SoftwareDistribution\Download\Install\AM_Base
61 | C:\Windows\SoftwareDistribution\Download\Install\AM_Delta
62 | C:\Windows\SoftwareDistribution\Download\Install\AM_Engine
63 |
64 | C:\WINDOWS\system32\svchost.exe -k DcomLaunch
65 | C:\Windows\System32\svchost.exe -k appmodel
66 | C:\Windows\System32\svchost.exe -k dcomLaunch
67 | C:\Windows\System32\svchost.exe -k defragsvc
68 | C:\Windows\System32\svchost.exe -k imgsvc
69 | C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation
70 | C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted
71 | C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted
72 | C:\Windows\System32\svchost.exe -k netsvcs
73 | C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted
74 | C:\Windows\System32\svchost.exe -k rPCSS
75 | C:\Windows\System32\svchost.exe -k swprv
76 | C:\Windows\System32\svchost.exe -k unistackSvcGroup
77 | C:\Windows\System32\svchost.exe -k utcsvc
78 | C:\Windows\System32\svchost.exe -k wbioSvcGroup
79 | C:\Windows\System32\svchost.exe -k wsappx
80 | C:\Windows\system32\svchost.exe -k networkService
81 |
82 | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
83 |
84 | C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
85 | C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
86 |
87 | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
88 | C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
89 | C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ALUpdate.exe
90 |
91 | C:\windows\System32\svchost.exe -k werSvcGroup
92 | C:\Windows\System32\svchost.exe -k netsvcs
93 | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
94 |
95 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
96 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
97 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
98 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
99 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
100 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
101 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
102 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
103 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
105 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
106 |
107 | C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
108 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
109 |
110 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
111 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
112 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
113 |
114 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
115 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
116 | C:\Program Files (x86)\Google\Update\
117 | C:\Program Files (x86)\Google\Update\
118 |
119 | "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
120 | "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
121 |
122 | AcroRd32.exe" /CR
123 | AcroRd32.exe" --channel=
124 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
125 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
126 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
127 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
128 |
129 | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
130 |
131 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
132 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
133 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
134 |
135 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
136 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
137 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
138 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
139 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
140 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
141 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
142 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
143 |
144 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
145 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
146 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
147 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
148 |
149 | "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{
150 | C:\Program Files\NVIDIA Corporation\
151 | C:\Program Files\Realtek\
152 | C:\Program Files\DellTPad\HidMonitorSvc.exe
153 | C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
154 |
155 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
156 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
157 |
158 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
159 |
160 |
161 |
162 |
163 |
164 | C:\Users
165 |
166 |
167 | OneDrive.exe
168 | setup
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 | C:\Users
179 | C:\ProgramData
180 | C:\Windows\Temp
181 |
182 | at.exe
183 | certutil.exe
184 | cmd.exe
185 | cscript.exe
186 | java.exe
187 | mshta.exe
188 | msiexec.exe
189 | net.exe
190 | notepad.exe
191 | powershell.exe
192 | qwinsta.exe
193 | reg.exe
194 | regsvr32.exe
195 | rundll32.exe
196 | sc.exe
197 | wmic.exe
198 | wscript.exe
199 |
200 | psexec.exe
201 | psexesvc.exe
202 | vnc.exe
203 | vncviewer.exe
204 | vncservice.exe
205 | winexesvc.exe
206 | \AA_v
207 |
208 | omniinet.exe
209 | hpsmhd.exe
210 |
211 | tor.exe
212 |
213 | 22
214 | 23
215 | 25
216 | 3389
217 | 5800
218 | 5900
219 |
220 | 1080
221 | 3128
222 | 8080
223 |
224 | 1723
225 | 4500
226 | 9001
227 | 9030
228 |
229 |
230 | OneDrive.exe
231 | Spotify.exe
232 | C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ALUpdate.exe
233 | AppData\Roaming\Dropbox\bin\Dropbox.exe
234 |
235 | OneDriveStandaloneUpdater.exe
236 | microsoft.com
237 | microsoft.com.akadns.net
238 | microsoft.com.nsatc.net
239 |
240 |
241 |
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 | C:\Users
250 |
251 |
252 |
253 |
254 |
255 |
257 | microsoft
258 | windows
259 | Intel
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
273 | C:\Windows\System32\wbem\WmiPrvSE.exe
274 | C:\Windows\System32\svchost.exe
275 | C:\Windows\System32\wininit.exe
276 | C:\Windows\System32\csrss.exe
277 | C:\Windows\System32\services.exe
278 | C:\Windows\System32\winlogon.exe
279 | C:\Windows\System32\audiodg.exe
280 | 28f4c222-3655-59a5-0000-0010d60e8919
281 | 28f4c222-bb74-59b7-0000-00103f02932c
282 | C:\PROGRA~2\PHAROS~1\PRINTS~1\CTskMstr.exe
283 | C:\windows\system32\kernel32.dll
284 | Google\Chrome\Application\chrome.exe
285 |
286 |
287 |
288 |
289 |
290 |
293 |
294 |
295 |
296 |
297 |
298 |
299 | C:\Windows\system32\lsass.exe
300 |
301 |
302 |
303 | 0x1400
304 | 0x1000
305 | 0x400
306 | C:\Windows\CarbonBlack\cb.exe
307 | C:\Windows\system32\wbem\wmiprvse.exe
308 | C:\Windows\system32\lsm.exe
309 |
310 |
311 |
312 |
313 |
314 |
315 | \Start Menu
316 | \Startup
317 | \Content.Outlook\
318 | \Downloads\
319 | .application
320 | .appref-ms
321 | .bat
322 | .cmd
323 | .cmdline
324 | .docm
325 | .exe
326 | .hta
327 | .pptm
328 | .ps1
329 | .sys
330 | .vbs
331 | .xlsm
332 | C:\Users\Default
333 | C:\Windows\System32\Drivers
334 | C:\Windows\SysWOW64\Drivers
335 | C:\Windows\System32\GroupPolicy\Machine\Scripts
336 | C:\Windows\System32\GroupPolicy\User\Scripts
337 | C:\Windows\System32\Tasks
338 | C:\Windows\System32\Wbem
339 | C:\Windows\SysWOW64\Wbem
340 | C:\Windows\System32\WindowsPowerShell
341 | C:\Windows\SysWOW64\WindowsPowerShell
342 | C:\Windows\Tasks\
343 |
344 |
345 |
346 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
347 |
348 | C:\Windows\System32\smss.exe
349 | C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
350 | C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\ALUpdate.exe
351 | C:\Windows\system32\CompatTelRunner.exe
352 | \\?\C:\Windows\system32\wbem\WMIADAP.EXE
353 | C:\Windows\System32\DriverStore\Temp\
354 | C:\Windows\System32\wbem\Performance\
355 | WRITABLE.TST
356 |
357 | C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
358 | C:\WINDOWS\winsxs\amd64_microsoft-windows
359 |
360 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
361 |
362 | C:\Windows\system32\igfxCUIService.exe
363 |
364 |
365 |
366 |
367 |
368 |
369 |
370 |
371 |
372 |
373 |
374 |
375 |
376 |
377 |
378 |
379 |
380 | \CurrentVersion\Run
381 | \Group Policy\Scripts
382 | \Windows\System\Scripts
383 | \Policies\Explorer\Run
384 | \ServiceDll
385 | \ImagePath
386 | \Start
387 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
388 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
389 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
390 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
391 |
392 | \Explorer\FileExts\
393 | \shell\install\command\
394 | \shell\open\command\
395 | \shell\open\ddeexec\
396 |
397 | \InprocServer32\(Default)
398 |
399 | \Classes\*\
400 | \Classes\AllFilesystemObjects\
401 | \Classes\Directory\
402 | \Classes\Drive\
403 | \Classes\Folder\
404 | \ContextMenuHandlers\
405 | \CurrentVersion\Shell
406 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
407 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
408 |
409 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
410 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
411 |
412 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
413 |
414 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
415 |
416 | HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
417 | \ProxyServer
418 |
419 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
420 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
421 | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
422 |
423 | HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
424 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
425 |
426 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
427 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
428 |
429 | \Microsoft\Office\Outlook\Addins\
430 |
431 | \Internet Explorer\Toolbar\
432 | \Internet Explorer\Extensions\
433 | \Browser Helper Objects\
434 |
435 | {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
436 |
437 | \UrlUpdateInfo
438 | \InstallSource
439 |
440 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
441 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
442 |
443 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
444 |
445 | HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
446 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
447 | HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
448 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
449 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
450 | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
451 | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
452 |
453 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
454 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
455 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
456 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
457 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
458 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
459 |
460 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
461 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
462 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
463 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\
464 | HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
465 | HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
466 | \FriendlyName
467 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
468 |
469 |
470 |
471 |
472 | Office\root\integration\integrator.exe
473 | \Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\ALUpdate.exe
474 | C:\WINDOWS\system32\backgroundTaskHost.exe
475 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
476 | C:\Program Files\Windows Defender\MsMpEng.exe
477 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
478 |
479 | C:\Program Files (x86)\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe
480 | Toolbar\WebBrowser
481 | Toolbar\WebBrowser\ITBar7Height
482 | Toolbar\ShellBrowser\ITBar7Layout
483 | Internet Explorer\Toolbar\Locked
484 | ShellBrowser
485 | \CurrentVersion\Run
486 | \CurrentVersion\RunOnce
487 | \CurrentVersion\App Paths
488 | \CurrentVersion\Image File Execution Options
489 | \CurrentVersion\Shell Extensions\Cached
490 | \CurrentVersion\Shell Extensions\Approved
491 | }\PreviousPolicyAreas
492 | \Control\WMI\Autologger\
493 | HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
494 | \Lsa\OfflineJoin\CurrentValue
495 | \Components\TrustedInstaller\Events
496 | \Components\TrustedInstaller
497 | \Components\Wlansvc
498 | \Components\Wlansvc\Events
499 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
500 | \Directory\shellex
501 | \Directory\shellex\DragDropHandlers
502 | \Drive\shellex
503 | \Drive\shellex\DragDropHandlers
504 | _Classes\AppX
505 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
506 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
507 |
508 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
509 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
510 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
511 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
512 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
513 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
514 |
515 | \services\clr_optimization_v2.0.50727_32\Start
516 | \services\clr_optimization_v2.0.50727_64\Start
517 | \services\clr_optimization_v4.0.30319_32\Start
518 | \services\clr_optimization_v4.0.30319_64\Start
519 | \services\DeviceAssociationService\Start
520 | \services\BITS\Start
521 | \services\TrustedInstaller\Start
522 | \services\tunnel\Start
523 | \services\UsoSvc\Start
524 |
525 | \OpenWithProgids
526 | \OpenWithList
527 | \UserChoice
528 | \UserChoice\ProgId
529 | \UserChoice\Hash
530 | \OpenWithList\MRUList
531 | } 0xFFFF
532 |
533 | C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
534 | C:\Program Files (x86)\Webroot\WRSA.exe
535 | C:\WINDOWS\System32\spoolsv.exe
536 |
537 |
538 |
539 |
540 |
541 |
542 |
546 | Content.Outlook
547 | Downloads
548 | Temp\7z
549 | .bat
550 | .cmd
551 | .hta
552 | .lnk
553 | .ps1
554 | .ps2
555 | .reg
556 | .vb
557 | .vbe
558 | .vbs
559 |
563 | .vb
564 | .application
565 | .appref-ms
566 | .cmdline
567 | .docm
568 | .exe
569 | .dll
570 | .sys
571 | .pptm
572 | .sys
573 | .docm
574 | .xlsm
575 | .xlam
576 | .pptm
577 | .potm
578 | .pptm
579 | .sldm
580 | .scf
581 | .appref-ms
582 | .rdp
583 | .js
584 |
585 | .pem
586 | .crt
587 | .ca-bundle
588 | .cer
589 | .csr
590 | .der
591 | .p7b
592 | .p7r
593 | .p7s
594 | .pfx
595 | .sto
596 | .p12
597 | .crl
598 | .sst
599 | .key
600 |
601 | .mht
602 | .manifest
603 | .cpl
604 | .scr
605 | .inf
606 |
607 |
608 |
609 |
610 |
611 |
612 |
613 |
614 |
615 |
616 |
617 |
618 |
619 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
620 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
621 | lsass
622 | \netmon
623 | \SQLLocal\RTCLOCAL
624 |
625 | \M.E.C.Core.WinRMDataCommunicator.NamedPipe.
626 | c:\windows\system32\inetsrv\w3wp.exe
627 | C:\Windows\syswow64\snmp.exe
628 | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE
629 |
630 | C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe
631 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe
632 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe
633 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe
634 | C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe
635 |
636 | C:\Windows\system32\dns.exe
637 |
638 | C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
639 |
640 | C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee
641 | C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe
642 | C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe
643 | C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe
644 | C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe
645 | C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe
646 | C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe
647 | C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe
648 | C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe
649 | C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe
650 | C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe
651 | C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe
652 | C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe
653 | C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe
654 | C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
655 |
656 | C:\Windows\system32\DFSRs.exee
657 | C:\Windows\SystemApps\Microsoft.Windows
658 | C:\Windows\system32\SearchProtocolHost.exe
659 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
660 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
661 | C:\Windows\System32\LxRun.exe
662 | vmware-
663 | \System
664 | \InitShutdown
665 | C:\Windows\System32\wininit.exe
666 | C:\Windows\System32\SearchIndexer.exe
667 | C:\Windows\System32\services.exe
668 | \ntsvcs
669 | \scerpc
670 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
671 | C:\Windows\System32\smss.exe
672 | C:\Windows\System32\spoolsv.exe
673 | \epmapper
674 | \atsvc
675 | \browser
676 | \srvsvc
677 | \Winsock2CatelogChangeListener
678 | ProtectedPrefix\LocalService\FTHPIPE
679 | \W32TIME_ALT
680 | \eventlog
681 | \wkssvc
682 | \TDLN-
683 | \WiFiNetworkManagerTask
684 | \MsFteWds
685 |
686 | \WRSVCPipe
687 | \WRSynUM2
688 | \wrUrl
689 | C:\Program Files (x86)\Webroot\WRSA.exe
690 |
691 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
692 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
693 | AppData\Local\Google\Chrome\User Data\SwReporter\
694 | mojo.
695 | crashpad_
696 | chrome.
697 | GoogleCrashServices
698 |
699 | slack.exe
700 |
701 | booma\
702 |
703 | qtsingleapp-enpass-
704 | qtsingleapp-enpass-
705 |
706 | Everything Service
707 | anchor_gui_agent
708 |
709 | C:\Program Files (x86)\Lenovo\System Update\SUService.exe
710 | C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe
711 | C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
712 | C:\Program Files\Lenovo\HOTKEY\shtctky.exe
713 | C:\Windows\System32\LPlatSvc.exe
714 | C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe
715 |
716 | C:\Windows\LTSvc\LTSVC.exe
717 | ScreenConnect.WindowsClient.exe
718 | ScreenConnect.ClientService.exe
719 | C:\Program Files\OpenVPN\bin\openvpn-gui.exe
720 | C:\Program Files\OpenVPN\bin\openvpn.exe
721 | C:\Program Files\OpenVPN\bin\openvpnserv.exe
722 | C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
723 | C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
724 | C:\Program Files\Lenovo\HOTKEY\tphkload.exe
725 | C:\Program Files\Lenovo\
726 | C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe
727 | Graylog-collector-sidecar.exe
728 | C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe
729 | C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe
730 | C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe
731 | C:\Program Files (x86)\SmartGit\bin\smartgit.exe
732 | C:\Program Files (x86)\SmartGit\bin\smartgit.exe
733 | Anonymous Pipe
734 | C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
735 | C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
736 | C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
737 | C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
738 | C:\Program Files (x86)\Enpass\Enpass.exe
739 | C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe
740 | C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe
741 | C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
742 | C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe
743 | SQLAnywhereLRM
744 | pgsignal
745 | postgres.exe
746 | MICROSOFT##WID\tsql\query
747 | TSVCPIPE-
748 | BB4BB19A178C25D1
749 | SQLAnywhereLRM
750 | SQLLocal
751 | DropboxPipe_
752 | c:\windows\system32\inetsrv\w3wp.exe
753 | C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe
754 | C:\Pfx Engagement\WM\PFXEngagement.exe
755 | C:\Pfx Engagement\WM\PfxEngagement.exe
756 | C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe
757 | C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe
758 | ScreenConnect.WindowsClient.exe
759 | ScreenConnect.ClientService.exe
760 | QBW32.EXE
761 | C:\Windows\system32\wbem\wmiprvse.exe
--------------------------------------------------------------------------------
/sysmonv9.xml:
--------------------------------------------------------------------------------
29 | md5,sha256,IMPHASH
47 | C:\Program Files\avs\bin\avagent.exe
48 | "C:\Windows\system32\wermgr.exe" "-queuereporting_svc"
49 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
50 | "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
51 | "C:\Program Files\DellTPad\ApMsgFwd.exe" -s{
52 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
53 | "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
54 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
55 | C:\Windows\system32\DllHost.exe /Processid
56 | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
57 | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
58 | AcroRd32.exe" --channel=
59 | AcroRd32.exe" /CR
60 | AcroRd32.exe" /CR
61 | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
62 | C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC
63 | C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc
64 | C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
65 | C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc
66 | C:\WINDOWS\system32\wermgr.exe -upload
67 | C:\Windows\System32\svchost.exe -k appmodel
68 | C:\Windows\System32\svchost.exe -k dcomLaunch
69 | C:\Windows\System32\svchost.exe -k defragsvc
70 | C:\Windows\System32\svchost.exe -k imgsvc
71 | C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation
72 | C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted
73 | C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted
74 | C:\Windows\System32\svchost.exe -k netsvcs
75 | C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted
76 | C:\Windows\System32\svchost.exe -k rPCSS
77 | C:\Windows\System32\svchost.exe -k swprv
78 | C:\Windows\System32\svchost.exe -k unistackSvcGroup
79 | C:\Windows\System32\svchost.exe -k utcsvc
80 | C:\Windows\System32\svchost.exe -k wbioSvcGroup
81 | C:\Windows\System32\svchost.exe -k wsappx
82 | C:\Windows\system32\SearchIndexer.exe /Embedding
83 | C:\Windows\system32\igfxsrvc.exe -Embedding
84 | C:\Windows\system32\svchost.exe -k appmodel -s StateRepository
85 | C:\Windows\system32\svchost.exe -k appmodel
86 | C:\Windows\system32\svchost.exe -k camera -s FrameServer
87 | C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM
88 | C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
89 | C:\Windows\system32\svchost.exe -k defragsvc
90 | C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
91 | C:\Windows\system32\svchost.exe -k imgsvc
92 | C:\Windows\system32\svchost.exe -k localService -s EventSystem
93 | C:\Windows\system32\svchost.exe -k localService -s bthserv
94 | C:\Windows\system32\svchost.exe -k localService -s nsi
95 | C:\Windows\system32\svchost.exe -k localService -s w32Time
96 | C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc
97 | C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation
98 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp
99 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog
100 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc
101 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc
102 | C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted
103 | C:\Windows\system32\svchost.exe -k localServiceNoNetwork
104 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum
105 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc
106 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService
107 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService
108 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService
109 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService
110 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService
111 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum
112 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost
113 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
114 | C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc
115 | C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC
116 | C:\Windows\system32\svchost.exe -k netsvcs -s BITS
117 | C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc
118 | C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
119 | C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc
120 | C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
121 | C:\Windows\system32\svchost.exe -k netsvcs -s SENS
122 | C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv
123 | C:\Windows\system32\svchost.exe -k netsvcs -s Themes
124 | C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
125 | C:\Windows\system32\svchost.exe -k netsvcs
126 | C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc
127 | C:\Windows\system32\svchost.exe -k networkService -s Dnscache
128 | C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation
129 | C:\Windows\system32\svchost.exe -k networkService -s NlaSvc
130 | C:\Windows\system32\svchost.exe -k networkService -s TermService
131 | C:\Windows\system32\svchost.exe -k networkService
132 | C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted
133 | C:\Windows\system32\svchost.exe -k rPCSS
134 | C:\Windows\system32\svchost.exe -k secsvcs
135 | C:\Windows\system32\svchost.exe -k swprv
136 | C:\Windows\system32\svchost.exe -k unistackSvcGroup
137 | C:\Windows\system32\svchost.exe -k utcsvc
138 | C:\Windows\system32\svchost.exe -k wbioSvcGroup
139 | C:\Windows\system32\svchost.exe -k werSvcGroup
140 | C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC
141 | C:\Windows\system32\svchost.exe -k wsappx
142 | C:\windows\System32\svchost.exe -k werSvcGroup
143 | C:\windows\system32\wermgr.exe -queuereporting
144 | \??\C:\WINDOWS\system32\autochk.exe *
145 | \SystemRoot\System32\smss.exe
146 | C:\Program Files (x86)\Google\Update\
147 | C:\Program Files (x86)\Google\Update\
148 | C:\Program Files\NVIDIA Corporation\
149 | C:\Program Files\Realtek\
150 | C:\Program Files\Windows Defender
151 | C:\Windows\SoftwareDistribution\Download\Install\AM_
152 | C:\Windows\SoftwareDistribution\Download\Install\AM_Base
153 | C:\Windows\SoftwareDistribution\Download\Install\AM_Delta
154 | C:\Windows\SoftwareDistribution\Download\Install\AM_Engine
155 | C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe
156 | C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe
157 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
158 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
159 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
160 | C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
161 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
162 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
163 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
164 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
165 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
166 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
167 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
168 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
169 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
170 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
171 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
172 | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
173 | C:\Windows\System32\CompatTelRunner.exe
174 | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
175 | C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
176 | C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
177 | C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe
178 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
179 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
180 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
181 | C:\Program Files\Dell\SupportAssist\koala.exe
182 | C:\Program Files\Dell\SupportAssist\pcdrcui.exe
183 | C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE
184 | C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE
185 | C:\Program Files\Microsoft Office\Office16\msoia.exe
186 | C:\Program Files\Windows Media Player\wmpnscfg.exe
187 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
188 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
189 | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
190 | C:\Windows\SysWOW64\wermgr.exe
191 | C:\Windows\System32\MpSigStub.exe
192 | C:\Windows\System32\MusNotification.exe
193 | C:\Windows\System32\MusNotificationUx.exe
194 | C:\Windows\System32\TokenBrokerCookies.exe
195 | C:\Windows\System32\audiodg.exe
196 | C:\Windows\System32\conhost.exe
197 | C:\Windows\System32\plasrv.exe
198 | C:\Windows\System32\powercfg.exe
199 | C:\Windows\System32\wbem\WmiApSrv.exe
200 | C:\Windows\System32\wermgr.exe
201 | C:\Windows\System32\wifitask.exe
202 | C:\Windows\system32\CompatTelRunner.exe
203 | C:\Windows\system32\MpSigStub.exe
204 | C:\Windows\system32\PrintIsolationHost.exe
205 | C:\Windows\system32\SppExtComObj.Exe
206 | C:\Windows\system32\audiodg.exe
207 | C:\Windows\system32\conhost.exe
208 | C:\Windows\system32\mobsync.exe
209 | C:\Windows\system32\musNotification.exe
210 | C:\Windows\system32\musNotificationUx.exe
211 | C:\Windows\system32\powercfg.exe
212 | C:\Windows\system32\sndVol.exe
213 | C:\Windows\system32\sppsvc.exe
214 | C:\Windows\system32\wbem\WmiApSrv.exe
215 | AppContainer
216 | %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
217 | %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
218 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
219 | "-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16"
220 | C:\WINDOWS\system32\svchost.exe -k DcomLaunch
221 | C:\Windows\System32\svchost.exe -k netsvcs
222 | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
223 | C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted
224 | C:\Windows\system32\svchost.exe -k netsvcs
225 | C:\windows\system32\wermgr.exe -queuereporting
226 | C:\Program Files (x86)\Google\Update\
227 | C:\Program Files (x86)\Google\Update\
228 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
229 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
230 | C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
231 | C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
232 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
233 | C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
234 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
235 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
236 | C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
237 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
238 | C:\Program Files\DellTPad\HidMonitorSvc.exe
239 | C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
240 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
241 | C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
242 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
243 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
244 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
245 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
246 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
247 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
248 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
249 | C:\Windows\system32\SearchIndexer.exe
250 | C:\Windows\system32\DllHost.exe /Processid
258 | C:\Users
259 | C:\windows\temp
260 |
261 |
262 |
263 |
264 | OneDrive.exe
265 | setup
266 | install
267 | Update\
268 | redist.exe
269 | TrustedInstaller.exe
281 | C:\Users
282 | C:\ProgramData
283 | C:\Windows\Temp
284 |
285 | at.exe
286 | certutil.exe
287 | cmd.exe
288 | cmstp.exe
289 | cscript.exe
290 | driverquery.exe
291 | dsquery.exe
292 | hh.exe
293 | infDefaultInstall.exe
294 | java.exe
295 | javaw.exe
296 | javaws.exe
297 | mmc.exe
298 | msbuild.exe
299 | mshta.exe
300 | msiexec.exe
301 | nbtstat.exe
302 | net.exe
303 | net1.exe
304 | notepad.exe
305 | nslookup.exe
306 | powershell.exe
307 | qprocess.exe
308 | qwinsta.exe
309 | reg.exe
310 | regsvcs.exe
311 | regsvr32.exe
312 | rundll32.exe
313 | rwinsta.exe
314 | sc.exe
315 | schtasks.exe
316 | taskkill.exe
317 | tasklist.exe
318 | wmic.exe
319 | wscript.exe
320 | nc.exe
321 | ncat.exe
322 |
323 | psexec.exe
324 | psexesvc.exe
325 | vnc.exe
326 | vncviewer.exe
327 | vncservice.exe
328 | winexesvc.exe
329 | \AA_v
330 |
331 | omniinet.exe
332 | hpsmhd.exe
333 |
334 | tor.exe
335 |
336 | services.exe
337 | nmap.exe
338 | psinfo.exe
339 |
340 | 22
341 | 23
342 | 25
343 | 3389
344 | 5800
345 | 5900
346 |
347 | 1080
348 | 3128
349 | 8080
350 |
351 | 1723
352 | 4500
353 | 9001
354 | 9030
355 | 445
356 |
357 |
358 |
359 |
360 | OneDrive.exe
361 | Spotify.exe
362 | AppData\Roaming\Dropbox\bin\Dropbox.exe
363 | g2ax_comm_expert.exe
364 | g2mcomm.exe
365 |
366 | OneDriveStandaloneUpdater.exe
367 | OneDrive.exe
368 |
369 | AppData\Local\Microsoft\Teams\current\Teams.exe
370 | microsoft.com
371 | microsoft.com.akadns.net
372 | microsoft.com.nsatc.net
384 | C:\Users
385 | C:\Windows\Temp
398 | microsoft
399 | windows
400 | Intel
419 | C:\Windows\System32\wbem\WmiPrvSE.exe
420 | C:\Windows\System32\svchost.exe
421 | C:\Windows\System32\wininit.exe
422 | C:\Windows\System32\csrss.exe
423 | C:\Windows\System32\services.exe
424 | C:\Windows\System32\winlogon.exe
425 | C:\Windows\System32\audiodg.exe
426 | C:\Program Files (x86)\PharosSystems\PrintScout\CTskMstr.exe
427 | 28f4c222-3655-59a5-0000-0010d60e8919
428 | 28f4c222-bb74-59b7-0000-00103f02932c
429 | C:\PROGRA~2\PHAROS~1\PRINTS~1\CTskMstr.exe
430 | C:\windows\system32\kernel32.dll
431 | Google\Chrome\Application\chrome.exe
449 | C:\WINDOWS\system32\lsass.exe
450 | C:\Windows\SysWOW64\netsh.exe
451 | C:\Windows\system32\cmd.exe
452 |
454 |
455 |
456 |
457 |
458 |
459 | 0x1400
460 | 0x1000
461 | 0x400
462 | C:\Windows\system32\wbem\wmiprvse.exe
463 | C:\Windows\system32\lsm.exe
464 | C:\Windows\system32\wbem\wmiprvse.exe
465 | C:\Windows\sysWOW64\wbem\wmiprvse.exe
466 | C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe
467 | esrv_svc.exe
468 | VBoxService.exe
478 | \Startup
479 | \Content.Outlook\
480 | \Downloads\
481 | .application
482 | .appref-ms
483 | .bat
484 | .chm
485 | .cmd
486 | .cmdline
487 | .docm
488 | .exe
489 | .jar
490 | .jnlp
491 | .jse
492 | .hta
493 | .pptm
494 | .ps1
495 | .sys
496 | .scr
497 | .vbs
498 | .vbe
499 | .xlsm
500 | proj
501 | .sln
502 | C:\Users\Default
503 | C:\Windows\System32\Drivers
504 | C:\Windows\SysWOW64\Drivers
505 | C:\Windows\System32\GroupPolicy\Machine\Scripts
506 | C:\Windows\System32\GroupPolicy\User\Scripts
507 | C:\Windows\System32\Tasks
508 | C:\Windows\System32\Wbem
509 | C:\Windows\SysWOW64\Wbem
510 | C:\Windows\System32\WindowsPowerShell
511 | C:\Windows\SysWOW64\WindowsPowerShell
512 | C:\Windows\Tasks\
513 | C:\Windows\system32\Tasks
514 |
515 |
516 | C:\Windows\AppPatch\Custom
517 | VirtualStore
518 |
519 | .xls
520 | .ppt
521 | .rft
522 |
523 |
524 |
525 |
526 |
527 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
528 |
529 | C:\Windows\System32\smss.exe
530 | C:\Windows\system32\CompatTelRunner.exe
531 | \\?\C:\Windows\system32\wbem\WMIADAP.EXE
532 | C:\Windows\System32\DriverStore\Temp\
533 | C:\Windows\System32\wbem\Performance\
534 | WRITABLE.TST
535 |
536 | C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
537 | C:\WINDOWS\winsxs\amd64_microsoft-windows
538 |
539 | C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
540 |
541 | C:\Windows\system32\igfxCUIService.exe
542 |
543 | C:\Windows\System32\Tasks\Adobe Acrobat Update Task
544 | C:\Windows\System32\Tasks\Adobe Flash Player Updater
562 | \CurrentVersion\Run
563 | \Group Policy\Scripts
564 | \Windows\System\Scripts
565 | \Policies\Explorer\Run
566 | \ServiceDll
567 | \ImagePath
568 | \Start
569 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
570 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
571 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
572 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
573 |
574 | \Explorer\FileExts\
575 | \shell\install\command\
576 | \shell\open\command\
577 | \shell\open\ddeexec\
578 |
579 | \InprocServer32\(Default)
580 |
581 | \Classes\*\
582 | \Classes\AllFilesystemObjects\
583 | \Classes\Directory\
584 | \Classes\Drive\
585 | \Classes\Folder\
586 | \ContextMenuHandlers\
587 | \CurrentVersion\Shell
588 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
589 | HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
590 |
591 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
592 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
593 |
594 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
595 |
596 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
597 |
598 | HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
599 | \ProxyServer
600 |
601 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
602 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
603 | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
604 |
605 | HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
606 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
607 |
608 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
609 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
610 |
611 | \Microsoft\Office\Outlook\Addins\
612 |
613 | \Internet Explorer\Toolbar\
614 | \Internet Explorer\Extensions\
615 | \Browser Helper Objects\
616 |
617 | {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
618 |
619 | \UrlUpdateInfo
620 | \InstallSource
621 |
622 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
623 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
624 |
625 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
626 |
627 | HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
628 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
629 | HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
630 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
631 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
632 | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
633 | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
634 |
635 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
636 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
637 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
638 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
639 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
640 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
641 |
642 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
643 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
644 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
645 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\
646 | HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
647 | HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
648 | \FriendlyName
649 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
650 |
651 | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
652 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
653 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
654 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
655 | HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
656 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
657 | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
658 | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
659 | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
660 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
661 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
662 | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
663 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
664 | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
665 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
666 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
667 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
668 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
669 | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
670 | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
671 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
672 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
673 | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
674 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa
675 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
676 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
677 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
678 | HKLM\SOFTWARE\Microsoft\Cryptography\OID
679 | HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
680 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
681 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
682 | \Control\SecurityProviders\WDigest
683 | \Windows\System\Scripts
684 | \Explorer\FileExts
685 | SYSTEM\CurrentControlSet\Control\CrashControl
686 | \CurrentVersion\Run
687 | \Policies\Explorer\Run
688 | Classes\exefile\shell\runas\command\isolatedCommand
689 | \mscfile\shell\open\command
690 | ms-settings\shell\open\command
691 | SYSTEM\CurrentControlSet\services\Sysmon
692 | SYSTEM\CurrentControlSet\services\SysmonDrv
693 | \services\Netlogon\Parameters\DisablePasswordChange
694 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
695 | Software\Classes\CLSID
696 | SOFTWARE\Microsoft\Netsh
697 | \Microsoft\SystemCertificates\Root\Certificates
698 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
699 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
700 | HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
701 | \PsGetSID\EulaAccepted
702 | \PsLoggedOn\EulaAccepted
703 | \PsExec\EulaAccepted
704 | \PsLogList\EulaAccepted
705 | \PsService\EulaAccepted
706 | \PsInfo\EulaAccepted
707 | \PsList\EulaAccepted
708 | \PsKill\EulaAccepted
709 | \PsPasswd\EulaAccepted
710 | \PsFile\EulaAccepted
711 | \PsShutDown\EulaAccepted
712 | \PsSuspend\EulaAccepted
713 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
714 | HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
715 | REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll
716 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
725 | Office\root\integration\integrator.exe
726 | C:\WINDOWS\system32\backgroundTaskHost.exe
727 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
728 | C:\Program Files\Windows Defender\MsMpEng.exe
729 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
730 |
731 | C:\Program Files (x86)\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe
732 | Toolbar\WebBrowser
733 | Toolbar\WebBrowser\ITBar7Height
734 | Toolbar\ShellBrowser\ITBar7Layout
735 | Internet Explorer\Toolbar\Locked
736 | ShellBrowser
737 | \CurrentVersion\Run
738 | \CurrentVersion\RunOnce
739 | \CurrentVersion\App Paths
740 | \CurrentVersion\Image File Execution Options
741 | \CurrentVersion\Shell Extensions\Cached
742 | \CurrentVersion\Shell Extensions\Approved
743 | }\PreviousPolicyAreas
744 | \Control\WMI\Autologger\
745 | HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
746 | \Lsa\OfflineJoin\CurrentValue
747 | \Components\TrustedInstaller\Events
748 | \Components\TrustedInstaller
749 | \Components\Wlansvc
750 | \Components\Wlansvc\Events
751 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
752 | \Directory\shellex
753 | \Directory\shellex\DragDropHandlers
754 | \Drive\shellex
755 | \Drive\shellex\DragDropHandlers
756 | _Classes\AppX
757 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
758 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
759 |
760 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
761 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
762 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
763 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
764 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
765 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
766 |
767 | \services\clr_optimization_v2.0.50727_32\Start
768 | \services\clr_optimization_v2.0.50727_64\Start
769 | \services\clr_optimization_v4.0.30319_32\Start
770 | \services\clr_optimization_v4.0.30319_64\Start
771 | \services\DeviceAssociationService\Start
772 | \services\BITS\Start
773 | \services\TrustedInstaller\Start
774 | \services\tunnel\Start
775 | \services\UsoSvc\Start
776 |
777 | \OpenWithProgids
778 | \OpenWithList
779 | \UserChoice
780 | \UserChoice\ProgId
781 | \UserChoice\Hash
782 | \OpenWithList\MRUList
783 | } 0xFFFF
784 |
785 | C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
786 | C:\Program Files (x86)\Webroot\WRSA.exe
787 | C:\WINDOWS\System32\spoolsv.exe
800 | Content.Outlook
801 | Downloads
802 | Startup
803 | Temp\7z
804 | .bat
805 | .cmd
806 | .hta
807 | .lnk
808 | .ps1
809 | .ps2
810 | .reg
811 | .jse
812 | .vb
813 | .vbe
814 | .vbs
815 |
819 | .vb
820 | .application
821 | .appref-ms
822 | .cmdline
823 | .docm
824 | .exe
825 | .dll
826 | .sys
827 | .pptm
828 | .sys
829 | .docm
830 | .xlsm
831 | .xlam
832 | .pptm
833 | .potm
834 | .pptm
835 | .sldm
836 | .scf
837 | .appref-ms
838 | .rdp
839 | .js
840 |
841 | .pem
842 | .crt
843 | .ca-bundle
844 | .cer
845 | .csr
846 | .der
847 | .p7b
848 | .p7r
849 | .p7s
850 | .pfx
851 | .sto
852 | .p12
853 | .crl
854 | .sst
855 | .key
856 |
857 | .mht
858 | .manifest
859 | .cpl
860 | .scr
861 | .inf
876 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
877 | C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
878 | lsass
879 | \netmon
880 | \SQLLocal\RTCLOCAL
881 |
882 | \M.E.C.Core.WinRMDataCommunicator.NamedPipe.
883 | c:\windows\system32\inetsrv\w3wp.exe
884 | VBoxTrayIPC
885 | C:\Windows\syswow64\snmp.exe
886 | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE
887 |
888 | C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe
889 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe
890 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe
891 | C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe
892 | C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe
893 |
894 | C:\Windows\system32\dns.exe
895 |
896 | C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
897 |
898 | C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
899 | C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe
900 | C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe
901 | C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe
902 | C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe
903 | C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe
904 | C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe
905 | C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe
906 | C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe
907 | C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe
908 | C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe
909 | C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe
910 | C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe
911 | C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe
912 | C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
913 |
914 | C:\Windows\system32\DFSRs.exe
915 | C:\Windows\SystemApps\Microsoft.Windows
916 | C:\Windows\system32\SearchProtocolHost.exe
917 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
918 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
919 | C:\Windows\System32\LxRun.exe
920 | vmware-
921 | \System
922 | \InitShutdown
923 | C:\Windows\System32\wininit.exe
924 | C:\Windows\System32\SearchIndexer.exe
925 | C:\Windows\System32\services.exe
926 | \ntsvcs
927 | \scerpc
928 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
929 | C:\Windows\System32\smss.exe
930 | C:\Windows\System32\spoolsv.exe
931 | \epmapper
932 | \atsvc
933 | \browser
934 | \srvsvc
935 | \Winsock2CatelogChangeListener
936 | ProtectedPrefix\LocalService\FTHPIPE
937 | \W32TIME_ALT
938 | \eventlog
939 | \wkssvc
940 | \TDLN-
941 | \WiFiNetworkManagerTask
942 | \MsFteWds
943 |
944 | \WRSVCPipe
945 | \WRSynUM2
946 | \wrUrl
947 | C:\Program Files (x86)\Webroot\WRSA.exe
948 |
949 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
950 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
951 | AppData\Local\Google\Chrome\User Data\SwReporter\
952 | mojo.
953 | crashpad_
954 | chrome.
955 | GoogleCrashServices
956 |
957 | slack.exe
958 |
959 | booma\
960 |
961 | qtsingleapp-enpass-
962 | qtsingleapp-enpass-
963 |
964 | Everything Service
965 | anchor_gui_agent
966 |
967 | C:\Program Files (x86)\Lenovo\System Update\SUService.exe
968 | C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe
969 | C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
970 | C:\Program Files\Lenovo\HOTKEY\shtctky.exe
971 | C:\Windows\System32\LPlatSvc.exe
972 | C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe
973 |
974 | C:\Windows\LTSvc\LTSVC.exe
975 | ScreenConnect.WindowsClient.exe
976 | ScreenConnect.ClientService.exe
977 | C:\Program Files\OpenVPN\bin\openvpn-gui.exe
978 | C:\Program Files\OpenVPN\bin\openvpn.exe
979 | C:\Program Files\OpenVPN\bin\openvpnserv.exe
980 | C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
981 | C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
982 | C:\Program Files\Lenovo\HOTKEY\tphkload.exe
983 | C:\Program Files\Lenovo\
984 | C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe
985 | Graylog-collector-sidecar.exe
986 | C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe
987 | C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe
988 | C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe
989 | C:\Program Files (x86)\SmartGit\bin\smartgit.exe
990 | C:\Program Files (x86)\SmartGit\bin\smartgit.exe
991 | Anonymous Pipe
992 | C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
993 | C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
994 | C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
995 | C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
996 | C:\Program Files (x86)\Enpass\Enpass.exe
997 | C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe
998 | C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe
999 | C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
1000 | C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe
1001 | SQLAnywhereLRM
1002 | pgsignal
1003 | postgres.exe
1004 | MICROSOFT##WID\tsql\query
1005 | TSVCPIPE-
1006 | BB4BB19A178C25D1
1007 | SQLAnywhereLRM
1008 | SQLLocal
1009 | DropboxPipe_
1010 | pipe\netlogon
1011 | pipe\samr
1012 | pipe\lsarpc
1013 | c:\windows\system32\inetsrv\w3wp.exe
1014 | C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe
1015 | C:\Pfx Engagement\WM\PFXEngagement.exe
1016 | C:\Pfx Engagement\WM\PfxEngagement.exe
1017 | C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe
1018 | C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe
1019 | ScreenConnect.WindowsClient.exe
1020 | ScreenConnect.ClientService.exe
1021 | QBW32.EXE
1022 | C:\Windows\system32\wbem\wmiprvse.exe
1023 |
1024 |
1025 |
1026 |
1027 |
1028 |
1029 |
1030 |
1031 |
1032 |
1033 |
1034 |
--------------------------------------------------------------------------------