├── README.md └── quickrundown.cna /README.md: -------------------------------------------------------------------------------- 1 | # Quickrundown 2 | 3 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/quickrundown.png "QRD") 4 | 5 | ## Table of Contents 6 | 1. Summary and Methodology 7 | 2. Walkthrough 8 | 3. Under the Hood 9 | 10 | 11 | ## Summary and Methodology 12 | 13 | Quickrundown (QRD) at its core is an overlay for the **bps** command packaged with Cobalstrike; this overlay incorporates elements from @r3dQu1nn's processcolor.cna aggressor script to provide enhancements. Utilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed. Built into the script are capabilities to add processes, or update processes that already have characterizations assigned to them. This lets the operator do characterization and research with permenance (for the life of their cna file, that is). 14 | 15 | The methodology behind QRD came from frustration with not knowing the "so what" about processes on a host. Yes, I had a rough idea about some of them. But when it came down to it I really only truly knew a handful. Another problem was that I had no idea how to really utilize Sleep 2.1. I had grown accustom to running Python code in an IDE so that I could set breakpoints, analyze values, etc. With Sleep 2.1 I did not see anything readily available that could mimic that. Eventually I bit the bullet and emailed Raphael Mudge @armitagehacker) directly to start asking questions. Thankfully he was nice enough to put up with me until I could get the hang of things, and I do want to send him a big thank you. 16 | 17 | I tried to put as many comments as I could throughout this script to help aspiring operators. If you do not like all of the comments, I have included a **sed** script that will remove them. Please feel free to message me (@1c3be4r) if you have any questions about the script, or need help getting started with Sleep. 18 | 19 | ## Walkthrough 20 | 21 | Finally: the "just tell me how to turn the damn thing on" portion of the README. 22 | 23 | ### 1) Load the script 24 | 25 | First, you will need to pull down quickrundown.cna and place it on your filesystem. Make sure you remember where on the filesystem you will be loading this script (/home/ubuntu/quickrundown.cna, for example). 26 | 27 | Open the script and at the top you will see a variable labeled *$yourfile*. Edit this variable to say where *quickrundown.cna* is being loaded from. Ensure that Cobaltstrike can **write** to this file. 28 | 29 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step1.png "Step 1") 30 | 31 | ### 2) Once the script is loaded, pull up a beacon console and run the command **qrd** 32 | 33 | The command **qrd** will launch the quickrundown function. You can find this function in the *quickrundown* script at *alias qrd*. 34 | 35 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step2_.png "Step 2") 36 | 37 | ### 3) Examine the data 38 | 39 | The list and array packaged with this build are not extensive, as I could spend a week or more jamming processes into this thing; however, it does come with a few already preloaded (over 50). Feel free to share your lists once you get them matured. 40 | 41 | Known processes will simply be standard white text with the note off to the right. If one of the **known** processes also hits a category from the processcolor.cna script, then it will be *colorized()*. The lists for the color categories are found at the bottom of the script. 42 | 43 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step4_more.png "Step 3") 44 | 45 | ### 4) Document new processes or update old one 46 | 47 | If and when you discover an *++UNKNOWN PROCESS++* (as seen above), this is where the script gets good. Right click on the beacon to bring up the context menu, and select **Quickrundown** at the bottom. 48 | 49 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step3_.png "Step 4 also") 50 | 51 | Place the full process name into the top box (*newprocess.exe*) and the note you would like for the processes in the box below it. **Case sensitivity applies! How you see it in the process list is how it should be entered**. 52 | 53 | Hit **create/update**. 54 | 55 | Continue these steps until you are satisfied with your research progress. 56 | 57 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step4.png "Step 4") 58 | 59 | To **update** an existing processes, do everything that you would do to add in a new process: same process name, new note. 60 | 61 | *NOTE:* New or updated processes will not show characterization by **qrd** until you complete the next step. 62 | 63 | ### 5) Reload *quickrundown.cna* via the script console 64 | 65 | The processes you have researched are written to the *quickrundown.cna* file, yes. However, they are not loaded into memory within Cobaltstrike yet. Go to the *Script Manager* within Cobaltstrike and reload the script. 66 | 67 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step5.png "Step 5") 68 | 69 | ### 6) Verify and repeat 70 | 71 | With the script reloaded, run **qrd** again to see your work displayed. Known processes will be displayed in certain colors if they match specific categories (that you can add to, located at the bottom of the script). 72 | 73 | ![alt text](https://raw.githubusercontent.com/1c3be4r/stash/master/step6.png "Step 6") 74 | 75 | ## Under the Hood 76 | 77 | How does this thing work? 78 | 79 | First, QRD is taking data returned from **bps** and manipulating it in certain ways. It uses a variety of loops, lists, and arrays to place things where they need to go. I tried to comment the loops and variables as best as I could to help you follow along. 80 | 81 | Second, to add a new process the script takes a different route. The *quickrundown.cna* file is first opened in readonly mode and iterated through via a **while** loop. The loop will look for certain strings in the code, and take action once those strings are found. It will add the new process to a list, and the note to an array that is keyed to the process name; if the process name is already in the list or array, it will overwrite the note instead. 82 | 83 | As each line is read it is placed into a new list, and once the keywords are hit they are placed into the same list as well. The *quickrundown.cna* file is closed and reopened with the **>** flag: this flag means that it will overwrite the entire file. The list holding the old file is then iterated through, line by line, and pushed into the file. The file is closed with your new data in it. 84 | 85 | TL;DR: I rewrite the entire file with your new data in it. This is why it needs reloaded. 86 | 87 | -------------------------------------------------------------------------------- /quickrundown.cna: -------------------------------------------------------------------------------- 1 | #Quickrundown ps overlay and data 2 | # 3 | #author: Christopher Cottrell (@1c3be4r) 4 | #credits: @r3dQu1nn (processcolor.cna), @oldb00t (code guideposts), @vysecurity (code guideposts) 5 | #credits+: @armitagehacker for putting up with all my questions and emails 6 | 7 | # Hate (my) comments? sed -i 's/^#/d' quickrundown.cna 8 | 9 | 10 | 11 | 12 | # DO THIS FIRST <-------------------- START HERE 13 | # Place the location of THIS cna script in $yourfile 14 | 15 | $yourfile = "/home/ubuntu/Quickrundown/quickrundown.cna"; 16 | 17 | # Seriously this is important ^^^^ <-------------------- DID YOU DO THIS? 18 | 19 | alias qrd { #alias for quickrundown (qrd). This is what you will use in the beacon console 20 | 21 | # this is probably redundant, since $1 would give the beacon ID, but at least you get to see that bdata() 22 | # returns an array of info, such as id. You can foreach or println() this array to dump them all 23 | $bid = bdata($1); 24 | 25 | # call the fullps() function on our beacon id, and pass the id to the new function 26 | fullps($bid['id']); 27 | 28 | } 29 | 30 | 31 | sub fullps{ # this function will run the ps command (bps) and utilize a bunch of loops and arrays to spit out "smarter" data 32 | # big props to @r3dQu1nn for his process coloring scheme which I now consider the "standard" colors 33 | 34 | # I needed to expose these variable to different functions and took the easy way out 35 | # fullps is an array that will hold 36 | global('@fullps'); 37 | global('$thebeacon'); 38 | 39 | # gather data about the beacon. we will need the 'id' key for later on 40 | $thebeacon = bdata($1); 41 | 42 | # run the ps command and redirect the output to a lambda instance 43 | bps($thebeacon['id'], lambda({ 44 | 45 | # initialize variables used in the lambda instance 46 | local('$entry'); 47 | 48 | # the data being returned by bps ($2) is text, and to iterate this data it needs to be split according to something: in this case, a newline 49 | foreach $entry (split("\n",$2)) { 50 | 51 | # assigning variables to portions of the split text, splitting based on tab 52 | ($name, $null, $pid, $arch, $userfull) = split("\t", $entry); 53 | 54 | # splitting further based on \ to break up things like localhost\username, domain\username and spit out just the username 55 | ($null, $userslash) = split('\\\\', $userfull); 56 | 57 | # used to further break up things like NT SYSTEM and return just SYSTEM instead. Splitting based on white space 58 | ($user, $null) = split('\\s+', $userslash); 59 | 60 | # if the name of the process (assigned as $name) is in the list, send it to the colorized function 61 | # @knownsystemps is near the bottom of this script 62 | if(iff($name in @knownsystemps)) { 63 | 64 | # send the assigned variables to colorized(). These variables were initialized during the split() function above 65 | colorized($name, $pid, $arch, $user); 66 | 67 | } else if(iff($name in @blacklist)) { # some processes just dont look nice. List is towards the bottom of the script 68 | 69 | # greping out these processes 70 | local ('$temp'); 71 | $temp = $null 72 | 73 | } else { 74 | 75 | # This code is also in the colorized() function. This is taking things that we assigned during the split() 76 | # above and pushing it to an array. PID is pushed to keep unique keys in the array (I'm assuming) 77 | push(@fullps, %(pid => $pid, entry => "\c7$[25]name $[5]pid\t$[4]arch\t$[15]user\t++UNKNOWN PROCESS++\o"))}; 78 | 79 | } 80 | 81 | # setting up variables to make things readable 82 | 83 | $note1 = "\nProcess Name"; 84 | $note2 = "PID"; 85 | $note3 = "Arch"; 86 | $note4 = "User"; 87 | $note5 = "Note"; 88 | $allin .= "\o Process List with process highlighting\n"; 89 | $allin .= "\cC[*]\o Current Running PID: \c8 Yellow ". $thebeacon['pid'] ." \o \n"; 90 | $allin .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n"; 91 | $allin .= "\cC[*]\o Admin Tools: \cB LIGHT BLUE \o \n"; 92 | $allin .= "\cC[*]\o Browsers: \c3 GREEN \o \n"; 93 | $allin .= "\cC[*]\o AV/EDR: \c4 RED \o \n"; 94 | $allin .= "\cA[*]\o Infrastructure: \cA Turquoise \o \n\n"; 95 | $allin .= "$[25]note1 $[5]note2\t$[4]note3\t$[15]note4\t$note5\n"; 96 | $allin .= ("-" x 60); 97 | 98 | 99 | # sort via pid, also provides unique Key Value pair for the array 100 | sort({ return $1['pid'] <=> $2['pid']; }, @fullps); 101 | 102 | # initializing and running $testx to iterate through the list @fullps (which has all of our pushed data in it) 103 | foreach $testx (@fullps) { 104 | 105 | # joining together a sorted array based on the 'entry' key (the one that has all the data in it) 106 | $allin .= "\n$testx['entry']" ; 107 | 108 | } 109 | 110 | 111 | $allin .= "\n"; 112 | # send data to the beacon console. $1 is still referencing the beacon id that was passed from qrd() waaaay up there 113 | blog2($1, "$allin"); 114 | 115 | # clear the values so they can be used again 116 | $allin = "" ; 117 | @fullps = @(""); 118 | # I dont think this acutally works as intended but im too scared to take it out 119 | }, $callback => $allin;)); 120 | 121 | } 122 | 123 | 124 | 125 | sub colorized { # most of this code came from @r3dQu1nn and @oldb00 all I did was just turn it into a function 126 | # also added in an @infrastructure list that covers things like SIEM/SCCM/Monitoring software 127 | 128 | # arguments that were passed to this function and their correlation 129 | # $1 - name, $2 - pid $3 - arch $4 - user 130 | 131 | $name = $1; 132 | $pid = $2; 133 | $arch = $3; 134 | $user = $4; 135 | 136 | # highlight AV processes in RED. These lists are at the bottom of the script (from @r3dQu1nn) 137 | if(iff($name in @av || $name in @av1,true,false)) { 138 | local ('$temp'); 139 | # split the process name from filetype and only retain the name 140 | ($temp, $null) = split('\.', $name); 141 | # this is the same 'push' code seen from fullps(), except this time we are pushing data with a color tag 142 | # the biggest difference is the end portion, where we are pulling the VALUE out of the %kvpsystem array based on 143 | # the name of the process (split into temp, because you can't have a . in a KEY) 144 | push(@fullps, %(pid => $pid, entry => "\c4$[25]temp $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 145 | 146 | # highlight explorer or winlogon in BLUE. 147 | } else if(iff($name eq "explorer.exe" || $name eq "winlogon.exe")) { 148 | local ('$temp'); 149 | ($temp, $null) = split('\.', $name); 150 | push(@fullps, %(pid => $pid, entry => "\c2$[25]temp $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 151 | 152 | } else if ($name eq "chrome.exe" || $1 eq "firefox.exe" || $1 eq "iexplore.exe" || $1 eq "MicrosoftEdgeCP.exe") { 153 | local ('$temp'); 154 | ($temp, $null) = split('\.', $name); 155 | push(@fullps, %(pid => $pid, entry => "\c3$[25]temp $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 156 | 157 | 158 | } else if(iff($name in @admin,true,false)) { 159 | 160 | local ('$temp'); 161 | ($temp, $null) = split('\.', $name); 162 | push(@fullps, %(pid => $pid, entry => "\cB$[25]temp $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 163 | 164 | } else if($name in @infrastructure){ 165 | 166 | local ('$temp'); 167 | ($temp, $null) = split('\.', $name); 168 | push(@fullps, %(pid => $pid, entry => "\cA$[25]temp $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 169 | 170 | } 171 | 172 | 173 | 174 | else { # if you've gotten to here, it means that the process is 1) known, 2) not in the AV, explorer, inf, or a browser list 175 | local ('$temp'); 176 | ($temp, $null) = split('\.', $name); 177 | push(@fullps, %(pid => $pid, entry => "\o$[25]temp\o $[5]pid\t$[4]arch\t$[15]user\t" . %kvpsystem["$temp"])); 178 | } 179 | 180 | } 181 | 182 | 183 | 184 | sub fileopen{ # this function goes with the dialog button, and will add new processes and notes to the @knownsystemps and %kvpsystem 185 | 186 | 187 | # all of the options created from dialog in the addnewqrd() function. This is an array. It is $3 because of how &dialog is built 188 | %options = $3; 189 | 190 | # open the file...THIS file 191 | $opener = openf("$yourfile"); 192 | 193 | # making a list to catch all the line dumps from reading THIS file 194 | @catchit = @(); 195 | 196 | # iterate through the file looking for something specific. if it doesn't find it, push that line to the catchit list 197 | # if it finds the regex markers, it will stop and do something. this is how new processes and notes are inserted into the file 198 | while $line (readln($opener)){ 199 | 200 | ($dupeproc, $null) = split('\.', %options['newproc']); #splitting newproccess.exe into newprocess 201 | ($procclean, $null) = split('\\s+', $dupeproc); #stripping newprocess of any whitespaces that would mess with regex 202 | 203 | 204 | if ( $procclean in %kvpsystem ){ # if newproc is already in the array, then this is always true and loop redirection is here from now on 205 | 206 | if ($line hasmatch "$procclean =>"){ # checking for duplicate for updates 207 | $temp = ""; # clearing temp just in case 208 | $temp = "$procclean => "; 209 | $temp .= '"' . %options['newnote'] .'",'; 210 | push(@catchit, $temp); 211 | 212 | } else { push(@catchit, $line);} 213 | } 214 | 215 | else if ($line ismatch '"fIrSt"'){ # looking for a regex marker. This marker is in @knownsystemps. Don't remove it 216 | 217 | $temp = ""; 218 | $temp .= '"' . %options['newproc'] .'",'; 219 | #$temp = '"' . $procclean .'",'; 220 | push(@catchit, $temp); 221 | #$temp .= "\n"; 222 | $temp = '"fIrSt"'; # adding the marker back in so we can do this all over again with a new process 223 | push(@catchit, $temp); # push to the @catchit list everything in $temp 224 | 225 | } else if ($line eq 'sEcOnD => "testdata"'){ # the second marker. This is located in %kvpsystem 226 | 227 | $temp = ""; 228 | #($name, $null) = split('\.', %options['newproc']); # have to split the process name because no .'s in KEYS 229 | $temp = "$procclean => "; 230 | $temp .= '"' . %options['newnote'] .'",'; 231 | push(@catchit, $temp); 232 | #$temp .= "\n"; 233 | $temp = 'sEcOnD => '; 234 | $temp .= '"testdata'; 235 | $temp .= '"'; 236 | push(@catchit, $temp); 237 | 238 | } 239 | 240 | else { push(@catchit, $line); } # if it isn't the first or the second marker, push the line to the @catchit list 241 | # eventually the entire file will be in @catchit, but with the new processes added 242 | 243 | } 244 | 245 | 246 | closef($opener); # close the file, THIS file 247 | 248 | 249 | $openest = openf(">$yourfile"); # open THIS file back up but with write permissions 250 | foreach $line (@catchit) { println($openest, $line); } # push everything in @catchit, which includes the newly added processes and notes, into the file 251 | closef($opentest); # close and save the file 252 | 253 | } 254 | 255 | 256 | sub addnewqrd { # this function will add new processes and notes to the known process database 257 | 258 | # $1 is passed from the popup beacon_bottom function 259 | $bid = $1; 260 | 261 | # this will take your input and kick it over to the fileopen() function 262 | $dialog = dialog("Add and characterize a process for Quickrundown", %(newproc => "", newnote => "" ), &fileopen); 263 | dialog_description($dialog, "Characterize an ++UNKNOWN PROCESS++.\nReload Quickrundown.cna when you are finished with your research.\nIf you want to UPDATE a process, reload Quickrundown.cna so it can load the updated list into memory"); 264 | 265 | drow_text($dialog, "newproc", "newprocess.exe"); 266 | drow_text($dialog, "newnote", "A quick blurb about what you discovered about newprocess.exe"); 267 | 268 | # detailing what the button should say 269 | dbutton_action($dialog, "Create/Update"); 270 | 271 | # this function kill make the window actually show up. Think of this as executing the popup 272 | dialog_show($dialog); 273 | 274 | 275 | } 276 | 277 | # this will add a popup when you right click on a beacon 278 | popup beacon_bottom { 279 | item "Quickrundown" { 280 | #$1 corresponds to the item that initiated this function, and in this case, is the beacon id 281 | addnewqrd($1); 282 | 283 | } 284 | 285 | } 286 | 287 | 288 | 289 | # list of processes that dont play well with formatting 290 | @blacklist = @("Memory", 291 | "[System Process]"); 292 | 293 | # array of known proccess. Will correspond to a key value pair below. The last item is for regex matching and updating. Don't mess with it 294 | @knownsystemps = @( 295 | "svchost.exe", 296 | "System", 297 | "reg.exe", 298 | "Registry", 299 | "wininit.exe", 300 | "lsass.exe", 301 | "csrss.exe", 302 | "conhost.exe", 303 | "smss.exe", 304 | "winlogon.exe", 305 | "services.exe", 306 | "fontdrvhost.exe", 307 | "dwm.exe", 308 | "vmacthlp.exe", 309 | "spoolsv.exe", 310 | "SecurityHealthService.exe", 311 | "VGAuthService.exe", 312 | "vmtoolsd.exe", 313 | "WmiPrvSE.exe", 314 | "TPAutoConnSvc.exe", 315 | "dllhost.exe", 316 | "msdtc.exe", 317 | "SearchIndexer.exe", 318 | "sedsvc.exe", 319 | "SgrmBroker.exe", 320 | "MsMpEng.exe", 321 | "NisSrv.exe", 322 | "LogonUI.exe", 323 | "WUDFHost.exe", 324 | "audiodg.exe", 325 | "sppsvc.exe", 326 | "SearchProtocolHost.exe", 327 | "SearchFilterHost.exe", 328 | "wermgr.exe", 329 | "GoogleUpdate.exe", 330 | "SppExtComObj.exe", 331 | "sihost.exe", 332 | "taskhostw.exe", 333 | "ctfmon.exe", 334 | "RuntimeBroker.exe", 335 | "cmd.exe", 336 | "explorer.exe", 337 | "ShellExperienceHost.exe", 338 | "SearchUI.exe", 339 | "SkypeApp.exe", 340 | "ApplicationFrameHost.exe", 341 | "SkypeBackgroundHost.exe", 342 | "browser_broker.exe", 343 | "MicrosoftEdge.exe", 344 | "MicrosoftEdgeCP.exe", 345 | "LockApp.exe", 346 | "TPAutoConnect.exe", 347 | "MSASCuiL.exe", 348 | "OneDrive.exe", 349 | "cscript.exe", 350 | "Microsoft.Photos.exe", 351 | "HxTsr.exe", 352 | "backgroundTaskHost.exe", 353 | "chrome.exe", 354 | "fIrSt" 355 | ); 356 | 357 | 358 | # key value pairs that correspond to the process array. Keys need to be spelled and capitalized the same way as what is in the array. The last kvp is for regex matching. Don't mess with it 359 | %kvpsystem = %( 360 | svchost => "Manages system services that run from DLLs", 361 | System => "Responsible for system memory and compressed memory", 362 | lsass => "Enforces the security policy on the system", 363 | Registry => "Used to hold Software and User Registry hive data", 364 | wininit => "Critical system process required for function", 365 | csrss => "Responsible for console windows and creating and/or deleting threads", 366 | conhost => "Related to csrss. Related to cmd.exe", 367 | smss => "Session manager subsystem. Handles sessions on the system", 368 | winlogon => "Windows login subsystem. User authorization and Windows activation checks", 369 | services => "Service control manager; running, ending, and interacting with system services", 370 | fontdrvhost => "Usermode Font Driver, manages fonts in the current user account. Runs as admin", 371 | dwm => "Desktop Windows Manager. Manages visual effects for desktop", 372 | vmacthlp => "VMware process. More info needed", 373 | Memory => "More info needed, but probably related to spinning up memory", 374 | spoolsv => "Manages spooled print/fax jobs", 375 | SecurityHealthService => "Runs as a service. Part of Windows Defender", 376 | VGAuthService => "VMWare process. VMWare authentication service", 377 | vmtoolsd => "VMWare process. Syncronizes time in guest OS", 378 | WmiPrvSE => "Windows Management Instrumentation. Provides management info and control", 379 | TPAutoConnSvc => "VMWare Process.ThinPrint AutoConnect Service", 380 | dllhost => "Related to COM+ and loading .NET runtimes", 381 | msdtc => "Used to manage data transactions across servers. MSSQL", 382 | SearchIndexer => "Search Indexer for file indexing in Windows", 383 | sedsvc => "Related to Windows updates", 384 | SgrmBroker => "System Guard Runtime Monitor. More details needed", 385 | MsMpEng => "Windows Defender. Scans downloads", 386 | NisSrv => "Windows Defender. Network Realtime Inspection Service", 387 | LogonUI => "Logon User Interface", 388 | WUDFHost => "User Mode Driver Framework", 389 | sihost => "Shell infrastructure host. Handles graphic elements of the OS", 390 | taskhostw => "Starts DLL-based WIndows services when the computer boots. Loads DLLs", 391 | ctfmon => "Microsoft Office process. Monitors active windows", 392 | audiodg => "Audio Device Graph Isolation", 393 | sppsvc => "Microsoft Software Protection Platform. Download and installation of licences", 394 | RuntimeBroker => "Permissions manager for the Windows store", 395 | cmd => "Command Prompt", 396 | explorer => "Windows graphical shell; start menu, taskbar, etc", 397 | ShellExperienceHost => "Related to built-in Universal Apps. Integrate with Windows shell", 398 | SearchUI => "Part of Microsoft's native search UI - Cortana", 399 | SkypeApp => "Microsoft Skype", 400 | ApplicationFrameHost => "Related to Universal Windows Platform apps (store apps)", 401 | SkypeBackgroundHost => "Background downloader/installer for Skype", 402 | MicrosoftEdge => "Microsoft Edge browser", 403 | browser_broker => "Runs with Microsoft Edge", 404 | MicrosoftEdgeCP => "Software componente of the Edge browser", 405 | LockApp => "Responsible for displaying the lock screen", 406 | TPAutoConnect => "ThinPrint Autoconnect. VMWare", 407 | MSASCuiL => "Display icon for Windows Defender", 408 | cscript => "Command-line version of the windows script host", 409 | Microsoft => "Possibly the app for Microsoft Photos", 410 | SearchProtocolHost => "Windows Indexing Service", 411 | SearchFilterHost => "Related to search indexer", 412 | wermgr => "Windows Error Reporting", 413 | HxTsr => "Outlook communications; Microsoft Office", 414 | SppExtComObj => "Key Management Service, licensing for Microsoft products", 415 | GoogleUpdate => "Downloads, runs, and installs Google updates for Google apps", 416 | backgroundTaskHost => "Legit Microsoft process. More details needed", 417 | chrome => "Chrome browser or tab", 418 | sEcOnD => "testdata" 419 | ); 420 | 421 | 422 | #list of AVs from @r3dQu1nn. These are for the colorized() function and not all are present in the known array (maybe some day) 423 | @av = @("Tanium.exe", "360RP.exe", "360SD.exe", "360Safe.exe", "360leakfixer.exe", "360rp.exe", "360safe.exe", "360sd.exe", "360tray.exe", "AAWTray.exe", "ACAAS.exe", "ACAEGMgr.exe", "ACAIS.exe", "AClntUsr.EXE", "ALERT.EXE", "ALERTSVC.EXE", "ALMon.exe", "ALUNotify.exe", "ALUpdate.exe", "ALsvc.exe", "AVENGINE.exe", "AVGCHSVX.EXE", "AVGCSRVX.EXE", "AVGIDSAgent.exe", "AVGIDSMonitor.exe", "AVGIDSUI.exe", "AVGIDSWatcher.exe", "AVGNSX.EXE", "AVKProxy.exe", "AVKService.exe", "AVKTray.exe", "AVKWCtl.exe", "AVP.EXE", "AVP.exe", "AVPDTAgt.exe", "AcctMgr.exe", "Ad-Aware.exe", "Ad-Aware2007.exe", "AddressExport.exe", "AdminServer.exe", "Administrator.exe", "AeXAgentUIHost.exe", "AeXNSAgent.exe", "AeXNSRcvSvc.exe", "AlertSvc.exe", "AlogServ.exe", "AluSchedulerSvc.exe", "AnVir.exe", "AppSvc32.exe", "AtrsHost.exe", "Auth8021x.exe", "AvastSvc.exe", "AvastUI.exe", "Avconsol.exe", "AvpM.exe", "Avsynmgr.exe", "Avtask.exe", "BLACKD.exe", "BWMeterConSvc.exe", "CAAntiSpyware.exe", "CALogDump.exe", "CAPPActiveProtection.exe", "CAPPActiveProtection.exe", "CB.exe", "CCAP.EXE", "CCenter.exe", "CClaw.exe", "CLPS.exe", "CLPSLA.exe", "CLPSLS.exe", "CNTAoSMgr.exe", "CPntSrv.exe", "CTDataLoad.exe", "CertificationManagerServiceNT.exe", "ClShield.exe", "ClamTray.exe", "ClamWin.exe", "Console.exe", "CylanceUI.exe", "DAO_Log.exe", "DLService.exe", "DLTray.EXE", "DLTray.exe", "DRWAGNTD.EXE", "DRWAGNUI.EXE", "DRWEB32W.EXE", "DRWEBSCD.EXE", "DRWEBUPW.EXE", "DRWINST.EXE", "DSMain.exe", "DWHWizrd.exe", "DefWatch.exe", "DolphinCharge.exe", "EHttpSrv.exe", "EMET_Agent.exe", "EMET_Service.exe", "EMLPROUI.exe", "EMLPROXY.exe", "EMLibUpdateAgentNT.exe", "ETConsole3.exe", "ETCorrel.exe", "ETLogAnalyzer.exe", "ETReporter.exe", "ETRssFeeds.exe", "EUQMonitor.exe", "EndPointSecurity.exe", "EngineServer.exe", "EntityMain.exe", "EtScheduler.exe", "EtwControlPanel.exe", "EventParser.exe", "FAMEH32.exe", "FCDBLog.exe", "FCH32.exe", "FPAVServer.exe", "FProtTray.exe", "FSCUIF.exe", "FSHDLL32.exe", "FSM32.exe", "FSMA32.exe", "FSMB32.exe", "FWCfg.exe", "FireSvc.exe", "FireTray.exe", "FirewallGUI.exe", "ForceField.exe", "FortiProxy.exe", "FortiTray.exe", "FortiWF.exe", "FrameworkService.exe", "FreeProxy.exe", "GDFirewallTray.exe", "GDFwSvc.exe", "HWAPI.exe", "ISNTSysMonitor.exe", "ISSVC.exe", "ISWMGR.exe", "ITMRTSVC.exe", "ITMRT_SupportDiagnostics.exe", "ITMRT_TRACE.exe", "IcePack.exe", "IdsInst.exe", "InoNmSrv.exe", "InoRT.exe", "InoRpc.exe", "InoTask.exe", "InoWeb.exe", "IsntSmtp.exe", "KABackReport.exe", "KANMCMain.exe", "KAVFS.EXE", "KAVStart.exe", "KLNAGENT.EXE", "KMailMon.exe", "KNUpdateMain.exe", "KPFWSvc.exe", "KSWebShield.exe", "KVMonXP.exe", "KVMonXP_2.exe", "KVSrvXP.exe", "KWSProd.exe", "KWatch.exe", "KavAdapterExe.exe", "KeyPass.exe", "KvXP.exe", "LUALL.EXE", "LWDMServer.exe", "LockApp.exe", "LockAppHost.exe", "LogGetor.exe", "MCSHIELD.EXE", "MCUI32.exe", "MSASCui.exe", "ManagementAgentNT.exe", "McAfeeDataBackup.exe", "McEPOC.exe", "McEPOCfg.exe", "McNASvc.exe", "McProxy.exe", "McScript_InUse.exe", "McWCE.exe", "McWCECfg.exe", "Mcshield.exe", "Mctray.exe", "MgntSvc.exe", "MpCmdRun.exe", "MpfAgent.exe", "MpfSrv.exe", "MsMpEng.exe", "NAIlgpip.exe", "NAVAPSVC.EXE", "NAVAPW32.EXE", "NCDaemon.exe", "NIP.exe", "NJeeves.exe", "NLClient.exe", "NMAGENT.EXE", "NOD32view.exe", "NPFMSG.exe", "NPROTECT.EXE", "NRMENCTB.exe", "NSMdtr.exe", "NTRtScan.exe", "NVCOAS.exe", "NVCSched.exe", "NavShcom.exe", "Navapsvc.exe", "NaveCtrl.exe", "NaveLog.exe", "NaveSP.exe", "Navw32.exe", "Navwnt.exe", "Nip.exe", "Njeeves.exe", "Npfmsg2.exe", "Npfsvice.exe", "NscTop.exe", "Nvcoas.exe", "Nvcsched.exe", "Nymse.exe", "OLFSNT40.EXE", "OMSLogManager.exe", "ONLINENT.exe", "ONLNSVC.exe", "OfcPfwSvc.exe", "PASystemTray.exe", "PAVFNSVR.exe", "PAVSRV51.exe", "PNmSrv.exe", "POPROXY.EXE", "POProxy.exe", "PPClean.exe", "PPCtlPriv.exe", "PQIBrowser.exe", "PSHost.exe", "PSIMSVC.EXE", "PXEMTFTP.exe", "PadFSvr.exe", "Pagent.exe", "Pagentwd.exe", "PavBckPT.exe", "PavFnSvr.exe", "PavPrSrv.exe", "PavProt.exe", "PavReport.exe", "Pavkre.exe", "PcCtlCom.exe", "PcScnSrv.exe", "PccNTMon.exe", "PccNTUpd.exe", "PpPpWallRun.exe", "PrintDevice.exe", "ProUtil.exe", "PsCtrlS.exe", "PsImSvc.exe", "PwdFiltHelp.exe", "Qoeloader.exe", "RAVMOND.exe", "RAVXP.exe", "RNReport.exe", "RPCServ.exe", "RSSensor.exe", "RTVscan.exe", "RapApp.exe", "Rav.exe", "RavAlert.exe", "RavMon.exe", "RavMonD.exe", "RavService.exe", "RavStub.exe", "RavTask.exe", "RavTray.exe", "RavUpdate.exe", "RavXP.exe", "RealMon.exe", "Realmon.exe", "RedirSvc.exe", "RegMech.exe", "ReporterSvc.exe", "RouterNT.exe", "Rtvscan.exe", "SAFeService.exe", "SAService.exe", "SAVAdminService.exe", "SAVFMSESp.exe", "SAVMain.exe", "SAVScan.exe", "SCANMSG.exe", "SCANWSCS.exe", "SCFManager.exe", "SCFService.exe", "SCFTray.exe", "SDTrayApp.exe", "SEVINST.EXE", "SMEX_ActiveUpdate.exe", "SMEX_Master.exe", "SMEX_RemoteConf.exe", "SMEX_SystemWatch.exe", "SMSECtrl.exe", "SMSELog.exe", "SMSESJM.exe", "SMSESp.exe", "SMSESrv.exe", "SMSETask.exe", "SMSEUI.exe", "SNAC.EXE", "SNAC.exe", "SNDMon.exe", "SNDSrvc.exe", "SPBBCSvc.exe", "SPIDERML.EXE", "SPIDERNT.EXE", "SSM.exe", "SSScheduler.exe", "SVCharge.exe", "SVDealer.exe", "SVFrame.exe", "SVTray.exe", "SWNETSUP.EXE", "SavRoam.exe", "SavService.exe", "SavUI.exe", "ScanMailOutLook.exe", "SeAnalyzerTool.exe", "SemSvc.exe", "SescLU.exe", "SetupGUIMngr.exe", "SiteAdv.exe", "Smc.exe", "SmcGui.exe", "SnHwSrv.exe", "SnICheckAdm.exe", "SnIcon.exe", "SnSrv.exe", "SnicheckSrv.exe", "SpIDerAgent.exe", "SpntSvc.exe", "SpyEmergency.exe", "SpyEmergencySrv.exe", "StOPP.exe", "StWatchDog.exe", "SymCorpUI.exe", "SymSPort.exe", "TBMon.exe", "TFGui.exe", "TFService.exe", "TFTray.exe", "TFun.exe", "TIASPN~1.EXE", "TSAnSrf.exe", "TSAtiSy.exe", "TScutyNT.exe", "TSmpNT.exe", "TmListen.exe", "TmPfw.exe", "Tmntsrv.exe", "Traflnsp.exe", "TrapTrackerMgr.exe", "UPSCHD.exe", "UcService.exe", "UdaterUI.exe", "UmxAgent.exe", "UmxCfg.exe", "UmxFwHlp.exe", "UmxPol.exe", "Up2date.exe", "UpdaterUI.exe", "UrlLstCk.exe", "UserActivity.exe", "UserAnalysis.exe", "UsrPrmpt.exe", "V3Medic.exe", "V3Svc.exe", "VPC32.exe", "VPDN_LU.exe", "VPTray.exe", "VSStat.exe", "VsStat.exe", "VsTskMgr.exe", "WEBPROXY.EXE", "WFXCTL32.EXE", "WFXMOD32.EXE", "WFXSNT40.EXE", "WebProxy.exe", "WebScanX.exe", "WinRoute.exe", "WrSpySetup.exe", "ZLH.exe", "Zanda.exe", "ZhuDongFangYu.exe", "Zlh.exe", "_avp32.exe", "_avpcc.exe", "_avpm.exe", "aAvgApi.exe", "aawservice.exe", "acaif.exe", "acctmgr.exe", "ackwin32.exe", "aclient.exe", "adaware.exe", "advxdwin.exe", "aexnsagent.exe", "aexsvc.exe", "aexswdusr.exe", "aflogvw.exe", "afwServ.exe", "agentsvr.exe", "agentw.exe", "ahnrpt.exe", "ahnsd.exe", "ahnsdsv.exe", "alertsvc.exe", "alevir.exe", "alogserv.exe", "alsvc.exe", "alunotify.exe", "aluschedulersvc.exe", "amon9x.exe", "amswmagt.exe", "anti-trojan.exe", "antiarp.exe", "antivirus.exe", "ants.exe", "aphost.exe", "apimonitor.exe", "aplica32.exe", "aps.exe", "apvxdwin.exe", "arr.exe", "ashAvast.exe", "ashBug.exe", "ashChest.exe", "ashCmd.exe", "ashDisp.exe", "ashEnhcd.exe", "ashLogV.exe", "ashMaiSv.exe", "ashPopWz.exe", "ashQuick.exe", "ashServ.exe", "ashSimp2.exe", "ashSimpl.exe", "ashSkPcc.exe", "ashSkPck.exe", "ashUpd.exe", "ashWebSv.exe", "ashdisp.exe", "ashmaisv.exe", "ashserv.exe", "ashwebsv.exe", "asupport.exe", "aswDisp.exe", "aswRegSvr.exe", "aswServ.exe", "aswUpdSv.exe", "aswUpdsv.exe", "aswWebSv.exe", "aswupdsv.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "atwsctsk.exe", "au.exe", "aupdate.exe", "aupdrun.exe", "aus.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoup.exe", "autoupdate.exe", "avEngine.exe", "avadmin.exe", "avcenter.exe", "avconfig.exe", "avconsol.exe", "ave32.exe", "avengine.exe", "avesvc.exe", "avfwsvc.exe", "avgam.exe", "avgamsvr.exe", "avgas.exe", "avgcc.exe", "avgcc32.exe", "avgcsrvx.exe", "avgctrl.exe", "avgdiag.exe", "avgemc.exe", "avgfws8.exe", "avgfws9.exe", "avgfwsrv.exe", "avginet.exe", "avgmsvr.exe", "avgnsx.exe", "avgnt.exe", "avgregcl.exe", "avgrssvc.exe", "avgrsx.exe", "avgscanx.exe", "avgserv.exe", "avgserv9.exe", "avgsystx.exe", "avgtray.exe", "avguard.exe", "avgui.exe", "avgupd.exe", "avgupdln.exe", "avgupsvc.exe", "avgvv.exe", "avgw.exe", "avgwb.exe", "avgwdsvc.exe", "avgwizfw.exe", "avkpop.exe", "avkserv.exe", "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avmailc.exe", "avmcdlg.exe", "avnotify.exe", "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpexec.exe", "avpm.exe", "avpncc.exe", "avps.exe", "avptc32.exe", "avpupd.exe", "avscan.exe", "avsched32.exe", "avserver.exe", "avshadow.exe", "avsynmgr.exe", "avwebgrd.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", "backweb.exe", "bargains.exe", "basfipm.exe", "bd_professional.exe", "bdagent.exe", "bdc.exe", "bdlite.exe", "bdmcon.exe", "bdss.exe", "bdsubmit.exe", "beagle.exe", "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bmrt.exe", "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "bpk.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "bwgo0000.exe", "ca.exe", "caav.exe", "caavcmdscan.exe", "caavguiscan.exe", "caf.exe", "cafw.exe", "caissdt.exe", "capfaem.exe", "capfasem.exe", "capfsem.exe", "capmuamagt.exe", "casc.exe", "casecuritycenter.exe", "caunst.exe", "cavrep.exe", "cavrid.exe", "cavscan.exe", "cavtray.exe", "ccApp.exe", "ccEvtMgr.exe", "ccLgView.exe", "ccProxy.exe", "ccSetMgr.exe", "ccSetmgr.exe", "ccSvcHst.exe", "ccap.exe", "ccapp.exe", "ccevtmgr.exe", "cclaw.exe", "ccnfagent.exe", "ccprovsp.exe", "ccproxy.exe", "ccpxysvc.exe", "ccschedulersvc.exe", "ccsetmgr.exe", "ccsmagtd.exe", "ccsvchst.exe", "ccsystemreport.exe", "cctray.exe", "ccupdate.exe", "cdp.exe", "cfd.exe", "cfftplugin.exe", "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", "cfnotsrvd.exe", "cfp.exe", "cfpconfg.exe", "cfpconfig.exe", "cfplogvw.exe", "cfpsbmit.exe", "cfpupdat.exe", "cfsmsmd.exe", "checkup.exe", "cka.exe", "clamscan.exe", "claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", "cleanpc.exe", "cleanup.exe", "click.exe", "cmdagent.exe", "cmdinstall.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "comHost.exe", "connectionmonitor.exe", "control_panel.exe", "cpd.exe", "cpdclnt.exe", "cpf.exe", "cpf9x206.exe", "cpfnt206.exe", "crashrep.exe", "csacontrol.exe", "csinject.exe", "csinsm32.exe", "csinsmnt.exe", "csrss_tc.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "cz.exe", "datemanager.exe", "dbserv.exe", "dbsrv9.exe", "dcomx.exe", "defalert.exe", "defscangui.exe", "defwatch.exe", "deloeminfs.exe", "deputy.exe", "diskmon.exe", "divx.exe", "djsnetcn.exe", "dllcache.exe", "dllreg.exe", "doors.exe", "doscan.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwagntd.exe", "drwatson.exe", "drweb.exe", "drweb32.exe", "drweb32w.exe", "drweb386.exe", "drwebcgp.exe", "drwebcom.exe", "drwebdc.exe", "drwebmng.exe", "drwebscd.exe", "drwebupw.exe", "drwebwcl.exe", "drwebwin.exe", "drwupgrade.exe", "dsmain.exe", "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "dwengine.exe", "dwhwizrd.exe", "dwwin.exe", "ecengine.exe", "edisk.exe", "efpeadm.exe", "egui.exe", "ekrn.exe", "elogsvc.exe", "emet_agent.exe", "emet_service.exe", "emsw.exe", "engineserver.exe", "ent.exe", "era.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", "esecagntservice.exe", "esecservice.exe", "esmagent.exe", "espwatch.exe", "etagent.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", "evtProcessEcFile.exe", "evtarmgr.exe", "evtmgr.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "execstat.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firesvc.exe", "firetray.exe", "firewall.exe", "fmon.exe", "fnrb32.exe", "fortifw.exe", "fp-win.exe", "fp-win_trial.exe", "fprot.exe", "frameworkservice.exe", "frminst.exe", "frw.exe", "fsaa.exe", "fsaua.exe", "fsav.exe", "fsav32.exe", "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsavgui.exe", "fscuif.exe", "fsdfwd.exe", "fsgk32.exe", "fsgk32st.exe", "fsguidll.exe", "fsguiexe.exe", "fshdll32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsorsp.exe", "fspc.exe", "fspex.exe", "fsqh.exe", "fssm32.exe", "fwinst.exe", "gator.exe", "gbmenu.exe", "gbpoll.exe", "gcascleaner.exe", "gcasdtserv.exe", "gcasinstallhelper.exe", "gcasnotice.exe", "gcasserv.exe", "gcasservalert.exe", "gcasswupdater.exe", "generics.exe", "gfireporterservice.exe", "ghost_2.exe", "ghosttray.exe", "giantantispywaremain.exe", "giantantispywareupdater.exe", "gmt.exe", "guard.exe", "guarddog.exe", "guardgui.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", "hipsvc.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icepack.exe", "icload95.exe", "icloadnt.exe", "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "igateway.exe", "inetlnfo.exe", "infus.exe", "infwin.exe", "inicio.exe", "init.exe", "inonmsrv.exe", "inorpc.exe", "inort.exe", "inotask.exe", "intdel.exe", "intren.exe", "iomon98.exe", "isPwdSvc.exe", "isUAC.exe", "isafe.exe", "isafinst.exe", "issvc.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kaccore.exe", "kansgui.exe", "kansvr.exe", "kastray.exe", "kav.exe", "kav32.exe", "kavfs.exe", "kavfsgt.exe", "kavfsrcn.exe", "kavfsscs.exe", "kavfswp.exe", "kavisarv.exe", "kavlite40eng.exe", "kavlotsingleton.exe", "kavmm.exe", "kavpers40eng.exe", "kavpf.exe", "kavshell.exe", "kavss.exe", "kavstart.exe", "kavsvc.exe", "kavtray.exe", "kazza.exe", "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", "killprocesssetup161.exe", "kis.exe", "kislive.exe", "kissvc.exe", "klnacserver.exe", "klnagent.exe", "klserver.exe", "klswd.exe", "klwtblfs.exe", "kmailmon.exe", "knownsvr.exe", "kpf4gui.exe", "kpf4ss.exe", "kpfw32.exe", "kpfwsvc.exe", "krbcc32s.exe", "kvdetech.exe", "kvolself.exe", "kvsrvxp.exe", "kvsrvxp_1.exe", "kwatch.exe", "kwsprod.exe", "kxeserv.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "leventmgr.exe", "livesrv.exe", "lmon.exe", "lnetinfo.exe", "loader.exe", "localnet.exe", "lockdown.exe", "lockdown2000.exe", "log_qtine.exe", "lookout.exe", "lordpe.exe", "lsetup.exe", "luall.exe", "luau.exe", "lucallbackproxy.exe", "lucoms.exe", "lucomserver.exe", "lucoms~1.exe", "luinit.exe", "luspt.exe", "makereport.exe", "mantispm.exe", "mapisvc32.exe", "masalert.exe", "massrv.exe", "mcafeefire.exe", "mcagent.exe", "mcappins.exe", "mcconsol.exe", "mcdash.exe", "mcdetect.exe", "mcepoc.exe", "mcepocfg.exe", "mcinfo.exe", "mcmnhdlr.exe", "mcmscsvc.exe", "mcods.exe", "mcpalmcfg.exe", "mcpromgr.exe", "mcregwiz.exe", "mcscript.exe", "mcscript_inuse.exe", "mcshell.exe", "mcshield.exe", "mcshld9x.exe", "mcsysmon.exe", "mctool.exe", "mctray.exe", "mctskshd.exe", "mcuimgr.exe", "mcupdate.exe", "mcupdmgr.exe", "mcvsftsn.exe", "mcvsrte.exe", "mcvsshld.exe", "mcwce.exe", "mcwcecfg.exe", "md.exe", "mfeann.exe", "mfevtps.exe", "mfin32.exe", "mfw2en.exe", "mfweng3.02d30.exe", "mgavrtcl.exe", "mgavrte.exe", "mghtml.exe", "mgui.exe", "minilog.exe", "mmod.exe", "monitor.exe", "monsvcnt.exe", "monsysnt.exe", "moolive.exe", "mostat.exe", "mpcmdrun.exe", "mpf.exe", "mpfagent.exe", "mpfconsole.exe", "mpfservice.exe", "mpftray.exe", "mps.exe", "mpsevh.exe", "mpsvc.exe", "mrf.exe", "mrflux.exe", "msapp.exe", "msascui.exe", "msbb.exe", "msblast.exe", "mscache.exe", "msccn32.exe", "mscifapp.exe", "mscman.exe", "msconfig.exe", "msdm.exe", "msdos.exe", "msiexec16.exe", "mskagent.exe", "mskdetct.exe", "msksrver.exe", "msksrvr.exe", "mslaugh.exe", "msmgt.exe", "msmpeng.exe", "msmsgri32.exe", "msscli.exe", "msseces.exe", "mssmmc32.exe", "msssrv.exe", "mssys.exe", "msvxd.exe", "mu0311ad.exe", "mwatch.exe", "myagttry.exe", "n32scanw.exe", "nSMDemf.exe", "nSMDmon.exe", "nSMDreal.exe", "nSMDsch.exe", "naPrdMgr.exe", "nav.exe", "navap.navapsvc.exe", "navapsvc.exe", "navapw32.exe", "navdx.exe", "navlu32.exe", "navnt.exe", "navstub.exe", "navw32.exe", "navwnt.exe", "nc2000.exe", "ncinst4.exe"); 424 | 425 | @av1 = @("MsSense.exe", "SenseCncProxy.exe", "SenseSampleUploader.exe", "MSASCuiL.exe", "CylanceSvc.exe", "ndd32.exe", "ndetect.exe", "neomonitor.exe", "neotrace.exe", "neowatchlog.exe", "netalertclient.exe", "netarmor.exe", "netcfg.exe", "netd32.exe", "netinfo.exe", "netmon.exe", "netscanpro.exe", "netspyhunter-1.2.exe", "netstat.exe", "netutils.exe", "networx.exe", "ngctw32.exe", "ngserver.exe", "nip.exe", "nipsvc.exe", "nisoptui.exe", "nisserv.exe", "nisum.exe", "njeeves.exe", "nlsvc.exe", "nmain.exe", "nod32.exe", "nod32krn.exe", "nod32kui.exe", "normist.exe", "norton_internet_secu_3.0_407.exe", "notstart.exe", "npf40_tw_98_nt_me_2k.exe", "npfmessenger.exe", "npfmntor.exe", "npfmsg.exe", "nprotect.exe", "npscheck.exe", "npssvc.exe", "nrmenctb.exe", "nsched32.exe", "nscsrvce.exe", "nsctop.exe", "nsmdtr.exe", "nssys32.exe", "nstask32.exe", "nsupdate.exe", "nt.exe", "ntcaagent.exe", "ntcadaemon.exe", "ntcaservice.exe", "ntrtscan.exe", "ntvdm.exe", "ntxconfig.exe", "nui.exe", "nupgrade.exe", "nvarch16.exe", "nvc95.exe", "nvcoas.exe", "nvcsched.exe", "nvsvc32.exe", "nwinst4.exe", "nwservice.exe", "nwtool16.exe", "nymse.exe", "oasclnt.exe", "oespamtest.exe", "ofcdog.exe", "ofcpfwsvc.exe", "okclient.exe", "olfsnt40.exe", "ollydbg.exe", "onsrvr.exe", "op_viewer.exe", "opscan.exe", "optimize.exe", "ostronet.exe", "otfix.exe", "outpost.exe", "outpostinstall.exe", "outpostproinstall.exe", "paamsrv.exe", "padmin.exe", "pagent.exe", "pagentwd.exe", "panixk.exe", "patch.exe", "pavbckpt.exe", "pavcl.exe", "pavfires.exe", "pavfnsvr.exe", "pavjobs.exe", "pavkre.exe", "pavmail.exe", "pavprot.exe", "pavproxy.exe", "pavprsrv.exe", "pavsched.exe", "pavsrv50.exe", "pavsrv51.exe", "pavsrv52.exe", "pavupg.exe", "pavw.exe", "pccNT.exe", "pccclient.exe", "pccguide.exe", "pcclient.exe", "pccnt.exe", "pccntmon.exe", "pccntupd.exe", "pccpfw.exe", "pcctlcom.exe", "pccwin98.exe", "pcfwallicon.exe", "pcip10117_0.exe", "pcscan.exe", "pctsAuxs.exe", "pctsGui.exe", "pctsSvc.exe", "pctsTray.exe", "pdsetup.exe", "pep.exe", "periscope.exe", "persfw.exe", "perswf.exe", "pf2.exe", "pfwadmin.exe", "pgmonitr.exe", "pingscan.exe", "platin.exe", "pmon.exe", "pnmsrv.exe", "pntiomon.exe", "pop3pack.exe", "pop3trap.exe", "poproxy.exe", "popscan.exe", "portdetective.exe", "portmonitor.exe", "powerscan.exe", "ppinupdt.exe", "ppmcativedetection.exe", "pptbc.exe", "ppvstop.exe", "pqibrowser.exe", "pqv2isvc.exe", "prevsrv.exe", "prizesurfer.exe", "prmt.exe", "prmvr.exe", "programauditor.exe", "proport.exe", "protectx.exe", "psctris.exe", "psh_svc.exe", "psimreal.exe", "psimsvc.exe", "pskmssvc.exe", "pspf.exe", "purge.exe", "pview.exe", "pviewer.exe", "pxemtftp.exe", "pxeservice.exe", "qclean.exe", "qconsole.exe", "qdcsfs.exe", "qoeloader.exe", "qserver.exe", "rapapp.exe", "rapuisvc.exe", "ras.exe", "rasupd.exe", "rav7.exe", "rav7win.exe", "rav8win32eng.exe", "ravmon.exe", "ravmond.exe", "ravstub.exe", "ravxp.exe", "ray.exe", "rb32.exe", "rcsvcmon.exe", "rcsync.exe", "realmon.exe", "reged.exe", "remupd.exe", "reportsvc.exe", "rescue.exe", "rescue32.exe", "rfwmain.exe", "rfwproxy.exe", "rfwsrv.exe", "rfwstub.exe", "rnav.exe", "rrguard.exe", "rshell.exe", "rsnetsvr.exe", "rstray.exe", "rtvscan.exe", "rtvscn95.exe", "rulaunch.exe", "saHookMain.exe", "safeboxtray.exe", "safeweb.exe", "sahagent.exescan32.exe", "sav32cli.exe", "save.exe", "savenow.exe", "savroam.exe", "savscan.exe", "savservice.exe", "sbserv.exe", "scam32.exe", "scan32.exe", "scan95.exe", "scanexplicit.exe", "scanfrm.exe", "scanmailoutlook.exe", "scanpm.exe", "schdsrvc.exe", "schupd.exe", "scrscan.exe", "seestat.exe", "serv95.exe", "setloadorder.exe", "setup_flowprotector_us.exe", "setupguimngr.exe", "setupvameeval.exe", "sfc.exe", "sgssfw32.exe", "sh.exe", "shellspyinstall.exe", "shn.exe", "showbehind.exe", "shstat.exe", "siteadv.exe", "smOutlookPack.exe", "smc.exe", "smoutlookpack.exe", "sms.exe", "smsesp.exe", "smss32.exe", "sndmon.exe", "sndsrvc.exe", "soap.exe", "sofi.exe", "softManager.exe", "spbbcsvc.exe", "spf.exe", "sphinx.exe", "spideragent.exe", "spiderml.exe", "spidernt.exe", "spiderui.exe", "spntsvc.exe", "spoler.exe", "spoolcv.exe", "spoolsv32.exe", "spyxx.exe", "srexe.exe", "srng.exe", "srvload.exe", "srvmon.exe", "ss3edit.exe", "sschk.exe", "ssg_4104.exe", "ssgrate.exe", "st2.exe", "stcloader.exe", "stinger.exe", "stopp.exe", "stwatchdog.exe", "supftrl.exe", "support.exe", "supporter5.exe", "svcGenericHost", "svcharge.exe", "svchostc.exe", "svchosts.exe", "svcntaux.exe", "svdealer.exe", "svframe.exe", "svtray.exe", "swdsvc.exe", "sweep95.exe", "sweepnet.sweepsrv.sys.swnetsup.exe", "sweepsrv.exe", "swnetsup.exe", "swnxt.exe", "swserver.exe", "symlcsvc.exe", "symproxysvc.exe", "symsport.exe", "symtray.exe", "symwsc.exe", "sysdoc32.exe", "sysedit.exe", "sysupd.exe", "taskmo.exe", "taumon.exe", "tbmon.exe", "tbscan.exe", "tc.exe", "tca.exe", "tclproc.exe", "tcm.exe", "tdimon.exe", "tds-3.exe", "tds2-98.exe", "tds2-nt.exe", "teekids.exe", "tfak.exe", "tfak5.exe", "tgbob.exe", "titanin.exe", "titaninxp.exe", "tmas.exe", "tmlisten.exe", "tmntsrv.exe", "tmpfw.exe", "tmproxy.exe", "tnbutil.exe", "tpsrv.exe", "tracesweeper.exe", "trickler.exe", "trjscan.exe", "trjsetup.exe", "trojantrap3.exe", "trupd.exe", "tsadbot.exe", "tvmd.exe", "tvtmd.exe", "udaterui.exe", "undoboot.exe", "unvet32.exe", "updat.exe", "updtnv28.exe", "upfile.exe", "upgrad.exe", "uplive.exe", "urllstck.exe", "usergate.exe", "usrprmpt.exe", "utpost.exe", "v2iconsole.exe", "v3clnsrv.exe", "v3exec.exe", "v3imscn.exe", "vbcmserv.exe", "vbcons.exe", "vbust.exe", "vbwin9x.exe", "vbwinntw.exe", "vcsetup.exe", "vet32.exe", "vet95.exe", "vetmsg.exe", "vettray.exe", "vfsetup.exe", "vir-help.exe", "virusmdpersonalfirewall.exe", "vnlan300.exe", "vnpc3000.exe", "vpatch.exe", "vpc32.exe", "vpc42.exe", "vpfw30s.exe", "vprosvc.exe", "vptray.exe", "vrv.exe", "vrvmail.exe", "vrvmon.exe", "vrvnet.exe", "vscan40.exe", "vscenu6.02d30.exe", "vsched.exe", "vsecomr.exe", "vshwin32.exe", "vsisetup.exe", "vsmain.exe", "vsmon.exe", "vsserv.exe", "vsstat.exe", "vstskmgr.exe", "vswin9xe.exe", "vswinntse.exe", "vswinperse.exe", "w32dsm89.exe", "w9x.exe", "watchdog.exe", "webdav.exe", "webproxy.exe", "webscanx.exe", "webtrap.exe", "webtrapnt.exe", "wfindv32.exe", "wfxctl32.exe", "wfxmod32.exe", "wfxsnt40.exe", "whoswatchingme.exe", "wimmun32.exe", "win-bugsfix.exe", "winactive.exe", "winmain.exe", "winnet.exe", "winppr32.exe", "winrecon.exe", "winroute.exe", "winservn.exe", "winssk32.exe", "winstart.exe", "winstart001.exe", "wintsk32.exe", "winupdate.exe", "wkufind.exe", "wnad.exe", "wnt.exe", "wradmin.exe", "wrctrl.exe", "wsbgate.exe", "wssfcmai.exe", "wupdater.exe", "wupdt.exe", "wyvernworksfirewall.exe", "xagt.exe", "xagtnotif.exe", "xcommsvr.exe", "xfilter.exe", "xpf202en.exe", "zanda.exe", "zapro.exe", "zapsetup3001.exe", "zatutor.exe", "zhudongfangyu.exe", "zlclient.exe", "zlh.exe", "zonalm2601.exe", "zonealarm.exe", "mfecanary.exe", "mfeesp.exe", "mfefire.exe", "mfefw.exe", "mfehcs.exe", "mfemactl.exe", "mfemms.exe", "mfetp.exe", "mfewc.exe", "CSFalconService.exe", "CSFalconContainer.exe", "SophosFIMService.exe", "SophosFS.exe", "Sophos UI.exe", "SophosFileScanner.exe", "SAVAdminService.exe", "ALsvc.exe", "Clean.exe", "sdcservice.exe", "SEDService.exe", "SSPService.exe", "SophosFIMService.exe", "SophosFileScanner.exe", "SophosFS.exe", "Health.exe", "McsAgent.exe", "McsClient.exe", "SntpService.exe", "Safestore64.exe", "hmpalert.exe", "swi_service.exe", "swi_fc.exe", "swi_filter.exe"); 426 | 427 | 428 | @admin = @("MobaXterm.exe", "bash.exe", "git-bash.exe", "mmc.exe", "Code.exe", "notepad++.exe", "notepad.exe", "cmd.exe", "drwatson.exe", "DRWTSN32.EXE", "drwtsn32.exe", "dumpcap.exe", "ethereal.exe", "filemon.exe", "idag.exe", "idaw.exe", "k1205.exe", "loader32.exe", "netmon.exe", "netstat.exe", "netxray.exe", "NmWebService.exe", "nukenabber.exe", "portmon.exe", "powershell.exe", "PRTG Traffic Gr.exe", "PRTG Traffic Grapher.exe", "prtgwatchdog.exe", "putty.exe", "regmon.exe", "SystemEye.exe", "taskman.exe", "TASKMGR.EXE", "tcpview.exe", "Totalcmd.exe", "TrafMonitor.exe", "windbg.exe", "winobj.exe", "wireshark.exe", "WMonAvNScan.exe", "WMonAvScan.exe", "WMonSrv.exe","regedit.exe", "regedit32.exe", "accesschk.exe", "accesschk64.exe", "AccessEnum.exe", "ADExplorer.exe", "ADInsight.exe", "adrestore.exe", "Autologon.exe", "Autoruns.exe", "Autoruns64.exe", "autorunsc.exe", "autorunsc64.exe", "Bginfo.exe", "Bginfo64.exe", "Cacheset.exe", "Clockres.exe", "Clockres64.exe", "Contig.exe", "Contig64.exe", "Coreinfo.exe", "ctrl2cap.exe", "Dbgview.exe", "Desktops.exe", "disk2vhd.exe", "diskext.exe", "diskext64.exe", "Diskmon.exe", "DiskView.exe", "du.exe", "du64.exe", "efsdump.exe", "FindLinks.exe", "FindLinks64.exe", "handle.exe", "handle64.exe", "hex2dec.exe", "hex2dec64.exe", "junction.exe", "junction64.exe", "ldmdump.exe", "Listdlls.exe", "Listdlls64.exe", "livekd.exe", "livekd64.exe", "LoadOrd.exe", "LoadOrd64.exe", "LoadOrdC.exe", "LoadOrdC64.exe", "logonsessions.exe", "logonsessions64.exe", "movefile.exe", "movefile64.exe", "notmyfault.exe", "notmyfault64.exe", "notmyfaultc.exe", "notmyfaultc64.exe", "ntfsinfo.exe", "ntfsinfo64.exe", "pagedfrg.exe", "pendmoves.exe", "pendmoves64.exe", "pipelist.exe", "pipelist64.exe", "portmon.exe", "procdump.exe", "procdump64.exe", "procexp.exe", "procexp64.exe", "Procmon.exe", "PsExec.exe", "PsExec64.exe", "psfile.exe", "psfile64.exe", "PsGetsid.exe", "PsGetsid64.exe", "PsInfo.exe", "PsInfo64.exe", "pskill.exe", "pskill64.exe", "pslist.exe", "pslist64.exe", "PsLoggedon.exe", "PsLoggedon64.exe", "psloglist.exe", "pspasswd.exe", "pspasswd64.exe", "psping.exe", "psping64.exe", "PsService.exe", "PsService64.exe", "psshutdown.exe", "pssuspend.exe", "pssuspend64.exe", "RAMMap.exe", "RegDelNull.exe", "RegDelNull64.exe", "regjump.exe", "ru.exe", "ru64.exe", "sdelete.exe", "sdelete64.exe", "ShareEnum.exe", "ShellRunas.exe", "sigcheck.exe", "sigcheck64.exe", "streams.exe", "streams64.exe", "strings.exe", "strings64.exe", "sync.exe", "sync64.exe", "Sysmon.exe", "Sysmon64.exe", "Tcpvcon.exe", "Tcpview.exe", "Testlimit.exe", "Testlimit64.exe", "vmmap.exe", "Volumeid.exe", "Volumeid64.exe", "whois.exe", "whois64.exe", "Winobj.exe", "ZoomIt.exe",); 429 | 430 | @infrastructure = @( 431 | "LDsensors.exe", 432 | "LDpfcntrs.exe", 433 | "LDmemory.exe", 434 | "SoftMon.exe", 435 | "pds.exe", 436 | "PolicySync.exe"); 437 | --------------------------------------------------------------------------------