md5,sha1,sha256
C:\Program Files\osquery\osqueryd\osqueryd.exe
System
AppContainer
C:\Windows\SystemApps
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\audiodg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\DllHost.exe /Processid
C:\Windows\system32\svchost.exe -k DcomLaunch
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
C:\Program Files\Windows Defender
C:\Windows\System32\conhost.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
"C:\Program Files (x86)\Google\Update\
"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
C:\Program Files\Dell\SupportAssist\pcdrcui.exe
C:\Program Files\Dell\SupportAssist\koala.exe
AcroRd32.exe" /CR
AcroRd32.exe" --channel
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\NVIDIA Corporation\Display\
C:\Program Files\Realtek\
cmd.exe
PsExe
winexe
powershell
cscript
wscript
mstsc
RTS2App
RTS3App
wmic
MSBuild.exe
cmstp.exe
mshta.exe
msiexec.exe
msxsl.exe
rclone.exe
169.254.169.254
C:\Program Files\osquery\osqueryd\osqueryd.exe
C:\Users
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\audiodg.exe
C:\windows\system32\kernel32.dll
Google\Chrome\Application\chrome.exe
\Start Menu\Programs\Startup
\Start Menu\Startup
\autoexec.bat
\config.sys
\wininit.ini
\win.ini
\system.ini
\config.nt
\autoexec.nt
\Content.Outlook\
\Downloads\
\Temp\7z
\spool\drivers\x
.vbs
.hta
.bat
.cmd
.ps1
C:\Users\Default
C:\Windows\System32\GroupPolicy\Machine\Scripts
C:\Windows\System32\GroupPolicy\User\Scripts
C:\Windows\System32\drivers
C:\Windows\SysWOW64\Drivers
C:\Windows\System32\wbem
C:\Windows\SysWOW64\wbem
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
.cmdline
C:\Program Files\osquery\osqueryd\osqueryd.exe
C:\Program Files\osquery\
\Downloads
\Start Menu
\Start Menu\Programs
\Start Menu\Programs\Startup
\Services\DNS\Parameters\ServerLevelPluginDll
\Start Menu\Programs\Startup
\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
file\shell\open
\Microsoft\Active Setup\Installed Components
\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Microsoft\Windows NT\CurrentVersion\Drivers32
\Software\Policies\Microsoft\Windows\
\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
\Software\Microsoft\Windows\CurrentVersion\Policies
\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
\Microsoft\Windows\CurrentVersion\Explorer\Shell
\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
\Microsoft\Internet Explorer\Toolbar\
\Microsoft\Internet Explorer\Explorer Bars
\Microsoft\Internet Explorer\Extensions
\Microsoft\Internet Explorer\Desktop\Components
\Microsoft\Internet Explorer\UrlSearchHooks
\Software\Microsoft\Windows NT\CurrentVersion\svchost
\ShellEx\ContextMenuHandlers
\ShellEx\PropertySheetHandlers
\Shellex\DragDropHandlers
\Shellex\CopyHookHandlers
\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
\Control Panel\Desktop\Scrnsave.exe
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
\Control\Terminal Server\Wds\rdpwd\StartupPrograms
\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
\Control\Session Manager
\Control\BootVerificationProgram\ImagePath
\Microsoft\Command Processor\Autorun
\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
\Control\SafeBoot\AlternateShell
\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\Software\Policies\Microsoft\PowerShell
\Microsoft\Office\Outlook\Addins
\Microsoft\Office\Excel\Addins
\Microsoft\Office\PowerPoint\Addins
\Microsoft\Office\Word\Addins
\Control\NetworkProvider\Order
\Software\Classes\Protocols
\Software\Classes\Filter
\Control\Print\Monitors
\Control\SecurityProviders\SecurityProviders
\Control\Lsa
\System\Setup\CmdLine
Windows\CurrentVersion\Shell Extensions
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
\Windows\CurrentVersion\Run
\Windows\System\Scripts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
\ServiceDll
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
\shell\install\command\
\shell\open\command\
\Explorer\FileExts\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinSock
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
C:\Program Files\osquery\
Content.Outlook
Downloads
Temp\7z
.vbs
.hta
.ps1
C:\Program Files\osquery\osqueryd\osqueryd.exe
lsass
\SQLLocal\RTCLOCAL
\M.E.C.Core.WinRMDataCommunicator.NamedPipe.
c:\windows\system32\inetsrv\w3wp.exe
C:\Windows\syswow64\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE
C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe
C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe
C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe
C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe
C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe
C:\Windows\system32\dns.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe
C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe
C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe
C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe
C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe
C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe
C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe
C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe
C:\Windows\system32\DFSRs.exe
C:\Windows\SystemApps\Microsoft.Windows
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\System32\LxRun.exe
vmware-
\System
\InitShutdown
C:\Windows\System32\wininit.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\services.exe
\ntsvcs
\scerpc
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
C:\Windows\System32\smss.exe
C:\Windows\System32\spoolsv.exe
\epmapper
\atsvc
\browser
\srvsvc
\Winsock2CatelogChangeListener
ProtectedPrefix\LocalService\FTHPIPE
\W32TIME_ALT
\eventlog
\wkssvc
\TDLN-
\WiFiNetworkManagerTask
\MsFteWds
\WRSVCPipe
\WRSynUM2
\wrUrl
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
AppData\Local\Google\Chrome\User Data\SwReporter\
mojo.
crashpad_
chrome.
GoogleCrashServices
slack.exe
booma\
qtsingleapp-enpass-
qtsingleapp-enpass-
Everything Service
anchor_gui_agent
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe
C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
C:\Program Files\Lenovo\HOTKEY\shtctky.exe
C:\Windows\System32\LPlatSvc.exe
C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe
C:\Windows\LTSvc\LTSVC.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\OpenVPN\bin\openvpnserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
C:\Program Files\Lenovo\HOTKEY\tphkload.exe
C:\Program Files\Lenovo\
C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe
Graylog-collector-sidecar.exe
C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe
C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe
C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe
C:\Program Files (x86)\SmartGit\bin\smartgit.exe
C:\Program Files (x86)\SmartGit\bin\smartgit.exe
Anonymous Pipe
C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe
C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files (x86)\Enpass\Enpass.exe
C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe
C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe
C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe
SQLAnywhereLRM
pgsignal
postgres.exe
MICROSOFT##WID\tsql\query
TSVCPIPE-
BB4BB19A178C25D1
SQLAnywhereLRM
SQLLocal
DropboxPipe_
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe
C:\Pfx Engagement\WM\PFXEngagement.exe
C:\Pfx Engagement\WM\PfxEngagement.exe
C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe
C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
QBW32.EXE
\Trend Micro\OfficeScan
C:\Windows\system32\wbem\wmiprvse.exe
\Sophos\Health
\Sophos\Sophos Anti-Virus
C:\WINDOWS\system32\svchost.exe
C:\Windows\system32\WUDFHost.exe
\Trend Micro\AOT
\Trend Micro\iService
\Trend Micro\Endpoint Basecamp
C:\Program Files\USSAgent\USSAgent\ProxyTray.exe
C:\Program Files\USSAgent\USSAgent\USSService.exe