<Sysmon schemaversion="4.0">
<HashAlgorithms>md5,sha1,sha256</HashAlgorithms>
<EventFiltering>
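<ProcessCreate onmatch="exclude">
<!-- Event ID 1. Exclude mode: every process creation is logged except those matching a rule below. -->
<!-- Condition keywords are lowercase throughout this block (three entries previously read "Image"). -->
<!-- Endpoint agent. -->
<Image condition="image">C:\Program Files\osquery\osqueryd\osqueryd.exe</Image>
<!-- NOTE(review): dropping every process at System integrity removes visibility of service, scheduled-task and installer launches running as SYSTEM, which is where much post-exploitation activity lands; a narrower Image/ParentImage list keeps that coverage. -->
<IntegrityLevel condition="is">System</IntegrityLevel>
<IntegrityLevel condition="is">AppContainer</IntegrityLevel>
<!-- Windows platform components and their children. -->
<Image condition="begin with">C:\Windows\SystemApps</Image>
<ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage>
<Image condition="image">C:\Windows\System32\audiodg.exe</Image>
<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
<!-- NOTE(review): a parent rule hides every child of that parent. The DcomLaunch svchost is the parent of DCOM-activated processes, so this rule trades that visibility for less noise; confirm the trade-off is intended. -->
<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine>
<!-- The csrss command line contains the unexpanded %SystemRoot% token, so the prefix is matched as written. -->
<ParentCommandLine condition="begin with">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine>
<Image condition="begin with">C:\Program Files\Windows Defender</Image>
<Image condition="image">C:\Windows\System32\conhost.exe</Image>
<Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image>
<!-- Office Click-to-Run updater and its children. -->
<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage>
<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage>
<!-- Browser child processes (Chrome renderer/utility children, Firefox plugin containers) and Google Update. -->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Update\</CommandLine>
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
<!-- Dell SupportAssist. -->
<Image condition="image">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
<Image condition="image">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
<!-- Adobe Reader sandbox children and Adobe updaters/licensing. -->
<CommandLine condition="contains">AcroRd32.exe" /CR</CommandLine>
<CommandLine condition="contains">AcroRd32.exe" --channel</CommandLine>
<Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image>
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image>
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image>
<!-- Display and audio driver helpers; a directory prefix excludes every binary under the path. -->
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
<Image condition="begin with">C:\Program Files\Realtek\</Image>
</ProcessCreate>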
<!-- Event ID 2 (file creation time changed). An include block with no rules logs nothing for this event type. -->
<FileCreateTime onmatch="include"/>
<NetworkConnect onmatch="include">
<!-- Event ID 3. Include mode: only outbound connections made by the images below are logged; all other processes are silent. -->
<!-- "contains" is a substring match on the full image path, so short tokens such as "wmic" or "mstsc" also match any path that happens to contain them. -->
<!-- Scripting hosts, shells and remote-execution tools. -->
<Image condition="contains">cmd.exe</Image>
<!-- Substring chosen to cover PsExec and its PSEXESVC service name (Sysmon matching is case-insensitive). -->
<Image condition="contains">PsExe</Image>
<Image condition="contains">winexe</Image>
<Image condition="contains">powershell</Image>
<Image condition="contains">cscript</Image>
<Image condition="contains">wscript</Image>
<Image condition="contains">mstsc</Image>
<!-- Presumably a vendor application; not identifiable from this file, confirm with the config owner. -->
<Image condition="contains">RTS2App</Image>
<Image condition="contains">RTS3App</Image>
<Image condition="contains">wmic</Image>
<!-- Signed Windows binaries commonly used as proxies for code execution; network activity from them is worth keeping. -->
<Image condition="contains">MSBuild.exe</Image>
<Image condition="contains">cmstp.exe</Image>
<Image condition="contains">mshta.exe</Image>
<Image condition="contains">msiexec.exe</Image>
<Image condition="contains">msxsl.exe</Image>
</NetworkConnect>
<NetworkConnect onmatch="exclude">
<!-- Event ID 3 exclusions. Exclude matches take precedence over the include list above. -->
<!-- NOTE(review): 169.254.169.254 is the link-local address cloud platforms serve instance metadata (and instance credentials) from. With this rule a shell or script host from the include list reaching that endpoint is never logged, which is precisely the connection an investigation of credential theft from an instance needs. Consider logging it and filtering downstream. -->
<DestinationIp condition="is">169.254.169.254</DestinationIp>
<!-- Endpoint agent. -->
<Image condition="image">C:\Program Files\osquery\osqueryd\osqueryd.exe</Image>
</NetworkConnect>
<ProcessTerminate onmatch="include">
<!-- Event ID 5. Only terminations of images located under user profiles are logged; system and Program Files binaries are not. -->
<Image condition="begin with">C:\Users</Image>
</ProcessTerminate>
<!-- Event ID 6. An exclude block with no rules logs every driver load. -->
<DriverLoad onmatch="exclude"/>
<CreateRemoteThread onmatch="exclude">
<!-- Event ID 8. Exclude mode: every remote thread creation is logged except those below. -->
<!-- Windows system processes that routinely create threads in other processes. Note that excluding svchost.exe by image hides every service host instance. -->
<SourceImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\audiodg.exe</SourceImage>
<!-- NOTE(review): a thread start address inside kernel32.dll is also what LoadLibrary-style DLL injection looks like in this event, and this rule applies regardless of SourceImage. Scoping it to known benign source images would keep that detection. -->
<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
<!-- Chrome as the target process; presumably to suppress the browser's own sandbox activity, confirm with the config owner. -->
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
</CreateRemoteThread>
<!-- Event ID 9 (raw read of a volume via \\.\ device path). An include block with no rules logs nothing. -->
<!-- NOTE(review): raw volume reads are how locked files such as the registry hives and the AD database get copied without opening them; an include rule for images outside C:\Windows would add that visibility cheaply. -->
<RawAccessRead onmatch="include"/>
<FileCreate onmatch="include">
<!-- Event ID 11. Include mode: only files created at the locations or with the extensions below are logged. -->
<!-- Startup folders and legacy boot/config files. -->
<TargetFilename condition="contains">\Start Menu\Programs\Startup</TargetFilename>
<TargetFilename condition="contains">\Start Menu\Startup</TargetFilename>
<TargetFilename condition="contains">\autoexec.bat</TargetFilename>
<TargetFilename condition="contains">\config.sys</TargetFilename>
<TargetFilename condition="contains">\wininit.ini</TargetFilename>
<TargetFilename condition="contains">\win.ini</TargetFilename>
<TargetFilename condition="contains">\system.ini</TargetFilename>
<TargetFilename condition="contains">\config.nt</TargetFilename>
<TargetFilename condition="contains">\autoexec.nt</TargetFilename>
<!-- Common landing places for downloaded or extracted content: Outlook attachment cache, Downloads, 7-Zip temp extraction. -->
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
<TargetFilename condition="contains">\Downloads\</TargetFilename>
<TargetFilename condition="contains">\Temp\7z</TargetFilename>
<!-- Script and batch file extensions, wherever they are written. -->
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename condition="end with">.ps1</TargetFilename>
<!-- Default profile, Group Policy script folders, driver, WMI and PowerShell directories (both 64-bit and WOW64 views). -->
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\wbem</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\SysWOW64\wbem</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
<!-- .cmdline files are written by the .NET compiler when code is compiled at runtime. -->
<TargetFilename condition="end with">.cmdline</TargetFilename>
</FileCreate>
<FileCreate onmatch="exclude">
<!-- Event ID 11 exclusions; these take precedence over the include rules above. -->
<!-- Endpoint agent and its installation directory. -->
<Image condition="image">C:\Program Files\osquery\osqueryd\osqueryd.exe</Image>
<TargetFilename condition="begin with">C:\Program Files\osquery\</TargetFilename>
<!-- "end with" on a folder name matches creation of the folder itself (e.g. a new profile), not files inside it, which the include list matches with a trailing backslash. -->
<TargetFilename condition="end with">\Downloads</TargetFilename>
<TargetFilename condition="end with">\Start Menu</TargetFilename>
<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename>
<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename>
</FileCreate>
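<RegistryEvent onmatch="include">
<!-- Event IDs 12, 13 and 14. Include mode: only registry activity under the persistence and hijack locations listed here is logged. -->
<!-- NOTE(review): several rules below match the kernel-style prefix \REGISTRY\MACHINE\. Sysmon builds from the 6.x line onward (7.0 introduced schema 4.0, to my knowledge) render TargetObject as HKLM\..., in which case those rules never fire and coverage of Winlogon Notify/Userinit, App Paths, AppCertDlls, GPExtensions, WinSock, Credential Providers and AppInit_DLLs is silently lost. Check one live Event ID 13 record and rewrite the prefixes as HKLM\ if it shows the abbreviated form. -->
<!-- DNS server plugin DLL. -->
<TargetObject condition="contains">\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
<!-- Startup folder and shell folder redirection. -->
<TargetObject condition="contains">\Start Menu\Programs\Startup</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</TargetObject>
<!-- File type open handlers. -->
<TargetObject condition="contains">file\shell\open</TargetObject>
<!-- Active Setup, font drivers, Drivers32. -->
<TargetObject condition="contains">\Microsoft\Active Setup\Installed Components</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Font Drivers</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
<!-- Policy keys and Group Policy scripts. -->
<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\</TargetObject>
<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject>
<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies</TargetObject>
<!-- Shell service objects, Explorer shell extensions and Internet Explorer add-ons. -->
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\Shell</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler</TargetObject>
<TargetObject condition="contains">\Microsoft\Internet Explorer\Toolbar\</TargetObject>
<TargetObject condition="contains">\Microsoft\Internet Explorer\Explorer Bars</TargetObject>
<TargetObject condition="contains">\Microsoft\Internet Explorer\Extensions</TargetObject>
<TargetObject condition="contains">\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
<!-- Previously ended with a stray apostrophe, which made the substring unmatchable. -->
<TargetObject condition="contains">\Microsoft\Internet Explorer\UrlSearchHooks</TargetObject>
<!-- svchost service groups. -->
<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\svchost</TargetObject>
<!-- Shell extension handlers and icon overlays. -->
<TargetObject condition="contains">\ShellEx\ContextMenuHandlers</TargetObject>
<TargetObject condition="contains">\ShellEx\PropertySheetHandlers</TargetObject>
<TargetObject condition="contains">\Shellex\DragDropHandlers</TargetObject>
<TargetObject condition="contains">\Shellex\CopyHookHandlers</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers</TargetObject>
<!-- Screen saver, alternate shells, RDP startup programs, session manager, boot verification. -->
<TargetObject condition="contains">\Control Panel\Desktop\Scrnsave.exe</TargetObject>
<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells</TargetObject>
<TargetObject condition="contains">\Control\Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
<TargetObject condition="contains">\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
<TargetObject condition="contains">\Control\Session Manager</TargetObject>
<TargetObject condition="contains">\Control\BootVerificationProgram\ImagePath</TargetObject>
<!-- cmd.exe autorun, Browser Helper Objects, Safe Mode shell, Image File Execution Options. -->
<TargetObject condition="contains">\Microsoft\Command Processor\Autorun</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects</TargetObject>
<TargetObject condition="contains">\Control\SafeBoot\AlternateShell</TargetObject>
<TargetObject condition="contains">\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<!-- PowerShell policy and Office add-ins. -->
<TargetObject condition="contains">\Software\Policies\Microsoft\PowerShell</TargetObject>
<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins</TargetObject>
<TargetObject condition="contains">\Microsoft\Office\Excel\Addins</TargetObject>
<TargetObject condition="contains">\Microsoft\Office\PowerPoint\Addins</TargetObject>
<TargetObject condition="contains">\Microsoft\Office\Word\Addins</TargetObject>
<!-- Previously ended with a stray apostrophe, which made the substring unmatchable. -->
<TargetObject condition="contains">\Control\NetworkProvider\Order</TargetObject>
<!-- Protocol handlers and filters, print monitors, security providers, LSA. -->
<TargetObject condition="contains">\Software\Classes\Protocols</TargetObject>
<TargetObject condition="contains">\Software\Classes\Filter</TargetObject>
<TargetObject condition="contains">\Control\Print\Monitors</TargetObject>
<TargetObject condition="contains">\Control\SecurityProviders\SecurityProviders</TargetObject>
<TargetObject condition="contains">\Control\Lsa</TargetObject>
<!-- Setup command line, shell extensions, installer in-progress marker, Run keys, logon scripts. -->
<TargetObject condition="contains">\System\Setup\CmdLine</TargetObject>
<TargetObject condition="contains">Windows\CurrentVersion\Shell Extensions</TargetObject>
<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
<TargetObject condition="contains">\Windows\CurrentVersion\Run</TargetObject>
<TargetObject condition="contains">\Windows\System\Scripts</TargetObject>
<!-- Winlogon Notify/Userinit, ServiceDll, App Paths, AppCertDlls. -->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject>
<TargetObject condition="end with">\ServiceDll</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
<!-- Install/open verb commands, file extension associations, GP extensions, WinSock, credential providers, AppInit_DLLs. -->
<TargetObject condition="contains">\shell\install\command\</TargetObject>
<TargetObject condition="contains">\shell\open\command\</TargetObject>
<TargetObject condition="contains">\Explorer\FileExts\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<!-- GUID subkey; its meaning is not recorded in this file, confirm with the config owner. -->
<TargetObject condition="contains">\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject>
</RegistryEvent>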
<FileCreateStreamHash onmatch="include">
<!-- Event ID 15 (file written with an alternate data stream, e.g. a Zone.Identifier mark of the web). Include mode. -->
<!-- NOTE(review): osquery is excluded from every other event type in this file but included here; confirm whether this is intended tamper monitoring of the agent directory or a copy/paste slip. -->
<TargetFilename condition="begin with">C:\Program Files\osquery\</TargetFilename>
<!-- Outlook attachment cache, Downloads, 7-Zip temp extraction (no path separators, so any path containing the token matches). -->
<TargetFilename condition="contains">Content.Outlook</TargetFilename>
<TargetFilename condition="contains">Downloads</TargetFilename>
<TargetFilename condition="contains">Temp\7z</TargetFilename>
<!-- Script extensions. -->
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.ps1</TargetFilename>
</FileCreateStreamHash>
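<PipeEvent onmatch="exclude">
<!-- Event IDs 17 (pipe created) and 18 (pipe connected). Exclude mode: all pipe activity is logged except matches below. -->
<!-- Condition "is" compares the full Image path, so bare file names use "image", which matches on the file name alone. Two entries previously spelled ".exee" and four duplicate or already-covered entries were dropped. -->
<!-- Endpoint agent. -->
<Image condition="image">C:\Program Files\osquery\osqueryd\osqueryd.exe</Image>
<!-- NOTE(review): this substring drops every pipe whose name contains "lsass", including attacker-chosen names that imitate it; the legitimate LSA pipe can be excluded with condition="is" on its exact name instead. -->
<PipeName condition="contains">lsass</PipeName>
<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
<!-- IIS worker, SNMP, SharePoint timer, Exchange, DNS server, SQL VSS writer. -->
<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe</Image>
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe</Image>
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe</Image>
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe</Image>
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe</Image>
<Image condition="is">C:\Windows\system32\dns.exe</Image>
<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
<!-- Skype for Business Server 2015 components. -->
<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
<!-- DFS Replication service. -->
<Image condition="is">C:\Windows\system32\DFSRs.exe</Image>
<!-- Windows platform processes. -->
<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
<Image condition="is">C:\Windows\System32\LxRun.exe</Image>
<PipeName condition="contains">vmware-</PipeName>
<!-- NOTE(review): Sysmon reports the kernel as Image "System"; confirm from a live event whether the leading backslash here ever matches. -->
<Image condition="is">\System</Image>
<PipeName condition="is">\InitShutdown</PipeName>
<Image condition="is">C:\Windows\System32\wininit.exe</Image>
<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
<Image condition="is">C:\Windows\System32\services.exe</Image>
<!-- NOTE(review): \ntsvcs, \atsvc, \srvsvc and \epmapper carry the RPC interfaces for remote service control and task scheduling; excluding them by name removes one of the few host-side traces of remote administration, legitimate or not. Pairing each with a specific Image would keep that visibility. -->
<PipeName condition="is">\ntsvcs</PipeName>
<PipeName condition="is">\scerpc</PipeName>
<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
<Image condition="is">C:\Windows\System32\smss.exe</Image>
<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
<PipeName condition="is">\epmapper</PipeName>
<PipeName condition="is">\atsvc</PipeName>
<PipeName condition="is">\browser</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<!-- NOTE(review): this is an exact match and looks misspelled relative to the Winsock2\CatalogChangeListener pipe family; verify against a live event that it ever matches. -->
<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
<PipeName condition="is">\W32TIME_ALT</PipeName>
<PipeName condition="is">\eventlog</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="contains">\TDLN-</PipeName>
<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
<PipeName condition="is">\MsFteWds</PipeName>
<!-- Webroot. -->
<PipeName condition="is">\WRSVCPipe</PipeName>
<PipeName condition="is">\WRSynUM2</PipeName>
<PipeName condition="is">\wrUrl</PipeName>
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
<!-- Google Chrome, Google Update and Chrome cleanup tool; the mojo/crashpad pipes are Chrome IPC. -->
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
<PipeName condition="contains">mojo.</PipeName>
<PipeName condition="contains">crashpad_</PipeName>
<PipeName condition="contains">chrome.</PipeName>
<PipeName condition="contains">GoogleCrashServices</PipeName>
<!-- Slack, Enpass, Everything, other desktop tools. -->
<Image condition="end with">slack.exe</Image>
<PipeName condition="contains">booma\</PipeName>
<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
<Image condition="contains">qtsingleapp-enpass-</Image>
<PipeName condition="contains">Everything Service</PipeName>
<PipeName condition="contains">anchor_gui_agent</PipeName>
<!-- Lenovo, VMware, LTSvc, ScreenConnect, OpenVPN, Synaptics. -->
<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
<!-- Remote-control client; a substring match excludes it from any install path, which also means a renamed copy under a lookalike path is excluded too. -->
<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
<Image condition="contains">ScreenConnect.ClientService.exe</Image>
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
<Image condition="contains">C:\Program Files\Lenovo\</Image>
<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
<Image condition="contains">Graylog-collector-sidecar.exe</Image>
<!-- SmartGit and its bundled git. -->
<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
<PipeName condition="contains">Anonymous Pipe</PipeName>
<!-- FortiClient, Enpass, VMware clients. -->
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
<!-- Database engines and clients. -->
<PipeName condition="contains">SQLAnywhereLRM</PipeName>
<PipeName condition="contains">pgsignal</PipeName>
<Image condition="image">postgres.exe</Image>
<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName>
<PipeName condition="contains">TSVCPIPE-</PipeName>
<!-- Opaque identifier; its origin is not recorded in this file, confirm with the config owner. -->
<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
<PipeName condition="contains">SQLLocal</PipeName>
<PipeName condition="contains">DropboxPipe_</PipeName>
<!-- Licensing, line-of-business and accounting applications. -->
<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
<Image condition="is">C:\Pfx Engagement\WM\PfxEngagement.exe</Image>
<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
<Image condition="image">QBW32.EXE</Image>
<!-- Endpoint protection agents and Windows service hosts. -->
<Image condition="contains">\Trend Micro\OfficeScan</Image>
<Image condition="is">C:\Windows\system32\wbem\wmiprvse.exe</Image>
<Image condition="contains">\Sophos\Health</Image>
<Image condition="contains">\Sophos\Sophos Anti-Virus</Image>
<Image condition="is">C:\WINDOWS\system32\svchost.exe</Image>
<Image condition="is">C:\Windows\system32\WUDFHost.exe</Image>
<Image condition="contains">\Trend Micro\AOT</Image>
<Image condition="contains">\Trend Micro\iService</Image>
<Image condition="contains">\Trend Micro\Endpoint Basecamp</Image>
<Image condition="is">C:\Program Files\USSAgent\USSAgent\ProxyTray.exe</Image>
<Image condition="is">C:\Program Files\USSAgent\USSAgent\USSService.exe</Image>
</PipeEvent>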
<!-- Event IDs 19, 20 and 21 (WMI event filter, consumer and binding). An exclude block with no rules logs all of them. -->
<WmiEvent onmatch="exclude"/>
</EventFiltering>
</Sysmon>