-
ESET AV Module (ekrn.exe)
What is it with antivirus and weird DNS?
-
EndpointBasecamp.exe, RiskIndexCollector.exe
A little wmic enumeration
-
Teramind's dwm.exe
Nacho dwm
-
IBM's pcsnp.exe triggers SYSTEM cmd.exe
IBM's pcsnp.exe just...what
-
OpenVAS runs WMIExec
TFW the vuln scanner runs offensive tools.
-
SecurityHealthService.exe unprotects LSA
Who needs protection? Not LSA!
-
draw.io.exe
Nothing to see here
-
JetBrains binaries invoke WMI
JetBrains queries security tools.
-
IBM Storage Insights Data Collector
IBM creates WMI false positives
-
Cisco Jabber
Cisco enumerates your system.
-
Startupscan.dll
Windows being sus? Inconceivable!
-
CCM.exe (SCCM)
Windows Config Manager CCM.exe runs b64-encoded powershell.
-
LogMeIn and CScript
Who doesn't love CScript?
-
RingCentral.exe
How to look like malware, by RingCentral
-
Bloodhound.exe
Not the Bloodhound you're thinking of.
-
Noregon Fake Windows Components
Named after legitimate Windows binaries, in the wrong location.
-
Adobe Genuine Monitor Service
A little LSASS, as a treat.
-
Ivanti Endpoint Manager
Ivanti does some weird stuff
-
Snow Inventory Agent for Windows
Yet another PowerShell weirdo.
-
ArcGISPortal.exe
Not just bad guys run whoami.
-
McAfee Antivirus
McAfee also loves big DNS queries!
-
ESET Protection Suite
Everybody loves a big DNS query!
-
EaseUS spaceman.exe
EaseUS and bizarre Scheduled Tasks.
-
AvastSvc.exe
Avast scans your network on the sly.
-
SenseNdr.exe
SenseNDR base64 encoding
-
HostedAgent.exe
Whoami? HostedAgent, of course!
-
iManage Document Protection
Random file extensions from iManage
-
gc_worker.exe
Base64-encoded PowerShell from Azure's own agent!
-
explorer.exe
Guests are not invited to Everyone shares.
-
SenseIR.exe
How much can an EDR look like malware?
-
Nutanix Guest Tools
Yet another base64-loving process.
-
Nim Lang install binaries
The Nim language installer binaries in certain versions trigger Windows Defender.
-
Windows TCP Connections on High Ports
Windows uses random high service ports for a variety of functions.
-
Edge/Chromium Browsers
Bizarre sub-processes.
-
Windows Terminal
-
Network Detective Data Collector (nddc.exe)
WMIExec-ish NDDC
-
Adobe Reader (reader_sl.exe)
Adobe Reader, for no apparent reason, starts a subprocess with the command line "I run".