LoFP / legitimate administrator sets up autorun keys for legitimate reason

condition: main_selection and not 1 of filter_*
filter_IE:
  TargetObject|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
filter_chrome:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
filter_edge:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
filter_empty:
  Details: (Empty)
filter_image:
  Image:
  - C:\Windows\System32\poqexec.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_msoffice:
- TargetObject|contains:
  - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
  - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
- Details:
  - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
  - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
  - '{42089D2D-912D-4018-9087-2B87803E93FB}'
  - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
  - '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
main_selection:
  TargetObject|contains:
  - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
  - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
  - \SYSTEM\Setup\CmdLine
  - \Software\Microsoft\Ctf\LangBarAddin
  - \Software\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Classes\Protocols\Handler
  - \SOFTWARE\Classes\Protocols\Filter
  - \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
  - \Environment\UserInitMprLogonScript
  - \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
  - \Software\Microsoft\Internet Explorer\UrlSearchHooks
  - \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
  - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
  - \Control Panel\Desktop\Scrnsave.exe

condition: scripts_base and scripts and not filter
filter:
  Details: (Empty)
scripts:
  TargetObject|contains:
  - \Startup
  - \Shutdown
  - \Logon
  - \Logoff
scripts_base:
  TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts

condition: nt_current_version_base and nt_current_version and not 1 of filter_*
filter_edge:
  Image|endswith: \MicrosoftEdgeUpdate.exe
  Image|startswith: C:\Program Files (x86)\Microsoft\Temp\
filter_empty:
  Details: (Empty)
filter_legitimate_subkey:
  TargetObject|contains: \Image File Execution Options\
  TargetObject|endswith:
  - \DisableExceptionChainValidation
  - \MitigationOptions
filter_msoffice:
- TargetObject|contains:
  - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_ngen:
  Image|endswith: \ngen.exe
  Image|startswith: C:\Windows\Microsoft.NET\Framework
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
  Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
  Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update
    Binary
filter_security_extension_dc:
  Details:
  - DWORD (0x00000009)
  - DWORD (0x000003c0)
  Image: C:\Windows\system32\svchost.exe
  TargetObject|contains:
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
nt_current_version:
  TargetObject|contains:
  - \Winlogon\VmApplet
  - \Winlogon\Userinit
  - \Winlogon\Taskman
  - \Winlogon\Shell
  - \Winlogon\GpExtensions
  - \Winlogon\AppSetup
  - \Winlogon\AlternateShells\AvailableShells
  - \Windows\IconServiceLib
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Font Drivers
  - \Drivers32
  - \Windows\Run
  - \Windows\Load
nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion

condition: wow_classes_base and wow_classes and not filter
filter:
  Details: (Empty)
wow_classes:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\ShellEx\ColumnHandlers
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \AllFileSystemObjects\ShellEx\DragDropHandlers
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers
wow_classes_base:
  TargetObject|contains: \Software\Wow6432Node\Classes

condition: wow_nt_current_version_base and wow_nt_current_version and not filter
filter:
  Details:
  - (Empty)
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
    Options
wow_nt_current_version:
  TargetObject|contains:
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Drivers32
wow_nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion

condition: ie and ie_details and not 1 of filter_*
filter_empty:
  Details: (Empty)
filter_extensions:
  TargetObject|contains:
  - \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
  - \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  - \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
  - \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}
filter_toolbar:
  TargetObject|endswith:
  - \Toolbar\ShellBrowser\ITBar7Layout
  - \Toolbar\ShowDiscussionButton
  - \Toolbar\Locked
ie:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Internet Explorer
  - \Software\Microsoft\Internet Explorer
ie_details:
  TargetObject|contains:
  - \Toolbar
  - \Extensions
  - \Explorer Bars

condition: session_manager_base and session_manager and not filter
filter:
  Details: (Empty)
session_manager:
  TargetObject|contains:
  - \SetupExecute
  - \S0InitialCommand
  - \KnownDlls
  - \Execute
  - \BootExecute
  - \AppCertDlls
session_manager_base:
  TargetObject|contains: \System\CurrentControlSet\Control\Session Manager

condition: all of system_control_* and not 1 of filter_*
filter_cutepdf:
  Details:
  - cpwmon64_v40.dll
  - CutePDF Writer
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor
filter_empty:
  Details: (Empty)
filter_onenote:
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
  User|contains:
  - AUTHORI
  - AUTORI
filter_poqexec:
  Image: C:\Windows\System32\poqexec.exe
  TargetObject|endswith: \NetworkProvider\Order\ProviderOrder
filter_realvnc:
  Details: VNCpm.dll
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|endswith: \Print\Monitors\MONVNC\Driver
system_control_base:
  TargetObject|contains: \SYSTEM\CurrentControlSet\Control
system_control_keys:
  TargetObject|contains:
  - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
  - \Terminal Server\Wds\rdpwd\StartupPrograms
  - \SecurityProviders\SecurityProviders
  - \SafeBoot\AlternateShell
  - \Print\Providers
  - \Print\Monitors
  - \NetworkProvider\Order
  - \Lsa\Notification Packages
  - \Lsa\Authentication Packages
  - \BootVerificationProgram\ImagePath

condition: office and office_details and not 1 of filter_*
filter_avg:
  Image: C:\Program Files\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
filter_empty:
  Details: (Empty)
filter_known_addins:
  Image|startswith:
  - C:\Program Files\Microsoft Office\
  - C:\Program Files (x86)\Microsoft Office\
  - C:\Windows\System32\msiexec.exe
  - C:\Windows\System32\regsvr32.exe
  TargetObject|contains:
  - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\
  - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\
  - \Excel\Addins\NativeShim\
  - \Excel\Addins\NativeShim.InquireConnector.1\
  - \Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\
  - \Outlook\AddIns\AccessAddin.DC\
  - \Outlook\AddIns\ColleagueImport.ColleagueImportAddin\
  - \Outlook\AddIns\EvernoteCC.EvernoteContactConnector\
  - \Outlook\AddIns\EvernoteOLRD.Connect\
  - \Outlook\Addins\Microsoft.VbaAddinForOutlook.1\
  - \Outlook\Addins\OcOffice.OcForms\
  - \Outlook\Addins\\OneNote.OutlookAddin
  - \Outlook\Addins\OscAddin.Connect\
  - \Outlook\Addins\OutlookChangeNotifier.Connect\
  - \Outlook\Addins\UCAddin.LyncAddin.1
  - \Outlook\Addins\UCAddin.UCAddin.1
  - \Outlook\Addins\UmOutlookAddin.FormRegionAddin\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
office:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Office
  - \Software\Microsoft\Office
office_details:
  TargetObject|contains:
  - \Word\Addins
  - \PowerPoint\Addins
  - \Outlook\Addins
  - \Onenote\Addins
  - \Excel\Addins
  - \Access\Addins
  - test\Special\Perf

condition: all of selection_wow_current_version_* and not 1 of filter_*
filter_dotnet:
  Details|endswith: .exe" /burn.runonce
  Details|startswith: '"C:\ProgramData\Package Cache\'
  Image|contains: \windowsdesktop-runtime-
  TargetObject|endswith:
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}
filter_dropbox:
- Details|endswith: -A251-47B7-93E1-CDD82E34AF8B}
- Details: grpconv -o
- Details|contains|all:
  - C:\Program Files
  - \Dropbox\Client\Dropbox.exe
  - ' /systemstartup'
filter_edge:
  Image|contains|all:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{
  - \setup.exe
filter_empty:
  Details: (Empty)
filter_evernote:
  TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
filter_ms_win_desktop_runtime:
  Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
filter_msiexec:
  Image: C:\WINDOWS\system32\msiexec.exe
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
filter_msoffice1:
  Image: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  TargetObject|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\
filter_msoffice2:
  Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
  TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
  TargetObject|contains: \Explorer\Browser Helper Objects
filter_upgrades:
  Details|endswith: ' /burn.runonce'
  Image|contains:
  - \winsdksetup.exe
  - \windowsdesktop-runtime-
  - \AspNetCoreSharedFrameworkBundle-
  Image|startswith:
  - C:\ProgramData\Package Cache
  - C:\Windows\Temp\
filter_vcredist:
  Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
  Image|endswith: \VC_redist.x64.exe
selection_wow_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
selection_wow_current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects

condition: all of current_version_* and not 1 of filter_*
current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Policies\System\Shell
  - \Policies\Explorer\Run
  - \Group Policy\Scripts\Startup
  - \Group Policy\Scripts\Shutdown
  - \Group Policy\Scripts\Logon
  - \Group Policy\Scripts\Logoff
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects
  - \Authentication\PLAP Providers
  - \Authentication\Credential Providers
  - \Authentication\Credential Provider Filters
filter_AVG:
  Details:
  - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
  - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
  - '{472083B0-C522-11CF-8763-00608CC02F24}'
  Image|startswith: C:\Program Files\AVG\Antivirus\Setup\
filter_all:
- Details: (Empty)
- TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
- Image|endswith:
  - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  - \AppData\Roaming\Spotify\Spotify.exe
  - \AppData\Local\WebEx\WebexHost.exe
- Image:
  - C:\WINDOWS\system32\devicecensus.exe
  - C:\Windows\system32\winsat.exe
  - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
  - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  - C:\Program Files\Everything\Everything.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_aurora_dashboard:
  Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe
  Image|endswith:
  - \aurora-agent-64.exe
  - \aurora-agent.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard
filter_ctfmon:
  Details: ctfmon.exe /n
  Image: C:\Windows\system32\userinit.exe
filter_defender:
  Image: C:\Program Files\Windows Defender\MsMpEng.exe
filter_dropbox:
  Details|endswith: A251-47B7-93E1-CDD82E34AF8B}
  Image: C:\Windows\system32\regsvr32.exe
  TargetObject|contains: DropboxExt
filter_edge:
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
  - C:\Program Files (x86)\Microsoft\EdgeWebView\
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
filter_everything:
  Details|endswith: \Everything\Everything.exe" -startup
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
filter_googledrive1:
  Details|contains: \GoogleDriveFS.exe
  Details|startswith: C:\Program Files\Google\Drive File Stream\
  TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS
filter_googledrive2:
  Details:
  - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
  - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
  - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
  - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
  TargetObject|contains: GoogleDrive
filter_greenshot:
  Details: C:\Program Files\Greenshot\Greenshot.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot
filter_itunes:
  Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
filter_logonui:
  Image: C:\Windows\system32\LogonUI.exe
  TargetObject|contains:
  - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\
  - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\
  - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\
  - \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|contains: \AppData\Local\Microsoft\OneDrive\
  Details|startswith:
  - C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\
  - C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
filter_opera:
  Details: C:\Program Files\Opera\assistant\browser_assistant.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser
    Assistant
filter_python:
  Details|contains|all:
  - \AppData\Local\Package Cache\{
  - '}\python-'
  Details|endswith: .exe" /burn.runonce
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{
filter_teams:
  Details|contains: '\Microsoft\Teams\Update.exe --processStart '
  Image|endswith: \Microsoft\Teams\current\Teams.exe
filter_zoom:
  Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair

condition: all of selection_* and not 1 of filter_*
filter_drivers:
  Image: C:\Windows\System32\drvinst.exe
filter_empty:
  Details: (Empty)
filter_msoffice:
  Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_svchost:
  Image: C:\Windows\System32\svchost.exe
  TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\
selection_classes_base:
  TargetObject|contains: \Software\Classes
selection_classes_target:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\Shellex\ColumnHandlers
  - \Filter
  - \Exefile\Shell\Open\Command\(Default)
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
  - \.exe
  - \.cmd
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers

condition: winsock_parameters_base and winsock_parameters and not filter
filter:
- Details: (Empty)
- Image: C:\Windows\System32\MsiExec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
winsock_parameters:
  TargetObject|contains:
  - \Protocol_Catalog9\Catalog_Entries
  - \NameSpace_Catalog5\Catalog_Entries
winsock_parameters_base:
  TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters