select * from arp_cache;

select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');

select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';

select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');

select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');

SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, \\
        processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, \\
        processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, \\
        (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline \\
        FROM processes JOIN process_open_sockets USING (pid) \\
        LEFT OUTER JOIN process_open_files \\
        ON processes.pid = process_open_files.pid \\
        WHERE (name='sh' OR name='bash') \\
        AND process_open_files.pid IS NULL;

SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='gjknjjomckknofjidppipffbpoekiipm';

select * from launchd where name = 'com.BT.BPK.plist';

select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');