It'd be an interesting improvement if Process Explorer could automatically use a low-level driver to create hashes from the executable sections of processes and submit those to VirusTotal, and, if unknown, then submit the executable sections themselves, because why would the attacker drop anything on disk if there's a hole in the server they can get back in through later? This needs to be done in a way that leaves the attacker no way to detect that this executable-section hashing is being performed. This could be done by having the section hashing/capture run in vPro/SMBIOS, with a direct connection from there to a network or storage device that is not visible to Windows, so that this auditing can be completely isolated. Process Explorer can then run on another computer or VM and connect to the low-level capture to get a view of the processes and hashes that can't be manipulated, and the attacker won't be able to know it is running on the system.
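The section hashing the post proposes, as an added example that is not part of the original post or of Process Explorer: given a process image as it sits in memory (the kind of buffer a driver or an out-of-band monitor would read), walk the PE section table, hash only the sections flagged IMAGE_SCN_MEM_EXECUTE, and produce the VirusTotal v3 file-report URL for each hash. The PE32+ image built here is a constructed sample with one code and one data section, not a real binary; `build_demo_image`, `executable_section_hashes` and `virustotal_lookup_url` are names chosen for this example, and no request is actually sent.

```python
"""Hash the executable sections of a mapped PE image (added example)."""
import hashlib
import struct

# Section characteristics from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

# Constructed sample contents: x86-64 "mov eax, 0x2A ; ret" and a data string.
DEMO_CODE = bytes.fromhex("b82a000000c3")
DEMO_DATA = b"hello from .data\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_demo_image() -> bytes:
    """Build a minimal PE32+ image laid out the way the loader maps it
    (sections at their VirtualAddress). Constructed sample, not a real file."""
    e_lfanew = 0x80
    size_of_optional = 240  # PE32+ optional header size
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4,
                     0x8664, 2, 0, 0, 0, size_of_optional, 0x0022)
    struct.pack_into("<H", image, e_lfanew + 24, 0x20B)  # PE32+ magic
    sections_off = e_lfanew + 24 + size_of_optional
    headers = [
        (b".text", len(DEMO_CODE), 0x1000, 0x200, 0x400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", len(DEMO_DATA), 0x2000, 0x200, 0x600,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(headers):
        struct.pack_into(SECTION_HEADER_FMT, image,
                         sections_off + i * SECTION_HEADER_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    image[0x1000:0x1000 + len(DEMO_CODE)] = DEMO_CODE
    image[0x2000:0x2000 + len(DEMO_DATA)] = DEMO_DATA
    return bytes(image)


def executable_section_hashes(image: bytes) -> dict:
    """Return {section_name: sha256} for every section with IMAGE_SCN_MEM_EXECUTE
    set, reading each section's bytes from its mapped (virtual) address."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (size_of_optional,) = struct.unpack_from("<H", image, e_lfanew + 20)
    sections_off = e_lfanew + 24 + size_of_optional
    hashes = {}
    for i in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, image, sections_off + i * SECTION_HEADER_SIZE)
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue  # data, resources, relocations: not what we care about
        length = vsize or rawsize
        if va + length > len(image):
            raise ValueError(f"section {name!r} runs past the end of the image")
        label = name.rstrip(b"\0").decode("ascii", "replace")
        hashes[label] = sha256_hex(image[va:va + length])
    return hashes


def virustotal_lookup_url(sha256: str) -> str:
    """VirusTotal API v3 file-report endpoint for a hash (caller supplies the
    x-apikey header). Nothing is sent from this example."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


if __name__ == "__main__":
    baseline = build_demo_image()
    print("baseline:", executable_section_hashes(baseline))
    # Simulate an in-memory patch of the code section: no file changes on disk,
    # but the executable-section hash does.
    patched = bytearray(baseline)
    patched[0x1000] ^= 0xFF
    print("patched: ", executable_section_hashes(bytes(patched)))
    for h in executable_section_hashes(baseline).values():
        print(virustotal_lookup_url(h))
```

One caveat worth keeping in mind if you try this against real processes: the bytes of a mapped `.text` section are not identical to the on-disk section, because the loader applies base relocations and some code is patched at runtime, so the same binary can hash differently across processes and reboots. A usable implementation would either hash with relocation targets masked out or compare against the on-disk section after applying the same relocations, otherwise nearly every hash will come back "unknown".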