SHA256: 1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
Date Analysed: Mar 29, 2021
File type: Win32 executable
Version: 4.0.3
Environment: Windows 7 64-bit Operating System

Network

HTTP conversation

  • DNS Resolutions

    • t1.cloudshielding.xyz
      • ["195.181.169.92", "195.181.169.92"]

    • fetch.nerdprotect.xyz
      • ["195.181.169.92", "195.181.169.92"]

    • a1961.g2.akamai.net
      • ["23.205.118.154", "23.205.118.16"]

    • time.microsoft.akadns.net
      • ["40.81.94.65"]

    • proxy.netbounce.net
      • ["195.181.164.195", "195.181.164.195"]

    • g.capboost.xyz
      • ["195.181.169.92"]

    • m1.uptime66.com
      • ["195.181.164.212", "195.181.164.212", "195.181.164.212"]

    • shopfun.top
      • ["172.67.128.174", "104.21.2.38", "172.67.128.174", "104.21.2.38"]

    • www.msftncsi.com
      • []

    • goQXflQiDKBwjCTFfnflSzU.goQXflQiDKBwjCTFfnflSzU
      • []

    • fetch.saleclutch.xyz
      • ["195.181.169.92"]

    • srv2.checkblanco.xyz
      • ["195.181.169.92"]

    • teredo.ipv6.microsoft.com
      • []

    • time.windows.com
      • []

  • IP Traffic

    • UDP

      • 239.255.255.250:3702
        224.0.0.252:5355
        224.0.0.251:5353
        255.255.255.255:67
        40.81.94.65:123
        239.255.255.250:1900
        255.255.255.255:68

    • TCP

      • 195.181.164.195:9000
        195.181.169.92:80
        23.205.118.154:80
        159.89.171.243:80
        195.181.164.212:443
        172.67.128.174:80
        195.181.169.92:443

    • IGMP

      • 224.0.0.22:0
        224.0.0.1:0

  • Files Dropped

    • 106c3cf938688e1d4e24480182d79ae969687e46d2b44d519f5b43dd90f9eecd
      • application/x-dosexec

    • 6137f8db2192e638e13610f75e73b9247c05f4706f0afd1fdb132d86de6b4012
      • text/plain

    • 64cb3cc325655ba7a7e955c6f6c39dd4ef2a237e6605dd4d11e63c5bc387edd9
      • text/xml

    • 71e9538820b12b60ce88608c9f7da7072fc93836269d16a332fc196550ef6679
      • text/html

    • 220e22217eda89a5f0fd7a39a7da2a8abc7f88eee8856c6540c8fe4e6dfd5928
      • text/xml

    • 2f1d25b8a95247a563512983c3686346aa3e3911ff5da98a6eed799067a3dd62
      • text/xml

    • 75220584fa1576a69af7ee4c9ec0e0ba2fab24e75b122be3086422f7cd3e3acb
      • application/x-dosexec

    • 291cd644d26e99352bfdf5c87772859bf2c15c801ea4541a10d1ba3fb8690752
      • text/xml

    • 036b02cc8e48e615e9c498b60f2505bf36db7afb5e5f057eab609aae4d0243ae
      • text/xml

    • 2ceeca59ccd8705cf5c133fbc43d48eb17ee488d954f249196d051baedd62dc3
      • application/x-dosexec

    • 05765e9a5cee5af6f5b1ca383427314bc82c4c5a2e8d3579db2bbfbe8542d3e4
      • text/plain

    • e3507a5019fad5b9f83252c492ad21f84f88523cc7650253a9ff7e15024296c5
      • text/xml

    • 7298da0916328fffc3ccfc34982b56b4fe5853f7ca814f827b8c536bf4640304
      • text/xml

    • 03f51bec889449243b6705a7c346183de64326cb8ddd52ccfc6e48a98a45ebab
      • application/x-dosexec

  • ja3

    • d0ee3237a14bbd89ca4d2b5356ab20ba

      • client_hello_pkt
        • 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

      • destination_ip
        • 195.181.164.212

      • httpsDomain
        • m1.uptime66.com

      • timestamp
        • 1617012626.13

      • destination_port
        • 443

      • ja3
        • 771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10-4865-4867-4866,0-5-10-11-13-65281-16-18-43-51,29-23-24-25,0
  • Process


  • Files Accessed

    • C:\WINDOWS\SYSTEM32\WOW64.DLL
      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
      C:\WINDOWS\SYSWOW64\SECHOST.DLL
      C:\WINDOWS\SYSWOW64\VERSION.DLL
      C:\WINDOWS\SYSWOW64\MSIMG32.DLL
      C:\WINDOWS\SYSWOW64\IMM32.DLL
      C:\WINDOWS\SYSWOW64\NTDLL.DLL
      C:\WINDOWS\SYSWOW64\KERNEL32.DLL
      C:\MALWARE\1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE
      C:\WINDOWS\SYSWOW64\APPHELP.DLL
      C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
      C:\WINDOWS\SYSWOW64\WINMM.DLL
      C:\WINDOWS\SYSWOW64\WS2_32.DLL
      C:\WINDOWS\SYSWOW64\POWRPROF.DLL
      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
      C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
      C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
      C:\WINDOWS\SYSWOW64\WSHIP6.DLL
      C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
      C:\WINDOWS\SYSWOW64\WSHQOS.DLL
      C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
      C:\WINDOWS\SYSWOW64\CMD.EXE
      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
      C:\WINDOWS\SYSWOW64\WINBRAND.DLL
      C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
      C:\WINDOWS\SYSWOW64\WBEM
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
      C:\WINDOWS\SYSWOW64\ATL.DLL
      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
      C:\WINDOWS\REGISTRATION\R000000000006.CLB
      C:\WINDOWS\SYSWOW64\SHELL32.DLL
      C:\WINDOWS\SYSWOW64\USERENV.DLL
      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
      C:\WINDOWS\WINDOWSSHELL.MANIFEST
      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
      C:\USERS\DESKTOP.INI
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
      C:\USERS\PUBLIC\DESKTOP.INI
      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
      C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
      C:\WINDOWS\SYSWOW64\WER.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
      C:\WINDOWS\SYSWOW64\SLC.DLL
      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
      C:\WINDOWS\HH.EXE
      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
      C:\WINDOWS\SYSWOW64\RSAENH.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\94IYE447TS3OVIVOFHLI.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\JGRNUS9P3WSM6KU1PKW0.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA784.TMP
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\PSKUL7GJMAB0ONUO017P.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA7B3.TMP
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\8XSEURBKIJZ9I1OAGOAD.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA811.TMP
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\MCCJNPLYDM9988TJ2P7M.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA83F.TMP
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
      C:\WINDOWS\SYSWOW64\L_INTL.NLS
      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\FYOMWUZS8SQ46UF07U26.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAA90.TMP
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NDYVXIRAZ4AR0EDNYDHZ.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFABC8.TMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\YFUSY1A214O5F6MY47ER.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAC07.TMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\BH8GG2G5KLF6CI9IF3JV.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFADDB.TMP
      C:\WINDOWS\SYSWOW64\TZRES.DLL
      C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
      C:\WINDOWS\SYSWOW64\SECUR32.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
      C:\WINDOWS\SYSWOW64\DNSAPI.DLL
      C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
      C:\WINDOWS\SYSWOW64\WINNSI.DLL
      C:\PROGRAM FILES\NODEJS
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\TVJQ15YNJB5LU4FF3EIW.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFB643.TMP
      C:\WINDOWS\SYSWOW64\RASADHLP.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\5EWXH2EKYNLALY8QH70N.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBC3C.TMP
      C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NKPN2J4M4SBW90ICH9PK.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBD26.TMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\KH0WBVPYPHJZ5WJ8Y4IX.TEMP
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBDD2.TMP
      C:\WINDOWS\SYSWOW64\NETUTILS.DLL
      C:\WINDOWS\SYSWOW64\CRYPT32.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CERTIFICATES
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CRLS
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CTLS
      C:\WINDOWS\SYSWOW64\GPAPI.DLL
      C:\WINDOWS\SYSWOW64\EN-US\CRYPT32.DLL.MUI
      C:\WINDOWS\SYSWOW64\NCRYPT.DLL
      C:\WINDOWS\SYSWOW64\BCRYPT.DLL
      C:\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\UPDATE-ASSETS.ZIP
      C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE
      C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
      C:\WINDOWS\SYSWOW64\DWMAPI.DLL
      C:\WINDOWS\FONTS\STATICCACHE.DAT
      C:\WINDOWS\SYSWOW64\OLE32.DLL
      C:\WINDOWS\SYSWOW64\EN-US\MSCTF.DLL.MUI
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\AVRAI.VSS
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\ORA.VSS
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\VENIR.VSS
      C:\WINDOWS\SYSWOW64\IEFRAME.DLL
      C:\WINDOWS\SYSWOW64\OLEACC.DLL
      C:\WINDOWS\SYSWOW64\OLEACCRC.DLL
      C:\WINDOWS\SYSWOW64\EN-US\PROPSYS.DLL.MUI
      C:\WINDOWS\SYSWOW64\AT.EXE
      C:\WINDOWS\SYSWOW64\SCHEDCLI.DLL
      C:\WINDOWS\SYSWOW64\EN-US\AT.EXE.MUI
      C:\WINDOWS\SYSWOW64\NETMSG.DLL
      C:\WINDOWS\SYSWOW64\CREDSSP.DLL
      C:\WINDOWS\SYSWOW64\MSV1_0.DLL
      C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL
      C:\WINDOWS\SYSWOW64\EN-US\NETMSG.DLL.MUI
      C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
      C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\KARA.EXE
      C:\WINDOWS\SYSWOW64\NTVDM64.DLL
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALBAS#\08D608378AA405ADC844F3CF36974B8C\MICROSOFT.VISUALBASIC.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.VISUALBASIC\8.0.0.0__B03F5F7F11D50A3A
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DRAWING\DBFE8642A8ED7B2B103AD28E0C96418A\SYSTEM.DRAWING.NI.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WINDOWS.FORMS\3AFCD5168C7A6CB02EAB99D7FD71E102\SYSTEM.WINDOWS.FORMS.NI.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.WINDOWS.FORMS\2.0.0.0__B77A5C561934E089
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DRAWING\2.0.0.0__B03F5F7F11D50A3A
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE
      C:\WINDOWS\SYSWOW64\NETAPI32.DLL
      C:\WINDOWS\SYSWOW64\WKSCLI.DLL
      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATION\BC09AD2D49D8535371845CD7532F9271\SYSTEM.CONFIGURATION.NI.DLL
      C:\WINDOWS\SYSWOW64\DSROLE.DLL
      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION\2.0.0.0__B03F5F7F11D50A3A
      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\JHUIMME.EXE
      C:\WINDOWS\SYSWOW64\WININET.DLL
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT
      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
      C:\WINDOWS\SYSWOW64\RASAPI32.DLL
      C:\WINDOWS\SYSWOW64\RASMAN.DLL
      C:\WINDOWS\SYSWOW64\RTUTILS.DLL
      C:\WINDOWS\SYSWOW64\SENSAPI.DLL
      C:\WINDOWS\SYSWOW64\NLAAPI.DLL
      C:\WINDOWS\SYSWOW64\NAPINSP.DLL
      C:\WINDOWS\SYSWOW64\PNRPNSP.DLL
      C:\WINDOWS\SYSWOW64\WINRNR.DLL
      C:\WINDOWS\SYSWOW64\NETPROFM.DLL
      C:\WINDOWS\SYSWOW64\RPCRTREMOTE.DLL
      C:\WINDOWS\SYSWOW64\NPMPROXY.DLL
      C:\WINDOWS\SYSWOW64\DHCPCSVC.DLL
      C:\WINDOWS\SYSWOW64\DHCPCSVC6.DLL
      C:\WINDOWS\SYSTEM32\IMM32.DLL
      C:\WINDOWS\SYSTEM32\RPCSS.DLL
      C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
      C:\WINDOWS\SYSTEM32\UXTHEME.DLL
      C:\WINDOWS\SYSTEM32\SECHOST.DLL
      C:\WINDOWS\SYSTEM32\AUTHUI.DLL
      C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
      C:\WINDOWS\SYSTEM32\DUI70.DLL
      C:\WINDOWS\SYSTEM32\DUSER.DLL
      C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
      C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
      C:\WINDOWS\SYSTEM32\HID.DLL
      C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
      C:\WINDOWS\SYSTEM32\PROPSYS.DLL
      C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
      C:\WINDOWS\SYSTEM32\DWMAPI.DLL
      C:\WINDOWS\SYSTEM32\XMLLITE.DLL
      C:\WINDOWS\SYSTEM32\IMAGERES.DLL
      C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
      C:\WINDOWS\SYSTEM32\WINBRAND.DLL
      C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
      C:\WINDOWS\SYSTEM32\WINSTA.DLL
      C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
      C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
      C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
      C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
      C:\WINDOWS\SYSTEM32\SECUR32.DLL
      C:\WINDOWS\SYSTEM32\SSPICLI.DLL
      C:\WINDOWS\SYSTEM32\WINBIO.DLL
      C:\WINDOWS\SYSTEM32\CREDUI.DLL
      C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
      C:\WINDOWS\SYSTEM32\NETAPI32.DLL
      C:\WINDOWS\SYSTEM32\NETUTILS.DLL
      C:\WINDOWS\SYSTEM32\SRVCLI.DLL
      C:\WINDOWS\SYSTEM32\WKSCLI.DLL
      C:\WINDOWS\SYSTEM32\SAMCLI.DLL
      C:\WINDOWS\WIN.INI
      C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
      C:\WINDOWS\SYSTEM32\RASPLAP.DLL
      C:\WINDOWS\SYSTEM32\RASAPI32.DLL
      C:\WINDOWS\SYSTEM32\RASMAN.DLL
      C:\WINDOWS\SYSTEM32\RTUTILS.DLL
      C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
      C:\WINDOWS\SYSTEM32\RSAENH.DLL
      C:\WINDOWS\SYSTEM32\INPUT.DLL
      C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
      C:\WINDOWS\IME\SPTIP.DLL
      C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
      C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
      C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
      C:\WINDOWS\SYSTEM32\OLEACC.DLL
      C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
      C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
      C:\WINDOWS\SYSTEM32\SXS.DLL
      C:\WINDOWS\SYSTEM32\EN-US\IMAGERES.DLL.MUI
      C:\WINDOWS\SYSTEM32\TQUERY.DLL
      C:\WINDOWS\SYSTEM32\MSSHOOKS.DLL
      C:\WINDOWS\SYSTEM32\MSCOREE.DLL
      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSCOREEI.DLL
      C:\WINDOWS\SYSTEM32\MSSPRXY.DLL
      C:\WINDOWS\SYSTEM32\EN-US\RUNDLL32.EXE.MUI
      C:\WINDOWS\SYSTEM32\DFDTS.DLL
      C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
      C:\WINDOWS\SYSTEM32\WDI.DLL

  • Process Created

    • PUBLICGAMING'"

      • Time offset
        • ["1.690616", "1.439804"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"

      • Time offset
        • ["1.690616"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"

      • Time offset
        • ["1.476406"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"

      • Time offset
        • ["1.973024"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"

      • Time offset
        • ["1.571611"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"

      • Time offset
        • ["2.583254"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"

      • Time offset
        • ["2.040827"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"

      • Time offset
        • ["2.722261"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"

      • Time offset
        • ["2.32324"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"

      • Time offset
        • ["4.239349"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"

      • Time offset
        • ["2.589254"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"

      • Time offset
        • ["4.709959"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"

      • Time offset
        • ["4.383156"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"

      • Time offset
        • ["5.300186"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"

      • Time offset
        • ["4.726957"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"

      • Time offset
        • ["5.908586"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"

      • Time offset
        • ["5.502985"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"

      • Time offset
        • ["6.329786"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"

      • Time offset
        • ["6.158186"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"

      • Time offset
        • ["6.485786"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"

      • Time offset
        • ["6.345386"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"

      • Time offset
        • ["6.438987"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"

      • Time offset
        • ["6.360986"]

    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"

      • Time offset
        • ["6.485786"]

    • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"

      • Time offset
        • ["6.392187"]

    • APPSETUP.EXE"

      • Time offset
        • ["48.065084"]

    • AT.EXE"

      • Time offset
        • ["72.834743"]

    • CMD.EXE

      • Time offset
        • ["72.975143"]

    • CMD.EXE < FIMO.VSS

      • Time offset
        • ["72.928343"]

    • P3.EXE

      • Time offset
        • ["72.382341"]

    • SVCHOST.EXE

      • Time offset
        • ["110.74621"]

    • 1.EXE

      • Time offset
        • ["110.527811"]

    • PRUN.EXE"

      • Time offset
        • ["49.940695", "48.153887"]

    • "C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"

      • Time offset
        • ["1.232401", "0.0"]

  • Process Tree

    • 412

      • Image path
        • "C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"

      • Time lapse
        • 0.0

      • Files Accessed

        • C:\WINDOWS\SYSTEM32\WOW64.DLL
          C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
          C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
          C:\WINDOWS\SYSWOW64\SECHOST.DLL
          C:\WINDOWS\SYSWOW64\VERSION.DLL
          C:\WINDOWS\SYSWOW64\MSIMG32.DLL
          C:\WINDOWS\SYSWOW64\IMM32.DLL
          C:\WINDOWS\SYSWOW64\NTDLL.DLL
          C:\WINDOWS\SYSWOW64\KERNEL32.DLL
          C:\MALWARE\1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE
          C:\WINDOWS\SYSWOW64\APPHELP.DLL

      • Process children

        • 2200

          • Image path
            • "C:/MALWARE/1BCEB4E84115EABB8BF3DF704B5CC014834CA08B126451AE95D60A968E66D666.EXE"

          • Time lapse
            • 1.232401

          • Files Accessed

            • C:\WINDOWS\SYSTEM32\WOW64.DLL
              C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
              C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
              C:\WINDOWS\SYSWOW64\SECHOST.DLL
              C:\WINDOWS\SYSWOW64\IMM32.DLL
              C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
              C:\WINDOWS\SYSWOW64\NTDLL.DLL
              C:\WINDOWS\SYSWOW64\WINMM.DLL
              C:\WINDOWS\SYSWOW64\WS2_32.DLL
              C:\WINDOWS\SYSWOW64\POWRPROF.DLL
              C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
              C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
              C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
              C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
              C:\WINDOWS\SYSWOW64\WSHIP6.DLL
              C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
              C:\WINDOWS\SYSWOW64\WSHQOS.DLL
              C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
              C:\WINDOWS\SYSWOW64\CMD.EXE
              C:\WINDOWS\SYSWOW64\APPHELP.DLL
              C:\WINDOWS\APPPATCH\SYSMAIN.SDB
              C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
              C:\WINDOWS\SYSWOW64\DNSAPI.DLL
              C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
              C:\WINDOWS\SYSWOW64\WINNSI.DLL
              C:\WINDOWS\SYSWOW64\RASADHLP.DLL
              C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
              C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
              C:\WINDOWS\SYSWOW64\RSAENH.DLL
              C:\WINDOWS\SYSWOW64\CRYPT32.DLL
              C:\WINDOWS\SYSWOW64\USERENV.DLL
              C:\WINDOWS\SYSWOW64\PROFAPI.DLL
              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CERTIFICATES
              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CRLS
              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\MY\CTLS
              C:\WINDOWS\SYSWOW64\GPAPI.DLL
              C:\WINDOWS\SYSWOW64\EN-US\CRYPT32.DLL.MUI
              C:\WINDOWS\SYSWOW64\NCRYPT.DLL
              C:\WINDOWS\SYSWOW64\BCRYPT.DLL
              C:\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
              C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\UPDATE-ASSETS.ZIP
              C:\WINDOWS\SYSWOW64\KERNEL32.DLL
              C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE
              C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE

          • Process children

            • 2268

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPATH 'C:\PROGRAM FILES (X86)\PUBLICGAMING'"

              • Time lapse
                • 1.439804

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 1220

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPATH 'C:\PROGRAM FILES (X86)\PUBLICGAMING'"

                  • Time lapse
                    • 1.690616

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\MCCJNPLYDM9988TJ2P7M.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA83F.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 1968

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"

              • Time lapse
                • 1.476406

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                  C:\WINDOWS\SYSTEM32\IMM32.DLL
                  C:\WINDOWS\SYSTEM32\EN-US\RUNDLL32.EXE.MUI
                  C:\WINDOWS\SYSTEM32\DFDTS.DLL
                  C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
                  C:\WINDOWS\SYSTEM32\SECHOST.DLL
                  C:\WINDOWS\SYSTEM32\WDI.DLL
                  C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI

              • Process children

                • 2576

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'"

                  • Time lapse
                    • 1.690616

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\JGRNUS9P3WSM6KU1PKW0.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA784.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 1184

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"

              • Time lapse
                • 1.571611

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 2796

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'"

                  • Time lapse
                    • 1.973024

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\94IYE447TS3OVIVOFHLI.TEMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 1596

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"

              • Time lapse
                • 2.040827

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 1976

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'"

                  • Time lapse
                    • 2.583254

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\GAMEUX.DLL.MUI
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\8XSEURBKIJZ9I1OAGOAD.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA811.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 2300

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"

              • Time lapse
                • 2.32324

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3080

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'"

                  • Time lapse
                    • 2.722261

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\PSKUL7GJMAB0ONUO017P.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFA7B3.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 2272

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"

              • Time lapse
                • 2.589254

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                  C:\WINDOWS\SYSTEM32\SECHOST.DLL
                  C:\WINDOWS\SYSTEM32\TQUERY.DLL
                  C:\WINDOWS\SYSTEM32\MSSHOOKS.DLL
                  C:\WINDOWS\SYSTEM32\MSCOREE.DLL
                  C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSCOREEI.DLL
                  C:\WINDOWS\SYSTEM32\RPCSS.DLL
                  C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
                  C:\WINDOWS\REGISTRATION\R000000000006.CLB
                  C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
                  C:\WINDOWS\SYSTEM32\RSAENH.DLL
                  C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
                  C:\WINDOWS\SYSTEM32\MSSPRXY.DLL

              • Process children

                • 3164

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'"

                  • Time lapse
                    • 4.239349

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\FYOMWUZS8SQ46UF07U26.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAA90.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3188

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"

              • Time lapse
                • 4.383156

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3208

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'"

                  • Time lapse
                    • 4.709959

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NDYVXIRAZ4AR0EDNYDHZ.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFABC8.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3200

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"

              • Time lapse
                • 4.726957

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3240

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'"

                  • Time lapse
                    • 5.300186

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\YFUSY1A214O5F6MY47ER.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFAC07.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3256

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"

              • Time lapse
                • 5.502985

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3296

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'"

                  • Time lapse
                    • 5.908586

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\BH8GG2G5KLF6CI9IF3JV.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFADDB.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3324

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"

              • Time lapse
                • 6.158186

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3360

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'"

                  • Time lapse
                    • 6.329786

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\TVJQ15YNJB5LU4FF3EIW.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFB643.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL
                      C:\WINDOWS\SYSTEM32\IMM32.DLL
                      C:\WINDOWS\SYSTEM32\RPCSS.DLL
                      C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
                      C:\WINDOWS\SYSTEM32\UXTHEME.DLL
                      C:\WINDOWS\SYSTEM32\SECHOST.DLL
                      C:\WINDOWS\SYSTEM32\AUTHUI.DLL
                      C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
                      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
                      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
                      C:\WINDOWS\SYSTEM32\DUI70.DLL
                      C:\WINDOWS\SYSTEM32\DUSER.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
                      C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
                      C:\WINDOWS\SYSTEM32\HID.DLL
                      C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
                      C:\WINDOWS\SYSTEM32\PROPSYS.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSTEM32\DWMAPI.DLL
                      C:\WINDOWS\SYSTEM32\XMLLITE.DLL
                      C:\WINDOWS\SYSTEM32\IMAGERES.DLL
                      C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
                      C:\WINDOWS\SYSTEM32\WINBRAND.DLL
                      C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
                      C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
                      C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
                      C:\WINDOWS\SYSTEM32\WINSTA.DLL
                      C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
                      C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
                      C:\WINDOWS\SYSTEM32\SECUR32.DLL
                      C:\WINDOWS\SYSTEM32\SSPICLI.DLL
                      C:\WINDOWS\SYSTEM32\WINBIO.DLL
                      C:\WINDOWS\SYSTEM32\CREDUI.DLL
                      C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
                      C:\WINDOWS\SYSTEM32\NETAPI32.DLL
                      C:\WINDOWS\SYSTEM32\NETUTILS.DLL
                      C:\WINDOWS\SYSTEM32\SRVCLI.DLL
                      C:\WINDOWS\SYSTEM32\WKSCLI.DLL
                      C:\WINDOWS\SYSTEM32\SAMCLI.DLL
                      C:\WINDOWS\WIN.INI
                      C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\RASPLAP.DLL
                      C:\WINDOWS\SYSTEM32\RASAPI32.DLL
                      C:\WINDOWS\SYSTEM32\RASMAN.DLL
                      C:\WINDOWS\SYSTEM32\RTUTILS.DLL
                      C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
                      C:\WINDOWS\SYSTEM32\RSAENH.DLL
                      C:\WINDOWS\SYSTEM32\INPUT.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
                      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
                      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
                      C:\WINDOWS\IME\SPTIP.DLL
                      C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
                      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
                      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
                      C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
                      C:\WINDOWS\SYSTEM32\OLEACC.DLL
                      C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
                      C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
                      C:\WINDOWS\SYSTEM32\SXS.DLL
                      C:\WINDOWS\FONTS\STATICCACHE.DAT
                      C:\WINDOWS\SYSTEM32\EN-US\IMAGERES.DLL.MUI

            • 3368

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"

              • Time lapse
                • 6.345386

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3420

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'"

                  • Time lapse
                    • 6.485786

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\KH0WBVPYPHJZ5WJ8Y4IX.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBDD2.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL
                      C:\WINDOWS\SYSTEM32\IMM32.DLL
                      C:\WINDOWS\SYSTEM32\RPCSS.DLL
                      C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
                      C:\WINDOWS\SYSTEM32\SECHOST.DLL
                      C:\WINDOWS\SYSTEM32\AUTHUI.DLL
                      C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
                      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_FA396087175AC9AC\COMCTL32.DLL
                      C:\WINDOWS\SYSTEM32\UXTHEME.DLL
                      C:\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_2B24536C71ED437A\GDIPLUS.DLL
                      C:\WINDOWS\SYSTEM32\DUI70.DLL
                      C:\WINDOWS\SYSTEM32\DUSER.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\AUTHUI.DLL.MUI
                      C:\WINDOWS\SYSTEM32\SNDVOLSSO.DLL
                      C:\WINDOWS\SYSTEM32\HID.DLL
                      C:\WINDOWS\SYSTEM32\MMDEVAPI.DLL
                      C:\WINDOWS\SYSTEM32\PROPSYS.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSTEM32\DWMAPI.DLL
                      C:\WINDOWS\SYSTEM32\XMLLITE.DLL
                      C:\WINDOWS\SYSTEM32\IMAGERES.DLL
                      C:\WINDOWS\SYSTEM32\WINDOWSCODECS.DLL
                      C:\WINDOWS\SYSTEM32\WINBRAND.DLL
                      C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
                      C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
                      C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
                      C:\WINDOWS\SYSTEM32\VAULTCREDPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
                      C:\WINDOWS\SYSTEM32\SMARTCARDCREDENTIALPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\WINSTA.DLL
                      C:\WINDOWS\SYSTEM32\BIOCREDPROV.DLL
                      C:\WINDOWS\SYSTEM32\SECUR32.DLL
                      C:\WINDOWS\SYSTEM32\SSPICLI.DLL
                      C:\WINDOWS\SYSTEM32\WINBIO.DLL
                      C:\WINDOWS\SYSTEM32\CREDUI.DLL
                      C:\WINDOWS\SYSTEM32\VAULTCLI.DLL
                      C:\WINDOWS\SYSTEM32\NETAPI32.DLL
                      C:\WINDOWS\SYSTEM32\NETUTILS.DLL
                      C:\WINDOWS\SYSTEM32\SRVCLI.DLL
                      C:\WINDOWS\SYSTEM32\WKSCLI.DLL
                      C:\WINDOWS\SYSTEM32\SAMCLI.DLL
                      C:\WINDOWS\WIN.INI
                      C:\WINDOWS\SYSTEM32\CERTCREDPROVIDER.DLL
                      C:\WINDOWS\SYSTEM32\RASPLAP.DLL
                      C:\WINDOWS\SYSTEM32\RASAPI32.DLL
                      C:\WINDOWS\SYSTEM32\RASMAN.DLL
                      C:\WINDOWS\SYSTEM32\RTUTILS.DLL
                      C:\WINDOWS\SYSTEM32\INPUT.DLL
                      C:\WINDOWS\SYSTEM32\EN-US\INPUT.DLL.MUI
                      C:\WINDOWS\SYSTEM32\CRYPTSP.DLL
                      C:\WINDOWS\SYSTEM32\RSAENH.DLL
                      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\TIPTSF.DLL
                      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INK\EN-US\TIPTSF.DLL.MUI
                      C:\WINDOWS\IME\SPTIP.DLL
                      C:\WINDOWS\IME\EN-US\SPTIP.DLL.MUI
                      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\TABLETEXTSERVICE.DLL
                      C:\PROGRAM FILES\WINDOWS NT\TABLETEXTSERVICE\EN-US\TABLETEXTSERVICE.DLL.MUI
                      C:\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\SYSTEM32\EN-US\MSCTF.DLL.MUI
                      C:\WINDOWS\SYSTEM32\OLEACC.DLL
                      C:\WINDOWS\SYSTEM32\OLEACCRC.DLL
                      C:\WINDOWS\SYSTEM32\UIAUTOMATIONCORE.DLL
                      C:\WINDOWS\SYSTEM32\SXS.DLL

            • 3384

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"

              • Time lapse
                • 6.360986

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3404

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'"

                  • Time lapse
                    • 6.438987

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\NKPN2J4M4SBW90ICH9PK.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBD26.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3392

              • Image path
                • CMD.EXE "/C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"

              • Time lapse
                • 6.392187

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                  C:\WINDOWS\SYSWOW64\WBEM
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL
                  C:\WINDOWS\APPPATCH\SYSMAIN.SDB

              • Process children

                • 3412

                  • Image path
                    • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'"

                  • Time lapse
                    • 6.485786

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\ATL.DLL
                      C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\EN-US\POWERSHELL.EXE.MUI
                      C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                      C:\WINDOWS\REGISTRATION\R000000000006.CLB
                      C:\WINDOWS\SYSWOW64\SHELL32.DLL
                      C:\WINDOWS\SYSWOW64\USERENV.DLL
                      C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                      C:\WINDOWS\WINDOWSSHELL.MANIFEST
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                      C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                      C:\USERS\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SHELL32.DLL.MUI
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP.INI
                      C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\SYSWOW64\GAMEUX.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                      C:\WINDOWS\SYSWOW64\XMLLITE.DLL
                      C:\WINDOWS\SYSWOW64\WER.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                      C:\WINDOWS\SYSWOW64\SHDOCVW.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\WINDOWS\SYSWOW64\EN-US\SHDOCVW.DLL.MUI
                      C:\WINDOWS\SYSWOW64\LINKINFO.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\DESKTOP.INI
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\DESKTOP.INI
                      C:\WINDOWS\SYSWOW64\NTSHRUI.DLL
                      C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                      C:\WINDOWS\SYSWOW64\CSCAPI.DLL
                      C:\WINDOWS\SYSWOW64\SLC.DLL
                      C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS POWERSHELL\WINDOWS POWERSHELL.LNK
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE
                      C:\WINDOWS\HH.EXE
                      C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                      C:\WINDOWS\SYSWOW64\RSAENH.DLL
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\5EWXH2EKYNLALY8QH70N.TEMP
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\RECENT\CUSTOMDESTINATIONS\D93F411851D7C929.CUSTOMDESTINATIONS-MS~RFBC3C.TMP
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                      C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                      C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\B1C511D8FAD78AD3C5213B2B4FB02B8B\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.CONSOLEHOST\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT.AUTOMATION\1.0.0.0__31BF3856AD364E35\SYSTEM.MANAGEMENT.AUTOMATION.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT.A#\4436815B432C313255AF322F4EC3560D\SYSTEM.MANAGEMENT.AUTOMATION.NI.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\L_INTL.NLS
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                      C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CORE\FBC05B5B05DC6366B02B8E2F77D080F1\SYSTEM.CORE.NI.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\4F68CD04686E5DC5A55070D112D44BDF\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.DIAGNOSTICS\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CORE\3.5.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F02737C83305687A68C088927A6C5A98\SYSTEM.CONFIGURATION.INSTALL.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION.INSTALL\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\EE28A075665B6BC23B6DAE56903D431D\MICROSOFT.WSMAN.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.WSMAN.RUNTIME\1.0.0.0__31BF3856AD364E35\MICROSOFT.WSMAN.RUNTIME.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.TRANSACTIONS\AD18F93FC713DB2C4B29B25116C13BD8\SYSTEM.TRANSACTIONS.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.TRANSACTIONS\2.0.0.0__B77A5C561934E089\SYSTEM.TRANSACTIONS.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\3008A05E2928E2C1D856CC34E0422C17\MICROSOFT.POWERSHELL.COMMANDS.UTILITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.UTILITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8DF695FB80187F65208D87229E81E8A2\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.COMMANDS.MANAGEMENT\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\8CE205027E30804D1B2DEAFFA0582735\MICROSOFT.POWERSHELL.SECURITY.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.POWERSHELL.SECURITY\1.0.0.0__31BF3856AD364E35
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML\461D3B6B3F43E6FBE6C897D5936E17E4\SYSTEM.XML.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.XML\2.0.0.0__B77A5C561934E089
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.MANAGEMENT\6F3B99ED0B791FF4D8AA52F2F0CD0BCF\SYSTEM.MANAGEMENT.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.MANAGEMENT\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DIRECTORYSER#\45EC12795950A7D54691591C615A9E3C\SYSTEM.DIRECTORYSERVICES.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DIRECTORYSERVICES\2.0.0.0__B03F5F7F11D50A3A
                      C:\WINDOWS\SYSWOW64\SHFOLDER.DLL
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\GETEVENT.TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\TYPES.PS1XML
                      C:\WINDOWS\SYSWOW64\TZRES.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\TZRES.DLL.MUI
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DIAGNOSTICS.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\WSMAN.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\CERTIFICATE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\DOTNETTYPES.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\FILESYSTEM.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\HELP.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLCORE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELLTRACE.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\REGISTRY.FORMAT.PS1XML
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DATA\1E85062785E286CD9EAE9C26D2C61F73\SYSTEM.DATA.NI.DLL
                      C:\WINDOWS\ASSEMBLY\GAC_32\SYSTEM.DATA\2.0.0.0__B77A5C561934E089\SYSTEM.DATA.DLL
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                      C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                      C:\WINDOWS\SYSWOW64\WBEM
                      C:\PROGRAM FILES\NODEJS
                      C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                      C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM
                      C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DIASYMREADER.DLL
                      C:\WINDOWS\SYSWOW64\NETUTILS.DLL

            • 3872

              • Image path
                • "C:\PROGRAM FILES (X86)\PUBLICGAMING\APPSETUP.EXE"

              • Time lapse
                • 48.065084

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\NTDLL.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\ADVAPI32.DLL
                  C:\WINDOWS\SYSWOW64\WINMM.DLL
                  C:\WINDOWS\SYSWOW64\WS2_32.DLL
                  C:\WINDOWS\SYSWOW64\POWRPROF.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                  C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\WSHTCPIP.DLL.MUI
                  C:\WINDOWS\SYSWOW64\WSHIP6.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\WSHIP6.DLL.MUI
                  C:\WINDOWS\SYSWOW64\WSHQOS.DLL
                  C:\WINDOWS\SYSWOW64\EN-US\WSHQOS.DLL.MUI
                  C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                  C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                  C:\WINDOWS\SYSWOW64\RSAENH.DLL
                  C:\WINDOWS\SYSWOW64\KERNEL32.DLL

            • 3880

              • Image path
                • "C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE"

              • Time lapse
                • 48.153887

              • Files Accessed

                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                  C:\WINDOWS\SYSWOW64\VERSION.DLL
                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                  C:\WINDOWS\SYSWOW64\NTDLL.DLL
                  C:\WINDOWS\SYSWOW64\KERNEL32.DLL
                  C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE
                  C:\WINDOWS\SYSWOW64\APPHELP.DLL

              • Process children

                • 3952

                  • Image path
                    • "C:\PROGRAM FILES (X86)\PUBLICGAMING\PRUN.EXE"

                  • Time lapse
                    • 49.940695

                  • Files Accessed

                    • C:\WINDOWS\SYSTEM32\WOW64.DLL
                      C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                      C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                      C:\WINDOWS\SYSWOW64\SECHOST.DLL
                      C:\WINDOWS\SYSWOW64\IMM32.DLL
                      C:\WINDOWS\SYSWOW64\SECUR32.DLL
                      C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                      C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
                      C:\WINDOWS\SYSWOW64\WINNSI.DLL
                      C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
                      C:\WINDOWS\SYSWOW64\WSHIP6.DLL
                      C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
                      C:\WINDOWS\SYSWOW64\DNSAPI.DLL
                      C:\WINDOWS\SYSWOW64\RASADHLP.DLL
                      C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
                      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
                      C:\WINDOWS\SYSWOW64\APPHELP.DLL
                      C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\KARA.EXE
                      C:\WINDOWS\SYSWOW64\NTVDM64.DLL
                      C:\WINDOWS\SYSWOW64\VERSION.DLL
                      C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
                      C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\JHUIMME.EXE

                  • Process children

                    • 2792

                      • Image path
                        • C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE

                      • Time lapse
                        • 72.382341

                      • Files Accessed

                        • C:\WINDOWS\SYSTEM32\WOW64.DLL
                          C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                          C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                          C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                          C:\WINDOWS\SYSWOW64\SECHOST.DLL
                          C:\WINDOWS\SYSWOW64\IMM32.DLL
                          C:\WINDOWS\WINDOWSSHELL.MANIFEST
                          C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                          C:\WINDOWS\SYSWOW64\UXTHEME.DLL
                          C:\WINDOWS\SYSWOW64\DWMAPI.DLL
                          C:\WINDOWS\FONTS\STATICCACHE.DAT
                          C:\WINDOWS\SYSWOW64\OLE32.DLL
                          C:\WINDOWS\SYSWOW64\EN-US\MSCTF.DLL.MUI
                          C:\WINDOWS\REGISTRATION\R000000000006.CLB
                          C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                          C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\P3.EXE
                          C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\AVRAI.VSS
                          C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
                          C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\ORA.VSS
                          C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\VENIR.VSS
                          C:\WINDOWS\SYSWOW64\SHELL32.DLL
                          C:\WINDOWS\SYSWOW64\PROPSYS.DLL
                          C:\WINDOWS\SYSWOW64\APPHELP.DLL
                          C:\WINDOWS\SYSWOW64\IEFRAME.DLL
                          C:\WINDOWS\SYSWOW64\OLEACC.DLL
                          C:\WINDOWS\SYSWOW64\OLEACCRC.DLL
                          C:\WINDOWS\SYSWOW64\EN-US\SETUPAPI.DLL.MUI
                          C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
                          C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                          C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000001.DB
                          C:\USERS\ADMINISTRATOR\DESKTOP\DESKTOP.INI
                          C:\WINDOWS\SYSWOW64\EN-US\PROPSYS.DLL.MUI
                          C:\WINDOWS\SYSWOW64\AT.EXE
                          C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                          C:\WINDOWS\SYSWOW64\CMD.EXE

                      • Process children

                        • 1576

                          • Image path
                            • "C:\WINDOWS\SYSTEM32\AT.EXE"

                          • Time lapse
                            • 72.834743

                          • Files Accessed

                            • C:\WINDOWS\SYSTEM32\WOW64.DLL
                              C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                              C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN
                              C:\WINDOWS\SYSWOW64\SECHOST.DLL
                              C:\WINDOWS\SYSWOW64\NETUTILS.DLL
                              C:\WINDOWS\SYSWOW64\SCHEDCLI.DLL
                              C:\WINDOWS\SYSWOW64\IMM32.DLL
                              C:\WINDOWS\SYSWOW64\EN-US\AT.EXE.MUI
                              C:\WINDOWS\SYSWOW64\NETMSG.DLL
                              C:\WINDOWS\SYSWOW64\SECUR32.DLL
                              C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                              C:\WINDOWS\SYSWOW64\CREDSSP.DLL
                              C:\WINDOWS\SYSWOW64\MSV1_0.DLL
                              C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL
                              C:\WINDOWS\SYSWOW64\EN-US\NETMSG.DLL.MUI

                        • 3656

                          • Image path
                            • "C:\WINDOWS\SYSTEM32\CMD.EXE" /C C:\WINDOWS\SYSTEM32\CMD.EXE < FIMO.VSS

                          • Time lapse
                            • 72.928343

                          • Files Accessed

                            • C:\WINDOWS\SYSTEM32\WOW64.DLL
                              C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                              C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                              C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                              C:\WINDOWS\SYSWOW64\SECHOST.DLL
                              C:\WINDOWS\SYSWOW64\IMM32.DLL
                              C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
                              C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                              C:\WINDOWS\SYSWOW64\CMD.EXE
                              C:\WINDOWS\SYSWOW64\APPHELP.DLL
                              C:\WINDOWS\APPPATCH\SYSMAIN.SDB

                          • Process children

                            • 3664

                              • Image path
                                • C:\WINDOWS\SYSTEM32\CMD.EXE

                              • Time lapse
                                • 72.975143

                              • Files Accessed

                                • C:\WINDOWS\SYSTEM32\WOW64.DLL
                                  C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                                  C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                                  C:\WINDOWS\SYSWOW64\WINBRAND.DLL
                                  C:\WINDOWS\SYSWOW64\SECHOST.DLL
                                  C:\WINDOWS\SYSWOW64\IMM32.DLL
                                  C:\WINDOWS\SYSWOW64\EN-US\CMD.EXE.MUI
                                  C:\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
                                  C:\WINDOWS\BRANDING\BASEBRD\EN-US\BASEBRD.DLL.MUI
                                  C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                                  C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\ZOLLBYVRLZOLVDRSHN\FIMO.VSS
                                  C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH_TARGET_2162329
                                  C:\WINDOWS\SYSWOW64\WBEM
                                  C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0
                                  C:\PROGRAM FILES\NODEJS
                                  C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\PROGRAMS\PYTHON\PYTHON37\SCRIPTS
                                  C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\NPM

                    • 3300

                      • Image path
                        • C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE

                      • Time lapse
                        • 110.527811

                      • Files Accessed

                        • C:\WINDOWS\SYSTEM32\WOW64.DLL
                          C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                          C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                          C:\WINDOWS\SYSWOW64\MSCOREE.DLL
                          C:\WINDOWS\SYSWOW64\SECHOST.DLL
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MSCOREEI.DLL
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORWKS.DLL
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.DLL
                          C:\WINDOWS\SYSWOW64\IMM32.DLL
                          C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\1.EXE
                          C:\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4940_NONE_D08CC06A442B34FC\MSVCR80.DLL
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CONFIG\MACHINE.CONFIG
                          C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                          C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\INDEX149.DAT
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MSCORLIB\62A0B3E4B40EC0E8C5CFAA0C8848E64A\MSCORLIB.NI.DLL
                          C:\WINDOWS\SYSWOW64\L_INTL.NLS
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORJIT.DLL
                          C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTTBLS.NLP
                          C:\WINDOWS\ASSEMBLY\GAC_32\MSCORLIB\2.0.0.0__B77A5C561934E089\SORTKEY.NLP
                          C:\WINDOWS\ASSEMBLY\PUBPOL25.DAT
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORRC.DLL
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALBAS#\08D608378AA405ADC844F3CF36974B8C\MICROSOFT.VISUALBASIC.NI.DLL
                          C:\WINDOWS\ASSEMBLY\GAC_MSIL\MICROSOFT.VISUALBASIC\8.0.0.0__B03F5F7F11D50A3A
                          C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM\2.0.0.0__B77A5C561934E089
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DRAWING\DBFE8642A8ED7B2B103AD28E0C96418A\SYSTEM.DRAWING.NI.DLL
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WINDOWS.FORMS\3AFCD5168C7A6CB02EAB99D7FD71E102\SYSTEM.WINDOWS.FORMS.NI.DLL
                          C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.WINDOWS.FORMS\2.0.0.0__B77A5C561934E089
                          C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.DRAWING\2.0.0.0__B03F5F7F11D50A3A
                          C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE
                          C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\SVCHOST.EXE
                          C:\WINDOWS\SYSWOW64\EN-US\KERNELBASE.DLL.MUI
                          C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE
                          C:\WINDOWS\SYSWOW64\APPHELP.DLL
                          C:\WINDOWS\APPPATCH\SYSMAIN.SDB
                          C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATION\BC09AD2D49D8535371845CD7532F9271\SYSTEM.CONFIGURATION.NI.DLL
                          C:\WINDOWS\ASSEMBLY\GAC_MSIL\SYSTEM.CONFIGURATION\2.0.0.0__B03F5F7F11D50A3A

                      • Process children

                        • 3260

                          • Image path
                            • C:\USERS\ADMINI~1\APPDATA\LOCAL\TEMP\SVCHOST.EXE

                          • Time lapse
                            • 110.74621

                          • Files Accessed

                            • C:\WINDOWS\SYSTEM32\WOW64.DLL
                              C:\WINDOWS\SYSTEM32\WOW64WIN.DLL
                              C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
                              C:\WINDOWS\SYSWOW64\SECHOST.DLL
                              C:\WINDOWS\SYSWOW64\NETAPI32.DLL
                              C:\WINDOWS\SYSWOW64\NETUTILS.DLL
                              C:\WINDOWS\SYSWOW64\SRVCLI.DLL
                              C:\WINDOWS\SYSWOW64\WKSCLI.DLL
                              C:\WINDOWS\SYSWOW64\DSROLE.DLL
                              C:\WINDOWS\SYSWOW64\IMM32.DLL
                              C:\WINDOWS\SYSWOW64\BCRYPT.DLL
                              C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL
                              C:\WINDOWS\SYSWOW64\WININET.DLL
                              C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7601.17514_NONE_41E6975E2BD6F2B2\COMCTL32.DLL
                              C:\WINDOWS\WINDOWSSHELL.MANIFEST
                              C:\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
                              C:\WINDOWS\SYSWOW64\PROFAPI.DLL
                              C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
                              C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT
                              C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
                              C:\WINDOWS\SYSWOW64\NTMARTA.DLL
                              C:\WINDOWS\SYSWOW64\DNSAPI.DLL
                              C:\WINDOWS\SYSWOW64\IPHLPAPI.DLL
                              C:\WINDOWS\SYSWOW64\WINNSI.DLL
                              C:\WINDOWS\SYSWOW64\RASAPI32.DLL
                              C:\WINDOWS\SYSWOW64\RASMAN.DLL
                              C:\WINDOWS\SYSWOW64\RTUTILS.DLL
                              C:\WINDOWS\SYSWOW64\SENSAPI.DLL
                              C:\WINDOWS\SYSWOW64\NLAAPI.DLL
                              C:\WINDOWS\SYSWOW64\RASADHLP.DLL
                              C:\WINDOWS\SYSWOW64\NAPINSP.DLL
                              C:\WINDOWS\SYSWOW64\PNRPNSP.DLL
                              C:\WINDOWS\SYSWOW64\MSWSOCK.DLL
                              C:\WINDOWS\SYSWOW64\WINRNR.DLL
                              C:\WINDOWS\SYSWOW64\WSHTCPIP.DLL
                              C:\WINDOWS\SYSWOW64\WSHIP6.DLL
                              C:\WINDOWS\SYSWOW64\FWPUCLNT.DLL
                              C:\WINDOWS\REGISTRATION\R000000000006.CLB
                              C:\WINDOWS\SYSWOW64\NETPROFM.DLL
                              C:\WINDOWS\SYSWOW64\CRYPTSP.DLL
                              C:\WINDOWS\SYSWOW64\RSAENH.DLL
                              C:\WINDOWS\SYSWOW64\RPCRTREMOTE.DLL
                              C:\WINDOWS\SYSWOW64\NPMPROXY.DLL
                              C:\WINDOWS\SYSWOW64\DHCPCSVC.DLL
                              C:\WINDOWS\SYSWOW64\DHCPCSVC6.DLL

  • Registry Accessed

    • \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\WSMAN