NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x000003ac
filepath:
C:\Users\test22\AppData\Local\Temp\~$inv_orders.xlsx
desired_access:
0xc0110080
(FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes:
2
(FILE_ATTRIBUTE_HIDDEN)
filepath_r:
\??\C:\Users\test22\AppData\Local\Temp\~$inv_orders.xlsx
create_options:
4198496
(FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info:
2
(FILE_CREATED)
share_access:
1
(FILE_SHARE_READ)
|
1
|
0 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|
NtCreateFile
|
create_disposition:
2
(FILE_CREATE)
file_handle:
0x00000000
filepath:
C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
desired_access:
0x00100001
(FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE)
file_attributes:
4
(FILE_ATTRIBUTE_SYSTEM)
filepath_r:
\??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001
create_options:
16417
(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT)
status_info:
4294967295
()
share_access:
3
(FILE_SHARE_READ|FILE_SHARE_WRITE)
|
|
3221225525 |
0
|