LoFP LoFP / t1561

t1561

TitleTags
this event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. in this case we used 'system32' and 'syswow64' path as a filter for this detection.
will be used sometimes by admins to clean up local flash space