`filerenameop`#

$ target-query <path/to/target> -f filerenameop

Details#
Module	`os.windows.generic.GenericPlugin`
Output	`records`

Module documentation

Generic Windows plugin.

Provides some plugins that don’t fit in a separate plugin.

Function documentation

Return all pending file rename operations.

The PendingFileRenameOperations registry key value contains information about files that will be renamed on reboot. Can be used to hunt for malicious binaries.

References:

https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241%28v=technet.10%29?redirectedfrom=MSDN
https://qtechbabble.wordpress.com/2020/06/26/use-pendingfilerenameoperations-registry-key-to-automatically-delete-a-file-on-reboot/

filerenameop#

`filerenameop`#