handle.exe
- File Path: C:\SysinternalsSuite\handle.exe
- Description: Handle viewer
Hashes
| Type | Hash |
|---|---|
MD5 | B7976CFA4763E744CBEA8EC4E462E185 |
SHA1 | FBC5177CAB851476DEF3AF42BE2BBE45B3AA8AC3 |
SHA256 | DE960B7FF0C687475ABA4852D799BB2BC3ED38B172BE1C4F954CBA461AE8DE1F |
SHA384 | 981AB1244A757E69A795EB3FC70293ED9C013A6914349766F4B3CB9E3F20B3FF1EEACC2708B78E555F4999E3E87E6CB8 |
SHA512 | 1A1C38780760F21BA3C542E2B2A04E19905E7BF60FDFE42E5B19970EE315B2A82CFC4FD05A2C1C6734726AF04D0C5A6705813DE0DBD162517B78A5CD5AD937F5 |
SSDEEP | 24576:u66qP9nYhpo6DpQ638OFksYzDLnkT53yGR:5lWfoIonOVlR |
IMP | 127AD03756DD9922E0DC20B19BF20030 |
PESHA1 | 2B71D1139117DC6A05E3C5F5434AA32CA8E0A650 |
PE256 | AC68148A8F49F6574E68A17E75762ECB31021E064DC755DD34D236A05DEC08AC |
Runtime Data
Usage (stdout):
Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
System pid: 4 <unable to open process>
2E0: File (---) \Device\Mup
2E4: File (---) \Device\Mup
145C: File (---) C:\Windows\System32\config\DEFAULT.LOG2
1470: File (---) C:\Windows\System32\config\DEFAULT.LOG1
1528: File (---) C:\Windows\System32\config\DEFAULT
15D8: File (---) C:\Windows\System32\config\SOFTWARE.LOG1
1624: File (-W-) C:\swapfile.sys
1628: File (R--) C:\Windows\bootstat.dat
16FC: Section \Win32kCrossSessionGlobals
1708: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
170C: File (---) C:\Windows\System32\config\SOFTWARE
1714: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
1724: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
172C: File (---) C:\Windows\System32\config\SOFTWARE.LOG2
1748: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
174C: File (---) C:\Windows\System32\config\SYSTEM
1754: File (---) C:\Windows\System32\config\SYSTEM.LOG1
1758: File (---) C:\Windows\System32\config\SYSTEM.LOG2
1760: File (R--) C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TM.blf
1768: File (-W-) C:\pagefile.sys
1778: File (R--) C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
177C: File (---) C:\Windows\appcompat\Programs\Amcache.hve.LOG2
178C: File (R--) C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
1794: File (---) C:\Windows\appcompat\Programs\Amcache.hve
17A0: File (RWD) \clfs
17A4: File (RW-) \clfs
17EC: File (R-D) C:\Windows\System32\en-US\win32kbase.sys.mui
1820: File (R-D) C:\Windows\System32\LogFiles\Scm\SCM.EVM
1834: File (---) C:\Windows\System32\config\SECURITY
1860: File (---) C:\Windows\System32\config\SECURITY.LOG1
1864: File (---) C:\Windows\System32\config\SECURITY.LOG2
193C: File (---) C:\Windows\System32\config\SAM
195C: File (---) C:\Windows\System32\config\SAM.LOG1
1960: File (---) C:\Windows\System32\config\SAM.LOG2
19D4: File (R--) C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
19DC: File (---) C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
1A2C: File (---) C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1
1A30: File (---) C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2
1A38: File (R--) C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
1A40: File (R--) C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
1A4C: File (RWD) \clfs
1A50: File (RW-) \clfs
1B50: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
1B64: File (---) C:\Windows\System32\config\BBI
1BBC: File (---) C:\Windows\System32\config\BBI.LOG1
1BC0: File (---) C:\Windows\System32\config\BBI.LOG2
1BE4: File (---) C:\Windows\ServiceProfiles\LocalService\ntuser.dat
1C20: File (---) C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1
1C24: File (---) C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2
1C5C: File (R--) C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TM.blf
1CC0: File (R--) C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TMContainer00000000000000000001.regtrans-ms
1CD0: File (R--) C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TMContainer00000000000000000002.regtrans-ms
1CDC: File (RWD) \clfs
1CE0: File (RW-) \clfs
1DBC: File (---) \Device\Mup
2328: File (R--) C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.blf
2378: File (R-D) C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl
23A8: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTWFP-IPsec Diagnostics.etl
2430: File (R--) C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.0.regtrans-ms
2470: File (R--) C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.1.regtrans-ms
2570: File (---) \clfs
259C: File (R--) C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.2.regtrans-ms
2F7C: File (---) C:\Windows\appcompat\Programs\Amcache.hve.LOG1
3198: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagtrack-Agent-Listener.etl
3ADC: File (R--) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TM.blf
3B34: File (---) C:\Users\user\ntuser.dat
3B44: File (R--) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TMContainer00000000000000000002.regtrans-ms
3B4C: File (R--) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TMContainer00000000000000000001.regtrans-ms
3B50: File (R--) C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
3B60: File (---) C:\Users\user\ntuser.dat.LOG1
3B64: File (---) C:\Users\user\ntuser.dat.LOG2
3B84: File (R--) C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
3B98: File (RWD) \clfs
3BA4: File (R--) C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
3BBC: File (RWD) \clfs
3BC0: File (RW-) \clfs
3BCC: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
3BDC: File (RW-) \clfs
3BE4: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
3BE8: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
4FFC: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat
5008: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat.LOG1
500C: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat.LOG2
5020: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG1
504C: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat
5070: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG2
594C: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2
595C: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
5970: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1
5974: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2
5980: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat
59A8: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1
6558: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSgrmEtwSession.etl
68B4: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
68C4: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1
68C8: File (R--) C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2
6A68: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat
6A88: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1
6A8C: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2
7E0C: File (R-D) C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-09252020-081854-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl
8B3C: File (R-D) C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
------------------------------------------------------------------------------
smss.exe pid: 428 <unable to open process>
3C: File (RW-) C:\Windows
------------------------------------------------------------------------------
csrss.exe pid: 528 <unable to open process>
40: File (RW-) C:\Windows\System32
88: Section \Windows\SharedSection
C0: File (R-D) C:\Windows\System32\en-US\csrss.exe.mui
15C: File (R-D) C:\Windows\System32\en-US\winsrv.dll.mui
------------------------------------------------------------------------------
wininit.exe pid: 600 <unable to open process>
40: File (RW-) C:\Windows\System32
110: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
services.exe pid: 644 <unable to open process>
40: File (RW-) C:\Windows\System32
250: File (R-D) C:\Windows\System32\en-US\services.exe.mui
------------------------------------------------------------------------------
lsass.exe pid: 664 NT AUTHORITY\SYSTEM
40: File (RW-) C:\Windows\System32
114: Section \LsaPerformance
178: File (R-D) C:\Windows\System32\en-US\lsasrv.dll.mui
29C: Section \BaseNamedObjects\Debug.Trace.Memory.298
3C8: File (RW-) C:\Windows\debug\PASSWD.LOG
668: File (R-D) C:\Windows\System32\en-US\vaultsvc.dll.mui
AA4: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
D98: File (RWD) C:\Users\user\AppData\Local\Microsoft\Credentials
DC0: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
F00: File (R-D) C:\Windows\SystemResources\crypt32.dll.mun
FC0: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Credentials
------------------------------------------------------------------------------
svchost.exe pid: 776 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
1AC: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
1B8: Section \BaseNamedObjects\RotHintTable
230: Section \BaseNamedObjects\__ComCatalogCache__
250: Section \BaseNamedObjects\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}
2CC: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
4AC: Section \BaseNamedObjects\__ComCatalogCache__
58C: Section \BaseNamedObjects\__ComCatalogCache__
5E8: Section \BaseNamedObjects\__ComCatalogCache__
828: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
A60: Section \BaseNamedObjects\RotHintTable
CD0: Section \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
fontdrvhost.exe pid: 812 Font Driver Host\UMFD-0
40: File (RW-) C:\Windows\System32
------------------------------------------------------------------------------
svchost.exe pid: 844 NT AUTHORITY\NETWORK SERVICE
48: File (RW-) C:\Windows\System32
2A8: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
348: Section \BaseNamedObjects\__ComCatalogCache__
354: Section \BaseNamedObjects\__ComCatalogCache__
6D8: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
CE8: File (R-D) C:\Windows\System32\en-US\netmsg.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 968 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1FC: Section \BaseNamedObjects\__ComCatalogCache__
20C: Section \BaseNamedObjects\__ComCatalogCache__
254: File (R-D) C:\Windows\System32\en-US\srvsvc.dll.mui
364: Section \BaseNamedObjects\SENS Information Cache
4CC: File (RW-) C:\Windows\Tasks
5C0: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
888: File (R--) C:\Windows\System32\wbem\Repository\MAPPING1.MAP
958: File (R-D) C:\Windows\SystemResources\propsys.dll.mun
974: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
9E0: File (RWD) C:\Windows\System32\wbem\MOF
A2C: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
C5C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
CCC: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
D28: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
D2C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
D30: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
D64: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
FF8: File (R-D) C:\Windows\System32\en-US\wldap32.dll.mui
FFC: File (R-D) C:\Windows\System32\en-US\iphlpsvc.dll.mui
1160: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
11E0: File (R--) C:\Windows\System32\wbem\Repository\OBJECTS.DATA
11F8: File (R-D) C:\Windows\System32\en-US\vsstrace.dll.mui
1244: File (R--) C:\Windows\System32\wbem\Repository\MAPPING2.MAP
124C: File (R--) C:\Windows\System32\wbem\Repository\MAPPING3.MAP
125C: File (R--) C:\Windows\System32\wbem\Repository\INDEX.BTR
1278: Section \BaseNamedObjects\Wmi Provider Sub System Counters
137C: Section \BaseNamedObjects\windows_shell_global_counters
1384: File (R-D) C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7c9c0c45-c6d2-4284-b749-8678f71347ed.1.etl
1390: File (R-D) C:\Windows\System32\en-US\usosvc.dll.mui
15C8: File (R-D) C:\Windows\System32\en-US\kernel32.dll.mui
15F8: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
1674: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
168C: File (RW-) C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal
1690: Section \Windows\Theme1324212991
16A8: File (R-D) C:\Windows\System32\en-US\gpsvc.dll.mui
17AC: File (RW-) C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
19D8: File (R-D) C:\Windows\System32\en-US\SHCore.dll.mui
1E48: Section \BaseNamedObjects\RotHintTable
1ED0: File (R-D) C:\Windows\System32\en-US\combase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 984 NT AUTHORITY\NETWORK SERVICE
48: File (RW-) C:\Windows\System32
130: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1CC: Section \BaseNamedObjects\__ComCatalogCache__
218: Section \BaseNamedObjects\__ComCatalogCache__
380: File (R-D) C:\Windows\System32\en-US\termsrv.dll.mui
990: Section \BaseNamedObjects\RdpCommandChannel-Session1-0
9A0: Section \BaseNamedObjects\RdpUpdateBuffer-Session1-0
A2C: File (R-D) C:\Windows\System32\en-US\rdpcorets.dll.mui
B3C: Section \BaseNamedObjects\RotHintTable
------------------------------------------------------------------------------
svchost.exe pid: 1020 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
16C: File (RWD) C:\$Extend\$ObjId:$O:$INDEX_ALLOCATION
230: Section \BaseNamedObjects\__ComCatalogCache__
24C: Section \BaseNamedObjects\__ComCatalogCache__
28C: Section \BaseNamedObjects\windows_shell_global_counters
338: File (---) \Device\Mup
3C0: File (R-D) C:\Windows\System32\en-US\AudioEndpointBuilder.dll.mui
3C8: File (R-D) C:\Windows\System32\en-US\umrdp.dll.mui
568: File (R--) C:\System Volume Information\tracking.log
5C8: File (R-D) C:\Windows\System32\en-US\rdpendp.dll.mui
670: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
684: File (R-D) C:\Windows\System32\en-US\printui.dll.mui
6CC: Section \BaseNamedObjects\RotHintTable
750: Section \BaseNamedObjects\windows_shell_global_counters
794: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
79C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
7A0: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
7A4: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
7A8: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
7B0: File (R-D) C:\Windows\System32\en-US\shell32.dll.mui
8D4: File (R-D) C:\Windows\System32\en-US\kernel32.dll.mui
97C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
------------------------------------------------------------------------------
svchost.exe pid: 1064 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
13C: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
264: Section \BaseNamedObjects\vmictimesync-mem-681d3198-3c2c-44c8-9f0b-dbdd1fe7f740
2F4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
3D4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx
434: File (R--) C:\Windows\System32\winevt\Logs\System.evtx
4A8: File (R--) C:\Windows\System32\winevt\Logs\Application.evtx
4F0: File (R--) C:\Windows\System32\winevt\Logs\Key Management Service.evtx
510: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx
528: File (R--) C:\Windows\System32\winevt\Logs\Security.evtx
52C: File (R--) C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
530: File (R--) C:\Windows\System32\winevt\Logs\HardwareEvents.evtx
540: File (R--) C:\Windows\System32\winevt\Logs\Internet Explorer.evtx
544: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx
558: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
568: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx
584: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
58C: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
594: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx
598: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
5E8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
5F8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
60C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
61C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx
62C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
634: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx
644: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
648: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx
660: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx
670: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
674: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx
684: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
688: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
68C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx
694: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx
698: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx
69C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx
6A0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
6B0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx
6B4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx
6C0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx
6C8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
6CC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
6D0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
6D8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
6DC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx
6E0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
6E4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
6E8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx
6EC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx
6F0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
6F4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx
6F8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx
704: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx
70C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx
718: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx
740: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
744: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx
74C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
75C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx
764: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx
7B0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx
7BC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx
7C0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
7C4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx
7C8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx
7CC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
7D0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx
7D8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx
7DC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx
7E0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Guest-Network-Service-Admin.evtx
7E4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Guest-Network-Service-Operational.evtx
7E8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx
7FC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
81C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx
820: Section \BaseNamedObjects\RotHintTable
82C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx
840: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
84C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
854: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx
864: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
868: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
86C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx
870: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx
874: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx
87C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx
880: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
888: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
890: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx
894: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx
8A0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
8C8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
8EC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
904: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx
918: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
91C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-WorkFolders%4WHC.evtx
924: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx
93C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
958: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx
95C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Admin.evtx
960: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx
968: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx
984: Section \BaseNamedObjects\__ComCatalogCache__
994: Section \BaseNamedObjects\__ComCatalogCache__
9C4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx
9D8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
9E0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx
9E4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
9E8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx
9EC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx
9F0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
9F4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx
9FC: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx
A10: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx
A14: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-LessPrivilegedAppContainer%4Operational.evtx
A20: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
A28: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
A2C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
AB0: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
AC4: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
AE8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx
AF8: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx
B1C: File (R--) C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx
------------------------------------------------------------------------------
svchost.exe pid: 1080 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
13C: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1C4: Section \BaseNamedObjects\__ComCatalogCache__
2A8: File (R-D) C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat
2E0: Section \BaseNamedObjects\__ComCatalogCache__
36C: File (R-D) C:\Windows\System32\en-US\netprofmsvc.dll.mui
578: File (R-D) C:\Windows\System32\es.dll
5AC: File (R-D) C:\Windows\System32\stdole2.tlb
714: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
8B8: Section \BaseNamedObjects\RotHintTable
930: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
A54: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
A80: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
AB8: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
B20: File (R-D) C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-21-2047949552-857980807-821054962-504.dat
B24: File (R-D) C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-2047949552-857980807-821054962-504.dat
C98: File (R-D) C:\Windows\System32\en-US\netmsg.dll.mui
DB0: File (RWD) C:\Windows\Fonts
DC8: File (R-D) C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~fontcache-system.dat
------------------------------------------------------------------------------
svchost.exe pid: 1288 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1F0: Section \BaseNamedObjects\__ComCatalogCache__
1FC: Section \BaseNamedObjects\__ComCatalogCache__
2DC: Section \BaseNamedObjects\mmGlobalPnpInfo
460: File (R-D) C:\Windows\System32\en-US\AudioSrv.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 1348 NT AUTHORITY\NETWORK SERVICE
48: File (RW-) C:\Windows\System32
128: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
2B4: File (RWD) C:\Windows\System32\drivers\etc
2E8: File (---) \Device\Mup
398: File (---) \Device\Mup
658: Section \BaseNamedObjects\__ComCatalogCache__
678: Section \BaseNamedObjects\__ComCatalogCache__
6C4: File (R--) C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm
774: File (RWD) C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
8AC: File (R-D) C:\Windows\System32\en-US\vsstrace.dll.mui
8C0: File (RWD) C:\Windows\System32\CatRoot
984: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
9D4: File (R--) C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm
AE8: File (R--) C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
B28: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
B34: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
B84: File (R-D) C:\Windows\System32\en-US\dnsapi.dll.mui
B8C: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
C88: File (R--) C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
CBC: File (RWD) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData
CEC: File (R-D) C:\Windows\System32\en-US\ESENT.dll.mui
D10: File (RWD) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData
------------------------------------------------------------------------------
svchost.exe pid: 1416 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
330: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
470: Section \BaseNamedObjects\__ComCatalogCache__
488: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 1428 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
spoolsv.exe pid: 1560 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
A8: File (R-D) C:\Windows\System32\en-US\spoolsv.exe.mui
3A0: File (R-D) C:\Windows\System32\en-US\localspl.dll.mui
544: File (R-D) C:\Windows\System32\en-US\APMon.dll.mui
558: Section \BaseNamedObjects\__ComCatalogCache__
568: Section \BaseNamedObjects\__ComCatalogCache__
578: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
5C0: File (R-D) C:\Windows\System32\en-US\win32spl.dll.mui
784: File (RWD) C:\Windows\System32\spool\drivers\x64\PCC
790: File (R-D) C:\Windows\System32\en-US\setupapi.dll.mui
7D0: Section \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 1684 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
11C: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
188: File (R-D) C:\Windows\System32\en-US\bfe.dll.mui
364: File (R-D) C:\Windows\System32\en-US\FirewallAPI.dll.mui
4E4: Section \BaseNamedObjects\__ComCatalogCache__
670: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 1992 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
28C: Section \BaseNamedObjects\__ComCatalogCache__
41C: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 2020 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
178: Section \BaseNamedObjects\__ComCatalogCache__
1AC: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
CExecSvc.exe pid: 1192 NT AUTHORITY\SYSTEM
40: File (RW-) C:\Windows\System32
------------------------------------------------------------------------------
VmComputeAgent.exe pid: 2152 NT AUTHORITY\SYSTEM
40: File (RW-) C:\Windows\System32
284: Section \BaseNamedObjects\__ComCatalogCache__
2DC: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 1760 NT AUTHORITY\NETWORK SERVICE
48: File (RW-) C:\Windows\System32
228: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
csrss.exe pid: 2468 <unable to open process>
40: File (RW-) C:\Windows\System32
84: Section \Sessions\1\Windows\SharedSection
30C: File (R-D) C:\Windows\System32\en-US\winsrv.dll.mui
------------------------------------------------------------------------------
winlogon.exe pid: 2484 NT AUTHORITY\SYSTEM
40: File (RW-) C:\Windows\System32
1E4: Section \Sessions\1\Windows\Theme2036293991
2B0: Section \Windows\Theme1324212991
2B4: Section \Sessions\1\Windows\ThemeSection
388: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
fontdrvhost.exe pid: 2712 Font Driver Host\UMFD-1
40: File (RW-) C:\Windows\System32
------------------------------------------------------------------------------
WUDFHost.exe pid: 2732 NT AUTHORITY\LOCAL SERVICE
40: File (RW-) C:\Windows\System32
2E0: File (R-D) C:\Windows\System32\en-US\WUDFHost.exe.mui
344: File (R-D) C:\Windows\System32\drivers\UMDF\en-US\IddCx.dll.mui
348: File (R-D) C:\Windows\System32\en-US\d2d1.dll.mui
34C: File (R-D) C:\Windows\System32\en-US\DWrite.dll.mui
350: File (R-D) C:\Windows\System32\en-US\ntmarta.dll.mui
368: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
484: Section \BaseNamedObjects\RdpCommandChannel-Session1-0
488: Section \BaseNamedObjects\RdpUpdateBuffer-Session1-0
4A0: Section \BaseNamedObjects\RdpCursorShape_S1_U0
550: Section \BaseNamedObjects\RdpFrameBuffer_S1_M0_U0
------------------------------------------------------------------------------
dwm.exe pid: 3024 Window Manager\DWM-1
40: File (RW-) C:\Windows\System32
D4: File (R-D) C:\Windows\System32\en-US\dwm.exe.mui
17C: File (R-D) C:\Windows\System32\en-US\d2d1.dll.mui
4A4: Section \BaseNamedObjects\__ComCatalogCache__
4B8: Section \Sessions\1\Windows\Theme2036293991
570: Section \BaseNamedObjects\__ComCatalogCache__
5E0: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
830: File (RWD) C:\Windows\System32
BA4: Section \Windows\Theme1324212991
DFC: File (R-D) C:\Windows\Fonts\StaticCache.dat
------------------------------------------------------------------------------
svchost.exe pid: 3208 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
238: Section \BaseNamedObjects\__ComCatalogCache__
280: Section \BaseNamedObjects\__ComCatalogCache__
2D0: Section \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 3252 NT AUTHORITY\SYSTEM
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1BC: File (RW-) C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-shm
1D8: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
1EC: Section \BaseNamedObjects\__ComCatalogCache__
230: Section \BaseNamedObjects\__ComCatalogCache__
460: File (RW-) C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-wal
4B8: File (RW-) C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
674: File (RW-) C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
678: File (RW-) C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-wal
------------------------------------------------------------------------------
rdpclip.exe pid: 3536 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
80: File (R-D) C:\Windows\System32\en-US\rdpclip.exe.mui
254: Section \BaseNamedObjects\__ComCatalogCache__
260: Section \BaseNamedObjects\__ComCatalogCache__
338: Section \Windows\Theme1324212991
33C: Section \Sessions\1\Windows\Theme2036293991
528: Section \Windows\Theme1324212991
52C: Section \Sessions\1\Windows\Theme2036293991
------------------------------------------------------------------------------
sihost.exe pid: 3576 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
194: Section \BaseNamedObjects\__ComCatalogCache__
1B0: Section \BaseNamedObjects\__ComCatalogCache__
63C: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 3664 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
258: Section \BaseNamedObjects\__ComCatalogCache__
264: Section \BaseNamedObjects\__ComCatalogCache__
308: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
334: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
38C: File (RW-) C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
390: File (RW-) C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal
394: File (RW-) C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-shm
5F8: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
790: File (RW-) C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db
7A4: File (RW-) C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm
7BC: File (RW-) C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal
7D8: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
954: File (R-D) C:\Windows\System32\en-US\QuietHours.dll.mui
998: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
------------------------------------------------------------------------------
taskhostw.exe pid: 3716 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
110: File (R-D) C:\Windows\System32\en-US\taskhostw.exe.mui
188: Section \Windows\Theme1324212991
18C: Section \Sessions\1\Windows\Theme2036293991
1A0: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\WebCacheLock.dat
1AC: Section \BaseNamedObjects\__ComCatalogCache__
1B8: Section \BaseNamedObjects\__ComCatalogCache__
1CC: File (R-D) C:\Windows\System32\en-US\MsCtfMonitor.dll.mui
23C: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
29C: File (R-D) C:\Windows\System32\en-US\ESENT.dll.mui
2B8: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log
35C: File (R-D) C:\Windows\System32\en-US\winmm.dll.mui
3A4: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
3B0: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
3BC: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
3FC: File (R-D) C:\Windows\System32\en-US\wdmaud.drv.mui
454: File (---) C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\v01tmp.log
49C: File (R-D) C:\Windows\System32\en-US\rdpendp.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 3916 NT AUTHORITY\SYSTEM
4C: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
264: Section \BaseNamedObjects\__ComCatalogCache__
274: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
ctfmon.exe pid: 3980 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
FC: File (R-D) C:\Windows\System32\en-US\ctfmon.exe.mui
2D4: Section \Windows\Theme1324212991
2D8: Section \Sessions\1\Windows\Theme2036293991
440: Section \BaseNamedObjects\__ComCatalogCache__
44C: Section \BaseNamedObjects\__ComCatalogCache__
524: Section \Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1
538: Section \Sessions\1\BaseNamedObjects\ImeSipSharedMapping
548: File (R--) C:\Windows\System32\en-US\datamap.0409.dat
------------------------------------------------------------------------------
explorer.exe pid: 3996 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
80: File (R-D) C:\Windows\en-US\explorer.exe.mui
308: Section \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
30C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
320: Section \BaseNamedObjects\__ComCatalogCache__
32C: Section \BaseNamedObjects\__ComCatalogCache__
358: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
390: Section \BaseNamedObjects\windows_shell_global_counters
428: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
50C: File (R-D) C:\Windows\System32\en-US\dsreg.dll.mui
518: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100ee
52C: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
588: Section \Windows\Theme1324212991
590: File (R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui
594: Section \Sessions\1\Windows\Theme2036293991
598: File (R-D) C:\Windows\Fonts\StaticCache.dat
5C0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100e6
5D0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100e6
5D8: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
62C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
67C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
680: Section \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
688: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
68C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
690: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
6C0: Section \Sessions\1\BaseNamedObjects\windows_ie_global_counters
6F0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f6
6F4: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f6
6F8: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f0
6FC: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f0
754: File (RWD) C:\Users\user\Desktop
798: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
828: File (R-D) C:\Windows\System32\en-US\shell32.dll.mui
82C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
85C: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
890: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100ee
8B8: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
8DC: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
958: File (---) \FileSystem\Filters\FltMgrMsg
AAC: File (R-D) C:\Windows\System32\en-US\twinui.pcshell.dll.mui
B70: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
B7C: File (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb
BB8: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:20102
BC0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:20102
CD0: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
DE8: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
E9C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
EF4: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10144
F00: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
F04: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10144
F08: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10146
F0C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10146
F10: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10148
F14: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10148
F18: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014a
F1C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014a
F20: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014c
F24: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014c
F28: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014e
F2C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014e
F30: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10150
F34: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10150
F38: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10152
F3C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10152
F40: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10154
F44: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10154
10B4: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
10E0: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1258: File (R--) C:\Users\user\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
1298: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
129C: File (RWD) C:\Windows\bcastdvr
12A4: File (RWD) C:\Users\user\AppData\Local\Microsoft\GameDVR
12E8: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
12F4: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
12F8: File (R-D) C:\Windows\SystemResources\batmeter.dll.mun
12FC: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
1314: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1320: File (R-D) C:\Windows\System32\en-US\ApplicationFrame.dll.mui
1340: File (R-D) C:\Windows\System32\en-US\stobject.dll.mui
1344: File (R-D) C:\Windows\SystemResources\stobject.dll.mun
137C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
13BC: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
13CC: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
13F4: File (R-D) C:\Windows\System32\en-US\InputSwitch.dll.mui
1618: File (R-D) C:\Windows\System32\en-US\batmeter.dll.mui
1768: File (R-D) C:\Windows\SystemResources\SndVolSSO.dll.mun
177C: File (R-D) C:\Windows\System32\en-US\sndvolsso.dll.mui
17AC: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100a4
17B0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100a4
184C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1868: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1874: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1904: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9
196C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:102ac
1974: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
19E0: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
19E8: File (R-D) C:\Windows\System32\en-US\rdpendp.dll.mui
1AB0: File (R-D) C:\Windows\System32\en-US\pnidui.dll.mui
1AC0: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1B10: Section \Sessions\1\BaseNamedObjects\UrlZonesSM_user
1B30: File (R-D) C:\Windows\System32\en-US\bthprops.cpl.mui
1B68: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
1B8C: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
1BA4: File (RWD) C:\Users\Public\Desktop
1BD8: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
1C34: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:102ac
1CA0: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10238
1CA4: File (R-D) C:\Windows\SystemResources\shell32.dll.mun
1CA8: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
1CB4: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1CBC: File (R-D) C:\Windows\System32\en-US\explorerframe.dll.mui
1CC8: File (R-D) C:\Windows\System32\en-US\UIRibbon.dll.mui
1CE8: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1CFC: File (R-D) C:\Windows\SystemResources\ExplorerFrame.dll.mun
1D28: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10266
1D30: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10266
1D34: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
1D38: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
1D3C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1024c
1D44: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1024c
1D48: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
1D50: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10238
1D54: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
1D60: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
1EB4: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
1F54: File (RW-) C:\Windows\System32
1F58: File (R-D) C:\Windows\System32\en-US\UIAutomationCore.dll.mui
1F6C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10264
1FA8: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10264
1FCC: File (R-D) C:\Windows\System32\en-US\dui70.dll.mui
20B0: File (R-D) C:\Windows\System32\en-US\NetworkExplorer.dll.mui
20DC: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
20FC: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
2128: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
2154: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts
2248: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
224C: File (R-D) C:\Windows\System32\en-US\ActionCenter.dll.mui
2294: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
235C: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
24B0: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Burn
251C: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Burn
2538: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:60028
2574: File (R-D) C:\Windows\System32\en-US\mpr.dll.mui
2618: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
2630: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
2778: File (RWD) C:\Users\user\Desktop
280C: File (R-D) C:\Windows\SystemResources\imageres.dll.mun
283C: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:60028
2894: File (R-D) C:\Windows\System32\en-US\hcproviders.dll.mui
28C8: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
2908: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
290C: File (R-D) C:\Windows\System32\en-US\ieframe.dll.mui
2938: File (R-D) C:\Windows\System32\en-US\ole32.dll.mui
293C: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts
2948: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
29E0: File (R-D) C:\Windows\System32\en-US\combase.dll.mui
29F0: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
2A40: File (R-D) C:\Windows\System32\en-US\ntshrui.dll.mui
2A68: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
2AA8: File (R-D) C:\Windows\System32\en-US\twext.dll.mui
2B28: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
2C78: File (R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui
2C88: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:902d0
2D40: File (R-D) C:\Windows\System32\en-US\zipfldr.dll.mui
2D84: File (RWD) C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2DAC: File (R-D) C:\Windows\SystemResources\zipfldr.dll.mun
2DC8: Section \Sessions\1\BaseNamedObjects\f9cHWNDInterface:902d0
2DE0: File (RWD) C:\Users\Public\Desktop
2E50: File (R-D) C:\Windows\System32\en-US\wscui.cpl.mui
2ED8: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
2FE0: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
2FF4: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
303C: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
30B0: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
30B8: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
30D8: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
30E0: File (RWD) C:\ProgramData\Microsoft\Windows\Start Menu\Programs
3100: File (RWD) C:\ProgramData\Microsoft\Windows\Start Menu
3108: File (RWD) C:\ProgramData\Microsoft\Windows\Start Menu
3128: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
3134: File (RWD) C:\Users\user\Downloads
3140: File (RWD) C:\Users\user\Downloads
314C: File (RWD) C:\Users\user\Documents
3158: File (RWD) C:\Users\user\Documents
3164: File (RWD) C:\Users\user\Pictures
3170: File (RWD) C:\Users\user\Pictures
317C: File (RWD) C:\Users\user\Music
3188: File (RWD) C:\Users\user\Music
3194: File (RWD) C:\Users\user\Videos
31A0: File (RWD) C:\Users\user\Videos
31AC: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries
31B8: File (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries
31C4: File (RWD) C:\
31D0: File (RWD) C:\
31DC: File (RWD) C:\SysinternalsSuite
31EC: File (RWD) C:\SysinternalsSuite
32E0: File (RWD) C:\Windows\Fonts\segoeui.ttf
3320: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
3348: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
3380: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
33EC: File (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
------------------------------------------------------------------------------
svchost.exe pid: 3696 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
13C: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
1E8: Section \BaseNamedObjects\__ComCatalogCache__
1FC: Section \BaseNamedObjects\__ComCatalogCache__
3F0: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
3FC: File (R-D) C:\Windows\System32\en-US\ole32.dll.mui
428: File (R-D) C:\Windows\System32\en-US\windows.applicationmodel.datatransfer.dll.mui
480: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
4D0: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
4E8: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
4EC: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
500: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
504: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
568: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
------------------------------------------------------------------------------
ApplicationFrameHost.exe pid: 4216 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
14C: Section \BaseNamedObjects\__ComCatalogCache__
158: Section \BaseNamedObjects\__ComCatalogCache__
20C: Section \Windows\Theme1324212991
210: Section \Sessions\1\Windows\Theme2036293991
2C4: File (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb
2C8: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
3B0: Section \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
3EC: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
40C: File (R-D) C:\Windows\System32\en-US\ApplicationFrame.dll.mui
438: Section \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
43C: Section \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
444: Section \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
59C: File (R-D) C:\Windows\Fonts\StaticCache.dat
------------------------------------------------------------------------------
MicrosoftEdge.exe pid: 4252 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
1E8: Section \BaseNamedObjects\__ComCatalogCache__
328: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\UrlZonesSM_user
33C: File (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb
340: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\windows_shell_global_counters
434: Section \...\ie_ias_0000109C-0000-0000-0000-000000000000
438: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\IAS_ID_Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe_4252
45C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\ApplicationService:109c1d6933584aa9e16
558: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
574: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
594: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
63C: Section \...\IsoSpaceV2_ScopeTrusted
640: Section \...\IsoSpaceV2_ScopeLILNAC
644: Section \...\IsoSpaceV2_ScopeUntrusted
74C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\SessionImmersiveColorPreference
780: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
7E8: File (R-D) C:\Windows\System32\en-US\ESENT.dll.mui
7EC: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
870: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
8D4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\ApplicationService:109c1d6933584aa9e16
908: File (RWD) C:\Windows\Fonts\segoeui.ttf
940: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
944: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
980: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
A30: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
A34: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
A68: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
A6C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
A74: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
A94: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
AA4: Section \Windows\Theme1324212991
AB0: Section \Sessions\1\Windows\Theme2036293991
AE0: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{52D29049-79B9-43C5-8B9C-2FF519042EE3}.dat
B30: File (RWD) C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFBFDF33BC9F12325E.TMP
B48: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
BDC: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
C20: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
C48: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
CA0: Section \...\IsoSpaceV2_ScopeLILNAC_1:1_1
CA4: File (RWD) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\Fonts\BrowserMDL.ttf
CF4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
E08: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
------------------------------------------------------------------------------
browser_broker.exe pid: 4352 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
19C: Section \BaseNamedObjects\__ComCatalogCache__
1E8: Section \BaseNamedObjects\__ComCatalogCache__
28C: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
2E0: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 4460 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
180: Section \BaseNamedObjects\__ComCatalogCache__
1B0: Section \BaseNamedObjects\__ComCatalogCache__
370: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
42C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
434: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
438: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
444: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
448: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
474: Section \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 4468 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
144: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
Windows.WARP.JITService.exe pid: 4540 NT AUTHORITY\LOCAL SERVICE
40: File (RW-) C:\Windows\System32
------------------------------------------------------------------------------
MicrosoftEdgeSH.exe pid: 4652 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
1D8: Section \...\ie_ias_0000109C-0000-0000-0000-000000000000
2CC: Section \BaseNamedObjects\__ComCatalogCache__
3B4: Section \...\IsoSpaceV2_ScopeTrusted
3B8: Section \...\IsoSpaceV2_ScopeLILNAC
3BC: Section \...\IsoSpaceV2_ScopeUntrusted
------------------------------------------------------------------------------
MicrosoftEdgeCP.exe pid: 4696 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
1D4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
26C: Section \...\ie_ias_0000109C-0000-0000-0000-000000000000
2BC: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
2E4: Section \BaseNamedObjects\__ComCatalogCache__
424: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\3513710562-3729412521-1863153555-1462103995\ApplicationService:12581d69335851130d1
52C: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
53C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\3513710562-3729412521-1863153555-1462103995\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
5AC: Section \...\IsoSpaceV2_ScopeTrusted
5B0: Section \...\IsoSpaceV2_ScopeLILNAC
5B4: Section \...\IsoSpaceV2_ScopeUntrusted
5F4: Section \...\IsoSpaceV2_ScopeLILNAC_1:1_1
------------------------------------------------------------------------------
SearchApp.exe pid: 3168 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
198: Section \BaseNamedObjects\__ComCatalogCache__
43C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\SessionImmersiveColorPreference
44C: File (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb
458: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\windows_shell_global_counters
51C: File (RWD) C:\Windows\Fonts\segoeui.ttf
674: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\ApplicationService:c601d693358aa91d62
684: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
6C0: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
6C4: Section \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
724: File (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
74C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\UrlZonesSM_user
818: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
8D8: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
994: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
99C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
9A4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
9A8: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
9C8: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
9D0: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
A8C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
ABC: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
AF8: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
B00: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
BC8: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
BF8: Section \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
C5C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
C64: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
CF0: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
E7C: File (RWD) C:\Windows\Fonts\seguiemj.ttf
EC0: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
EE0: File (R-D) C:\Windows\System32\en-US\edgehtml.dll.mui
EE4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:30322
EF4: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
EF8: File (RWD) C:\Windows\Fonts\simsun.ttc
1110: File (R-D) C:\Windows\System32\WinMetadata\Windows.Foundation.winmd
111C: File (R-D) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search.winmd
1120: File (R-D) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Search.winmd
1138: File (RWD) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KSN8XTDT
1154: File (R-D) C:\Windows\System32\WinMetadata\Windows.Security.winmd
1160: File (R-D) C:\Windows\System32\WinMetadata\Windows.System.winmd
1164: File (R-D) C:\Windows\System32\WinMetadata\Windows.Storage.winmd
11A4: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
1218: File (R-D) C:\Windows\System32\WinMetadata\Windows.UI.winmd
1230: File (R-D) C:\Windows\System32\WinMetadata\Windows.Web.winmd
1274: File (R-D) C:\Windows\System32\WinMetadata\Windows.ApplicationModel.winmd
127C: File (R-D) C:\Windows\SystemResources\Chakra.dll.mun
1314: File (R-D) C:\Windows\System32\en-US\StartTileData.dll.mui
1318: File (R-D) C:\Windows\SystemResources\edgehtml.dll.mun
1358: File (RWD) C:\Windows\Fonts\seguisb.ttf
1364: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
1554: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28
157C: Section \Windows\Theme1324212991
1580: Section \Sessions\1\Windows\Theme2036293991
1598: File (R-D) C:\Windows\System32\en-US\netmsg.dll.mui
15A0: File (R-D) C:\Windows\System32\en-US\netmsg.dll.mui
169C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\MSIMGSIZECacheMapACLow
177C: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
17C4: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 2816 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
180: Section \BaseNamedObjects\__ComCatalogCache__
1B8: Section \BaseNamedObjects\__ComCatalogCache__
370: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
398: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
3B0: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
3BC: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
3C0: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
3C4: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
3E0: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
464: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
4F4: Section \BaseNamedObjects\windows_shell_global_counters
578: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000006.db
5F8: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
640: File (R-D) C:\Windows\System32\en-US\shell32.dll.mui
6B0: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
7A0: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
934: File (R-D) C:\Windows\System32\en-US\StartTileData.dll.mui
93C: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
96C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
97C: File (R-D) C:\Windows\System32\en-US\AppResolver.dll.mui
9F4: File (R-D) C:\Windows\SystemResources\imageres.dll.mun
A5C: Section \Windows\Theme1324212991
A90: Section \Sessions\1\Windows\Theme2036293991
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 824 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
184: Section \BaseNamedObjects\__ComCatalogCache__
1BC: Section \BaseNamedObjects\__ComCatalogCache__
2A4: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
350: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
358: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
35C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
360: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
368: Section \BaseNamedObjects\windows_shell_global_counters
37C: File (R-D) C:\Windows\System32\en-US\shell32.dll.mui
39C: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
418: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
------------------------------------------------------------------------------
svchost.exe pid: 5396 NT AUTHORITY\LOCAL SERVICE
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
SgrmBroker.exe pid: 3392 \<unable to open process>
3C: File (RW-) C:\Windows
178: File (R--) C:\Windows\System32\Sgrm
------------------------------------------------------------------------------
svchost.exe pid: 976 \<unable to open process>
48: File (RW-) C:\Windows\System32
134: File (R-D) C:\Windows\System32\en-US\svchost.exe.mui
254: Section \BaseNamedObjects\__ComCatalogCache__
28C: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
powershell_ise.exe pid: 676 37AACD8D-548A-4\user
40: File (RW-) C:\xCyclopedia
100: Section \BaseNamedObjects\Cor_Private_IPCBlock_v4_676
10C: Section \...\Cor_SxSPublic_IPCBlock
1C0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
1C4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
2B4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ISECommon.dll
2BC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
2C4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
2CC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
2D0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
2D8: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
2E0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
2E8: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
2EC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
2F4: File (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui
328: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll
3B4: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
3D4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
3D8: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
3E8: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
40C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
424: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
444: Section \Windows\Theme1324212991
450: File (RWD) C:\Windows\Fonts\micross.ttf
460: File (RWD) C:\Windows\Fonts\segoeuii.ttf
464: File (RWD) C:\Windows\Fonts\segoeuiz.ttf
470: Section \Sessions\1\Windows\Theme2036293991
4F8: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
508: Section \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
524: File (RWD) C:\Windows\Fonts\segoeui.ttf
528: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
52C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll
53C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
548: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
54C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
554: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
558: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
55C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
564: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
568: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
574: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
580: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
584: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
58C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
594: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
5E0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
5E4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
5EC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll
660: Section \Sessions\1\BaseNamedObjects\UrlZonesSM_user
6C4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero2\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero2.dll
6CC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
71C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
73C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
74C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemData\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemData.dll
750: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll
758: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll
7C4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll
838: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
83C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
85C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
86C: Section \BaseNamedObjects\__ComCatalogCache__
894: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll
8A8: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll
8B4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
8C4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
8D0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll
8EC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
908: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
90C: Section \BaseNamedObjects\__ComCatalogCache__
950: Section \Sessions\1\BaseNamedObjects\2a4HWNDInterface:e02da
954: Section \Sessions\1\BaseNamedObjects\2a4HWNDInterface:e02da
9A0: File (R-D) C:\Windows\System32\WinMetadata\Windows.UI.winmd
9A4: File (R-D) C:\Windows\System32\WinMetadata\Windows.Foundation.winmd
9AC: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll
9B4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll
9F4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
A10: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
BB0: File (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
BD0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
BD4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
BE0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll
BE4: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
BF0: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
C5C: File (RW-) C:\Windows\System32
D24: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll
D30: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll
D80: Section \BaseNamedObjects\NLS_CodePage_437_3_2_0_0
D98: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll
E30: File (R-D) C:\Windows\System32\en-US\msctfui.dll.mui
E3C: File (R--) C:\temp\strontic-xcyclopedia\2020-09-25T08-29-02-job.txt
E40: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll
E4C: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll
EC8: File (R-D) C:\Windows\System32\en-US\UIAutomationCore.dll.mui
F18: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
F54: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll
F60: File (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll
------------------------------------------------------------------------------
StartMenuExperienceHost.exe pid: 4368 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
12C: Section \BaseNamedObjects\__ComCatalogCache__
254: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\ApplicationService:11101d69335cc7eb25c
394: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\SessionImmersiveColorPreference
418: File (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb
420: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\windows_shell_global_counters
4D0: File (RWD) C:\Windows\Fonts\segoeui.ttf
574: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
578: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
5BC: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
618: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
624: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
718: File (R-D) C:\Windows\System32\en-US\windows.storage.dll.mui
814: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
85C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
904: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
908: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
938: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
944: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
9B4: Section \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
9C4: File (R-D) C:\Windows\System32\en-US\windows.ui.xaml.dll.mui
A10: File (RWD) C:\Windows\Fonts\segoeuib.ttf
A4C: File (R--) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin
A54: File (R-D) C:\Windows\System32\en-US\Windows.Globalization.dll.mui
A6C: Section \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
A9C: File (R--) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 5996 37AACD8D-548A-4\user
48: File (RW-) C:\Windows\System32
188: Section \BaseNamedObjects\__ComCatalogCache__
1B8: Section \BaseNamedObjects\__ComCatalogCache__
2E4: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
354: File (R-D) C:\Windows\System32\en-US\ShutdownUX.dll.mui
438: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
43C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
444: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
448: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
44C: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
48C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
------------------------------------------------------------------------------
dllhost.exe pid: 2292 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
124: Section \BaseNamedObjects\__ComCatalogCache__
130: Section \BaseNamedObjects\__ComCatalogCache__
288: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
338: File (R-D) C:\Windows\System32\en-US\ESENT.dll.mui
34C: File (---) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.log
354: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm
358: File (---) C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edbtmp.log
380: File (---) C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb
------------------------------------------------------------------------------
cmd.exe pid: 696 37AACD8D-548A-4\user
40: File (RW-) C:\Users\user
114: File (R-D) C:\Windows\System32\en-US\cmd.exe.mui
198: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
1B4: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
278: Section \BaseNamedObjects\__ComCatalogCache__
290: Section \BaseNamedObjects\windows_shell_global_counters
354: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
358: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
35C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
364: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
374: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
3D4: Section \Sessions\1\BaseNamedObjects\UrlZonesSM_user
4C0: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
conhost.exe pid: 2276 37AACD8D-548A-4\user
44: File (RW-) C:\Windows
12C: File (R-D) C:\Windows\System32\en-US\Conhost.exe.mui
1A4: File (R-D) C:\Windows\System32\en-US\propsys.dll.mui
1B8: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
20C: Section \BaseNamedObjects\__ComCatalogCache__
220: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
228: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
22C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
230: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
238: Section \BaseNamedObjects\windows_shell_global_counters
314: Section \Windows\Theme1324212991
31C: Section \Sessions\1\Windows\Theme2036293991
324: Section \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
328: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
32C: File (R-D) C:\Windows\Fonts\StaticCache.dat
33C: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
410: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
dllhost.exe pid: 1784 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
11C: Section \BaseNamedObjects\__ComCatalogCache__
128: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
SecurityHealthService.exe pid: 1256 <unable to open process>
40: File (RW-) C:\Windows\System32
258: Section \BaseNamedObjects\__ComCatalogCache__
2C0: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
SecurityHealthHost.exe pid: 4516 37AACD8D-548A-4\user
40: File (RW-) C:\Windows\System32
178: Section \BaseNamedObjects\__ComCatalogCache__
1D0: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
Desktops.exe pid: 892 37AACD8D-548A-4\user
40: File (RW-) C:\Windows
90: File (RW-) C:\Users\user
D8: File (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627
1E8: Section \Windows\Theme1324212991
1FC: Section \Sessions\1\Windows\Theme2036293991
2A8: File (R-D) C:\Windows\Fonts\StaticCache.dat
324: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
354: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
358: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
35C: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
364: Section \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
------------------------------------------------------------------------------
conhost.exe pid: 1356 37AACD8D-548A-4\user
44: File (RW-) C:\Windows
130: File (R-D) C:\Windows\System32\en-US\Conhost.exe.mui
1A4: Section \Windows\Theme1324212991
1AC: Section \Sessions\1\Windows\Theme2036293991
1BC: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
1C4: Section \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
1C8: File (R-D) C:\Windows\Fonts\StaticCache.dat
1D0: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
2C4: Section \BaseNamedObjects\__ComCatalogCache__
2D0: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 6076 NT AUTHORITY\NETWORK SERVICE
40: File (RW-) C:\Windows\System32
138: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
174: Section \BaseNamedObjects\Wmi Provider Sub System Counters
1AC: Section \BaseNamedObjects\__ComCatalogCache__
1B8: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
audiodg.exe pid: 2676 NT AUTHORITY\LOCAL SERVICE
40: File (RW-) C:\Windows\System32
190: File (R-D) C:\Windows\System32\en-US\audiodg.exe.mui
1B4: Section \BaseNamedObjects\__ComCatalogCache__
200: Section \BaseNamedObjects\__ComCatalogCache__
404: File (R-D) C:\Windows\System32\en-US\imaadp32.acm.mui
410: File (R-D) C:\Windows\System32\en-US\msadp32.acm.mui
418: File (R-D) C:\Windows\System32\en-US\msg711.acm.mui
41C: File (R-D) C:\Windows\System32\en-US\msgsm32.acm.mui
424: File (R-D) C:\Windows\System32\en-US\l3codeca.acm.mui
42C: File (R-D) C:\Windows\System32\en-US\msacm32.dll.mui
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 3928 NT AUTHORITY\SYSTEM
40: File (RW-) C:\Windows\System32
144: File (R-D) C:\Windows\System32\en-US\user32.dll.mui
180: Section \BaseNamedObjects\Wmi Provider Sub System Counters
1B8: Section \BaseNamedObjects\__ComCatalogCache__
1C4: Section \BaseNamedObjects\__ComCatalogCache__
2C8: File (R-D) C:\Windows\System32\en-US\combase.dll.mui
2D0: File (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
handle.exe pid: 4948 37AACD8D-548A-4\user
40: File (RW-) C:\Windows
8C: File (RW-) C:\xCyclopedia
C4: File (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_89e6152f0b32762e
508: Section \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
D80: Section \BaseNamedObjects\NLS_CodePage_437_3_2_0_0
------------------------------------------------------------------------------
conhost.exe pid: 5788 37AACD8D-548A-4\user
44: File (RW-) C:\Windows
128: File (R-D) C:\Windows\System32\en-US\Conhost.exe.mui
------------------------------------------------------------------------------
handle64.exe pid: 5920 37AACD8D-548A-4\user
50: File (RW-) C:\xCyclopedia
90: File (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28
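Added example, not Sysinternals code and not part of this page's original data: a Python parser for the stdout format shown above, together with the three queries an analyst usually runs over a saved handle.exe dump (who holds a handle to a given object, which File handles are writable, and which processes handle.exe could not open). The SAMPLE text is constructed from the line formats above, not a real capture; the regular expressions assume the v4.22 layout (image, " pid: ", owner or "<unable to open process>", followed by "HEX: Type (mask) name" lines, where Section handles carry no access mask).

```python
"""Parse handle.exe (Sysinternals) stdout and answer common analyst questions.

Added example for this page, not Sysinternals code. SAMPLE below is constructed
from the line formats on the page (handle.exe v4.22 without switches, which
lists only File and Section handles)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "cmd.exe pid: 696 37AACD8D-548A-4\user"  or  "System pid: 4 <unable to open process>"
PROC_RE = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+) (?P<owner>.+)$")
# "  1624: File (-W-) C:\swapfile.sys"  or  "  16FC: Section \Win32kCrossSessionGlobals"
HANDLE_RE = re.compile(
    r"^\s*(?P<value>[0-9A-Fa-f]+): (?P<kind>\S+)\s+"
    r"(?:\((?P<access>[^)]*)\)\s+)?(?P<name>.+)$")
UNOPENABLE = "<unable to open process>"


@dataclass
class Handle:
    value: int             # handle value; handle.exe prints it in hex
    kind: str              # File, Section, ... (-a would add other object types)
    access: Optional[str]  # "RW-"/"R-D" style mask for File handles, None for Sections
    name: str


@dataclass
class Process:
    image: str
    pid: int
    owner: Optional[str]   # None when handle.exe printed <unable to open process>
    handles: List[Handle] = field(default_factory=list)


def parse_handle_output(text: str) -> List[Process]:
    """Turn a handle.exe dump into Process objects. Banner, copyright and
    '----' separator lines match neither pattern and are skipped."""
    procs: List[Process] = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            owner = m.group("owner").strip()
            procs.append(Process(m.group("image"), int(m.group("pid")),
                                 None if owner == UNOPENABLE else owner))
            continue
        m = HANDLE_RE.match(line)
        if m and procs:
            procs[-1].handles.append(Handle(
                int(m.group("value"), 16), m.group("kind"),
                m.group("access"), m.group("name").strip()))
    return procs


def holders_of(procs: List[Process], fragment: str) -> List[Tuple[str, int, Optional[str], str]]:
    """Processes holding an object whose name contains `fragment`
    (case-insensitive substring match, like `handle.exe <fragment>`)."""
    frag = fragment.lower()
    return [(p.image, p.pid, h.access, h.name)
            for p in procs for h in p.handles if frag in h.name.lower()]


def writable_file_handles(procs: List[Process]) -> List[Tuple[str, int, str]]:
    """File handles opened with write access (the W in the R/W/D mask)."""
    return [(p.image, p.pid, h.name) for p in procs for h in p.handles
            if h.kind == "File" and h.access is not None and "W" in h.access]


def unopenable_processes(procs: List[Process]) -> List[Tuple[str, int]]:
    """Processes handle.exe could not open. Their handles are still listed
    (the System pid 4 block on the page shows this) but the owner is unknown.
    Protected processes and, in an unelevated run, other users' processes
    land here, so re-run elevated before treating a missing entry as absence."""
    return [(p.image, p.pid) for p in procs if p.owner is None]


# Constructed sample in the format shown on this page (not a real capture).
SAMPLE = r"""
Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
System pid: 4 <unable to open process>
  1624: File (-W-) C:\swapfile.sys
  1628: File (R--) C:\Windows\bootstat.dat
  16FC: Section \Win32kCrossSessionGlobals
  174C: File (---) C:\Windows\System32\config\SYSTEM
------------------------------------------------------------------------------
cmd.exe pid: 696 37AACD8D-548A-4\user
    40: File (RW-) C:\Users\user
   114: File (R-D) C:\Windows\System32\en-US\cmd.exe.mui
   278: Section \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
SecurityHealthService.exe pid: 1256 <unable to open process>
    40: File (RW-) C:\Windows\System32
------------------------------------------------------------------------------
handle.exe pid: 4948 37AACD8D-548A-4\user
    40: File (RW-) C:\Windows
    8C: File (RW-) C:\xCyclopedia
"""

if __name__ == "__main__":
    dump = parse_handle_output(SAMPLE)
    for image, pid, access, name in holders_of(dump, r"config\SYSTEM"):
        print(f"{image} ({pid}) holds {name} with access {access}")
    print("writable:", writable_file_handles(dump))
    print("could not open:", unopenable_processes(dump))
```

Feed it a real capture with `parse_handle_output(open("handle.txt").read())`; the substring match in holders_of mirrors handle.exe's own name filter, so searching for a registry hive such as "config\SYSTEM" also returns the .LOG1/.LOG2 transaction files unless you compare h.name exactly.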
Loaded Modules:
Path |
---|
C:\SysinternalsSuite\handle.exe |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000001519E8D8F4071A30E41000000000151
- Thumbprint:
62009AAABDAE749FD47D19150958329BF6FF4B34
- Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Nthandle.exe
- Product Name: Sysinternals Handle
- Company Name: Sysinternals - www.sysinternals.com
- File Version: 4.22
- Product Version: 4.22
- Language: English (United States)
- Legal Copyright: Copyright (C) 1997-2019 Mark Russinovich
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/de960b7ff0c687475aba4852d799bb2bc3ed38b172be1c4f954cba461ae8de1f/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\SysinternalsSuite\handle64.exe | 77 |
Possible Misuse
The following table contains possible examples of handle.exe being misused. While handle.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The rows were collected by matching the word "handle" in each source, so most of them are not about this tool: the LOLBAS entries come from the Handle: author field of each YAML file, and the Sigma, YARA, Atomic Red Team and stockpile entries concern process, file, registry or volume handles in general. Only proc_creation_win_false_sysinternalsuite.yml names \handle.exe itself.
Source | Source File | Example | License |
---|---|---|---|
sigma | lnx_susp_vsftp.yml | - 'couldn''t handle sandbox event' | DRL 1.0 |
sigma | win_sam_registry_hive_handle_request.yml | title: SAM Registry Hive Handle Request | DRL 1.0 |
sigma | win_scm_database_handle_failure.yml | title: SCM Database Handle Failure | DRL 1.0 |
sigma | win_scm_database_handle_failure.yml | description: Detects non-system users failing to get a handle of the SCM database. | DRL 1.0 |
sigma | win_susp_lsass_dump.yml | description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN | DRL 1.0 |
sigma | win_susp_lsass_dump_generic.yml | description: Detects process handle on LSASS process with certain access mask | DRL 1.0 |
sigma | win_syskey_registry_access.yml | description: Detects handle requests and access operations to specific registry keys to calculate the SysKey | DRL 1.0 |
sigma | win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml | description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. | DRL 1.0 |
sigma | file_event_win_webshell_creation_detect.yml | # kind of ugly but sigmac seems not to handle double parenthesis "((" | DRL 1.0 |
sigma | posh_ps_suspicious_iofilestream.yml | description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. | DRL 1.0 |
sigma | proc_creation_win_false_sysinternalsuite.yml | - '\handle.exe' | DRL 1.0 |
LOLBAS | YML-Template.yml | Handle: '@johndoe' | |
LOLBAS | YML-Template.yml | Handle: '@olaNor' | |
LOLBAS | Explorer.yml | Handle: '@bohops' | |
LOLBAS | Netsh.yml | - Handle: '' | |
LOLBAS | Nltest.yml | Handle: '@sysopfb' | |
LOLBAS | Openwith.yml | Handle: '@harr0ey' | |
LOLBAS | Powershell.yml | Handle: '@Moriarty_Meng' | |
LOLBAS | Psr.yml | - Handle: '' | |
LOLBAS | Robocopy.yml | - Handle: '' | |
LOLBAS | AcroRd32.yml | Handle: '@pabraeken' | |
LOLBAS | aswrundll.yml | handle: 'https://www.linkedin.com/in/eli-salem-954728150' | |
LOLBAS | Gpup.yml | Handle: '@pabraeken' | |
LOLBAS | Nlnotes.yml | Handle: '@danielhbohannon' | |
LOLBAS | Notes.yml | Handle: '@danielhbohannon' | |
LOLBAS | Nvudisp.yml | Handle: '@pabraeken' | |
LOLBAS | Nvuhda6.yml | Handle: '@hexacorn' | |
LOLBAS | ROCCAT_Swarm.yml | Handle: '@pabraeken' | |
LOLBAS | RunCmd_X64.yml | Handle: '@bartblaze' | |
LOLBAS | Setup.yml | Handle: '@pabraeken' | |
LOLBAS | Usbinst.yml | Handle: '@pabraeken' | |
LOLBAS | VBoxDrvInst.yml | Handle: '@pabraeken' | |
LOLBAS | Winword.yml | Handle: '@@vysecurity' | |
LOLBAS | Winword.yml | Handle: '@Hexacorn' | |
LOLBAS | Testxlst.yml | Handle: '@bohops' | |
LOLBAS | AppInstaller.yml | Handle: '@notwhickey' | |
LOLBAS | Aspnet_Compiler.yml | Handle: '@cpl3h' | |
LOLBAS | At.yml | Handle: | |
LOLBAS | Atbroker.yml | Handle: '@hexacorn' | |
LOLBAS | Bash.yml | Handle: '@aionescu' | |
LOLBAS | Bash.yml | Handle: '@d1r4c' | |
LOLBAS | Bitsadmin.yml | Handle: '@mubix' | |
LOLBAS | Bitsadmin.yml | Handle: '@carnal0wnage' | |
LOLBAS | Bitsadmin.yml | Handle: '@oddvarmoe' | |
LOLBAS | Certoc.yml | Handle: '@sblmsrsn' | |
LOLBAS | Certreq.yml | Handle: '@dtmsecurity' | |
LOLBAS | Certutil.yml | Handle: '@mattifestation' | |
LOLBAS | Certutil.yml | Handle: '@Moriarty_Meng' | |
LOLBAS | Certutil.yml | Handle: '@egre55' | |
LOLBAS | Cmd.yml | Handle: '@yeyint_mth' | |
LOLBAS | Cmdkey.yml | Handle: | |
LOLBAS | Cmdl32.yml | Handle: '@elliotkillick' | |
LOLBAS | Cmstp.yml | Handle: '@oddvarmoe' | |
LOLBAS | Cmstp.yml | Handle: '@NickTyrer' | |
LOLBAS | ConfigSecurityPolicy.yml | Handle: '@NtSetDefault' | |
LOLBAS | Control.yml | Handle: '@bohops' | |
LOLBAS | Csc.yml | Handle: | |
LOLBAS | Cscript.yml | Handle: '@oddvarmoe' | |
LOLBAS | DataSvcUtil.yml | Handle: '@NtSetDefault' | |
LOLBAS | Desktopimgdownldr.yml | Handle: '@gal_kristal' | |
LOLBAS | Dfsvc.yml | Handle: '@subtee' | |
LOLBAS | Diantz.yml | Handle: '@tim8288' | |
LOLBAS | Diantz.yml | Handle: '@vakninhai' | |
LOLBAS | Diskshadow.yml | Handle: '@bohops' | |
LOLBAS | Dllhost.yml | Handle: '@CyberRaiju' | |
LOLBAS | Dllhost.yml | Handle: '@nas_bench' | |
LOLBAS | Dnscmd.yml | Handle: | |
LOLBAS | Dnscmd.yml | Handle: '@dim0x69' | |
LOLBAS | Dnscmd.yml | Handle: '@nikhil_mitt' | |
LOLBAS | Esentutl.yml | Handle: '@egre55' | |
LOLBAS | Esentutl.yml | Handle: 'grayfold3d' | |
LOLBAS | Eventvwr.yml | Handle: '@enigma0x3' | |
LOLBAS | Eventvwr.yml | Handle: '@mattifestation' | |
LOLBAS | Expand.yml | Handle: '@infosecn1nja' | |
LOLBAS | Expand.yml | Handle: '@oddvarmoe' | |
LOLBAS | Explorer.yml | Handle: '@CyberRaiju' | |
LOLBAS | Explorer.yml | Handle: '@bohops' | |
LOLBAS | Extexport.yml | Handle: '@hexacorn' | |
LOLBAS | Extrac32.yml | Handle: '@egre55' | |
LOLBAS | Extrac32.yml | Handle: '@oddvarmoe' | |
LOLBAS | Extrac32.yml | Handle: '@VakninHai' | |
LOLBAS | Extrac32.yml | Handle: '@tim8288' | |
LOLBAS | Findstr.yml | Handle: '@oddvarmoe' | |
LOLBAS | Finger.yml | Handle: '@rubn_RB' | |
LOLBAS | Finger.yml | Handle: '@Ocelotty6669' | |
LOLBAS | Finger.yml | Handle: '@DissectMalware' | |
LOLBAS | FltMC.yml | Handle: '@Carlos_Perez' | |
LOLBAS | Forfiles.yml | Handle: '@vector_sec' | |
LOLBAS | Forfiles.yml | Handle: '@oddvarmoe' | |
LOLBAS | Ftp.yml | Handle: '@subtee' | |
LOLBAS | Ftp.yml | Handle: '' | |
LOLBAS | Ftp.yml | Handle: '@0xAmit ' | |
LOLBAS | GfxDownloadWrapper.yml | Handle: | |
LOLBAS | Gpscript.yml | Handle: '@oddvarmoe' | |
LOLBAS | Hh.yml | Handle: '@oddvarmoe' | |
LOLBAS | Ie4uinit.yml | Handle: '@bohops' | |
LOLBAS | Ieexec.yml | Handle: '@subtee' | |
LOLBAS | Ilasm.yml | Handle: '@VakninHai' | |
LOLBAS | Ilasm.yml | Handle: | |
LOLBAS | IMEWDBLD.yml | Handle: '@notwhickey' | |
LOLBAS | Infdefaultinstall.yml | Handle: '@kylehanslovan' | |
LOLBAS | Installutil.yml | Handle: '@subtee' | |
LOLBAS | Jsc.yml | Handle: '@DissectMalware' | |
LOLBAS | Makecab.yml | Handle: '@oddvarmoe' | |
LOLBAS | Mavinject.yml | Handle: '@gN3mes1s' | |
LOLBAS | Mavinject.yml | Handle: '@oddvarmoe' | |
LOLBAS | Microsoft.Workflow.Compiler.yml | Handle: '@mattifestation' | |
LOLBAS | Microsoft.Workflow.Compiler.yml | Handle: '@BergbomJohn' | |
LOLBAS | Microsoft.Workflow.Compiler.yml | Handle: '@FortyNorthSec' | |
LOLBAS | Microsoft.Workflow.Compiler.yml | Handle: '@Bank_Security' | |
LOLBAS | Mmc.yml | Handle: '@bohops' | |
LOLBAS | Mmc.yml | Handle: '@clavoillotte' | |
LOLBAS | MpCmdRun.yml | Handle: '@mohammadaskar2' | |
LOLBAS | MpCmdRun.yml | Handle: '@oddvarmoe' | |
LOLBAS | MpCmdRun.yml | Handle: '' | |
LOLBAS | MpCmdRun.yml | Handle: '@th3c3dr1c' | |
LOLBAS | Msbuild.yml | Handle: '@subtee' | |
LOLBAS | Msbuild.yml | Handle: '@Cneelis' | |
LOLBAS | Msbuild.yml | Handle: '@bohops' | |
LOLBAS | Msconfig.yml | Handle: '@pabraeken' | |
LOLBAS | Msdt.yml | Handle: | |
LOLBAS | Mshta.yml | Handle: '@subtee' | |
LOLBAS | Mshta.yml | Handle: '@oddvarmoe' | |
LOLBAS | Msiexec.yml | Handle: '@netbiosX' | |
LOLBAS | Msiexec.yml | Handle: '@PhilipTsukerman' | |
LOLBAS | Netsh.yml | Handle: | |
LOLBAS | Odbcconf.yml | Handle: '@subtee' | |
LOLBAS | Odbcconf.yml | Handle: '@Hexacorn' | |
LOLBAS | OfflineScannerShell.yml | Handle: '@elliotkillick' | |
LOLBAS | OneDriveStandaloneUpdater.yml | Handle: '@elliotkillick' | |
LOLBAS | Pcalua.yml | Handle: '@kylehanslovan' | |
LOLBAS | Pcalua.yml | Handle: '@0rbz_' | |
LOLBAS | Pcwrun.yml | Handle: '@pabraeken' | |
LOLBAS | Pktmon.yml | Handle: '' | |
LOLBAS | Pnputil.yml | Handle: '@LuxNoBulIshit' | |
LOLBAS | Pnputil.yml | Handle: '@aloneliassaf' | |
LOLBAS | Presentationhost.yml | Handle: '@subtee' | |
LOLBAS | Print.yml | Handle: '@oddvarmoe' | |
LOLBAS | PrintBrm.yml | Handle: '@elliotkillick' | |
LOLBAS | Psr.yml | Handle: '@L3m0nada' | |
LOLBAS | Rasautou.yml | Handle: '@FireEye' | |
LOLBAS | Reg.yml | Handle: '@oddvarmoe' | |
LOLBAS | Regasm.yml | Handle: '@subtee' | |
LOLBAS | Regedit.yml | Handle: '@oddvarmoe' | |
LOLBAS | Regini.yml | Handle: '@elisalem9' | |
LOLBAS | Register-cimprovider.yml | Handle: '@PhilipTsukerman' | |
LOLBAS | Regsvcs.yml | Handle: '@subtee' | |
LOLBAS | Regsvr32.yml | Handle: '@subtee' | |
LOLBAS | Replace.yml | Handle: '@elceef' | |
LOLBAS | Rpcping.yml | Handle: '@subtee' | |
LOLBAS | Rpcping.yml | Handle: '@vysecurity' | |
LOLBAS | Rpcping.yml | Handle: '@splinter_code' | |
LOLBAS | Rpcping.yml | Handle: '@decoder_it' | |
LOLBAS | Rundll32.yml | Handle: '@subtee' | |
LOLBAS | Rundll32.yml | Handle: '@oddvarmoe' | |
LOLBAS | Rundll32.yml | Handle: '@bohops' | |
LOLBAS | Rundll32.yml | Handle: '@404death' | |
LOLBAS | Rundll32.yml | Handle: '@Mrtn9' | |
LOLBAS | Runonce.yml | Handle: '@pabraeken' | |
LOLBAS | Runscripthelper.yml | Handle: '@mattifestation' | |
LOLBAS | Sc.yml | Handle: '@oddvarmoe' | |
LOLBAS | Schtasks.yml | Handle: | |
LOLBAS | Scriptrunner.yml | Handle: '@nicktyrer' | |
LOLBAS | SettingSyncHost.yml | Handle: '@hexacorn' | |
LOLBAS | SettingSyncHost.yml | Handle: '@elliotkillick' | |
LOLBAS | Stordiag.yml | Handle: '@eral4m' | |
LOLBAS | Syncappvpublishingserver.yml | Handle: '@monoxgas' | |
LOLBAS | Ttdinject.yml | Handle: '@oddvarmoe' | |
LOLBAS | Ttdinject.yml | Handle: '@m_nad0' | |
LOLBAS | Tttracer.yml | Handle: '@oulusoyum' | |
LOLBAS | Tttracer.yml | Handle: '@mattifestation' | |
LOLBAS | Vbc.yml | Handle: | |
LOLBAS | Verclsid.yml | Handle: '@NickTyrer' | |
LOLBAS | Wab.yml | Handle: '@Hexacorn' | |
LOLBAS | Wlrmdr.yml | Handle: '@0gtweet' | |
LOLBAS | Wlrmdr.yml | Handle: '@Oddvarmoe' | |
LOLBAS | Wlrmdr.yml | Handle: '@falsneg' | |
LOLBAS | Wmic.yml | Handle: '@subtee' | |
LOLBAS | WorkFolders.yml | Handle: '@YoSignals' | |
LOLBAS | WorkFolders.yml | Handle: '@elliotkillick' | |
LOLBAS | Wscript.yml | Handle: '@oddvarmoe' | |
LOLBAS | Wscript.yml | Handle: '@404death' | |
LOLBAS | Wsreset.yml | Handle: '@ihack4falafel' | |
LOLBAS | Wuauclt.yml | Handle: '@dtmsecurity' | |
LOLBAS | Xwizard.yml | Handle: '@Hexacorn' | |
LOLBAS | Xwizard.yml | Handle: '@NickTyrer' | |
LOLBAS | Xwizard.yml | Handle: '@harr0ey' | |
LOLBAS | Xwizard.yml | Handle: '@notwhickey' | |
LOLBAS | Advpack.yml | Handle: '@bohops' | |
LOLBAS | Advpack.yml | Handle: '@0rbz_' | |
LOLBAS | Advpack.yml | Handle: '@moriarty_meng' | |
LOLBAS | Advpack.yml | Handle: '@ItsReallyNick' | |
LOLBAS | comsvcs.yml | Handle: | |
LOLBAS | Dfshim.yml | Handle: '@subtee' | |
LOLBAS | Ieadvpack.yml | Handle: '@bohops' | |
LOLBAS | Ieadvpack.yml | Handle: '@0rbz_' | |
LOLBAS | Ieadvpack.yml | Handle: '@pabraeken' | |
LOLBAS | Ieframe.yml | Handle: '@bohops' | |
LOLBAS | Ieframe.yml | Handle: '@hexacorn' | |
LOLBAS | Mshtml.yml | Handle: '@pabraeken' | |
LOLBAS | Pcwutl.yml | Handle: '@harr0ey' | |
LOLBAS | Setupapi.yml | Handle: '@KyleHanslovan' | |
LOLBAS | Setupapi.yml | Handle: '@HuntressLabs' | |
LOLBAS | Setupapi.yml | Handle: '@subTee' | |
LOLBAS | Setupapi.yml | Handle: '@ItsReallyNick' | |
LOLBAS | Shdocvw.yml | Handle: '@hexacorn' | |
LOLBAS | Shdocvw.yml | Handle: '@bohops' | |
LOLBAS | Shell32.yml | Handle: '@hexacorn' | |
LOLBAS | Shell32.yml | Handle: '@pabraeken' | |
LOLBAS | Shell32.yml | Handle: '@mattifestation' | |
LOLBAS | Shell32.yml | Handle: '@KyleHanslovan' | |
LOLBAS | Syssetup.yml | Handle: '@pabraeken' | |
LOLBAS | Syssetup.yml | Handle: '@harr0ey' | |
LOLBAS | Syssetup.yml | Handle: '@bohops' | |
LOLBAS | Url.yml | Handle: '@hexacorn' | |
LOLBAS | Url.yml | Handle: '@bohops' | |
LOLBAS | Url.yml | Handle: '@DissectMalware' | |
LOLBAS | Url.yml | Handle: '@r0lan' | |
LOLBAS | Zipfldr.yml | Handle: '@moriarty_meng' | |
LOLBAS | Zipfldr.yml | Handle: '@r0lan' | |
LOLBAS | Cl_invocation.yml | Handle: '@bohops' | |
LOLBAS | Cl_invocation.yml | Handle: '@pabraeken' | |
LOLBAS | CL_LoadAssembly.yml | Handle: '@bohops' | |
LOLBAS | CL_mutexverifiers.yml | Handle: '@pabraeken' | |
LOLBAS | Manage-bde.yml | Handle: '@bohops' | |
LOLBAS | Manage-bde.yml | Handle: '@danielbohannon' | |
LOLBAS | Manage-bde.yml | Handle: '@JohnLaTwC' | |
LOLBAS | pester.yml | Handle: '@p0w3rsh3ll' | |
LOLBAS | Pubprn.yml | Handle: '@enigma0x3' | |
LOLBAS | Syncappvpublishingserver.yml | Handle: '@monoxgas' | |
LOLBAS | Syncappvpublishingserver.yml | Handle: '@subtee' | |
LOLBAS | UtilityFunctions.yml | Handle: '@nickvangilder' | |
LOLBAS | Winrm.yml | - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' | |
LOLBAS | Winrm.yml | Handle: '@mattifestation' | |
LOLBAS | Winrm.yml | Handle: '@enigma0x3' | |
LOLBAS | Winrm.yml | Handle: '@subtee' | |
LOLBAS | Winrm.yml | Handle: '@bohops' | |
LOLBAS | Winrm.yml | Handle: '@redcanaryco' | |
LOLBAS | Adplus.yml | Handle: '@mrd0x' | |
LOLBAS | Agentexecutor.yml | Handle: '@lefterispan' | |
LOLBAS | Appvlp.yml | Handle: '@0rbz_' | |
LOLBAS | Appvlp.yml | Handle: '@moo_hax' | |
LOLBAS | Appvlp.yml | Handle: '@enigma0x3' | |
LOLBAS | Bginfo.yml | Handle: '@oddvarmoe' | |
LOLBAS | Cdb.yml | Handle: '@mattifestation' | |
LOLBAS | Cdb.yml | Handle: '@mrd0x' | |
LOLBAS | Cdb.yml | Handle: '@sec_spooky' | |
LOLBAS | Coregen.yml | Handle: | |
LOLBAS | Csi.yml | Handle: '@subtee' | |
LOLBAS | DefaultPack.yml | Handle: '@checkymander' | |
LOLBAS | Devtoolslauncher.yml | Handle: '@_felamos' | |
LOLBAS | Dnx.yml | Handle: '@enigma0x3' | |
LOLBAS | Dotnet.yml | Handle: '@_felamos' | |
LOLBAS | Dotnet.yml | Handle: '@bohops' | |
LOLBAS | Dxcap.yml | Handle: '@harr0ey' | |
LOLBAS | Excel.yml | Handle: '@reegun21' | |
LOLBAS | Fsi.yml | Handle: '@NickTyrer' | |
LOLBAS | Fsi.yml | Handle: '@bohops' | |
LOLBAS | FsiAnyCpu.yml | Handle: '@NickTyrer' | |
LOLBAS | FsiAnyCpu.yml | Handle: '@bohops' | |
LOLBAS | Mftrace.yml | Handle: '@0rbz_' | |
LOLBAS | Msdeploy.yml | Handle: '@pabraeken' | |
LOLBAS | Msxsl.yml | Handle: '@subtee' | |
LOLBAS | Ntdsutil.yml | Handle: '@PyroTek3' | |
LOLBAS | Powerpnt.yml | Handle: '@reegun21' | |
LOLBAS | Procdump.yml | Handle: '@ajpc500' | |
LOLBAS | Rcsi.yml | Handle: '@enigma0x3' | |
LOLBAS | Remote.yml | Handle: '@mrd0x' | |
LOLBAS | Sqldumper.yml | Handle: '@countuponsec' | |
LOLBAS | Sqlps.yml | Handle: '@bryon_' | |
LOLBAS | Sqltoolsps.yml | Handle: '@pabraeken' | |
LOLBAS | Squirrel.yml | Handle: '@reegun21' | |
LOLBAS | Squirrel.yml | Handle: '@Hexacorn' | |
LOLBAS | Te.yml | Handle: '@gN3mes1s' | |
LOLBAS | Tracker.yml | Handle: '@subTee' | |
LOLBAS | Update.yml | Handle: '@reegun21' | |
LOLBAS | Update.yml | Handle: '@MrUn1k0d3r' | |
LOLBAS | Update.yml | Handle: '@Hexacorn' | |
LOLBAS | VisualUiaVerifyNative.yml | Handle: '@tifkin' | |
LOLBAS | VisualUiaVerifyNative.yml | Handle: '@bohops' | |
LOLBAS | VSIISExeLauncher.yml | Handle: | |
LOLBAS | Vsjitdebugger.yml | Handle: '@pabraeken' | |
LOLBAS | Wfc.yml | Handle: '@mattifestation' | |
LOLBAS | Wfc.yml | Handle: '@bohops' | |
LOLBAS | Winword.yml | Handle: '@reegun21' | |
LOLBAS | Wsl.yml | Handle: '@aionescu' | |
LOLBAS | Wsl.yml | Handle: '@NotoriousRebel1' | |
LOLBAS | Wsl.yml | Handle: '@d1r4c' | |
malware-ioc | nouns.txt | handle | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)\n\nDetection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.\n\nPlatforms: Linux, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM", | © ESET 2014-2018 |
malware-ioc | misp-turla-powershell-event.json | "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)\n\nDetection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.\n\nPlatforms: Linux, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM", | © ESET 2014-2018 |
atomic-red-team | T1006.md | This test uses PowerShell to open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. | MIT License. © 2018 Red Canary |
atomic-red-team | T1006.md | $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite' | MIT License. © 2018 Red Canary |
atomic-red-team | T1006.md | $handle.Read($buffer, 0, $buffer.Length) | MIT License. © 2018 Red Canary |
atomic-red-team | T1006.md | $handle.Close() | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.004.md | APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.002.md | gwmi win32_process \|% {$owners[$_.handle] = $_.getowner().user} | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.004.md | * Winlogon\Notify - points to notification package DLLs that handle Winlogon events | MIT License. © 2018 Red Canary |
signature-base | apt_aus_parl_compromise.yar | $x5 = "VirtualSite: {0}, Address: {1:X16}, Name: {2}, Handle: {3:X16}, LogPath: {4}" fullword wide | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $x5 = "Creating CURL connection handle..." fullword ascii | CC BY-NC 4.0 |
signature-base | apt_passthehashtoolkit.yar | $s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */ | CC BY-NC 4.0 |
signature-base | apt_webmonitor_rat.yar | $a2 = "Select * from Win32_Process WHERE handle =" fullword wide | CC BY-NC 4.0 |
signature-base | apt_wildneutron.yar | $x5 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ | CC BY-NC 4.0 |
signature-base | apt_wildneutron.yar | $s8 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */ | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s2 = "# Get a handle to the module specified" fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $x6 = "Unable to obtain handle to PStoreCreateInstance in pstorec.dll" fullword ascii | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword | CC BY-NC 4.0 |
stockpile | 05cda6f6-2b1b-462e-bff1-845af94343f7.yml | gwmi win32_process \|% {$owners[$_.handle] = $_.getowner().user}; | Apache-2.0 |
stockpile | 3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml | gwmi win32_process \|% {$owners[$_.handle] = $_.getowner().user}; | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.