handle.exe

  • File Path: C:\SysinternalsSuite\handle.exe
  • Description: Handle viewer

Hashes

Type     Hash
MD5      B7976CFA4763E744CBEA8EC4E462E185
SHA1     FBC5177CAB851476DEF3AF42BE2BBE45B3AA8AC3
SHA256   DE960B7FF0C687475ABA4852D799BB2BC3ED38B172BE1C4F954CBA461AE8DE1F
SHA384   981AB1244A757E69A795EB3FC70293ED9C013A6914349766F4B3CB9E3F20B3FF1EEACC2708B78E555F4999E3E87E6CB8
SHA512   1A1C38780760F21BA3C542E2B2A04E19905E7BF60FDFE42E5B19970EE315B2A82CFC4FD05A2C1C6734726AF04D0C5A6705813DE0DBD162517B78A5CD5AD937F5
SSDEEP   24576:u66qP9nYhpo6DpQ638OFksYzDLnkT53yGR:5lWfoIonOVlR
IMP      127AD03756DD9922E0DC20B19BF20030
PESHA1   2B71D1139117DC6A05E3C5F5434AA32CA8E0A650
PE256    AC68148A8F49F6574E68A17E75762ECB31021E064DC755DD34D236A05DEC08AC

Runtime Data

Usage (stdout):

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 <unable to open process>
  2E0: File  (---)   \Device\Mup
  2E4: File  (---)   \Device\Mup
 145C: File  (---)   C:\Windows\System32\config\DEFAULT.LOG2
 1470: File  (---)   C:\Windows\System32\config\DEFAULT.LOG1
 1528: File  (---)   C:\Windows\System32\config\DEFAULT
 15D8: File  (---)   C:\Windows\System32\config\SOFTWARE.LOG1
 1624: File  (-W-)   C:\swapfile.sys
 1628: File  (R--)   C:\Windows\bootstat.dat
 16FC: Section       \Win32kCrossSessionGlobals
 1708: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
 170C: File  (---)   C:\Windows\System32\config\SOFTWARE
 1714: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
 1724: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
 172C: File  (---)   C:\Windows\System32\config\SOFTWARE.LOG2
 1748: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
 174C: File  (---)   C:\Windows\System32\config\SYSTEM
 1754: File  (---)   C:\Windows\System32\config\SYSTEM.LOG1
 1758: File  (---)   C:\Windows\System32\config\SYSTEM.LOG2
 1760: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TM.blf
 1768: File  (-W-)   C:\pagefile.sys
 1778: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
 177C: File  (---)   C:\Windows\appcompat\Programs\Amcache.hve.LOG2
 178C: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3e-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
 1794: File  (---)   C:\Windows\appcompat\Programs\Amcache.hve
 17A0: File  (RWD)   \clfs
 17A4: File  (RW-)   \clfs
 17EC: File  (R-D)   C:\Windows\System32\en-US\win32kbase.sys.mui
 1820: File  (R-D)   C:\Windows\System32\LogFiles\Scm\SCM.EVM
 1834: File  (---)   C:\Windows\System32\config\SECURITY
 1860: File  (---)   C:\Windows\System32\config\SECURITY.LOG1
 1864: File  (---)   C:\Windows\System32\config\SECURITY.LOG2
 193C: File  (---)   C:\Windows\System32\config\SAM
 195C: File  (---)   C:\Windows\System32\config\SAM.LOG1
 1960: File  (---)   C:\Windows\System32\config\SAM.LOG2
 19D4: File  (R--)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
 19DC: File  (---)   C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
 1A2C: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1
 1A30: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2
 1A38: File  (R--)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
 1A40: File  (R--)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
 1A4C: File  (RWD)   \clfs
 1A50: File  (RW-)   \clfs
 1B50: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
 1B64: File  (---)   C:\Windows\System32\config\BBI
 1BBC: File  (---)   C:\Windows\System32\config\BBI.LOG1
 1BC0: File  (---)   C:\Windows\System32\config\BBI.LOG2
 1BE4: File  (---)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat
 1C20: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1
 1C24: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2
 1C5C: File  (R--)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TM.blf
 1CC0: File  (R--)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TMContainer00000000000000000001.regtrans-ms
 1CD0: File  (R--)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat{9befe192-f08f-11ea-882b-894b3d6cee30}.TMContainer00000000000000000002.regtrans-ms
 1CDC: File  (RWD)   \clfs
 1CE0: File  (RW-)   \clfs
 1DBC: File  (---)   \Device\Mup
 2328: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.blf
 2378: File  (R-D)   C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl
 23A8: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTWFP-IPsec Diagnostics.etl
 2430: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.0.regtrans-ms
 2470: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.1.regtrans-ms
 2570: File  (---)   \clfs
 259C: File  (R--)   C:\Windows\System32\config\TxR\{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.2.regtrans-ms
 2F7C: File  (---)   C:\Windows\appcompat\Programs\Amcache.hve.LOG1
 3198: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagtrack-Agent-Listener.etl
 3ADC: File  (R--)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TM.blf
 3B34: File  (---)   C:\Users\user\ntuser.dat
 3B44: File  (R--)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TMContainer00000000000000000002.regtrans-ms
 3B4C: File  (R--)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat{78289e84-f087-11ea-882d-a4ccbe4a7faa}.TMContainer00000000000000000001.regtrans-ms
 3B50: File  (R--)   C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
 3B60: File  (---)   C:\Users\user\ntuser.dat.LOG1
 3B64: File  (---)   C:\Users\user\ntuser.dat.LOG2
 3B84: File  (R--)   C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
 3B98: File  (RWD)   \clfs
 3BA4: File  (R--)   C:\Users\user\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
 3BBC: File  (RWD)   \clfs
 3BC0: File  (RW-)   \clfs
 3BCC: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
 3BDC: File  (RW-)   \clfs
 3BE4: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
 3BE8: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
 4FFC: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat
 5008: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat.LOG1
 500C: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe\ActivationStore.dat.LOG2
 5020: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG1
 504C: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat
 5070: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\settings.dat.LOG2
 594C: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2
 595C: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
 5970: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1
 5974: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.0.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2
 5980: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat
 59A8: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1
 6558: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSgrmEtwSession.etl
 68B4: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat
 68C4: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1
 68C8: File  (R--)   C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.423_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2
 6A68: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat
 6A88: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1
 6A8C: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2
 7E0C: File  (R-D)   C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-09252020-081854-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl
 8B3C: File  (R-D)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
------------------------------------------------------------------------------
smss.exe pid: 428 <unable to open process>
   3C: File  (RW-)   C:\Windows
------------------------------------------------------------------------------
csrss.exe pid: 528 <unable to open process>
   40: File  (RW-)   C:\Windows\System32
   88: Section       \Windows\SharedSection
   C0: File  (R-D)   C:\Windows\System32\en-US\csrss.exe.mui
  15C: File  (R-D)   C:\Windows\System32\en-US\winsrv.dll.mui
------------------------------------------------------------------------------
wininit.exe pid: 600 <unable to open process>
   40: File  (RW-)   C:\Windows\System32
  110: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
services.exe pid: 644 <unable to open process>
   40: File  (RW-)   C:\Windows\System32
  250: File  (R-D)   C:\Windows\System32\en-US\services.exe.mui
------------------------------------------------------------------------------
lsass.exe pid: 664 NT AUTHORITY\SYSTEM
   40: File  (RW-)   C:\Windows\System32
  114: Section       \LsaPerformance
  178: File  (R-D)   C:\Windows\System32\en-US\lsasrv.dll.mui
  29C: Section       \BaseNamedObjects\Debug.Trace.Memory.298
  3C8: File  (RW-)   C:\Windows\debug\PASSWD.LOG
  668: File  (R-D)   C:\Windows\System32\en-US\vaultsvc.dll.mui
  AA4: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  D98: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Credentials
  DC0: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  F00: File  (R-D)   C:\Windows\SystemResources\crypt32.dll.mun
  FC0: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Credentials
------------------------------------------------------------------------------
svchost.exe pid: 776 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  1AC: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  1B8: Section       \BaseNamedObjects\RotHintTable
  230: Section       \BaseNamedObjects\__ComCatalogCache__
  250: Section       \BaseNamedObjects\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}
  2CC: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  4AC: Section       \BaseNamedObjects\__ComCatalogCache__
  58C: Section       \BaseNamedObjects\__ComCatalogCache__
  5E8: Section       \BaseNamedObjects\__ComCatalogCache__
  828: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  A60: Section       \BaseNamedObjects\RotHintTable
  CD0: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
fontdrvhost.exe pid: 812 Font Driver Host\UMFD-0
   40: File  (RW-)   C:\Windows\System32
------------------------------------------------------------------------------
svchost.exe pid: 844 NT AUTHORITY\NETWORK SERVICE
   48: File  (RW-)   C:\Windows\System32
  2A8: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  348: Section       \BaseNamedObjects\__ComCatalogCache__
  354: Section       \BaseNamedObjects\__ComCatalogCache__
  6D8: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  CE8: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 968 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1FC: Section       \BaseNamedObjects\__ComCatalogCache__
  20C: Section       \BaseNamedObjects\__ComCatalogCache__
  254: File  (R-D)   C:\Windows\System32\en-US\srvsvc.dll.mui
  364: Section       \BaseNamedObjects\SENS Information Cache
  4CC: File  (RW-)   C:\Windows\Tasks
  5C0: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  888: File  (R--)   C:\Windows\System32\wbem\Repository\MAPPING1.MAP
  958: File  (R-D)   C:\Windows\SystemResources\propsys.dll.mun
  974: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  9E0: File  (RWD)   C:\Windows\System32\wbem\MOF
  A2C: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  C5C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  CCC: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  D28: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  D2C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  D30: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  D64: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  FF8: File  (R-D)   C:\Windows\System32\en-US\wldap32.dll.mui
  FFC: File  (R-D)   C:\Windows\System32\en-US\iphlpsvc.dll.mui
 1160: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
 11E0: File  (R--)   C:\Windows\System32\wbem\Repository\OBJECTS.DATA
 11F8: File  (R-D)   C:\Windows\System32\en-US\vsstrace.dll.mui
 1244: File  (R--)   C:\Windows\System32\wbem\Repository\MAPPING2.MAP
 124C: File  (R--)   C:\Windows\System32\wbem\Repository\MAPPING3.MAP
 125C: File  (R--)   C:\Windows\System32\wbem\Repository\INDEX.BTR
 1278: Section       \BaseNamedObjects\Wmi Provider Sub System Counters
 137C: Section       \BaseNamedObjects\windows_shell_global_counters
 1384: File  (R-D)   C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7c9c0c45-c6d2-4284-b749-8678f71347ed.1.etl
 1390: File  (R-D)   C:\Windows\System32\en-US\usosvc.dll.mui
 15C8: File  (R-D)   C:\Windows\System32\en-US\kernel32.dll.mui
 15F8: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
 1674: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
 168C: File  (RW-)   C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal
 1690: Section       \Windows\Theme1324212991
 16A8: File  (R-D)   C:\Windows\System32\en-US\gpsvc.dll.mui
 17AC: File  (RW-)   C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
 19D8: File  (R-D)   C:\Windows\System32\en-US\SHCore.dll.mui
 1E48: Section       \BaseNamedObjects\RotHintTable
 1ED0: File  (R-D)   C:\Windows\System32\en-US\combase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 984 NT AUTHORITY\NETWORK SERVICE
   48: File  (RW-)   C:\Windows\System32
  130: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1CC: Section       \BaseNamedObjects\__ComCatalogCache__
  218: Section       \BaseNamedObjects\__ComCatalogCache__
  380: File  (R-D)   C:\Windows\System32\en-US\termsrv.dll.mui
  990: Section       \BaseNamedObjects\RdpCommandChannel-Session1-0
  9A0: Section       \BaseNamedObjects\RdpUpdateBuffer-Session1-0
  A2C: File  (R-D)   C:\Windows\System32\en-US\rdpcorets.dll.mui
  B3C: Section       \BaseNamedObjects\RotHintTable
------------------------------------------------------------------------------
svchost.exe pid: 1020 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  16C: File  (RWD)   C:\$Extend\$ObjId:$O:$INDEX_ALLOCATION
  230: Section       \BaseNamedObjects\__ComCatalogCache__
  24C: Section       \BaseNamedObjects\__ComCatalogCache__
  28C: Section       \BaseNamedObjects\windows_shell_global_counters
  338: File  (---)   \Device\Mup
  3C0: File  (R-D)   C:\Windows\System32\en-US\AudioEndpointBuilder.dll.mui
  3C8: File  (R-D)   C:\Windows\System32\en-US\umrdp.dll.mui
  568: File  (R--)   C:\System Volume Information\tracking.log
  5C8: File  (R-D)   C:\Windows\System32\en-US\rdpendp.dll.mui
  670: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  684: File  (R-D)   C:\Windows\System32\en-US\printui.dll.mui
  6CC: Section       \BaseNamedObjects\RotHintTable
  750: Section       \BaseNamedObjects\windows_shell_global_counters
  794: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
  79C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  7A0: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  7A4: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  7A8: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  7B0: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
  8D4: File  (R-D)   C:\Windows\System32\en-US\kernel32.dll.mui
  97C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
------------------------------------------------------------------------------
svchost.exe pid: 1064 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  13C: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  264: Section       \BaseNamedObjects\vmictimesync-mem-681d3198-3c2c-44c8-9f0b-dbdd1fe7f740
  2F4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
  3D4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx
  434: File  (R--)   C:\Windows\System32\winevt\Logs\System.evtx
  4A8: File  (R--)   C:\Windows\System32\winevt\Logs\Application.evtx
  4F0: File  (R--)   C:\Windows\System32\winevt\Logs\Key Management Service.evtx
  510: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx
  528: File  (R--)   C:\Windows\System32\winevt\Logs\Security.evtx
  52C: File  (R--)   C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
  530: File  (R--)   C:\Windows\System32\winevt\Logs\HardwareEvents.evtx
  540: File  (R--)   C:\Windows\System32\winevt\Logs\Internet Explorer.evtx
  544: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx
  558: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
  568: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx
  584: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
  58C: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  594: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx
  598: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  5E8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
  5F8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
  60C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
  61C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx
  62C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
  634: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx
  644: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  648: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx
  660: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx
  670: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
  674: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx
  684: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
  688: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
  68C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx
  694: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx
  698: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx
  69C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx
  6A0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
  6B0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx
  6B4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx
  6C0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx
  6C8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
  6CC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
  6D0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
  6D8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
  6DC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx
  6E0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
  6E4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
  6E8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx
  6EC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx
  6F0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
  6F4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx
  6F8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx
  704: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx
  70C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx
  718: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx
  740: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
  744: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx
  74C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
  75C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx
  764: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx
  7B0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx
  7BC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx
  7C0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
  7C4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx
  7C8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx
  7CC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
  7D0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx
  7D8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx
  7DC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx
  7E0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Guest-Network-Service-Admin.evtx
  7E4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Guest-Network-Service-Operational.evtx
  7E8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx
  7FC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
  81C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx
  820: Section       \BaseNamedObjects\RotHintTable
  82C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx
  840: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
  84C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
  854: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx
  864: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
  868: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
  86C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx
  870: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx
  874: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx
  87C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx
  880: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
  888: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
  890: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx
  894: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx
  8A0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
  8C8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
  8EC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
  904: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx
  918: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
  91C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WorkFolders%4WHC.evtx
  924: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx
  93C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
  958: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx
  95C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Admin.evtx
  960: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx
  968: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx
  984: Section       \BaseNamedObjects\__ComCatalogCache__
  994: Section       \BaseNamedObjects\__ComCatalogCache__
  9C4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx
  9D8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
  9E0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx
  9E4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
  9E8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx
  9EC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx
  9F0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
  9F4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx
  9FC: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx
  A10: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx
  A14: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-LessPrivilegedAppContainer%4Operational.evtx
  A20: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
  A28: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
  A2C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
  AB0: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
  AC4: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
  AE8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx
  AF8: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx
  B1C: File  (R--)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx
------------------------------------------------------------------------------
svchost.exe pid: 1080 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  13C: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1C4: Section       \BaseNamedObjects\__ComCatalogCache__
  2A8: File  (R-D)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat
  2E0: Section       \BaseNamedObjects\__ComCatalogCache__
  36C: File  (R-D)   C:\Windows\System32\en-US\netprofmsvc.dll.mui
  578: File  (R-D)   C:\Windows\System32\es.dll
  5AC: File  (R-D)   C:\Windows\System32\stdole2.tlb
  714: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  8B8: Section       \BaseNamedObjects\RotHintTable
  930: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  A54: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
  A80: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  AB8: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  B20: File  (R-D)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-21-2047949552-857980807-821054962-504.dat
  B24: File  (R-D)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-2047949552-857980807-821054962-504.dat
  C98: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
  DB0: File  (RWD)   C:\Windows\Fonts
  DC8: File  (R-D)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~fontcache-system.dat
------------------------------------------------------------------------------
svchost.exe pid: 1288 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1F0: Section       \BaseNamedObjects\__ComCatalogCache__
  1FC: Section       \BaseNamedObjects\__ComCatalogCache__
  2DC: Section       \BaseNamedObjects\mmGlobalPnpInfo
  460: File  (R-D)   C:\Windows\System32\en-US\AudioSrv.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 1348 NT AUTHORITY\NETWORK SERVICE
   48: File  (RW-)   C:\Windows\System32
  128: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  2B4: File  (RWD)   C:\Windows\System32\drivers\etc
  2E8: File  (---)   \Device\Mup
  398: File  (---)   \Device\Mup
  658: Section       \BaseNamedObjects\__ComCatalogCache__
  678: Section       \BaseNamedObjects\__ComCatalogCache__
  6C4: File  (R--)   C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm
  774: File  (RWD)   C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  8AC: File  (R-D)   C:\Windows\System32\en-US\vsstrace.dll.mui
  8C0: File  (RWD)   C:\Windows\System32\CatRoot
  984: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  9D4: File  (R--)   C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm
  AE8: File  (R--)   C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
  B28: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
  B34: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  B84: File  (R-D)   C:\Windows\System32\en-US\dnsapi.dll.mui
  B8C: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  C88: File  (R--)   C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
  CBC: File  (RWD)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData
  CEC: File  (R-D)   C:\Windows\System32\en-US\ESENT.dll.mui
  D10: File  (RWD)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData
------------------------------------------------------------------------------
svchost.exe pid: 1416 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  330: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  470: Section       \BaseNamedObjects\__ComCatalogCache__
  488: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 1428 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
spoolsv.exe pid: 1560 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
   A8: File  (R-D)   C:\Windows\System32\en-US\spoolsv.exe.mui
  3A0: File  (R-D)   C:\Windows\System32\en-US\localspl.dll.mui
  544: File  (R-D)   C:\Windows\System32\en-US\APMon.dll.mui
  558: Section       \BaseNamedObjects\__ComCatalogCache__
  568: Section       \BaseNamedObjects\__ComCatalogCache__
  578: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  5C0: File  (R-D)   C:\Windows\System32\en-US\win32spl.dll.mui
  784: File  (RWD)   C:\Windows\System32\spool\drivers\x64\PCC
  790: File  (R-D)   C:\Windows\System32\en-US\setupapi.dll.mui
  7D0: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 1684 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  11C: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  188: File  (R-D)   C:\Windows\System32\en-US\bfe.dll.mui
  364: File  (R-D)   C:\Windows\System32\en-US\FirewallAPI.dll.mui
  4E4: Section       \BaseNamedObjects\__ComCatalogCache__
  670: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 1992 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  28C: Section       \BaseNamedObjects\__ComCatalogCache__
  41C: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 2020 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  178: Section       \BaseNamedObjects\__ComCatalogCache__
  1AC: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
CExecSvc.exe pid: 1192 NT AUTHORITY\SYSTEM
   40: File  (RW-)   C:\Windows\System32
------------------------------------------------------------------------------
VmComputeAgent.exe pid: 2152 NT AUTHORITY\SYSTEM
   40: File  (RW-)   C:\Windows\System32
  284: Section       \BaseNamedObjects\__ComCatalogCache__
  2DC: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 1760 NT AUTHORITY\NETWORK SERVICE
   48: File  (RW-)   C:\Windows\System32
  228: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
csrss.exe pid: 2468 <unable to open process>
   40: File  (RW-)   C:\Windows\System32
   84: Section       \Sessions\1\Windows\SharedSection
  30C: File  (R-D)   C:\Windows\System32\en-US\winsrv.dll.mui
------------------------------------------------------------------------------
winlogon.exe pid: 2484 NT AUTHORITY\SYSTEM
   40: File  (RW-)   C:\Windows\System32
  1E4: Section       \Sessions\1\Windows\Theme2036293991
  2B0: Section       \Windows\Theme1324212991
  2B4: Section       \Sessions\1\Windows\ThemeSection
  388: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
fontdrvhost.exe pid: 2712 Font Driver Host\UMFD-1
   40: File  (RW-)   C:\Windows\System32
------------------------------------------------------------------------------
WUDFHost.exe pid: 2732 NT AUTHORITY\LOCAL SERVICE
   40: File  (RW-)   C:\Windows\System32
  2E0: File  (R-D)   C:\Windows\System32\en-US\WUDFHost.exe.mui
  344: File  (R-D)   C:\Windows\System32\drivers\UMDF\en-US\IddCx.dll.mui
  348: File  (R-D)   C:\Windows\System32\en-US\d2d1.dll.mui
  34C: File  (R-D)   C:\Windows\System32\en-US\DWrite.dll.mui
  350: File  (R-D)   C:\Windows\System32\en-US\ntmarta.dll.mui
  368: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  484: Section       \BaseNamedObjects\RdpCommandChannel-Session1-0
  488: Section       \BaseNamedObjects\RdpUpdateBuffer-Session1-0
  4A0: Section       \BaseNamedObjects\RdpCursorShape_S1_U0
  550: Section       \BaseNamedObjects\RdpFrameBuffer_S1_M0_U0
------------------------------------------------------------------------------
dwm.exe pid: 3024 Window Manager\DWM-1
   40: File  (RW-)   C:\Windows\System32
   D4: File  (R-D)   C:\Windows\System32\en-US\dwm.exe.mui
  17C: File  (R-D)   C:\Windows\System32\en-US\d2d1.dll.mui
  4A4: Section       \BaseNamedObjects\__ComCatalogCache__
  4B8: Section       \Sessions\1\Windows\Theme2036293991
  570: Section       \BaseNamedObjects\__ComCatalogCache__
  5E0: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  830: File  (RWD)   C:\Windows\System32
  BA4: Section       \Windows\Theme1324212991
  DFC: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
------------------------------------------------------------------------------
svchost.exe pid: 3208 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  238: Section       \BaseNamedObjects\__ComCatalogCache__
  280: Section       \BaseNamedObjects\__ComCatalogCache__
  2D0: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 3252 NT AUTHORITY\SYSTEM
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1BC: File  (RW-)   C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-shm
  1D8: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  1EC: Section       \BaseNamedObjects\__ComCatalogCache__
  230: Section       \BaseNamedObjects\__ComCatalogCache__
  460: File  (RW-)   C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-wal
  4B8: File  (RW-)   C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
  674: File  (RW-)   C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
  678: File  (RW-)   C:\ProgramData\Microsoft\Windows\AppRepository\staterepository-machine.srd-wal
------------------------------------------------------------------------------
rdpclip.exe pid: 3536 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
   80: File  (R-D)   C:\Windows\System32\en-US\rdpclip.exe.mui
  254: Section       \BaseNamedObjects\__ComCatalogCache__
  260: Section       \BaseNamedObjects\__ComCatalogCache__
  338: Section       \Windows\Theme1324212991
  33C: Section       \Sessions\1\Windows\Theme2036293991
  528: Section       \Windows\Theme1324212991
  52C: Section       \Sessions\1\Windows\Theme2036293991
------------------------------------------------------------------------------
sihost.exe pid: 3576 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  194: Section       \BaseNamedObjects\__ComCatalogCache__
  1B0: Section       \BaseNamedObjects\__ComCatalogCache__
  63C: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 3664 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  258: Section       \BaseNamedObjects\__ComCatalogCache__
  264: Section       \BaseNamedObjects\__ComCatalogCache__
  308: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  334: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  38C: File  (RW-)   C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
  390: File  (RW-)   C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal
  394: File  (RW-)   C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-shm
  5F8: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  790: File  (RW-)   C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db
  7A4: File  (RW-)   C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm
  7BC: File  (RW-)   C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal
  7D8: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  954: File  (R-D)   C:\Windows\System32\en-US\QuietHours.dll.mui
  998: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
------------------------------------------------------------------------------
taskhostw.exe pid: 3716 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  110: File  (R-D)   C:\Windows\System32\en-US\taskhostw.exe.mui
  188: Section       \Windows\Theme1324212991
  18C: Section       \Sessions\1\Windows\Theme2036293991
  1A0: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\WebCacheLock.dat
  1AC: Section       \BaseNamedObjects\__ComCatalogCache__
  1B8: Section       \BaseNamedObjects\__ComCatalogCache__
  1CC: File  (R-D)   C:\Windows\System32\en-US\MsCtfMonitor.dll.mui
  23C: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  29C: File  (R-D)   C:\Windows\System32\en-US\ESENT.dll.mui
  2B8: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log
  35C: File  (R-D)   C:\Windows\System32\en-US\winmm.dll.mui
  3A4: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
  3B0: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  3BC: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
  3FC: File  (R-D)   C:\Windows\System32\en-US\wdmaud.drv.mui
  454: File  (---)   C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\v01tmp.log
  49C: File  (R-D)   C:\Windows\System32\en-US\rdpendp.dll.mui
------------------------------------------------------------------------------
svchost.exe pid: 3916 NT AUTHORITY\SYSTEM
   4C: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  264: Section       \BaseNamedObjects\__ComCatalogCache__
  274: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
ctfmon.exe pid: 3980 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
   FC: File  (R-D)   C:\Windows\System32\en-US\ctfmon.exe.mui
  2D4: Section       \Windows\Theme1324212991
  2D8: Section       \Sessions\1\Windows\Theme2036293991
  440: Section       \BaseNamedObjects\__ComCatalogCache__
  44C: Section       \BaseNamedObjects\__ComCatalogCache__
  524: Section       \Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1
  538: Section       \Sessions\1\BaseNamedObjects\ImeSipSharedMapping
  548: File  (R--)   C:\Windows\System32\en-US\datamap.0409.dat
------------------------------------------------------------------------------
explorer.exe pid: 3996 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
   80: File  (R-D)   C:\Windows\en-US\explorer.exe.mui
  308: Section       \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
  30C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  320: Section       \BaseNamedObjects\__ComCatalogCache__
  32C: Section       \BaseNamedObjects\__ComCatalogCache__
  358: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  390: Section       \BaseNamedObjects\windows_shell_global_counters
  428: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
  50C: File  (R-D)   C:\Windows\System32\en-US\dsreg.dll.mui
  518: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100ee
  52C: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  588: Section       \Windows\Theme1324212991
  590: File  (R-D)   C:\Windows\System32\en-US\oleaccrc.dll.mui
  594: Section       \Sessions\1\Windows\Theme2036293991
  598: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
  5C0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100e6
  5D0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100e6
  5D8: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  62C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  67C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  680: Section       \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
  688: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  68C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  690: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  6C0: Section       \Sessions\1\BaseNamedObjects\windows_ie_global_counters
  6F0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f6
  6F4: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f6
  6F8: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f0
  6FC: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100f0
  754: File  (RWD)   C:\Users\user\Desktop
  798: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  828: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
  82C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  85C: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  890: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100ee
  8B8: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  8DC: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  958: File  (---)   \FileSystem\Filters\FltMgrMsg
  AAC: File  (R-D)   C:\Windows\System32\en-US\twinui.pcshell.dll.mui
  B70: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
  B7C: File  (R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb
  BB8: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:20102
  BC0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:20102
  CD0: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
  DE8: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
  E9C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  EF4: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10144
  F00: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  F04: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10144
  F08: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10146
  F0C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10146
  F10: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10148
  F14: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10148
  F18: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014a
  F1C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014a
  F20: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014c
  F24: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014c
  F28: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014e
  F2C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1014e
  F30: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10150
  F34: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10150
  F38: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10152
  F3C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10152
  F40: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10154
  F44: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10154
 10B4: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
 10E0: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1258: File  (R--)   C:\Users\user\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
 1298: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 129C: File  (RWD)   C:\Windows\bcastdvr
 12A4: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\GameDVR
 12E8: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
 12F4: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 12F8: File  (R-D)   C:\Windows\SystemResources\batmeter.dll.mun
 12FC: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
 1314: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1320: File  (R-D)   C:\Windows\System32\en-US\ApplicationFrame.dll.mui
 1340: File  (R-D)   C:\Windows\System32\en-US\stobject.dll.mui
 1344: File  (R-D)   C:\Windows\SystemResources\stobject.dll.mun
 137C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
 13BC: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
 13CC: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10184
 13F4: File  (R-D)   C:\Windows\System32\en-US\InputSwitch.dll.mui
 1618: File  (R-D)   C:\Windows\System32\en-US\batmeter.dll.mui
 1768: File  (R-D)   C:\Windows\SystemResources\SndVolSSO.dll.mun
 177C: File  (R-D)   C:\Windows\System32\en-US\sndvolsso.dll.mui
 17AC: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100a4
 17B0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:100a4
 184C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1868: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1874: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1904: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9
 196C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:102ac
 1974: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 19E0: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 19E8: File  (R-D)   C:\Windows\System32\en-US\rdpendp.dll.mui
 1AB0: File  (R-D)   C:\Windows\System32\en-US\pnidui.dll.mui
 1AC0: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1B10: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_user
 1B30: File  (R-D)   C:\Windows\System32\en-US\bthprops.cpl.mui
 1B68: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
 1B8C: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
 1BA4: File  (RWD)   C:\Users\Public\Desktop
 1BD8: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
 1C34: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:102ac
 1CA0: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10238
 1CA4: File  (R-D)   C:\Windows\SystemResources\shell32.dll.mun
 1CA8: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
 1CB4: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1CBC: File  (R-D)   C:\Windows\System32\en-US\explorerframe.dll.mui
 1CC8: File  (R-D)   C:\Windows\System32\en-US\UIRibbon.dll.mui
 1CE8: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 1CFC: File  (R-D)   C:\Windows\SystemResources\ExplorerFrame.dll.mun
 1D28: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10266
 1D30: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10266
 1D34: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
 1D38: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
 1D3C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1024c
 1D44: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1024c
 1D48: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
 1D50: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10238
 1D54: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:1021c
 1D60: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
 1EB4: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
 1F54: File  (RW-)   C:\Windows\System32
 1F58: File  (R-D)   C:\Windows\System32\en-US\UIAutomationCore.dll.mui
 1F6C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10264
 1FA8: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:10264
 1FCC: File  (R-D)   C:\Windows\System32\en-US\dui70.dll.mui
 20B0: File  (R-D)   C:\Windows\System32\en-US\NetworkExplorer.dll.mui
 20DC: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
 20FC: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
 2128: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
 2154: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts
 2248: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
 224C: File  (R-D)   C:\Windows\System32\en-US\ActionCenter.dll.mui
 2294: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
 235C: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
 24B0: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Burn
 251C: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Burn
 2538: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:60028
 2574: File  (R-D)   C:\Windows\System32\en-US\mpr.dll.mui
 2618: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
 2630: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
 2778: File  (RWD)   C:\Users\user\Desktop
 280C: File  (R-D)   C:\Windows\SystemResources\imageres.dll.mun
 283C: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:60028
 2894: File  (R-D)   C:\Windows\System32\en-US\hcproviders.dll.mui
 28C8: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
 2908: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 290C: File  (R-D)   C:\Windows\System32\en-US\ieframe.dll.mui
 2938: File  (R-D)   C:\Windows\System32\en-US\ole32.dll.mui
 293C: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts
 2948: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
 29E0: File  (R-D)   C:\Windows\System32\en-US\combase.dll.mui
 29F0: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 2A40: File  (R-D)   C:\Windows\System32\en-US\ntshrui.dll.mui
 2A68: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 2AA8: File  (R-D)   C:\Windows\System32\en-US\twext.dll.mui
 2B28: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
 2C78: File  (R-D)   C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui
 2C88: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:902d0
 2D40: File  (R-D)   C:\Windows\System32\en-US\zipfldr.dll.mui
 2D84: File  (RWD)   C:\ProgramData\Microsoft\Windows\Start Menu\Programs
 2DAC: File  (R-D)   C:\Windows\SystemResources\zipfldr.dll.mun
 2DC8: Section       \Sessions\1\BaseNamedObjects\f9cHWNDInterface:902d0
 2DE0: File  (RWD)   C:\Users\Public\Desktop
 2E50: File  (R-D)   C:\Windows\System32\en-US\wscui.cpl.mui
 2ED8: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
 2FE0: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
 2FF4: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
 303C: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
 30B0: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
 30B8: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
 30D8: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
 30E0: File  (RWD)   C:\ProgramData\Microsoft\Windows\Start Menu\Programs
 3100: File  (RWD)   C:\ProgramData\Microsoft\Windows\Start Menu
 3108: File  (RWD)   C:\ProgramData\Microsoft\Windows\Start Menu
 3128: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 3134: File  (RWD)   C:\Users\user\Downloads
 3140: File  (RWD)   C:\Users\user\Downloads
 314C: File  (RWD)   C:\Users\user\Documents
 3158: File  (RWD)   C:\Users\user\Documents
 3164: File  (RWD)   C:\Users\user\Pictures
 3170: File  (RWD)   C:\Users\user\Pictures
 317C: File  (RWD)   C:\Users\user\Music
 3188: File  (RWD)   C:\Users\user\Music
 3194: File  (RWD)   C:\Users\user\Videos
 31A0: File  (RWD)   C:\Users\user\Videos
 31AC: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries
 31B8: File  (RWD)   C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries
 31C4: File  (RWD)   C:\
 31D0: File  (RWD)   C:\
 31DC: File  (RWD)   C:\SysinternalsSuite
 31EC: File  (RWD)   C:\SysinternalsSuite
 32E0: File  (RWD)   C:\Windows\Fonts\segoeui.ttf
 3320: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
 3348: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
 3380: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
 33EC: File  (RWD)   C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
------------------------------------------------------------------------------
svchost.exe pid: 3696 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  13C: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  1E8: Section       \BaseNamedObjects\__ComCatalogCache__
  1FC: Section       \BaseNamedObjects\__ComCatalogCache__
  3F0: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  3FC: File  (R-D)   C:\Windows\System32\en-US\ole32.dll.mui
  428: File  (R-D)   C:\Windows\System32\en-US\windows.applicationmodel.datatransfer.dll.mui
  480: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  4D0: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  4E8: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  4EC: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  500: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  504: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  568: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
------------------------------------------------------------------------------
ApplicationFrameHost.exe pid: 4216 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  14C: Section       \BaseNamedObjects\__ComCatalogCache__
  158: Section       \BaseNamedObjects\__ComCatalogCache__
  20C: Section       \Windows\Theme1324212991
  210: Section       \Sessions\1\Windows\Theme2036293991
  2C4: File  (R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb
  2C8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  3B0: Section       \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
  3EC: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  40C: File  (R-D)   C:\Windows\System32\en-US\ApplicationFrame.dll.mui
  438: Section       \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
  43C: Section       \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
  444: Section       \Sessions\1\BaseNamedObjects\1078HWNDInterface:10178
  59C: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
------------------------------------------------------------------------------
MicrosoftEdge.exe pid: 4252 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  1E8: Section       \BaseNamedObjects\__ComCatalogCache__
  328: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\UrlZonesSM_user
  33C: File  (R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb
  340: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\windows_shell_global_counters
  434: Section       \...\ie_ias_0000109C-0000-0000-0000-000000000000
  438: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\IAS_ID_Microsoft.MicrosoftEdge_44.19041.423.0_neutral__8wekyb3d8bbwe_4252
  45C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\ApplicationService:109c1d6933584aa9e16
  558: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
  574: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
  594: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  63C: Section       \...\IsoSpaceV2_ScopeTrusted
  640: Section       \...\IsoSpaceV2_ScopeLILNAC
  644: Section       \...\IsoSpaceV2_ScopeUntrusted
  74C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\SessionImmersiveColorPreference
  780: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
  7E8: File  (R-D)   C:\Windows\System32\en-US\ESENT.dll.mui
  7EC: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
  870: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
  8D4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\ApplicationService:109c1d6933584aa9e16
  908: File  (RWD)   C:\Windows\Fonts\segoeui.ttf
  940: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  944: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  980: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  A30: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  A34: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  A68: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  A6C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  A74: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  A94: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  AA4: Section       \Windows\Theme1324212991
  AB0: Section       \Sessions\1\Windows\Theme2036293991
  AE0: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{52D29049-79B9-43C5-8B9C-2FF519042EE3}.dat
  B30: File  (RWD)   C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFBFDF33BC9F12325E.TMP
  B48: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  BDC: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  C20: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  C48: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
  CA0: Section       \...\IsoSpaceV2_ScopeLILNAC_1:1_1
  CA4: File  (RWD)   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\Fonts\BrowserMDL.ttf
  CF4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\109cHWNDInterface:2019c
  E08: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
------------------------------------------------------------------------------
browser_broker.exe pid: 4352 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  19C: Section       \BaseNamedObjects\__ComCatalogCache__
  1E8: Section       \BaseNamedObjects\__ComCatalogCache__
  28C: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  2E0: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 4460 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  180: Section       \BaseNamedObjects\__ComCatalogCache__
  1B0: Section       \BaseNamedObjects\__ComCatalogCache__
  370: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  42C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  434: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  438: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  444: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  448: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  474: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 4468 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  144: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
Windows.WARP.JITService.exe pid: 4540 NT AUTHORITY\LOCAL SERVICE
   40: File  (RW-)   C:\Windows\System32
------------------------------------------------------------------------------
MicrosoftEdgeSH.exe pid: 4652 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  1D8: Section       \...\ie_ias_0000109C-0000-0000-0000-000000000000
  2CC: Section       \BaseNamedObjects\__ComCatalogCache__
  3B4: Section       \...\IsoSpaceV2_ScopeTrusted
  3B8: Section       \...\IsoSpaceV2_ScopeLILNAC
  3BC: Section       \...\IsoSpaceV2_ScopeUntrusted
------------------------------------------------------------------------------
MicrosoftEdgeCP.exe pid: 4696 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  1D4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
  26C: Section       \...\ie_ias_0000109C-0000-0000-0000-000000000000
  2BC: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\{00021402-0002-0000-2D92-000000000000}
  2E4: Section       \BaseNamedObjects\__ComCatalogCache__
  424: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\3513710562-3729412521-1863153555-1462103995\ApplicationService:12581d69335851130d1
  52C: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
  53C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\3513710562-3729412521-1863153555-1462103995\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
  5AC: Section       \...\IsoSpaceV2_ScopeTrusted
  5B0: Section       \...\IsoSpaceV2_ScopeLILNAC
  5B4: Section       \...\IsoSpaceV2_ScopeUntrusted
  5F4: Section       \...\IsoSpaceV2_ScopeLILNAC_1:1_1
------------------------------------------------------------------------------
SearchApp.exe pid: 3168 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
  198: Section       \BaseNamedObjects\__ComCatalogCache__
  43C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\SessionImmersiveColorPreference
  44C: File  (R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb
  458: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\windows_shell_global_counters
  51C: File  (RWD)   C:\Windows\Fonts\segoeui.ttf
  674: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\ApplicationService:c601d693358aa91d62
  684: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  6C0: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\windows_webcache_counters_{00000000-5d8e-4eed-b3fa-e30684411323}
  6C4: Section       \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504
  724: File  (R-D)   C:\Windows\System32\en-US\mswsock.dll.mui
  74C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\UrlZonesSM_user
  818: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
  8D8: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  994: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  99C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
  9A4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
  9A8: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  9C8: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  9D0: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  A8C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  ABC: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
  AF8: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  B00: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  BC8: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  BF8: Section       \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
  C5C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  C64: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  CF0: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  E7C: File  (RWD)   C:\Windows\Fonts\seguiemj.ttf
  EC0: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  EE0: File  (R-D)   C:\Windows\System32\en-US\edgehtml.dll.mui
  EE4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:30322
  EF4: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
  EF8: File  (RWD)   C:\Windows\Fonts\simsun.ttc
 1110: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.Foundation.winmd
 111C: File  (R-D)   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search.winmd
 1120: File  (R-D)   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Search.winmd
 1138: File  (RWD)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KSN8XTDT
 1154: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.Security.winmd
 1160: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.System.winmd
 1164: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.Storage.winmd
 11A4: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
 1218: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.UI.winmd
 1230: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.Web.winmd
 1274: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.ApplicationModel.winmd
 127C: File  (R-D)   C:\Windows\SystemResources\Chakra.dll.mun
 1314: File  (R-D)   C:\Windows\System32\en-US\StartTileData.dll.mui
 1318: File  (R-D)   C:\Windows\SystemResources\edgehtml.dll.mun
 1358: File  (RWD)   C:\Windows\Fonts\seguisb.ttf
 1364: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\c60HWNDInterface:1702e2
 1554: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28
 157C: Section       \Windows\Theme1324212991
 1580: Section       \Sessions\1\Windows\Theme2036293991
 1598: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
 15A0: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
 169C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757\MSIMGSIZECacheMapACLow
 177C: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
 17C4: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 2816 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  180: Section       \BaseNamedObjects\__ComCatalogCache__
  1B8: Section       \BaseNamedObjects\__ComCatalogCache__
  370: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  398: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
  3B0: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  3BC: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  3C0: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  3C4: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  3E0: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  464: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  4F4: Section       \BaseNamedObjects\windows_shell_global_counters
  578: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000006.db
  5F8: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  640: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
  6B0: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  7A0: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  934: File  (R-D)   C:\Windows\System32\en-US\StartTileData.dll.mui
  93C: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  96C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  97C: File  (R-D)   C:\Windows\System32\en-US\AppResolver.dll.mui
  9F4: File  (R-D)   C:\Windows\SystemResources\imageres.dll.mun
  A5C: Section       \Windows\Theme1324212991
  A90: Section       \Sessions\1\Windows\Theme2036293991
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 824 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  184: Section       \BaseNamedObjects\__ComCatalogCache__
  1BC: Section       \BaseNamedObjects\__ComCatalogCache__
  2A4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  350: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  358: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  35C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  360: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  368: Section       \BaseNamedObjects\windows_shell_global_counters
  37C: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
  39C: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  418: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
------------------------------------------------------------------------------
svchost.exe pid: 5396 NT AUTHORITY\LOCAL SERVICE
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
SgrmBroker.exe pid: 3392 \<unable to open process>
   3C: File  (RW-)   C:\Windows
  178: File  (R--)   C:\Windows\System32\Sgrm
------------------------------------------------------------------------------
svchost.exe pid: 976 \<unable to open process>
   48: File  (RW-)   C:\Windows\System32
  134: File  (R-D)   C:\Windows\System32\en-US\svchost.exe.mui
  254: Section       \BaseNamedObjects\__ComCatalogCache__
  28C: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
powershell_ise.exe pid: 676 37AACD8D-548A-4\user
   40: File  (RW-)   C:\xCyclopedia
  100: Section       \BaseNamedObjects\Cor_Private_IPCBlock_v4_676
  10C: Section       \...\Cor_SxSPublic_IPCBlock
  1C0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
  1C4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
  2B4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ISECommon.dll
  2BC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  2C4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  2CC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
  2D0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  2D8: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
  2E0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
  2E8: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
  2EC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
  2F4: File  (R-D)   C:\Windows\System32\en-US\winnlsres.dll.mui
  328: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll
  3B4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  3D4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
  3D8: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
  3E8: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  40C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  424: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e
  444: Section       \Windows\Theme1324212991
  450: File  (RWD)   C:\Windows\Fonts\micross.ttf
  460: File  (RWD)   C:\Windows\Fonts\segoeuii.ttf
  464: File  (RWD)   C:\Windows\Fonts\segoeuiz.ttf
  470: Section       \Sessions\1\Windows\Theme2036293991
  4F8: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
  508: Section       \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
  524: File  (RWD)   C:\Windows\Fonts\segoeui.ttf
  528: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
  52C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll
  53C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
  548: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
  54C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
  554: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
  558: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
  55C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
  564: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
  568: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
  574: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
  580: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
  584: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
  58C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
  594: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
  5E0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
  5E4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
  5EC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll
  660: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_user
  6C4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero2\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero2.dll
  6CC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
  71C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
  73C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
  74C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemData\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemData.dll
  750: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll
  758: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll
  7C4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll
  838: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  83C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  85C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
  86C: Section       \BaseNamedObjects\__ComCatalogCache__
  894: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll
  8A8: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll
  8B4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  8C4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
  8D0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll
  8EC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
  908: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  90C: Section       \BaseNamedObjects\__ComCatalogCache__
  950: Section       \Sessions\1\BaseNamedObjects\2a4HWNDInterface:e02da
  954: Section       \Sessions\1\BaseNamedObjects\2a4HWNDInterface:e02da
  9A0: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.UI.winmd
  9A4: File  (R-D)   C:\Windows\System32\WinMetadata\Windows.Foundation.winmd
  9AC: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll
  9B4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll
  9F4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
  A10: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
  BB0: File  (R-D)   C:\Windows\System32\en-US\crypt32.dll.mui
  BD0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
  BD4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
  BE0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll
  BE4: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
  BF0: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
  C5C: File  (RW-)   C:\Windows\System32
  D24: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll
  D30: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll
  D80: Section       \BaseNamedObjects\NLS_CodePage_437_3_2_0_0
  D98: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll
  E30: File  (R-D)   C:\Windows\System32\en-US\msctfui.dll.mui
  E3C: File  (R--)   C:\temp\strontic-xcyclopedia\2020-09-25T08-29-02-job.txt
  E40: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll
  E4C: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll
  EC8: File  (R-D)   C:\Windows\System32\en-US\UIAutomationCore.dll.mui
  F18: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
  F54: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll
  F60: File  (R-D)   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll
------------------------------------------------------------------------------
StartMenuExperienceHost.exe pid: 4368 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
  12C: Section       \BaseNamedObjects\__ComCatalogCache__
  254: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\ApplicationService:11101d69335cc7eb25c
  394: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\SessionImmersiveColorPreference
  418: File  (R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb
  420: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\windows_shell_global_counters
  4D0: File  (RWD)   C:\Windows\Fonts\segoeui.ttf
  574: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  578: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  5BC: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  618: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  624: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  718: File  (R-D)   C:\Windows\System32\en-US\windows.storage.dll.mui
  814: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro
  85C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  904: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  908: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  938: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  944: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  9B4: Section       \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000007.db
  9C4: File  (R-D)   C:\Windows\System32\en-US\windows.ui.xaml.dll.mui
  A10: File  (RWD)   C:\Windows\Fonts\segoeuib.ttf
  A4C: File  (R--)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin
  A54: File  (R-D)   C:\Windows\System32\en-US\Windows.Globalization.dll.mui
  A6C: Section       \Sessions\1\AppContainerNamedObjects\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\1110HWNDInterface:902d8
  A9C: File  (R--)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
------------------------------------------------------------------------------
RuntimeBroker.exe pid: 5996 37AACD8D-548A-4\user
   48: File  (RW-)   C:\Windows\System32
  188: Section       \BaseNamedObjects\__ComCatalogCache__
  1B8: Section       \BaseNamedObjects\__ComCatalogCache__
  2E4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  354: File  (R-D)   C:\Windows\System32\en-US\ShutdownUX.dll.mui
  438: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  43C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  444: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  448: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  44C: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  48C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
------------------------------------------------------------------------------
dllhost.exe pid: 2292 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  124: Section       \BaseNamedObjects\__ComCatalogCache__
  130: Section       \BaseNamedObjects\__ComCatalogCache__
  288: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  338: File  (R-D)   C:\Windows\System32\en-US\ESENT.dll.mui
  34C: File  (---)   C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.log
  354: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm
  358: File  (---)   C:\Users\user\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edbtmp.log
  380: File  (---)   C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb
------------------------------------------------------------------------------
cmd.exe pid: 696 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Users\user
  114: File  (R-D)   C:\Windows\System32\en-US\cmd.exe.mui
  198: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  1B4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  278: Section       \BaseNamedObjects\__ComCatalogCache__
  290: Section       \BaseNamedObjects\windows_shell_global_counters
  354: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  358: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  35C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  364: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  374: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  3D4: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_user
  4C0: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
conhost.exe pid: 2276 37AACD8D-548A-4\user
   44: File  (RW-)   C:\Windows
  12C: File  (R-D)   C:\Windows\System32\en-US\Conhost.exe.mui
  1A4: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  1B8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  20C: Section       \BaseNamedObjects\__ComCatalogCache__
  220: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  228: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  22C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  230: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  238: Section       \BaseNamedObjects\windows_shell_global_counters
  314: Section       \Windows\Theme1324212991
  31C: Section       \Sessions\1\Windows\Theme2036293991
  324: Section       \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
  328: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  32C: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
  33C: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  410: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
dllhost.exe pid: 1784 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  11C: Section       \BaseNamedObjects\__ComCatalogCache__
  128: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
SecurityHealthService.exe pid: 1256 <unable to open process>
   40: File  (RW-)   C:\Windows\System32
  258: Section       \BaseNamedObjects\__ComCatalogCache__
  2C0: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
SecurityHealthHost.exe pid: 4516 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows\System32
  178: Section       \BaseNamedObjects\__ComCatalogCache__
  1D0: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
Desktops.exe pid: 892 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows
   90: File  (RW-)   C:\Users\user
   D8: File  (RW-)   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627
  1E8: Section       \Windows\Theme1324212991
  1FC: Section       \Sessions\1\Windows\Theme2036293991
  2A8: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
  324: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  354: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  358: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  35C: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  364: Section       \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
------------------------------------------------------------------------------
conhost.exe pid: 1356 37AACD8D-548A-4\user
   44: File  (RW-)   C:\Windows
  130: File  (R-D)   C:\Windows\System32\en-US\Conhost.exe.mui
  1A4: Section       \Windows\Theme1324212991
  1AC: Section       \Sessions\1\Windows\Theme2036293991
  1BC: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  1C4: Section       \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference
  1C8: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
  1D0: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21
  2C4: Section       \BaseNamedObjects\__ComCatalogCache__
  2D0: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 6076 NT AUTHORITY\NETWORK SERVICE
   40: File  (RW-)   C:\Windows\System32
  138: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  174: Section       \BaseNamedObjects\Wmi Provider Sub System Counters
  1AC: Section       \BaseNamedObjects\__ComCatalogCache__
  1B8: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
audiodg.exe pid: 2676 NT AUTHORITY\LOCAL SERVICE
   40: File  (RW-)   C:\Windows\System32
  190: File  (R-D)   C:\Windows\System32\en-US\audiodg.exe.mui
  1B4: Section       \BaseNamedObjects\__ComCatalogCache__
  200: Section       \BaseNamedObjects\__ComCatalogCache__
  404: File  (R-D)   C:\Windows\System32\en-US\imaadp32.acm.mui
  410: File  (R-D)   C:\Windows\System32\en-US\msadp32.acm.mui
  418: File  (R-D)   C:\Windows\System32\en-US\msg711.acm.mui
  41C: File  (R-D)   C:\Windows\System32\en-US\msgsm32.acm.mui
  424: File  (R-D)   C:\Windows\System32\en-US\l3codeca.acm.mui
  42C: File  (R-D)   C:\Windows\System32\en-US\msacm32.dll.mui
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 3928 NT AUTHORITY\SYSTEM
   40: File  (RW-)   C:\Windows\System32
  144: File  (R-D)   C:\Windows\System32\en-US\user32.dll.mui
  180: Section       \BaseNamedObjects\Wmi Provider Sub System Counters
  1B8: Section       \BaseNamedObjects\__ComCatalogCache__
  1C4: Section       \BaseNamedObjects\__ComCatalogCache__
  2C8: File  (R-D)   C:\Windows\System32\en-US\combase.dll.mui
  2D0: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
------------------------------------------------------------------------------
handle.exe pid: 4948 37AACD8D-548A-4\user
   40: File  (RW-)   C:\Windows
   8C: File  (RW-)   C:\xCyclopedia
   C4: File  (RW-)   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_89e6152f0b32762e
  508: Section       \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
  D80: Section       \BaseNamedObjects\NLS_CodePage_437_3_2_0_0
------------------------------------------------------------------------------
conhost.exe pid: 5788 37AACD8D-548A-4\user
   44: File  (RW-)   C:\Windows
  128: File  (R-D)   C:\Windows\System32\en-US\Conhost.exe.mui
------------------------------------------------------------------------------
handle64.exe pid: 5920 37AACD8D-548A-4\user
   50: File  (RW-)   C:\xCyclopedia
   90: File  (RW-)   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28

Loaded Modules:

Path
C:\SysinternalsSuite\handle.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001519E8D8F4071A30E41000000000151
  • Thumbprint: 62009AAABDAE749FD47D19150958329BF6FF4B34
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Nthandle.exe
  • Product Name: Sysinternals Handle
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 4.22
  • Product Version: 4.22
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 1997-2019 Mark Russinovich
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/de960b7ff0c687475aba4852d799bb2bc3ed38b172be1c4f954cba461ae8de1f/detection/

File Similarity (ssdeep match)

File Score
C:\SysinternalsSuite\handle64.exe 77

Possible Misuse

The following table contains possible examples of handle.exe being misused. While handle.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that most rows below match only the word "handle" (for example the LOLBAS author "Handle:" field, or Windows API handle semantics in Sigma and YARA rule text) rather than handle.exe itself; the sigma rule proc_creation_win_false_sysinternalsuite.yml entry is the one that names the binary directly.

Source Source File Example License
sigma lnx_susp_vsftp.yml - 'couldn''t handle sandbox event' DRL 1.0
sigma win_sam_registry_hive_handle_request.yml title: SAM Registry Hive Handle Request DRL 1.0
sigma win_scm_database_handle_failure.yml title: SCM Database Handle Failure DRL 1.0
sigma win_scm_database_handle_failure.yml description: Detects non-system users failing to get a handle of the SCM database. DRL 1.0
sigma win_susp_lsass_dump.yml description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN DRL 1.0
sigma win_susp_lsass_dump_generic.yml description: Detects process handle on LSASS process with certain access mask DRL 1.0
sigma win_syskey_registry_access.yml description: Detects handle requests and access operations to specific registry keys to calculate the SysKey DRL 1.0
sigma win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. DRL 1.0
sigma file_event_win_webshell_creation_detect.yml # kind of ugly but sigmac seems not to handle double parenthesis "((" DRL 1.0
sigma posh_ps_suspicious_iofilestream.yml description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. DRL 1.0
sigma proc_creation_win_false_sysinternalsuite.yml - '\handle.exe' DRL 1.0
LOLBAS YML-Template.yml Handle: '@johndoe'  
LOLBAS YML-Template.yml Handle: '@olaNor'  
LOLBAS Explorer.yml Handle: '@bohops'  
LOLBAS Netsh.yml - Handle: ''  
LOLBAS Nltest.yml Handle: '@sysopfb'  
LOLBAS Openwith.yml Handle: '@harr0ey'  
LOLBAS Powershell.yml Handle: '@Moriarty_Meng'  
LOLBAS Psr.yml - Handle: ''  
LOLBAS Robocopy.yml - Handle: ''  
LOLBAS AcroRd32.yml Handle: '@pabraeken'  
LOLBAS aswrundll.yml handle: 'https://www.linkedin.com/in/eli-salem-954728150'  
LOLBAS Gpup.yml Handle: '@pabraeken'  
LOLBAS Nlnotes.yml Handle: '@danielhbohannon'  
LOLBAS Notes.yml Handle: '@danielhbohannon'  
LOLBAS Nvudisp.yml Handle: '@pabraeken'  
LOLBAS Nvuhda6.yml Handle: '@hexacorn'  
LOLBAS ROCCAT_Swarm.yml Handle: '@pabraeken'  
LOLBAS RunCmd_X64.yml Handle: '@bartblaze'  
LOLBAS Setup.yml Handle: '@pabraeken'  
LOLBAS Usbinst.yml Handle: '@pabraeken'  
LOLBAS VBoxDrvInst.yml Handle: '@pabraeken'  
LOLBAS Winword.yml Handle: '@@vysecurity'  
LOLBAS Winword.yml Handle: '@Hexacorn'  
LOLBAS Testxlst.yml Handle: '@bohops'  
LOLBAS AppInstaller.yml Handle: '@notwhickey'  
LOLBAS Aspnet_Compiler.yml Handle: '@cpl3h'  
LOLBAS At.yml Handle:  
LOLBAS Atbroker.yml Handle: '@hexacorn'  
LOLBAS Bash.yml Handle: '@aionescu'  
LOLBAS Bash.yml Handle: '@d1r4c'  
LOLBAS Bitsadmin.yml Handle: '@mubix'  
LOLBAS Bitsadmin.yml Handle: '@carnal0wnage'  
LOLBAS Bitsadmin.yml Handle: '@oddvarmoe'  
LOLBAS Certoc.yml Handle: '@sblmsrsn'  
LOLBAS Certreq.yml Handle: '@dtmsecurity'  
LOLBAS Certutil.yml Handle: '@mattifestation'  
LOLBAS Certutil.yml Handle: '@Moriarty_Meng'  
LOLBAS Certutil.yml Handle: '@egre55'  
LOLBAS Cmd.yml Handle: '@yeyint_mth'  
LOLBAS Cmdkey.yml Handle:  
LOLBAS Cmdl32.yml Handle: '@elliotkillick'  
LOLBAS Cmstp.yml Handle: '@oddvarmoe'  
LOLBAS Cmstp.yml Handle: '@NickTyrer'  
LOLBAS ConfigSecurityPolicy.yml Handle: '@NtSetDefault'  
LOLBAS Control.yml Handle: '@bohops'  
LOLBAS Csc.yml Handle:  
LOLBAS Cscript.yml Handle: '@oddvarmoe'  
LOLBAS DataSvcUtil.yml Handle: '@NtSetDefault'  
LOLBAS Desktopimgdownldr.yml Handle: '@gal_kristal'  
LOLBAS Dfsvc.yml Handle: '@subtee'  
LOLBAS Diantz.yml Handle: '@tim8288'  
LOLBAS Diantz.yml Handle: '@vakninhai'  
LOLBAS Diskshadow.yml Handle: '@bohops'  
LOLBAS Dllhost.yml Handle: '@CyberRaiju'  
LOLBAS Dllhost.yml Handle: '@nas_bench'  
LOLBAS Dnscmd.yml Handle:  
LOLBAS Dnscmd.yml Handle: '@dim0x69'  
LOLBAS Dnscmd.yml Handle: '@nikhil_mitt'  
LOLBAS Esentutl.yml Handle: '@egre55'  
LOLBAS Esentutl.yml Handle: 'grayfold3d'  
LOLBAS Eventvwr.yml Handle: '@enigma0x3'  
LOLBAS Eventvwr.yml Handle: '@mattifestation'  
LOLBAS Expand.yml Handle: '@infosecn1nja'  
LOLBAS Expand.yml Handle: '@oddvarmoe'  
LOLBAS Explorer.yml Handle: '@CyberRaiju'  
LOLBAS Explorer.yml Handle: '@bohops'  
LOLBAS Extexport.yml Handle: '@hexacorn'  
LOLBAS Extrac32.yml Handle: '@egre55'  
LOLBAS Extrac32.yml Handle: '@oddvarmoe'  
LOLBAS Extrac32.yml Handle: '@VakninHai'  
LOLBAS Extrac32.yml Handle: '@tim8288'  
LOLBAS Findstr.yml Handle: '@oddvarmoe'  
LOLBAS Finger.yml Handle: '@rubn_RB'  
LOLBAS Finger.yml Handle: '@Ocelotty6669'  
LOLBAS Finger.yml Handle: '@DissectMalware'  
LOLBAS FltMC.yml Handle: '@Carlos_Perez'  
LOLBAS Forfiles.yml Handle: '@vector_sec'  
LOLBAS Forfiles.yml Handle: '@oddvarmoe'  
LOLBAS Ftp.yml Handle: '@subtee'  
LOLBAS Ftp.yml Handle: ''  
LOLBAS Ftp.yml Handle: '@0xAmit '  
LOLBAS GfxDownloadWrapper.yml Handle:  
LOLBAS Gpscript.yml Handle: '@oddvarmoe'  
LOLBAS Hh.yml Handle: '@oddvarmoe'  
LOLBAS Ie4uinit.yml Handle: '@bohops'  
LOLBAS Ieexec.yml Handle: '@subtee'  
LOLBAS Ilasm.yml Handle: '@VakninHai'  
LOLBAS Ilasm.yml Handle:  
LOLBAS IMEWDBLD.yml Handle: '@notwhickey'  
LOLBAS Infdefaultinstall.yml Handle: '@kylehanslovan'  
LOLBAS Installutil.yml Handle: '@subtee'  
LOLBAS Jsc.yml Handle: '@DissectMalware'  
LOLBAS Makecab.yml Handle: '@oddvarmoe'  
LOLBAS Mavinject.yml Handle: '@gN3mes1s'  
LOLBAS Mavinject.yml Handle: '@oddvarmoe'  
LOLBAS Microsoft.Workflow.Compiler.yml Handle: '@mattifestation'  
LOLBAS Microsoft.Workflow.Compiler.yml Handle: '@BergbomJohn'  
LOLBAS Microsoft.Workflow.Compiler.yml Handle: '@FortyNorthSec'  
LOLBAS Microsoft.Workflow.Compiler.yml Handle: '@Bank_Security'  
LOLBAS Mmc.yml Handle: '@bohops'  
LOLBAS Mmc.yml Handle: '@clavoillotte'  
LOLBAS MpCmdRun.yml Handle: '@mohammadaskar2'  
LOLBAS MpCmdRun.yml Handle: '@oddvarmoe'  
LOLBAS MpCmdRun.yml Handle: ''  
LOLBAS MpCmdRun.yml Handle: '@th3c3dr1c'  
LOLBAS Msbuild.yml Handle: '@subtee'  
LOLBAS Msbuild.yml Handle: '@Cneelis'  
LOLBAS Msbuild.yml Handle: '@bohops'  
LOLBAS Msconfig.yml Handle: '@pabraeken'  
LOLBAS Msdt.yml Handle:  
LOLBAS Mshta.yml Handle: '@subtee'  
LOLBAS Mshta.yml Handle: '@oddvarmoe'  
LOLBAS Msiexec.yml Handle: '@netbiosX'  
LOLBAS Msiexec.yml Handle: '@PhilipTsukerman'  
LOLBAS Netsh.yml Handle:  
LOLBAS Odbcconf.yml Handle: '@subtee'  
LOLBAS Odbcconf.yml Handle: '@Hexacorn'  
LOLBAS OfflineScannerShell.yml Handle: '@elliotkillick'  
LOLBAS OneDriveStandaloneUpdater.yml Handle: '@elliotkillick'  
LOLBAS Pcalua.yml Handle: '@kylehanslovan'  
LOLBAS Pcalua.yml Handle: '@0rbz_'  
LOLBAS Pcwrun.yml Handle: '@pabraeken'  
LOLBAS Pktmon.yml Handle: ''  
LOLBAS Pnputil.yml Handle: '@LuxNoBulIshit'  
LOLBAS Pnputil.yml Handle: '@aloneliassaf'  
LOLBAS Presentationhost.yml Handle: '@subtee'  
LOLBAS Print.yml Handle: '@oddvarmoe'  
LOLBAS PrintBrm.yml Handle: '@elliotkillick'  
LOLBAS Psr.yml Handle: '@L3m0nada'  
LOLBAS Rasautou.yml Handle: '@FireEye'  
LOLBAS Reg.yml Handle: '@oddvarmoe'  
LOLBAS Regasm.yml Handle: '@subtee'  
LOLBAS Regedit.yml Handle: '@oddvarmoe'  
LOLBAS Regini.yml Handle: '@elisalem9'  
LOLBAS Register-cimprovider.yml Handle: '@PhilipTsukerman'  
LOLBAS Regsvcs.yml Handle: '@subtee'  
LOLBAS Regsvr32.yml Handle: '@subtee'  
LOLBAS Replace.yml Handle: '@elceef'  
LOLBAS Rpcping.yml Handle: '@subtee'  
LOLBAS Rpcping.yml Handle: '@vysecurity'  
LOLBAS Rpcping.yml Handle: '@splinter_code'  
LOLBAS Rpcping.yml Handle: '@decoder_it'  
LOLBAS Rundll32.yml Handle: '@subtee'  
LOLBAS Rundll32.yml Handle: '@oddvarmoe'  
LOLBAS Rundll32.yml Handle: '@bohops'  
LOLBAS Rundll32.yml Handle: '@404death'  
LOLBAS Rundll32.yml Handle: '@Mrtn9'  
LOLBAS Runonce.yml Handle: '@pabraeken'  
LOLBAS Runscripthelper.yml Handle: '@mattifestation'  
LOLBAS Sc.yml Handle: '@oddvarmoe'  
LOLBAS Schtasks.yml Handle:  
LOLBAS Scriptrunner.yml Handle: '@nicktyrer'  
LOLBAS SettingSyncHost.yml Handle: '@hexacorn'  
LOLBAS SettingSyncHost.yml Handle: '@elliotkillick'  
LOLBAS Stordiag.yml Handle: '@eral4m'  
LOLBAS Syncappvpublishingserver.yml Handle: '@monoxgas'  
LOLBAS Ttdinject.yml Handle: '@oddvarmoe'  
LOLBAS Ttdinject.yml Handle: '@m_nad0'  
LOLBAS Tttracer.yml Handle: '@oulusoyum'  
LOLBAS Tttracer.yml Handle: '@mattifestation'  
LOLBAS Vbc.yml Handle:  
LOLBAS Verclsid.yml Handle: '@NickTyrer'  
LOLBAS Wab.yml Handle: '@Hexacorn'  
LOLBAS Wlrmdr.yml Handle: '@0gtweet'  
LOLBAS Wlrmdr.yml Handle: '@Oddvarmoe'  
LOLBAS Wlrmdr.yml Handle: '@falsneg'  
LOLBAS Wmic.yml Handle: '@subtee'  
LOLBAS WorkFolders.yml Handle: '@YoSignals'  
LOLBAS WorkFolders.yml Handle: '@elliotkillick'  
LOLBAS Wscript.yml Handle: '@oddvarmoe'  
LOLBAS Wscript.yml Handle: '@404death'  
LOLBAS Wsreset.yml Handle: '@ihack4falafel'  
LOLBAS Wuauclt.yml Handle: '@dtmsecurity'  
LOLBAS Xwizard.yml Handle: '@Hexacorn'  
LOLBAS Xwizard.yml Handle: '@NickTyrer'  
LOLBAS Xwizard.yml Handle: '@harr0ey'  
LOLBAS Xwizard.yml Handle: '@notwhickey'  
LOLBAS Advpack.yml Handle: '@bohops'  
LOLBAS Advpack.yml Handle: '@0rbz_'  
LOLBAS Advpack.yml Handle: '@moriarty_meng'  
LOLBAS Advpack.yml Handle: '@ItsReallyNick'  
LOLBAS comsvcs.yml Handle:  
LOLBAS Dfshim.yml Handle: '@subtee'  
LOLBAS Ieadvpack.yml Handle: '@bohops'  
LOLBAS Ieadvpack.yml Handle: '@0rbz_'  
LOLBAS Ieadvpack.yml Handle: '@pabraeken'  
LOLBAS Ieframe.yml Handle: '@bohops'  
LOLBAS Ieframe.yml Handle: '@hexacorn'  
LOLBAS Mshtml.yml Handle: '@pabraeken'  
LOLBAS Pcwutl.yml Handle: '@harr0ey'  
LOLBAS Setupapi.yml Handle: '@KyleHanslovan'  
LOLBAS Setupapi.yml Handle: '@HuntressLabs'  
LOLBAS Setupapi.yml Handle: '@subTee'  
LOLBAS Setupapi.yml Handle: '@ItsReallyNick'  
LOLBAS Shdocvw.yml Handle: '@hexacorn'  
LOLBAS Shdocvw.yml Handle: '@bohops'  
LOLBAS Shell32.yml Handle: '@hexacorn'  
LOLBAS Shell32.yml Handle: '@pabraeken'  
LOLBAS Shell32.yml Handle: '@mattifestation'  
LOLBAS Shell32.yml Handle: '@KyleHanslovan'  
LOLBAS Syssetup.yml Handle: '@pabraeken'  
LOLBAS Syssetup.yml Handle: '@harr0ey'  
LOLBAS Syssetup.yml Handle: '@bohops'  
LOLBAS Url.yml Handle: '@hexacorn'  
LOLBAS Url.yml Handle: '@bohops'  
LOLBAS Url.yml Handle: '@DissectMalware'  
LOLBAS Url.yml Handle: '@r0lan'  
LOLBAS Zipfldr.yml Handle: '@moriarty_meng'  
LOLBAS Zipfldr.yml Handle: '@r0lan'  
LOLBAS Cl_invocation.yml Handle: '@bohops'  
LOLBAS Cl_invocation.yml Handle: '@pabraeken'  
LOLBAS CL_LoadAssembly.yml Handle: '@bohops'  
LOLBAS CL_mutexverifiers.yml Handle: '@pabraeken'  
LOLBAS Manage-bde.yml Handle: '@bohops'  
LOLBAS Manage-bde.yml Handle: '@danielbohannon'  
LOLBAS Manage-bde.yml Handle: '@JohnLaTwC'  
LOLBAS pester.yml Handle: '@p0w3rsh3ll'  
LOLBAS Pubprn.yml Handle: '@enigma0x3'  
LOLBAS Syncappvpublishingserver.yml Handle: '@monoxgas'  
LOLBAS Syncappvpublishingserver.yml Handle: '@subtee'  
LOLBAS UtilityFunctions.yml Handle: '@nickvangilder'  
LOLBAS Winrm.yml - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'  
LOLBAS Winrm.yml Handle: '@mattifestation'  
LOLBAS Winrm.yml Handle: '@enigma0x3'  
LOLBAS Winrm.yml Handle: '@subtee'  
LOLBAS Winrm.yml Handle: '@bohops'  
LOLBAS Winrm.yml Handle: '@redcanaryco'  
LOLBAS Adplus.yml Handle: '@mrd0x'  
LOLBAS Agentexecutor.yml Handle: '@lefterispan'  
LOLBAS Appvlp.yml Handle: '@0rbz_'  
LOLBAS Appvlp.yml Handle: '@moo_hax'  
LOLBAS Appvlp.yml Handle: '@enigma0x3'  
LOLBAS Bginfo.yml Handle: '@oddvarmoe'  
LOLBAS Cdb.yml Handle: '@mattifestation'  
LOLBAS Cdb.yml Handle: '@mrd0x'  
LOLBAS Cdb.yml Handle: '@sec_spooky'  
LOLBAS Coregen.yml Handle:  
LOLBAS Csi.yml Handle: '@subtee'  
LOLBAS DefaultPack.yml Handle: '@checkymander'  
LOLBAS Devtoolslauncher.yml Handle: '@_felamos'  
LOLBAS Dnx.yml Handle: '@enigma0x3'  
LOLBAS Dotnet.yml Handle: '@_felamos'  
LOLBAS Dotnet.yml Handle: '@bohops'  
LOLBAS Dxcap.yml Handle: '@harr0ey'  
LOLBAS Excel.yml Handle: '@reegun21'  
LOLBAS Fsi.yml Handle: '@NickTyrer'  
LOLBAS Fsi.yml Handle: '@bohops'  
LOLBAS FsiAnyCpu.yml Handle: '@NickTyrer'  
LOLBAS FsiAnyCpu.yml Handle: '@bohops'  
LOLBAS Mftrace.yml Handle: '@0rbz_'  
LOLBAS Msdeploy.yml Handle: '@pabraeken'  
LOLBAS Msxsl.yml Handle: '@subtee'  
LOLBAS Ntdsutil.yml Handle: '@PyroTek3'  
LOLBAS Powerpnt.yml Handle: '@reegun21'  
LOLBAS Procdump.yml Handle: '@ajpc500'  
LOLBAS Rcsi.yml Handle: '@enigma0x3'  
LOLBAS Remote.yml Handle: '@mrd0x'  
LOLBAS Sqldumper.yml Handle: '@countuponsec'  
LOLBAS Sqlps.yml Handle: '@bryon_'  
LOLBAS Sqltoolsps.yml Handle: '@pabraeken'  
LOLBAS Squirrel.yml Handle: '@reegun21'  
LOLBAS Squirrel.yml Handle: '@Hexacorn'  
LOLBAS Te.yml Handle: '@gN3mes1s'  
LOLBAS Tracker.yml Handle: '@subTee'  
LOLBAS Update.yml Handle: '@reegun21'  
LOLBAS Update.yml Handle: '@MrUn1k0d3r'  
LOLBAS Update.yml Handle: '@Hexacorn'  
LOLBAS VisualUiaVerifyNative.yml Handle: '@tifkin'  
LOLBAS VisualUiaVerifyNative.yml Handle: '@bohops'  
LOLBAS VSIISExeLauncher.yml Handle:  
LOLBAS Vsjitdebugger.yml Handle: '@pabraeken'  
LOLBAS Wfc.yml Handle: '@mattifestation'  
LOLBAS Wfc.yml Handle: '@bohops'  
LOLBAS Winword.yml Handle: '@reegun21'  
LOLBAS Wsl.yml Handle: '@aionescu'  
LOLBAS Wsl.yml Handle: '@NotoriousRebel1'  
LOLBAS Wsl.yml Handle: '@d1r4c'  
malware-ioc nouns.txt handle © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)\n\nDetection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.\n\nPlatforms: Linux, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)\n\nDetection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.\n\nPlatforms: Linux, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM", © ESET 2014-2018
atomic-red-team T1006.md This test uses PowerShell to open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct-access read of the first few bytes of the volume. MIT License. © 2018 Red Canary
atomic-red-team T1006.md $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite' MIT License. © 2018 Red Canary
atomic-red-team T1006.md $handle.Read($buffer, 0, $buffer.Length) MIT License. © 2018 Red Canary
atomic-red-team T1006.md $handle.Close() MIT License. © 2018 Red Canary
atomic-red-team T1055.004.md APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state. (Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). MIT License. © 2018 Red Canary
atomic-red-team T1134.002.md gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user} MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Notify - points to notification package DLLs that handle Winlogon events MIT License. © 2018 Red Canary
signature-base apt_aus_parl_compromise.yar $x5 = "VirtualSite: {0}, Address: {1:X16}, Name: {2}, Handle: {3:X16}, LogPath: {4}" fullword wide CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x5 = "Creating CURL connection handle..." fullword ascii CC BY-NC 4.0
signature-base apt_passthehashtoolkit.yar $s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */ CC BY-NC 4.0
signature-base apt_webmonitor_rat.yar $a2 = "Select * from Win32_Process WHERE handle =" fullword wide CC BY-NC 4.0
signature-base apt_wildneutron.yar $x5 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ CC BY-NC 4.0
signature-base apt_wildneutron.yar $s8 = "Invalid input handle!!!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */ CC BY-NC 4.0
signature-base gen_empire.yar $s2 = "# Get a handle to the module specified" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $x6 = "Unable to obtain handle to PStoreCreateInstance in pstorec.dll" fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword CC BY-NC 4.0
stockpile 05cda6f6-2b1b-462e-bff1-845af94343f7.yml gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}; Apache-2.0
stockpile 3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}; Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.