limerat | a716b5f8a785fdbd248b36963d8a797083bf9d05dc4ae50b10536dbca81f4301

System Information Discovery

Processes:

c7d749686aa87a0826f47179002820dd.exeFreeFirewall.exeFreeFirewall.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c7d749686aa87a0826f47179002820dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	FreeFirewall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	FreeFirewall.exe

Loads dropped DLL 8 IoCs

Processes:

FreeFirewall.exeFreeFirewall.exeFreeFirewall.exeFreeFirewall.exe

pid	Process
5332	FreeFirewall.exe
5332	FreeFirewall.exe
6032	FreeFirewall.exe
6032	FreeFirewall.exe
5548	FreeFirewall.exe
5548	FreeFirewall.exe
3100	FreeFirewall.exe
3100	FreeFirewall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

FirewallSvc64.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	FirewallSvc64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	FirewallSvc64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A94E7A99DF38DF5FD11F1DF8D18D8D0	FirewallSvc64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A94E7A99DF38DF5FD11F1DF8D18D8D0	FirewallSvc64.exe

Drops file in Program Files directory 64 IoCs

Processes:

freefirewall-setup.exeFirewallSvc64.exe

description	ioc	Process
File created	C:\Program Files\Evorim\Free Firewall\FirewallSvc32.exe	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\bn.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\da.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\en-US.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\fi.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\pt-BR.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\components\lz4.license.txt	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\dhcpcsvc.dll	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\it.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\te.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\ar.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\kn.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\ml.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\sl.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\components\jsoncpp.license.txt	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\components\zlib.license.txt	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\resources\app.asar	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\components\jsoncpp.license.txt	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\fa.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\lv.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\sw.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\dns-cache.json.tmp	FirewallSvc64.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\FirewallSvc32.exe	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\ffmpeg.dll	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\am.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\cs.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\gu.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\mr.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\zh-TW.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\alarm.mp3	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\icudtl.dat	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\pt-PT.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\resources\app.asar	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\components\zlib.license.txt	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\bg.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\el.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\es.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\id.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\zh-CN.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\uninstall.exe	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\snapshot_blob.bin	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\components\chromium.html	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\fr.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\ja.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\pl.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\ru.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\resources.pak	freefirewall-setup.exe
File created	C:\Program Files\Common Files\Evorim\Free Firewall\2.6.2\uninstall.exe	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\license_en.txt	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\en-GB.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\es-419.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\fil.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\sk.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\resources\electron.asar	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\components\license.thirdparty.html	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\FirewallSvc64.exe	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\de.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\he.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\hu.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\lt.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\tr.pak	freefirewall-setup.exe
File created	C:\Program Files\Evorim\Free Firewall\locales\vi.pak	freefirewall-setup.exe
File opened for modification	C:\Program Files\Evorim\Free Firewall\efwtc32.dll	freefirewall-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exetaskmgr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exe

pid	Process
4792	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

FirewallSvc64.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	FirewallSvc64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	FirewallSvc64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	FirewallSvc64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	FirewallSvc64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	FirewallSvc64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	FirewallSvc64.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

Processes:

FreeFirewall.exe

description	ioc	Process
File created	C:\ProgramData\Evorim\FreeFirewall\logs\app2023-01-21_17-27:34.538.log	FreeFirewall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exewinIogon.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	Process
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
528	winIogon.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
4088	chrome.exe
4088	chrome.exe
556	chrome.exe
556	chrome.exe
3476	chrome.exe
3476	chrome.exe
528	winIogon.exe
528	winIogon.exe
528	winIogon.exe
2276	chrome.exe
2276	chrome.exe
528	winIogon.exe
528	winIogon.exe
528	winIogon.exe
528	winIogon.exe
5944	chrome.exe
5944	chrome.exe
5304	chrome.exe
5304	chrome.exe
528	winIogon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

taskmgr.exewinIogon.exefreefirewall-setup.exevssvc.exesrtasks.exeFirewallSvc64.exe

description	pid	Process
Token: SeDebugPrivilege	2880	taskmgr.exe
Token: SeSystemProfilePrivilege	2880	taskmgr.exe
Token: SeCreateGlobalPrivilege	2880	taskmgr.exe
Token: SeDebugPrivilege	528	winIogon.exe
Token: SeDebugPrivilege	528	winIogon.exe
Token: 33	2880	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2880	taskmgr.exe
Token: SeCreateGlobalPrivilege	2104	freefirewall-setup.exe
Token: SeDebugPrivilege	2104	freefirewall-setup.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeBackupPrivilege	2104	freefirewall-setup.exe
Token: SeRestorePrivilege	2104	freefirewall-setup.exe
Token: SeBackupPrivilege	4060	srtasks.exe
Token: SeRestorePrivilege	4060	srtasks.exe
Token: SeSecurityPrivilege	4060	srtasks.exe
Token: SeTakeOwnershipPrivilege	4060	srtasks.exe
Token: SeBackupPrivilege	4060	srtasks.exe
Token: SeRestorePrivilege	4060	srtasks.exe
Token: SeSecurityPrivilege	4060	srtasks.exe
Token: SeTakeOwnershipPrivilege	4060	srtasks.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeTakeOwnershipPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe
Token: SeDebugPrivilege	5256	FirewallSvc64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe
2880	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

freefirewall-setup.exe

pid	Process
2104	freefirewall-setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c7d749686aa87a0826f47179002820dd.exechrome.exe

description	pid	Process	procid_target
PID 2680 wrote to memory of 4792	2680	c7d749686aa87a0826f47179002820dd.exe	79
PID 2680 wrote to memory of 4792	2680	c7d749686aa87a0826f47179002820dd.exe	79
PID 2680 wrote to memory of 4792	2680	c7d749686aa87a0826f47179002820dd.exe	79
PID 2680 wrote to memory of 528	2680	c7d749686aa87a0826f47179002820dd.exe	81
PID 2680 wrote to memory of 528	2680	c7d749686aa87a0826f47179002820dd.exe	81
PID 2680 wrote to memory of 528	2680	c7d749686aa87a0826f47179002820dd.exe	81
PID 556 wrote to memory of 4196	556	chrome.exe	92
PID 556 wrote to memory of 4196	556	chrome.exe	92
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 3144	556	chrome.exe	95
PID 556 wrote to memory of 4088	556	chrome.exe	96
PID 556 wrote to memory of 4088	556	chrome.exe	96
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98
PID 556 wrote to memory of 720	556	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\c7d749686aa87a0826f47179002820dd.exe
"C:\Users\Admin\AppData\Local\Temp\c7d749686aa87a0826f47179002820dd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Local\winIogon.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:4792
- C:\Users\Admin\AppData\Roaming\Local\winIogon.exe
  "C:\Users\Admin\AppData\Roaming\Local\winIogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06fd4f50,0x7ffa06fd4f60,0x7ffa06fd4f70
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8256 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8300 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8584 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7816 /prefetch:8
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7652 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7592 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8952 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8912 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9280 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1540 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9804 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9824 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9964 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9812 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9712 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9688 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10088 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10552 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10324 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10312 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10388 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10360 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=10152 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9972 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8632 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9828 /prefetch:1
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9892 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:6152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=9032 /prefetch:2
  2⤵
  PID:6260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7576 /prefetch:8
  2⤵
  PID:6412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:6452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:6712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8848 /prefetch:1
  2⤵
  PID:6796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:6804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:6860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8604 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8888 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10228 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9784 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10444 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9524 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8300 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8304 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9780 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10108 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:6876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1568 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9520 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=153 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10456 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=154 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8948 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9672 /prefetch:1
  2⤵
  PID:7080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10068 /prefetch:1
  2⤵
  PID:6244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:6580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=161 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=162 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=163 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=164 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=168 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9556 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=167 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=166 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=165 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=170 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10844 /prefetch:1
  2⤵
  PID:7052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,16404817406695955839,14629854483191356769,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=169 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10668 /prefetch:1
  2⤵
  PID:7032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Users\Admin\Desktop\freefirewall-setup.exe
"C:\Users\Admin\Desktop\freefirewall-setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x384
1⤵
PID:5692

C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe
"C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5332
- C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe
  "C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe" --type=gpu-process --field-trial-handle=2032,6315788970742411639,3519377524655118936,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --use-gl=swiftshader-webgl --service-request-channel-token=11703642174660699899 --mojo-platform-channel-handle=2040 --ignored=" --type=renderer " /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6032
- C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe
  "C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe" --type=renderer --field-trial-handle=2032,6315788970742411639,3519377524655118936,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\Evorim\Free Firewall\resources\app.asar" --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=12553380287593086089 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  PID:5548
- C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe
  "C:\Program Files\Evorim\Free Firewall\FreeFirewall.exe" --type=renderer --field-trial-handle=2032,6315788970742411639,3519377524655118936,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\Evorim\Free Firewall\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=14602022879548898143 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - NTFS ADS
  PID:3100
- - C:\Program Files\Evorim\Free Firewall\FirewallSvc32.exe
    "C:\Program Files\Evorim\Free Firewall\FirewallSvc32.exe" /start
    3⤵
    - Executes dropped EXE
    PID:4900

C:\Program Files\Evorim\Free Firewall\FirewallSvc64.exe
"C:\Program Files\Evorim\Free Firewall\FirewallSvc64.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery