e982c59b70fae4d269dd4c34b502a81f26668bad00f7dccd372d50ec71d939ae

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
4948	Internet Download Manager 6.42.25.tmp
2244	Uninstall.exe
1364	idmBroker.exe
1612	IDMan.exe
4268	Uninstall.exe

Loads dropped DLL 34 IoCs

pid	Process
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4932	regsvr32.exe
1508	regsvr32.exe
1416	regsvr32.exe
1572	regsvr32.exe
2928	regsvr32.exe
4764	regsvr32.exe
1580	regsvr32.exe
2792	regsvr32.exe
3828	regsvr32.exe
2340	regsvr32.exe
1648	regsvr32.exe
3416	Process not Found
3416	Process not Found
3408	regsvr32.exe
3704	regsvr32.exe
3012	regsvr32.exe
1612	IDMan.exe
3416	Process not Found
1612	IDMan.exe
1612	IDMan.exe
1612	IDMan.exe
1612	IDMan.exe
4568	regsvr32.exe
228	regsvr32.exe
3216	regsvr32.exe
5040	regsvr32.exe
2128	regsvr32.exe
5024	regsvr32.exe
5020	regsvr32.exe
5388	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	Internet Download Manager 6.42.25.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	Internet Download Manager 6.42.25.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	Internet Download Manager 6.42.25.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	Internet Download Manager 6.42.25.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	Internet Download Manager 6.42.25.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	Internet Download Manager 6.42.25.tmp

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB939.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB939.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB93A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB94B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\idmwfp64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB93A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a15ebdc0-a7a9-9946-ab21-b773be649d86}\SETB94B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-BJF10.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-VLE46.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-P1K6Q.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-PL92F.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-V65EU.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-6778A.tmp	Internet Download Manager 6.42.25.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\idmindex.dll	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-N5U41.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-5QAVK.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-G3H8L.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Registration\is-AGTV8.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-U2KH6.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-1UKLQ.tmp	Internet Download Manager 6.42.25.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\idmcchandler7_64.dll	Internet Download Manager 6.42.25.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\KGIDM.dll	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-JHCO0.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-KMAC3.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-PPOAD.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-M9K94.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-K62GC.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-MV81L.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-S6948.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Helvet_3D_Light\is-NR7F0.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Kavian\is-R4T94.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Office Flat\is-MMEHV.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-E12DK.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-09F1P.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-RAQK1.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-23INV.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_BlueSky_Shapes_Toolbar\is-P1L16.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Office Flat\is-Q9PSE.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-BP812.tmp	Internet Download Manager 6.42.25.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\oldjsproxy.dll	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-CS6S3.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-6RRK4.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_Bronze_Shapes_Toolbar\is-C5H1I.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-T89EL.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-HGEF6.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_Olive_Shapes_Toolbar\is-3LRG1.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Helvet_3D_Dark\is-QA179.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-4LBS2.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-V1IBE.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Helvet_3D_Dark\is-G3I89.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-LUEM7.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-ENNQL.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PT LIGHT\is-0VSH5.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-8J9LH.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Glyfz_2016\is-9S814.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-A7KJJ.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-0L2K2.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-AM843.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-A0B22.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-SS6UC.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-PRUSE.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-4J4AC.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-MSADL.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-2959L.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\BilsOrbit\is-QQA9H.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_Painted_Stickers_Toolbar\is-2EEQE.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-TF76V.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-8GQJU.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-QKDJ0.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-UV02Q.tmp	Internet Download Manager 6.42.25.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-VEES6.tmp	Internet Download Manager 6.42.25.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idmBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Internet Download Manager 6.42.25.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Internet Download Manager 6.42.25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1228	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEGetAll.htm"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	Internet Download Manager 6.42.25.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	Internet Download Manager 6.42.25.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID\ = "IDMIECC.IDMHelperLinksStorage.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Wow6432Node\CLSID\{1CD20007-3B87-3336-1349-C7AE26E01D83}	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDMEFSAgent Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D189CA6A-1987-5A96-5095-E9C2B5B6702E}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR	idmBroker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID\ = "DownlWithIDM.LinkProcessor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CurVer\ = "DownlWithIDM.VLinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Internet Download Manager\\idmBroker.exe\""	idmBroker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID\ = "IDMIECC.IDMHelperLinksStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42FD0451-B21A-4EE0-8B4F-6F2DA05F6FD1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42FD0451-B21A-4EE0-8B4F-6F2DA05F6FD1}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ = "IDMAllLinksProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{202AFC46-6CDD-FE82-8C52-5990104C20F0}	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ = "IVLinkProcessor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID\ = "DownlWithIDM.LinkProcessor.1"	regsvr32.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3816	regedit.exe
3876	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
1612	IDMan.exe
1612	IDMan.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAuditPrivilege	2488	svchost.exe
Token: SeSecurityPrivilege	2488	svchost.exe
Token: SeRestorePrivilege	4552	DrvInst.exe
Token: SeBackupPrivilege	4552	DrvInst.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeRestorePrivilege	1416	DrvInst.exe
Token: SeBackupPrivilege	1416	DrvInst.exe
Token: SeDebugPrivilege	4500	firefox.exe
Token: SeDebugPrivilege	4500	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4948	Internet Download Manager 6.42.25.tmp
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe
4500	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
4948	Internet Download Manager 6.42.25.tmp
1612	IDMan.exe
1612	IDMan.exe
4268	Uninstall.exe
4500	firefox.exe
1612	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4948	2912	Internet Download Manager 6.42.25.exe	86
PID 2912 wrote to memory of 4948	2912	Internet Download Manager 6.42.25.exe	86
PID 2912 wrote to memory of 4948	2912	Internet Download Manager 6.42.25.exe	86
PID 4948 wrote to memory of 4932	4948	Internet Download Manager 6.42.25.tmp	106
PID 4948 wrote to memory of 4932	4948	Internet Download Manager 6.42.25.tmp	106
PID 4948 wrote to memory of 4932	4948	Internet Download Manager 6.42.25.tmp	106
PID 4948 wrote to memory of 1508	4948	Internet Download Manager 6.42.25.tmp	107
PID 4948 wrote to memory of 1508	4948	Internet Download Manager 6.42.25.tmp	107
PID 4948 wrote to memory of 1508	4948	Internet Download Manager 6.42.25.tmp	107
PID 4948 wrote to memory of 1416	4948	Internet Download Manager 6.42.25.tmp	108
PID 4948 wrote to memory of 1416	4948	Internet Download Manager 6.42.25.tmp	108
PID 4948 wrote to memory of 1416	4948	Internet Download Manager 6.42.25.tmp	108
PID 4948 wrote to memory of 1572	4948	Internet Download Manager 6.42.25.tmp	109
PID 4948 wrote to memory of 1572	4948	Internet Download Manager 6.42.25.tmp	109
PID 4948 wrote to memory of 1572	4948	Internet Download Manager 6.42.25.tmp	109
PID 4948 wrote to memory of 2928	4948	Internet Download Manager 6.42.25.tmp	110
PID 4948 wrote to memory of 2928	4948	Internet Download Manager 6.42.25.tmp	110
PID 4948 wrote to memory of 4764	4948	Internet Download Manager 6.42.25.tmp	111
PID 4948 wrote to memory of 4764	4948	Internet Download Manager 6.42.25.tmp	111
PID 4948 wrote to memory of 4764	4948	Internet Download Manager 6.42.25.tmp	111
PID 4764 wrote to memory of 1580	4764	regsvr32.exe	112
PID 4764 wrote to memory of 1580	4764	regsvr32.exe	112
PID 4948 wrote to memory of 2792	4948	Internet Download Manager 6.42.25.tmp	113
PID 4948 wrote to memory of 2792	4948	Internet Download Manager 6.42.25.tmp	113
PID 4948 wrote to memory of 2792	4948	Internet Download Manager 6.42.25.tmp	113
PID 2792 wrote to memory of 3828	2792	regsvr32.exe	114
PID 2792 wrote to memory of 3828	2792	regsvr32.exe	114
PID 4948 wrote to memory of 2340	4948	Internet Download Manager 6.42.25.tmp	115
PID 4948 wrote to memory of 2340	4948	Internet Download Manager 6.42.25.tmp	115
PID 4948 wrote to memory of 2340	4948	Internet Download Manager 6.42.25.tmp	115
PID 2340 wrote to memory of 1648	2340	regsvr32.exe	116
PID 2340 wrote to memory of 1648	2340	regsvr32.exe	116
PID 4948 wrote to memory of 2632	4948	Internet Download Manager 6.42.25.tmp	117
PID 4948 wrote to memory of 2632	4948	Internet Download Manager 6.42.25.tmp	117
PID 4948 wrote to memory of 2632	4948	Internet Download Manager 6.42.25.tmp	117
PID 4948 wrote to memory of 4060	4948	Internet Download Manager 6.42.25.tmp	119
PID 4948 wrote to memory of 4060	4948	Internet Download Manager 6.42.25.tmp	119
PID 4948 wrote to memory of 4060	4948	Internet Download Manager 6.42.25.tmp	119
PID 4060 wrote to memory of 3856	4060	cmd.exe	121
PID 4060 wrote to memory of 3856	4060	cmd.exe	121
PID 4060 wrote to memory of 3856	4060	cmd.exe	121
PID 4060 wrote to memory of 5000	4060	cmd.exe	122
PID 4060 wrote to memory of 5000	4060	cmd.exe	122
PID 4060 wrote to memory of 5000	4060	cmd.exe	122
PID 4060 wrote to memory of 4192	4060	cmd.exe	123
PID 4060 wrote to memory of 4192	4060	cmd.exe	123
PID 4060 wrote to memory of 4192	4060	cmd.exe	123
PID 4060 wrote to memory of 4412	4060	cmd.exe	124
PID 4060 wrote to memory of 4412	4060	cmd.exe	124
PID 4060 wrote to memory of 4412	4060	cmd.exe	124
PID 4060 wrote to memory of 2896	4060	cmd.exe	125
PID 4060 wrote to memory of 2896	4060	cmd.exe	125
PID 4060 wrote to memory of 2896	4060	cmd.exe	125
PID 4060 wrote to memory of 1104	4060	cmd.exe	126
PID 4060 wrote to memory of 1104	4060	cmd.exe	126
PID 4060 wrote to memory of 1104	4060	cmd.exe	126
PID 4060 wrote to memory of 4616	4060	cmd.exe	127
PID 4060 wrote to memory of 4616	4060	cmd.exe	127
PID 4060 wrote to memory of 4616	4060	cmd.exe	127
PID 4060 wrote to memory of 4804	4060	cmd.exe	128
PID 4060 wrote to memory of 4804	4060	cmd.exe	128
PID 4060 wrote to memory of 4804	4060	cmd.exe	128
PID 4060 wrote to memory of 1984	4060	cmd.exe	129
PID 4060 wrote to memory of 1984	4060	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42.25.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42.25.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\is-JDT9A.tmp\Internet Download Manager 6.42.25.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JDT9A.tmp\Internet Download Manager 6.42.25.tmp" /SL5="$9021E,14999154,64512,C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42.25.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4932
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1508
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1416
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\idmfsa.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1572
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:2928
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1580
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3828
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1648
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\idmantypeinfo.tlb"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-SPHRM.tmp\clean.bat" install"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      Modifies registry class
      PID:1984
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3672
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2380
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      Modifies registry class
      PID:516
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      Modifies registry class
      PID:1580
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      Modifies registry class
      PID:4296
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\regini.exe
      regini "permdel.txt"
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
      4⤵
      PID:3292
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{0E5D391E-6A9E-101C-B6DF-F60A80231A87}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{202AFC46-6CDD-FE82-8C52-5990104C20F0}" /F
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3368
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{1CD20007-3B87-3336-1349-C7AE26E01D83}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{FC93A1AC-E200-CECA-C86C-DBF8D10831C6}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:228
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{3C463EC2-6181-C191-A8C9-A4D6D76B33DB}" /F
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D189CA6A-1987-5A96-5095-E9C2B5B6702E}" /F
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{35699221-9155-D6DA-7068-8BC57602636B}" /F
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{AA5AED86-7BCC-6970-4C3F-E46AFF3EB48C}" /F
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{37D6E00D-6482-C67D-CE0C-16E6D9E89B10}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4624
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:432
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3344
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4996
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{0E5D391E-6A9E-101C-B6DF-F60A80231A87}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{202AFC46-6CDD-FE82-8C52-5990104C20F0}" /F
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3340
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{1CD20007-3B87-3336-1349-C7AE26E01D83}" /F
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{FC93A1AC-E200-CECA-C86C-DBF8D10831C6}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:516
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{3C463EC2-6181-C191-A8C9-A4D6D76B33DB}" /F
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{D189CA6A-1987-5A96-5095-E9C2B5B6702E}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{35699221-9155-D6DA-7068-8BC57602636B}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{AA5AED86-7BCC-6970-4C3F-E46AFF3EB48C}" /F
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Classes\CLSID\{37D6E00D-6482-C67D-CE0C-16E6D9E89B10}" /F
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Internet Download Manager" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3284
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4908
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4848
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{0E5D391E-6A9E-101C-B6DF-F60A80231A87}" /F
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{202AFC46-6CDD-FE82-8C52-5990104C20F0}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{1CD20007-3B87-3336-1349-C7AE26E01D83}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{FC93A1AC-E200-CECA-C86C-DBF8D10831C6}" /F
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{3C463EC2-6181-C191-A8C9-A4D6D76B33DB}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D189CA6A-1987-5A96-5095-E9C2B5B6702E}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{35699221-9155-D6DA-7068-8BC57602636B}" /F
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{AA5AED86-7BCC-6970-4C3F-E46AFF3EB48C}" /F
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{37D6E00D-6482-C67D-CE0C-16E6D9E89B10}" /F
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5032
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4204
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{0E5D391E-6A9E-101C-B6DF-F60A80231A87}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{202AFC46-6CDD-FE82-8C52-5990104C20F0}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4396
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{1CD20007-3B87-3336-1349-C7AE26E01D83}" /F
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{FC93A1AC-E200-CECA-C86C-DBF8D10831C6}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{3C463EC2-6181-C191-A8C9-A4D6D76B33DB}" /F
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{D189CA6A-1987-5A96-5095-E9C2B5B6702E}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4172
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{35699221-9155-D6DA-7068-8BC57602636B}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{AA5AED86-7BCC-6970-4C3F-E46AFF3EB48C}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:712
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Classes\CLSID\{37D6E00D-6482-C67D-CE0C-16E6D9E89B10}" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "FName" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "LName" /F
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "Email" /F
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "Serial" /F
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "scansk" /F
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "tvfrdt" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "radxcnt" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "LstCheck" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "ptrk_scdt" /F
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "LastCheckQU" /F
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /F
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll"
    3⤵
    - Loads dropped DLL
    PID:3408
- - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
    "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2244
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:1440
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:428
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1168
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:1476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:3452
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:2280
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:4284
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      PID:3704
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:3012
- - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
    "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /f /im IDMan.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\is-SPHRM.tmp\idmreg.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3816
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3876
- - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1612
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      PID:4568
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3216
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      PID:228
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5040
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      PID:2128
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5024
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      4⤵
      PID:3928
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        5⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4500
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9227acdf-fb94-4400-87b2-6014c370f40a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" gpu
        6⤵
        
        PID:4908
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f586a46-8f1b-4dc5-b094-81f852226325} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" socket
        6⤵
        Checks processor information in registry
        
        PID:4924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 2712 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cac6f57e-06d4-47df-8257-0e6b43b2ebc3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4396
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4bd6039-5be5-4172-a3a6-943a072ca195} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4244 -prefMapHandle 4280 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {546f2eb2-5fd1-49c5-91cc-75842e69b80c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" utility
        6⤵
        Checks processor information in registry
        
        PID:5244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0de39e34-76a8-49a1-8026-780fa7bbd21f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5944
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3304 -childID 4 -isForBrowser -prefsHandle 2372 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f5d64e-4aae-4758-a734-ca227d4514a4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:2344
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 5 -isForBrowser -prefsHandle 4680 -prefMapHandle 3732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16970568-e6f2-45e9-856e-4e9918713954} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1772
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24e793de-c63f-4cb0-a909-4be3576d20c2} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4400
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4280 -childID 7 -isForBrowser -prefsHandle 2356 -prefMapHandle 3452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e2d1ea1-ef14-4b50-abb8-ce7245e07b3a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 8 -isForBrowser -prefsHandle 6120 -prefMapHandle 6116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e14d2fe2-68ff-466e-939e-da4ee291c6ec} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4192
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 9 -isForBrowser -prefsHandle 6132 -prefMapHandle 6128 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3273e5c5-963c-486d-ad1b-bb4745236ba8} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:2732
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 10 -isForBrowser -prefsHandle 6440 -prefMapHandle 6444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbfcb7ad-b912-43cc-8189-3163a9e31ba5} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1920
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 11 -isForBrowser -prefsHandle 6536 -prefMapHandle 6428 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccda3bcc-b93f-442a-8fa8-a80807e9536c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4384
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6560 -childID 12 -isForBrowser -prefsHandle 5536 -prefMapHandle 2356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {937db3bd-e366-47b2-ad41-6d5abea7235a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1460
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -childID 13 -isForBrowser -prefsHandle 3304 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71be1bd-a30c-47e8-a4fd-80c221905ede} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -childID 14 -isForBrowser -prefsHandle 6544 -prefMapHandle 5972 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a43bfd5-aa60-49ef-bf74-ecd4f848186b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4680
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 15 -isForBrowser -prefsHandle 5296 -prefMapHandle 3720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adde7a98-012d-4ca1-88d0-b428c96e7539} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1572
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7580 -childID 16 -isForBrowser -prefsHandle 3564 -prefMapHandle 7196 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e72f4b6-1d51-44ee-b8f7-e58374c97a2c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3460
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7592 -childID 17 -isForBrowser -prefsHandle 7316 -prefMapHandle 7328 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03783d34-b411-4d15-981f-2a2707c08acc} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:2904
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7916 -childID 18 -isForBrowser -prefsHandle 6132 -prefMapHandle 7416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71bd074c-1dbf-4483-a77a-280f2b1f22cf} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5132
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7924 -childID 19 -isForBrowser -prefsHandle 7580 -prefMapHandle 7592 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4843328c-35b8-4f8e-8a60-80418d519877} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5128
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7492 -childID 20 -isForBrowser -prefsHandle 7504 -prefMapHandle 7512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce86d98-236b-4b9c-af8f-fcbf2ae21adb} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5556
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7484 -childID 21 -isForBrowser -prefsHandle 7564 -prefMapHandle 7568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {878043a1-4458-46eb-b08c-06aa846e128f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5568
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6828 -childID 22 -isForBrowser -prefsHandle 8444 -prefMapHandle 8452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cae2b50-8974-494c-b43d-6e95cc9a053e} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5652
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6880 -childID 23 -isForBrowser -prefsHandle 6384 -prefMapHandle 6388 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc23c03c-68b5-4bae-8628-167b5e296ae4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6816 -childID 24 -isForBrowser -prefsHandle 8732 -prefMapHandle 8736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {753fa5c8-b020-441a-921d-fda611dcf448} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5668
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 25 -isForBrowser -prefsHandle 8720 -prefMapHandle 8724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4379efbb-f69f-4767-8c79-8f50166c52b9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5672
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8608 -childID 26 -isForBrowser -prefsHandle 8760 -prefMapHandle 8764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db6d9c2f-c145-47a7-9f64-f5c52f2b366f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5284
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7900 -childID 27 -isForBrowser -prefsHandle 7908 -prefMapHandle 7848 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd54bd3d-bc31-45ab-8851-5c53d11439da} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5328
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9156 -childID 28 -isForBrowser -prefsHandle 6784 -prefMapHandle 9144 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a0ae2a5-c529-4872-87eb-f6168e927487} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5324
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6804 -childID 29 -isForBrowser -prefsHandle 6796 -prefMapHandle 6792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8091fbb6-51cd-4997-8272-938c220fd68a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5628
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9616 -childID 30 -isForBrowser -prefsHandle 9584 -prefMapHandle 9580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8eec33-d670-4e0b-84cf-f32714f730b9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3340
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9624 -childID 31 -isForBrowser -prefsHandle 9596 -prefMapHandle 9592 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72f8312f-27f5-48a5-97aa-20020c20cad6} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3616
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9940 -childID 32 -isForBrowser -prefsHandle 9828 -prefMapHandle 9832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b61555e-fd9c-431e-8478-836306e30d61} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1696
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9932 -childID 33 -isForBrowser -prefsHandle 9812 -prefMapHandle 9816 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d4f3d3-a5ba-46eb-8a66-a9a803ef69ad} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5384
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10204 -childID 34 -isForBrowser -prefsHandle 10108 -prefMapHandle 9924 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9349df52-09d7-4aa5-a43b-3ca3a75e7a29} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6172
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10220 -childID 35 -isForBrowser -prefsHandle 10208 -prefMapHandle 10200 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82606b47-dd4b-45de-a524-2ec2e8831de3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6188
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10608 -childID 36 -isForBrowser -prefsHandle 10704 -prefMapHandle 10708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d09fc80c-4a52-4e47-8876-4b99d7c01b5f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6212
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10600 -childID 37 -isForBrowser -prefsHandle 10692 -prefMapHandle 10696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e123308a-d130-43d6-946c-56933f9461d5} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6220
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11140 -childID 38 -isForBrowser -prefsHandle 10984 -prefMapHandle 10884 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81420fa0-863d-454d-a2b6-2715c0b8d8e9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6264
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11148 -childID 39 -isForBrowser -prefsHandle 11000 -prefMapHandle 10992 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e56bab12-a6ee-4e10-b475-5c98a87fdae3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6272
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11552 -childID 40 -isForBrowser -prefsHandle 11292 -prefMapHandle 11480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc09b82a-4b7e-4dd5-a9fc-3f0d3612d8a1} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6292
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11560 -childID 41 -isForBrowser -prefsHandle 11384 -prefMapHandle 11380 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea6afe4a-3c7f-467a-a588-df07bddaabd4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6300
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11764 -childID 42 -isForBrowser -prefsHandle 11924 -prefMapHandle 11692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d6830a-ee46-4d04-b253-594825b18601} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6348
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11944 -childID 43 -isForBrowser -prefsHandle 11936 -prefMapHandle 11932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19a22d94-87df-44de-a8ff-04b639c1c10c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12256 -childID 44 -isForBrowser -prefsHandle 12272 -prefMapHandle 12276 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919231c3-1809-4de4-a878-44e6d6a60358} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6376
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12240 -childID 45 -isForBrowser -prefsHandle 12252 -prefMapHandle 12260 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ee5b42-721a-4dbd-ac3d-f24e83de25be} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6384
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12700 -childID 46 -isForBrowser -prefsHandle 12440 -prefMapHandle 12240 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaf31fde-cb8b-4d3d-a098-e4363fd183c2} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6400
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12708 -childID 47 -isForBrowser -prefsHandle 12532 -prefMapHandle 12528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74f48080-8aa8-4dd8-ad68-8ebda4d541f5} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12812 -childID 48 -isForBrowser -prefsHandle 12928 -prefMapHandle 12920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e00fb4ef-e22e-4321-9915-045521765a45} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6428
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12916 -childID 49 -isForBrowser -prefsHandle 12940 -prefMapHandle 12936 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c464f9-e00e-4fc0-b10d-acbdf476ae2f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6436
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13208 -childID 50 -isForBrowser -prefsHandle 13476 -prefMapHandle 13472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {530dffe3-e9e5-47b0-a92b-e1653c4fc353} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6452
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13496 -childID 51 -isForBrowser -prefsHandle 13488 -prefMapHandle 13484 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2c6dae-182f-46af-b1c1-428d54fe2cd9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6460
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13496 -childID 52 -isForBrowser -prefsHandle 13812 -prefMapHandle 13332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a254db-5c6f-4522-9c35-efcb685ad02b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6476
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13712 -childID 53 -isForBrowser -prefsHandle 13512 -prefMapHandle 13620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bb44011-9bc9-4055-a2f6-1af34bb68921} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6484
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14176 -childID 54 -isForBrowser -prefsHandle 14252 -prefMapHandle 14248 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2bcb9f8-97d5-4100-924f-95f188a27033} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6500
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13980 -childID 55 -isForBrowser -prefsHandle 14264 -prefMapHandle 14260 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80a65965-60fb-4260-8d93-1566ab7c8154} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6508
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14472 -childID 56 -isForBrowser -prefsHandle 14456 -prefMapHandle 14368 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a386b866-aa9a-4edc-89f7-71f4039345c1} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14488 -childID 57 -isForBrowser -prefsHandle 14476 -prefMapHandle 14468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e64c3bd-d7fd-4a1c-ab0e-785aed808022} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6532
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14948 -childID 58 -isForBrowser -prefsHandle 15024 -prefMapHandle 15020 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ddd5d3-6c6e-4213-beae-3b80dace5323} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14760 -childID 59 -isForBrowser -prefsHandle 15036 -prefMapHandle 15032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fb279d-fbcf-4824-bde0-13ce83ebdfec} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6556
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15256 -childID 60 -isForBrowser -prefsHandle 15240 -prefMapHandle 15140 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0c0f0be-ecce-405b-981a-e20f6f68f3c3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6572
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15276 -childID 61 -isForBrowser -prefsHandle 15260 -prefMapHandle 15252 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc47633-454b-45c3-80ad-596bd1c55bcf} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6580
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15788 -childID 62 -isForBrowser -prefsHandle 15532 -prefMapHandle 15276 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e82060-1ab8-437c-bb22-7c92cda6d715} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6628
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15796 -childID 63 -isForBrowser -prefsHandle 15624 -prefMapHandle 15620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cd0369e-b2ea-465e-b80a-e32d0f28062b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6636
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16172 -childID 64 -isForBrowser -prefsHandle 15812 -prefMapHandle 15908 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d5342e-23a1-4174-9bf8-cff3b6ac578e} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6664
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16180 -childID 65 -isForBrowser -prefsHandle 16012 -prefMapHandle 15912 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6978c619-ea10-4070-8bd7-2600b674b834} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6672
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16556 -childID 66 -isForBrowser -prefsHandle 16188 -prefMapHandle 16300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {129c6f3f-2b11-4812-a73d-324a2194966f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6688
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16564 -childID 67 -isForBrowser -prefsHandle 16396 -prefMapHandle 16392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {494c96c4-0cd6-41a3-9d49-00fcd533a7f1} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6696
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16788 -childID 68 -isForBrowser -prefsHandle 16664 -prefMapHandle 16556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b985dc6c-ffc7-4d49-a34f-b8426820ce2c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16800 -childID 69 -isForBrowser -prefsHandle 16780 -prefMapHandle 16772 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0339ce83-4b0b-4564-b8af-f8d934d6671b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6720
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17256 -childID 70 -isForBrowser -prefsHandle 17176 -prefMapHandle 17180 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f53929ac-1b3b-45a0-8c03-35c01d4e45fd} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17344 -childID 71 -isForBrowser -prefsHandle 17264 -prefMapHandle 17268 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808cb793-553a-46bd-901d-91b3deabbcc6} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17256 -childID 72 -isForBrowser -prefsHandle 17716 -prefMapHandle 17712 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b007284-9c52-47ad-96a9-e1238a27e770} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6760
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17544 -childID 73 -isForBrowser -prefsHandle 17728 -prefMapHandle 17724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5d9b1ce-8ba4-42da-b88a-37f3f2f91ab5} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17940 -childID 74 -isForBrowser -prefsHandle 17848 -prefMapHandle 17544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c341391-033c-4c6b-9d71-76679dec43bf} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6784
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17952 -childID 75 -isForBrowser -prefsHandle 17944 -prefMapHandle 17936 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {279105a0-e871-46bb-8ec3-e7cac53db2a6} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18328 -childID 76 -isForBrowser -prefsHandle 18208 -prefMapHandle 17940 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {005b3c53-ad65-4cd9-8091-418525ef1efa} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18340 -childID 77 -isForBrowser -prefsHandle 18320 -prefMapHandle 18312 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef8649c5-5cf2-40c8-81eb-07917230ad44} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6816
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18340 -childID 78 -isForBrowser -prefsHandle 18872 -prefMapHandle 18868 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {927be593-1ed9-42db-b75f-38361b780eb0} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6832
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18596 -childID 79 -isForBrowser -prefsHandle 18884 -prefMapHandle 18880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87fd3c13-2c4a-42d8-ab76-1c37fbcafa13} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6840
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19120 -childID 80 -isForBrowser -prefsHandle 19220 -prefMapHandle 19224 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af150ac-fa23-4b65-a86d-2829e95c0914} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6856
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19108 -childID 81 -isForBrowser -prefsHandle 19208 -prefMapHandle 19212 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11361c64-0651-4b96-821a-54b7bcce87ac} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6864
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19480 -childID 82 -isForBrowser -prefsHandle 19468 -prefMapHandle 19376 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e77fe44c-2640-46e6-92e8-ef922f2ca9b2} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6880
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19636 -childID 83 -isForBrowser -prefsHandle 19488 -prefMapHandle 19484 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6da8e2a5-289a-484f-a372-fe7bb1736a80} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6888
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19872 -childID 84 -isForBrowser -prefsHandle 19756 -prefMapHandle 19480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd62cb8d-cb7d-41f5-a44a-754fd976de5d} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6904
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19884 -childID 85 -isForBrowser -prefsHandle 19864 -prefMapHandle 19860 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50870b2c-c1b6-4c03-a8cc-5b6f3fcd827a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19884 -childID 86 -isForBrowser -prefsHandle 20412 -prefMapHandle 20408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bceb3715-f0c5-4c90-a1a5-4b1f820f7951} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6928
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20144 -childID 87 -isForBrowser -prefsHandle 20424 -prefMapHandle 20420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {683bb9ca-091a-4e82-8eab-b0cd66363bdd} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6936
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20796 -childID 88 -isForBrowser -prefsHandle 20544 -prefMapHandle 20524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2c501be-896f-47c1-9e3e-bf7d97061903} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6952
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20640 -childID 89 -isForBrowser -prefsHandle 20636 -prefMapHandle 20632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d975693-b858-4456-841a-acd280fcd623} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6960
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21180 -childID 90 -isForBrowser -prefsHandle 20656 -prefMapHandle 20644 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a6f003b-7ea3-47b4-baf2-1420108e58c4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6976
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21024 -childID 91 -isForBrowser -prefsHandle 21020 -prefMapHandle 20920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6c756e-0fe0-4353-ad3d-096a63a96b4b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6984
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21420 -childID 92 -isForBrowser -prefsHandle 21404 -prefMapHandle 21396 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a1fe8a2-29fe-4bb7-9322-ee430d3d2032} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7000
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21500 -childID 93 -isForBrowser -prefsHandle 21424 -prefMapHandle 21416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3364a284-fb5e-422c-8977-2e2e67549060} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7008
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21952 -childID 94 -isForBrowser -prefsHandle 21700 -prefMapHandle 21584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60660cb9-0867-401a-97b9-520e97e85963} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7024
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=21800 -childID 95 -isForBrowser -prefsHandle 21792 -prefMapHandle 21788 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76676b01-a206-4882-81ef-96e73f2f7423} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22072 -childID 96 -isForBrowser -prefsHandle 22340 -prefMapHandle 22336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a6c64a4-e724-4dff-be85-116a6d33c342} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22176 -childID 97 -isForBrowser -prefsHandle 22352 -prefMapHandle 22348 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf93932f-e4db-4b68-9f83-0c2d50222d1d} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7056
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22568 -childID 98 -isForBrowser -prefsHandle 22552 -prefMapHandle 22476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f8e39e-ade4-4e77-ab90-398f314af7f0} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7072
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22584 -childID 99 -isForBrowser -prefsHandle 22572 -prefMapHandle 22564 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65510811-3870-4c00-92c0-2e90c95f6521} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7080
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22980 -childID 100 -isForBrowser -prefsHandle 22936 -prefMapHandle 22836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab3d0279-d832-4518-b9e8-bf5a2aac778a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7096
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=22952 -childID 101 -isForBrowser -prefsHandle 23052 -prefMapHandle 23056 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14839c6a-e37c-4261-8477-13b790572f54} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7104
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23336 -childID 102 -isForBrowser -prefsHandle 23240 -prefMapHandle 22952 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bbf9b5-6488-4aec-9e6e-2b8fc568f2bc} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7120
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23352 -childID 103 -isForBrowser -prefsHandle 23340 -prefMapHandle 23332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac318f39-ed9a-4049-b3fe-2c2e77be7215} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7128
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23720 -childID 104 -isForBrowser -prefsHandle 23708 -prefMapHandle 23620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7003df03-7fd5-4af5-8fda-0266332927e0} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7144
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=23740 -childID 105 -isForBrowser -prefsHandle 23728 -prefMapHandle 23724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93ff07e4-8316-44de-ad34-2a793a1d6d09} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7156
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24264 -childID 106 -isForBrowser -prefsHandle 23996 -prefMapHandle 23880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d6baa0-88a5-491c-93a4-1947a62e767b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24108 -childID 107 -isForBrowser -prefsHandle 24104 -prefMapHandle 24100 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d5660a-8cb7-4dd4-8fdc-11fcd53b02c8} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6156
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24388 -childID 108 -isForBrowser -prefsHandle 24396 -prefMapHandle 24400 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82b21fa9-b5a5-4011-9e5f-7fb8cd2eb2ad} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24684 -childID 109 -isForBrowser -prefsHandle 24692 -prefMapHandle 24696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f71e50c8-a284-445e-8383-d797c0bc356e} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6280
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24672 -childID 110 -isForBrowser -prefsHandle 24804 -prefMapHandle 24808 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {672ab518-c1f6-4c8d-9227-0165643286d6} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6312
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=24960 -childID 111 -isForBrowser -prefsHandle 25088 -prefMapHandle 25092 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c1f96d-21f4-4de7-995b-4258931e6a34} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1516
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=25084 -childID 112 -isForBrowser -prefsHandle 25168 -prefMapHandle 25172 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {897566b8-2671-4e8c-9b6c-dcc95ae5c504} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6396
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=25564 -childID 113 -isForBrowser -prefsHandle 25584 -prefMapHandle 25588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a5b063-a6ec-475b-bd00-1896e002239f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6564
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=25552 -childID 114 -isForBrowser -prefsHandle 25572 -prefMapHandle 25576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {507bceb0-8722-41e7-9224-ae43f53ad33d} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=25844 -childID 115 -isForBrowser -prefsHandle 25732 -prefMapHandle 25564 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3584192-e69b-4030-975c-62ba9b52fb2f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6620
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=25860 -childID 116 -isForBrowser -prefsHandle 25848 -prefMapHandle 25836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {661812d3-5d3d-44dd-8808-d8f49e7181a9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6644
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26224 -childID 117 -isForBrowser -prefsHandle 26212 -prefMapHandle 26124 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1178da50-8efe-4112-b3b5-9a1b69b284f9} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26244 -childID 118 -isForBrowser -prefsHandle 26232 -prefMapHandle 26228 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abf00bf2-59a0-4d5f-aea6-c23f1d12ff43} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6684
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26612 -childID 119 -isForBrowser -prefsHandle 26508 -prefMapHandle 26244 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d539b1e6-5e06-468f-a875-165c1fe73929} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6732
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26632 -childID 120 -isForBrowser -prefsHandle 26616 -prefMapHandle 26600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {484f81da-437d-4c70-aa75-73e9b0cfbf52} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6756
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26632 -childID 121 -isForBrowser -prefsHandle 27160 -prefMapHandle 27156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df85c877-64d2-4805-ab74-637e80d72fca} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=26884 -childID 122 -isForBrowser -prefsHandle 27172 -prefMapHandle 27168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {610dfba7-099d-436d-9415-a4a89a0c0731} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=27512 -childID 123 -isForBrowser -prefsHandle 27300 -prefMapHandle 27288 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a97792e-46e2-48df-9c89-e8e114e4b88a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6876
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=27500 -childID 124 -isForBrowser -prefsHandle 27004 -prefMapHandle 27008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c6ed6a0-dd4a-4ffc-8ece-3224c19e9ae1} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=27772 -childID 125 -isForBrowser -prefsHandle 27756 -prefMapHandle 27668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2fb9a58-486a-42b3-ab08-801c39702537} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6948
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=27780 -childID 126 -isForBrowser -prefsHandle 27768 -prefMapHandle 27764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52588e4b-b195-45b7-87aa-b34156929e13} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6968
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28312 -childID 127 -isForBrowser -prefsHandle 28136 -prefMapHandle 28048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7b45dd-64a1-435e-8af4-509880e2d23d} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7044
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28324 -childID 128 -isForBrowser -prefsHandle 28148 -prefMapHandle 28144 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65ac4bb8-5288-431d-b4fa-ad60b5db3260} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28552 -childID 129 -isForBrowser -prefsHandle 28528 -prefMapHandle 28636 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563fc91a-0efe-4d70-90ca-dc48ac3ebdf8} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28560 -childID 130 -isForBrowser -prefsHandle 28548 -prefMapHandle 28544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce0ab8f0-0689-441b-bcb2-5d8fca4b7eb3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:2964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=29028 -childID 131 -isForBrowser -prefsHandle 29020 -prefMapHandle 29016 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf9c920-eb01-4463-93ba-6fb28b1c3b42} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3928
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=29108 -childID 132 -isForBrowser -prefsHandle 29100 -prefMapHandle 29096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b7a0b82-1800-4aab-a118-acffb343e0d5} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6228
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=29348 -childID 133 -isForBrowser -prefsHandle 29464 -prefMapHandle 29460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {740ccdf6-b7e1-4d74-b4dc-0fb8181ac113} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:5056
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28948 -childID 134 -isForBrowser -prefsHandle 29476 -prefMapHandle 29472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47d2d1e4-7e8e-460b-ac48-d370b68708d4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:4952
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=28936 -childID 135 -isForBrowser -prefsHandle 29608 -prefMapHandle 28948 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0931ce81-d368-4eda-81bc-1263109e4b88} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6612
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=29708 -childID 136 -isForBrowser -prefsHandle 28912 -prefMapHandle 28920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c4b0d4d-da75-4b1e-9360-e6e85e2370b4} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6328
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30072 -childID 137 -isForBrowser -prefsHandle 29980 -prefMapHandle 29708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aead81d-b8e4-4fd9-9b29-f619a76bf700} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:3976
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30092 -childID 138 -isForBrowser -prefsHandle 30080 -prefMapHandle 30076 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0ed06c4-7a37-4096-9b4d-7c4d12704a32} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:2108
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30484 -childID 139 -isForBrowser -prefsHandle 30492 -prefMapHandle 30500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff499d11-3ab2-481f-8d0a-5a57c568b87f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6444
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30636 -childID 140 -isForBrowser -prefsHandle 30452 -prefMapHandle 30560 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c142d31-a639-4d58-afa6-a08b2cadc42a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6472
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30860 -childID 141 -isForBrowser -prefsHandle 30964 -prefMapHandle 30968 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fabfaea2-6df6-4577-ae3c-41cb75391b82} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6520
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=30852 -childID 142 -isForBrowser -prefsHandle 30952 -prefMapHandle 30956 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b64d9098-c9b3-4b00-8676-550ca4784669} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:1556
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31388 -childID 143 -isForBrowser -prefsHandle 31128 -prefMapHandle 30852 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9003746e-0e90-41d9-bc6b-f4cdd8fc46f7} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6656
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31396 -childID 144 -isForBrowser -prefsHandle 31220 -prefMapHandle 31216 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {685e4c75-577c-4ff8-8117-b1a957aa289c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:6708
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31724 -childID 145 -isForBrowser -prefsHandle 31736 -prefMapHandle 31740 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72a9fae-70ab-4208-8a82-d558bf3b84ee} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7172
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31704 -childID 146 -isForBrowser -prefsHandle 31716 -prefMapHandle 31720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0000b5f1-5227-44dd-90f1-ee3261bb8962} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7180
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31704 -childID 147 -isForBrowser -prefsHandle 32164 -prefMapHandle 32160 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c5aed6f-f283-4be9-974f-1516aa839ac0} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7196
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=31888 -childID 148 -isForBrowser -prefsHandle 32176 -prefMapHandle 32172 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98fba0f5-86d0-4163-ab56-bdfbb92ac937} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=32412 -childID 149 -isForBrowser -prefsHandle 32512 -prefMapHandle 32516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef56b8c-762d-4529-b2ff-235630f9d710} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7220
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=32400 -childID 150 -isForBrowser -prefsHandle 32500 -prefMapHandle 32504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8544efe9-f169-4a4d-a7ef-7c007f9cf4db} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7228
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=32932 -childID 151 -isForBrowser -prefsHandle 32376 -prefMapHandle 32412 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf04137c-ed87-4b71-a444-b6fd7c706858} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=32940 -childID 152 -isForBrowser -prefsHandle 32772 -prefMapHandle 32760 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c661007-1bab-47b4-89a5-3610b39e8384} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7256
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=33200 -childID 153 -isForBrowser -prefsHandle 33208 -prefMapHandle 33212 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6be8d479-8130-4043-b68d-4cd095f20700} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7272
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=33288 -childID 154 -isForBrowser -prefsHandle 33296 -prefMapHandle 33300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {526cefdb-951c-46ba-8397-d40b182ab41b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7280
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=33580 -childID 155 -isForBrowser -prefsHandle 33608 -prefMapHandle 33612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {365abaab-4f08-4e02-83ca-67869e62650b} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7296
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=33708 -childID 156 -isForBrowser -prefsHandle 33716 -prefMapHandle 33720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {467033cb-c0d7-47cf-9e22-d4b3bc43b812} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7304
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=33896 -childID 157 -isForBrowser -prefsHandle 9544 -prefMapHandle 9420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {000baf55-f146-4918-80b1-40bc56088bf3} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7440
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9524 -childID 158 -isForBrowser -prefsHandle 9532 -prefMapHandle 9536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {001ecb03-7006-47ed-86f2-07b9674ea257} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" tab
        6⤵
        
        PID:7556
  - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
      "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4268
    - - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1476
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:2388
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:6036
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:3976
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:7332
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:10712
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5020
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        
        PID:5388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2488
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5ce71650-00ca-6a44-93d7-a8910083d876}\idmwfp.inf" "9" "4fc2928b3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Internet Download Manager"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3480
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000158" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000158" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery