Today I want to introduce the psxview plugin. Sometimes malware does not show up in pslist or pstree at all, so we need psxview to cross-check the different process views for us and pick out the suspicious process.
Download links:
Volatility 2 : https://github.com/volatilityfoundation/volatility
Volatility 3 : https://github.com/volatilityfoundation/volatility3
The classic memory-analysis tool: its commands pull the key information out of a memory dump, such as processes, network connections, files, and so on.
For basic usage I recommend just searching online for one of the command reference docs people have already put together.
Volatility comes in versions 2 and 3. The difference is that one has to run under python2 and the other under python3. Volatility 2 is no longer maintained, but as of now some of its plugins are still more complete and more numerous than those of Volatility 3, so some people still lean towards Volatility 2.
Yes, that's right: six days into memory forensics and only now are we getting to what pslist/pstree actually are.
pslist/pstree let us see which processes were running on the machine. They work by using the Symbol Table to find the address of the Windows kernel's PsActiveProcessHead, then walking that linked list along the ActiveProcessLinks pointers, reading each EPROCESS structure in turn and parsing the fields that matter, such as ImageFileName, UniqueProcessId, CreateTime, ExitTime and so on.
source:https://www.tophertimzen.com/resources/cs407/slides/week02_02-Processes.html#slide13
pstree, in turn, takes the pslist results and rearranges them into a parent-child tree.
If you follow either of the approaches in https://ithelp.ithome.com.tw/m/articles/10321120 or https://ithelp.ithome.com.tw/articles/10335699, you'll find that malware really can hide a process so that pslist and pstree cannot detect it, which is why we can try psscan to detect it instead.
First, some background: when the Windows kernel allocates memory for many kernel objects (for example EPROCESS, ETHREAD, FILE_OBJECT), it places a 4-byte pool tag in the _POOL_HEADER to mark the purpose or origin of that allocation.
psscan is a scanner built on pool-tag scanning: it searches the memory dump for _POOL_HEADERs carrying the relevant pool tag, then runs structural sanity checks on every candidate block (for example field ranges, whether pointers point into readable memory, whether the process name is readable) to decide whether the block is a valid EPROCESS/ETHREAD.
Therefore, even if the process object has been unlinked from the kernel's active list (for example, hidden by a rootkit), psscan can usually still find it, as long as its pool allocation is still in memory and has not been overwritten.
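To make the difference between the two approaches concrete, here is an added simulation (my own example for this post, not Volatility's code) of a list walk versus a pool-tag scan over a fake memory image. The pool header and EPROCESS-like record layouts, the list-head address HEAD, the base address BASE and the process names are all constructed for the example and are not the real Windows layouts; only the "Proc" tag is taken from Windows. One process is given a pool block but is left out of the linked list, which is exactly the state pslist cannot see and psscan can.

```python
import struct

# Windows tags EPROCESS pool allocations "Proc"; the header/record layouts below are
# constructed for this simulation and are not the real _POOL_HEADER/_EPROCESS layouts.
POOL_TAG = b"Proc"
HDR_FMT = "<4sI"       # stand-in pool header: tag, block size
REC_FMT = "<QQQ16s"    # stand-in EPROCESS: pid, flink, blink, image name
HDR_SIZE = struct.calcsize(HDR_FMT)
REC_SIZE = struct.calcsize(REC_FMT)
BLOCK = HDR_SIZE + REC_SIZE
HEAD = 0x800           # constructed address of the PsActiveProcessHead list entry
BASE = 0x1000          # constructed address of the first pool allocation


def build_image(procs, hidden=()):
    """Lay out a fake memory image: a bare list entry at HEAD plus one tagged pool
    block per process. Processes in `hidden` get a block but are left out when the
    list is threaded, which is the state an unlinked (hidden) process is in."""
    image = bytearray(BASE + BLOCK * len(procs) + 0x100)
    rec_off = {pid: BASE + BLOCK * i + HDR_SIZE for i, (pid, _) in enumerate(procs)}
    chain = [HEAD] + [rec_off[pid] for pid, _ in procs if pid not in hidden]
    links = {off: (chain[(i + 1) % len(chain)], chain[i - 1]) for i, off in enumerate(chain)}
    struct.pack_into(REC_FMT, image, HEAD, 0, *links[HEAD], b"")
    for pid, name in procs:
        off = rec_off[pid]
        flink, blink = links.get(off, (off, off))   # unlinked block: links point at itself
        struct.pack_into(HDR_FMT, image, off - HDR_SIZE, POOL_TAG, BLOCK)
        struct.pack_into(REC_FMT, image, off, pid, flink, blink, name.encode())
    return bytes(image)


def read_rec(image, off):
    """Decode one EPROCESS-like record at `off`."""
    pid, flink, blink, name = struct.unpack_from(REC_FMT, image, off)
    return {"pid": pid, "flink": flink, "blink": blink, "offset": off,
            "name": name.split(b"\0", 1)[0].decode(errors="replace")}


def pslist(image):
    """Walk the doubly linked list from the head, the way pslist does."""
    seen, out = set(), []
    cur = read_rec(image, HEAD)["flink"]
    while cur != HEAD and cur not in seen:   # `seen` guards against a corrupted loop
        seen.add(cur)
        rec = read_rec(image, cur)
        out.append(rec)
        cur = rec["flink"]
    return out


def plausible(image, rec):
    """The kind of sanity checks psscan applies to a candidate: both list pointers
    must land inside the image and the image name must be non-empty and printable."""
    def inside(ptr):
        return 0 <= ptr <= len(image) - REC_SIZE
    return (inside(rec["flink"]) and inside(rec["blink"])
            and rec["name"] != "" and rec["name"].isprintable())


def psscan(image):
    """Scan the whole image for the pool tag, ignoring the linked list entirely."""
    out, pos = [], image.find(POOL_TAG)
    while pos != -1 and pos + BLOCK <= len(image):
        _tag, size = struct.unpack_from(HDR_FMT, image, pos)
        rec = read_rec(image, pos + HDR_SIZE)
        if size == BLOCK and plausible(image, rec):
            out.append(rec)
        pos = image.find(POOL_TAG, pos + 1)
    return out


def cross_reference(image):
    """The psxview idea in one line: pids the scanner sees but the list walk does not."""
    listed = {r["pid"] for r in pslist(image)}
    return sorted(r["pid"] for r in psscan(image) if r["pid"] not in listed)


# Constructed sample: three normal processes and one that is allocated but unlinked.
PROCS = [(4, "System"), (676, "services.exe"), (5896, "oneetx.exe"), (1337, "hidden.exe")]
SAMPLE = build_image(PROCS, hidden={1337})

if __name__ == "__main__":
    print("pslist :", [r["pid"] for r in pslist(SAMPLE)])
    print("psscan :", [r["pid"] for r in psscan(SAMPLE)])
    print("psscan only:", cross_reference(SAMPLE))
```

Running it, the list walk returns pids 4, 676 and 5896, the scan additionally returns 1337, and the cross-reference reports 1337 alone. The real plugins differ in the details (the scan checks far more fields, and the pointers point at the LIST_ENTRY inside the structure rather than at its start), but the relationship between the two views is the same.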
$ vol -f MemoryDump.mem windows.psscan
Volatility 3 Framework 2.11.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
832 676 msdtc.exe 0xad8185861280 9 - 0 False 2023-05-21 22:29:25.000000 UTC N/A Disabled
4 0 System 0xad8185883180 157 - N/A False 2023-05-21 22:27:10.000000 UTC N/A Disabled
108 4 Registry 0xad81858f2080 4 - N/A False 2023-05-21 22:26:54.000000 UTC N/A Disabled
3028 676 dllhost.exe 0xad8185907080 12 - 0 False 2023-05-21 22:29:20.000000 UTC N/A Disabled
5704 824 RuntimeBroker. 0xad8185962080 5 - 1 False 2023-05-21 22:32:44.000000 UTC N/A Disabled
332 4 smss.exe 0xad81860dc040 2 - N/A False 2023-05-21 22:27:10.000000 UTC N/A Disabled
452 444 csrss.exe 0xad81861cd080 12 - 0 False 2023-05-21 22:27:22.000000 UTC N/A Disabled
2404 2152 vm3dservice.ex 0xad8186619200 2 - 1 False 2023-05-21 22:28:32.000000 UTC N/A Disabled
528 520 csrss.exe 0xad8186f1b140 14 - 1 False 2023-05-21 22:27:25.000000 UTC N/A Disabled
552 444 wininit.exe 0xad8186f2b080 1 - 0 False 2023-05-21 22:27:25.000000 UTC N/A Disabled
588 520 winlogon.exe 0xad8186f450c0 5 - 1 False 2023-05-21 22:27:25.000000 UTC N/A Disabled
372 824 SkypeBackgroun 0xad8186f49080 3 - 1 False 2023-05-21 22:10:00.000000 UTC N/A Disabled
1232 676 svchost.exe 0xad8186f4a2c0 7 - 0 False 2023-05-21 22:29:39.000000 UTC N/A Disabled
676 552 services.exe 0xad8186f4d080 7 - 0 False 2023-05-21 22:27:29.000000 UTC N/A Disabled
696 552 lsass.exe 0xad8186fc6080 10 - 0 False 2023-05-21 22:27:29.000000 UTC N/A Disabled
852 552 fontdrvhost.ex 0xad818761b0c0 5 - 0 False 2023-05-21 22:27:33.000000 UTC N/A Disabled
824 676 svchost.exe 0xad818761d240 22 - 0 False 2023-05-21 22:27:32.000000 UTC N/A Disabled
860 588 fontdrvhost.ex 0xad818761f140 5 - 1 False 2023-05-21 22:27:33.000000 UTC N/A Disabled
952 676 svchost.exe 0xad81876802c0 12 - 0 False 2023-05-21 22:27:36.000000 UTC N/A Disabled
1016 588 dwm.exe 0xad81876e4340 15 - 1 False 2023-05-21 22:27:38.000000 UTC N/A Disabled
5656 824 RuntimeBroker. 0xad81876e8080 0 - 1 False 2023-05-21 21:58:19.000000 UTC 2023-05-21 22:02:01.000000 UTC Disabled
448 676 svchost.exe 0xad8187721240 54 - 0 False 2023-05-21 22:27:41.000000 UTC N/A Disabled
1012 676 svchost.exe 0xad818774c080 19 - 0 False 2023-05-21 22:27:43.000000 UTC N/A Disabled
752 676 svchost.exe 0xad8187758280 21 - 0 False 2023-05-21 22:27:43.000000 UTC N/A Disabled
1196 676 svchost.exe 0xad81877972c0 34 - 0 False 2023-05-21 22:27:46.000000 UTC N/A Disabled
1376 676 svchost.exe 0xad81878020c0 15 - 0 False 2023-05-21 22:27:49.000000 UTC N/A Disabled
1280 4 MemCompression 0xad8187835080 62 - N/A False 2023-05-21 22:27:49.000000 UTC N/A Disabled
1448 676 svchost.exe 0xad818796c2c0 30 - 0 False 2023-05-21 22:27:52.000000 UTC N/A Disabled
1496 676 svchost.exe 0xad81879752c0 12 - 0 False 2023-05-21 22:27:52.000000 UTC N/A Disabled
1644 676 svchost.exe 0xad8187a112c0 6 - 0 False 2023-05-21 22:27:58.000000 UTC N/A Disabled
1652 676 svchost.exe 0xad8187a2d2c0 10 - 0 False 2023-05-21 22:27:58.000000 UTC N/A Disabled
8896 5328 msedge.exe 0xad8187a39080 18 - 1 False 2023-05-21 22:28:21.000000 UTC N/A Disabled
1840 676 spoolsv.exe 0xad8187acb200 10 - 0 False 2023-05-21 22:28:03.000000 UTC N/A Disabled
1892 676 svchost.exe 0xad8187b34080 14 - 0 False 2023-05-21 22:28:05.000000 UTC N/A Disabled
2024 676 svchost.exe 0xad8187b65240 7 - 0 False 2023-05-21 22:28:11.000000 UTC N/A Disabled
2076 676 svchost.exe 0xad8187b94080 10 - 0 False 2023-05-21 22:28:19.000000 UTC N/A Disabled
1120 676 MsMpEng.exe 0xad818945c080 12 - 0 False 2023-05-21 22:10:01.000000 UTC N/A Disabled
2144 676 vmtoolsd.exe 0xad81896ab080 11 - 0 False 2023-05-21 22:28:19.000000 UTC N/A Disabled
2152 676 vm3dservice.ex 0xad81896ae240 2 - 0 False 2023-05-21 22:28:19.000000 UTC N/A Disabled
2200 676 VGAuthService. 0xad81896b3300 2 - 0 False 2023-05-21 22:28:19.000000 UTC N/A Disabled
3252 3580 vmtoolsd.exe 0xad8189796300 8 - 1 False 2023-05-21 22:31:59.000000 UTC N/A Disabled
464 3580 SecurityHealth 0xad818979d080 3 - 1 False 2023-05-21 22:31:59.000000 UTC N/A Disabled
130195296305516 127577716190325 � 0xad818997494d 1342177466 - - True 2000-08-31 04:07:25.000000 UTC - Disabled
2044 676 svchost.exe 0xad8189b27080 28 - 0 False 2023-05-21 22:49:29.000000 UTC N/A Disabled
3876 448 taskhostw.exe 0xad8189b30080 8 - 1 False 2023-05-21 22:08:02.000000 UTC N/A Disabled
5896 8844 oneetx.exe 0xad8189b41080 5 - 1 True 2023-05-21 22:30:56.000000 UTC N/A Disabled
3204 752 ctfmon.exe 0xad8189c8b280 12 - 1 False 2023-05-21 22:30:11.000000 UTC N/A Disabled
1600 448 taskhostw.exe 0xad8189d07300 10 - 1 False 2023-05-21 22:30:09.000000 UTC N/A Disabled
1064 676 svchost.exe 0xad8189d7c2c0 15 - 1 False 2023-05-21 22:30:09.000000 UTC N/A Disabled
1392 448 sihost.exe 0xad8189e94280 11 - 1 False 2023-05-21 22:30:08.000000 UTC N/A Disabled
3556 588 userinit.exe 0xad818c02f340 0 - 1 False 2023-05-21 22:30:28.000000 UTC 2023-05-21 22:30:43.000000 UTC Disabled
3580 3556 explorer.exe 0xad818c047340 76 - 1 False 2023-05-21 22:30:28.000000 UTC N/A Disabled
3944 824 WmiPrvSE.exe 0xad818c054080 13 - 0 False 2023-05-21 22:30:44.000000 UTC N/A Disabled
4448 824 RuntimeBroker. 0xad818c09a080 9 - 1 False 2023-05-21 22:31:33.000000 UTC N/A Disabled
6544 5328 msedge.exe 0xad818c0ea080 18 - 1 False 2023-05-21 22:22:35.000000 UTC N/A Disabled
3004 676 svchost.exe 0xad818c4212c0 7 - 0 False 2023-05-21 22:30:55.000000 UTC N/A Disabled
1116 676 svchost.exe 0xad818c426080 6 - 1 False 2023-05-21 22:31:00.000000 UTC N/A Disabled
6696 676 svchost.exe 0xad818c532080 8 - 0 False 2023-05-21 22:34:07.000000 UTC N/A Disabled
5156 5328 msedge.exe 0xad818c553080 14 - 1 False 2023-05-21 22:28:22.000000 UTC N/A Disabled
3160 824 StartMenuExper 0xad818cad3240 14 - 1 False 2023-05-21 22:31:21.000000 UTC N/A Disabled
7160 824 SearchApp.exe 0xad818ccc4080 57 - 1 False 2023-05-21 22:39:13.000000 UTC N/A Disabled
4116 824 RuntimeBroker. 0xad818cd93300 3 - 1 False 2023-05-21 22:31:24.000000 UTC N/A Disabled
4228 676 SearchIndexer. 0xad818ce06240 15 - 0 False 2023-05-21 22:31:27.000000 UTC N/A Disabled
3608 676 svchost.exe 0xad818d07a080 3 - 0 False 2023-05-21 22:41:28.000000 UTC N/A Disabled
5328 3580 msedge.exe 0xad818d0980c0 54 - 1 False 2023-05-21 22:32:02.000000 UTC N/A Disabled
1916 824 SearchApp.exe 0xad818d099080 24 - 1 False 2023-05-21 22:33:05.000000 UTC N/A Disabled
6200 676 SgrmBroker.exe 0xad818d09f080 7 - 0 False 2023-05-21 22:33:42.000000 UTC N/A Disabled
2228 3580 FTK Imager.exe 0xad818d143080 10 - 1 False 2023-05-21 22:43:56.000000 UTC N/A Disabled
1764 824 dllhost.exe 0xad818d176080 7 - 1 False 2023-05-21 22:32:48.000000 UTC N/A Disabled
7732 5896 rundll32.exe 0xad818d1912c0 1 - 1 True 2023-05-21 22:31:53.000000 UTC N/A Disabled
5136 676 SecurityHealth 0xad818d374280 7 - 0 False 2023-05-21 22:32:01.000000 UTC N/A Disabled
6644 824 SkypeApp.exe 0xad818d3ac080 49 - 1 False 2023-05-21 22:41:52.000000 UTC N/A Disabled
5480 448 oneetx.exe 0xad818d3d6080 6 - 1 True 2023-05-21 23:03:00.000000 UTC N/A Disabled
8708 676 svchost.exe 0xad818d431080 5 - 0 False 2023-05-21 22:57:33.000000 UTC N/A Disabled
4396 5328 msedge.exe 0xad818d515080 7 - 1 False 2023-05-21 22:32:19.000000 UTC N/A Disabled
4544 5328 msedge.exe 0xad818d75b080 14 - 1 False 2023-05-21 22:32:39.000000 UTC N/A Disabled
1144 5328 msedge.exe 0xad818d75f080 18 - 1 False 2023-05-21 22:32:38.000000 UTC N/A Disabled
6292 5328 msedge.exe 0xad818d7a1080 20 - 1 False 2023-05-21 22:06:15.000000 UTC N/A Disabled
5340 5328 msedge.exe 0xad818d7b3080 10 - 1 False 2023-05-21 22:32:39.000000 UTC N/A Disabled
5636 3580 notepad.exe 0xad818db45080 1 - 1 False 2023-05-21 22:46:50.000000 UTC N/A Disabled
6048 448 taskhostw.exe 0xad818dc5d080 5 - 1 False 2023-05-21 22:40:20.000000 UTC N/A Disabled
6596 676 TrustedInstall 0xad818dc88080 4 - 0 False 2023-05-21 22:58:13.000000 UTC N/A Disabled
5808 824 HxTsr.exe 0xad818de5d080 0 - 1 False 2023-05-21 21:59:58.000000 UTC 2023-05-21 22:07:45.000000 UTC Disabled
4628 6724 tun2socks.exe 0xad818de82340 0 - 1 True 2023-05-21 22:40:10.000000 UTC 2023-05-21 23:01:24.000000 UTC Disabled
7964 5328 msedge.exe 0xad818dee5080 19 - 1 False 2023-05-21 22:22:09.000000 UTC N/A Disabled
7696 824 dllhost.exe 0xad818dee6080 0 - 1 False 2023-05-21 23:02:40.000000 UTC 2023-05-21 23:02:45.000000 UTC Disabled
6324 1496 audiodg.exe 0xad818df2e080 4 - 0 False 2023-05-21 22:42:56.000000 UTC N/A Disabled
2388 5328 msedge.exe 0xad818e54c340 18 - 1 False 2023-05-21 22:05:35.000000 UTC N/A Disabled
6724 3580 Outline.exe 0xad818e578080 0 - 1 True 2023-05-21 22:36:09.000000 UTC 2023-05-21 23:01:24.000000 UTC Disabled
8952 824 TextInputHost. 0xad818e6db080 10 - 1 False 2023-05-21 21:59:11.000000 UTC N/A Disabled
5476 676 svchost.exe 0xad818e752080 9 - 0 False 2023-05-21 22:58:08.000000 UTC N/A Disabled
2332 824 TiWorker.exe 0xad818e780080 4 - 0 False 2023-05-21 22:58:13.000000 UTC N/A Disabled
7312 824 ApplicationFra 0xad818e84f300 10 - 1 False 2023-05-21 22:35:44.000000 UTC N/A Disabled
4340 676 VSSVC.exe 0xad818e888080 3 - 0 False 2023-05-21 23:01:06.000000 UTC N/A Disabled
4224 6724 Outline.exe 0xad818e88b080 0 - 1 True 2023-05-21 22:36:23.000000 UTC 2023-05-21 23:01:24.000000 UTC Disabled
7772 676 svchost.exe 0xad818e88e140 3 - 0 False 2023-05-21 22:36:03.000000 UTC N/A Disabled
7540 824 smartscreen.ex 0xad818e893080 14 - 1 False 2023-05-21 23:02:26.000000 UTC N/A Disabled
7788 2916 conhost.exe 0xad818e8a1080 0 - 0 False 2023-05-21 23:01:27.000000 UTC 2023-05-21 23:01:48.000000 UTC Disabled
7336 824 RuntimeBroker. 0xad818e8bb080 2 - 1 False 2023-05-21 22:11:39.000000 UTC N/A Disabled
6076 824 ShellExperienc 0xad818eb18080 14 - 1 False 2023-05-21 22:11:36.000000 UTC N/A Disabled
8264 824 RuntimeBroker. 0xad818eec8080 4 - 1 False 2023-05-21 22:40:33.000000 UTC N/A Disabled
8920 3580 FTK Imager.exe 0xad818ef81080 20 - 1 False 2023-05-21 23:02:28.000000 UTC N/A Disabled
5964 676 svchost.exe 0xad818ef86080 5 - 0 False 2023-05-21 22:27:56.000000 UTC N/A Disabled
125689842201708 208586546348048 dexer 0xad818f4f62ad 16777219 - - True 2000-08-31 04:05:52.000000 UTC - Disabled
4396 5328 msedge.exe 0xbe8505fbf080 7 - 1 False 2023-05-21 22:32:19.000000 UTC N/A Disabled
So now we know about psscan, but comparing its results against pslist by hand is far too tedious, which is why there is a plugin to do the comparison for us: that plugin is today's topic, psxview.
This plugin compares the pslist/pstree and psscan results we just covered, together with thrdscan and csrss. If a process does not appear in the corresponding scan it shows False, otherwise True. So if a process shows False under pslist but True under psscan, it is worth analyzing to see whether a rootkit is involved.
$ vol -f MemoryDump.mem windows.psxview.PsXView
Volatility 3 Framework 2.11.0
Progress: 100.00 PDB scanning finished
Offset(Virtual) Name PID pslist psscan thrdscan csrss Exit Time
0xad8187acb200 spoolsv.exe 1840 True True True True
0xad81896ab080 vmtoolsd.exe 2144 True True True True
0xad8185907080 dllhost.exe 3028 True True True True
0xad818d75b080 msedge.exe 4544 True True True True
0xad818d75f080 msedge.exe 1144 True True True True
0xad818d09f080 SgrmBroker.exe 6200 True True True True
0xad818e88b080 Outline.exe 4224 True True False False 2023-05-21 23:01:24+00:00
0xad818e6db080 TextInputHost. 8952 True True True True
0xad818d7b3080 msedge.exe 5340 True True True True
0xad818e8bb080 RuntimeBroker. 7336 True True True True
0xad818c553080 msedge.exe 5156 True True True True
0xad8189c8b280 ctfmon.exe 3204 True True True True
0xad818db45080 notepad.exe 5636 True True True True
0xad81860dc040 smss.exe 332 True True True False
0xad818761d240 svchost.exe 824 True True True True
0xad8187721240 svchost.exe 448 True True True True
0xad8187b65240 svchost.exe 2024 True True True True
0xad818cad3240 StartMenuExper 3160 True True True True
0xad818ce06240 SearchIndexer. 4228 True True True True
0xad818c4212c0 svchost.exe 3004 True True True True
0xad818e893080 smartscreen.ex 7540 True True True True
0xad818e578080 Outline.exe 6724 True True True False 2023-05-21 23:01:24+00:00
0xad81858f2080 Registry 108 True True True False
0xad81861cd080 csrss.exe 452 True True True False
0xad8186f2b080 wininit.exe 552 True True True True
0xad8186f4d080 services.exe 676 True True True True
0xad8186fc6080 lsass.exe 696 True True True True
0xad818774c080 svchost.exe 1012 True True True True
0xad8187835080 MemCompression 1280 True True True False
0xad8187758280 svchost.exe 752 True True True True
0xad8187b34080 svchost.exe 1892 True True True True
0xad8187b94080 svchost.exe 2076 True True True True
0xad818c054080 WmiPrvSE.exe 3944 True True True True
0xad818945c080 MsMpEng.exe 1120 True True True True
0xad818ccc4080 SearchApp.exe 7160 True True True True
0xad818eec8080 RuntimeBroker. 8264 True True True True
0xad81876e8080 RuntimeBroker. 5656 True True False False 2023-05-21 22:02:01+00:00
0xad8189e94280 sihost.exe 1392 True True True True
0xad818d374280 SecurityHealth 5136 True True True True
0xad818e780080 TiWorker.exe 2332 True True True True
0xad818f4f62ad dexer 125689842201708 False True False False
0xad8189b27080 svchost.exe 2044 True True True True
0xad818dc88080 TrustedInstall 6596 True True True True
0xad818e888080 VSSVC.exe 4340 True True True True
0xad8186f450c0 winlogon.exe 588 True True True True
0xad818761b0c0 fontdrvhost.ex 852 True True True True
0xad81877972c0 svchost.exe 1196 True True True True
0xad81876802c0 svchost.exe 952 True True True True
0xad81878020c0 svchost.exe 1376 True True True True
0xad818d0980c0 msedge.exe 5328 True True True True
0xad818796c2c0 svchost.exe 1448 True True True True
0xad81879752c0 svchost.exe 1496 True True True True
0xad8187a112c0 svchost.exe 1644 True True True True
0xad8187a2d2c0 svchost.exe 1652 True True True True
0xad8186f4a2c0 svchost.exe 1232 True True True True
0xad818d3d6080 oneetx.exe 5480 True True True True
0xad818eb18080 ShellExperienc 6076 True True True True
0xad81896b3300 VGAuthService. 2200 True True True True
0xad8189d07300 taskhostw.exe 1600 True True True True
0xad818cd93300 RuntimeBroker. 4116 True True True True
0xad8189796300 vmtoolsd.exe 3252 True True True True
0xad818e84f300 ApplicationFra 7312 True True True True
0xad818979d080 SecurityHealth 464 True True True True
0xad818dc5d080 taskhostw.exe 6048 True True True True
0xad818de5d080 HxTsr.exe 5808 True True False False 2023-05-21 22:07:45+00:00
0xad818d7a1080 msedge.exe 6292 True True True True
0xad8186f49080 SkypeBackgroun 372 True True True True
0xad818d515080 msedge.exe 4396 True True True True
0xad818d099080 SearchApp.exe 1916 True True True True
0xad818dee5080 msedge.exe 7964 True True True True
0xad8187a39080 msedge.exe 8896 True True True True
0xad8189b41080 oneetx.exe 5896 True True True True
0xad8185861280 msdtc.exe 832 True True True True
0xbe8505fbf080 msedge.exe 4396 False True False False
0xad818ef81080 FTK Imager.exe 8920 True True True True
0xad818d143080 FTK Imager.exe 2228 True True True True
0xad818dee6080 dllhost.exe 7696 False True False False 2023-05-21 23:02:45+00:00
0xad8186f1b140 csrss.exe 528 True True True False
0xad818761f140 fontdrvhost.ex 860 True True True True
0xad81876e4340 dwm.exe 1016 True True True True
0xad818e88e140 svchost.exe 7772 True True True True
0xad818c02f340 userinit.exe 3556 True True False False 2023-05-21 22:30:43+00:00
0xad818c047340 explorer.exe 3580 True True True True
0xad818e54c340 msedge.exe 2388 True True True True
0xad818d3ac080 SkypeApp.exe 6644 True True True True
0xad8189b30080 taskhostw.exe 3876 True True True True
0xad8185883180 System 4 True True True False
0xad818c09a080 RuntimeBroker. 4448 True True True True
0xad818d07a080 svchost.exe 3608 True True True True
0xad8185962080 RuntimeBroker. 5704 True True True True
0xad818c426080 svchost.exe 1116 True True True True
0xad818c532080 svchost.exe 6696 True True True True
0xad818d176080 dllhost.exe 1764 True True True True
0xad818c0ea080 msedge.exe 6544 True True True True
0xad818ef86080 svchost.exe 5964 True True True True
0xad818df2e080 audiodg.exe 6324 True True True True
0xad818e752080 svchost.exe 5476 True True True True
0xad818e8a1080 conhost.exe 7788 False True False False 2023-05-21 23:01:48+00:00
0xad8189d7c2c0 svchost.exe 1064 True True True True
0xad818d431080 svchost.exe 8708 True True True True
During memory forensics, some malware hides itself so that pslist and pstree cannot find it, so the PsXView plugin can help us cross-check the different views and spot a suspicious process.
https://github.com/volatilityfoundation/volatility/wiki/command-reference?utm_source=chatgpt.com
https://www.tophertimzen.com/resources/cs407/slides/week02_02-Processes.html#slide6
https://notes.qazeer.io/dfir/common/memory_forensics?utm_source=chatgpt.com