hxxp://bonzibuddy[.]tk/

Analysis

max time kernel
574s
max time network
602s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-01-2023 17:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://bonzibuddy.tk/

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

Bonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exeChromeRecovery.exe

pid process

1016 Bonzify.exe
1700 INSTALLER.exe
1068 AgentSvr.exe
1792 INSTALLER.exe
1180 AgentSvr.exe
2244 ChromeRecovery.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INSTALLER.exeINSTALLER.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
1484	takeown.exe
1068	takeown.exe
2684	icacls.exe
2836	takeown.exe
2544	icacls.exe
2660	icacls.exe
1312	icacls.exe
2568	takeown.exe
2032	takeown.exe
1972	icacls.exe
1252	takeown.exe
2220	takeown.exe
2320	takeown.exe
2092	takeown.exe
320	takeown.exe
1644	takeown.exe
2348	icacls.exe
3016	takeown.exe
436	takeown.exe
2148	icacls.exe
1988	takeown.exe
796	icacls.exe
2936	takeown.exe
2584	takeown.exe
952	icacls.exe
584	takeown.exe
3052	icacls.exe
2348	takeown.exe
680	takeown.exe
2296	icacls.exe
2656	icacls.exe
1856	icacls.exe
396	icacls.exe
2308	icacls.exe
2088	icacls.exe
1744	takeown.exe
2096	icacls.exe
2104	takeown.exe
3008	takeown.exe
2188	icacls.exe
2792	takeown.exe
1984	takeown.exe
1748	icacls.exe
2080	takeown.exe
1600	takeown.exe
920	takeown.exe
1540	icacls.exe
2096	icacls.exe
580	takeown.exe
2032	icacls.exe
2168	icacls.exe
1956	takeown.exe
2364	takeown.exe
1788	takeown.exe
2236	icacls.exe
320	icacls.exe
2460	icacls.exe
2892	icacls.exe
2128	takeown.exe
1264	icacls.exe
2720	icacls.exe
3044	takeown.exe
1604	takeown.exe
2492	icacls.exe

Loads dropped DLL 29 IoCs

Processes:

Bonzify.exeINSTALLER.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeAgentSvr.exeINSTALLER.exeregsvr32.exeregsvr32.exeAgentSvr.exe

pid	process
1016	Bonzify.exe
1700	INSTALLER.exe
1700	INSTALLER.exe
1700	INSTALLER.exe
1700	INSTALLER.exe
1600	regsvr32.exe
2272	regsvr32.exe
2976	regsvr32.exe
2716	regsvr32.exe
1916	regsvr32.exe
2192	regsvr32.exe
2020	regsvr32.exe
1700	INSTALLER.exe
1700	INSTALLER.exe
1068	AgentSvr.exe
1068	AgentSvr.exe
1068	AgentSvr.exe
1016	Bonzify.exe
1792	INSTALLER.exe
1792	INSTALLER.exe
1792	INSTALLER.exe
1792	INSTALLER.exe
2084	regsvr32.exe
2084	regsvr32.exe
2796	regsvr32.exe
1016	Bonzify.exe
1180	AgentSvr.exe
1180	AgentSvr.exe
1180	AgentSvr.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
1644	takeown.exe
2188	icacls.exe
1252	takeown.exe
1988	takeown.exe
2348	icacls.exe
2544	icacls.exe
2096	icacls.exe
1972	icacls.exe
2532	icacls.exe
2936	takeown.exe
2092	takeown.exe
2892	icacls.exe
952	icacls.exe
2584	takeown.exe
680	takeown.exe
2320	takeown.exe
2308	icacls.exe
2364	takeown.exe
320	icacls.exe
1068	takeown.exe
436	takeown.exe
2088	icacls.exe
1484	takeown.exe
580	takeown.exe
920	takeown.exe
2236	icacls.exe
2220	takeown.exe
2720	icacls.exe
3008	takeown.exe
2684	icacls.exe
796	icacls.exe
2488	icacls.exe
320	takeown.exe
2568	takeown.exe
1984	takeown.exe
1604	takeown.exe
2032	takeown.exe
2656	icacls.exe
1600	takeown.exe
1788	takeown.exe
2032	icacls.exe
2168	icacls.exe
1748	icacls.exe
2148	icacls.exe
1312	icacls.exe
2348	takeown.exe
2792	takeown.exe
2104	takeown.exe
2296	icacls.exe
2836	takeown.exe
584	takeown.exe
1540	icacls.exe
1744	takeown.exe
2460	icacls.exe
2096	icacls.exe
396	icacls.exe
2492	icacls.exe
3016	takeown.exe
2660	icacls.exe
1856	icacls.exe
1264	icacls.exe
1956	takeown.exe
3044	takeown.exe
2128	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INSTALLER.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

INSTALLER.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SETB5ED.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SETB5ED.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe	elevation_service.exe

Drops file in Windows directory 61 IoCs

Processes:

INSTALLER.exeINSTALLER.exeBonzify.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\msagent\SETAD24.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD47.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD8B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETB5DA.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD25.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD47.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File created	C:\Windows\help\SETAD6A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD25.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETAD58.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD69.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETAD23.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD8B.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SETB5DB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SETB5EB.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SETAD12.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETB5DA.tmp	INSTALLER.exe
File created	C:\Windows\finalDestruction.bin	Bonzify.exe
File created	C:\Windows\lhsp\tv\SETB5D9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD23.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD57.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETAD7B.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETB5EC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	C:\Windows\msagent\SETAD46.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETAD7B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\fonts\SETB5EB.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD57.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SETAD6A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETB5DB.tmp	INSTALLER.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe
File created	C:\Windows\msagent\SETAD35.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD35.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File created	C:\Windows\msagent\SETAD46.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETAD12.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETAD24.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\INF\SETAD58.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETAD69.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETB5D9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETB5EC.tmp	INSTALLER.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1788 taskkill.exe

pid	process
1788	taskkill.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeAgentSvr.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aca\ = "Agent.Character.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlAudioObjectEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\0	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCommand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\ = "MSLwvTTS Engine Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentCtl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acf\ = "Agent.Character.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2\ = "Microsoft Agent Server 2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA141FD0-AC7F-11d1-97A3-0060082730FF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID\ = "Agent.Control.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}\InprocServer32\ = "C:\\Windows\\msagent\\AgentSR.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\LocalServer32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentBalloon"	AgentSvr.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Bonzify-master.zip:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeBonzify.exe

pid process

1616 chrome.exe
2068 chrome.exe
2068 chrome.exe
2068 chrome.exe
2068 chrome.exe
320 chrome.exe
2112 chrome.exe
3040 chrome.exe
1016 Bonzify.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1640 explorer.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Bonzify-master.zip:Zone.Identifier	firefox.exe

pid	process
1616	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
320	chrome.exe
2112	chrome.exe
3040	chrome.exe
1016	Bonzify.exe

pid	process
1640	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.exeAUDIODG.EXE7zG.exe7zG.exetaskkill.exetakeown.exeINSTALLER.exeINSTALLER.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeAgentSvr.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeRestorePrivilege	2768	7zG.exe
Token: 35	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: 33	2856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2856	AUDIODG.EXE
Token: 33	2856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2856	AUDIODG.EXE
Token: SeRestorePrivilege	2976	7zG.exe
Token: 35	2976	7zG.exe
Token: SeSecurityPrivilege	2976	7zG.exe
Token: SeSecurityPrivilege	2976	7zG.exe
Token: SeRestorePrivilege	2084	7zG.exe
Token: 35	2084	7zG.exe
Token: SeSecurityPrivilege	2084	7zG.exe
Token: SeSecurityPrivilege	2084	7zG.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeTakeOwnershipPrivilege	3008	takeown.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1700	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeRestorePrivilege	1792	INSTALLER.exe
Token: SeTakeOwnershipPrivilege	2032	takeown.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	680	takeown.exe
Token: SeTakeOwnershipPrivilege	436	takeown.exe
Token: SeTakeOwnershipPrivilege	580	takeown.exe
Token: SeTakeOwnershipPrivilege	2128	takeown.exe
Token: SeTakeOwnershipPrivilege	1252	takeown.exe
Token: 33	1180	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	1180	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	2220	takeown.exe
Token: SeTakeOwnershipPrivilege	2080	takeown.exe
Token: SeTakeOwnershipPrivilege	1600	takeown.exe
Token: SeTakeOwnershipPrivilege	2836	takeown.exe
Token: SeTakeOwnershipPrivilege	2364	takeown.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	2320	takeown.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	2092	takeown.exe
Token: SeShutdownPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	1640	explorer.exe
Token: SeShutdownPrivilege	1640	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exechrome.exe7zG.exe7zG.exeAgentSvr.exeexplorer.exe

pid	process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
2768	7zG.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2976	7zG.exe
2084	7zG.exe
1180	AgentSvr.exe
1180	AgentSvr.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe

Suspicious use of SendNotifyMessage 58 IoCs

Processes:

firefox.exechrome.exeAgentSvr.exeexplorer.exe

pid	process
696	firefox.exe
696	firefox.exe
696	firefox.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
1180	AgentSvr.exe
1180	AgentSvr.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exe

pid process

696 firefox.exe
696 firefox.exe
696 firefox.exe
696 firefox.exe
696 firefox.exe
696 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 1644 wrote to memory of 696	1644	firefox.exe	firefox.exe
PID 696 wrote to memory of 1816	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1816	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1816	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 676	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe
PID 696 wrote to memory of 1016	696	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://bonzibuddy.tk/
1⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://bonzibuddy.tk/
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.0.1012723648\1672344907" -parentBuildID 20200403170909 -prefsHandle 1164 -prefMapHandle 1156 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 1232 gpu
3⤵
PID:1816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.3.1900713167\49949091" -childID 1 -isForBrowser -prefsHandle 1304 -prefMapHandle 1656 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 1764 tab
3⤵
PID:676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.13.1158659063\1306449033" -childID 2 -isForBrowser -prefsHandle 2804 -prefMapHandle 2800 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 2820 tab
3⤵
PID:1016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.20.1897810021\1896002418" -parentBuildID 20200403170909 -prefsHandle 7104 -prefMapHandle 6792 -prefsLen 8630 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 6784 rdd
3⤵
PID:1572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify-master\" -spe -an -ai#7zMap29933:90:7zEvent2268
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3894f50,0x7fef3894f60,0x7fef3894f70
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1056 /prefetch:2
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:2
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3976 /prefetch:8
2⤵
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:8
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:8
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f50a890,0x13f50a8a0,0x13f50a8b0
3⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=816 /prefetch:8
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1488 /prefetch:1
2⤵
PID:1816

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:660

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify\" -spe -an -ai#7zMap24784:76:7zEvent10709
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify\The Big Bang\" -spe -an -ai#7zMap12791:102:7zEvent15276
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
PID:2568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1604

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe"
2⤵
PID:2080

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2684

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2272

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2976

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
3⤵
- Loads dropped DLL
PID:2716

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1916

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2192

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
3⤵
- Loads dropped DLL
PID:2020

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1068

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2084

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2796

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe"
2⤵
PID:2572

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe"
2⤵
PID:2444

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe"
2⤵
PID:1604

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe"
2⤵
PID:880

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe"
2⤵
PID:2016

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe"
2⤵
PID:1844

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe"
2⤵
PID:2740

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe"
2⤵
PID:2888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
- Modifies file permissions
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe"
2⤵
PID:516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe"
3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe"
2⤵
PID:1624

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe" /grant "everyone":(f)
3⤵
- Modifies file permissions
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe"
2⤵
PID:2420

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe"
2⤵
PID:1932

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe"
2⤵
PID:2520

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe"
2⤵
PID:1104

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe"
2⤵
PID:3024

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe"
2⤵
PID:2200

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe"
2⤵
PID:2152

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe"
2⤵
PID:1456

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe"
2⤵
PID:1120

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe"
2⤵
PID:1832

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1956

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe"
2⤵
PID:2112

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe"
2⤵
PID:2748

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe"
2⤵
PID:2300

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2792

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe"
2⤵
PID:2428

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe"
2⤵
PID:2016

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe"
2⤵
PID:536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe" /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\loadmxf.exe"
2⤵
PID:1744

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\loadmxf.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_narrator_31bf3856ad364e35_6.1.7601.17514_none_e18f9f5aaa2eda72\Narrator.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\msil_narrator_31bf3856ad364e35_6.1.7601.17514_none_e18f9f5aaa2eda72\Narrator.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1984

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1640

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:364

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={e34923ea-179b-4838-8a1e-ff264fffe897} --system
2⤵
- Executes dropped EXE
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
Filesize
46B

MD5
f80e36cd406022944558d8a099db0fa7

SHA1
fd7e93ca529ed760ff86278fbfa5ba0496e581ce

SHA256
7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7

SHA512
436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2

Download Submit
C:\Users\Admin\Downloads\Bonzify-master.zip
Filesize
3KB

MD5
512066537f528631b41638ed25891d6b

SHA1
c640b7acd1ade524d4351052eb400881f2f8dff6

SHA256
bbcce67b9de792a506cf0228321d4a4e02d0cee128d3085dd7f7e7f989c45850

SHA512
d02ef9cf4b92cff6cb758d77179e6d2d1bdb5901fecbad7110e2394219d63cecdf2aee51d39b684fbe37fbf52048bbf35ef8a04cad6a9ac4ec01092eab9ef8ba

Download Submit
C:\Users\Admin\Downloads\Bonzify.zip
Filesize
5.6MB

MD5
ca73018dec1f49da4786965cb7d2d6e0

SHA1
87a6704452e86e19d7610476d26e407d15b58c24

SHA256
28c10c7ea2db58c95a59be50ce5d657c3b81b68cb75b242c174b77cc5bebd2ff

SHA512
311533f8a52294d30e9f9d787cc5763e286612ee0dd6f24c197692dedd95ff1c0c08abf9b2508dd2de15cc107ae89a09eccffa1fe7b853d4585c781a4077e59e

Download Submit
C:\Users\Admin\Downloads\Bonzify\The Big Bang.iso
Filesize
6.9MB

MD5
2c0fcd3dcdc31f3c8a19a43a60900ce7

SHA1
9127ffc5915e3142410f164ad8fbe4e4029be097

SHA256
b553b401f8d8fa47db7f3b513637145453337159d0acca460b4efcdaf5ef5c61

SHA512
5903ee1db1677acd91ffab49494af43a2d80add3c1c785a104b1737fc7f158507019a267e6380a95482da8bb9c1d8006b6bed6855fbc9e54e30394a814ed123f

Download Submit
C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2068_DWTSJFKXJBQEWEHF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
memory/368-110-0x0000000000000000-mapping.dmp

Download
memory/436-122-0x0000000000000000-mapping.dmp

Download
memory/516-137-0x0000000000000000-mapping.dmp

Download
memory/580-125-0x0000000000000000-mapping.dmp

Download
memory/680-119-0x0000000000000000-mapping.dmp

Download
memory/796-129-0x0000000000000000-mapping.dmp

Download
memory/880-121-0x0000000000000000-mapping.dmp

Download
memory/952-148-0x0000000000000000-mapping.dmp

Download
memory/1016-64-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1068-100-0x0000000000000000-mapping.dmp

Download
memory/1100-102-0x0000000000000000-mapping.dmp

Download
memory/1120-214-0x0000000075880000-0x00000000758C7000-memory.dmp

Filesize
284KB

Download
memory/1120-220-0x00000000758D0000-0x0000000075970000-memory.dmp

Filesize
640KB

Download
memory/1120-218-0x0000000075630000-0x00000000756DC000-memory.dmp

Filesize
688KB

Download
memory/1120-216-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1120-219-0x000000004A170000-0x000000004A1BC000-memory.dmp

Filesize
304KB

Download
memory/1120-217-0x0000000074F40000-0x0000000074F47000-memory.dmp

Filesize
28KB

Download
memory/1120-215-0x0000000076F50000-0x0000000076F55000-memory.dmp

Filesize
20KB

Download
memory/1252-131-0x0000000000000000-mapping.dmp

Download
memory/1312-151-0x0000000000000000-mapping.dmp

Download
memory/1456-189-0x000000004AA10000-0x000000004AA5C000-memory.dmp

Filesize
304KB

Download
memory/1456-182-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1456-190-0x0000000075870000-0x000000007587A000-memory.dmp

Filesize
40KB

Download
memory/1456-188-0x00000000750C0000-0x00000000750D9000-memory.dmp

Filesize
100KB

Download
memory/1456-180-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1456-185-0x00000000758D0000-0x0000000075970000-memory.dmp

Filesize
640KB

Download
memory/1456-183-0x0000000074F50000-0x0000000074F57000-memory.dmp

Filesize
28KB

Download
memory/1456-187-0x0000000076820000-0x00000000768EC000-memory.dmp

Filesize
816KB

Download
memory/1456-186-0x0000000074F70000-0x0000000074F7C000-memory.dmp

Filesize
48KB

Download
memory/1456-191-0x0000000074FE0000-0x000000007507D000-memory.dmp

Filesize
628KB

Download
memory/1456-184-0x0000000075630000-0x00000000756DC000-memory.dmp

Filesize
688KB

Download
memory/1456-181-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1456-178-0x0000000075880000-0x00000000758C7000-memory.dmp

Filesize
284KB

Download
memory/1456-179-0x0000000076F50000-0x0000000076F55000-memory.dmp

Filesize
20KB

Download
memory/1484-206-0x0000000074AF0000-0x0000000074AF9000-memory.dmp

Filesize
36KB

Download
memory/1484-195-0x0000000074B50000-0x0000000074B62000-memory.dmp

Filesize
72KB

Download
memory/1484-208-0x00000000758D0000-0x0000000075970000-memory.dmp

Filesize
640KB

Download
memory/1484-204-0x0000000074B70000-0x0000000074B7F000-memory.dmp

Filesize
60KB

Download
memory/1484-203-0x0000000074B10000-0x0000000074B29000-memory.dmp

Filesize
100KB

Download
memory/1484-201-0x0000000076F60000-0x0000000076FB7000-memory.dmp

Filesize
348KB

Download
memory/1484-209-0x0000000074F70000-0x0000000074F7C000-memory.dmp

Filesize
48KB

Download
memory/1484-197-0x0000000074B80000-0x0000000074B88000-memory.dmp

Filesize
32KB

Download
memory/1484-207-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/1484-200-0x0000000075630000-0x00000000756DC000-memory.dmp

Filesize
688KB

Download
memory/1484-198-0x0000000077530000-0x0000000077536000-memory.dmp

Filesize
24KB

Download
memory/1484-199-0x0000000075080000-0x00000000750B5000-memory.dmp

Filesize
212KB

Download
memory/1484-194-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1484-210-0x0000000076820000-0x00000000768EC000-memory.dmp

Filesize
816KB

Download
memory/1484-212-0x0000000074FE0000-0x000000007507D000-memory.dmp

Filesize
628KB

Download
memory/1484-213-0x00000000750C0000-0x00000000750D9000-memory.dmp

Filesize
100KB

Download
memory/1484-196-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/1484-202-0x0000000074F30000-0x0000000074F39000-memory.dmp

Filesize
36KB

Download
memory/1484-193-0x0000000076F50000-0x0000000076F55000-memory.dmp

Filesize
20KB

Download
memory/1484-205-0x0000000074B30000-0x0000000074B41000-memory.dmp

Filesize
68KB

Download
memory/1484-192-0x0000000075880000-0x00000000758C7000-memory.dmp

Filesize
284KB

Download
memory/1484-211-0x0000000075870000-0x000000007587A000-memory.dmp

Filesize
40KB

Download
memory/1504-143-0x0000000000000000-mapping.dmp

Download
memory/1600-141-0x0000000000000000-mapping.dmp

Download
memory/1600-83-0x0000000000000000-mapping.dmp

Download
memory/1604-118-0x0000000000000000-mapping.dmp

Download
memory/1604-68-0x0000000000000000-mapping.dmp

Download
memory/1624-140-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000000000000-mapping.dmp

Download
memory/1744-536-0x0000000074BB0000-0x0000000074BEB000-memory.dmp

Filesize
236KB

Download
memory/1744-537-0x0000000000345000-0x0000000000356000-memory.dmp

Filesize
68KB

Download
memory/1744-539-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/1748-69-0x0000000000000000-mapping.dmp

Download
memory/1788-67-0x0000000000000000-mapping.dmp

Download
memory/1792-104-0x0000000000000000-mapping.dmp

Download
memory/1844-127-0x0000000000000000-mapping.dmp

Download
memory/1856-142-0x0000000000000000-mapping.dmp

Download
memory/1916-94-0x0000000000000000-mapping.dmp

Download
memory/1932-149-0x0000000000000000-mapping.dmp

Download
memory/1972-126-0x0000000000000000-mapping.dmp

Download
memory/1988-150-0x0000000000000000-mapping.dmp

Download
memory/2016-124-0x0000000000000000-mapping.dmp

Download
memory/2020-98-0x0000000000000000-mapping.dmp

Download
memory/2032-113-0x0000000000000000-mapping.dmp

Download
memory/2032-154-0x0000000000000000-mapping.dmp

Download
memory/2080-138-0x0000000000000000-mapping.dmp

Download
memory/2080-70-0x0000000000000000-mapping.dmp

Download
memory/2084-106-0x0000000000000000-mapping.dmp

Download
memory/2128-128-0x0000000000000000-mapping.dmp

Download
memory/2148-139-0x0000000000000000-mapping.dmp

Download
memory/2188-117-0x0000000000000000-mapping.dmp

Download
memory/2192-96-0x0000000000000000-mapping.dmp

Download
memory/2220-135-0x0000000000000000-mapping.dmp

Download
memory/2272-87-0x0000000000000000-mapping.dmp

Download
memory/2296-120-0x0000000000000000-mapping.dmp

Download
memory/2348-176-0x00000000750C0000-0x00000000750D9000-memory.dmp

Filesize
100KB

Download
memory/2348-171-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/2348-157-0x0000000075880000-0x00000000758C7000-memory.dmp

Filesize
284KB

Download
memory/2348-161-0x0000000074F30000-0x0000000074F38000-memory.dmp

Filesize
32KB

Download
memory/2348-160-0x0000000074B70000-0x0000000074B82000-memory.dmp

Filesize
72KB

Download
memory/2348-158-0x0000000076F50000-0x0000000076F55000-memory.dmp

Filesize
20KB

Download
memory/2348-159-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/2348-163-0x0000000075080000-0x00000000750B5000-memory.dmp

Filesize
212KB

Download
memory/2348-164-0x0000000075630000-0x00000000756DC000-memory.dmp

Filesize
688KB

Download
memory/2348-166-0x0000000074B40000-0x0000000074B49000-memory.dmp

Filesize
36KB

Download
memory/2348-165-0x0000000076F60000-0x0000000076FB7000-memory.dmp

Filesize
348KB

Download
memory/2348-177-0x0000000074F70000-0x0000000074F7C000-memory.dmp

Filesize
48KB

Download
memory/2348-162-0x0000000077530000-0x0000000077536000-memory.dmp

Filesize
24KB

Download
memory/2348-175-0x0000000074FE0000-0x000000007507D000-memory.dmp

Filesize
628KB

Download
memory/2348-167-0x0000000074B20000-0x0000000074B39000-memory.dmp

Filesize
100KB

Download
memory/2348-173-0x0000000076820000-0x00000000768EC000-memory.dmp

Filesize
816KB

Download
memory/2348-168-0x0000000074B10000-0x0000000074B1F000-memory.dmp

Filesize
60KB

Download
memory/2348-169-0x0000000074B50000-0x0000000074B61000-memory.dmp

Filesize
68KB

Download
memory/2348-170-0x0000000074B00000-0x0000000074B09000-memory.dmp

Filesize
36KB

Download
memory/2348-174-0x0000000075870000-0x000000007587A000-memory.dmp

Filesize
40KB

Download
memory/2348-172-0x00000000758D0000-0x0000000075970000-memory.dmp

Filesize
640KB

Download
memory/2364-147-0x0000000000000000-mapping.dmp

Download
memory/2420-146-0x0000000000000000-mapping.dmp

Download
memory/2444-115-0x0000000000000000-mapping.dmp

Download
memory/2488-136-0x0000000000000000-mapping.dmp

Download
memory/2492-114-0x0000000000000000-mapping.dmp

Download
memory/2520-152-0x0000000000000000-mapping.dmp

Download
memory/2532-145-0x0000000000000000-mapping.dmp

Download
memory/2548-155-0x0000000000000000-mapping.dmp

Download
memory/2568-65-0x0000000000000000-mapping.dmp

Download
memory/2572-112-0x0000000000000000-mapping.dmp

Download
memory/2656-132-0x0000000000000000-mapping.dmp

Download
memory/2684-76-0x0000000000000000-mapping.dmp

Download
memory/2716-92-0x0000000000000000-mapping.dmp

Download
memory/2740-130-0x0000000000000000-mapping.dmp

Download
memory/2768-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/2796-108-0x0000000000000000-mapping.dmp

Download
memory/2836-144-0x0000000000000000-mapping.dmp

Download
memory/2888-133-0x0000000000000000-mapping.dmp

Download
memory/2892-123-0x0000000000000000-mapping.dmp

Download
memory/2936-153-0x0000000000000000-mapping.dmp

Download
memory/2976-90-0x0000000000000000-mapping.dmp

Download
memory/3008-73-0x0000000000000000-mapping.dmp

Download
memory/3016-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads