Analysis

max time kernel: 574s
max time network: 602s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-01-2023 17:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://bonzibuddy.tk/
Resource: win7-20220812-en
Errors: -

General
  Target: http://bonzibuddy.tk/

Malware Config: -

Signatures
Executes dropped EXE (6 IoCs)
Processes:
  pid | process
  1016 | Bonzify.exe
  1700 | INSTALLER.exe
  1068 | AgentSvr.exe
  1792 | INSTALLER.exe
  1180 | AgentSvr.exe
  2244 | ChromeRecovery.exe
Modifies AppInit DLL entries (2 TTPs)
Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components | INSTALLER.exe
  Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components | INSTALLER.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Possible privilege escalation attempt (64 IoCs)
Loads dropped DLL (29 IoCs)
Modifies file permissions (1 TTPs, 64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | INSTALLER.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | INSTALLER.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in System32 directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\SETB5ED.tmp | INSTALLER.exe
  File created | C:\Windows\SysWOW64\SETB5ED.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | INSTALLER.exe
Drops file in Program Files directory (7 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe | elevation_service.exe
  File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\manifest.json | elevation_service.exe
  File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\manifest.json | elevation_service.exe
  File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\_metadata\verified_contents.json | elevation_service.exe
  File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\_metadata\verified_contents.json | elevation_service.exe
  File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecoveryCRX.crx | elevation_service.exe
  File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe | elevation_service.exe
Drops file in Windows directory (61 IoCs)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill (1 IoCs)
Processes:
  pid | process
  1788 | taskkill.exe
Modifies registry class (64 IoCs)
NTFS ADS (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\Downloads\Bonzify-master.zip:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid | process
  1616 | chrome.exe
  2068 | chrome.exe
  2068 | chrome.exe
  2068 | chrome.exe
  2068 | chrome.exe
  320 | chrome.exe
  2112 | chrome.exe
  3040 | chrome.exe
  1016 | Bonzify.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  1640 | explorer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (58 IoCs)
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid | process
  696 | firefox.exe
  696 | firefox.exe
  696 | firefox.exe
  696 | firefox.exe
  696 | firefox.exe
  696 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
(Process tree: "depth 1" is a top-level process, "depth 2" a child of the preceding depth-1 entry, "depth 3" a child of the preceding depth-2 entry.)
-
[depth 1] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" http://bonzibuddy.tk/
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" http://bonzibuddy.tk/
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.0.1012723648\1672344907" -parentBuildID 20200403170909 -prefsHandle 1164 -prefMapHandle 1156 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 1232 gpu
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.3.1900713167\49949091" -childID 1 -isForBrowser -prefsHandle 1304 -prefMapHandle 1656 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 1764 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.13.1158659063\1306449033" -childID 2 -isForBrowser -prefsHandle 2804 -prefMapHandle 2800 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 2820 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="696.20.1897810021\1896002418" -parentBuildID 20200403170909 -prefsHandle 7104 -prefMapHandle 6792 -prefsLen 8630 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 696 "\\.\pipe\gecko-crash-server-pipe.696" 6784 rdd
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify-master\" -spe -an -ai#7zMap29933:90:7zEvent2268
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x2f0
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3894f50,0x7fef3894f60,0x7fef3894f70
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1056 /prefetch:2
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:2
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3976 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4080 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
Command line: "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
-
[depth 3] C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
Command line: "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f50a890,0x13f50a8a0,0x13f50a8b0
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=816 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
-
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,10943955946817318729,17619678626782887174,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1488 /prefetch:1
-
[depth 1] C:\Windows\explorer.exe
Command line: "C:\Windows\explorer.exe"
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify\" -spe -an -ai#7zMap24784:76:7zEvent10709
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bonzify\The Big Bang\" -spe -an -ai#7zMap12791:102:7zEvent15276
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe
Command line: "C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
-
[depth 3] C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im AgentSvr.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /r /d y /f C:\Windows\MsAgent
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_f4285a06060032a9\vbc.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Command line: INSTALLER.exe /q
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
- Loads dropped DLL
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
- Loads dropped DLL
-
[depth 3] C:\Windows\msagent\AgentSvr.exe
Command line: "C:\Windows\msagent\AgentSvr.exe" /regserver
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\grpconv.exe
Command line: grpconv.exe -o
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Command line: INSTALLER.exe /q
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
- Loads dropped DLL
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\grpconv.exe
Command line: grpconv.exe -o
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe" /grant "everyone":(f)
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe"
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\SMConfigInstaller.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe" /grant "everyone":(f)
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-smsvchost_b03f5f7f11d50a3a_6.1.7600.16385_none_c7f13af70ac77b22\SMSvcHost.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe"
-
[depth 3] C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe" /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchProtocolHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_96490604d588c19b\PresentationHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_wpf-xamlviewer_31bf3856ad364e35_6.1.7601.17514_none_b43451f0938c6cd0\XamlViewer_v0300.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_addinprocess_b77a5c561934e089_6.1.7601.17514_none_f9a5b9a7f0e068e4\AddInProcess.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_bfe4d387913dbb8f\ComSvcConfig.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_datasvcutil_b77a5c561934e089_6.1.7601.17514_none_cfdc452bbab5ec47\DataSvcUtil.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_3a54952b454a8916\dfsvc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.1.7601.17514_none_c0f01f501d19ea73\ehexthost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\winsxs\msil_jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_7c5b469993c3ad32\jsc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\loadmxf.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\loadmxf.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\msil_narrator_31bf3856ad364e35_6.1.7601.17514_none_e18f9f5aaa2eda72\Narrator.exe"2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\winsxs\msil_narrator_31bf3856ad364e35_6.1.7601.17514_none_e18f9f5aaa2eda72\Narrator.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir364_1930664466\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={e34923ea-179b-4838-8a1e-ff264fffe897} --system2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize 161B
MD5 ea7df060b402326b4305241f21f39736
SHA1 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256 e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA512 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
-
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
Filesize 46B
MD5 f80e36cd406022944558d8a099db0fa7
SHA1 fd7e93ca529ed760ff86278fbfa5ba0496e581ce
SHA256 7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7
SHA512 436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2
-
C:\Users\Admin\Downloads\Bonzify-master.zip
Filesize 3KB
MD5 512066537f528631b41638ed25891d6b
SHA1 c640b7acd1ade524d4351052eb400881f2f8dff6
SHA256 bbcce67b9de792a506cf0228321d4a4e02d0cee128d3085dd7f7e7f989c45850
SHA512 d02ef9cf4b92cff6cb758d77179e6d2d1bdb5901fecbad7110e2394219d63cecdf2aee51d39b684fbe37fbf52048bbf35ef8a04cad6a9ac4ec01092eab9ef8ba
-
C:\Users\Admin\Downloads\Bonzify.zip
Filesize 5.6MB
MD5 ca73018dec1f49da4786965cb7d2d6e0
SHA1 87a6704452e86e19d7610476d26e407d15b58c24
SHA256 28c10c7ea2db58c95a59be50ce5d657c3b81b68cb75b242c174b77cc5bebd2ff
SHA512 311533f8a52294d30e9f9d787cc5763e286612ee0dd6f24c197692dedd95ff1c0c08abf9b2508dd2de15cc107ae89a09eccffa1fe7b853d4585c781a4077e59e
-
C:\Users\Admin\Downloads\Bonzify\The Big Bang.iso
Filesize 6.9MB
MD5 2c0fcd3dcdc31f3c8a19a43a60900ce7
SHA1 9127ffc5915e3142410f164ad8fbe4e4029be097
SHA256 b553b401f8d8fa47db7f3b513637145453337159d0acca460b4efcdaf5ef5c61
SHA512 5903ee1db1677acd91ffab49494af43a2d80add3c1c785a104b1737fc7f158507019a267e6380a95482da8bb9c1d8006b6bed6855fbc9e54e30394a814ed123f
-
C:\Users\Admin\Downloads\Bonzify\The Big Bang\Bonzify.exe
Filesize 6.4MB
MD5 fba93d8d029e85e0cde3759b7903cee2
SHA1 525b1aa549188f4565c75ab69e51f927204ca384
SHA256 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA512 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
C:\Windows\msagent\AgentCtl.dll
Filesize 160KB
MD5 237e13b95ab37d0141cf0bc585b8db94
SHA1 102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256 d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA512 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
C:\Windows\msagent\AgentDPv.dll
Filesize 64KB
MD5 7c5aefb11e797129c9e90f279fbdf71b
SHA1 cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512 df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
\??\PIPE\samr
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_2068_DWTSJFKXJBQEWEHF
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize 391KB
MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize 73KB
MD5 81e5c8596a7e4e98117f5c5143293020
SHA1 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA256 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA512 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
-
\Windows\msagent\AgentCtl.dll
Filesize 160KB
MD5 237e13b95ab37d0141cf0bc585b8db94
SHA1 102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256 d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA512 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
memory/368-110-0x0000000000000000-mapping.dmp
-
memory/436-122-0x0000000000000000-mapping.dmp
-
memory/516-137-0x0000000000000000-mapping.dmp
-
memory/580-125-0x0000000000000000-mapping.dmp
-
memory/680-119-0x0000000000000000-mapping.dmp
-
memory/796-129-0x0000000000000000-mapping.dmp
-
memory/880-121-0x0000000000000000-mapping.dmp
-
memory/952-148-0x0000000000000000-mapping.dmp
-
memory/1016-64-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
Filesize 8KB
-
memory/1068-100-0x0000000000000000-mapping.dmp
-
memory/1100-102-0x0000000000000000-mapping.dmp
-
memory/1120-214-0x0000000075880000-0x00000000758C7000-memory.dmp
Filesize 284KB
-
memory/1120-220-0x00000000758D0000-0x0000000075970000-memory.dmp
Filesize 640KB
-
memory/1120-218-0x0000000075630000-0x00000000756DC000-memory.dmp
Filesize 688KB
-
memory/1120-216-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/1120-219-0x000000004A170000-0x000000004A1BC000-memory.dmp
Filesize 304KB
-
memory/1120-217-0x0000000074F40000-0x0000000074F47000-memory.dmp
Filesize 28KB
-
memory/1120-215-0x0000000076F50000-0x0000000076F55000-memory.dmp
Filesize 20KB
-
memory/1252-131-0x0000000000000000-mapping.dmp
-
memory/1312-151-0x0000000000000000-mapping.dmp
-
memory/1456-189-0x000000004AA10000-0x000000004AA5C000-memory.dmp
Filesize 304KB
-
memory/1456-182-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/1456-190-0x0000000075870000-0x000000007587A000-memory.dmp
Filesize 40KB
-
memory/1456-188-0x00000000750C0000-0x00000000750D9000-memory.dmp
Filesize 100KB
-
memory/1456-180-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/1456-185-0x00000000758D0000-0x0000000075970000-memory.dmp
Filesize 640KB
-
memory/1456-183-0x0000000074F50000-0x0000000074F57000-memory.dmp
Filesize 28KB
-
memory/1456-187-0x0000000076820000-0x00000000768EC000-memory.dmp
Filesize 816KB
-
memory/1456-186-0x0000000074F70000-0x0000000074F7C000-memory.dmp
Filesize 48KB
-
memory/1456-191-0x0000000074FE0000-0x000000007507D000-memory.dmp
Filesize 628KB
-
memory/1456-184-0x0000000075630000-0x00000000756DC000-memory.dmp
Filesize 688KB
-
memory/1456-181-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/1456-178-0x0000000075880000-0x00000000758C7000-memory.dmp
Filesize 284KB
-
memory/1456-179-0x0000000076F50000-0x0000000076F55000-memory.dmp
Filesize 20KB
-
memory/1484-206-0x0000000074AF0000-0x0000000074AF9000-memory.dmp
Filesize 36KB
-
memory/1484-195-0x0000000074B50000-0x0000000074B62000-memory.dmp
Filesize 72KB
-
memory/1484-208-0x00000000758D0000-0x0000000075970000-memory.dmp
Filesize 640KB
-
memory/1484-204-0x0000000074B70000-0x0000000074B7F000-memory.dmp
Filesize 60KB
-
memory/1484-203-0x0000000074B10000-0x0000000074B29000-memory.dmp
Filesize 100KB
-
memory/1484-201-0x0000000076F60000-0x0000000076FB7000-memory.dmp
Filesize 348KB
-
memory/1484-209-0x0000000074F70000-0x0000000074F7C000-memory.dmp
Filesize 48KB
-
memory/1484-197-0x0000000074B80000-0x0000000074B88000-memory.dmp
Filesize 32KB
-
memory/1484-207-0x0000000000CD0000-0x0000000000CDF000-memory.dmp
Filesize 60KB
-
memory/1484-200-0x0000000075630000-0x00000000756DC000-memory.dmp
Filesize 688KB
-
memory/1484-198-0x0000000077530000-0x0000000077536000-memory.dmp
Filesize 24KB
-
memory/1484-199-0x0000000075080000-0x00000000750B5000-memory.dmp
Filesize 212KB
-
memory/1484-194-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/1484-210-0x0000000076820000-0x00000000768EC000-memory.dmp
Filesize 816KB
-
memory/1484-212-0x0000000074FE0000-0x000000007507D000-memory.dmp
Filesize 628KB
-
memory/1484-213-0x00000000750C0000-0x00000000750D9000-memory.dmp
Filesize 100KB
-
memory/1484-196-0x0000000077380000-0x0000000077529000-memory.dmp
Filesize 1.7MB
-
memory/1484-202-0x0000000074F30000-0x0000000074F39000-memory.dmp
Filesize 36KB
-
memory/1484-193-0x0000000076F50000-0x0000000076F55000-memory.dmp
Filesize 20KB
-
memory/1484-205-0x0000000074B30000-0x0000000074B41000-memory.dmp
Filesize 68KB
-
memory/1484-192-0x0000000075880000-0x00000000758C7000-memory.dmp
Filesize 284KB
-
memory/1484-211-0x0000000075870000-0x000000007587A000-memory.dmp
Filesize 40KB
-
memory/1504-143-0x0000000000000000-mapping.dmp
-
memory/1600-141-0x0000000000000000-mapping.dmp
-
memory/1600-83-0x0000000000000000-mapping.dmp
-
memory/1604-118-0x0000000000000000-mapping.dmp
-
memory/1604-68-0x0000000000000000-mapping.dmp
-
memory/1624-140-0x0000000000000000-mapping.dmp
-
memory/1700-74-0x0000000000000000-mapping.dmp
-
memory/1744-536-0x0000000074BB0000-0x0000000074BEB000-memory.dmp
Filesize 236KB
-
memory/1744-537-0x0000000000345000-0x0000000000356000-memory.dmp
Filesize 68KB
-
memory/1744-539-0x0000000077380000-0x0000000077529000-memory.dmp
Filesize 1.7MB
-
memory/1748-69-0x0000000000000000-mapping.dmp
-
memory/1788-67-0x0000000000000000-mapping.dmp
-
memory/1792-104-0x0000000000000000-mapping.dmp
-
memory/1844-127-0x0000000000000000-mapping.dmp
-
memory/1856-142-0x0000000000000000-mapping.dmp
-
memory/1916-94-0x0000000000000000-mapping.dmp
-
memory/1932-149-0x0000000000000000-mapping.dmp
-
memory/1972-126-0x0000000000000000-mapping.dmp
-
memory/1988-150-0x0000000000000000-mapping.dmp
-
memory/2016-124-0x0000000000000000-mapping.dmp
-
memory/2020-98-0x0000000000000000-mapping.dmp
-
memory/2032-113-0x0000000000000000-mapping.dmp
-
memory/2032-154-0x0000000000000000-mapping.dmp
-
memory/2080-138-0x0000000000000000-mapping.dmp
-
memory/2080-70-0x0000000000000000-mapping.dmp
-
memory/2084-106-0x0000000000000000-mapping.dmp
-
memory/2128-128-0x0000000000000000-mapping.dmp
-
memory/2148-139-0x0000000000000000-mapping.dmp
-
memory/2188-117-0x0000000000000000-mapping.dmp
-
memory/2192-96-0x0000000000000000-mapping.dmp
-
memory/2220-135-0x0000000000000000-mapping.dmp
-
memory/2272-87-0x0000000000000000-mapping.dmp
-
memory/2296-120-0x0000000000000000-mapping.dmp
-
memory/2348-176-0x00000000750C0000-0x00000000750D9000-memory.dmp
Filesize 100KB
-
memory/2348-171-0x0000000000370000-0x000000000037F000-memory.dmp
Filesize 60KB
-
memory/2348-157-0x0000000075880000-0x00000000758C7000-memory.dmp
Filesize 284KB
-
memory/2348-161-0x0000000074F30000-0x0000000074F38000-memory.dmp
Filesize 32KB
-
memory/2348-160-0x0000000074B70000-0x0000000074B82000-memory.dmp
Filesize 72KB
-
memory/2348-158-0x0000000076F50000-0x0000000076F55000-memory.dmp
Filesize 20KB
-
memory/2348-159-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize 1.5MB
-
memory/2348-163-0x0000000075080000-0x00000000750B5000-memory.dmp
Filesize 212KB
-
memory/2348-164-0x0000000075630000-0x00000000756DC000-memory.dmp
Filesize 688KB
-
memory/2348-166-0x0000000074B40000-0x0000000074B49000-memory.dmp
Filesize 36KB
-
memory/2348-165-0x0000000076F60000-0x0000000076FB7000-memory.dmp
Filesize 348KB
-
memory/2348-177-0x0000000074F70000-0x0000000074F7C000-memory.dmp
Filesize 48KB
-
memory/2348-162-0x0000000077530000-0x0000000077536000-memory.dmp
Filesize 24KB
-
memory/2348-175-0x0000000074FE0000-0x000000007507D000-memory.dmp
Filesize 628KB
-
memory/2348-167-0x0000000074B20000-0x0000000074B39000-memory.dmp
Filesize 100KB
-
memory/2348-173-0x0000000076820000-0x00000000768EC000-memory.dmp
Filesize 816KB
-
memory/2348-168-0x0000000074B10000-0x0000000074B1F000-memory.dmp
Filesize 60KB
-
memory/2348-169-0x0000000074B50000-0x0000000074B61000-memory.dmp
Filesize 68KB
-
memory/2348-170-0x0000000074B00000-0x0000000074B09000-memory.dmp
Filesize 36KB
-
memory/2348-174-0x0000000075870000-0x000000007587A000-memory.dmp
Filesize 40KB
-
memory/2348-172-0x00000000758D0000-0x0000000075970000-memory.dmp
Filesize 640KB
-
memory/2364-147-0x0000000000000000-mapping.dmp
-
memory/2420-146-0x0000000000000000-mapping.dmp
-
memory/2444-115-0x0000000000000000-mapping.dmp
-
memory/2488-136-0x0000000000000000-mapping.dmp
-
memory/2492-114-0x0000000000000000-mapping.dmp
-
memory/2520-152-0x0000000000000000-mapping.dmp
-
memory/2532-145-0x0000000000000000-mapping.dmp
-
memory/2548-155-0x0000000000000000-mapping.dmp
-
memory/2568-65-0x0000000000000000-mapping.dmp
-
memory/2572-112-0x0000000000000000-mapping.dmp
-
memory/2656-132-0x0000000000000000-mapping.dmp
-
memory/2684-76-0x0000000000000000-mapping.dmp
-
memory/2716-92-0x0000000000000000-mapping.dmp
-
memory/2740-130-0x0000000000000000-mapping.dmp
-
memory/2768-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
Filesize 8KB
-
memory/2796-108-0x0000000000000000-mapping.dmp
-
memory/2836-144-0x0000000000000000-mapping.dmp
-
memory/2888-133-0x0000000000000000-mapping.dmp
-
memory/2892-123-0x0000000000000000-mapping.dmp
-
memory/2936-153-0x0000000000000000-mapping.dmp
-
memory/2976-90-0x0000000000000000-mapping.dmp
-
memory/3008-73-0x0000000000000000-mapping.dmp
-
memory/3016-116-0x0000000000000000-mapping.dmp