File name:

Bonzify.exe

Full analysis: https://app.any.run/tasks/e7a43a70-b3d5-45c8-9346-7b10e405e0b4
Verdict: Malicious activity
Analysis date: April 25, 2024, 08:51:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FBA93D8D029E85E0CDE3759B7903CEE2

SHA1:

525B1AA549188F4565C75AB69E51F927204CA384

SHA256:

66F62408DFCE7C4A5718D2759F1D35721CA22077398850277D16E1FCA87FE764

SSDEEP:

196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3m:OaWedh+Idx75QYub//73lc6u7bLMYxDm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Bonzify.exe (PID: 2268)
      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
      • RTLCPL.EXE (PID: 2728)
    • Registers / Runs the DLL via REGSVR32.EXE

      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
    • Changes the autorun value in the registry

      • INSTALLER.exe (PID: 3984)
      • RTBK.EXE (PID: 2744)
      • slui.exe (PID: 2756)
      • SndVol.exe (PID: 3864)
      • wbengine.exe (PID: 2176)
    • Creates a writable file in the system directory

      • INSTALLER.exe (PID: 3984)
    • Changes the AppInit_DLLs value (autorun option)

      • Bonzify.exe (PID: 2268)
    • Starts PowerShell from an unusual location

      • wbengine.exe (PID: 2176)
    • Changes Windows Error Reporting flag

      • wbengine.exe (PID: 2176)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Bonzify.exe (PID: 2268)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 3472)
    • Starts CMD.EXE for commands execution

      • Bonzify.exe (PID: 2268)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3472)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3472)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1556)
      • regsvr32.exe (PID: 1808)
      • regsvr32.exe (PID: 864)
      • regsvr32.exe (PID: 3892)
      • regsvr32.exe (PID: 1112)
      • regsvr32.exe (PID: 1492)
      • regsvr32.exe (PID: 1408)
      • regsvr32.exe (PID: 2888)
      • regsvr32.exe (PID: 3896)
      • RTBK.EXE (PID: 2744)
      • slui.exe (PID: 2756)
      • wbengine.exe (PID: 2176)
    • Starts a Microsoft application from unusual location

      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
    • Executable content was dropped or overwritten

      • Bonzify.exe (PID: 2268)
      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
      • RTLCPL.EXE (PID: 2728)
    • Process drops legitimate windows executable

      • Bonzify.exe (PID: 2268)
      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
    • Creates a software uninstall entry

      • INSTALLER.exe (PID: 3984)
      • RTBK.EXE (PID: 2744)
    • Creates file in the systems drive root

      • Bonzify.exe (PID: 2268)
      • RTLCPL.EXE (PID: 2728)
      • ntvdm.exe (PID: 2880)
      • XamlViewer_v0300.exe (PID: 1188)
      • logagent.exe (PID: 3432)
      • RTBK.EXE (PID: 2744)
      • dw20.exe (PID: 876)
      • imjpuexc.exe (PID: 3908)
      • WerFault.exe (PID: 3700)
      • loadmxf.exe (PID: 120)
      • appcmd.exe (PID: 3596)
      • PrintBrmEngine.exe (PID: 3780)
      • BdeUnlockWizard.exe (PID: 3832)
      • typeperf.exe (PID: 3528)
      • pcawrk.exe (PID: 2800)
      • TabTip.exe (PID: 2300)
      • wuauclt.exe (PID: 2652)
      • printfilterpipelinesvc.exe (PID: 1880)
      • regsvr32.exe (PID: 3368)
      • twunk_32.exe (PID: 1548)
      • appidcertstorecheck.exe (PID: 3980)
      • replace.exe (PID: 1748)
      • ie4uinit.exe (PID: 1844)
      • grpconv.exe (PID: 3196)
      • grpconv.exe (PID: 3768)
      • TabTip.exe (PID: 2128)
      • services.exe (PID: 1792)
      • slui.exe (PID: 2756)
      • MSBuild.exe (PID: 532)
      • sppsvc.exe (PID: 2088)
      • wbengine.exe (PID: 2176)
      • mshta.exe (PID: 2620)
      • SndVol.exe (PID: 3864)
      • powershell.exe (PID: 2936)
      • chgport.exe (PID: 3196)
      • sdiagnhost.exe (PID: 2468)
      • SETUP.EXE (PID: 2904)
      • winver.exe (PID: 3308)
      • ndadmin.exe (PID: 560)
      • LinqWebConfig.exe (PID: 3708)
      • AddInUtil.exe (PID: 3520)
      • DFDWiz.exe (PID: 2788)
      • Alcrmv.exe (PID: 2760)
      • appidcertstorecheck.exe (PID: 1820)
    • Executed via WMI

      • XamlViewer_v0300.exe (PID: 1188)
      • imjpuexc.exe (PID: 3908)
      • WerFault.exe (PID: 3700)
    • Reads security settings of Internet Explorer

      • XamlViewer_v0300.exe (PID: 1188)
      • SETUP.EXE (PID: 2904)
    • Reads settings of System Certificates

      • XamlViewer_v0300.exe (PID: 1188)
      • SETUP.EXE (PID: 2904)
    • Checks Windows Trust Settings

      • XamlViewer_v0300.exe (PID: 1188)
      • SETUP.EXE (PID: 2904)
      • powershell.exe (PID: 2936)
    • Changes internet zones settings

      • RTBK.EXE (PID: 2744)
      • slui.exe (PID: 2756)
      • wbengine.exe (PID: 2176)
    • Reads the Internet Settings

      • XamlViewer_v0300.exe (PID: 1188)
      • mshta.exe (PID: 2620)
    • Changes default file association

      • RTBK.EXE (PID: 2744)
    • Adds/modifies Windows certificates

      • RTBK.EXE (PID: 2744)
    • Executes as Windows Service

      • wbengine.exe (PID: 2176)
  • INFO

    • Create files in a temporary directory

      • Bonzify.exe (PID: 2268)
      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
      • RTLCPL.EXE (PID: 2728)
      • twunk_32.exe (PID: 1548)
      • SETUP.EXE (PID: 2904)
    • Checks supported languages

      • INSTALLER.exe (PID: 696)
      • INSTALLER.exe (PID: 3984)
      • AgentSvr.exe (PID: 2744)
      • wmpnscfg.exe (PID: 2484)
      • wmpnscfg.exe (PID: 3684)
      • RTLCPL.EXE (PID: 2728)
      • AgentSvr.exe (PID: 332)
      • RTBK.EXE (PID: 2744)
      • logagent.exe (PID: 3432)
      • XamlViewer_v0300.exe (PID: 1188)
      • dw20.exe (PID: 876)
      • loadmxf.exe (PID: 120)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 3940)
      • Bonzify.exe (PID: 2268)
      • appcmd.exe (PID: 3596)
      • TabTip.exe (PID: 2300)
      • wuauclt.exe (PID: 2652)
      • typeperf.exe (PID: 3528)
      • svchost.exe (PID: 2320)
      • pcawrk.exe (PID: 2800)
      • ie4uinit.exe (PID: 1844)
      • twunk_32.exe (PID: 1548)
      • regsvr32.exe (PID: 3368)
      • printfilterpipelinesvc.exe (PID: 1880)
      • TabTip.exe (PID: 2128)
      • services.exe (PID: 1792)
      • grpconv.exe (PID: 3768)
      • sppsvc.exe (PID: 2088)
      • MSBuild.exe (PID: 532)
      • auditpol.exe (PID: 1728)
      • powershell.exe (PID: 2936)
      • SETUP.EXE (PID: 2904)
      • AddInUtil.exe (PID: 3520)
      • lsass.exe (PID: 2560)
      • auditpol.exe (PID: 2860)
      • LinqWebConfig.exe (PID: 3708)
      • Alcrmv.exe (PID: 2760)
      • appidcertstorecheck.exe (PID: 1820)
    • Reads the computer name

      • INSTALLER.exe (PID: 696)
      • Bonzify.exe (PID: 2268)
      • INSTALLER.exe (PID: 3984)
      • AgentSvr.exe (PID: 332)
      • wmpnscfg.exe (PID: 3684)
      • wmpnscfg.exe (PID: 2484)
      • logagent.exe (PID: 3432)
      • RTLCPL.EXE (PID: 2728)
      • RTBK.EXE (PID: 2744)
      • XamlViewer_v0300.exe (PID: 1188)
      • dw20.exe (PID: 876)
      • loadmxf.exe (PID: 120)
      • wmpnscfg.exe (PID: 3152)
      • wmpnscfg.exe (PID: 3940)
      • typeperf.exe (PID: 3528)
      • TabTip.exe (PID: 2300)
      • wuauclt.exe (PID: 2652)
      • printfilterpipelinesvc.exe (PID: 1880)
      • regsvr32.exe (PID: 3368)
      • MSBuild.exe (PID: 532)
      • services.exe (PID: 1792)
      • auditpol.exe (PID: 1728)
      • powershell.exe (PID: 2936)
      • SETUP.EXE (PID: 2904)
      • auditpol.exe (PID: 2860)
    • Reads the machine GUID from the registry

      • Bonzify.exe (PID: 2268)
      • AgentSvr.exe (PID: 332)
      • RTLCPL.EXE (PID: 2728)
      • RTBK.EXE (PID: 2744)
      • logagent.exe (PID: 3432)
      • XamlViewer_v0300.exe (PID: 1188)
      • dw20.exe (PID: 876)
      • loadmxf.exe (PID: 120)
      • wuauclt.exe (PID: 2652)
      • printfilterpipelinesvc.exe (PID: 1880)
      • regsvr32.exe (PID: 3368)
      • SETUP.EXE (PID: 2904)
      • powershell.exe (PID: 2936)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3684)
      • wmpnscfg.exe (PID: 2484)
      • ntvdm.exe (PID: 2880)
      • RTLCPL.EXE (PID: 2728)
      • wmpnscfg.exe (PID: 3940)
      • BdeUnlockWizard.exe (PID: 3832)
      • IMJPDADM.EXE (PID: 2112)
      • wmpnscfg.exe (PID: 3152)
      • PrintBrmEngine.exe (PID: 3780)
      • pcawrk.exe (PID: 2800)
      • shrpubw.exe (PID: 3736)
      • wuauclt.exe (PID: 2652)
      • twunk_32.exe (PID: 1548)
      • regsvr32.exe (PID: 3368)
      • grpconv.exe (PID: 3196)
      • printfilterpipelinesvc.exe (PID: 1880)
      • TabTip.exe (PID: 2128)
      • PSCustomSetupInstaller.exe (PID: 2196)
      • grpconv.exe (PID: 3768)
      • MSBuild.exe (PID: 532)
      • ntkrnlpa.exe (PID: 1976)
      • chgport.exe (PID: 3196)
    • Reads Environment values

      • RTLCPL.EXE (PID: 2728)
      • dw20.exe (PID: 876)
    • Reads the software policy settings

      • XamlViewer_v0300.exe (PID: 1188)
      • SETUP.EXE (PID: 2904)
    • Reads product name

      • dw20.exe (PID: 876)
    • Creates files in the program directory

      • dw20.exe (PID: 876)
    • Process checks Powershell version

      • powershell.exe (PID: 2936)
    • Reads Microsoft Office registry keys

      • SETUP.EXE (PID: 2904)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2620)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4)
.exe | Win32 Executable MS Visual C++ (generic) (8.2)
.exe | Win64 Executable (generic) (7.3)
.dll | Win32 Dynamic Link Library (generic) (1.7)
.exe | Win32 Executable (generic) (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:13 11:42:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 4096
InitializedDataSize: 6696960
UninitializedDataSize: -
EntryPoint: 0x16b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
262
Monitored processes
86
Malicious processes
11
Suspicious processes
3

Behavior graph

start bonzify.exe cmd.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs agentsvr.exe no specs grpconv.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs grpconv.exe no specs agentsvr.exe wmpnscfg.exe no specs wmpnscfg.exe no specs ntvdm.exe no specs rtlcpl.exe rtbk.exe logagent.exe no specs xamlviewer_v0300.exe dw20.exe no specs imjpuexc.exe loadmxf.exe no specs werfault.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs sapisvr.exe no specs imjpdadm.exe no specs printbrmengine.exe no specs appcmd.exe no specs bdeunlockwizard.exe no specs tabtip.exe no specs wuauclt.exe no specs typeperf.exe no specs shrpubw.exe no specs svchost.exe no specs pcawrk.exe no specs ie4uinit.exe no specs grpconv.exe no specs systempropertiescomputername.exe no specs printfilterpipelinesvc.exe no specs odbcad32.exe no specs twunk_32.exe no specs appidcertstorecheck.exe no specs replace.exe no specs regsvr32.exe no specs grpconv.exe no specs slui.exe tabtip.exe no specs ieetwcollector.exe no specs pscustomsetupinstaller.exe no specs aspnet_wp.exe no specs services.exe no specs rrinstaller.exe no specs ntkrnlpa.exe no specs sndvol.exe lpremove.exe no specs mcbuilder.exe no specs winresume.exe no specs auditpol.exe no specs eudcedit.exe no specs sppsvc.exe no specs wbengine.exe mshta.exe no specs msbuild.exe no specs winver.exe no specs chgport.exe no specs sdiagnhost.exe no specs powershell.exe no specs setup.exe no specs lsass.exe no specs auditpol.exe no specs ndadmin.exe no specs linqwebconfig.exe no specs addinutil.exe no specs alcrmv.exe no specs appidcertstorecheck.exe no specs dfdwiz.exe no specs bonzify.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: "C:\Windows\ehome\loadmxf.exe"
Path: C:\Windows\ehome\loadmxf.exe
Parent process: RTBK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Center MXF Loader
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\ehome\loadmxf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 332
CMD: C:\Windows\msagent\AgentSvr.exe -Embedding
Path: C:\Windows\msagent\AgentSvr.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Agent Server
Exit code:
0
Version:
2.00.0.2202
Modules
Images
c:\windows\msagent\agentsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 532
CMD: "C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.1.7601.18523_none_55908d7e6dda7cf4\MSBuild.exe"
Path: C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.1.7601.18523_none_55908d7e6dda7cf4\MSBuild.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
1
Version:
2.0.50727.5483 built by: Win7SP1GDR
Modules
Images
c:\windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.1.7601.18523_none_55908d7e6dda7cf4\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 560
CMD: "C:\Windows\System32\ndadmin.exe"
Path: C:\Windows\System32\ndadmin.exe
Parent process: wbengine.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Device driver software installation
Exit code:
87
Version:
5.2.3668.0
Modules
Images
c:\windows\system32\ndadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 696
CMD: INSTALLER.exe /q
Path: C:\Users\admin\AppData\Local\Temp\INSTALLER.exe
Parent process: Bonzify.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
4.71.1015.0
Modules
Images
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 864
CMD: regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: INSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 876
CMD: dw20.exe -x -s 1064
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Parent process: XamlViewer_v0300.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1112
CMD: regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: INSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1188
CMD: "C:\Windows\winsxs\x86_wpf-xamlviewer_31bf3856ad364e35_6.1.7600.16385_none_55e4a2a4de407800\XamlViewer_v0300.exe"
Path: C:\Windows\winsxs\x86_wpf-xamlviewer_31bf3856ad364e35_6.1.7600.16385_none_55e4a2a4de407800\XamlViewer_v0300.exe
Parent process: WmiPrvSE.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
XamlViewer_v0300.exe
Exit code:
3762507597
Version:
3.0.6920.4902 built by: NetFXw7
Modules
Images
c:\windows\winsxs\x86_wpf-xamlviewer_31bf3856ad364e35_6.1.7600.16385_none_55e4a2a4de407800\xamlviewer_v0300.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1352
CMD: grpconv.exe -o
Path: C:\Windows\System32\grpconv.exe
Parent process: INSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
20 071
Read events
17 810
Write events
2 244
Delete events
17

Modification events

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Control
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Programmable
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32
Operation: delete key
Name: (default)
Value:

(PID) Process: (864) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib
Operation: delete key
Name: (default)
Value:
Executable files
54
Suspicious files
22
Text files
35
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
Type: executable
MD5: 7C5AEFB11E797129C9E90F279FBDF71B
SHA256: 394A17150B8774E507B8F368C2C248C10FCE50FC43184B744E771F0E79ECAFED

PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
Type: executable
MD5: 316999655FEF30C52C3854751C663996
SHA256: EA4CA740CD60D2C88280FF8115BF354876478EF27E9E676D8B66601B4E900BA0

PID: 2268
Process: Bonzify.exe
Filename: C:\Users\admin\AppData\Local\Temp\INSTALLER.exe
Type: executable
MD5: 66996A076065EBDCDAC85FF9637CEAE0
SHA256: 16CA09AD70561F413376AD72550AE5664C89C6A76C85C872FFE2CB1E7F49E2AA

PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT
Type: text
MD5: 7070B77ED401307D2E9A0F8EAAAA543B
SHA256: 225D227ABBD45BF54D01DFC9FA6E54208BF5AE452A32CC75B15D86456A669712

PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
Type: hlp
MD5: 466D35E6A22924DD846A043BC7DD94B8
SHA256: E4CCF06706E68621BB69ADD3DD88FED82D30AD8778A55907D33F6D093AC16801

PID: 2268
Process: Bonzify.exe
Filename: C:\Users\admin\AppData\Local\Temp\KillAgent.bat
Type: text
MD5: EA7DF060B402326B4305241F21F39736
SHA256: E4EDC2CB6317AB19EE1A6327993E9332AF35CFBEBAFF2AC7C3F71D43CFCBE793

PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
Type: executable
MD5: A334BBF5F5A19B3BDB5B7F1703363981
SHA256: C33BEABA130F8B740DDDB9980FE9012F9322AC6E94F36A6AA6086851C51B98DE

PID: 2268
Process: Bonzify.exe
Filename: C:\Windows\executables.bin
Type: binary
MD5: F3160BA7F8BB9D7A9C6080EF2C9869C5
SHA256: F6A3286714A661612EAC65E4A6CB78736C370492151B692A8F1E666740C0A00E

PID: 2268
Process: Bonzify.exe
Filename: C:\Users\admin\AppData\Local\Temp\TakeOwn.bat
Type: text
MD5: F80E36CD406022944558D8A099DB0FA7
SHA256: 7B41E5A6C2DD92F60C38CB4FE09DCBE378C3E99443F7BAF079ECE3608497BDC7

PID: 696
Process: INSTALLER.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
Type: binary
MD5: E4A499B9E1FE33991DBCFB4E926C8821
SHA256: 49E6B848F5A708D161F795157333D7E1C7103455A2F47F50895683EF6A1ABE4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1188
XamlViewer_v0300.exe
GET
200
23.53.40.72:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f5c9b24d503eeedd
unknown
unknown
1188
XamlViewer_v0300.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
1188
XamlViewer_v0300.exe
23.53.40.72:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1188
XamlViewer_v0300.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 23.53.40.72
  • 23.53.40.65
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted

Threats

No threats detected
Process | Message
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | UnclaimOutput
AgentSvr.exe | ClaimOutput
AgentSvr.exe | ClaimOutput