Malware analysis Bonzify.exe Malicious activity | ANY.RUN

Add for printing

File name:	Bonzify.exe
Full analysis:	https://app.any.run/tasks/a3592cb3-8aee-4f98-b61a-163ed83aba53
Verdict:	Malicious activity
Analysis date:	March 16, 2024, 15:51:46
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	9C352D2CE0C0BDC40C72F52CE3480577
SHA1:	BD4C956186F33C92EB4469F7E5675510D0790E99
SHA256:	D7E6580054525D3F21F86EDFC9F30B7A75FFA829A1EB67EE3CAB33F0040DBA4E
SSDEEP:	196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3o:naWedh+Idx75QYub//73lc6u7bLMYxDo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Bonzify.exe (PID: 3940)
  - INSTALLER.exe (PID: 3324)
  - INSTALLER.exe (PID: 2372)
- Registers / Runs the DLL via REGSVR32.EXE
  - INSTALLER.exe (PID: 2372)
  - INSTALLER.exe (PID: 3324)
- Changes the autorun value in the registry
  - INSTALLER.exe (PID: 3324)
  - dllhost.exe (PID: 6008)
  - tlntsess.exe (PID: 324)
  - dllhost.exe (PID: 5204)
- Creates a writable file in the system directory
  - INSTALLER.exe (PID: 3324)
- Changes the AppInit_DLLs value (autorun option)
  - Bonzify.exe (PID: 3940)
- Unusual execution from MS Office
  - WINWORD.EXE (PID: 3956)
- Antivirus name has been found in the command line (generic signature)
  - reset.exe (PID: 5072)
SUSPICIOUS
- Executing commands from a ".bat" file
  - Bonzify.exe (PID: 3940)
- Starts CMD.EXE for commands execution
  - Bonzify.exe (PID: 3940)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 4044)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 4044)
- Takes ownership (TAKEOWN.EXE)
  - cmd.exe (PID: 4044)
- Starts a Microsoft application from unusual location
  - INSTALLER.exe (PID: 2372)
  - INSTALLER.exe (PID: 3324)
- Executable content was dropped or overwritten
  - Bonzify.exe (PID: 3940)
  - INSTALLER.exe (PID: 3324)
  - INSTALLER.exe (PID: 2372)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 748)
  - regsvr32.exe (PID: 1560)
  - regsvr32.exe (PID: 1992)
  - regsvr32.exe (PID: 240)
  - regsvr32.exe (PID: 1572)
  - regsvr32.exe (PID: 1860)
  - regsvr32.exe (PID: 3400)
  - regsvr32.exe (PID: 2744)
  - regsvr32.exe (PID: 1308)
  - chrome.exe (PID: 3564)
  - chrome.exe (PID: 1812)
  - msedge.exe (PID: 3124)
  - chrome.exe (PID: 548)
  - WINWORD.EXE (PID: 3956)
  - rasphone.exe (PID: 3988)
- Process drops legitimate windows executable
  - INSTALLER.exe (PID: 3324)
  - Bonzify.exe (PID: 3940)
  - INSTALLER.exe (PID: 2372)
- Creates a software uninstall entry
  - INSTALLER.exe (PID: 3324)
- Creates file in the systems drive root
  - Bonzify.exe (PID: 3940)
  - chrome.exe (PID: 3564)
  - chrome.exe (PID: 548)
  - chrome.exe (PID: 3084)
  - msedge.exe (PID: 1428)
  - msedge.exe (PID: 2556)
  - chrome.exe (PID: 2032)
  - msedge.exe (PID: 3768)
  - msedge.exe (PID: 3748)
  - chrome.exe (PID: 1812)
  - chrome.exe (PID: 3660)
  - WINWORD.EXE (PID: 3956)
  - chrome.exe (PID: 2536)
  - chrome.exe (PID: 3684)
  - chrome.exe (PID: 2292)
  - chrome.exe (PID: 3976)
  - msedge.exe (PID: 1864)
  - chrome.exe (PID: 2168)
  - chrome.exe (PID: 2384)
  - chrome.exe (PID: 1692)
  - chrome.exe (PID: 984)
  - chrome.exe (PID: 1884)
  - chrome.exe (PID: 3140)
  - msedge.exe (PID: 3132)
  - chrome.exe (PID: 1484)
  - msedge.exe (PID: 3108)
  - chrome.exe (PID: 4040)
  - msedge.exe (PID: 532)
  - chrome.exe (PID: 1748)
  - chrome.exe (PID: 3256)
  - msedge.exe (PID: 3124)
  - msedge.exe (PID: 2988)
  - ntvdm.exe (PID: 2744)
  - Eap3Host.exe (PID: 3572)
  - chrome.exe (PID: 4144)
  - relog.exe (PID: 120)
  - unlodctr.exe (PID: 3416)
  - chrome.exe (PID: 4296)
  - chrome.exe (PID: 4428)
  - alg.exe (PID: 4676)
  - TsUsbRedirectionGroupPolicyControl.exe (PID: 4452)
  - BrmfRsmg.exe (PID: 4616)
  - find.exe (PID: 5252)
  - NETFXSBS10.exe (PID: 5260)
  - aitstatic.exe (PID: 4500)
  - chrome.exe (PID: 4816)
  - gpupdate.exe (PID: 4916)
  - tskill.exe (PID: 3544)
  - qwinsta.exe (PID: 4520)
  - ie4uinit.exe (PID: 5928)
  - McrMgr.exe (PID: 5684)
  - dllhost.exe (PID: 6008)
  - tlntsess.exe (PID: 324)
  - bcdboot.exe (PID: 2576)
  - rasphone.exe (PID: 3988)
  - IEExec.exe (PID: 1772)
  - shrpubw.exe (PID: 4852)
  - dllhost.exe (PID: 5204)
  - Utilman.exe (PID: 4940)
  - wermgr.exe (PID: 3360)
  - msedge.exe (PID: 1344)
  - taskhost.exe (PID: 5540)
  - Mahjong.exe (PID: 2964)
  - ngen.exe (PID: 2564)
  - ctfmon.exe (PID: 4388)
  - jsc.exe (PID: 3332)
  - chrome.exe (PID: 3080)
  - ie4uinit.exe (PID: 1268)
  - dllhost.exe (PID: 2572)
  - infocard.exe (PID: 2928)
  - wbemtest.exe (PID: 3736)
  - EOSNotify.exe (PID: 5216)
  - sipnotify.exe (PID: 1992)
  - p2phost.exe (PID: 2184)
  - ehrec.exe (PID: 3496)
  - PresentationFontCache.exe (PID: 3128)
- Non-standard symbols in registry
  - WINWORD.EXE (PID: 3956)
- Changes internet zones settings
  - WINWORD.EXE (PID: 3956)
  - dllhost.exe (PID: 6008)
  - rasphone.exe (PID: 3988)
  - dllhost.exe (PID: 5204)
  - dllhost.exe (PID: 2572)
  - infocard.exe (PID: 2928)
- Adds/modifies Windows certificates
  - WINWORD.EXE (PID: 3956)
- Uses ATTRIB.EXE to modify file attributes
  - chrome.exe (PID: 548)
- Executed via WMI
  - bcdboot.exe (PID: 2576)
  - auditpol.exe (PID: 4772)
  - shrpubw.exe (PID: 4852)
  - reset.exe (PID: 5072)
  - auditpol.exe (PID: 5904)
  - infocard.exe (PID: 2928)
  - winresume.exe (PID: 612)
  - wermgr.exe (PID: 4464)
- Executes as Windows Service
  - dllhost.exe (PID: 5204)
  - taskhost.exe (PID: 5540)
  - dllhost.exe (PID: 2572)
  - EOSNotify.exe (PID: 5216)
- The process executes via Task Scheduler
  - ctfmon.exe (PID: 4388)
  - sipnotify.exe (PID: 1992)
  - shrpubw.exe (PID: 3284)
  - ehrec.exe (PID: 3496)
  - VSSVC.exe (PID: 424)
- Reads settings of System Certificates
  - infocard.exe (PID: 2928)
- Reads security settings of Internet Explorer
  - infocard.exe (PID: 2928)
- Checks Windows Trust Settings
  - infocard.exe (PID: 2928)
  - PresentationFontCache.exe (PID: 3128)
- Reads the Internet Settings
  - infocard.exe (PID: 2928)
INFO
- Checks supported languages
  - Bonzify.exe (PID: 3940)
  - AgentSvr.exe (PID: 1112)
  - INSTALLER.exe (PID: 3324)
  - AgentSvr.exe (PID: 2320)
  - INSTALLER.exe (PID: 2372)
  - wmpnscfg.exe (PID: 2188)
  - wmpnscfg.exe (PID: 3496)
  - Eap3Host.exe (PID: 3572)
  - relog.exe (PID: 120)
  - mpnotify.exe (PID: 4996)
  - TsUsbRedirectionGroupPolicyControl.exe (PID: 4452)
  - BrmfRsmg.exe (PID: 4616)
  - NETFXSBS10.exe (PID: 5260)
  - aitstatic.exe (PID: 4500)
  - McrMgr.exe (PID: 5684)
  - mscorsvw.exe (PID: 5016)
  - IEExec.exe (PID: 1772)
  - tlntsess.exe (PID: 324)
  - shrpubw.exe (PID: 4852)
  - wermgr.exe (PID: 3360)
  - jsc.exe (PID: 3332)
  - ie4uinit.exe (PID: 1268)
  - Mahjong.exe (PID: 2964)
  - ngen.exe (PID: 2564)
  - infocard.exe (PID: 2928)
  - ehrec.exe (PID: 3496)
  - PresentationFontCache.exe (PID: 3128)
  - wbemtest.exe (PID: 3736)
  - auditpol.exe (PID: 4772)
- Create files in a temporary directory
  - Bonzify.exe (PID: 3940)
  - INSTALLER.exe (PID: 3324)
  - INSTALLER.exe (PID: 2372)
  - NETFXSBS10.exe (PID: 5260)
  - ntvdm.exe (PID: 2744)
- Reads the computer name
  - INSTALLER.exe (PID: 2372)
  - INSTALLER.exe (PID: 3324)
  - Bonzify.exe (PID: 3940)
  - AgentSvr.exe (PID: 2320)
  - wmpnscfg.exe (PID: 2188)
  - wmpnscfg.exe (PID: 3496)
  - Eap3Host.exe (PID: 3572)
  - relog.exe (PID: 120)
  - mpnotify.exe (PID: 4996)
  - TsUsbRedirectionGroupPolicyControl.exe (PID: 4452)
  - BrmfRsmg.exe (PID: 4616)
  - McrMgr.exe (PID: 5684)
  - tlntsess.exe (PID: 324)
  - shrpubw.exe (PID: 4852)
  - infocard.exe (PID: 2928)
  - wbemtest.exe (PID: 3736)
  - ehrec.exe (PID: 3496)
  - PresentationFontCache.exe (PID: 3128)
  - auditpol.exe (PID: 4772)
- Reads the machine GUID from the registry
  - Bonzify.exe (PID: 3940)
  - AgentSvr.exe (PID: 2320)
  - McrMgr.exe (PID: 5684)
  - tlntsess.exe (PID: 324)
  - shrpubw.exe (PID: 4852)
  - jsc.exe (PID: 3332)
  - Mahjong.exe (PID: 2964)
  - infocard.exe (PID: 2928)
  - wbemtest.exe (PID: 3736)
  - ehrec.exe (PID: 3496)
  - PresentationFontCache.exe (PID: 3128)
- Manual execution by a user
  - chrome.exe (PID: 3564)
  - chrome.exe (PID: 3084)
  - msedge.exe (PID: 1428)
  - msedge.exe (PID: 2556)
  - WINWORD.EXE (PID: 3956)
  - wmpnscfg.exe (PID: 2188)
  - explorer.exe (PID: 1652)
  - wmpnscfg.exe (PID: 3496)
  - appcmd.exe (PID: 1092)
  - winload.exe (PID: 2016)
  - aitstatic.exe (PID: 4500)
  - NETFXSBS10.exe (PID: 5260)
  - McrMgr.exe (PID: 5684)
  - mscorsvw.exe (PID: 5016)
  - EdmGen.exe (PID: 2384)
- Application launched itself
  - chrome.exe (PID: 3564)
  - msedge.exe (PID: 2556)
  - chrome.exe (PID: 3084)
  - msedge.exe (PID: 1428)
  - msedge.exe (PID: 3748)
- Checks transactions between databases Windows and Oracle
  - dllhost.exe (PID: 5204)
  - dllhost.exe (PID: 2572)
- Changes appearance of the Explorer extensions
  - dllhost.exe (PID: 5204)
- Reads the software policy settings
  - infocard.exe (PID: 2928)
  - PresentationFontCache.exe (PID: 3128)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 MS Cabinet Self-Extractor (WExtract stub) (86.7)
.exe	\|	Win32 Executable MS Visual C++ (generic) (8.9)
.dll	\|	Win32 Dynamic Link Library (generic) (1.8)
.exe	\|	Win32 Executable (generic) (1.2)
.exe	\|	Generic Win/DOS Executable (0.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:03:04 14:58:11+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	4096
InitializedDataSize:	6697472
UninitializedDataSize:	-
EntryPoint:	0x16b0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

394

Monitored processes

131

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

120

"C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe"

C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe

—

chrome.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Performance Relogging Utility

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

240

regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"

C:\Windows\System32\regsvr32.exe

—

INSTALLER.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

324

"C:\Windows\winsxs\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad364e35_6.1.7600.16385_none_a9cd5618e9d2d300\tlntsess.exe"

C:\Windows\winsxs\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad364e35_6.1.7600.16385_none_a9cd5618e9d2d300\tlntsess.exe

dllhost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Telnet Server Helper

Exit code:

3221225477

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\winsxs\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad364e35_6.1.7600.16385_none_a9cd5618e9d2d300\tlntsess.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

412

"C:\Windows\SysWow64\print.exe"

C:\Windows\System32\print.exe

—

dllhost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Print Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

424

"C:\Windows\winsxs\x86_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7601.17514_none_5cd4386276198cd2\VSSVC.exe"

C:\Windows\winsxs\x86_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7601.17514_none_5cd4386276198cd2\VSSVC.exe

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

532

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1380,i,13490081635525181479,15986496972037266640,131072 /prefetch:3

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

548

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xd4,0xd8,0xdc,0xac,0xe0,0x71988b38,0x71988b48,0x71988b54

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

612

"C:\Windows\winsxs\x86_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23539_none_5da6f30ce41285cd\winresume.exe"

C:\Windows\winsxs\x86_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23539_none_5da6f30ce41285cd\winresume.exe

—

WmiPrvSE.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Resume From Hibernate boot application

Exit code:

Version:

6.1.7601.23003 (win7sp1_ldr.150317-1510)

Modules

Images
c:\windows\winsxs\x86_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23539_none_5da6f30ce41285cd\winresume.exe
c:\windows\system32\ntdll.dll

748

regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"

C:\Windows\System32\regsvr32.exe

—

INSTALLER.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

984

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1648 --field-trial-handle=1236,i,10367648673522318350,3066183693346873426,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

30 015

Read events

27 849

Write events

1 835

Delete events

331

Modification events


(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Apartment
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Apartment
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Control
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Programmable
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(748) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3940	Bonzify.exe	C:\Users\admin\AppData\Local\Temp\KillAgent.bat		text
		MD5:EA7DF060B402326B4305241F21F39736	SHA256:E4EDC2CB6317AB19EE1A6327993E9332AF35CFBEBAFF2AC7C3F71D43CFCBE793
3940	Bonzify.exe	C:\Users\admin\AppData\Local\Temp\TakeOwn.bat		text
		MD5:F80E36CD406022944558D8A099DB0FA7	SHA256:7B41E5A6C2DD92F60C38CB4FE09DCBE378C3E99443F7BAF079ECE3608497BDC7
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL		executable
		MD5:316999655FEF30C52C3854751C663996	SHA256:EA4CA740CD60D2C88280FF8115BF354876478EF27E9E676D8B66601B4E900BA0
3940	Bonzify.exe	C:\Windows\executables.bin		binary
		MD5:F3160BA7F8BB9D7A9C6080EF2C9869C5	SHA256:F6A3286714A661612EAC65E4A6CB78736C370492151B692A8F1E666740C0A00E
3940	Bonzify.exe	C:\Users\admin\AppData\Local\Temp\INSTALLER.exe		executable
		MD5:66996A076065EBDCDAC85FF9637CEAE0	SHA256:16CA09AD70561F413376AD72550AE5664C89C6A76C85C872FFE2CB1E7F49E2AA
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL		executable
		MD5:9FAFB9D0591F2BE4C2A846F63D82D301	SHA256:E78E74C24D468284639FAF9DCFDBA855F3E4F00B2F26DB6B2C491FA51DA8916D
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE		executable
		MD5:5C91BF20FE3594B81052D131DB798575	SHA256:E8CE546196B6878A8C34DA863A6C8A7E34AF18FB9B509D4D36763734EFA2D175
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL		executable
		MD5:4FBBAAC42CF2ECB83543F262973D07C0	SHA256:6550582E41FC53B8A7CCDF9AC603216937C6FF2A28E9538610ADB7E67D782AB5
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL		executable
		MD5:0CBF0F4C9E54D12D34CD1A772BA799E1	SHA256:6B0B57E5B27D901F4F106B236C58D0B2551B384531A8F3DAD6C06ED4261424B1
2372	INSTALLER.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP		binary
		MD5:466D35E6A22924DD846A043BC7DD94B8	SHA256:E4CCF06706E68621BB69ADD3DD88FED82D30AD8778A55907D33F6D093AC16801

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
856	svchost.exe	HEAD	403	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhlaaeamibhnphh_3_all_gplutbkdljxxbjolk3siq7kive.crx3	unknown	—	—	unknown
2864	RMActivate_isv.exe	GET	200	84.53.175.122:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e6cb58393ec7bf72	unknown	compressed	4.66 Kb	unknown
5100	infocard.exe	GET	200	84.53.175.122:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0d7fd858ca2488e2	unknown	compressed	4.66 Kb	unknown
5100	infocard.exe	GET	200	95.101.21.9:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	binary	767 b	unknown
5100	infocard.exe	GET	200	95.101.21.9:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	binary	564 b	unknown
2928	infocard.exe	GET	200	84.53.175.122:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d0792f0471a92409	unknown	compressed	4.66 Kb	unknown
2928	infocard.exe	GET	200	95.101.21.9:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	binary	767 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1812	chrome.exe	142.250.102.84:443	accounts.google.com	GOOGLE	US	unknown
1812	chrome.exe	142.250.179.195:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
3564	chrome.exe	239.255.255.250:1900	—	—	—	unknown
1812	chrome.exe	142.251.36.36:443	www.google.com	GOOGLE	US	whitelisted
1812	chrome.exe	172.217.23.195:443	update.googleapis.com	GOOGLE	US	whitelisted
1812	chrome.exe	142.251.36.10:443	www.googleapis.com	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
www.google.com	142.251.36.36	whitelisted
accounts.google.com	142.250.102.84	shared
clientservices.googleapis.com	142.250.179.195	whitelisted
update.googleapis.com	172.217.23.195	whitelisted
www.googleapis.com	142.251.36.10	whitelisted
nw-umwatson.events.data.microsoft.com	20.189.173.22	whitelisted
clients1.google.com	172.217.23.206	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
ctldl.windowsupdate.com	84.53.175.122	whitelisted
www.bing.com	2.22.54.122	whitelisted

Threats

No threats detected

Add for printing

Process	Message
AgentSvr.exe	ClaimOutput
AgentSvr.exe	UnclaimOutput
AgentSvr.exe	ClaimOutput
AgentSvr.exe	UnclaimOutput
AgentSvr.exe	ClaimOutput
AgentSvr.exe	UnclaimOutput
AgentSvr.exe	ClaimOutput
AgentSvr.exe	UnclaimOutput
AgentSvr.exe	ClaimOutput
AgentSvr.exe	UnclaimOutput

General Info

Bonzify.exe

9C352D2CE0C0BDC40C72F52CE3480577

BD4C956186F33C92EB4469F7E5675510D0790E99

D7E6580054525D3F21F86EDFC9F30B7A75FFA829A1EB67EE3CAB33F0040DBA4E

196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3o:naWedh+Idx75QYub//73lc6u7bLMYxDo

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Creates a writable file in the system directory

Changes the AppInit_DLLs value (autorun option)

Unusual execution from MS Office

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Uses TASKKILL.EXE to kill process

Takes ownership (TAKEOWN.EXE)

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Creates/Modifies COM task schedule object

Process drops legitimate windows executable

Creates a software uninstall entry

Creates file in the systems drive root

Non-standard symbols in registry

Changes internet zones settings

Adds/modifies Windows certificates

Uses ATTRIB.EXE to modify file attributes

Executed via WMI

Executes as Windows Service

The process executes via Task Scheduler

Reads settings of System Certificates

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads the Internet Settings

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the machine GUID from the registry

Manual execution by a user

Application launched itself

Checks transactions between databases Windows and Oracle

Changes appearance of the Explorer extensions

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity