File name:

Bonzify.exe

Full analysis: https://app.any.run/tasks/e9933081-936a-4d6c-aa67-62a55f72ecee
Verdict: Malicious activity
Analysis date: January 18, 2024, 20:45:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
malware
bonzibuddy
bonzi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9C352D2CE0C0BDC40C72F52CE3480577

SHA1:

BD4C956186F33C92EB4469F7E5675510D0790E99

SHA256:

D7E6580054525D3F21F86EDFC9F30B7A75FFA829A1EB67EE3CAB33F0040DBA4E

SSDEEP:

196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3o:naWedh+Idx75QYub//73lc6u7bLMYxDo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Bonzify.exe (PID: 2064)
      • INSTALLER.exe (PID: 1236)
      • INSTALLER.exe (PID: 1536)

    • Registers / Runs the DLL via REGSVR32.EXE

      • INSTALLER.exe (PID: 1236)
      • INSTALLER.exe (PID: 1536)

    • Creates a writable file in the system directory

      • INSTALLER.exe (PID: 1536)

    • Changes the AppInit_DLLs value (autorun option)

      • Bonzify.exe (PID: 2064)

    • Changes the autorun value in the registry

      • comp.exe (PID: 2076)
      • dllhost.exe (PID: 1196)
      • printfilterpipelinesvc.exe (PID: 3396)
      • dpapimig.exe (PID: 3752)
      • SETUP.EXE (PID: 3000)
      • ehvid.exe (PID: 2044)
      • wuauclt.exe (PID: 5248)
      • ftp.exe (PID: 5692)
      • rdpclip.exe (PID: 6132)
      • explorer.exe (PID: 2692)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Bonzify.exe (PID: 2064)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 2420)

    • Executing commands from a ".bat" file

      • Bonzify.exe (PID: 2064)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2420)

    • Executable content was dropped or overwritten

      • Bonzify.exe (PID: 2064)
      • INSTALLER.exe (PID: 1236)
      • INSTALLER.exe (PID: 1536)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 2420)

    • Process drops legitimate windows executable

      • Bonzify.exe (PID: 2064)
      • INSTALLER.exe (PID: 1236)
      • INSTALLER.exe (PID: 1536)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 956)
      • dllhost.exe (PID: 120)
      • dllhost.exe (PID: 1196)
      • label.exe (PID: 1264)
      • rdpclip.exe (PID: 6132)
      • conhost.exe (PID: 5460)
      • SETUP.EXE (PID: 3000)
      • explorer.exe (PID: 2692)

    • Changes internet zones settings

      • comp.exe (PID: 2076)
      • dllhost.exe (PID: 120)
      • printfilterpipelinesvc.exe (PID: 3396)
      • dllhost.exe (PID: 1196)
      • SETUP.EXE (PID: 3540)
      • label.exe (PID: 1264)
      • ehmsas.exe (PID: 3220)
      • SETUP.EXE (PID: 3000)
      • conhost.exe (PID: 5460)
      • explorer.exe (PID: 2692)

    • Changes default file association

      • dllhost.exe (PID: 1196)

    • Checks Windows Trust Settings

      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)

    • Reads security settings of Internet Explorer

      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)

    • Reads settings of System Certificates

      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)

    • Starts itself from another location

      • SETUP.EXE (PID: 3540)

    • Write to the desktop.ini file (may be used to cloak folders)

      • Journal.exe (PID: 2500)

    • Changes the desktop background image

      • ehmsas.exe (PID: 3220)

    • Process changes security settings for the VBA macro

      • rdpclip.exe (PID: 6132)

  • INFO

    • Checks supported languages

      • Bonzify.exe (PID: 2064)
      • INSTALLER.exe (PID: 1236)
      • AgentSvr.exe (PID: 1928)
      • INSTALLER.exe (PID: 1536)
      • AgentSvr.exe (PID: 2192)
      • wmpnscfg.exe (PID: 3012)
      • wmpnscfg.exe (PID: 3020)
      • McxTask.exe (PID: 2860)
      • msinfo32.exe (PID: 1812)
      • printfilterpipelinesvc.exe (PID: 3396)
      • dpapimig.exe (PID: 3752)
      • consent.exe (PID: 2984)
      • wmpenc.exe (PID: 3656)
      • label.exe (PID: 1264)
      • NETFXRepair.exe (PID: 3876)
      • Journal.exe (PID: 2500)
      • SETUP.EXE (PID: 3540)
      • SearchProtocolHost.exe (PID: 3988)
      • SETUP.EXE (PID: 3000)
      • ehmsas.exe (PID: 3220)
      • ehvid.exe (PID: 2044)
      • wscript.exe (PID: 4624)
      • ROUTE.EXE (PID: 4312)
      • wuauclt.exe (PID: 5248)
      • conhost.exe (PID: 5460)
      • AxInstUI.exe (PID: 5892)
      • RTLCPL.EXE (PID: 5976)
      • Defrag.exe (PID: 4284)
      • scrcons.exe (PID: 2372)
      • dpapimig.exe (PID: 3756)
      • TabTip.exe (PID: 2816)
      • cttunesvr.exe (PID: 3156)
      • userinit.exe (PID: 2764)
      • wksprt.exe (PID: 3824)
      • RegSvcs.exe (PID: 5644)

    • Create files in a temporary directory

      • Bonzify.exe (PID: 2064)
      • INSTALLER.exe (PID: 1236)
      • INSTALLER.exe (PID: 1536)
      • NETFXRepair.exe (PID: 3876)
      • FXSSVC.exe (PID: 492)
      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)

    • Reads the computer name

      • INSTALLER.exe (PID: 1236)
      • wmpnscfg.exe (PID: 3020)
      • INSTALLER.exe (PID: 1536)
      • Bonzify.exe (PID: 2064)
      • AgentSvr.exe (PID: 2192)
      • wmpnscfg.exe (PID: 3012)
      • msinfo32.exe (PID: 1812)
      • dpapimig.exe (PID: 3752)
      • consent.exe (PID: 2984)
      • printfilterpipelinesvc.exe (PID: 3396)
      • wmpenc.exe (PID: 3656)
      • Journal.exe (PID: 2500)
      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)
      • ehmsas.exe (PID: 3220)
      • ehvid.exe (PID: 2044)
      • wscript.exe (PID: 4624)
      • wuauclt.exe (PID: 5248)
      • dpapimig.exe (PID: 3756)
      • TabTip.exe (PID: 2816)
      • cttunesvr.exe (PID: 3156)

    • Reads the machine GUID from the registry

      • AgentSvr.exe (PID: 2192)
      • Bonzify.exe (PID: 2064)
      • msinfo32.exe (PID: 1812)
      • dpapimig.exe (PID: 3752)
      • printfilterpipelinesvc.exe (PID: 3396)
      • wmpenc.exe (PID: 3656)
      • label.exe (PID: 1264)
      • Journal.exe (PID: 2500)
      • SearchProtocolHost.exe (PID: 3988)
      • SETUP.EXE (PID: 3540)
      • SETUP.EXE (PID: 3000)
      • ehmsas.exe (PID: 3220)
      • ehvid.exe (PID: 2044)
      • wscript.exe (PID: 4624)
      • wuauclt.exe (PID: 5248)
      • conhost.exe (PID: 5460)
      • RTLCPL.EXE (PID: 5976)
      • TabTip.exe (PID: 2816)
      • userinit.exe (PID: 2764)
      • cttunesvr.exe (PID: 3156)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3020)
      • wmpnscfg.exe (PID: 3012)
      • services.exe (PID: 2956)
      • InfDefaultInstall.exe (PID: 1544)
      • powershell.exe (PID: 2308)
      • msinfo32.exe (PID: 1812)
      • bcdedit.exe (PID: 2852)
      • dpapimig.exe (PID: 3752)
      • comp.exe (PID: 2076)
      • wmpconfig.exe (PID: 3500)
      • audit.exe (PID: 1652)
      • rrinstaller.exe (PID: 1220)
      • DismHost.exe (PID: 3808)
      • sdbinst.exe (PID: 4000)
      • Defrag.exe (PID: 4284)
      • RTLCPL.EXE (PID: 5976)
      • expand.exe (PID: 1880)
      • dw20.exe (PID: 3284)
      • regedt32.exe (PID: 1348)
      • wksprt.exe (PID: 3824)
      • ComSvcConfig.exe (PID: 5200)

    • Reads the time zone

      • runonce.exe (PID: 392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (86.7)
.exe | Win32 Executable MS Visual C++ (generic) (8.9)
.dll | Win32 Dynamic Link Library (generic) (1.8)
.exe | Win32 Executable (generic) (1.2)
.exe | Generic Win/DOS Executable (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:04 15:58:11+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 4096
InitializedDataSize: 6697472
UninitializedDataSize: -
EntryPoint: 0x16b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
428
Monitored processes
101
Malicious processes
16
Suspicious processes
3

Behavior graph

Click at the process to see the details
start bonzify.exe cmd.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs agentsvr.exe no specs grpconv.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs grpconv.exe no specs agentsvr.exe wmpnscfg.exe no specs wmpnscfg.exe no specs comp.exe imepadsv.exe no specs infdefaultinstall.exe no specs powershell.exe no specs %systemroot%\System32\UserAccountControlSettings.dll %systemroot%\System32\UserAccountControlSettings.dll msinfo32.exe no specs mcxtask.exe no specs bcdedit.exe no specs devicedisplayobjectprovider.exe no specs services.exe dpapimig.exe printfilterpipelinesvc.exe consent.exe no specs wmpconfig.exe no specs wmpenc.exe netfxrepair.exe no specs diantz.exe no specs fxssvc.exe no specs audit.exe no specs label.exe no specs journal.exe no specs rrinstaller.exe no specs searchprotocolhost.exe no specs dismhost.exe no specs setup.exe no specs nbtstat.exe no specs setup.exe sdbinst.exe no specs wlrmdr.exe no specs runonce.exe no specs configureieoptionalcomponents.exe no specs ehmsas.exe no specs ehvid.exe hdwwiz.exe no specs route.exe no specs wscript.exe no specs psr.exe no specs printui.exe no specs winresume.exe no specs wuauclt.exe cleanupintlcache.exe no specs conhost.exe no specs ftp.exe axinstui.exe no specs rtlcpl.exe no specs rdpclip.exe scrcons.exe no specs sigverif.exe no specs bfsvc.exe no specs winrs.exe no specs dpapimig.exe no specs defrag.exe no specs rdrmemptylst.exe no specs rwinsta.exe no specs tabtip.exe no specs cttunesvr.exe no specs wksprt.exe no specs wfs.exe no specs userinit.exe no specs explorer.exe setup.exe no specs winresume.exe no specs verifier.exe no specs systempropertiesprotection.exe no specs dw20.exe no specs regsvcs.exe no specs ieetwcollector.exe no specs expand.exe no specs aitstatic.exe no specs prevhost.exe no specs comsvcconfig.exe no specs poqexec.exe no specs cofire.exe no specs installutil.exe no specs regedt32.exe no specs cliconfg.exe no specs find.exe no specs bonzify.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120C:\Windows\system32\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}C:\Windows\System32\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
3221226356
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
392"C:\Windows\System32\runonce.exe"C:\Windows\System32\runonce.exelabel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
492"C:\Windows\System32\FXSSVC.exe"C:\Windows\System32\FXSSVC.exeprintfilterpipelinesvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Fax Service
Exit code:
1063
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\fxssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\version.dll
584takeown /r /d y /f C:\Windows\MsAgentC:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
712regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
956regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
968C:\Windows\system32\DeviceDisplayObjectProvider.exe -EmbeddingC:\Windows\System32\DeviceDisplayObjectProvider.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Device Display Object Function Discovery Provider
Exit code:
2147942405
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\devicedisplayobjectprovider.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1196C:\Windows\system32\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23}C:\Windows\System32\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1220"C:\Windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_9e6699276b03c38e\rrinstaller.exe"C:\Windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_9e6699276b03c38e\rrinstaller.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
R&R installer
Exit code:
3221226540
Version:
11.0.7600.16385
Modules
Images
c:\windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_9e6699276b03c38e\rrinstaller.exe
c:\windows\system32\ntdll.dll
1236INSTALLER.exe /qC:\Users\admin\AppData\Local\Temp\INSTALLER.exe
Bonzify.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
4.71.1015.0
Modules
Images
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
11 639
Read events
8 957
Write events
2 661
Delete events
21

Modification events

(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Control
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Programmable
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version
Operation:delete keyName:(default)
Value:
(PID) Process:(956) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\VersionIndependentProgID
Operation:delete keyName:(default)
Value:
Executable files
55
Suspicious files
20
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
2064Bonzify.exeC:\Users\admin\AppData\Local\Temp\KillAgent.battext
MD5:EA7DF060B402326B4305241F21F39736
SHA256:E4EDC2CB6317AB19EE1A6327993E9332AF35CFBEBAFF2AC7C3F71D43CFCBE793
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLLexecutable
MD5:0CBF0F4C9E54D12D34CD1A772BA799E1
SHA256:6B0B57E5B27D901F4F106B236C58D0B2551B384531A8F3DAD6C06ED4261424B1
2064Bonzify.exeC:\Windows\executables.binbinary
MD5:F3160BA7F8BB9D7A9C6080EF2C9869C5
SHA256:F6A3286714A661612EAC65E4A6CB78736C370492151B692A8F1E666740C0A00E
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLLexecutable
MD5:9FAFB9D0591F2BE4C2A846F63D82D301
SHA256:E78E74C24D468284639FAF9DCFDBA855F3E4F00B2F26DB6B2C491FA51DA8916D
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLLexecutable
MD5:7C5AEFB11E797129C9E90F279FBDF71B
SHA256:394A17150B8774E507B8F368C2C248C10FCE50FC43184B744E771F0E79ECAFED
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLPbinary
MD5:466D35E6A22924DD846A043BC7DD94B8
SHA256:E4CCF06706E68621BB69ADD3DD88FED82D30AD8778A55907D33F6D093AC16801
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLLexecutable
MD5:48C00A7493B28139CBF197CCC8D1F9ED
SHA256:905CB1A15ECCAA9B79926EE7CFE3629A6F1C6B24BDD6CEA9CCB9EBC9EAA92FF7
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLBexecutable
MD5:F1656B80EAAE5E5201DCBFBCD3523691
SHA256:3F8ADC1E332DD5C252BBCF92BF6079B38A74D360D94979169206DB34E6A24CD2
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXTtext
MD5:7070B77ED401307D2E9A0F8EAAAA543B
SHA256:225D227ABBD45BF54D01DFC9FA6E54208BF5AE452A32CC75B15D86456A669712
1236INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT20.INFbinary
MD5:E4A499B9E1FE33991DBCFB4E926C8821
SHA256:49E6B848F5A708D161F795157333D7E1C7103455A2F47F50895683EF6A1ABE4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
unknown
4896
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
Process
Message
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
ClaimOutput
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Bonzify.exe