File name: badfile.exe
Full analysis: https://app.any.run/tasks/3f798b9e-cb2b-46d3-83e2-0b0031b17f20
Verdict: Suspicious activity
Analysis date: July 09, 2018, 17:30:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 57022F341789FBEA44D53C1A1FB9DA93
SHA1: 8043C97711BB17B14A90837E5BC10EE131E1D051
SHA256: 0EBC5F39A12FDCFAB58691518E16AD5CC6B3AE27281A91B2ABEE0747D9E6CECA
SSDEEP: 49152:nGvvmnalQoEPQBmdLphVFErfAYqMKqYZO:nGvmxPUPq/qr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AppSync.exe (PID: 3772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • badfile.exe (PID: 1388)
      • AppSync.exe (PID: 3772)
    • Creates files in the user directory

      • AppSync.exe (PID: 3772)
    • Changes IE settings (feature browser emulation)

      • AppSync.exe (PID: 3772)
    • Reads internet explorer settings

      • AppSync.exe (PID: 3772)
  • INFO

    • Dropped object may contain URL's

      • badfile.exe (PID: 1388)
      • AppSync.exe (PID: 3772)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 11.00.15063.0
ProductName: Internet Explorer
OriginalFileName: WEXTRACT.EXE .MUI
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: Wextract
FileVersion: 11.00.15063.0 (WinBuild.160101.0800)
FileDescription: Win32 Cabinet Self-Extractor
CompanyName: Microsoft Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 11.0.15063.0
FileVersionNumber: 11.0.15063.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: 10
OSVersion: 10
EntryPoint: 0x6a60
UninitializedDataSize: -
InitializedDataSize: 2036736
CodeSize: 25600
LinkerVersion: 14.1
PEType: PE32
TimeStamp: 2027:09:18 21:49:23+02:00
MachineType: Intel 386 or later, and compatibles
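The version resource above says the sample is Microsoft's WEXTRACT stub ("Win32 Cabinet Self-Extractor", Internet Explorer 11.00.15063.0), and its TimeStamp (2027) postdates the July 2018 analysis, so the resource is not something to trust for attribution. What matters operationally is that a WEXTRACT/IExpress package carries a Microsoft cabinet (MSCF) after the stub code and unpacks it into %TEMP%\IXP000.TMP, which is exactly where AppSync.exe appeared. The following added example (mine, not ANY.RUN's code and not derived from the real badfile.exe) carves such a cabinet out of a byte blob and lists or extracts its entries without running the stub. The sample blob is constructed in `build_sample_stub()`; the file names are borrowed from the dropped-files list, the contents are made up. Tools such as 7-Zip or cabextract can usually do the same directly on the EXE; the point here is the header layout.

```python
import struct

CAB_SIG = b"MSCF"
# Record layouts from the Microsoft Cabinet Format specification (version 1.3).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # sig, res1, cbCabinet, res2, coffFiles, res3,
                                             # verMinor, verMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE_FIXED = struct.Struct("<IIHHHH")      # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ szName)
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp (+ data)
FLAG_RESERVE_PRESENT = 0x0004

def find_cabinets(blob):
    """Offsets of every plausible MSCF header in blob. A self-extractor stores the
    cabinet as opaque data after its code, so a signature scan plus sanity checks on
    the header fields is enough to locate it."""
    found, pos = [], blob.find(CAB_SIG)
    while pos != -1:
        if pos + CFHEADER.size <= len(blob):
            (_, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
             c_folders, c_files, _flags, _, _) = CFHEADER.unpack_from(blob, pos)
            if (ver_major, ver_minor) == (1, 3) and c_folders >= 1 and c_files >= 1 \
               and CFHEADER.size <= coff_files < cb_cabinet <= len(blob) - pos:
                found.append(pos)
        pos = blob.find(CAB_SIG, pos + 1)
    return found

def list_cabinet(blob, base):
    """Parse the CFFOLDER and CFFILE records of the cabinet at `base`."""
    hdr = CFHEADER.unpack_from(blob, base)
    coff_files, c_folders, c_files, flags = hdr[4], hdr[8], hdr[9], hdr[10]
    if flags & FLAG_RESERVE_PRESENT:
        raise ValueError("cabinets with reserve fields are not handled in this example")
    folders = [CFFOLDER.unpack_from(blob, base + CFHEADER.size + i * CFFOLDER.size)
               for i in range(c_folders)]
    files, pos = [], base + coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _, _, _ = CFFILE_FIXED.unpack_from(blob, pos)
        pos += CFFILE_FIXED.size
        end = blob.index(b"\x00", pos)            # szName is NUL-terminated
        files.append({"name": blob[pos:end].decode("latin-1"), "size": cb_file,
                      "folder": i_folder, "offset_in_folder": uoff,
                      "compression": folders[i_folder][2]})
        pos = end + 1
    return files

def extract_stored(blob, base, files):
    """Extract files from folders with typeCompress 0 (stored). MSZIP/LZX folders are
    skipped; hand those to a real extractor."""
    c_folders = CFHEADER.unpack_from(blob, base)[8]
    folder_data = {}
    for i in range(c_folders):
        coff_start, c_cfdata, type_compress = CFFOLDER.unpack_from(
            blob, base + CFHEADER.size + i * CFFOLDER.size)
        if type_compress != 0:
            continue
        buf, pos = bytearray(), base + coff_start
        for _ in range(c_cfdata):                 # CFDATA blocks are concatenated per folder
            _, cb_data, _ = CFDATA.unpack_from(blob, pos)
            pos += CFDATA.size
            buf += blob[pos:pos + cb_data]
            pos += cb_data
        folder_data[i] = bytes(buf)
    out = {}
    for f in files:
        data = folder_data.get(f["folder"])
        if data is not None:
            out[f["name"]] = data[f["offset_in_folder"]:f["offset_in_folder"] + f["size"]]
    return out

def build_sample_stub():
    """Constructed sample: a fake stub prefix followed by a minimal valid, uncompressed
    cabinet holding two files named after ones the sandbox saw dropped. Not the real sample."""
    payload_a = b"MZ-not-a-real-exe"            # stands in for AppSync.exe
    payload_b = b"install=1\r\n"                 # stands in for config.txt
    data = payload_a + payload_b
    cfdata = CFDATA.pack(0, len(data), len(data)) + data
    files = (CFFILE_FIXED.pack(len(payload_a), 0, 0, 0x4CE9, 0x8C60, 0x20) + b"AppSync.exe\x00"
             + CFFILE_FIXED.pack(len(payload_b), len(payload_a), 0, 0x4CE9, 0x8C60, 0x20)
             + b"config.txt\x00")
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(files)
    cb_cabinet = coff_data + len(cfdata)
    header = CFHEADER.pack(CAB_SIG, 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, 2, 0, 0x1234, 0)
    folder = CFFOLDER.pack(coff_data, 1, 0)      # one folder, one CFDATA block, stored
    stub = b"MZ" + b"\x90" * 300 + b"This program cannot be run in DOS mode" + b"\x00" * 64
    return stub + header + folder + files + cfdata

if __name__ == "__main__":
    blob = build_sample_stub()
    for base in find_cabinets(blob):
        entries = list_cabinet(blob, base)
        print("cabinet at 0x%x:" % base, [(e["name"], e["size"], e["compression"]) for e in entries])
        print(extract_stored(blob, base, entries))
```

Run it on a real self-extractor by reading the EXE into `blob`; a hit from `find_cabinets` whose file list includes an .exe is the drop-and-run payload you would otherwise only see in the sandbox's IXP000.TMP listing.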
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

explorer.exe starts badfile.exe, which drops and starts AppSync.exe (see the process tree below).

Process information

PID: 1388
CMD: "C:\Users\admin\AppData\Local\Temp\badfile.exe"
Path: C:\Users\admin\AppData\Local\Temp\badfile.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.15063.0 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\badfile.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2856
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3772
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe
Parent process: badfile.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AppSync
Exit code:
0
Version:
13.0.1.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\appsync.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events: 219
Read events: 197
Write events: 22
Delete events: 0

Modification events

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write | Name: AppSync.exe | Value: 8000

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION
Operation: write | Name: AppSync.exe | Value: 1

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
Operation: write | Name: AppSync.exe | Value: 1

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation: write | Name: AppSync.exe | Value: 1

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
Operation: write | Name: AppSync.exe | Value: 1

PID 3772 (AppSync.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE
Operation: write | Name: AppSync.exe | Value: 0

PID 3772 (AppSync.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0

PID 3772 (AppSync.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32
Operation: write | Name: EnableConsoleTracing | Value: 0

PID 3772 (AppSync.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32
Operation: write | Name: FileTracingMask | Value: 4294901760

PID 3772 (AppSync.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32
Operation: write | Name: ConsoleTracingMask | Value: 4294901760
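The six FeatureControl writes are the fingerprint of a program that hosts the Internet Explorer WebBrowser control: each value is named after the EXE it applies to, and FEATURE_BROWSER_EMULATION=8000 pins that control to IE8 document mode, which fits a dropped install.html plus jQuery being rendered inside AppSync.exe. The Tracing\AppSync_RASAPI32 keys are created when rasapi32.dll initializes inside the process, in practice a sign that WinINet networking was set up, which the HTTP requests further down confirm. As an added example (my code, not part of the ANY.RUN report), here is detection logic that turns a table of registry-write events like the one above into findings, scoring a self-targeted browser-emulation write from an IXP000.TMP-style path higher than the same write from an installed program. The events are constructed from the rows above; the extra PID 4100 event is invented for contrast.

```python
import re

# Where WEXTRACT/IExpress stubs unpack their cabinet: %TEMP%\IXP000.TMP, IXP001.TMP, ...
IXP_TEMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)

# Per-application IE feature-control keys. The value name is the EXE the setting applies
# to, so a process writing its own name is configuring the WebBrowser control it hosts.
FEATURE_CONTROL = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\Main\\FeatureControl\\(?P<feature>FEATURE_[A-Z0-9_]+)$",
    re.IGNORECASE)

# rasapi32.dll creates Tracing\<exe>_RASAPI32 on load; treated here as a "network-capable"
# hint only, since benign WinINet users produce it too.
RAS_TRACING = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\(?P<app>.+)_RASAPI32$", re.IGNORECASE)

# Documented FEATURE_BROWSER_EMULATION values (Microsoft "Internet Feature Controls").
EMULATION_MODES = {
    "7000": "IE7", "8000": "IE8", "8888": "IE8 forced", "9000": "IE9", "9999": "IE9 forced",
    "10000": "IE10", "10001": "IE10 forced", "11000": "IE11", "11001": "IE11 forced",
}

def analyze_registry_writes(events):
    """Return findings for registry write events. Each event is a dict with pid, process,
    image (full path), key, name and value (string), mirroring the table columns above."""
    findings, seen_ras = [], set()
    for ev in events:
        m = FEATURE_CONTROL.match(ev["key"])
        if m:
            feature = m.group("feature").upper()
            self_targeted = ev["name"].lower() == ev["process"].lower()
            from_ixp = bool(IXP_TEMP.search(ev["image"]))
            if feature == "FEATURE_BROWSER_EMULATION":
                severity = ("high" if self_targeted and from_ixp
                            else "medium" if self_targeted else "low")
                findings.append({"rule": "browser_emulation_set", "severity": severity,
                                 "pid": ev["pid"], "process": ev["process"],
                                 "mode": EMULATION_MODES.get(ev["value"], "unknown (%s)" % ev["value"])})
            else:
                findings.append({"rule": "feature_control_set", "severity": "low",
                                 "pid": ev["pid"], "process": ev["process"], "feature": feature})
            continue
        m = RAS_TRACING.match(ev["key"])
        if m and (ev["pid"], m.group("app")) not in seen_ras:   # one finding per process
            seen_ras.add((ev["pid"], m.group("app")))
            findings.append({"rule": "rasapi32_loaded", "severity": "info",
                             "pid": ev["pid"], "process": ev["process"], "app": m.group("app")})
    return findings

def highest_severity(findings):
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((f["severity"] for f in findings), key=order.get, default="none")

# Constructed sample: the ten writes listed for PID 3772 above, plus one invented write
# from a program under Program Files so the scoring difference is visible.
_IMG = r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe"
_FC = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\%s"
_TR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32"
SAMPLE_EVENTS = [
    {"pid": 3772, "process": "AppSync.exe", "image": _IMG, "key": _FC % f, "name": "AppSync.exe", "value": v}
    for f, v in [("FEATURE_BROWSER_EMULATION", "8000"), ("FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION", "1"),
                 ("FEATURE_AJAX_CONNECTIONEVENTS", "1"), ("FEATURE_GPU_RENDERING", "1"),
                 ("FEATURE_WEBOC_DOCUMENT_ZOOM", "1"), ("FEATURE_NINPUT_LEGACYMODE", "0")]
] + [
    {"pid": 3772, "process": "AppSync.exe", "image": _IMG, "key": _TR, "name": n, "value": v}
    for n, v in [("EnableFileTracing", "0"), ("EnableConsoleTracing", "0"),
                 ("FileTracingMask", "4294901760"), ("ConsoleTracingMask", "4294901760")]
] + [
    {"pid": 4100, "process": "Installed.exe", "image": r"C:\Program Files\Vendor\Installed.exe",
     "key": _FC % "FEATURE_BROWSER_EMULATION", "name": "Installed.exe", "value": "11000"},
]

if __name__ == "__main__":
    results = analyze_registry_writes(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("overall:", highest_severity(results))
```

The same three rules translate directly into a Sysmon EventID 13 (RegistryEvent value set) query: match TargetObject on the FeatureControl path, compare the value name with the Image file name, and weight by whether Image sits under an IXP###.TMP directory.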
Executable files: 7
Suspicious files: 0
Text files: 74
Unknown types: 0

Dropped files

PID | Process | Filename | Type

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\config.txt | text
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe | executable
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\PdfPro100.ico | image
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\pref.txt | text
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\brand.js | text
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1517130957005_490x60.png | image
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1517143390278_1512482433840_logo.png | image
MD5:
SHA256:

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\install.html | html
MD5: 5DF42D9DD9FE8B3C98FE3FEABAD67CF7
SHA256: 741AAB644ED45961879774546C9B87C3A2E25283E489221469CB6D0DCD39D623

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\bg.jpg | image
MD5: 410E67276B4C3A0AD73BC3EECDCD0D6D
SHA256: 71C0C7CC191A2CBF3DDF033CA7BA97ADB46A04284F014C667574C1BF1FB0F1F3

PID 1388 (badfile.exe) | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\jquery-3.2.1.slim.min.js | text
MD5: 5F48FC77CAC90C4778FA24EC9C57F37D
SHA256: 9365920887B11B33A3DC4BA28A0F93951F200341263E3B9CEFD384798E4BE398
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation

PID 3772 (AppSync.exe) | POST | 200 | 45.33.90.169:80 | http://inf.bonefreeze.com/api/report/install? | CN: US | Reputation: malicious

PID 3772 (AppSync.exe) | GET | 200 | 45.33.90.169:80 | http://lgc.bonefreeze.com/install/first_time?session_id=47784242-0293-4265-b2f7-e370a2a19abb&emid=178BFBFF000306C14d513030303020312020202020202020202020205254004AAD21&app_id=1495373619430762&offer_id=000000000&os_version=6.1.7601.65536&install_version=1173&r=60345581&disable_dynamic_update=0&agent_update=0&identity=Bonefreeze&sig=TERSER_TUDE_LTD_SIGNATURE | CN: US | Type: text | Size: 3.91 Kb | Reputation: malicious
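The GET to lgc.bonefreeze.com is an install-tracking beacon: session_id, app_id, offer_id, install_version and a host fingerprint (emid) go out in the clear over port 80, and the POST to inf.bonefreeze.com on the same IP reports the install. The emid is plain hex: its first two 32-bit words (178BFBFF, 000306C1) look like CPUID feature flags and a CPU signature, and the lowercase middle section decodes to the ASCII string "MQ0000 1            RT"; reading those as a CPU-plus-disk identifier is my interpretation, not something the report states. As an added example (my code, not ANY.RUN's), the following parses beacons of this shape, counts the tracking parameters, ties both hosts back to one apex domain, and pulls the emid apart into bytes so that the encoded pieces are visible. The request list is copied from the table above; the TRACKING_PARAMS set is my own choice.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameters typical of install-tracking / pay-per-install beacons. Chosen by me from
# the captured request; extend it for other families.
TRACKING_PARAMS = {"session_id", "emid", "app_id", "offer_id", "os_version", "install_version",
                   "identity", "sig", "agent_update", "disable_dynamic_update"}

def apex_domain(host):
    """Naive registrable domain (last two labels). No public-suffix list, so co.uk-style
    hosts would be wrong; sufficient for correlating the two hosts in this report."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_beacon(url):
    """Break a captured URL into host, path and parameters and score it as a beacon."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    hits = sorted(k for k in params if k in TRACKING_PARAMS)
    install_path = "install" in parts.path.lower()
    return {
        "host": host,
        "apex": apex_domain(host),
        "path": parts.path,
        "params": params,
        "tracking_hits": len(hits),
        "install_path": install_path,
        # Several tracking parameters, or an install-ish path with at least one, is enough.
        "looks_like_install_beacon": len(hits) >= 3 or (install_path and len(hits) >= 1),
    }

def decode_emid(emid):
    """Hex-decode the emid and expose its leading 32-bit words and an ASCII view.
    The code only decodes; what the words mean is left to the analyst."""
    raw = bytes.fromhex(emid)
    words = [raw[i:i + 4].hex().upper() for i in range(0, min(8, len(raw)), 4)]
    ascii_view = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return {"length": len(raw), "words": words, "ascii": ascii_view}

def shared_apex(hosts):
    """Set of apex domains behind a list of hosts; one element means one operator."""
    return {apex_domain(h) for h in hosts}

# Constructed sample: the two requests PID 3772 made, copied from the table above.
SAMPLE_REQUESTS = [
    ("POST", "http://inf.bonefreeze.com/api/report/install?"),
    ("GET", "http://lgc.bonefreeze.com/install/first_time?session_id=47784242-0293-4265-b2f7-e370a2a19abb"
            "&emid=178BFBFF000306C14d513030303020312020202020202020202020205254004AAD21"
            "&app_id=1495373619430762&offer_id=000000000&os_version=6.1.7601.65536&install_version=1173"
            "&r=60345581&disable_dynamic_update=0&agent_update=0&identity=Bonefreeze&sig=TERSER_TUDE_LTD_SIGNATURE"),
]

if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        b = parse_beacon(url)
        print(method, b["host"], b["path"], "tracking params:", b["tracking_hits"],
              "beacon:", b["looks_like_install_beacon"])
        if "emid" in b["params"]:
            print("  emid:", decode_emid(b["params"]["emid"]))
    print("apex domains contacted:", shared_apex(parse_beacon(u)["host"] for _, u in SAMPLE_REQUESTS))
```

For blocking, the useful unit is the apex domain plus the shared IP rather than either hostname alone; for hunting, the stable parameter names (app_id, offer_id, install_version, identity) make a better proxy-log signature than the per-install session_id.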

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

PID 3772 (AppSync.exe) | 45.33.90.169:80 | lgc.bonefreeze.com | ASN: Linode, LLC | CN: US | Reputation: malicious

DNS requests

Domain | IP | Reputation

lgc.bonefreeze.com | 45.33.90.169 | malicious
inf.bonefreeze.com | 45.33.90.169 | malicious

Threats

No threats detected
No debug info