File name: badfile.exe
Full analysis: https://app.any.run/tasks/3f798b9e-cb2b-46d3-83e2-0b0031b17f20
Verdict: Suspicious activity
Analysis date: July 09, 2018, 17:30:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 57022F341789FBEA44D53C1A1FB9DA93
SHA1: 8043C97711BB17B14A90837E5BC10EE131E1D051
SHA256: 0EBC5F39A12FDCFAB58691518E16AD5CC6B3AE27281A91B2ABEE0747D9E6CECA
SSDEEP: 49152:nGvvmnalQoEPQBmdLphVFErfAYqMKqYZO:nGvmxPUPq/qr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AppSync.exe (PID: 3772)
  • SUSPICIOUS

    • Changes IE settings (feature browser emulation)

      • AppSync.exe (PID: 3772)
    • Creates files in the user directory

      • AppSync.exe (PID: 3772)
    • Executable content was dropped or overwritten

      • AppSync.exe (PID: 3772)
      • badfile.exe (PID: 1388)
    • Reads internet explorer settings

      • AppSync.exe (PID: 3772)
  • INFO

    • Dropped object may contain URL's

      • badfile.exe (PID: 1388)
      • AppSync.exe (PID: 3772)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2027:09:18 21:49:23+02:00
PEType: PE32
LinkerVersion: 14.1
CodeSize: 25600
InitializedDataSize: 2036736
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.15063.0
ProductVersionNumber: 11.0.15063.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.15063.0 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.15063.0
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes: badfile.exe, appsync.exe, explorer.exe (no specs). Edge labels: "drop and start", "start". (Interactive graph not reproduced here; see the full analysis link above.)

Process information

PID: 1388
CMD: "C:\Users\admin\AppData\Local\Temp\badfile.exe"
Path: C:\Users\admin\AppData\Local\Temp\badfile.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.15063.0 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\badfile.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3772
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe
Parent process: badfile.exe
User: admin
Integrity Level: MEDIUM
Description: AppSync
Version: 13.0.1.0
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\appsync.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID: 2856
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

Total events: 219
Read events: 197
Write events: 22
Delete events: 0

Modification events (all by PID 3772, AppSync.exe; operation: write)

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  Name: AppSync.exe, Value: 8000
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION
  Name: AppSync.exe, Value: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
  Name: AppSync.exe, Value: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
  Name: AppSync.exe, Value: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
  Name: AppSync.exe, Value: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE
  Name: AppSync.exe, Value: 0
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppSync_RASAPI32
  Name: EnableFileTracing, Value: 0
  Name: EnableConsoleTracing, Value: 0
  Name: FileTracingMask, Value: 4294901760
  Name: ConsoleTracingMask, Value: 4294901760

Executable files: 7
Suspicious files: 0
Text files: 74
Unknown types: 0

Dropped files (all by PID 1388, badfile.exe)

C:\Users\admin\AppData\Local\Temp\IXP000.TMP\pref.txt (text)
  MD5: 70020B6A508BC807F8E0801914433531
  SHA256: 8BE004D020F5CC7C185129226D6D1E21AEC2F03B6231A6B877A70E2B1E59771C
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1517143390278_1512482433840_logo.png (image)
  MD5: 1B3B1B185013A718549AD7ECEF41AA46
  SHA256: FDA69691D16FF902C54DB60CAB6B765B1026170527162483DCB5BE38C918D79E
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\PdfPro100.ico (image)
  MD5: DDFAD33D3B32F121BBD103237057325D
  SHA256: 2FA4044BC6EA21C14B87D7E35B865A60046D329F9881BAF13DDD435AC0657063
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AppSync.exe (executable)
  MD5: 4691BE1B1915CC45E0D85F64ACFE5CEC
  SHA256: 3352E4994FE1BC86E8C538FDBD9B865B2DD702AB532AC453BBA5FC5DFEAD5805
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1517130957005_490x60.png (image)
  MD5: C983548175B1C8E5E374E18343358D9B
  SHA256: 64E1417B6762EC16151AD20E629C5A1368325F3470CF5AE1FEA86489977076FA
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\brand.js (text)
  MD5: 5BCBCEEC1639923A5E3CD5C88A71D27F
  SHA256: 9E4287D2708A006A05A5A71C855CDBE27DE8C8BDC46BAF0737C665060C18E5D8
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\config.txt (text)
  MD5: 2637BC1F7FC151F19534B8757FA7ACB7
  SHA256: C09B091B806E131BA76A27317C4127BC4B6BCB3983135902DE7BB75C7C2FE503
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\logo.png (image)
  MD5: EB4C64430E6D9D564CB61BBFC97F26F5
  SHA256: 4037A85BF6224A74A837A2E7ECCED0C71816F3EA49D116476A1F0EDE963DB40D
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\loader.gif (image)
  MD5: 72E5F3E5E94851D1091E6703D9A63550
  SHA256: 1BE86474E1B66764F38A8362DCB98CA55237D749515114EE6CDFDB6F0903F148
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\spinner.gif (image)
  MD5: 6F346E7F3244264676A2E3A286AD9509
  SHA256: BEEFC7696051C720E15736A3B62D8F66A1DD955ADB43A5653E94D9BB3BFE5AA3

HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 3772
Process: AppSync.exe
Method: POST
HTTP Code: 200
IP: 45.33.90.169:80
URL: http://inf.bonefreeze.com/api/report/install?
CN: US
Reputation: malicious

PID: 3772
Process: AppSync.exe
Method: GET
HTTP Code: 200
IP: 45.33.90.169:80
URL: http://lgc.bonefreeze.com/install/first_time?session_id=47784242-0293-4265-b2f7-e370a2a19abb&emid=178BFBFF000306C14d513030303020312020202020202020202020205254004AAD21&app_id=1495373619430762&offer_id=000000000&os_version=6.1.7601.65536&install_version=1173&r=60345581&disable_dynamic_update=0&agent_update=0&identity=Bonefreeze&sig=TERSER_TUDE_LTD_SIGNATURE
CN: US
Type: text
Size: 3.91 Kb
Reputation: malicious

Connections

PID: 3772
Process: AppSync.exe
IP: 45.33.90.169:80
Domain: lgc.bonefreeze.com
ASN: Linode, LLC
CN: US
Reputation: malicious

DNS requests

Domain: lgc.bonefreeze.com
IP: 45.33.90.169
Reputation: malicious

Domain: inf.bonefreeze.com
IP: 45.33.90.169
Reputation: malicious

Threats

No threats detected
No debug info