File name: BoschPlayer.exe

Full analysis: https://app.any.run/tasks/9da9f320-72a0-4b41-a1fd-abf295007ed8
Verdict: Suspicious activity
Analysis date: August 16, 2019, 11:12:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 81AD68EF393662F0383B2226FAA75246
SHA1: 618601781CDAD03099D741E2C1C7B42602BDFA34
SHA256: FD771A4DCB4812D0CA66669AFD4701450966F0F380093574287D4ED63108022E
SSDEEP: 196608:HWLs+/ti6Rl21XZS/VTIUDovqyBvVHqsyKdzvOb:HWLp/1AHS/JDovHbthOb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • BoschPlayer.exe (PID: 3524)
    • Loads dropped or rewritten executable
      • BoschPlayer.exe (PID: 3524)
  • SUSPICIOUS
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 3676)
    • Starts CMD.EXE for command execution
      • BoschPlayer.exe (PID: 3524)
    • Executable content was dropped or overwritten
      • BoschPlayer.exe (PID: 3852)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:16 07:57:04+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 24576
InitializedDataSize: 7868416
UninitializedDataSize: -
EntryPoint: 0x675f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.33.21.0
ProductVersionNumber: 3.33.21.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: BoschPlayer
FileVersion: 3, 33, 21
LegalCopyright: Copyright(C) 2018
ProductName: BoschPlayer
ProductVersion: 3. 33. 21

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Oct-2018 05:57:04
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • d:\Project\Bosch\Trunk\release_device\Shell.pdb
FileDescription: BoschPlayer
FileVersion: 3, 33, 21
LegalCopyright: Copyright(C) 2018
ProductName: BoschPlayer
ProductVersion: 3. 33. 21

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 16-Oct-2018 05:57:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00005CFB | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52827
.rdata | 0x00007000 | 0x00000DCE | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.79316
.data | 0x00008000 | 0x00002400 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.26955
.rsrc | 0x0000B000 | 0x0077E7F4 | 0x0077F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99989

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.08566 | 340 | Latin 1 / Western European | English - United States | RT_MANIFEST
101 | 7.99998 | 7847257 | Latin 1 / Western European | Chinese - PRC | ZIP
102 | 1.91924 | 20 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON

Imports

KERNEL32.dll
MSVCR80.dll
SHELL32.dll
No data.
Total processes: 41
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Graph image not reproduced. Nodes shown: boschplayer.exe, which drops and starts boschplayer.exe; cmd.exe (no specs); cmd.exe (no specs); regini.exe (no specs); reg.exe (no specs).)

Process information

PID: 2072
CMD: reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dav /f
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2688
CMD: regini C:\SPTemp\reg.ini
Path: C:\Windows\system32\regini.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Initializer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\regini.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3500
CMD: "C:\Windows\System32\cmd.exe" /c regini C:\SPTemp\reg.ini
Path: C:\Windows\System32\cmd.exe
Parent process: BoschPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3524
CMD: "C:\SPTemp\BoschPlayer.exe" "C:\Users\admin\AppData\Local\Temp" ""
Path: C:\SPTemp\BoschPlayer.exe
Parent process: BoschPlayer.exe
User: admin
Integrity Level: MEDIUM
Description: Bosch Player
Exit code: 0
Version: 3, 33, 21
Modules (images):
c:\sptemp\boschplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\sptemp\qtcore4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3676
CMD: "C:\Windows\System32\cmd.exe" /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dav /f
Path: C:\Windows\System32\cmd.exe
Parent process: BoschPlayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3852
CMD: "C:\Users\admin\AppData\Local\Temp\BoschPlayer.exe"
Path: C:\Users\admin\AppData\Local\Temp\BoschPlayer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: BoschPlayer
Exit code: 0
Version: 3, 33, 21
Modules (images):
c:\users\admin\appdata\local\temp\boschplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Total events: 190
Read events: 102
Write events: 88
Delete events: 0

Modification events

Process (PID) | Key | Operation | Name | Value
BoschPlayer.exe (3852) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
BoschPlayer.exe (3852) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
BoschPlayer.exe (3524) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
BoschPlayer.exe (3524) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
BoschPlayer.exe (3524) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | write | Name | BoschPlayer.exe
BoschPlayer.exe (3524) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | write | ID | 1539661549
BoschPlayer.exe (3524) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dav | write | Progid | BoschPlayer.Files
BoschPlayer.exe (3524) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dav\UserChoice | write | Progid | BoschPlayer.Files
BoschPlayer.exe (3524) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 65
BoschPlayer.exe (3524) | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dav_ | write | Progid | BoschPlayer.Files

Executable files: 13
Suspicious files: 0
Text files: 137
Unknown types: 16

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3852 | BoschPlayer.exe | C:\SPTemp\BoschPlayer.7z | - | - | -
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_curtime.png | image | 35EF0D13579F74DEC3F5E8FB4C542E15 | D3E169925F95240708C8050718B9AB255A7B6F0736004A0AC2DB10D2BE34153B
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_monitor.png | image | C3697DB261DC131B86077950F5F829FF | 1CBD102D810A1322D8F381801DFC038606FF896563140CDAF22FBC13108F2D24
3852 | BoschPlayer.exe | C:\SPTemp\Skin\btn_addfilenor.png | image | CC6CA6B70302B4E6721D73BA30039216 | D6E35B3FABCB976408AF72E5EC8D7A397285A34D52010D2A16D2D947B3FB71A2
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_curtime_text.png | image | E6E2F9427B422327AE5B130A94A990B3 | 21B9D2FF90271B921206A86B24D241E038EB30CE2C9B5D2A9571336E124EB065
3852 | BoschPlayer.exe | C:\SPTemp\Skin\btn_addfiledis.png | image | 8D3B0A78D4F951BC7C70B0FB5D6A4755 | A9C157838C24B559AF0A7BA65999D776A4B7EA14A534B5701D79C8F0BC7AC892
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_timelinepopdlg.png | image | 0AA59BF68C60E50E091E1FA760F9612B | 97A6B369F2E9245CD9F8458DEE524BD4F73A06390CE68109BFDAD19AC7E443FF
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_toolbar.png | image | DF216A39B4754B7BB6011DC23DFD867E | E80C6D753082D61800C28A72F42FE3A2745F428D16E20384C938C06E22359E43
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_simpleplayer.png | image | 26DA3146E1299E38537E7B522169D91E | 0D4CCCE4FE88E2E717C174CA44AA11CE873327845C7ECE5954D68115ECD270C8
3852 | BoschPlayer.exe | C:\SPTemp\Skin\bg_tabbar.png | image | 2E6496517469B8863A7E25CCA2D7344C | 2C458842F92FC652665D450CBC6F57B2A4AEF3BC832FCF4EEEC62F310EFDB385

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected

Debug output

Process | Message
BoschPlayer.exe | QPainter::begin: Paint device returned engine == 0, type: 1
BoschPlayer.exe | QPainter::fontMetrics: Painter not active
BoschPlayer.exe | QPainter::begin: Paint device returned engine == 0, type: 1
BoschPlayer.exe | QPainter::fontMetrics: Painter not active
BoschPlayer.exe | QPainter::fontMetrics: Painter not active
BoschPlayer.exe | QPainter::fontMetrics: Painter not active
BoschPlayer.exe | QPainter::begin: Paint device returned engine == 0, type: 1
BoschPlayer.exe | QPainter::fontMetrics: Painter not active
BoschPlayer.exe | QPainter::begin: Paint device returned engine == 0, type: 1
BoschPlayer.exe | QPainter::fontMetrics: Painter not active