File name: Fatality.exe

Full analysis: https://app.any.run/tasks/73878cee-2882-45d2-9585-2cc58b2819d2
Verdict: Malicious activity
Analysis date: March 30, 2025, 04:58:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 314375A212BA4F9038C454820D9C5CAD
SHA1: 2CE6451C052F88A9C0BDDAD5F23BC3253CB972BD
SHA256: 003ACE97463C139FB1D6C53909C5DAC9FFD958A698330A817BC268E6131182C5
SSDEEP: 98304:5cbQolU286JeYe2omm9m21JUeUdWS4e5ZpZkATpAIGUh2TZgdj2sF0/CJv48YM6q:zC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • icsys.icn.exe (PID: 4408)
      • Fatality.exe (PID: 6644)
      • svchost.exe (PID: 2392)
      • explorer.exe (PID: 1760)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 1760)
      • svchost.exe (PID: 2392)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Fatality.exe (PID: 6644)
      • icsys.icn.exe (PID: 4408)
      • spoolsv.exe (PID: 6404)
      • explorer.exe (PID: 1760)
    • Starts itself from another location

      • Fatality.exe (PID: 6644)
      • icsys.icn.exe (PID: 4408)
      • spoolsv.exe (PID: 6404)
      • explorer.exe (PID: 1760)
      • svchost.exe (PID: 2392)
    • Starts application with an unusual extension

      • Fatality.exe (PID: 6644)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 4408)
      • spoolsv.exe (PID: 6404)
    • Creates or modifies Windows services

      • svchost.exe (PID: 2392)
  • INFO

    • The sample is compiled with English language support

      • Fatality.exe (PID: 6644)
    • Checks supported languages

      • fatality.exe  (PID: 6540)
      • icsys.icn.exe (PID: 4408)
      • Fatality.exe (PID: 6644)
      • explorer.exe (PID: 1760)
      • svchost.exe (PID: 2392)
      • spoolsv.exe (PID: 780)
      • spoolsv.exe (PID: 6404)
    • Create files in a temporary directory

      • Fatality.exe (PID: 6644)
      • icsys.icn.exe (PID: 4408)
      • svchost.exe (PID: 2392)
      • spoolsv.exe (PID: 780)
      • explorer.exe (PID: 1760)
      • spoolsv.exe (PID: 6404)
    • Reads the computer name

      • svchost.exe (PID: 2392)
    • Checks proxy server information

      • slui.exe (PID: 6576)
    • Reads the software policy settings

      • slui.exe (PID: 6576)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

  • start
  • fatality.exe (#JEEFO)
  • fatality.exe  (no specs)
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • slui.exe
  • fatality.exe (no specs)

Process information

PID: 780
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  • c:\windows\resources\spoolsv.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 1760
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
  • c:\windows\resources\themes\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 2392
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
  • c:\windows\resources\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 4408
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: Fatality.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  • c:\windows\resources\themes\icsys.icn.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 6404
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  • c:\windows\resources\spoolsv.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 6540
CMD: "c:\users\admin\desktop\fatality.exe "
Path: "C:\Users\admin\Desktop\fatality.exe "
Parent process: Fatality.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
  • "c:\users\admin\desktop\fatality.exe "
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6576
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6644
CMD: "C:\Users\admin\Desktop\Fatality.exe"
Path: C:\Users\admin\Desktop\Fatality.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  • c:\users\admin\desktop\fatality.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 6768
CMD: "C:\Users\admin\Desktop\Fatality.exe"
Path: C:\Users\admin\Desktop\Fatality.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  • c:\users\admin\desktop\fatality.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

Total events: 3 880
Read events: 3 861
Write events: 15
Delete events: 4

Modification events

(PID) Process: (4408) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (6644) Fatality.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (1760) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (1760) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (1760) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: (none)

(PID) Process: (1760) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: (none)

(PID) Process: (2392) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (2392) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (2392) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: (none)

(PID) Process: (2392) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: (none)

Executable files: 5
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6404 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DFA7A34AC0B1053520.TMP | binary
  MD5: 1BA64FBCAA4AF7A77C42EF38CBCD8C22
  SHA256: 11204D35D909FD13299D1F5E20242BCD799AB9FFAA6E8C11D5B4E16FD3D66D79
6644 | Fatality.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
  MD5: 17E0D90EBFBEBF56AC506EE1A002847C
  SHA256: C157AC4823F88889B733FBED21504064636633BCC8DAB597B46C69C3751DB4F6
6644 | Fatality.exe | C:\Users\admin\AppData\Local\Temp\~DF2501A30D0AE137C3.TMP | binary
  MD5: 4FF0C4F27BA3129BB8BDAB6940474553
  SHA256: 368E31CD7BA49F766F4D9EE2B39A485A9AE6CE4EE43AE5E969667185A46006B7
4408 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable
  MD5: 90C09CA0B20CF89936C130559E204AFE
  SHA256: 2BEE82B9E16F3D6A367D3F8D36F95F88D1CB8CB9D581B273960CA3235E011514
4408 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DFA72A4479A11D9917.TMP | binary
  MD5: 4ACF8568829D7305DBD490FEA7D5BF01
  SHA256: C892ED005E63DC27BED915CFA9EBE8E7852D9F414F601B913340F0C033FAFE81
1760 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable
  MD5: 4AEB0774B7D6573E19E89658DB243B3A
  SHA256: D760D4771D79CF5E40263500337330345F849B830D4A6466FC5291A9B74FDFB3
6404 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable
  MD5: 16DA335178D9045B5C81B1B6FFD0FE54
  SHA256: C06FC3EB984A1D205885177E96A8E88567B78C92DDDB116A7AEF6F279DD7E333
780 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF97048529806AB1A8.TMP | binary
  MD5: 54D1F56273A0DF8077FB415F82FCCBB6
  SHA256: 0738C865BB2C420F93623091C919C16E96E5CE3B7F5BB00C0F2366C89D9AFB87
6644 | Fatality.exe | "C:\Users\admin\Desktop\fatality.exe " | executable
  MD5: C3D006E36238CCDE7635FC1DFF753E18
  SHA256: 36ADDAB1B80302055ACC352FD2DA83DE76F98432D02749CCF15D80961D9B4F27
HTTP(S) requests: 31
TCP/UDP connections: 47
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2148 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2148 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
2148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
2148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | -
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2148 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2148 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2148 | SIHClient.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.28
whitelisted
client.wns.windows.com
  • 172.172.255.216
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.131
  • 20.190.159.68
  • 20.190.159.23
  • 40.126.31.129
  • 20.190.159.2
  • 40.126.31.0
  • 20.190.159.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

No threats detected
No debug info