File name: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21

Full analysis: https://app.any.run/tasks/cce4c02e-80aa-402b-81d3-66af0d5a9c50
Verdict: Malicious activity
Analysis date: December 14, 2024, 01:18:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 127B46969213D3C9AFC3BC5ED33472E6
SHA1: 136625C2C973F6C444F47C9EB253C30FEFBFBDBB
SHA256: 0C17AF38BD93CD86D3FD50A2BB4957BE178F50C72AE960FBB70769B7FE585D21
SSDEEP: 6144:c0/1Thw5w4qjPRrf2VrRZHMrbLcPNx0O1LWo1L7rP0OKLWooL7rM0O2LWowL7rw2:HcPNd1CUrbKChrC2C9rDrMShebIUA31

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • icsys.icn.exe (PID: 2800)
      • explorer.exe (PID: 3172)
      • svchost.exe (PID: 6056)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 3172)
      • svchost.exe (PID: 6056)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
    • Executable content was dropped or overwritten

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • icsys.icn.exe (PID: 2800)
      • spoolsv.exe (PID: 2600)
      • explorer.exe (PID: 3172)
    • Executes application which crashes

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (PID: 4052)
    • Starts itself from another location

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • icsys.icn.exe (PID: 2800)
      • explorer.exe (PID: 3172)
      • spoolsv.exe (PID: 2600)
      • svchost.exe (PID: 6056)
    • The process creates files with names similar to system file names

      • icsys.icn.exe (PID: 2800)
      • spoolsv.exe (PID: 2600)
    • Creates or modifies Windows services

      • svchost.exe (PID: 6056)
  • INFO

    • Creates files in a temporary directory

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • icsys.icn.exe (PID: 2800)
      • explorer.exe (PID: 3172)
      • spoolsv.exe (PID: 2600)
      • svchost.exe (PID: 6056)
      • spoolsv.exe (PID: 4724)
    • The sample was compiled with English language support

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • icsys.icn.exe (PID: 2800)
      • explorer.exe (PID: 3172)
      • spoolsv.exe (PID: 2600)
    • Checks supported languages

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (PID: 4052)
      • icsys.icn.exe (PID: 2800)
      • explorer.exe (PID: 3172)
      • spoolsv.exe (PID: 2600)
      • svchost.exe (PID: 6056)
      • spoolsv.exe (PID: 4724)
    • Reads the computer name

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (PID: 4052)
      • svchost.exe (PID: 6056)
      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
    • Reads the machine GUID from the registry

      • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (PID: 4052)
    • Checks proxy server information

      • WerFault.exe (PID: 4128)
    • Reads the software policy settings

      • WerFault.exe (PID: 4128)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4128)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
Total processes: 128
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph, in launch order (#JEEFO marks processes flagged by the JEEFO signature; "no specs" means no specific indicators were recorded for that process):
  • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (#JEEFO)
  • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (the dropped copy whose name ends in a trailing space)
  • werfault.exe
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (no specs)

Process information

PID: 2600
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (loaded images):
  c:\windows\resources\spoolsv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 2800
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (loaded images):
  c:\windows\resources\themes\icsys.icn.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 3172
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (loaded images):
  c:\windows\resources\themes\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 4052
CMD: c:\users\admin\desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe 
Path: C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe 
Parent process: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
User: admin
Integrity Level: HIGH
Description: AppXor
Exit code: 3762504530
Version: 1.0.0.0
Modules (loaded images):
  c:\users\admin\desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe 
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 4128
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4052 -s 1068
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe 
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (loaded images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 4716
CMD: "C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe"
Path: C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (loaded images):
  c:\users\admin\desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 4724
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (loaded images):
  c:\windows\resources\spoolsv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 5920
CMD: "C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe"
Path: C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (loaded images):
  c:\users\admin\desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6056
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (loaded images):
  c:\windows\resources\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll
Total events: 6 484
Read events: 6 461
Write events: 18
Delete events: 5

Modification events

Process: (4716) 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (4128) WerFault.exe
Key: \REGISTRY\A\{9bfd2639-3f4c-2dfe-2c44-60fe9c26ab59}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

Process: (4128) WerFault.exe
Key: \REGISTRY\A\{9bfd2639-3f4c-2dfe-2c44-60fe9c26ab59}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)

Process: (4128) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: ClockTimeSeconds
Value: 0BDD5C6700000000

Process: (4128) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: TickCount
Value: 0A74130000000000

Process: (2800) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (3172) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

Process: (3172) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

Process: (3172) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer

Process: (3172) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Executable files: 5
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID: 4128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KOBL2NSUSCX5AB2O_71e719fca4936f4b31da676338b69689b79837_b7f29f34_0e8ffb5d-c383-4f43-952f-c1e101c4b31c\Report.wer
Type: -
MD5: -
SHA256: -

PID: 4128
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe .4052.dmp
Type: -
MD5: -
SHA256: -

PID: 4128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER71D9.tmp.WERInternalMetadata.xml
Type: xml
MD5: 62EC8328EC4C492A6E22E57E02AC8941
SHA256: 48F0B149C6BD1268BC003A1454C65AA0B53A94ECD9C664A5C79CE92A508ABEA5

PID: 3172
Process: explorer.exe
Filename: C:\Windows\Resources\spoolsv.exe
Type: executable
MD5: 2E188FA882DB887B8ECBBDC08C3EF0A4
SHA256: CF4465EF2A9940357ABDD0C3164D79EAEB2790B1C8CF67BDB55893A316E405D4

PID: 4128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BFC.tmp.dmp
Type: binary
MD5: 721680C537A8B90AD8387AEC7B986FD3
SHA256: 0A4BE5C6E6EE6C2B7BD17164AFCCD0C718BB6D953B06C52A15A1A86BEE02C034

PID: 2600
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFF0FEABB34C624073.TMP
Type: binary
MD5: 6D344D7E253F6823C09833690D64E225
SHA256: 5DECC7D366B411A27950AECA8644CB5AF05B2CDF6E19BB1465B02F6772C7BB41

PID: 4716
Process: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5: 68C011A023D6E97F6E9B82773D5BD631
SHA256: 5BD3404426DCB37E1FFE6CBE5034AAAC95AD6ED768E46135BDBA11834EDB2992

PID: 4716
Process: 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe
Filename: C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe  (the name ends in a trailing space)
Type: executable
MD5: 6B1D1C1FF7A931675C7E64637ABF6E67
SHA256: ECBB9EF8BB466475E43E9FD8D865C47B1A4E5C888A3812F9481B5EC11C51159A

PID: 4128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7209.tmp.xml
Type: xml
MD5: 9FC03BE39389ABE3EEFA52E92FFB040E
SHA256: C524423EA30EE7A6EEE4CE2F9EBDB8339FF16E0DF6162D8E4F3FE18A0CAC9079

PID: 2800
Process: icsys.icn.exe
Filename: C:\Windows\Resources\Themes\explorer.exe
Type: executable
MD5: 61013569B24A1DC1932903F7EA78E13E
SHA256: 97C6536BC6E9296B5EF894C88BAF2AF83C2D712D811A81D57EB3A753A718B037
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5736 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5736 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5736 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5736 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4128 | WerFault.exe | 20.189.173.21:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
watson.events.data.microsoft.com | 20.189.173.21 | whitelisted
self.events.data.microsoft.com | 52.168.117.168 | whitelisted

Threats

No threats detected
No debug info