File name:

juice.exe

Full analysis: https://app.any.run/tasks/79555351-378f-460b-98d6-5e55753cbd2b
Verdict: Malicious activity
Analysis date: November 09, 2024, 01:42:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:

FB1569B5A3266444D676E5F82D6BAC85

SHA1:

F0D76B3806E58AE5363A78DCC62B5E27A90A7ECF

SHA256:

5B7228947B256F36BD98DDE1622799CDA8F7A7AA0F3196ABA08200FE8439DFEE

SSDEEP:

768:OIVlbMb8fL1YwirvVmcWXhi+I661D/wlzPDruLDTBP:OsiADEtLWxSHhP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • juice.exe (PID: 6596)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • juice.exe (PID: 6596)

    • Executable content was dropped or overwritten

      • juice.exe (PID: 6596)

    • Connects to unusual port

      • juice.exe (PID: 6596)

  • INFO

    • Create files in a temporary directory

      • juice.exe (PID: 6596)

    • Creates files or folders in the user directory

      • juice.exe (PID: 6596)

    • Reads the computer name

      • juice.exe (PID: 6596)

    • Checks supported languages

      • juice.exe (PID: 6596)

    • Checks proxy server information

      • juice.exe (PID: 6596)

    • Manual execution by a user

      • WINWORD.EXE (PID: 8012)

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 8012)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 8012)

    • Sends debugging messages

      • WINWORD.EXE (PID: 8012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:01:27 11:22:58+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 41472
InitializedDataSize: 512
UninitializedDataSize: -
EntryPoint: 0xac09
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start juice.exe winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6596"C:\Users\admin\Downloads\juice.exe" C:\Users\admin\Downloads\juice.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\downloads\juice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7656"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "2505F1CA-B5EE-4964-80C1-E8BE6EEE2EBF" "964821F1-9A75-4183-A7D7-570C4DBA55F8" "8012"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
8012"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\usercalls.rtf" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
8 871
Read events
8 556
Write events
285
Delete events
30

Modification events

(PID) Process:(6596) juice.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Gremlin
Value:
C:\Users\admin\AppData\Local\Temp\intrenat.exe
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\8012
Operation:writeName:0
Value:
0B0E1002DA5509CC0D474B8D722F40FACB74F8230046F9D5919990C9CCED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511CC3ED2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(8012) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
Executable files
2
Suspicious files
35
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
8012WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:5E7AF20F38EC1E972FF156CB0A016493
SHA256:43F652B1DD78DB64930100C2AE16BB231256DAA6CF01604676CB6513831BA0A9
6596juice.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\sync-src-1.00.tbzcompressed
MD5:32D24E642E87AFFC9EB692EF4BF97772
SHA256:6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
6596juice.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\sync-src-1.00.tbzcompressed
MD5:32D24E642E87AFFC9EB692EF4BF97772
SHA256:6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
8012WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6596juice.exeC:\Users\admin\sync-src-1.00.tbzcompressed
MD5:32D24E642E87AFFC9EB692EF4BF97772
SHA256:6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
6596juice.exeC:\Users\admin\AppData\Local\VirtualStore\sync-src-1.00.tbzcompressed
MD5:32D24E642E87AFFC9EB692EF4BF97772
SHA256:6CD0666EE68849E57E054C6A009366868494C4EC73723F607473375518591496
8012WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:2CDF9CC0BC25CAAC26F5D8FA6D6DD499
SHA256:D897DA409F0DF5BFB6D4AA79163C11758D2E3C2B7B909ADC444C90EC2846EBBA
8012WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BA14432E-85E1-47D0-92FE-F92C54262E78xml
MD5:6D443F314948A8DBACBC901F8D34B052
SHA256:9FF80DF1E43A8D4BE3A1533AA922037FDFC62F4CEF8875DBF3F6918B24A5DEA6
8012WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttfpi2
MD5:4296A064B917926682E7EED650D4A745
SHA256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
8012WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:A0D1280B3740F864B06EEC7B8B84C7D0
SHA256:FA2B80A45584295C700CA30619354BCEF385DBAC423866E234C51B4C8F8EF55F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8 025
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2076
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1768
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7736
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1768
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8012
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
8012
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4836
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6596
juice.exe
147.76.201.1:3127
AU
unknown
6596
juice.exe
43.24.173.1:3127
SG
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.4
whitelisted
th.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.182
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
juice.exe