File name:

6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N

Full analysis: https://app.any.run/tasks/7a364f14-d98f-4299-92f2-ef91d25c4b5b
Verdict: Malicious activity
Analysis date: October 03, 2024, 01:21:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
floxif
installer
upx
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
MD5:

404250C802183C1D87EEE4FB1EA99A20

SHA1:

1C6F628F57B10CC26BA42AB6CF248A4098E28A3A

SHA256:

6B163E3D71CACD4AB904745D3C1FB61DCBA4F61CA2E737BF14C266370758B583

SSDEEP:

12288:5cPN9oY5+aK9EfA9kh3Sci1zRTxe+P8v0g5nT9W:5cPN9D5+agEI9kh3Sci1e+Uv0g5c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • FLOXIF has been detected (SURICATA)

      • icsys.icn.exe (PID: 1436)
      • ielowutil.exe (PID: 2088)

    • Connects to the CnC server

      • ielowutil.exe (PID: 2088)
      • icsys.icn.exe (PID: 1436)

  • SUSPICIOUS

    • Starts itself from another location

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe (PID: 3824)
      • icsys.icn.exe (PID: 1436)
      • explorer.exe (PID: 2244)
      • spoolsv.exe (PID: 2060)
      • svchost.exe (PID: 2224)

    • Executable content was dropped or overwritten

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe (PID: 3824)
      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • explorer.exe (PID: 2244)
      • spoolsv.exe (PID: 2060)
      • icsys.icn.exe (PID: 1436)
      • ielowutil.exe (PID: 2088)

    • Starts application with an unusual extension

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe (PID: 3824)

    • Process drops legitimate windows executable

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • ielowutil.exe (PID: 2088)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 1436)
      • spoolsv.exe (PID: 2060)

    • Reads Microsoft Outlook installation path

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • Reads Internet Explorer settings

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • Reads security settings of Internet Explorer

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • There is functionality for taking screenshot (YARA)

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • Contacting a server suspected of hosting an CnC

      • icsys.icn.exe (PID: 1436)
      • ielowutil.exe (PID: 2088)

  • INFO

    • Create files in a temporary directory

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe (PID: 3824)
      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • icsys.icn.exe (PID: 1436)
      • explorer.exe (PID: 2244)
      • spoolsv.exe (PID: 2060)
      • svchost.exe (PID: 2224)

    • Creates files in the program directory

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • Checks supported languages

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe (PID: 3824)
      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • icsys.icn.exe (PID: 1436)
      • explorer.exe (PID: 2244)
      • spoolsv.exe (PID: 2060)
      • svchost.exe (PID: 2224)

    • Reads the computer name

      • icsys.icn.exe (PID: 1436)
      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • explorer.exe (PID: 2244)
      • spoolsv.exe (PID: 2060)
      • svchost.exe (PID: 2224)

    • Checks proxy server information

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)

    • Application launched itself

      • msedge.exe (PID: 3712)
      • msedge.exe (PID: 5104)

    • UPX packer has been detected

      • 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  (PID: 6524)
      • explorer.exe (PID: 2244)
      • svchost.exe (PID: 2224)

    • Manual execution by a user

      • msedge.exe (PID: 5104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
178
Monitored processes
51
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe THREAT 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe  #FLOXIF icsys.icn.exe THREAT explorer.exe spoolsv.exe THREAT svchost.exe no specs spoolsv.exe no specs #FLOXIF ielowutil.exe iexplore.exe iexplore.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs credentialuibroker.exe no specs msedge.exe no specs 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5656 --field-trial-handle=2388,i,1067243185378745643,17407551706478343527,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6256 --field-trial-handle=2388,i,1067243185378745643,17407551706478343527,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1436C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1504"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a4,0x7fffd37e5fd8,0x7fffd37e5fe4,0x7fffd37e5ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2060c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2088"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -EmbeddingC:\Program Files (x86)\Internet Explorer\ielowutil.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Low-Mic Utility Tool
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2224c:\windows\resources\svchost.exeC:\Windows\Resources\svchost.exe
spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2244c:\windows\resources\themes\explorer.exeC:\Windows\Resources\Themes\explorer.exe
icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2400"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2520 --field-trial-handle=2388,i,1067243185378745643,17407551706478343527,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3372"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
19 957
Read events
19 817
Write events
130
Delete events
10

Modification events

(PID) Process:(3824) 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(6524) 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6524) 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6524) 6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1436) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(2244) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(2244) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(2244) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(2244) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(2224) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
Executable files
14
Suspicious files
224
Text files
170
Unknown types
2

Dropped files

PID
Process
Filename
Type
4888spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DFBDD943C8E676DC32.TMPbinary
MD5:54129C4A3CC37EDC8C39590CAA6600FA
SHA256:3361300F6BBC6827802F78C0D18F4055298A68D6D466F435DC37E578DDD0411B
38246b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:D5D758C4F3F443A2C960AF5169E3730B
SHA256:57A7203209CCB9FE41BF4EA3C7C112D2C62A64466E2E421C0D1D1AC2AF03A1CB
65246b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe C:\Program Files\Common Files\System\symsrv.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
1436icsys.icn.exeC:\Users\admin\Desktop\6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe.tmpexecutable
MD5:EA4DB099006FC69EA570822A84FC30D0
SHA256:99A9A5626F3095B25A9BB97C3F896D2A98EC5C34B8C774D733A08AFEE6D48BB0
65246b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe C:\Users\admin\AppData\Local\Temp\A1D26E2\689A18A4197C.tmpexecutable
MD5:67DD97FE9C6B83DCDA6EBAB959C6B54E
SHA256:D20C1B9604DC1D896FF7D417320C33CCEB7C1597C04CBC76941E3714C1D8B200
38246b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exeC:\Users\admin\Desktop\6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583n.exe executable
MD5:3ADBA60B5A53A6B82B736F76A1A74885
SHA256:384A1DE17E4201B2E6BE7685C8B79FAED9B1632E6175C8C0128F469A6906BC15
2244explorer.exeC:\Windows\Resources\spoolsv.exeexecutable
MD5:0D8B6C9987FDEAA36445F202BD27BAAE
SHA256:472D3F0FB29FADF6D8F1E4F50086B5ED8125354DFFF6F215F3F4B2EF7B37CC5E
1436icsys.icn.exeC:\Users\admin\Desktop\6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exeexecutable
MD5:EA4DB099006FC69EA570822A84FC30D0
SHA256:99A9A5626F3095B25A9BB97C3F896D2A98EC5C34B8C774D733A08AFEE6D48BB0
2060spoolsv.exeC:\Windows\Resources\svchost.exeexecutable
MD5:DF53889DFEAD44F7BDB07BE9293B8CF4
SHA256:49C1EDF10C3FCF1C9F6BBC1139D3260A86C000FB41DDCD8E301F0D80D1A4728A
1436icsys.icn.exeC:\Users\admin\Desktop\6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N.exe.datexecutable
MD5:404250C802183C1D87EEE4FB1EA99A20
SHA256:6B163E3D71CACD4AB904745D3C1FB61DCBA4F61CA2E737BF14C266370758B583
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
424
TCP/UDP connections
139
DNS requests
90
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1436
icsys.icn.exe
GET
403
173.255.194.134:80
http://www.aieov.com/logo.gif
unknown
malicious
6536
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2088
ielowutil.exe
GET
403
173.255.194.134:80
http://www.aieov.com/logo.gif
unknown
malicious
GET
302
23.35.229.160:443
https://go.microsoft.com/fwlink/?LinkId=251136
unknown
GET
200
140.82.121.3:443
https://github.com/forth32/balong-usbdload
unknown
html
402 Kb
shared
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/primer-primitives-4cf0d59ab51a.css
unknown
text
8.32 Kb
whitelisted
GET
200
140.82.121.3:443
https://github.com/favicon.ico
unknown
image
6.37 Kb
shared
6536
svchost.exe
GET
200
92.123.104.34:443
https://www.bing.com/favicon.ico
unknown
image
4.19 Kb
whitelisted
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/dark-9c5b7a476542.css
unknown
text
48.9 Kb
whitelisted
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/repository-0f7cf89e325a.css
unknown
text
29.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6536
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1436
icsys.icn.exe
173.255.194.134:80
www.aieov.com
Linode, LLC
US
malicious
6536
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6536
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2088
ielowutil.exe
173.255.194.134:80
www.aieov.com
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 173.255.194.134
  • 72.14.185.43
  • 45.33.20.235
  • 45.33.23.183
  • 45.33.2.79
  • 198.58.118.167
  • 45.33.30.197
  • 45.79.19.196
  • 96.126.123.244
  • 45.33.18.44
  • 72.14.178.174
  • 45.56.79.23
malicious
www.microsoft.com
  • 23.35.229.160
whitelisted
github.com
  • 140.82.121.3
shared
github.githubassets.com
  • 185.199.110.154
  • 185.199.109.154
  • 185.199.108.154
  • 185.199.111.154
whitelisted
user-images.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
whitelisted
avatars.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
whitelisted
github-cloud.s3.amazonaws.com
  • 16.182.104.81
  • 3.5.29.57
  • 52.217.167.233
  • 52.216.30.156
  • 3.5.10.198
  • 16.182.65.249
  • 16.182.42.17
  • 3.5.25.70
  • 16.182.97.33
  • 3.5.30.151
  • 52.217.197.201
  • 52.217.199.49
  • 52.216.95.131
  • 3.5.27.25
  • 16.182.69.33
  • 16.182.109.97
  • 3.5.28.202
  • 52.216.107.172
  • 3.5.24.236
  • 54.231.129.209
  • 52.217.172.185
  • 3.5.27.83
  • 3.5.28.185
  • 16.182.68.193
shared

Threats

PID
Process
Class
Message
Misc activity
INSTALLER [ANY.RUN] VCSoapClient Installer HTTP POST Request (UA)
Misc activity
INSTALLER [ANY.RUN] VCSoapClient Installer HTTP POST Request (UA)
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6b163e3d71cacd4ab904745d3c1fb61dcba4f61ca2e737bf14c266370758b583N