File name:

KanishkCheats-PRIMIUM.exe

Full analysis: https://app.any.run/tasks/1f5fd300-1ac7-491a-b39a-b40b06040fe1
Verdict: Malicious activity
Analysis date: June 21, 2025, 16:23:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

3FF5E52C3E8ACB7D9B84C565C1724AEA

SHA1:

B60C3BC13FAB1A6BE5C7983F47C67B1A2DD46CF2

SHA256:

6D59B440C96C1F7C8006D58068F64FBDD0A270671918D5C972D2A48F934F3343

SSDEEP:

49152:5cpdCgPF8AjyCAJ40XED+CDmcxN54CCDbXuY1zi8Aa3nnxaShxMMMMMMMMMMMMMq:5cNAJdXE/DmS53C2sxMMMMMMMMMMMMMq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • svchost.exe (PID: 5424)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 3668)
      • svchost.exe (PID: 5424)
    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 5424)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • spoolsv.exe (PID: 5496)
    • Starts application with an unusual extension

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
    • Starts itself from another location

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • spoolsv.exe (PID: 5496)
      • svchost.exe (PID: 5424)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 6356)
      • spoolsv.exe (PID: 5496)
    • Creates or modifies Windows services

      • svchost.exe (PID: 5424)
    • The process executes via Task Scheduler

      • updater.exe (PID: 2120)
    • Application launched itself

      • updater.exe (PID: 2120)
  • INFO

    • The sample compiled with english language support

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • spoolsv.exe (PID: 5496)
    • Create files in a temporary directory

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • spoolsv.exe (PID: 5496)
      • svchost.exe (PID: 5424)
      • spoolsv.exe (PID: 4644)
      • explorer.exe (PID: 4864)
    • Checks supported languages

      • KanishkCheats-PRIMIUM.exe (PID: 7048)
      • icsys.icn.exe (PID: 6356)
      • explorer.exe (PID: 3668)
      • spoolsv.exe (PID: 5496)
      • explorer.exe (PID: 4864)
      • svchost.exe (PID: 5424)
      • spoolsv.exe (PID: 4644)
      • updater.exe (PID: 6492)
      • updater.exe (PID: 2120)
    • Reads the computer name

      • svchost.exe (PID: 5424)
      • updater.exe (PID: 2120)
    • Launching a file from a Registry key

      • explorer.exe (PID: 3668)
      • svchost.exe (PID: 5424)
    • Manual execution by a user

      • explorer.exe (PID: 4864)
      • svchost.exe (PID: 1800)
    • Checks proxy server information

      • slui.exe (PID: 1496)
    • Reads the software policy settings

      • slui.exe (PID: 1496)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
Total processes
147
Monitored processes
13
Malicious processes
5
Suspicious processes
0

Behavior graph

Process chain as listed in the graph, in order of appearance (#JEEFO marks a process the sandbox attributed to the family; "no specs" is the report's own label for a process without signatures of its own):
  start
  #JEEFO kanishkcheats-primium.exe
  kanishkcheats-primium.exe (no specs)
  #JEEFO icsys.icn.exe
  #JEEFO explorer.exe
  spoolsv.exe
  #JEEFO svchost.exe
  spoolsv.exe (no specs)
  explorer.exe (no specs)
  svchost.exe (no specs)
  slui.exe
  updater.exe (no specs)
  updater.exe (no specs)
  kanishkcheats-primium.exe (no specs)

Process information

Each entry below gives the PID, command line, image path and parent process as the report lists them, followed by the user, integrity level, exit code, version and the first loaded modules.
PID: 868
CMD: "c:\users\admin\desktop\kanishkcheats-primium.exe " (the file name ends with a space; this is the copy that PID 7048 wrote to the Desktop, see Dropped files)
Path: C:\Users\admin\Desktop\kanishkcheats-primium.exe 
Parent process: KanishkCheats-PRIMIUM.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Modules
Images
c:\users\admin\desktop\kanishkcheats-primium.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 1496
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1800
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2120
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3668
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4644
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4864
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
PID: 5424
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5496
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6356
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: KanishkCheats-PRIMIUM.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
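The process table above carries several hunt-worthy signals that a rule can key on without any family-specific signature: system binary names (explorer.exe, svchost.exe, spoolsv.exe) running from C:\Windows\Resources, those same images loading msvbvm60.dll (the VB6 runtime, which no genuine copy of those binaries loads), a Desktop copy whose file name ends in a space, launch arguments that are a bare two-letter token (RO, PR, SE), and non-zero exit codes that decode to NTSTATUS values. The script below is an added example written for this page, not ANY.RUN's code; PROCS is transcribed by hand from the table with the module lists trimmed to the entries that matter, and the two NTSTATUS names are the documented values for the codes the report shows in decimal.

```python
"""Triage of the process table above (added example, not ANY.RUN code).
PROCS is transcribed from the report: image path, command line, parent,
integrity level, exit code (decimal, as the report prints it) and a
trimmed list of loaded modules."""
import re

PROCS = [
    {"pid": 868,  "path": r"C:\Users\admin\Desktop\kanishkcheats-primium.exe ",
     "cmd": r"c:\users\admin\desktop\kanishkcheats-primium.exe ", "parent": "KanishkCheats-PRIMIUM.exe",
     "integrity": "HIGH",   "exit": 3221225781, "modules": ["ntdll.dll", "kernel32.dll", "apphelp.dll"]},
    {"pid": 1496, "path": r"C:\Windows\System32\slui.exe",
     "cmd": r"C:\WINDOWS\System32\slui.exe -Embedding", "parent": "svchost.exe",
     "integrity": "MEDIUM", "exit": 0, "modules": ["ntdll.dll", "bcrypt.dll"]},
    {"pid": 1800, "path": r"C:\Windows\Resources\svchost.exe",
     "cmd": r"c:\windows\resources\svchost.exe RO", "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit": 3221226540, "modules": ["ntdll.dll"]},
    {"pid": 2120, "path": r"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe",
     "cmd": r'"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system',
     "parent": "svchost.exe", "integrity": "SYSTEM", "exit": 0, "modules": ["ntdll.dll", "advapi32.dll"]},
    {"pid": 3668, "path": r"C:\Windows\Resources\Themes\explorer.exe",
     "cmd": r"c:\windows\resources\themes\explorer.exe", "parent": "icsys.icn.exe",
     "integrity": "HIGH",   "exit": None, "modules": ["ntdll.dll", "msvbvm60.dll"]},
    {"pid": 4644, "path": r"C:\Windows\Resources\spoolsv.exe",
     "cmd": r"c:\windows\resources\spoolsv.exe PR", "parent": "svchost.exe",
     "integrity": "HIGH",   "exit": 0, "modules": ["ntdll.dll", "msvbvm60.dll"]},
    {"pid": 4864, "path": r"C:\Windows\Resources\Themes\explorer.exe",
     "cmd": r"c:\windows\resources\themes\explorer.exe RO", "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit": 3221226540, "modules": ["ntdll.dll", "msvbvm60.dll"]},
    {"pid": 5424, "path": r"C:\Windows\Resources\svchost.exe",
     "cmd": r"c:\windows\resources\svchost.exe", "parent": "spoolsv.exe",
     "integrity": "HIGH",   "exit": None, "modules": ["ntdll.dll", "msvbvm60.dll"]},
    {"pid": 5496, "path": r"C:\Windows\Resources\spoolsv.exe",
     "cmd": r"c:\windows\resources\spoolsv.exe SE", "parent": "explorer.exe",
     "integrity": "HIGH",   "exit": 0, "modules": ["ntdll.dll", "msvbvm60.dll"]},
    {"pid": 6356, "path": r"C:\Windows\Resources\Themes\icsys.icn.exe",
     "cmd": r"C:\Windows\Resources\Themes\icsys.icn.exe", "parent": "KanishkCheats-PRIMIUM.exe",
     "integrity": "HIGH",   "exit": 0, "modules": ["ntdll.dll", "msvbvm60.dll"]},
]

# Windows binary names that the dropped copies borrow.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}

# NTSTATUS names for the non-zero exit codes in the table.
NTSTATUS = {0xC0000135: "STATUS_DLL_NOT_FOUND", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def decode_exit(code):
    """Hex form of a process exit code plus its NTSTATUS name when known."""
    if code is None:
        return "still running at end of analysis"
    if code == 0:
        return "0 (success)"
    return f"0x{code:08X} ({NTSTATUS.get(code, 'unrecognised NTSTATUS')})"


def file_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def launch_argument(cmd):
    """The bare two-letter argument (RO, PR, SE) the copies are started with, or None."""
    head, sep, tail = cmd.strip().rpartition(" ")
    if sep and head.lower().endswith(".exe") and re.fullmatch(r"[A-Z]{2}", tail):
        return tail
    return None


def triage(procs):
    """pid -> list of findings for rows that deserve a second look; clean rows are omitted."""
    findings = {}
    for p in procs:
        name = file_name(p["path"])
        flags = []
        if name != name.rstrip():
            flags.append("image name ends with whitespace (the report's 'unusual extension')")
        if "\\windows\\resources\\" in p["path"].lower():
            flags.append("runs from C:\\Windows\\Resources, a themes directory that holds no executables")
        if name.strip().lower() in SYSTEM_NAMES and any(m.lower() == "msvbvm60.dll" for m in p["modules"]):
            flags.append(f"{name} loads msvbvm60.dll (VB6 runtime), which the real {name} never does")
        arg = launch_argument(p["cmd"])
        if arg:
            flags.append(f"started with the bare two-letter argument {arg}")
        if p["exit"] not in (0, None):
            flags.append("exit " + decode_exit(p["exit"]))
        if flags:
            findings[p["pid"]] = flags
    return findings


if __name__ == "__main__":
    for pid, flags in sorted(triage(PROCS).items()):
        print(pid, "; ".join(flags))
```

Run as-is it flags every sample-related PID and leaves slui.exe (1496) and the Google updater (2120) alone, which matches the report's own MALICIOUS/INFO split. The module check is the one to carry into production telemetry: a Sysmon event 7 (image loaded) for msvbvm60.dll in a process named svchost.exe, spoolsv.exe or explorer.exe has no benign explanation.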
Total events
4 087
Read events
4 067
Write events
16
Delete events
4

Modification events

PID 7048 (KanishkCheats-PRIMIUM.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write
  Name: LO
  Value: 1
PID 5424 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write
  Name: Explorer
  Value: c:\windows\resources\themes\explorer.exe RO
PID 5424 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write
  Name: Svchost
  Value: c:\windows\resources\svchost.exe RO
PID 5424 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value
  Name: Explorer
PID 5424 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value
  Name: Svchost
PID 5424 (svchost.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Operation: write
  Name: ShowSuperHidden
  Value: 0
PID 6356 (icsys.icn.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write
  Name: LO
  Value: 1
PID 3668 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write
  Name: Explorer
  Value: c:\windows\resources\themes\explorer.exe RO
PID 3668 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write
  Name: Svchost
  Value: c:\windows\resources\svchost.exe RO
PID 3668 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value
  Name: Explorer
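The registry activity above is the persistence and concealment part of the run: two of the dropped copies (PIDs 5424 and 3668) each write RunOnce values named Explorer and Svchost that point back into C:\Windows\Resources with the RO argument, delete the same names from the Run key, and set ShowSuperHidden to 0 so Explorer hides protected operating-system files. The rule logic below is an added example written for this page, not ANY.RUN's code; EVENTS is transcribed from the table in a simplified tuple shape, and in a real deployment the same function would consume Sysmon event 12/13/14 or equivalent EDR registry telemetry.

```python
"""Rule logic for the registry events above (added example, not ANY.RUN code).
EVENTS is transcribed from the 'Modification events' table as
(pid, process, key, operation, value name, value data) tuples."""
import re
from collections import defaultdict

RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
VB_SETTINGS = r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process"
ADVANCED = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

EVENTS = [
    (7048, "KanishkCheats-PRIMIUM.exe", VB_SETTINGS, "write", "LO", "1"),
    (5424, "svchost.exe", RUNONCE, "write", "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    (5424, "svchost.exe", RUNONCE, "write", "Svchost", r"c:\windows\resources\svchost.exe RO"),
    (5424, "svchost.exe", RUN, "delete value", "Explorer", ""),
    (5424, "svchost.exe", RUN, "delete value", "Svchost", ""),
    (5424, "svchost.exe", ADVANCED, "write", "ShowSuperHidden", "0"),
    (6356, "icsys.icn.exe", VB_SETTINGS, "write", "LO", "1"),
    (3668, "explorer.exe", RUNONCE, "write", "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    (3668, "explorer.exe", RUNONCE, "write", "Svchost", r"c:\windows\resources\svchost.exe RO"),
    (3668, "explorer.exe", RUN, "delete value", "Explorer", ""),
]

# Directories (drive letter stripped, lower-case) where these names legitimately live.
EXPECTED_DIRS = {
    "explorer.exe": {r"\windows"},
    "svchost.exe": {r"\windows\system32", r"\windows\syswow64"},
    "spoolsv.exe": {r"\windows\system32"},
}
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)


def image_from_value(value):
    """Executable path out of an autorun value, quoted or bare, with trailing arguments dropped."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def masquerades(image):
    """True when the file name is a Windows system binary but the directory is not its home."""
    p = re.sub(r"^[a-z]:", "", image.lower().replace("/", "\\"))
    directory, _, name = p.rpartition("\\")
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def triage(events):
    findings = []
    deleted_from_run = defaultdict(set)
    written_to_runonce = defaultdict(set)
    for pid, proc, key, op, name, value in events:
        hit = AUTORUN_KEY.search(key)
        if hit and op == "write":
            image = image_from_value(value)
            if masquerades(image):
                findings.append(f"pid {pid} {proc}: {hit.group(1)}\\{name} -> {image} (system name outside its directory)")
            if hit.group(1).lower() == "runonce":
                written_to_runonce[pid].add(name)
        elif hit and op == "delete value" and hit.group(1).lower() == "run":
            deleted_from_run[pid].add(name)
        elif key.lower().endswith(r"\explorer\advanced") and name == "ShowSuperHidden" and value == "0":
            findings.append(f"pid {pid} {proc}: ShowSuperHidden=0 hides protected OS files in Explorer")
    # Windows removes a RunOnce value after it runs, so a sample that keeps
    # re-creating it (two processes do so here) and deletes the Run value of
    # the same name gives a stable pairing to alert on.
    for pid, names in deleted_from_run.items():
        moved = names & written_to_runonce[pid]
        if moved:
            findings.append(f"pid {pid}: autorun moved from Run to RunOnce for {sorted(moved)}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The two VB settings writes (LO=1 under "VB and VBA Program Settings") produce no finding on their own; they are ordinary SaveSetting calls from a VB6 program and only become interesting alongside the msvbvm60.dll loads in the process table.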
Executable files
5
Suspicious files
5
Text files
1
Unknown types
0

Dropped files

PID 7048 (KanishkCheats-PRIMIUM.exe)
  File: C:\Windows\Resources\Themes\icsys.icn.exe
  Type: executable
  MD5: AC49B5063A8EC42B4F10CE55048CB760
  SHA256: 5DBF54BA0E499378D61ECA8DB43C9318851A65CA8B8C30290C69EC4BB8A0775A
PID 7048 (KanishkCheats-PRIMIUM.exe)
  File: C:\Users\admin\Desktop\kanishkcheats-primium.exe  (file name ends with a space; this is the copy launched as PID 868)
  Type: executable
  MD5: D5160BB68231A4407039F4EC7F513221
  SHA256: E31E58739436EE1D469390D6135AC2E46FD6F57FDB8E3B7CFA9F99A60E84C309
PID 4644 (spoolsv.exe)
  File: C:\Users\admin\AppData\Local\Temp\~DFF8E76285DC1D942E.TMP
  Type: binary
  MD5: CF7C1D65B6B6FB2D9CE245F507ACE053
  SHA256: 89A6936DC8CDE495DBAA7F1BF88DD4DD8C58155B1795B213E61D662E61DB2C97
PID 5496 (spoolsv.exe)
  File: C:\Users\admin\AppData\Local\Temp\~DF53180B89BA57CE78.TMP
  Type: binary
  MD5: 3D70C73ADE293957800AF870031FC9BE
  SHA256: 6CA47765B24AFCA3B2B7A9C62AD85339BE22652E117B19CA709C320730AC0B8B
PID 7048 (KanishkCheats-PRIMIUM.exe)
  File: C:\Users\admin\AppData\Local\Temp\~DFCA9D1DCDF94C06B3.TMP
  Type: binary
  MD5: ABD0F694077377673806DDBF4A426C68
  SHA256: C09430EF512F83D03671206DB0D16C9723B82E707475B94A37E8E51943E71506
PID 4864 (explorer.exe)
  File: C:\Users\admin\AppData\Local\Temp\~DFEAA4B3D9A505EF25.TMP
  Type: binary
  MD5: 1E6AF6327736E3508F1C50506326C220
  SHA256: A941B5DA057560690B11153765184E0F92983148611048F3FDADA662054E0EFD
PID 6356 (icsys.icn.exe)
  File: C:\Windows\Resources\Themes\explorer.exe
  Type: executable
  MD5: 8BE720F498870AE42F4BA94DEA08DECF
  SHA256: D8F6E17C9C1CDC2FE2FB57A9DB0307EF6DC5D82FA4620F9A021A4CEEB02BB2FE
PID 6356 (icsys.icn.exe)
  File: C:\Users\admin\AppData\Local\Temp\~DF33C9A6777226C6B3.TMP
  Type: binary (same MD5/SHA256 as the ~DFCA9D1DCDF94C06B3.TMP written by PID 7048)
  MD5: ABD0F694077377673806DDBF4A426C68
  SHA256: C09430EF512F83D03671206DB0D16C9723B82E707475B94A37E8E51943E71506
PID 5496 (spoolsv.exe)
  File: C:\Windows\Resources\svchost.exe
  Type: executable
  MD5: 6787CFDE95777BC1C60A0496ADC9E47B
  SHA256: DDA40263DED81237B24672BC70F513048CC429BFC9CF29C99FC0CFD2F9ACDACA
PID 6492 (updater.exe)
  File: C:\Program Files (x86)\Google\GoogleUpdater\updater.log
  Type: text
  MD5: EC5B6F2B1AF98741C5A5BA1D010B3BDF
  SHA256: 871BFB28D64A9549F0304F20FA7778EDF2FAB4A40945E375C32B1EB0E786374C
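The dropped-file table gives two kinds of indicator a responder can sweep a host for: exact SHA-256 values for the executables written to disk, and the drop locations themselves (C:\Windows\Resources and C:\Windows\Resources\Themes, which on a clean system hold theme resources, not executables). The sweep below is an added example written for this page, not ANY.RUN's code: it hashes every file under a directory and reports hash matches against the report's values and files sitting at the reported drop paths. Because the real dropped files are not available here, demo() builds a constructed tree in a temporary directory (one path hit, one hash hit on constructed content, one clean decoy under System32) so the logic can be exercised offline; on a real host you would point sweep() at C:\Windows and at each user profile, since the trailing-space copy was written to the Desktop.

```python
"""Offline IOC sweep for the dropped files above (added example, not ANY.RUN code)."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the 'Dropped files' table (lower-case hex).
IOC_HASHES = {
    "5dbf54ba0e499378d61eca8db43c9318851a65ca8b8c30290c69ec4bb8a0775a": "Themes\\icsys.icn.exe",
    "d8f6e17c9c1cdc2fe2fb57a9db0307ef6dc5d82fa4620f9a021a4ceeb02bb2fe": "Themes\\explorer.exe",
    "dda40263ded81237b24672bc70f513048cc429bfc9cf29c99fc0cfd2f9acdaca": "Resources\\svchost.exe",
    "e31e58739436ee1d469390d6135ac2e46fd6f57fdb8e3b7cfa9f99a60e84c309": "Desktop copy with trailing space",
}
# Drop and execution locations from the report, relative to the Windows directory.
IOC_DROP_PATHS = {
    "resources\\themes\\icsys.icn.exe",
    "resources\\themes\\explorer.exe",
    "resources\\svchost.exe",
    "resources\\spoolsv.exe",  # not in the dropped-files table, but executed from here (PIDs 5496, 4644)
}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(windows_dir, ioc_hashes=IOC_HASHES, drop_paths=IOC_DROP_PATHS):
    """Return [{'path': <relative, backslashes, lower-case>, 'sha256': ..., 'reasons': [...]}, ...]."""
    findings = []
    for root, _dirs, files in os.walk(windows_dir):
        for fn in files:
            full = os.path.join(root, fn)
            rel = os.path.relpath(full, windows_dir).replace(os.sep, "\\").lower()
            reasons = []
            if rel in drop_paths:
                reasons.append("sits at a drop location from the report")
            digest = sha256_of(full)
            if digest in ioc_hashes:
                reasons.append(f"SHA-256 matches reported file '{ioc_hashes[digest]}'")
            if reasons:
                findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: one path hit, one hash hit, one clean decoy in System32."""
    sample = b"constructed sample content, not the real dropped file\n"
    iocs = dict(IOC_HASHES)
    iocs[hashlib.sha256(sample).hexdigest()] = "constructed sample"
    with tempfile.TemporaryDirectory() as win:
        for rel, content in (
            ("Resources/svchost.exe", b"not really svchost\n"),
            ("Resources/Themes/dropped.bin", sample),
            ("System32/svchost.exe", b"decoy standing in for the real service host\n"),
        ):
            full = os.path.join(win, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return sweep(win, ioc_hashes=iocs)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
```

Hash matching is the precise check but only catches these exact builds; the path check is the durable one, because the report shows the same locations reused by every copy regardless of content.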
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
40
DNS requests
18
Threats
0

HTTP requests

All requests below come from Windows and Office background processes (CRL fetches, activation, Windows Update, login.live.com); none of the PIDs shown belong to the sample's own processes, and the report records no threats on the wire.

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3108 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3108 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown
3620 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3108 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
3108 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
  • 184.24.77.42
  • 184.24.77.30
  • 184.24.77.10
  • 184.24.77.34
  • 184.24.77.37
  • 184.24.77.41
  • 184.24.77.35
  • 184.24.77.33
  • 184.24.77.9
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.14
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info