File name:	e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f
Full analysis:	https://app.any.run/tasks/d988612d-fe5e-4f67-852a-cd65eb9bc773
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 01:05:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	jeefo
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	1C15A4F17AEAD40B520FEE6136B966F4
SHA1:	7062FDF8B97BEBBF39E2E7F51489764B20EB837D
SHA256:	E8955D539951E3C16E1D1DBFF413566788EBAD092E4D66D862E7B2AE5B90708F
SSDEEP:	6144:i0/1Thw5w4qjPRrf2VrRZHMrbLcPN/wVVVVVVVVV0eDq0:5cPN/wVVVVVVVVV0eW0

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:04:01 07:08:22+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	106496
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0x290c
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
ProductName:	Project1
FileVersion:	1
ProductVersion:	1
InternalName:	TJprojMain
OriginalFileName:	TJprojMain.exe


(PID) Process:	(6508) icsys.icn.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:	write	Name:	LO
Value: 1
(PID) Process:	(6948) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6440) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:	write	Name:	LO
Value: 1
(PID) Process:	(6464) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6464) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6464) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6464) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6528) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	Explorer
Value: c:\windows\resources\themes\explorer.exe RO
(PID) Process:	(6528) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	Svchost
Value: c:\windows\resources\svchost.exe RO
(PID) Process:	(6528) explorer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Explorer
Value:

PID	Process	Filename		Type
6440	e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe		executable
		MD5:152D20DD611B27A92E28A9D341182CB4	SHA256:07ECEE434076A3590ABB4F5E030663539DB93CE5856432DA4AB54E2540FDD046
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF136d34.TMP		text
		MD5:C5C8E14929BCE261B2B5B899CB479AF7	SHA256:73DBFF8A366CFF6972A38C091782EF62C89E28FDA1423A47448A60343F921754
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF136d44.TMP		—
		MD5:—	SHA256:—
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF136d44.TMP		—
		MD5:—	SHA256:—
6440	e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe	C:\Users\admin\AppData\Local\Temp\~DFD6359B56E91947DA.TMP		binary
		MD5:4CFBD860067DA55B1D0D92EB2D22EA1A	SHA256:EE477A131D2E8E7D71E2B0C730E5C7963BC342663D18919C3E61B2E8D1BCCA91
6696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF136c2b.TMP		binary
		MD5:DFFC82B8D23613E62A20204028CEF32F	SHA256:114690F0417A9A6B079EA8D0534F095B04467809DCA929EB0983059E1C60FB6C
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF136d44.TMP		—
		MD5:—	SHA256:—
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6696	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\81805195-0d99-4fac-b42a-5b7508d0badc.tmp		binary
		MD5:6E44F5DFC2B13CB0BDF2BA008A93F316	SHA256:A0F54170AEA810F7DAB156B651C379F7ACD8D1F33B709EDAB857D6DC492B2C3E
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2548	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3032	RUXIMICS.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3032	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	unknown
2548	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	3.124.100.143:443	https://optimizerlinks.netlify.app/	unknown	html	92.7 Kb	malicious
—	—	GET	200	204.79.197.239:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	502 b	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	binary	584 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
2548	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3032	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.21.110.139:443	www.bing.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2548	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3032	RUXIMICS.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6948	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
www.bing.com	2.21.110.139 2.21.110.146	whitelisted
google.com	142.250.74.206	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.138	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
optimizerlinks.netlify.app	3.75.10.80 3.125.36.175	malicious
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted

General Info

e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f

1C15A4F17AEAD40B520FEE6136B966F4

7062FDF8B97BEBBF39E2E7F51489764B20EB837D

E8955D539951E3C16E1D1DBFF413566788EBAD092E4D66D862E7B2AE5B90708F

6144:i0/1Thw5w4qjPRrf2VrRZHMrbLcPN/wVVVVVVVVV0eDq0:5cPN/wVVVVVVVVV0eW0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

JEEFO has been detected

Changes the autorun value in the registry

SUSPICIOUS

Starts application with an unusual extension

Executable content was dropped or overwritten

Starts itself from another location

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Creates or modifies Windows services

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Reads the machine GUID from the registry

Manual execution by a user

Reads Environment values

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings