File name: e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe

Full analysis: https://app.any.run/tasks/df0b6b3b-528c-413d-a32e-86a81faaa1ac
Verdict: Malicious activity
Analysis date: August 26, 2025, 20:45:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 4CEB21B9A6093AB9F033C39294E376AE
SHA1: 305AE88C2F8F0028251F1557EF9456474F9720C1
SHA256: E96C334F57835EB579789875FDA70800A5947955D420BABBF482A39E7AFBB3DF
SSDEEP: 196608:PFxFm6LTvg/tRg4IWGnPqIo9yxA6vYoqLjObhmURg3qU:PFHHYtR/vgPlw6v4kmURUf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
    • Executable content was dropped or overwritten

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
    • There is functionality for taking screenshot (YARA)

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • Searches for installed software

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
  • INFO

    • The sample compiled with english language support

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • Create files in a temporary directory

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • Checks supported languages

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 1100)
      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • Failed to create an executable file in Windows directory

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
    • Reads the computer name

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • UPX packer has been detected

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe (PID: 5616)
    • Reads the machine GUID from the registry

      • e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  (PID: 436)
    • Checks proxy server information

      • slui.exe (PID: 5188)
    • Reads the software policy settings

      • slui.exe (PID: 5188)
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (47.7)
.exe | Win64 Executable (generic) (16)
.exe | UPX compressed Win32 Executable (15.7)
.exe | Win32 EXE Yoda's Crypter (15.4)
.exe | Win32 Executable (generic) (2.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 36864
InitializedDataSize: 8192
UninitializedDataSize: 90112
EntryPoint: 0x1f1a0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
Total processes: 135
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Interactive process graph not reproduced. Nodes shown: start, e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe tagged #JEEFO, two further instances of e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe , and slui.exe.)

Process information

PID: 436
CMD: "C:\Users\admin\AppData\Local\Temp\{5A929E10-C5AA-4087-9BE5-F7754BF37C81}\.cr\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe " -burn.clean.room="c:\users\admin\desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe " -burn.filehandle.attached=596 -burn.filehandle.self=604
Path: C:\Users\admin\AppData\Local\Temp\{5A929E10-C5AA-4087-9BE5-F7754BF37C81}\.cr\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
Parent process: e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
User: admin
Company: Engelmann Software
Integrity Level: MEDIUM
Description: Simply Good Pictures 5
Version: 5.0.7242.24775
Modules (images):
  c:\users\admin\appdata\local\temp\{5a929e10-c5aa-4087-9be5-f7754bf37c81}\.cr\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 1100
CMD: c:\users\admin\desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
Path: C:\Users\admin\Desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
Parent process: e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe
User: admin
Company: Engelmann Software
Integrity Level: MEDIUM
Description: Simply Good Pictures 5
Version: 5.0.7242.24775
Modules (images):
  c:\users\admin\desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 5188
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 5616
CMD: "C:\Users\admin\Desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe"
Path: C:\Users\admin\Desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
  c:\users\admin\desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll
Total events: 3 591
Read events: 3 589
Write events: 2
Delete events: 0

Modification events

PID 5616, e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

PID 436, e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Languages
Operation: write
Name: {14FFF7BE-3649-452B-AA82-508577F97F25}
Value: 1033
Executable files: 3
Suspicious files: 1
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\Logo.png | image
  MD5: DC9AA2F0AA432B799876F966855FC496
  SHA256: 3D838B049D85442167B056143EFF5BB798D43328C5FAC6CD208937EEC5F43D5E
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\thm.wxl | xml
  MD5: 5DCADCD2E10BDAE82C651A6C966ED3A2
  SHA256: CF4BAC461F70AD0B60F12F35EAD1FD9BBE184C497EDEE3ACBFF82A5D23B26E1C
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\UpdateSearch01.png | image
  MD5: 03A616090EB820D53D26286F7F44F675
  SHA256: ECEFF7AFA3D34E06AF8681B807CC1630ADFEB061DEE255298B63BA4F7EF41763
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\LogoSide.png | image
  MD5: CD17AD0CC34945EF4DEA29742CD89C84
  SHA256: DC915FBF7F10969759F7735C5337F705AE2D4BABF36D00917DBD2CCBAD2A1842
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\UpdateSearch02.png | image
  MD5: D4F84E6375D03EC926B5A79D42E848B1
  SHA256: 400AE9C91DBB6AADC360080B4E4A928C65FDC5027533DE5A294EB075B45B5ACB
5616 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe | C:\Users\admin\Desktop\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | executable
  MD5: 70B6CB1B8D28F0E0925DA38CAEBEAD2E
  SHA256: 96762056835703225DE0452A289896814E1F22AB85479CA83A0E9C7C02606FE7
1100 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{5A929E10-C5AA-4087-9BE5-F7754BF37C81}\.cr\e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | executable
  MD5: B38B30AAC5F68EBB297DF9990C3470AB
  SHA256: 128E4F7356E9D0B91343F0E22C0B2239FD23C8D94BF0BBB054DE7F42A98873EB
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\1033\thm.wxl | xml
  MD5: D5508D7176704F69ECA1E3D70B088AA4
  SHA256: 5F1F246B6A3D320DA8C59337B4DB541672E46DDB50F0D297F335B2A44DB24CED
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\1045\thm.wxl | xml
  MD5: 4E10A3802573F6836F7553F45CC76CA7
  SHA256: 0B621B6ACC6E4C80423A3146B99F4499C62ED66E24129C24627AA5E27321642D
436 | e96c334f57835eb579789875fda70800a5947955d420babbf482a39e7afbb3df.exe  | C:\Users\admin\AppData\Local\Temp\{F3BC3CC2-5D4C-438A-A857-DFEEAD708BCC}\.ba\wixextba.dll | executable
  MD5: 13FE36F0F07B31D2302EE553A38E8F43
  SHA256: 02DFAAEAB46F66300389ECC2BDC83B608AAB6FD945DE87AA2F1083D25D79D6BC
HTTP(S) requests: 37
TCP/UDP connections: 50
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | -
- | - | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 20.190.160.66:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.74.206 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.9 | whitelisted
www.microsoft.com | 69.192.161.161 | whitelisted
login.live.com | 20.190.160.20, 40.126.32.68, 20.190.160.22, 20.190.160.14, 40.126.32.74, 20.190.160.5, 20.190.160.132, 40.126.32.138 | whitelisted
slscr.update.microsoft.com | 20.165.94.63, 135.232.92.137 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
self.events.data.microsoft.com | 20.189.173.28 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted

Threats

No threats detected
No debug info