File name: UnityCrashHandler64.exe

Full analysis: https://app.any.run/tasks/d146b166-e828-47f8-948e-89b1f63f474c
Verdict: Malicious activity
Analysis date: October 19, 2023, 03:52:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
MD5: 5B24BCA41DB0F83036B160AC21FAEA83
SHA1: DCCE194911197F5256FA671E817C63C3D717818D
SHA256: EC3834209486E893CB3F3BABEC2669B61CBEAB5183305A3A7E7829193EB963CC
SSDEEP: 49152:Hc6IXgStZe5IEv4dowiIoU2Pey7OlmO09y8qdtjD1DAXPL4gL4H:Hc6IXgwZe5y2Peoe8qdTao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • UnityCrashHandler64.exe (PID: 3344)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • spoolsv.exe (PID: 1812)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 1120)
    • Uses Task Scheduler to run other applications

      • svchost.exe (PID: 1120)
    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 1120)
    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 1120)
      • UnityCrashHandler64.exe (PID: 3344)
      • spoolsv.exe (PID: 1812)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • UnityCrashHandler64.exe (PID: 1796)
      • spoolsv.exe (PID: 3760)
  • SUSPICIOUS

    • Starts itself from another location

      • UnityCrashHandler64.exe (PID: 3344)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • svchost.exe (PID: 1120)
      • spoolsv.exe (PID: 1812)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 888)
      • spoolsv.exe (PID: 1812)
    • Creates executable files that already exist in Windows

      • icsys.icn.exe (PID: 888)
      • spoolsv.exe (PID: 1812)
  • INFO

    • Checks supported languages

      • UnityCrashHandler64.exe (PID: 3344)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • spoolsv.exe (PID: 1812)
      • svchost.exe (PID: 1120)
      • spoolsv.exe (PID: 3760)
    • Reads the machine GUID from the registry

      • UnityCrashHandler64.exe (PID: 3344)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • svchost.exe (PID: 1120)
      • spoolsv.exe (PID: 3760)
      • spoolsv.exe (PID: 1812)
    • Create files in a temporary directory

      • UnityCrashHandler64.exe (PID: 3344)
      • icsys.icn.exe (PID: 888)
      • explorer.exe (PID: 3676)
      • spoolsv.exe (PID: 1812)
      • svchost.exe (PID: 1120)
      • spoolsv.exe (PID: 3760)
    • Reads the computer name

      • svchost.exe (PID: 1120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 09:08:22+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Behavior graph (interactive graph not reproduced). Processes shown, in the order they appear: unitycrashhandler64.exe (drop and start), icsys.icn.exe (no specs), explorer.exe (no specs), spoolsv.exe (no specs), svchost.exe, spoolsv.exe (no specs), schtasks.exe (no specs), unitycrashhandler64.exe (no specs).

Process information

PID: 888
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: UnityCrashHandler64.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1120
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\resources\svchost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1796
CMD: "C:\Users\admin\AppData\Local\Temp\UnityCrashHandler64.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnityCrashHandler64.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\temp\unitycrashhandler64.exe
c:\windows\system32\ntdll.dll

PID: 1812
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Temp\UnityCrashHandler64.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnityCrashHandler64.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\unitycrashhandler64.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

PID: 3604
CMD: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:54 /f
Path: C:\Windows\System32\schtasks.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll

PID: 3676
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll

PID: 3760
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\spoolsv.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 185
Read events: 180
Write events: 5
Delete events: 0

Modification events

(PID) Process: (888) icsys.icn.exe
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (1120) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (1120) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (1120) svchost.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: ShowSuperHidden
Value: 0
Executable files: 5
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3344 | UnityCrashHandler64.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
MD5: D5D1745F8C12EB9A93C47DF7DCA69723
SHA256: EEA9579AB9B8CAAE32B1BDBA6D7AA9FAA10E20A041BD5517199674A35C5DAE02

3344 | UnityCrashHandler64.exe | C:\users\admin\appdata\local\temp\unitycrashhandler64.exe | executable
MD5: 4B8AE5717F903335BA4330793E9B0487
SHA256: 7C9098A5FFF304A29AEEADA4608D3C96E43A74F55BCE7C841A07D771287CB5BC

888 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF06B6EDD9FF2D8023.TMP | binary
MD5: E15F0041F22452300A8D8C7C13119EF9
SHA256: E611EF555EB643DAE96A74DCC25C9D1C05FB6DE5B62C69419A7E0A88D4E39C7D

1812 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF755018227BA0FAD2.TMP | binary
MD5: E15F0041F22452300A8D8C7C13119EF9
SHA256: E611EF555EB643DAE96A74DCC25C9D1C05FB6DE5B62C69419A7E0A88D4E39C7D

3344 | UnityCrashHandler64.exe | C:\Users\admin\AppData\Local\Temp\~DFA4AEDA7A0BD26A3B.TMP | binary
MD5: F32899A8D5521BD83471D81B897B38FB
SHA256: DB7F73C5F3F0464CCE8FDD41E155E5277B41964CDA61CEB43E67BCB8EE3B6871

3676 | explorer.exe | C:\windows\resources\spoolsv.exe | executable
MD5: FAE3AA2BEB4B2BD4FA5377ACCA2BE96E
SHA256: 0CCB34E41FAE32B57080B9080AF87C2977642D269CD2AB77CAD5772EFB8DEE70

1812 | spoolsv.exe | C:\windows\resources\svchost.exe | executable
MD5: 8C84ED5216260D9A163FED17D2A40BA6
SHA256: 7159CE978F0BAD1537A6FB75889405FDE2FF953FF85C5D22DAF5E3CAD9F65943

888 | icsys.icn.exe | C:\windows\resources\themes\explorer.exe | executable
MD5: CAE2E65C8D585E509EA4F63E0233E3A1
SHA256: A2A3EBBA51755624E3276505F648A6364F5B8691A437C83105AC324FC8147632

3760 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF015A33D89005E3C5.TMP | binary
MD5: B01358FEB85F784FE1AD2D366FE593A4
SHA256: 46EEFE35484AFA05C5088250D03F999DB10304F42C8157082FCA1D8DBECF947F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info