File name: loader.exe

Full analysis: https://app.any.run/tasks/f6e64d41-1c29-4874-afe5-2f714feaf5f7
Verdict: Malicious activity
Analysis date: July 27, 2025, 11:51:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 025EB1BB1651986848DD4633B080CB31
SHA1: 96081C8ADCD16964892D2201FAC43091A68BE535
SHA256: FDEDAE183C634F8E6D903D90179009F66C217543D86A80E3A103D74C5C441E08
SSDEEP: 196608:p91QjoGBaJfi44ucge3rgIxwPeUisbfS5I:ekJfl4u/eE1fTwI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • JEEFO has been detected
      • svchost.exe (PID: 1740)
      • explorer.exe (PID: 4168)
    • Changes the autorun value in the registry
      • explorer.exe (PID: 4168)
      • svchost.exe (PID: 1740)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • icsys.icn.exe (PID: 4224)
      • explorer.exe (PID: 4168)
      • loader.exe (PID: 3392)
      • spoolsv.exe (PID: 6240)
    • Starts itself from another location
      • loader.exe (PID: 3392)
    • Creates or modifies Windows services
      • svchost.exe (PID: 1740)
  • INFO
    • The sample compiled with English language support
      • loader.exe (PID: 3392)
      • icsys.icn.exe (PID: 4224)
      • explorer.exe (PID: 4168)
      • spoolsv.exe (PID: 6240)
    • Checks supported languages
      • spoolsv.exe (PID: 5808)
    • Creates files in a temporary directory
      • spoolsv.exe (PID: 5808)
    • Reads the computer name
      • svchost.exe (PID: 1740)
    • Launching a file from a Registry key
      • explorer.exe (PID: 4168)
      • svchost.exe (PID: 1740)
    • Manual execution by a user
      • svchost.exe (PID: 1160)
      • explorer.exe (PID: 5236)
    • Checks proxy server information
      • slui.exe (PID: 6724)
    • Reads the software policy settings
      • slui.exe (PID: 6724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph, from start: loader.exe; icsys.icn.exe; explorer.exe (no specs); spoolsv.exe (no specs); svchost.exe (no specs); spoolsv.exe (no specs); explorer.exe (no specs); svchost.exe (no specs); slui.exe; loader.exe (no specs)

Process information

PID: 1160
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  c:\windows\resources\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 1740
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Version: 1.00

PID: 2508
CMD: "C:\Users\admin\Desktop\loader.exe"
Path: C:\Users\admin\Desktop\loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  c:\users\admin\desktop\loader.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 3392
CMD: "C:\Users\admin\Desktop\loader.exe"
Path: C:\Users\admin\Desktop\loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00

PID: 4168
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00

PID: 4224
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: loader.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00

PID: 5236
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  c:\windows\resources\themes\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 5808
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  c:\windows\resources\spoolsv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 6240
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00

PID: 6724
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 600
Read events: 3 584
Write events: 12
Delete events: 4

Modification events

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -

Process: (4168) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

Process: (4168) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

Process: (4168) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

Process: (4168) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule
Operation: write
Name: Start
Value: 2

Process: (1740) svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
Operation: write
Name: Start
Value: 4
Executable files: 5
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 4168 | Process: explorer.exe | Filename: C:\Windows\Resources\spoolsv.exe | Type: executable
MD5: 64B4C43A1798B94A91B8EC775CF7ECC3
SHA256: 3C43A34B3F0087D5F0D76C63906D39B5C0F1298AE4D91C54CFA4F5688DD4326E

PID: 3392 | Process: loader.exe | Filename: C:\Windows\Resources\Themes\icsys.icn.exe | Type: executable
MD5: 16DB0D68E0B6563E3FB2493D2C264570
SHA256: 5650769D6F015F956347B7B755A046934EAEDCB3F5FE7E4B155EE13A2E80F299

PID: 3392 | Process: loader.exe | Filename: C:\Users\admin\Desktop\loader.exe | Type: executable
MD5: 67843B5E8AA74189D46A4C3AB643185C
SHA256: F2C50FDCE47A64945BD9E8246F212D77BBFD4614DE2535BC1235705A3A5281E1

PID: 6240 | Process: spoolsv.exe | Filename: C:\Windows\Resources\svchost.exe | Type: executable
MD5: 86D1BAA084E083AEC7AED85AA0AC2623
SHA256: 7AB784401A8B956495BE32F6AB581439D583502A144A2E3D471E45E2BF643D61

PID: 4224 | Process: icsys.icn.exe | Filename: C:\Windows\Resources\Themes\explorer.exe | Type: executable
MD5: 3E5EEF1324C682AD7CD839B34B6544E3
SHA256: 0BC4F30EB9FD62EEEDB5418077E68C2CA4009FDE098EFB3D0E8DD64486BC34E0

PID: 5808 | Process: spoolsv.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DFC146B11D24CF2DED.TMP | Type: binary
MD5: B4429097FF92461144323777419CF93C
SHA256: A0CC6ABC877DD08D069CC63800506E133D5B81A01325F71F563B62EC606E5023

PID: 6240 | Process: spoolsv.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DFB8121B7E4EB4AF3F.TMP | Type: binary
MD5: 30FF21EB5687951DE6C62DE1C8E2162E
SHA256: B5A6CAE530E7981EA1EDA9019DCC3253DED5CCFBA6B3BA66CE7220D2ACC83552

PID: 4224 | Process: icsys.icn.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF1C5692CF05E75EEF.TMP | Type: binary
MD5: 4ED65818F1307DB80571F453C72507E0
SHA256: 00A4C3BC7662F1768F0C899DA691C095050B2F90DC2600562CE4741368055334

PID: 3392 | Process: loader.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF0DAAD22F8AA7170F.TMP | Type: binary
MD5: B6F75E66430988F40D947F80BC5F3A21
SHA256: BFFCDF5E3F05E46CC895522F84060DECDA67BCD23D49E4EB72744F3240BF6197
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 45
TCP/UDP connections: 51
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5528 | RUXIMICS.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5528 | RUXIMICS.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5528 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5528 | RUXIMICS.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 23.216.77.20, 23.216.77.37, 23.216.77.41, 23.216.77.28, 23.216.77.6, 23.216.77.21, 23.216.77.5, 23.216.77.31, 23.216.77.25, 23.216.77.22, 23.216.77.42, 23.216.77.38, 23.216.77.8, 23.216.77.30, 23.216.77.36 | whitelisted
www.microsoft.com | 69.192.161.161 | whitelisted
login.live.com | 20.190.159.2, 20.190.159.130, 20.190.159.73, 20.190.159.64, 40.126.31.73, 20.190.159.131, 20.190.159.71, 20.190.159.68 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
x1.c.lencr.org | 104.76.201.34 | whitelisted

Threats

No threats detected
No debug info