home

ic-0.0cdc6b60bdd664.exe

Ding Ruan

The application ic-0.0cdc6b60bdd664.exe by Ding Ruan has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-52-85-77-241.lax3.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Ding Ruan  (signed and verified)

MD5:
efdb130d75fb5d1b1d6f356e730f3e4c

SHA-1:
052b6433f6f2e9d58da8552ed21c5bf6410b9278

SHA-256:
bf85c2a51ad04e67ec23d01ac603ee8d057f1bf6326fdbfe777e9d36d7ae14ed

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
3/27/2026 2:33:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX (M)
17.2.20.4

File size:
419 KB (429,104 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ic-0.0cdc6b60bdd664.exe

Digital Signature
Signed by:
Ding Ruan

Authority:
thawte, Inc.

Valid from:
1/22/2017 7:00:00 AM

Valid to:
4/14/2017 6:59:59 AM

Subject:
CN=Ding Ruan, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
50EE108988BED95F53447CC7C9B80D11

File PE Metadata
Compilation timestamp:
2/13/2017 8:23:53 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1B57

Entry point:
E8, 20, 00, 00, 00, E9, EC, 9F, 00, 00, 55, 8B, EC, 8B, 45, 08, F7, D8, 1B, C0, 83, E0, 01, 5D, C3, 6A, 01, E8, 5B, B1, 00, 00, 59, C3, 33, C0, C3, 55, 8B, EC, 83, EC, 14, 83, 65, F4, 00, 83, 65, F8, 00, A1, 00, 60, 46, 00, 56, 57, BF, 4E, E6, 40, BB, BE, 00, 00, FF, FF, 3B, C7, 74, 0D, 85, C6, 74, 09, F7, D0, A3, 04, 60, 46, 00, EB, 66, 8D, 45, F4, 50, FF, 15, A0, F0, 45, 00, 8B, 45, F8, 33, 45, F4, 89, 45, FC, FF, 15, 88, F0, 45, 00, 31, 45, FC, FF, 15, 9C, F0, 45, 00, 31, 45, FC, 8D, 45, EC, 50, FF, 15...
 
[+]

Entropy:
7.7998  (probably packed)

Code size:
376 KB (385,024 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-216-106.mrs50.r.cloudfront.net  (54.230.216.106:80)

TCP (HTTP):
Connects to server-52-85-77-110.lax3.r.cloudfront.net  (52.85.77.110:80)

TCP (HTTP):
Connects to server-52-84-246-215.sfo20.r.cloudfront.net  (52.84.246.215:80)

TCP (HTTP):
Connects to server-54-192-130-78.ams50.r.cloudfront.net  (54.192.130.78:80)

TCP (HTTP):
Connects to server-52-84-246-127.sfo20.r.cloudfront.net  (52.84.246.127:80)

TCP (HTTP):
Connects to server-54-230-216-51.mrs50.r.cloudfront.net  (54.230.216.51:80)

TCP (HTTP):
Connects to server-54-230-216-35.mrs50.r.cloudfront.net  (54.230.216.35:80)

TCP (HTTP):
Connects to server-54-230-216-108.mrs50.r.cloudfront.net  (54.230.216.108:80)

TCP (HTTP):
Connects to server-52-85-77-86.lax3.r.cloudfront.net  (52.85.77.86:80)

TCP (HTTP):
Connects to server-52-85-77-241.lax3.r.cloudfront.net  (52.85.77.241:80)

TCP (HTTP):
Connects to server-54-192-130-45.ams50.r.cloudfront.net  (54.192.130.45:80)

TCP (HTTP):
Connects to server-54-192-130-223.ams50.r.cloudfront.net  (54.192.130.223:80)

TCP (HTTP):
Connects to server-52-85-83-99.lax1.r.cloudfront.net  (52.85.83.99:80)

TCP (HTTP):
Connects to server-52-84-246-21.sfo20.r.cloudfront.net  (52.84.246.21:80)

TCP (HTTP):
Connects to server-52-84-246-114.sfo20.r.cloudfront.net  (52.84.246.114:80)

Remove ic-0.0cdc6b60bdd664.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.