File name:

8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin

Full analysis: https://app.any.run/tasks/a3b5846e-32aa-4cb3-a7e4-04b480d50eef
Verdict: Malicious activity
Analysis date: May 16, 2025, 15:24:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 11 sections
MD5:

F2E1D236C5D2C009E1749FC6479A9EDE

SHA1:

262C22FFD66C33DA641558F3DA23F7584881A782

SHA256:

8200755CBEDD6F15EECD8207EBA534709A01957B172D7A051B9CC4769DDBF233

SSDEEP:

49152:HhwoefBiOeiupQRE2jLC7B0otrG6slgkExmPn0TG7iISL/XFeRNkvUOlWQ4mhIdB:BwoesOeiupQRBjmtSJn0mUG7jSzFeRMg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 7152)

    • Starts CMD.EXE for commands execution

      • 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe (PID: 4560)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4408)

    • Stops a currently running service

      • sc.exe (PID: 6516)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 960)
      • cmd.exe (PID: 6744)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 1676)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 5360)

  • INFO

    • Checks supported languages

      • 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe (PID: 4560)

    • Reads the computer name

      • 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe (PID: 4560)

    • Reads the software policy settings

      • slui.exe (PID: 4688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.3)
.dll | Win32 Dynamic Link Library (generic) (14.1)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.24
CodeSize: 1448960
InitializedDataSize: 512
UninitializedDataSize: 6144
EntryPoint: 0x311a7f
OSVersion: 5
ImageVersion: 1
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
49
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
644C:\WINDOWS\system32\cmd.exe /c sc stop WELMC:\Windows\SysWOW64\cmd.exe8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
660netsh ipsec static add filteraction name=block action=blockC:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
660netsh advfirewall firewall delete rule name="Windriver"C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
960C:\WINDOWS\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=blockC:\Windows\SysWOW64\cmd.exe8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1056C:\WINDOWS\system32\cmd.exe /c netsh ipsec static add filterlist name=blockC:\Windows\SysWOW64\cmd.exe8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348C:\WINDOWS\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445C:\Windows\SysWOW64\cmd.exe8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1676C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Windriver"C:\Windows\SysWOW64\cmd.exe8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2140C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
2236taskkill /f /im mmc.exeC:\Windows\SysWOW64\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
7 344
Read events
7 344
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
48
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4560
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
GET
404
91.195.240.94:80
http://08.super5566.com/install/start
unknown
malicious
4560
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
GET
404
91.195.240.94:80
http://08.super5566.com/install/106:0%20-%3e%20127:5%20-%3e%20128:5%20-%3e%2065:5
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4560
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin.exe
91.195.240.94:80
08.super5566.com
SEDO GmbH
DE
malicious
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
08.super5566.com
  • 91.195.240.94
malicious
login.live.com
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.128
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.73
  • 40.126.31.129
  • 40.126.31.1
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
  • 2603:1030:408:7::3d
whitelisted
15.164.165.52.in-addr.arpa
unknown
d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin