File name:

malware200

Full analysis: https://app.any.run/tasks/ef233ec5-6dd1-4925-b0fb-c244ce42b395
Verdict: Malicious activity
Analysis date: May 18, 2025, 10:13:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

957302C7E0C9E025397C2E3CFDC0FEF3

SHA1:

10AC72A20AC5CD28C94199899FE2EAE6ED5B3A84

SHA256:

AE1DAB47FAE0307831EC90B249D26AB4D783FD1FBFEBF98A2448D40932885BBD

SSDEEP:

12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQf1vYOUlsxdX:prl6kD68JmlotQfhHUl4X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/add/change user profiles

      • malware200.exe (PID: 4776)
      • net.exe (PID: 7204)
      • net.exe (PID: 7720)
      • net.exe (PID: 8084)
      • net.exe (PID: 7460)
      • net.exe (PID: 7836)
      • net.exe (PID: 7468)
      • net.exe (PID: 7576)
      • net.exe (PID: 7812)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 7556)
      • net.exe (PID: 7652)
      • malware200.exe (PID: 4776)
      • net.exe (PID: 3240)
      • net.exe (PID: 5972)

    • Starts NET.EXE to view/change users group

      • malware200.exe (PID: 4776)
      • net.exe (PID: 6712)
      • net.exe (PID: 7744)

  • SUSPICIOUS

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 1276)

    • Starts CMD.EXE for commands execution

      • malware200.exe (PID: 4776)

    • There is functionality for taking screenshot (YARA)

      • malware200.exe (PID: 4776)

    • Uses WMIC.EXE to obtain user accounts information

      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 7824)

    • Reads security settings of Internet Explorer

      • malware200.exe (PID: 4776)

  • INFO

    • Checks supported languages

      • malware200.exe (PID: 4776)

    • Reads mouse settings

      • malware200.exe (PID: 4776)

    • UPX packer has been detected

      • malware200.exe (PID: 4776)

    • The process uses AutoIt

      • malware200.exe (PID: 4776)

    • Reads the computer name

      • malware200.exe (PID: 4776)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7540)
      • WMIC.exe (PID: 7864)

    • Reads the software policy settings

      • slui.exe (PID: 7980)
      • slui.exe (PID: 7452)

    • Checks proxy server information

      • slui.exe (PID: 7452)
      • malware200.exe (PID: 4776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE Yoda's Crypter (63.7)
.dll | Win32 Dynamic Link Library (generic) (15.7)
.exe | Win32 Executable (generic) (10.8)
.exe | Generic Win/DOS Executable (4.8)
.exe | DOS Executable Generic (4.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:04:26 18:12:56+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 352256
InitializedDataSize: 106496
UninitializedDataSize: 634880
EntryPoint: 0xf1990
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
194
Monitored processes
61
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start malware200.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sppextcomobj.exe no specs slui.exe net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs net1.exe no specs net1.exe no specs wmic.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs net1.exe no specs wmic.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1276C:\WINDOWS\system32\cmd.exe /c netsh firewall set opmode DisableC:\Windows\SysWOW64\cmd.exemalware200.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2320C:\WINDOWS\system32\cmd.exe /c netsh advfirewall set currentprofile state offC:\Windows\SysWOW64\cmd.exemalware200.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3240net localgroup "remote desktop users" server_sys /addC:\Windows\SysWOW64\net.exemalware200.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4228C:\WINDOWS\system32\net1 localgroup "remote desktop users" server_sys /addC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
4776"C:\Users\admin\AppData\Local\Temp\malware200.exe" C:\Users\admin\AppData\Local\Temp\malware200.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\malware200.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5344C:\WINDOWS\system32\net1 group "domain admins" server_sys /addC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
5376\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5972net localgroup administrators server_sys /addC:\Windows\SysWOW64\net.exemalware200.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6148\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 039
Read events
3 039
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.13:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7364
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7364
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4628
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.13:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.13
  • 23.216.77.38
  • 23.216.77.6
  • 23.216.77.8
  • 23.216.77.32
  • 23.216.77.35
  • 23.216.77.41
  • 23.216.77.36
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.129
  • 40.126.31.130
  • 20.190.159.130
  • 20.190.159.4
  • 20.190.159.68
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.jily.tw
unknown
ucitsaanglicky.sk
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
malware200