File name: 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe

Full analysis: https://app.any.run/tasks/96e388ab-72d6-4d02-a12f-ce5eb22fc864
Verdict: Malicious activity
Analysis date: September 03, 2025, 16:38:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 53A4A0D0DD0BAE167CF5268FD0B2D9E5
SHA1: 64619A26BC85746F6A7144DBB1034D8092E1DD6A
SHA256: 32AD1FF886FD3671A6F849E99B4DF8D9F37AC41A65BD8D11088549AAB6CF51D4
SSDEEP: 98304:s8JyT/zDigjxSsGy814XKxCT42yyorIE0slO8/b/VVOr:B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
  • SUSPICIOUS

    • Application launched itself

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 6408)
      • ksat7ZV7FFW4s.exe (PID: 5628)
      • ksat7ZV7FFW4s.exe (PID: 6332)
    • Reads security settings of Internet Explorer

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
      • ksat7ZV7FFW4s.exe (PID: 6856)
      • ksat7ZV7FFW4s.exe (PID: 1472)
      • ksat7ZV7FFW4s.exe (PID: 6332)
    • Executable content was dropped or overwritten

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
    • Executes application which crashes

      • cmd.exe (PID: 6748)
      • cmd.exe (PID: 2464)
    • Starts CMD.EXE for commands execution

      • ksat7ZV7FFW4s.exe (PID: 6856)
      • ksat7ZV7FFW4s.exe (PID: 1472)
  • INFO

    • Checks supported languages

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 6408)
      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
      • ksat7ZV7FFW4s.exe (PID: 5628)
      • ksat7ZV7FFW4s.exe (PID: 1472)
      • ksat7ZV7FFW4s.exe (PID: 6332)
      • ksat7ZV7FFW4s.exe (PID: 6856)
    • Reads the computer name

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
      • ksat7ZV7FFW4s.exe (PID: 6856)
      • ksat7ZV7FFW4s.exe (PID: 1472)
      • ksat7ZV7FFW4s.exe (PID: 6332)
    • Creates files or folders in the user directory

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
      • WerFault.exe (PID: 5616)
      • WerFault.exe (PID: 2428)
    • Launching a file from the Startup directory

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
    • Process checks computer location settings

      • 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe (PID: 7124)
      • ksat7ZV7FFW4s.exe (PID: 6332)
      • ksat7ZV7FFW4s.exe (PID: 6856)
      • ksat7ZV7FFW4s.exe (PID: 1472)
    • Manual execution by a user

      • ksat7ZV7FFW4s.exe (PID: 6332)
    • Checks proxy server information

      • WerFault.exe (PID: 5616)
      • slui.exe (PID: 3108)
      • WerFault.exe (PID: 2428)
    • Reads the software policy settings

      • slui.exe (PID: 3108)
      • WerFault.exe (PID: 2428)
      • WerFault.exe (PID: 5616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:08:29 01:14:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit
PEType: PE32
LinkerVersion: 2.24
CodeSize: 6656
InitializedDataSize: 3544064
UninitializedDataSize: -
EntryPoint: 0x2751
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 150
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 5

Behavior graph


Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1472
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe" "C:\Users\admin\Desktop\32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe
Parent process: ksat7ZV7FFW4s.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ksat7zv7ffw4s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2428
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2464 -s 760
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2464
CMD: "C:\Windows\SysWOW64\cmd.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ksat7ZV7FFW4s.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN; this is the crash reported by WerFault.exe PID 2428)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3108
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3844
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4172
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5616
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6748 -s 872
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5628
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe" "C:\Users\admin\Desktop\32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe
Parent process: 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ksat7zv7ffw4s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6332
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ksat7zv7ffw4s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6408
CMD: "C:\Users\admin\Desktop\32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe"
Path: C:\Users\admin\Desktop\32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 17 981
Read events: 17 981
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5616 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cmd.exe_eb7ef24ae21cb78864ae5d636e19a2aa777c8b3_4f3fbfa9_7f06ee4a-2c29-4e44-b1b1-1c067a740e42\Report.wer | -
MD5:
SHA256:
2428 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cmd.exe_963884aca569c1eb357b9bd3565f7fb13a4a9fe9_4f3fbfa9_7062fa33-cc54-433f-b535-bdcb5a343ec9\Report.wer | -
MD5:
SHA256:
5616 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER26E9.tmp.xml | xml
MD5: ADAD7D7C464614DCBCB1D8239D979E44
SHA256: 45688D24701A66D20245E7B83AF119BB7400DC78E021AD80E47D0C8936505919
2428 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER453D.tmp.dmp | binary
MD5: EFF46928664E0C0646DBB7B57B6957AA
SHA256: 1A13E234153750D31FC0B27C7EDB1FDFF76859183F6AE431B36DE57FA5EB66B2
2428 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER45CA.tmp.WERInternalMetadata.xml | xml
MD5: 3219367DA7C2E369D4A03BB072CBAB5B
SHA256: 5E6305F7987EA1F5B0A7C3DA4AA9E6C22D51D691DA307E66E7AFA4131F67F5D6
7124 | 32ad1ff886fd3671a6f849e99b4df8d9f37ac41a65bd8d11088549aab6cf51d4.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksat7ZV7FFW4s.exe | executable
MD5: 155FD66068E2432C1A6CE921671A7C5E
SHA256: AD3ACE1EE9D8963A7180FBF870BE586DD64BE1C1E49BF17C8DDCC1BC7A7821DA
5616 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER26C9.tmp.WERInternalMetadata.xml | xml
MD5: 87C7089953B73B33F26F0BA6C7BAD5A3
SHA256: 8C13C121B1172BC88E3F4285F364700A77F2C7AA2D861C3BDCB849264A77B990
5616 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER265A.tmp.dmp | binary
MD5: CEF3FE57BA9A96C4921B6036AEFCF893
SHA256: 4F785F45A6F6BE79021140F71DC3324240A07A46923208B187C513AC0DE19B81
5616 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\cmd.exe.6748.dmp | binary
MD5: 4ECB28183D34F033689418BB85968C96
SHA256: 73426D9B9C2547D623F9E85E273C02B7301113645C82F725CD7F087ED0390B0B
2428 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER45FA.tmp.xml | xml
MD5: 1774A84A8D030EC4D6B25F35DD58432A
SHA256: 3F135366B30D8DB2659549DF25FBEBB1C2A8C62B16272F70085482B6826DF06A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 40
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
2940 | svchost.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | DE | binary | 734 b | whitelisted
- | - | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
- | - | POST | 400 | 40.126.32.134:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 20.190.160.14:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7084 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7084 | RUXIMICS.exe | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7084 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.164.114
  • 2.16.164.107
  • 2.16.164.18
  • 2.16.164.98
  • 2.16.164.24
  • 2.16.164.25
  • 2.16.164.122
  • 2.16.164.131
  • 2.16.164.9
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
watson.events.data.microsoft.com
  • 135.233.45.223
  • 135.234.160.244
whitelisted
self.events.data.microsoft.com
  • 40.74.98.192
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.2
  • 20.190.160.4
  • 20.190.160.5
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.67
  • 40.126.32.133
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info