File name:	32df691da0929298f88b37f712b47fbd17c7b2172aea31c200eedd08d5c296fb.exe
Full analysis:	https://app.any.run/tasks/696dc0b5-e85b-4743-8246-544673c8906c
Verdict:	Malicious activity
Analysis date:	September 03, 2025, 16:31:18
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-startup
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	177C3F4049BE4EB3619ECC9CDD36F5BC
SHA1:	023EA3A70DEB22E635E77AA360B6EEC80C4C070A
SHA256:	32DF691DA0929298F88B37F712B47FBD17C7B2172AEA31C200EEDD08D5C296FB
SSDEEP:	98304:X8JyT/gk2VymklI6Lq291ejwzhYJ4zrOkJqqvZc/OHS6LvoLmJwGosht/Bbnxrw7:BJ3MSjxm

.exe	\|	Win32 EXE PECompact compressed (generic) (31.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (23.8)
.exe	\|	Win64 Executable (generic) (21.1)
.scr	\|	Windows screen saver (10)
.dll	\|	Win32 Dynamic Link Library (generic) (5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:08:26 23:29:44+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, 32-bit
PEType:	PE32
LinkerVersion:	2.24
CodeSize:	6656
InitializedDataSize:	3544576
UninitializedDataSize:	-
EntryPoint:	0x20fc
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
1592	32df691da0929298f88b37f712b47fbd17c7b2172aea31c200eedd08d5c296fb.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JXYXEwq.exe		executable
		MD5:D6175C1BAC44F91197C593E3EBAACB73	SHA256:84900124D45B0F96163A091C5ED736A0CB869F628B6F2458614D51E1341898A8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2168	RUXIMICS.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
2168	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	POST	200	20.190.160.4:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	unknown
—	—	POST	400	20.190.160.65:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
—	—	POST	400	40.126.32.133:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
—	—	POST	400	40.126.32.74:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2168	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2168	RUXIMICS.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146 51.104.136.2	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 2.16.164.34 2.16.164.35 2.16.164.81 2.16.164.49 2.16.164.66 2.16.164.73 2.16.164.96 2.16.164.83 2.16.164.58	whitelisted
www.microsoft.com	23.35.229.160 88.221.169.152	whitelisted
login.live.com	20.190.160.4 40.126.32.72 40.126.32.140 20.190.160.17 40.126.32.74 20.190.160.130 40.126.32.133 20.190.160.65	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
self.events.data.microsoft.com	104.208.16.95	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
x1.c.lencr.org	23.3.109.48	whitelisted

PID	Process	Class	Message
4820	cmd.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149
4820	cmd.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149

General Info

32df691da0929298f88b37f712b47fbd17c7b2172aea31c200eedd08d5c296fb.exe

177C3F4049BE4EB3619ECC9CDD36F5BC

023EA3A70DEB22E635E77AA360B6EEC80C4C070A

32DF691DA0929298F88B37F712B47FBD17C7B2172AEA31C200EEDD08D5C296FB

98304:X8JyT/gk2VymklI6Lq291ejwzhYJ4zrOkJqqvZc/OHS6LvoLmJwGosht/Bbnxrw7:BJ3MSjxm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

Starts CMD.EXE for commands execution

Connects to unusual port

INFO

Checks supported languages

Creates files or folders in the user directory

Launching a file from the Startup directory

Process checks computer location settings

Reads the computer name

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings