File name: K.exe

Full analysis: https://app.any.run/tasks/23c81556-697c-401f-8c2c-35660d15f32c
Verdict: Malicious activity
Analysis date: June 07, 2025, 22:52:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sfx, dropper, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9FD3E2730D5C4643C27820A46D536A4C
SHA1: 15CC60C9E6B8BF7472571575F95A56A1EEE46654
SHA256: 667449A66227092E33BD20CC611FB266C79A35A23D631801A68A4DE2D337AD1F
SSDEEP: 98304:laeKrIApxoMgASZDaJaY2RsQaa9uqH7akQQq/3LwHnJT4D0onagBw4GKpz3mpdvj:Bsbpj5pvcxGZSbMk4O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • SFX dropper has been detected
      • K.exe (PID: 2652)
  • SUSPICIOUS
    • Application launched itself
      • K.exe (PID: 2652)
    • Executable content was dropped or overwritten
      • K.exe (PID: 6584)
    • Likely accesses (executes) a file from the Public directory
      • K.exe (PID: 6584)
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
    • Reads security settings of Internet Explorer
      • K.exe (PID: 2652)
    • There is functionality for taking screenshot (YARA)
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
  • INFO
    • Reads the computer name
      • K.exe (PID: 2652)
      • K.exe (PID: 6584)
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
    • Process checks computer location settings
      • K.exe (PID: 2652)
    • Manual execution by a user
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
    • Checks supported languages
      • K.exe (PID: 6584)
      • K.exe (PID: 2652)
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
    • Compiled with Borland Delphi (YARA)
      • Keygen_Loader_Kg193582 master.exe (PID: 1188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:27 20:03:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 190976
InitializedDataSize: 242176
UninitializedDataSize: -
EntryPoint: 0x1d759
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, #DROPPER k.exe (no specs), k.exe, rundll32.exe (no specs), keygen_loader_kg193582 master.exe, slui.exe (no specs)

Process information

PID: 1188
CMD: "C:\Users\Public\Desktop\Keygen Optitex 22\Keygen_Loader_Kg193582 master.exe"
Path: C:\Users\Public\Desktop\Keygen Optitex 22\Keygen_Loader_Kg193582 master.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\public\desktop\keygen optitex 22\keygen_loader_kg193582 master.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1600
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 2652
CMD: "C:\Users\admin\AppData\Local\Temp\K.exe"
Path: C:\Users\admin\AppData\Local\Temp\K.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\k.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

PID: 6584
CMD: "C:\Users\admin\AppData\Local\Temp\K.exe" -el -s2 "-dC:\Users\Public\Desktop" "-sp"
Path: C:\Users\admin\AppData\Local\Temp\K.exe
Parent process: K.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\k.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

PID: 8168
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 515
Read events: 515
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6584 | K.exe | C:\Users\Public\Desktop\Keygen Optitex 22\Keygen_Loader_Kg193582 master.exe | executable | 401645FEFFCA89CE4415620300F62414 | 80FB960FBB0B63B095F318ACBACEDAF06B2D64BE934E32D81CDD4875214DD687
6584 | K.exe | C:\Users\Public\Desktop\Keygen Optitex 22\Kg193582.exe | executable | 683A0BBF7A00C48D6ADFB002F324D3C5 | B6BA3034697DD94A5FE37F6595E77483E6C0D4E8681E0D0F1D2C43C3642041FE
6584 | K.exe | C:\Users\Public\Desktop\Keygen Optitex 22\Loader_Kg193582.exe | executable | 1C3C2012EE851C0F708DBDC042004F82 | E80602BCE622A8AFB1A2617B976E73440065FACE622A1EA301CC883E5A4423EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 20
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7636 | svchost.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
7636 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
3304 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
3304 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2516 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7636 | svchost.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7636 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7636 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6544 | svchost.exe | 40.126.31.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 23.48.23.147, 23.48.23.166, 23.48.23.194, 23.48.23.176, 23.48.23.173, 23.48.23.177 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 142.250.185.78 | whitelisted
login.live.com | 40.126.31.3, 20.190.159.73, 40.126.31.1, 40.126.31.2, 40.126.31.69, 20.190.159.130, 20.190.159.64, 40.126.31.130 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | - | whitelisted

Threats

No threats detected
No debug info