| File name: | 19.exe |
| Full analysis: | https://app.any.run/tasks/255a68c7-0f3d-4c1b-b6fe-d8884c962d76 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 19, 2025, 13:45:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 795F0191C4CEA4CECEF77FEAD8D33A91 |
| SHA1: | 3488F1DA6F7517620EAC8C642B6D7D3643C4FEFE |
| SHA256: | E61CC3DF7D9C5B24EEB4BF24A26322F3A08D51AA900C9E4550EB4AF79623F2C8 |
| SSDEEP: | 3072:egXAlMeU0WMET/ZH7HtKFASWmNglgTTR0s:egXAlM8ErZH7H0F/Gk |
MALICIOUS
GENERIC has been found (auto)
- 19.exe (PID: 4192)
Executing a file with an untrusted certificate
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Changes the autorun value in the registry
- reg.exe (PID: 7096)
SUSPICIOUS
Reads security settings of Internet Explorer
- 19.exe (PID: 4192)
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Process requests binary or script from the Internet
- 19.exe (PID: 4192)
Connects to the server without a host name
- 19.exe (PID: 4192)
Potential Corporate Privacy Violation
- 19.exe (PID: 4192)
Executable content was dropped or overwritten
- 19.exe (PID: 4192)
Uses REG/REGEDIT.EXE to modify registry
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Connects to unusual port
- Te.exe (PID: 1216)
INFO
Checks supported languages
- 19.exe (PID: 4192)
- Te.exe (PID: 1216)
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Reads the computer name
- 19.exe (PID: 4192)
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Checks proxy server information
- 19.exe (PID: 4192)
- slui.exe (PID: 7048)
Creates files or folders in the user directory
- 19.exe (PID: 4192)
The sample compiled with english language support
- 19.exe (PID: 4192)
Manual execution by a user
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
- Te.exe (PID: 1216)
Create files in a temporary directory
- 19.exe (PID: 4192)
Reads the machine GUID from the registry
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Process checks computer location settings
- {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe (PID: 5456)
Launching a file from a Registry key
- reg.exe (PID: 7096)
Failed to create an executable file in Windows directory
- 19.exe (PID: 4192)
Reads the software policy settings
- slui.exe (PID: 7048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:29 09:07:54+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 35328 |
| InitializedDataSize: | 23040 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2d5c |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
140
Monitored processes
7
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | reg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1216 | "C:\Users\admin\AppData\Roaming\{496A184C-A25E-471d-A344-D7712A34F019}\Te.exe" | C:\Users\admin\AppData\Roaming\{496A184C-A25E-471d-A344-D7712A34F019}\Te.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 4192 | "C:\Users\admin\Desktop\19.exe" | C:\Users\admin\Desktop\19.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 5020 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5456 | "C:\Users\admin\AppData\Local\Temp\{6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe" 2 "C:\Users\admin\AppData\Local\Temp\{3EB42FD8-1938-4996-957C-5082342B4034}.lnk" | C:\Users\admin\AppData\Local\Temp\{6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | — | explorer.exe | |||||||||||
User: admin Company: WiseCleaner.com Integrity Level: MEDIUM Exit code: 0 Version: 1.0.2.2 Modules
| |||||||||||||||
| 7048 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7096 | "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\admin\AppData\Local\{8435CB26-8F32-4558-A09F-B9607AB0BAE7}" /f | C:\Windows\SysWOW64\reg.exe | {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 256
Read events
5 253
Write events
3
Delete events
0
Modification events
| (PID) Process: | (5456) {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (5456) {6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C000000000000046090100006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (7096) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| Operation: | write | Name: | Startup |
Value: C:\Users\admin\AppData\Local\{8435CB26-8F32-4558-A09F-B9607AB0BAE7} | |||
Executable files
3
Suspicious files
1
Text files
1
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4192 | 19.exe | C:\Users\Public\Videos\login.bin | binary | |
MD5:370140BEDE3C5E5E958D390026BF888E | SHA256:31C71CC5D1CA3BBD18051CA42BD6324A0BC69E4863982097C2C4792AA3177C71 | |||
| 4192 | 19.exe | C:\Users\admin\AppData\Roaming\{496A184C-A25E-471d-A344-D7712A34F019}\Te.exe | executable | |
MD5:9EAECD1E58C761D807162DA46C76654A | SHA256:13CA48AB9FDB58AEF5F788057BA84980E8D7D219E0585E7DD56014B967081849 | |||
| 4192 | 19.exe | C:\Users\admin\AppData\Local\{8435CB26-8F32-4558-A09F-B9607AB0BAE7}\Windows_system_deponcom.exe | executable | |
MD5:9C38E5CFA356B47B1C060179F385F1E2 | SHA256:1FE4C08701C24B3592933C073CE170268AC2809E7F3B8E65F46B0E54B01E16CC | |||
| 4192 | 19.exe | C:\Users\admin\AppData\Local\Temp\{6AADF51E-4FAA-48c8-B4D1-1F27B6873CA3}.exe | executable | |
MD5:7AFC96F9E4DC9CB8A4ED216988AF1257 | SHA256:C86512D5D4766B5F45A9ED4680A88246197D317C167DB52A67E685851D41C753 | |||
| 4192 | 19.exe | C:\Users\admin\AppData\Local\Temp\{3EB42FD8-1938-4996-957C-5082342B4034}.lnk | lnk | |
MD5:E8C00E35783FF69EB9A88DFE27AD5F53 | SHA256:00A662AFA73730901156407A9C6DA2556DE9609B51277E65DED5412F0388E816 | |||
| 4192 | 19.exe | C:\Users\Public\Videos\config.ini | text | |
MD5:118F7C66B434EAE36939ED29937882EE | SHA256:5660C0C1358AE24475088CFBDD06747E58C79A81F82D274DB4AE083817F09FDD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
48
DNS requests
19
Threats
16
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4192 | 19.exe | GET | 200 | 45.192.216.81:80 | http://45.192.216.81/06/login.bin | unknown | — | — | malicious |
2228 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4192 | 19.exe | GET | 200 | 45.192.216.81:80 | http://45.192.216.81/Te.exe | unknown | — | — | unknown |
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2228 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
4192 | 19.exe | GET | 200 | 45.192.216.81:80 | http://45.192.216.81/witheFile.exe | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2228 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4192 | 19.exe | 45.192.216.81:80 | — | LUOGELANG FRANCE LIMITED | HK | malicious |
5944 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2228 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2228 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4192 | 19.exe | A Network Trojan was detected | ET MALWARE Zbot Generic URI/Header Struct .bin |
4192 | 19.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad |
4192 | 19.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
4192 | 19.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
4192 | 19.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
4192 | 19.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
4192 | 19.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
4192 | 19.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
4192 | 19.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
4192 | 19.exe | Misc activity | ET INFO Packed Executable Download |