File name: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe

Full analysis: https://app.any.run/tasks/0657c9c7-2a44-4839-9b3f-af057572eb79
Verdict: Malicious activity
Analysis date: February 22, 2026, 17:40:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 5BC647C9A9306AB106777B6D6CA9707D
SHA1: 3DCA255B5AF7E4AC3E50D6A4CFD6B4818BD55846
SHA256: 41D7490A42D67AB3B1A2B16FB97A02AEE51DA656952DC6C5DF5987AC36F794B0
SSDEEP: 98304:rvqlKzaAGOmWnWJi2x+9Je2YHJ8hTVDkBEdao5yMHm0ODGRDwjO5yl7olfjx4Ciz:PYHJm+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
      • winPrsv.exe (PID: 6060)
      • taskWin.exe (PID: 1600)
    • UAC/LUA settings modification

      • taskWin.exe (PID: 1600)
      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
      • winPrsv.exe (PID: 6060)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
  • INFO

    • Manual execution by a user

      • taskWin.exe (PID: 1600)
      • winPrsv.exe (PID: 6060)
    • Launching a file from a Registry key

      • winPrsv.exe (PID: 6060)
      • taskWin.exe (PID: 1600)
      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
    • The sample compiled with English language support

      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
    • Checks supported languages

      • winPrsv.exe (PID: 6060)
      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
      • taskWin.exe (PID: 1600)
    • Creates files or folders in the user directory

      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
      • taskWin.exe (PID: 1600)
    • The sample compiled with Portuguese language support

      • x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (PID: 7896)
    • Reads the computer name

      • taskWin.exe (PID: 1600)
    • Compiled with Borland Delphi (YARA)

      • winPrsv.exe (PID: 6060)
      • taskWin.exe (PID: 1600)
    • Reads security settings of Internet Explorer

      • taskWin.exe (PID: 1600)
    • Checks proxy server information

      • taskWin.exe (PID: 1600)
      • slui.exe (PID: 1708)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:17 22:25:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1278464
InitializedDataSize: 5843968
UninitializedDataSize: -
EntryPoint: 0x139974
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 150
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 3

Behavior graph

start -> x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe, taskwin.exe, winprsv.exe, slui.exe, x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe (no specs)

Process information

PID: 1600
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Sistema de Kernel
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\microsoft windows\taskwin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 1708
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3652
CMD: "C:\Users\admin\Desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe"
Path: C:\Users\admin\Desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6060
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Controlador de Protocolo de Rede
Version: 1.9.0.0
Modules (Images):
c:\users\admin\appdata\local\microsoft windows\winprsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 7896
CMD: "C:\Users\admin\Desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe"
Path: C:\Users\admin\Desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 4 107
Read events: 4 052
Write events: 55
Delete events: 0

Modification events

(PID) Process: (7896) x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (7896) x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Kernel System
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"

(PID) Process: (7896) x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Control Network
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"

(PID) Process: (6060) winPrsv.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (6060) winPrsv.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Control Network
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"

(PID) Process: (6060) winPrsv.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Control Network
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"

(PID) Process: (1600) taskWin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (1600) taskWin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Kernel System
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"

(PID) Process: (1600) taskWin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Kernel System
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"

(PID) Process: (1600) taskWin.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Control Network
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Executable files: 6
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\ssleay32.dll | Type: executable
MD5: A02F9DD21FA2E39BDF1BC8D8C8C63F21
SHA256: 189A70D8C1311CC09FF14FD43EC67595531B1F0AEEAF6964D4239D5F32830F03

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\Config.ini | Type: text
MD5: 2F6711974A9E669E965706B48A7EB0D9
SHA256: 98AD0CCD4C0BD1400048DCE4E7056FC8D115AC88DFA7FD3F8C48CF64CF885E4A

PID: 1600 | Process: taskWin.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\listaArq.txt | Type: text
MD5: 4FA11C870239ACB0DBE8621EC686C0C2
SHA256: D3D979532422817592CF8B2FF77D43E63DE05BB3120E519521FA1FB5A8AFBADE

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe | Type: executable
MD5: 9B6BF5B960EBD4D8EBE92089D670FD4C
SHA256: 7491BDED3D6DA3AD573149CBD3826F274A6FB1DA09F0FB2C6049A818EEA83B75

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\libeay32.dll | Type: executable
MD5: C337C251661977D92B5AC8BBC840421B
SHA256: D376DDC6B93772EC2429D9DFDCE6C11F1A771E84304F2E3D12AF6235558A2733

PID: 1600 | Process: taskWin.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data - Copy | Type: binary
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe | Type: executable
MD5: DA1CB6BFED050ECA74AC921135DDB152
SHA256: C3FF6FE117B8BECAEFB3F36E267284C8CC0F9392035439DBBD4EF2D51D2DCFE2

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\sqlite3.dll | Type: executable
MD5: D9E9F9BAF324BB1B954751FB22884B41
SHA256: D3D8EB6A038766AF126C84D56DD8BB4192B84F8C78F6515493ED32108F7A41BD

PID: 7896 | Process: x41d7490a42d67ab3b1a2b16fb97a02aee51da656952dc6c5df5987ac36f794b0.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\default.exe | Type: executable
MD5: 5BC647C9A9306AB106777B6D6CA9707D
SHA256: 41D7490A42D67AB3B1A2B16FB97A02AEE51DA656952DC6C5DF5987AC36F794B0
HTTP(S) requests: 51
TCP/UDP connections: 51
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4724 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
4516 | RUXIMICS.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
9088 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
9088 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | US | - | 10.3 Kb | whitelisted
4724 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
4516 | RUXIMICS.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
4724 | SIHClient.exe | GET | 200 | 74.178.76.128:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
9088 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4516 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
4516 | RUXIMICS.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
9088 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
4516 | RUXIMICS.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 13.89.178.26
  • 20.44.10.123
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.251.36.110
whitelisted
crl.microsoft.com
  • 23.55.110.211
  • 23.55.110.193
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.160.5
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.136
  • 20.190.160.65
  • 40.126.32.74
  • 20.190.160.132
  • 40.126.32.76
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted

Threats

No threats detected
No debug info