File name: x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe
Full analysis: https://app.any.run/tasks/9f54e229-4596-4be0-a405-62b1af993f7c
Verdict: Malicious activity
Analysis date: February 22, 2026, 17:47:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, delphi
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 89ABDB1E7DD907FEFD7113602F54FE7B
SHA1: 7601267D0BD389436CED365F7AF5E80A07F2AA60
SHA256: 47459F42816327F6249BB5E52C87F9B0EBAB0ADF421B894F00046921B6140E35
SSDEEP: 98304:qvqlKzaAGOmWnWJ/2x+9Je2YHJ8hTVDkBEdao5yMHm0ODGRDwjO5yl7olfjx4Ciz:NYHJm+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
      • winPrsv.exe (PID: 3244)
      • taskWin.exe (PID: 3404)
    • UAC/LUA settings modification
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
      • winPrsv.exe (PID: 3244)
      • taskWin.exe (PID: 3404)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
  • INFO
    • Creates files or folders in the user directory
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
      • taskWin.exe (PID: 3404)
    • Checks supported languages
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
      • taskWin.exe (PID: 3404)
      • winPrsv.exe (PID: 3244)
    • Launching a file from a Registry key
      • x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (PID: 7636)
      • winPrsv.exe (PID: 3244)
      • taskWin.exe (PID: 3404)
    • Manual execution by a user
      • taskWin.exe (PID: 3404)
      • winPrsv.exe (PID: 3244)
    • Reads the computer name
      • taskWin.exe (PID: 3404)
    • Checks proxy server information
      • taskWin.exe (PID: 3404)
      • slui.exe (PID: 5788)
    • Reads security settings of Internet Explorer
      • taskWin.exe (PID: 3404)
    • Compiled with Borland Delphi (YARA)
      • taskWin.exe (PID: 3404)
      • winPrsv.exe (PID: 3244)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:17 22:25:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1278464
InitializedDataSize: 5843968
UninitializedDataSize: -
EntryPoint: 0x139974
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 148
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Nodes: x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe (start), taskwin.exe, winprsv.exe, slui.exe, and a second x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe instance (no specs). The interactive graph with per-process details is in the full report.

Process information

PID | CMD | Path | Parent process
3244 | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe" | C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe | explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Controlador de Protocolo de Rede
Version: 1.9.0.0
Modules (images):
  c:\users\admin\appdata\local\microsoft windows\winprsv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll

3404 | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe" | C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe | explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Sistema de Kernel
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\local\microsoft windows\taskwin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll

5788 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

7636 | "C:\Users\admin\Desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe" | C:\Users\admin\Desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll

8108 | "C:\Users\admin\Desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe" | C:\Users\admin\Desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
  c:\users\admin\desktop\x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
Total events: 4 100
Read events: 4 045
Write events: 55
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
3244 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
3244 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
3244 | winPrsv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
3404 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
3404 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
3404 | taskWin.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
3404 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 8

Dropped files

PID | Process | Filename | Type
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe | binary
  MD5: 9B6BF5B960EBD4D8EBE92089D670FD4C
  SHA256: 7491BDED3D6DA3AD573149CBD3826F274A6FB1DA09F0FB2C6049A818EEA83B75
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\Config.ini | binary
  MD5: 2F6711974A9E669E965706B48A7EB0D9
  SHA256: 98AD0CCD4C0BD1400048DCE4E7056FC8D115AC88DFA7FD3F8C48CF64CF885E4A
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\sqlite3.dll | binary
  MD5: D9E9F9BAF324BB1B954751FB22884B41
  SHA256: D3D8EB6A038766AF126C84D56DD8BB4192B84F8C78F6515493ED32108F7A41BD
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\libeay32.dll | binary
  MD5: C337C251661977D92B5AC8BBC840421B
  SHA256: D376DDC6B93772EC2429D9DFDCE6C11F1A771E84304F2E3D12AF6235558A2733
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\ssleay32.dll | binary
  MD5: A02F9DD21FA2E39BDF1BC8D8C8C63F21
  SHA256: 189A70D8C1311CC09FF14FD43EC67595531B1F0AEEAF6964D4239D5F32830F03
3404 | taskWin.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data - Copy | binary
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
3404 | taskWin.exe | C:\Users\admin\AppData\Local\Microsoft Windows\listaArq.txt | binary
  MD5: DC6D0E633B1636BA368FF600A063D29F
  SHA256: 282D88FEFD56A23197A033DC964E626F2B5A8CEF43B5208A972A16416A9A4DFD
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\default.exe | executable
  MD5: 89ABDB1E7DD907FEFD7113602F54FE7B
  SHA256: 47459F42816327F6249BB5E52C87F9B0EBAB0ADF421B894F00046921B6140E35
7636 | x47459f42816327f6249bb5e52c87f9b0ebab0adf421b894f00046921b6140e35.exe | C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe | binary
  MD5: DA1CB6BFED050ECA74AC921135DDB152
  SHA256: C3FF6FE117B8BECAEFB3F36E267284C8CC0F9392035439DBBD4EF2D51D2DCFE2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 27
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5900 | RUXIMICS.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3004 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3004 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5900 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3400 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | binary | 512 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
 | | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | binary | 512 b | whitelisted
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 401 b | whitelisted
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3004 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | | | whitelisted
5900 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 184.86.251.22:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | Not routed | | | whitelisted
3004 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5900 | RUXIMICS.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3004 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 13.89.179.14
  • 20.50.201.203
whitelisted
www.bing.com
whitelisted
google.com
  • 142.251.141.78
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.52.181.212
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
smtp.mail.yahoo.com.br
  • 87.248.97.36
whitelisted

Threats

No threats detected
No debug info