File name:

X.exe

Full analysis: https://app.any.run/tasks/236dd508-3f86-4307-9a40-f51f754e10b3
Verdict: Malicious activity
Analysis date: August 17, 2025, 00:11:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 2 sections
MD5:

98EAF0ABBD30DD9EB5EF9BBA29891643

SHA1:

86FDF5FC70C1076F365E5231DF4F32A17E239BEC

SHA256:

B8B976FC785EAA95FB3087BAED16EDBD390084E0733E86A66647FEEB51A36889

SSDEEP:

196608:bww1Clur9jcrIcur9m+aAM4nXOzwfI8jqaiu9A:Uw1CMr3HrhaAMgdQeqaiuG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • X.exe (PID: 4880)

    • XORed URL has been found (YARA)

      • X.exe (PID: 4880)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)

    • Executable content was dropped or overwritten

      • X.exe (PID: 5288)

    • Starts itself from another location

      • X.exe (PID: 5288)

    • Connects to unusual port

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)

    • There is functionality for taking screenshot (YARA)

      • X.exe (PID: 4880)

  • INFO

    • Reads the computer name

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)

    • Checks supported languages

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)

    • Create files in a temporary directory

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)

    • Checks proxy server information

      • X.exe (PID: 5288)
      • X.exe (PID: 4880)
      • slui.exe (PID: 6832)

    • Compiled with Borland Delphi (YARA)

      • X.exe (PID: 4880)

    • Reads the software policy settings

      • slui.exe (PID: 6832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(4880) X.exe
Decrypted-URLs (1)http://www.gameofmir.com
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (v2.x) (51)
.exe | Win32 EXE PECompact compressed (generic) (35.9)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:11 07:21:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 1097728
InitializedDataSize: 8372224
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start x.exe #XOR-URL x.exe svchost.exe slui.exe x.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4880C:\ÔÉÉñÖ®½£Î¢¶Ë\X.exeC:\ÔÉÉñÖ®½£Î¢¶Ë\X.exe
X.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\ôééñö®½£î¢¶ë\x.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
xor-url
(PID) Process(4880) X.exe
Decrypted-URLs (1)http://www.gameofmir.com
5288"C:\Users\admin\Desktop\X.exe" C:\Users\admin\Desktop\X.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\x.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
6832C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7140"C:\Users\admin\Desktop\X.exe" C:\Users\admin\Desktop\X.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\x.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
4 481
Read events
4 481
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5288X.exeC:\Users\admin\AppData\Local\Temp\del.tmptext
MD5:116471C76DFF6DFEB43ED75477C40106
SHA256:B372AFEBEEE3B8240AE0937EA7AA1EF9D8950DED1A2E4940401FBF283B2D40B9
5288X.exeC:\ÔÉÉñÖ®½£Î¢¶Ë\X.exeexecutable
MD5:98EAF0ABBD30DD9EB5EF9BBA29891643
SHA256:B8B976FC785EAA95FB3087BAED16EDBD390084E0733E86A66647FEEB51A36889
4880X.exeC:\Users\admin\AppData\Local\Temp\ÔÉÉñÖ®½£XµÇ¼Æ÷.lnkbinary
MD5:35397DA99D4EE7CE5CA947D7CFA33901
SHA256:570D5113E1DAA21D5D6AC9B27B6F0CF42DC65F2B83125C0172A648D81B7D307B
5288X.exeC:\Users\admin\AppData\Local\Temp\1fd56ede3e4acb481b23dd8fcedd0db7.tmptext
MD5:7017A2F92A8F8EA38A42A3AE323F5B54
SHA256:141177AA60F8CE3171A5CF6903C914DA3601C7543389BE84245EDD0041ADF5E3
4880X.exeC:\Users\admin\Desktop\ÔÉÉñÖ®½£XµÇ¼Æ÷.lnkbinary
MD5:35397DA99D4EE7CE5CA947D7CFA33901
SHA256:570D5113E1DAA21D5D6AC9B27B6F0CF42DC65F2B83125C0172A648D81B7D307B
4880X.exeC:\Users\admin\Desktop\ÔÉÉñÖ®½£XµÇ¼Æ÷binary
MD5:35397DA99D4EE7CE5CA947D7CFA33901
SHA256:570D5113E1DAA21D5D6AC9B27B6F0CF42DC65F2B83125C0172A648D81B7D307B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
10
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
200.188nsnrs.top
  • 103.60.165.157
unknown
200.588oaoea.top
  • 103.60.165.157
unknown
self.events.data.microsoft.com
  • 20.42.73.30
whitelisted
activation-v2.sls.microsoft.com
  • 4.255.142.105
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info