File name: Protection.exe

Full analysis: https://app.any.run/tasks/66edd708-b850-4d7d-9e50-34dc8c5c507b
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: January 05, 2026, 23:24:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
inno
installer
delphi
auto-startup
hijackloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: EC8258ADFBF4BA5B9E8A06D75C5634CC
SHA1: FEB928A54BE40AD4BBF245AAAE6968F83B4937F5
SHA256: EB523F6B0F306CE9FB68ADEADAC41D2C25B720075F03C75BD3611584DEE28CF9
SSDEEP: 98304:R0I5+DyaR1DGZNVZVGmZc/Umgn1njKlX4dGwrPhYLBtpZoaKrabPGhCE5NlbLBaW:dI7S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OptiUtility.exe (PID: 7640)
      • OptiUtility.exe (PID: 8056)
    • HIJACKLOADER has been detected (YARA)

      • Crisp.exe (PID: 8112)
    • HIJACKLOADER has been detected (SURICATA)

      • Crisp.exe (PID: 8112)
    • Connects to the CnC server

      • Crisp.exe (PID: 8112)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • Protection.tmp (PID: 7600)
    • Executable content was dropped or overwritten

      • Protection.exe (PID: 7560)
      • Protection.tmp (PID: 7600)
      • OptiUtility.exe (PID: 7640)
      • OptiUtility.exe (PID: 8056)
    • There is functionality for taking screenshot (YARA)

      • Protection.tmp (PID: 7600)
      • OptiUtility.exe (PID: 8056)
    • Starts itself from another location

      • OptiUtility.exe (PID: 7640)
    • Connects to unusual port

      • Crisp.exe (PID: 8112)
    • Contacting a server suspected of hosting a CnC

      • Crisp.exe (PID: 8112)
  • INFO

    • Checks supported languages

      • Protection.exe (PID: 7560)
      • Protection.tmp (PID: 7600)
      • OptiUtility.exe (PID: 7640)
      • OptiUtility.exe (PID: 8056)
      • Crisp.exe (PID: 8112)
    • Create files in a temporary directory

      • Protection.tmp (PID: 7600)
      • Protection.exe (PID: 7560)
      • OptiUtility.exe (PID: 8056)
      • Crisp.exe (PID: 8112)
    • Reads the computer name

      • Protection.tmp (PID: 7600)
      • OptiUtility.exe (PID: 7640)
      • OptiUtility.exe (PID: 8056)
      • Crisp.exe (PID: 8112)
    • The sample is compiled with English language support

      • Protection.tmp (PID: 7600)
      • OptiUtility.exe (PID: 7640)
      • OptiUtility.exe (PID: 8056)
    • Detects InnoSetup installer (YARA)

      • Protection.exe (PID: 7560)
      • Protection.tmp (PID: 7600)
    • Compiled with Borland Delphi (YARA)

      • Protection.exe (PID: 7560)
      • Protection.tmp (PID: 7600)
    • Creates files in the program directory

      • OptiUtility.exe (PID: 7640)
      • Crisp.exe (PID: 8112)
    • Creates files or folders in the user directory

      • OptiUtility.exe (PID: 8056)
    • Reads the machine GUID from the registry

      • Crisp.exe (PID: 8112)
    • Checks proxy server information

      • slui.exe (PID: 7284)
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:08 05:01:01+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.6.0.0
ProductVersionNumber: 3.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Rascasse Setup
FileVersion: 3.6.0.0
LegalCopyright:
ProductName: Rascasse
ProductVersion: 10.7
No data.
Total processes: 147
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree (parent-child relationships as recorded in the process information below):

start
  protection.exe
    protection.tmp
      optiutility.exe
        optiutility.exe
          crisp.exe (#HIJACKLOADER)
  updater.exe (no specs)
    updater.exe (no specs)
  slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
5180 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | | svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6700 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x139c460,0x139c46c,0x139c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | | updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
7284 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7560 | "C:\Users\admin\Desktop\Protection.exe" | C:\Users\admin\Desktop\Protection.exe | | explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Rascasse Setup
Exit code:
1
Version:
3.6.0.0
Modules
Images
c:\users\admin\desktop\protection.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7600 | "C:\Users\admin\AppData\Local\Temp\is-QEMNP.tmp\Protection.tmp" /SL5="$502FE,2664747,121344,C:\Users\admin\Desktop\Protection.exe" | C:\Users\admin\AppData\Local\Temp\is-QEMNP.tmp\Protection.tmp | | Protection.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-qemnp.tmp\protection.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7640 | "C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\OptiUtility.exe" | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\OptiUtility.exe | | Protection.tmp
User:
admin
Company:
Stardock Software, Inc
Integrity Level:
MEDIUM
Description:
Stardock WindowBlinds 8
Exit code:
0
Version:
8.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vas2i.tmp\optiutility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
8056 | C:\ProgramData\svchost_arm64\OptiUtility.exe | C:\ProgramData\svchost_arm64\OptiUtility.exe | | OptiUtility.exe
User:
admin
Company:
Stardock Software, Inc
Integrity Level:
MEDIUM
Description:
Stardock WindowBlinds 8
Exit code:
0
Version:
8.0.0.0
Modules
Images
c:\programdata\svchost_arm64\optiutility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
8112 | C:\Users\admin\AppData\Roaming\svchost_arm64\Crisp.exe | C:\Users\admin\AppData\Roaming\svchost_arm64\Crisp.exe | | OptiUtility.exe
User:
admin
Company:
Crisp IM SAS
Integrity Level:
MEDIUM
Description:
Crisp
Version:
6.0.68
Modules
Images
c:\windows\syswow64\rasapi32.dll
c:\users\admin\appdata\roaming\svchost_arm64\crisp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 4 086
Read events: 4 086
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 8
Suspicious files: 11
Text files: 13
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\application-vnd.kde.kleopatra.keygroup_1.svg | text
MD5:381AA77E9B5E7422F1B89B54D45BCCA3
SHA256:D4BF86DE15F84F5041ADFC708A4A7257B5F6746BFB9C63C00D7F52DE21BE06B8
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\_isetup\_setup64.tmp | executable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7560 | Protection.exe | C:\Users\admin\AppData\Local\Temp\is-QEMNP.tmp\Protection.tmp | executable
MD5:BE3CC5717F5951662ADB399D613F20CC
SHA256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\channel_press.png | image
MD5:2C0DE43794758609CE0430DC2D750F45
SHA256:2E010A9773192538EB7417FD2A7E581E7CC98DE2EE6F158BBE2D0A437990E597
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\CommonRegisterColorAndFont.json | text
MD5:F8FE2DE8947FC74C70FDD8DA5C790E0D
SHA256:F7DDC4CE1388E238B8E464403397656014CE6AA14CF8280D6F8CBABD89FD6FA5
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\dsgui_it.qm | binary
MD5:B9AC80A3AD09C94BE93A328E485D080E
SHA256:1541E9A457E596857DCE5D35E23CD083CDD744623C2AECCE188C96AB85D5AFCB
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\functional.pyc | binary
MD5:A5087106730781BF6E7C331B01DCC937
SHA256:85BDB3D6E675F5EDF8FF3517FA852FE77296A98B703174DAAFB59853E4C287A4
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\application-x-lyx_1.svg | image
MD5:496D7C89B26CAC3C1703ACFFB1DCD259
SHA256:F83EBDC639BDC96553D4157F1FFDCE3D6999B2A22F8284494BB6068736AEC570
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\iso_639-5.xml | xml
MD5:E0B95D807A0093725B1E6DB521563937
SHA256:68B69F209DAE671A6A37140D9316A416F468BB22098D4C7E41793A88050DD913
7600 | Protection.tmp | C:\Users\admin\AppData\Local\Temp\is-VAS2I.tmp\frame_time.py | text
MD5:1167D37C417044F1F51E61F9CDF48296
SHA256:6783DF9632C3AB2E1B0EFE0B28CC4DF5035F3EDF5720503FC4A3F0E868CAFA5A
HTTP(S) requests: 15
TCP/UDP connections: 31
DNS requests: 7
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6908 | RUXIMICS.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=562&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | | | whitelisted
2216 | svchost.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6908 | RUXIMICS.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6908 | RUXIMICS.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown
8112 | Crisp.exe | HEAD | 200 | 104.18.26.120:80 | http://example.com/ | unknown | | | unknown
3048 | slui.exe | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6908 | RUXIMICS.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2216 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
2216 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6908 | RUXIMICS.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6908 | RUXIMICS.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.53.41.90
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
example.com
  • 104.18.26.120
  • 104.18.27.120
whitelisted

Threats

PID | Process | Class | Message
| | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8112 | Crisp.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC Connectivity Check
8112 | Crisp.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC Connectivity Check
No debug info