File name: xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe

Full analysis: https://app.any.run/tasks/2f4a4026-6922-4e4e-8101-e6cf30f0f63f
Verdict: Malicious activity
Analysis date: February 22, 2026, 17:57:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: C9582DA9827B90AA8CDBC655D3CF0891
SHA1: B8F74EAA127E0B86E8FD8AC5374D8FB2FB0381AD
SHA256: F20E8C7469B1E640280D65A25CC1F5358D5AB136626B43F4C590CE978112D8CE
SSDEEP: 98304:1vqlKzaAGOmWnWJK2x+9Je2YHJ8hTVDkBEdao5yMHm0ODGRDwjO5yl7olfjx4Ciz:TYHJm+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • UAC/LUA settings modification

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
    • Changes the autorun value in the registry

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
  • INFO

    • Checks supported languages

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
    • Launching a file from a Registry key

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
    • Creates files or folders in the user directory

      • xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (PID: 1848)
      • taskWin.exe (PID: 7924)
    • Manual execution by a user

      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
    • Checks proxy server information

      • slui.exe (PID: 3020)
      • taskWin.exe (PID: 7924)
    • Compiled with Borland Delphi (YARA)

      • winPrsv.exe (PID: 4332)
      • taskWin.exe (PID: 7924)
    • Reads the computer name

      • taskWin.exe (PID: 7924)
    • Reads security settings of Internet Explorer

      • taskWin.exe (PID: 7924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:17 22:25:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1278464
InitializedDataSize: 5843968
UninitializedDataSize: -
EntryPoint: 0x139974
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Processes in graph (from start): xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe, taskwin.exe, winprsv.exe, slui.exe, xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe (no specs)

Process information

PID: 1848
CMD: "C:\Users\admin\Desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe"
Path: C:\Users\admin\Desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 3020
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4332
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Controlador de Protocolo de Rede
Version: 1.9.0.0
Modules (Images):
c:\users\admin\appdata\local\microsoft windows\winprsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 7636
CMD: "C:\Users\admin\Desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe"
Path: C:\Users\admin\Desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (Images):
c:\users\admin\desktop\xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7924
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Sistema de Kernel
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\microsoft windows\taskwin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 4 040
Read events: 3 991
Write events: 49
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
4332 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
4332 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
4332 | winPrsv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
7924 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
7924 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
7924 | taskWin.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
7924 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\ssleay32.dll | binary | A02F9DD21FA2E39BDF1BC8D8C8C63F21 | 189A70D8C1311CC09FF14FD43EC67595531B1F0AEEAF6964D4239D5F32830F03
7924 | taskWin.exe | C:\Users\admin\AppData\Local\Microsoft Windows\listaArq.txt | binary | BEE799CE5DDA5B823F750DD024F26D4D | 5A6F11B20B8DFBD9A6F8C2CFABF245F6D51D8D9FB2816922F7B516761EE31892
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\Config.ini | binary | 2F6711974A9E669E965706B48A7EB0D9 | 98AD0CCD4C0BD1400048DCE4E7056FC8D115AC88DFA7FD3F8C48CF64CF885E4A
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\libeay32.dll | binary | C337C251661977D92B5AC8BBC840421B | D376DDC6B93772EC2429D9DFDCE6C11F1A771E84304F2E3D12AF6235558A2733
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\sqlite3.dll | binary | D9E9F9BAF324BB1B954751FB22884B41 | D3D8EB6A038766AF126C84D56DD8BB4192B84F8C78F6515493ED32108F7A41BD
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe | binary | DA1CB6BFED050ECA74AC921135DDB152 | C3FF6FE117B8BECAEFB3F36E267284C8CC0F9392035439DBBD4EF2D51D2DCFE2
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe | binary | 9B6BF5B960EBD4D8EBE92089D670FD4C | 7491BDED3D6DA3AD573149CBD3826F274A6FB1DA09F0FB2C6049A818EEA83B75
1848 | xf20e8c7469b1e640280d65a25cc1f5358d5ab136626b43f4c590ce978112d8ce.exe | C:\Users\admin\AppData\Local\Microsoft Windows\default.exe | executable | C9582DA9827B90AA8CDBC655D3CF0891 | F20E8C7469B1E640280D65A25CC1F5358D5AB136626B43F4C590CE978112D8CE
7924 | taskWin.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data - Copy | binary | A45465CDCDC6CB30C8906F3DA4EC114C | 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 51
TCP/UDP connections: 52
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2424 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
1324 | svchost.exe | GET | 200 | 184.24.77.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4256 | RUXIMICS.exe | GET | 200 | 184.24.77.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
1324 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
4256 | RUXIMICS.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | US | binary | 11.1 Kb | whitelisted
2424 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
2424 | SIHClient.exe | GET | 200 | 135.232.92.137:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4256
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.45:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
1324
svchost.exe
184.24.77.33:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6768
MoUsoCoreWorker.exe
184.24.77.33:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
4256
RUXIMICS.exe
184.24.77.33:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 104.208.16.89
  • 20.189.173.23
whitelisted
www.bing.com
  • 92.123.104.45
  • 92.123.104.51
  • 92.123.104.47
  • 92.123.104.50
  • 92.123.104.39
  • 92.123.104.52
  • 92.123.104.33
  • 92.123.104.38
  • 92.123.104.42
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 192.178.203.102
  • 192.178.203.101
  • 192.178.203.113
  • 192.178.203.139
  • 192.178.203.138
  • 192.178.203.100
whitelisted
crl.microsoft.com
  • 184.24.77.33
  • 184.24.77.16
  • 184.24.77.28
  • 184.24.77.39
  • 184.24.77.18
  • 184.24.77.23
  • 184.24.77.38
  • 184.24.77.17
  • 184.24.77.34
  • 184.24.77.43
  • 184.24.77.41
  • 184.24.77.10
  • 184.24.77.36
  • 184.24.77.9
  • 184.24.77.35
  • 184.24.77.11
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.129
  • 20.190.159.128
  • 40.126.31.128
  • 20.190.159.129
  • 20.190.159.71
  • 40.126.31.2
  • 40.126.31.71
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.232.92.97
whitelisted

Threats

No threats detected
No debug info