File name: xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe

Full analysis: https://app.any.run/tasks/ba4b55cb-ed8c-4672-baa6-10de06d89ffc
Verdict: Malicious activity
Analysis date: February 22, 2026, 17:33:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 14545238D45345336F332C2135F8D62C
SHA1: ADDB844301463E73DEB8FCA7712A8EAD7F273F71
SHA256: F5754CED777C99DB5EF0B38C6393605718798F89FD2333FD878AC2A093D32521
SSDEEP: 98304:lvqlKzaAGOmWnWJm2x+9Je2YHJ8hTVDkBEdao5yMHm0ODGRDwjO5yl7olfjx4Ciz:HYHJm+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • UAC/LUA settings modification
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
      • winPrsv.exe (PID: 8364)
      • taskWin.exe (PID: 5920)
    • Changes the autorun value in the registry
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
      • winPrsv.exe (PID: 8364)
      • taskWin.exe (PID: 5920)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
    • Connects to SMTP port
      • taskWin.exe (PID: 5920)
  • INFO
    • Checks supported languages
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
      • winPrsv.exe (PID: 8364)
      • taskWin.exe (PID: 5920)
    • The sample compiled with Portuguese language support
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
    • Launching a file from a Registry key
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
      • winPrsv.exe (PID: 8364)
      • taskWin.exe (PID: 5920)
    • The sample compiled with English language support
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
    • Creates files or folders in the user directory
      • xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (PID: 6912)
      • taskWin.exe (PID: 5920)
    • Manual execution by a user
      • taskWin.exe (PID: 5920)
      • winPrsv.exe (PID: 8364)
    • Reads the computer name
      • taskWin.exe (PID: 5920)
    • Reads security settings of Internet Explorer
      • taskWin.exe (PID: 5920)
    • Checks proxy server information
      • slui.exe (PID: 5108)
      • taskWin.exe (PID: 5920)
    • Compiled with Borland Delphi (YARA)
      • taskWin.exe (PID: 5920)
      • winPrsv.exe (PID: 8364)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:17 22:25:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1278464
InitializedDataSize: 5843968
UninitializedDataSize: -
EntryPoint: 0x139974
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
Total processes: 145
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Processes in the graph: xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe, taskwin.exe, winprsv.exe, slui.exe, xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe (no specs)

Process information

PID 5108
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID 5920
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Sistema de Kernel
Version: 1.0.0.0
Modules (images): c:\users\admin\appdata\local\microsoft windows\taskwin.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\oleaut32.dll

PID 6216
CMD: "C:\Users\admin\Desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe"
Path: C:\Users\admin\Desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images): c:\users\admin\desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 6912
CMD: "C:\Users\admin\Desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe"
Path: C:\Users\admin\Desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\users\admin\desktop\xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\oleaut32.dll

PID 8364
CMD: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Path: C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Controlador de Protocolo de Rede
Version: 1.9.0.0
Modules (images): c:\users\admin\appdata\local\microsoft windows\winprsv.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\oleaut32.dll
Total events: 4 094
Read events: 4 045
Write events: 49
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
8364 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
8364 | winPrsv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
8364 | winPrsv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
5920 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
5920 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
5920 | taskWin.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Kernel System | "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"
5920 | taskWin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Control Network | "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"
Executable files: 6
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\Config.ini | text | 2F6711974A9E669E965706B48A7EB0D9 | 98AD0CCD4C0BD1400048DCE4E7056FC8D115AC88DFA7FD3F8C48CF64CF885E4A
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe | executable | 9B6BF5B960EBD4D8EBE92089D670FD4C | 7491BDED3D6DA3AD573149CBD3826F274A6FB1DA09F0FB2C6049A818EEA83B75
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\libeay32.dll | executable | C337C251661977D92B5AC8BBC840421B | D376DDC6B93772EC2429D9DFDCE6C11F1A771E84304F2E3D12AF6235558A2733
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe | executable | DA1CB6BFED050ECA74AC921135DDB152 | C3FF6FE117B8BECAEFB3F36E267284C8CC0F9392035439DBBD4EF2D51D2DCFE2
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\default.exe | executable | 14545238D45345336F332C2135F8D62C | F5754CED777C99DB5EF0B38C6393605718798F89FD2333FD878AC2A093D32521
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\sqlite3.dll | executable | D9E9F9BAF324BB1B954751FB22884B41 | D3D8EB6A038766AF126C84D56DD8BB4192B84F8C78F6515493ED32108F7A41BD
5920 | taskWin.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data - Copy | binary | A45465CDCDC6CB30C8906F3DA4EC114C | 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6912 | xf5754ced777c99db5ef0b38c6393605718798f89fd2333fd878ac2a093d32521.exe | C:\Users\admin\AppData\Local\Microsoft Windows\ssleay32.dll | executable | A02F9DD21FA2E39BDF1BC8D8C8C63F21 | 189A70D8C1311CC09FF14FD43EC67595531B1F0AEEAF6964D4239D5F32830F03
5920 | taskWin.exe | C:\Users\admin\AppData\Local\Microsoft Windows\listaArq.txt | text | CAA1C50DC9AF28A4DDA29DA369FFB367 | C641BC5AF7A50681B1C7F53DB7C79690F9E45AF6EC0F179E02A6445B23F65462

Note: default.exe carries the same MD5 and SHA256 as the analysed sample, i.e. the sample copies itself into the dropped-file directory.
HTTP(S) requests: 16
TCP/UDP connections: 27
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
876 | svchost.exe | GET | 200 | 184.24.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
 | | GET | 200 | 184.24.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
 | | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
876 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
 | | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
7612 | slui.exe | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | | 512 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 401 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 92.123.104.7:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
876 | svchost.exe | 184.24.77.10:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
 | | 184.24.77.10:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 184.24.77.10:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
 | | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
876 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
www.bing.com | 92.123.104.7, 92.123.104.65, 92.123.104.6, 92.123.104.66, 92.123.104.63, 92.123.104.4, 92.123.104.62, 92.123.104.12, 92.123.104.8 | whitelisted
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 184.24.77.10, 184.24.77.30, 184.24.77.12, 184.24.77.23, 184.24.77.11, 184.24.77.27, 184.24.77.28, 184.24.77.22, 184.24.77.29, 184.24.77.4, 184.24.77.39, 184.24.77.16, 184.24.77.43, 184.24.77.19, 184.24.77.15, 184.24.77.13, 184.24.77.41 | whitelisted
www.microsoft.com | 23.52.181.212, 88.221.169.152 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted
smtp.mail.yahoo.com.br | 87.248.97.36 | whitelisted
self.events.data.microsoft.com | 13.89.178.26 | whitelisted

Threats

No threats detected
No debug info