File name:	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.exe
Full analysis:	https://app.any.run/tasks/e9635127-3a83-45ac-973e-e01cf6a1d9de
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 03, 2025, 16:42:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	inno installer delphi stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:	D2AD2978B8B1ABC4CEF93117273A082B
SHA1:	6D813AFFA791957B405B19456621262F4535C390
SHA256:	5E5A4F1BB6DE2EBAF064B13FE7056B88E2D400B4402DAA2C3DD4B611294DDD2E
SSDEEP:	196608:sic3YDQu8D/eVVnchS6n6tmpERmA1yTdDMyJJi3axkm:Tco0D/eVihSIpET6GyJ2m

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:08 15:36:35+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	684032
InitializedDataSize:	476160
UninitializedDataSize:	-
EntryPoint:	0xa7f98
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	GTA V Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName:	GTA V
ProductVersion:	0.0.0.1


(PID) Process:	(1180) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 9C0400002203CEC8F11CDC01
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: FE5BB6722D3A5467F43869D59AFD1B84B2C0EB00B0FB47497E66F142B7B8FF65
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\18f51b.rbs
Value: 31202545
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\18f51b.rbsLow
Value:
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F942F94A19C0F79468FD2B85E5E8677B
Operation:	write	Name:	c1c4f01781cc94c4c8fb1542c0981a2a
Value: 02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\8.0\RED\1033\Install
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\77EB05CE46035D115AA4000972A8B18B
Operation:	write	Name:	c1c4f01781cc94c4c8fb1542c0981a2a
Value: 02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\8.0\SP
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4006F64980E4BACB0EF18C3B9B1A1EE8
Operation:	write	Name:	c1c4f01781cc94c4c8fb1542c0981a2a
Value:
(PID) Process:	(1180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1FA18F7974E099CD0AF18C3B9B1A1EE8
Operation:	write	Name:	c1c4f01781cc94c4c8fb1542c0981a2a
Value: >ATL80.dll\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86"

PID	Process	Filename		Type
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\libs.7z		—
		MD5:—	SHA256:—
6152	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.exe	C:\Users\admin\AppData\Local\Temp\is-U9HS6.tmp\5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp		executable
		MD5:1686B594C94F585111D6392B6BA9A573	SHA256:4C080954182F3152C00BB4B116067F3CA1B3D7762FF08273E0BE54EDE3087658
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\CFLite.resources\CFUnicodeData-B.mapping		binary
		MD5:9B5B382CBD127EE52B2CABF51112624E	SHA256:B7EC3164389BFB5E6CDCC60F77533FD842FBA219263EA30621DF18CE1C6DE09F
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\Dictionaries\en_US.aff		text
		MD5:D329845E5D86AFEBE0DB82B3422C70C2	SHA256:56E2090475E1CE11A1885CE8ECE4D4B1F1E863F69A7233CC00BAF56CDAAA9096
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\view\main.js		binary
		MD5:35F8F60C9E93CE7C7BA34EE82F4B8848	SHA256:02B3D253C4AAB963D1155133F2D4AF351B213F94106760D7534FE0E2271A7390
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\CFLite.resources\CFCharacterSetBitmaps.bitmap		binary
		MD5:C296628E32131F103F370A1315B8B6AC	SHA256:5C66E729F7817455193076D386F72C498874A7307ECCDF0DA4D93E13ABBAC2A8
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\CFLite.resources\CFUnicodeData-L.mapping		binary
		MD5:21D1E35F9FA5CB37772AE4A25687F1B4	SHA256:9C7EEF81142CF859E45ED41BE1133904CAD5A014BB0D44D7F0F0A10AA9219537
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\CFLite.resources\Info.plist		xml
		MD5:58FB86ED6E4E45D86AF994BABBA3460B	SHA256:D83EC6C2C3CEE012D8F11DC5B08998AA4C6E55C467567DC9375C4F4DEC2DEF78
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\vcredist.msi		executable
		MD5:B20BBEB818222B657DF49A9CFE4FED79	SHA256:91BDD063F6C53126737791C9ECCF0B2F4CF44927831527245BC89A0BE06C0CB4
5780	5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.tmp	C:\Users\admin\AppData\Local\Temp\is-UK3GT.tmp\Dictionaries\README_en_US.txt		text
		MD5:9BF37A3C2CC38A159CCAFC22C7341DE3	SHA256:09FC0493763C5E924856FEFBD7F84BC2314338BD4D1455B25A13CF75DE8303D3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	2.16.164.123:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	GET	200	2.16.164.123:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	POST	200	20.190.160.130:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	unknown
—	—	POST	400	20.190.160.130:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
1180	msiexec.exe	GET	200	2.16.164.123:80	http://crl.microsoft.com/pki/crl/products/CSPCA.crl	NL	binary	506 b	whitelisted
—	—	POST	200	20.190.160.22:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	unknown
—	—	POST	200	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	16.7 Kb	unknown
—	—	POST	200	20.190.160.132:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.16.164.123:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.16.164.123:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3644	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1180	msiexec.exe	2.16.164.123:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.164.123 2.16.164.42 2.16.164.83 2.16.164.120 2.16.164.107 2.16.164.91 2.16.164.112 2.16.164.34 2.16.164.105 2.16.164.74 2.16.164.35 2.16.164.66 2.16.164.104 2.16.164.75 2.16.164.98 2.16.164.64	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
login.live.com	40.126.32.76 20.190.160.132 20.190.160.4 20.190.160.130 20.190.160.22 40.126.32.68 20.190.160.65 40.126.32.74	whitelisted
files-6.ru	89.108.83.41	malicious
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
self.events.data.microsoft.com	20.42.65.90	whitelisted

General Info

5e5a4f1bb6de2ebaf064b13fe7056b88e2d400b4402daa2c3dd4b611294ddd2e.exe

D2AD2978B8B1ABC4CEF93117273A082B

6D813AFFA791957B405B19456621262F4535C390

5E5A4F1BB6DE2EBAF064B13FE7056B88E2D400B4402DAA2C3DD4B611294DDD2E

196608:sic3YDQu8D/eVVnchS6n6tmpERmA1yTdDMyJJi3axkm:Tco0D/eVihSIpET6GyJ2m

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

The process drops C-runtime libraries

The process verifies whether the antivirus software is installed

INFO

Checks supported languages

Create files in a temporary directory

Reads Environment values

Process checks computer location settings

Reads the computer name

The sample compiled with english language support

Reads the machine GUID from the registry

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads the software policy settings

The sample compiled with chinese language support

The sample compiled with german language support

The sample compiled with spanish language support

The sample compiled with Italian language support

The sample compiled with korean language support

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

The sample compiled with japanese language support

Creates a software uninstall entry

The sample compiled with french language support

Reads CPU info

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests