File name: projectx-setup.exe

Full analysis: https://app.any.run/tasks/299771bc-ef82-4589-8484-83d779f6be96
Verdict: Malicious activity
Analysis date: May 25, 2025, 04:58:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
inno
installer
delphi
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 40A13BD1C9DC15C024DD3DEFB60FD52B
SHA1: D3CA78652F74BFEBE2855B66E45D98CAFB09A183
SHA256: CB4F4E5D2F083665D8C8515C2A1D5E5435954AF74ECDA097117F067C08279994
SSDEEP: 98304:mrq3BdwR4HcSO6JCoMhLTlJP/Z/cxnW3Tt/EK1BArY/vj961lql2dnVtV4wirPGf:7hnlaUcshgmCcMQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • projectx-setup.exe (PID: 5064)
      • projectx-setup.exe (PID: 4120)
      • projectx-setup.tmp (PID: 516)
    • Reads security settings of Internet Explorer

      • projectx-setup.tmp (PID: 1532)
    • Reads the Windows owner or organization settings

      • projectx-setup.tmp (PID: 516)
    • Reads the BIOS version

      • ProjectXLauncher.exe (PID: 3676)
    • There is functionality for taking screenshot (YARA)

      • ProjectXLauncher.exe (PID: 3676)
  • INFO

    • Checks supported languages

      • projectx-setup.tmp (PID: 1532)
      • projectx-setup.exe (PID: 5064)
      • projectx-setup.exe (PID: 4120)
      • projectx-setup.tmp (PID: 516)
      • ProjectXLauncher.exe (PID: 3676)
    • Reads the computer name

      • projectx-setup.tmp (PID: 1532)
      • projectx-setup.exe (PID: 4120)
      • projectx-setup.tmp (PID: 516)
      • ProjectXLauncher.exe (PID: 3676)
    • Create files in a temporary directory

      • projectx-setup.exe (PID: 5064)
      • projectx-setup.exe (PID: 4120)
      • projectx-setup.tmp (PID: 516)
    • Process checks computer location settings

      • projectx-setup.tmp (PID: 1532)
    • Detects InnoSetup installer (YARA)

      • projectx-setup.exe (PID: 5064)
      • projectx-setup.tmp (PID: 1532)
    • Compiled with Borland Delphi (YARA)

      • projectx-setup.tmp (PID: 1532)
      • projectx-setup.exe (PID: 5064)
    • Creates files in the program directory

      • projectx-setup.tmp (PID: 516)
    • Themida protector has been detected

      • ProjectXLauncher.exe (PID: 3676)
    • Creates a software uninstall entry

      • projectx-setup.tmp (PID: 516)
    • Reads the machine GUID from the registry

      • ProjectXLauncher.exe (PID: 3676)
    • Disables trace logs

      • ProjectXLauncher.exe (PID: 3676)
    • Checks proxy server information

      • ProjectXLauncher.exe (PID: 3676)
      • slui.exe (PID: 1348)
    • Reads the software policy settings

      • ProjectXLauncher.exe (PID: 3676)
      • slui.exe (PID: 1348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: WeepingAngel
FileDescription: Project X Loader Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Project X Loader
ProductVersion: 1.5
No data.
All screenshots are available in the full report
Total processes
134
Monitored processes
7
Malicious processes
0
Suspicious processes
3

Behavior graph

Processes in graph: projectx-setup.exe, projectx-setup.tmp (no specs), projectx-setup.exe, projectx-setup.tmp, projectxlauncher.exe, svchost.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 516
CMD: "C:\Users\admin\AppData\Local\Temp\is-SO9TL.tmp\projectx-setup.tmp" /SL5="$5028A,4909707,845824,C:\Users\admin\Desktop\projectx-setup.exe" /SPAWNWND=$302E6 /NOTIFYWND=$90276
Path: C:\Users\admin\AppData\Local\Temp\is-SO9TL.tmp\projectx-setup.tmp
Parent process: projectx-setup.exe
User:
admin
Company:
WeepingAngel
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-so9tl.tmp\projectx-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1348
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1532
CMD: "C:\Users\admin\AppData\Local\Temp\is-5KR6L.tmp\projectx-setup.tmp" /SL5="$90276,4909707,845824,C:\Users\admin\Desktop\projectx-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-5KR6L.tmp\projectx-setup.tmp
Parent process: projectx-setup.exe
User:
admin
Company:
WeepingAngel
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-5kr6l.tmp\projectx-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3676
CMD: "C:\Program Files (x86)\Project X Loader\ProjectXLauncher.exe"
Path: C:\Program Files (x86)\Project X Loader\ProjectXLauncher.exe
Parent process: projectx-setup.tmp
User:
admin
Integrity Level:
MEDIUM
Description:
ProjectXLauncher
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\program files (x86)\project x loader\projectxlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4120
CMD: "C:\Users\admin\Desktop\projectx-setup.exe" /SPAWNWND=$302E6 /NOTIFYWND=$90276
Path: C:\Users\admin\Desktop\projectx-setup.exe
Parent process: projectx-setup.tmp
User:
admin
Company:
WeepingAngel
Integrity Level:
HIGH
Description:
Project X Loader Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\projectx-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 5064
CMD: "C:\Users\admin\Desktop\projectx-setup.exe"
Path: C:\Users\admin\Desktop\projectx-setup.exe
Parent process: explorer.exe
User:
admin
Company:
WeepingAngel
Integrity Level:
MEDIUM
Description:
Project X Loader Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\projectx-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
Total events
7 674
Read events
7 636
Write events
38
Delete events
0

Modification events

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.3.3

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\Project X Loader

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\Project X Loader\

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value:

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value: desktopicon

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: Inno Setup: Language
Value: english

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: DisplayName
Value: Project X Loader version 1.5

(PID) Process: (516) projectx-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F4C68F30-098F-4293-9215-5FC386E95133}_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\Project X Loader\unins000.exe"
Executable files
11
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type

516 | projectx-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-CFCHI.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

4120 | projectx-setup.exe | C:\Users\admin\AppData\Local\Temp\is-SO9TL.tmp\projectx-setup.tmp | executable
MD5: A1C6D106D2972ED1C899D9C456AEFC6E
SHA256: 4481858503F57E7404FA1E5768E765614BC1FBDA845B33409C41449614B5B087

5064 | projectx-setup.exe | C:\Users\admin\AppData\Local\Temp\is-5KR6L.tmp\projectx-setup.tmp | executable
MD5: A1C6D106D2972ED1C899D9C456AEFC6E
SHA256: 4481858503F57E7404FA1E5768E765614BC1FBDA845B33409C41449614B5B087

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\ProjectXLauncher.exe | executable
MD5: 3987B4C765E900763D114A93563E4112
SHA256: FCB08FE230BEFAAD5AE43187FB5CD74A417D73DF91D39C45A1863778A07CEA96

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\unins000.exe | executable
MD5: DC6E7852A74765F2FBD5810FBE5765D2
SHA256: 6793D36034B1AD0C8F1C36055E0B558FDA2CF049EEEC19D48A223CC85B28474A

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\is-E2Q2V.tmp | xml
MD5: 15C8C4BA1AA574C0C00FD45BB9CCE1AB
SHA256: F82338E8E9C746B5D95CD2CCC7BF94DD5DE2B9B8982FFFDDF2118E475DE50E15

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\Newtonsoft.Json.dll | executable
MD5: 195FFB7167DB3219B217C4FD439EEDD6
SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

516 | projectx-setup.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Project X Loader.lnk | binary
MD5: D6A2B4509314EDC087432B37D05D7DF9
SHA256: 0E69415B9258719FDEEF12D75B1AD29901DE126896D64904937B4885294DAF20

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\is-8AJ0O.tmp | executable
MD5: B464FC896B14BFA34F608DA53856E999
SHA256: 2130C7489F5A5E21812C1EAB37DC4903B901861A2D545AA607555BE269091AFD

516 | projectx-setup.tmp | C:\Program Files (x86)\Project X Loader\Newtonsoft.Json.xml | xml
MD5: D398FFE9FDAC6A53A8D8BB26F29BBB3C
SHA256: 79EE87D4EDE8783461DE05B93379D576F6E8575D4AB49359F15897A854B643C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
7
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
ProjectXLauncher.exe
104.26.0.5:443
keyauth.win
CLOUDFLARENET
US
malicious
4756
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1348
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
keyauth.win
  • 104.26.0.5
  • 172.67.72.57
  • 104.26.1.5
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
3676
ProjectXLauncher.exe
Potentially Bad Traffic
ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
3676
ProjectXLauncher.exe
Potentially Bad Traffic
ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
No debug info