File name:

gInstall.exe

Full analysis: https://app.any.run/tasks/156ca7c8-2608-4f72-95c4-3ed1db904644
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2025, 19:11:07
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
loader
delphi
inno
installer
miner
github
winring0x64-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

BC9F9FF2908DDA2350F795297A582756

SHA1:

5029C37F0BEF2F5813234D0BE2E54B68A7E2D94A

SHA256:

E5EDC621F67B5BBE84E5E01C9F98094DB094FE95EEE9AE2B3EB474F1AD0F9909

SSDEEP:

98304:Trq3BdwnCcgfQLyp3a2oam03VlCqPUXJvC/imlNcyT2M0wFa3chAdZLXX34Zu0W1:Q56RbWr/6ahmIqjsfmNrF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 4120)
      • cmd.exe (PID: 4656)
    • Changes Windows Defender settings

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Adds extension to the Windows Defender exclusion list

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Vulnerable driver has been detected

      • ezyrmuerzgtz.exe (PID: 3692)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 1664)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • gInstall.exe (PID: 5088)
      • gInstall.tmp (PID: 3424)
      • 7z2409-x64.exe (PID: 5332)
      • wireguard.exe (PID: 4296)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Drops 7-zip archiver for unpacking

      • gInstall.tmp (PID: 3424)
      • 7z2409-x64.exe (PID: 5332)
    • Reads the Internet Settings

      • wireguard.exe (PID: 4296)
    • Reads settings of System Certificates

      • wireguard.exe (PID: 4296)
    • Creates/Modifies COM task schedule object

      • 7z2409-x64.exe (PID: 5332)
    • Creates a software uninstall entry

      • 7z2409-x64.exe (PID: 5332)
    • Starts CMD.EXE for commands execution

      • gInstall.tmp (PID: 3424)
      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4948)
      • cmd.exe (PID: 5312)
      • cmd.exe (PID: 5280)
    • Reads security settings of Internet Explorer

      • wireguard.exe (PID: 4296)
    • Adds/modifies Windows certificates

      • wireguard.exe (PID: 4296)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4272)
      • wireguard.exe (PID: 1872)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Application launched itself

      • msiexec.exe (PID: 2872)
      • wireguard.exe (PID: 2016)
      • wireguard.exe (PID: 1872)
    • Starts POWERSHELL.EXE for commands execution

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Script adds exclusion extension to Windows Defender

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • There is functionality for taking screenshot (YARA)

      • wireguard.exe (PID: 4296)
      • conhost.exe (PID: 444)
    • Script adds exclusion path to Windows Defender

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Starts SC.EXE for service management

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Process uninstalls Windows update

      • wusa.exe (PID: 228)
      • wusa.exe (PID: 2940)
    • Stops a currently running service

      • sc.exe (PID: 5908)
      • sc.exe (PID: 3140)
      • sc.exe (PID: 2756)
      • sc.exe (PID: 5452)
      • sc.exe (PID: 5308)
      • sc.exe (PID: 1568)
      • sc.exe (PID: 3732)
      • sc.exe (PID: 3216)
      • sc.exe (PID: 1036)
      • sc.exe (PID: 2996)
      • sc.exe (PID: 3564)
    • Uses powercfg.exe to modify the power settings

      • Volvet_Install.exe (PID: 1812)
      • ezyrmuerzgtz.exe (PID: 3692)
    • Manipulates environment variables

      • powershell.exe (PID: 1848)
      • powershell.exe (PID: 3604)
    • Creates a new Windows service

      • sc.exe (PID: 3504)
    • Windows service management via SC.EXE

      • sc.exe (PID: 296)
      • sc.exe (PID: 816)
    • Drops a system driver (possible attempt to evade defenses)

      • ezyrmuerzgtz.exe (PID: 3692)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 1664)
  • INFO

    • Create files in a temporary directory

      • gInstall.exe (PID: 5088)
    • Checks supported languages

      • gInstall.exe (PID: 5088)
      • wireguard.exe (PID: 4296)
      • msiexec.exe (PID: 2872)
      • 7z2409-x64.exe (PID: 5332)
    • The sample compiled with english language support

      • gInstall.tmp (PID: 3424)
      • wireguard.exe (PID: 4296)
      • msiexec.exe (PID: 2872)
      • 7z2409-x64.exe (PID: 5332)
    • Creates a software uninstall entry

      • gInstall.tmp (PID: 3424)
    • Reads the computer name

      • wireguard.exe (PID: 4296)
      • 7z2409-x64.exe (PID: 5332)
      • msiexec.exe (PID: 2872)
    • Checks proxy server information

      • wireguard.exe (PID: 4296)
    • Reads the machine GUID from the registry

      • wireguard.exe (PID: 4296)
    • Reads the software policy settings

      • wireguard.exe (PID: 4296)
    • Creates files in the program directory

      • 7z2409-x64.exe (PID: 5332)
    • The sample compiled with chinese language support

      • wireguard.exe (PID: 4296)
      • msiexec.exe (PID: 2872)
    • Creates files or folders in the user directory

      • wireguard.exe (PID: 4296)
    • Detects InnoSetup installer (YARA)

      • gInstall.tmp (PID: 3424)
    • Compiled with Borland Delphi (YARA)

      • gInstall.tmp (PID: 3424)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2872)
    • Manages system restore points

      • SrTasks.exe (PID: 716)
    • The sample compiled with japanese language support

      • ezyrmuerzgtz.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 131072
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 55.8.0.2
ProductVersionNumber: 55.8.0.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: globalsign.com
FileDescription: Ubisoft Script Studio Setup
FileVersion: 55.8.0.2
LegalCopyright:
OriginalFileName:
ProductName: Ubisoft Script Studio
ProductVersion: 55.8.0.2
No data.
All screenshots are available in the full report
Total processes
187
Monitored processes
86
Malicious processes
7
Suspicious processes
2

Behavior graph

Interactive graph available in the full report. Process nodes shown in the graph: ginstall.exe, ginstall.tmp, wireguard.exe, 7z2409-x64.exe, cmd.exe, conhost.exe, setx.exe, timeout.exe, msiexec.exe, vssvc.exe, srtasks.exe, 7z.exe, volvet_install.exe, powershell.exe, sc.exe, wusa.exe, powercfg.exe, ezyrmuerzgtz.exe (flagged THREAT), explorer.exe, svchost.exe (flagged #MINER). Most nodes are marked "no specs" in the graph.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 136
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 228
CMD: wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\wusa.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID: 296
CMD: C:\Windows\system32\sc.exe delete "RDQWLEGN"
Path: C:\Windows\System32\sc.exe
Parent process: Volvet_Install.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 312
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 356
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 364
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 444
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 604
CMD: C:\Windows\system32\conhost.exe
Path: C:\Windows\System32\conhost.exe
Parent process: ezyrmuerzgtz.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
PID: 716
CMD: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:14
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 716
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
41 416
Read events
40 518
Write events
837
Delete events
61

Modification events

(PID) Process: (3424) gInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value:
C:\Windows\wireguard.exe
(PID) Process: (3424) gInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value:
69247CE911784B4DB662D1BA6894BA65BFDDE8860C478939E40706E2564687F7
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: Inno Setup: Setup Version
Value:
6.3.3
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: Inno Setup: App Path
Value:
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: Inno Setup: Icon Group
Value:
(Default)
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: Inno Setup: User
Value:
admin
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: Inno Setup: Language
Value:
default
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: DisplayName
Value:
Ubisoft Script Studio version 85.0.0.1
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: UninstallString
Value:
"C:\Windows\unins000.exe"
(PID) Process: (3424) gInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D0220B8-625B-448A-BA2D-5FC86CA622CB}_is1
Operation: write
Name: QuietUninstallString
Value:
"C:\Windows\unins000.exe" /SILENT
Executable files
29
Suspicious files
43
Text files
110
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3424
Process: gInstall.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-ID9UN.tmp\_isetup\_setup64.tmp
Type: executable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID: 5332
Process: 7z2409-x64.exe
Filename: C:\Program Files (x86)\7-Zip\descript.ion
Type: text
MD5:EB7E322BDC62614E49DED60E0FB23845
SHA256:1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\is-H05C3.tmp
Type: compressed
MD5:E09BA78E092B5EA280C9E9F6AA5056F0
SHA256:675E859505876A7C933647D34490C3F2AC590FF9D00F3CFEA5ED601E5402706C
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\Volvet_Install.zip
Type: compressed
MD5:E09BA78E092B5EA280C9E9F6AA5056F0
SHA256:675E859505876A7C933647D34490C3F2AC590FF9D00F3CFEA5ED601E5402706C
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\is-LL0NS.tmp
Type: executable
MD5:1CF9257C07936D7FBF508DC113E9B6D5
SHA256:EEEE2B0A6AD1C7E4614FED4DFBE58B63776F6A3A6758267B5A976B4DC4315F48
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\is-O52JJ.tmp
Type: executable
MD5:DD07475E2AA22ED7FFD0E12802E34000
SHA256:3482372A6672709F83E9CD3987D48EFEEC1E8C81505E5D67780CDDDC95AFF219
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\wireguard.exe
Type: executable
MD5:1CF9257C07936D7FBF508DC113E9B6D5
SHA256:EEEE2B0A6AD1C7E4614FED4DFBE58B63776F6A3A6758267B5A976B4DC4315F48
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\is-9PL94.tmp
Type: executable
MD5:6C73CC4C494BE8F4E680DE1A20262C8A
SHA256:BDD1A33DE78618D16EE4CE148B849932C05D0015491C34887846D431D29F308E
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\unins000.exe
Type: executable
MD5:DD07475E2AA22ED7FFD0E12802E34000
SHA256:3482372A6672709F83E9CD3987D48EFEEC1E8C81505E5D67780CDDDC95AFF219
PID: 3424
Process: gInstall.tmp
Filename: C:\Windows\7z2409-x64.exe
Type: executable
MD5:6C73CC4C494BE8F4E680DE1A20262C8A
SHA256:BDD1A33DE78618D16EE4CE148B849932C05D0015491C34887846D431D29F308E
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
24
TCP/UDP connections
22
DNS requests
14
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.25.50.48:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
4296
wireguard.exe
GET
200
23.209.209.62:80
http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D
unknown
whitelisted
4576
MoUsoCoreWorker.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dc78633dd7c93d85
unknown
whitelisted
POST
200
20.190.159.75:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
3640
svchost.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42ad739d664e5d69
unknown
whitelisted
POST
200
20.190.159.75:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
172.205.25.163:443
https://checkappexec.microsoft.com/windows/shell/actions
unknown
binary
182 b
whitelisted
GET
200
136.144.57.121:443
https://download.wireguard.com/windows-client/latest.sig
unknown
text
436 b
GET
200
136.144.57.121:443
https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi
unknown
executable
2.71 Mb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
184.25.50.48:80
Akamai International B.V.
DE
unknown
4576
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4576
MoUsoCoreWorker.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
3640
svchost.exe
20.190.160.65:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3640
svchost.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
2064
smartscreen.exe
108.141.15.7:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4296
wireguard.exe
136.144.57.121:443
download.wireguard.com
PACKET
US
malicious
4296
wireguard.exe
23.209.209.62:80
ocsp.entrust.net
PT. Telekomunikasi Selular
ID
whitelisted
1872
wireguard.exe
136.144.57.121:443
download.wireguard.com
PACKET
US
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.213
  • 23.50.131.208
  • 2.18.121.71
  • 2.18.121.202
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.131
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.3
  • 20.190.160.130
  • 20.190.160.128
  • 40.126.32.74
  • 40.126.31.3
  • 20.190.159.130
  • 40.126.31.2
  • 40.126.31.130
  • 20.190.159.75
  • 20.190.159.129
  • 40.126.31.128
  • 20.190.159.2
whitelisted
checkappexec.microsoft.com
  • 108.141.15.7
whitelisted
download.wireguard.com
  • 136.144.57.121
unknown
ocsp.entrust.net
  • 23.209.209.62
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
fs.microsoft.com
  • 23.197.142.186
whitelisted
self.events.data.microsoft.com
  • 20.189.173.13
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1664
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
1664
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info