File name:	dInstall.exe
Full analysis:	https://app.any.run/tasks/c8902f05-85a8-410f-a2ca-86475a6c38d0
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	May 24, 2025, 07:37:05
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	loader delphi inno installer miner github winring0x64-sys vuln-driver
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:	CDE2E062E822263577C5C7CE4A71FB92
SHA1:	480380C48916B1FB191A93E961DB93C3C999DBCB
SHA256:	EEB57A7B78BE43BABE3397CB7E45FC3EF906A8F3AE29EB0D4D17CD6C8C42D07B
SSDEEP:	98304:Vrq3BdwXIP1IxEJesOx7l9Lm1QcLmvpMcplq9t6MgW9c+m/WoPaOi4uT/G7GfG17:yT/pQvDRV60SAaMQUkZz11sv9

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:12 07:26:53+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	685056
InitializedDataSize:	171520
UninitializedDataSize:	-
EntryPoint:	0xa83bc
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	173.8.4.2
ProductVersionNumber:	173.8.4.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	codesigningstore.com
FileDescription:	Inno Script Studio Setup
FileVersion:	173.8.4.2
LegalCopyright:
OriginalFileName:
ProductName:	Inno Script Studio
ProductVersion:	173.8.4.2


(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: CC02000071674BAE7ECCDB01
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 07079C58159A486C192864DF5D9DF756C3CC1CC4B62C0FD4872765618C42E7F9
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	Sequence
Value:
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	SessionHash
Value: ܇墜騕汈⠙�鵝囷쳃쐜Ⲷ퐏➇慥䊌裏
(PID) Process:	(716) dInstall.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	Owner
Value: ˌ

PID	Process	Filename		Type
5312	dInstall.tmp	C:\Windows\is-LAGH4.tmp		compressed
		MD5:D5DDFBC8FED65B057D79F3FBBC6E8D34	SHA256:626F7DBF857259C71AF04C4B537615FFB78A3A64DE7AD7CB43245EBBF99A188C
5312	dInstall.tmp	C:\Users\admin\AppData\Local\Temp\is-U7AMI.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5312	dInstall.tmp	C:\Windows\unins000.exe		executable
		MD5:21178564D1EA6B85F3527BBEE00A6849	SHA256:A1124F8E83F83577A7C512481EB7FC0FDFE86E021A95C757D273FAC61D114860
5312	dInstall.tmp	C:\Windows\wireguard.exe		executable
		MD5:1CF9257C07936D7FBF508DC113E9B6D5	SHA256:EEEE2B0A6AD1C7E4614FED4DFBE58B63776F6A3A6758267B5A976B4DC4315F48
5312	dInstall.tmp	C:\Windows\is-FU6CE.tmp		executable
		MD5:21178564D1EA6B85F3527BBEE00A6849	SHA256:A1124F8E83F83577A7C512481EB7FC0FDFE86E021A95C757D273FAC61D114860
5088	dInstall.exe	C:\Users\admin\AppData\Local\Temp\is-USAQ6.tmp\dInstall.tmp		executable
		MD5:59B50984D3421A9D74F116E77C246ADF	SHA256:5000747A854DF8F0D61A4F664C0EEB595553BE998B6BBFB62AFF6BC14BB0A65F
5604	dInstall.exe	C:\Users\admin\AppData\Local\Temp\is-KII53.tmp\dInstall.tmp		executable
		MD5:59B50984D3421A9D74F116E77C246ADF	SHA256:5000747A854DF8F0D61A4F664C0EEB595553BE998B6BBFB62AFF6BC14BB0A65F
5312	dInstall.tmp	C:\Windows\is-R99SS.tmp		executable
		MD5:1CF9257C07936D7FBF508DC113E9B6D5	SHA256:EEEE2B0A6AD1C7E4614FED4DFBE58B63776F6A3A6758267B5A976B4DC4315F48
716	dInstall.tmp	C:\Users\admin\AppData\Local\Temp\is-3Q7GC.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5220	7z2409-x64.exe	C:\Program Files (x86)\7-Zip\History.txt		text
		MD5:CCAD44B829868FC155D11387F09C4F4B	SHA256:7D6A3D181B5166FFE08F2779903EDD2749C3EF78FD3C0174BDC4380F4A7511B8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3464	smartscreen.exe	GET	200	23.50.131.200:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b6379c0c45d59d7a	unknown	—	—	whitelisted
—	—	POST	200	172.205.25.163:443	https://checkappexec.microsoft.com/windows/shell/actions	unknown	binary	182 b	whitelisted
1352	svchost.exe	GET	200	2.21.20.155:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
—	—	GET	200	136.144.57.121:443	https://download.wireguard.com/windows-client/latest.sig	unknown	text	436 b	—
—	—	GET	200	136.144.57.121:443	https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi	unknown	executable	2.71 Mb	—
3936	wireguard.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D	unknown	—	—	whitelisted
3936	wireguard.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEHvWxPrG6a7ySOSaswtvvIE%3D	unknown	—	—	whitelisted
3936	wireguard.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D	unknown	—	—	whitelisted
3936	wireguard.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CECW8K%2FMpyhB%2FHqm6iIXUnTs%3D	unknown	—	—	whitelisted
3936	wireguard.exe	GET	200	23.209.209.62:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQXoCibpolAJkHkrE10coCb1HRkIAQUJg%2FwxEgIG83dkfVUVLazs%2FyZ8QgCEHTZ8ttRPCJn%2FUecNgc%2Fex0%3D	unknown	—	—	whitelisted

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
checkappexec.microsoft.com	172.205.25.163	whitelisted
ctldl.windowsupdate.com	23.50.131.200 23.50.131.216	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
download.wireguard.com	136.144.57.121	unknown
ocsp.entrust.net	23.209.209.62	whitelisted
fs.microsoft.com	23.197.142.186	whitelisted
self.events.data.microsoft.com	20.189.173.17	whitelisted
pool.hashvault.pro	192.248.189.11 80.240.16.67	whitelisted
raw.githubusercontent.com	185.199.109.133 185.199.110.133 185.199.111.133 185.199.108.133	whitelisted

PID	Process	Class	Message
1352	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
1664	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
1664	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

General Info

dInstall.exe

CDE2E062E822263577C5C7CE4A71FB92

480380C48916B1FB191A93E961DB93C3C999DBCB

EEB57A7B78BE43BABE3397CB7E45FC3EF906A8F3AE29EB0D4D17CD6C8C42D07B

98304:Vrq3BdwXIP1IxEJesOx7l9Lm1QcLmvpMcplq9t6MgW9c+m/WoPaOi4uT/G7GfG17:yT/pQvDRV60SAaMQUkZz11sv9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Changes Windows Defender settings

Vulnerable driver has been detected

MINER has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Internet Settings

Reads the Windows owner or organization settings

Drops 7-zip archiver for unpacking

Reads settings of System Certificates

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Uses TIMEOUT.EXE to delay execution

Starts CMD.EXE for commands execution

Adds/modifies Windows certificates

There is functionality for taking screenshot (YARA)

Application launched itself

Executes as Windows Service

Script adds exclusion path to Windows Defender

Script adds exclusion extension to Windows Defender

Manipulates environment variables

Process uninstalls Windows update

Stops a currently running service

Starts SC.EXE for service management

Creates a new Windows service

Windows service management via SC.EXE

Starts POWERSHELL.EXE for commands execution

Uses powercfg.exe to modify the power settings

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

The sample compiled with english language support

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Creates a software uninstall entry

Creates files or folders in the user directory

Reads the machine GUID from the registry

Detects InnoSetup installer (YARA)

Executable content was dropped or overwritten

Compiled with Borland Delphi (YARA)

Manages system restore points

The sample compiled with chinese language support

The sample compiled with japanese language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information