File name:

ZapyaPC2802_Lite.exe

Full analysis: https://app.any.run/tasks/8296f83d-7c07-4828-a78f-82f5eb3c3cdc
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to obtain users' information without authorization and transfer it to the attacker. The category covers programs that each target a particular kind of data, including files, passwords and cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 01, 2025, 15:03:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
inno
installer
delphi
qrcode
auto-reg
qr-redirect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

192C9A04B3E7375BF425D642667A44D4

SHA1:

AF01FC1F0BFA0AF12631C9626D635172560B6B3E

SHA256:

1FEAC4A9F0C79A6DAFF0E90DDC9E7167FF3272D42319A6E060BD0DBF6222AE49

SSDEEP:

98304:XElbdnohd+0114uloLzWFFwORF0C76zZhIfs1V56DnJNPfcGNMdbWb+Tdzq+m0n9:Uruf1iRALOVMGGxoEn92vmYunYiROzr

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Actions look like stealing of personal data

      • ZapyaPC2802_Lite.tmp (PID: 2852)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2104)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 7216)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 2660)
      • cmd.exe (PID: 6792)
    • Process drops legitimate windows executable

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Reads the Windows owner or organization settings

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Executable content was dropped or overwritten

      • ZapyaPC2802_Lite.exe (PID: 5960)
      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Reads Microsoft Outlook installation path

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Reads security settings of Internet Explorer

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • InstallUtil.exe (PID: 4468)
      • ZapyaAdaptor.exe (PID: 5116)
    • Reads Internet Explorer settings

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Executes as Windows Service

      • ZapyaService.exe (PID: 5552)
    • There is functionality for taking screenshot (YARA)

      • ZapyaPC2802_Lite.tmp (PID: 2852)
  • INFO

    • Checks supported languages

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZapyaPC2802_Lite.exe (PID: 5960)
      • InstallUtil.exe (PID: 4468)
      • ZapyaService.exe (PID: 5552)
      • ZsSetup.exe (PID: 7736)
      • ZapyaAdaptor.exe (PID: 5116)
      • identity_helper.exe (PID: 7148)
    • Creates files in a temporary directory

      • ZapyaPC2802_Lite.exe (PID: 5960)
      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • The sample was compiled with Russian language support

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Reads the computer name

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZsSetup.exe (PID: 7736)
      • ZapyaService.exe (PID: 5552)
      • InstallUtil.exe (PID: 4468)
      • ZapyaAdaptor.exe (PID: 5116)
      • identity_helper.exe (PID: 7148)
    • The sample was compiled with English language support

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Creates files in the program directory

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZapyaService.exe (PID: 5552)
      • InstallUtil.exe (PID: 4468)
    • Compiled with Borland Delphi (YARA)

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZapyaPC2802_Lite.exe (PID: 5960)
    • Checks proxy server information

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZapyaAdaptor.exe (PID: 5116)
    • Reads the machine GUID from the registry

      • ZsSetup.exe (PID: 7736)
      • InstallUtil.exe (PID: 4468)
      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • ZapyaAdaptor.exe (PID: 5116)
      • ZapyaService.exe (PID: 5552)
    • The sample was compiled with Chinese language support

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Creates a software uninstall entry

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Launch of the file from Registry key

      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Creates files or folders in the user directory

      • ZsSetup.exe (PID: 7736)
      • ZapyaAdaptor.exe (PID: 5116)
    • Reads Environment values

      • ZapyaPC2802_Lite.tmp (PID: 2852)
      • identity_helper.exe (PID: 7148)
    • Detects InnoSetup installer (YARA)

      • ZapyaPC2802_Lite.exe (PID: 5960)
      • ZapyaPC2802_Lite.tmp (PID: 2852)
    • Reads the software policy settings

      • ZapyaAdaptor.exe (PID: 5116)
    • Manual execution by a user

      • msedge.exe (PID: 8008)
      • msedge.exe (PID: 7524)
      • msedge.exe (PID: 7804)
      • ZapyaAdaptor.exe (PID: 5116)
    • Application launched itself

      • msedge.exe (PID: 208)
      • msedge.exe (PID: 8008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (91.2)
.exe | Win32 Executable (generic) (3.7)
.exe | Win16/32 Executable Delphi generic (1.7)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:02 05:04:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 233472
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.8.0.2
ProductVersionNumber: 2.8.0.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: DewMobile,Inc.
FileDescription: Zapya
FileVersion: 2.8.0.2
LegalCopyright: Copyright©2011-2020 DewMobile,Inc.
ProductName: Zapya
ProductVersion: 2.8.0.2
No data.
All screenshots are available in the full report
Total processes
214
Monitored processes
86
Malicious processes
2
Suspicious processes
0

Behavior graph

Nodes in graph order (the report marks processes without a detailed entry as "no specs"):

start
zapyapc2802_lite.exe
zapyapc2802_lite.tmp
cmd.exe, conhost.exe, taskkill.exe (no specs); this group appears ten times, one per cmd.exe PID listed under "Uses TASKKILL.EXE to kill process"
zssetup.exe (no specs)
installutil.exe (no specs)
conhost.exe (no specs)
zapyaservice.exe
zapyaadaptor.exe
msedge.exe, repeated many times (most instances no specs), with two identity_helper.exe (no specs) and one slui.exe among them
zapyapc2802_lite.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\Zapya\ZapyaPC\tools\en-us\help_english.html
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
ZapyaPC2802_Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
896
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2140 --field-trial-handle=2352,i,13549089953294642241,2635864021876869767,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1240
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1244
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=2380,i,10688836401962203616,13654203125377084187,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1284
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x310,0x314,0x318,0x308,0x320,0x7ffc89d35fd8,0x7ffc89d35fe4,0x7ffc89d35ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1452
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1676
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6004 --field-trial-handle=2380,i,10688836401962203616,13654203125377084187,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1760
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6376 --field-trial-handle=2380,i,10688836401962203616,13654203125377084187,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2104
CMD:
"cmd.exe" /c taskkill /F /IM hh.exe
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
ZapyaPC2802_Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2124
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6972 --field-trial-handle=2380,i,10688836401962203616,13654203125377084187,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
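The two SUSPICIOUS signatures above ("Starts CMD.EXE for commands execution" and "Uses TASKKILL.EXE to kill process") are visible in this table as ZapyaPC2802_Lite.tmp (PID 2852) spawning "cmd.exe" /c taskkill /F /IM hh.exe at HIGH integrity. The following Python is an added example, not ANY.RUN's code: it rebuilds a few rows of the table as records and extracts the kill chain, the killed image, and whether the kill ran elevated and under WOW64. The Proc fields, the regular expressions and the function names are mine; the row data is taken from the page.

```python
"""Find installer -> cmd.exe -> taskkill chains in a sandbox process table.

Added example for this report; it is not ANY.RUN code. PROCS is constructed
from the PID / CMD / Path / Parent / Integrity fields the report shows for a
few of its processes; the Proc fields and helper names are my own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str        # command line as the report prints it
    path: str       # image path
    parent: str     # parent image name as the report labels it
    integrity: str  # integrity level column


# Constructed from the report's process table (a subset of the rows).
PROCS = [
    Proc(208,
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
         r'--single-argument C:\Program Files (x86)\Zapya\ZapyaPC\tools\en-us\help_english.html',
         r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
         'ZapyaPC2802_Lite.tmp', 'HIGH'),
    Proc(1240, r'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1',
         r'C:\Windows\System32\conhost.exe', 'cmd.exe', 'HIGH'),
    Proc(2104, r'"cmd.exe" /c taskkill /F /IM hh.exe',
         r'C:\Windows\SysWOW64\cmd.exe', 'ZapyaPC2802_Lite.tmp', 'HIGH'),
]

# taskkill as a bare or quoted token; /IM and /PID targets; /F alone (not /FI).
TASKKILL_RE = re.compile(r'(?:^|[\s"])taskkill(?:\.exe)?(?=[\s"]|$)', re.I)
IM_RE = re.compile(r'/IM\s+"?([^\s"]+)', re.I)
PID_RE = re.compile(r'/PID\s+(\d+)', re.I)
FORCE_RE = re.compile(r'(?:^|\s)/F(?:\s|$)', re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def kill_chains(procs):
    """One finding per cmd.exe whose command line invokes taskkill.

    The parent test marks Inno Setup's second stage (the extracted .tmp
    inside the is-XXXXX.tmp folder under %TEMP%) as the spawning process.
    """
    findings = []
    for p in procs:
        if image_name(p.path) != 'cmd.exe' or not TASKKILL_RE.search(p.cmd):
            continue
        findings.append({
            'pid': p.pid,
            'parent': p.parent,
            'parent_is_inno_stage': p.parent.lower().endswith('.tmp'),
            'images': [m.lower() for m in IM_RE.findall(p.cmd)],
            'pids': [int(m) for m in PID_RE.findall(p.cmd)],
            'forced': bool(FORCE_RE.search(p.cmd)),
            'elevated': p.integrity.upper() in ('HIGH', 'SYSTEM'),
            'wow64': '\\syswow64\\' in p.path.lower(),
        })
    return findings


def killed_images(procs):
    """Sorted set of image names the table shows being force-killed."""
    return sorted({img for f in kill_chains(procs) if f['forced'] for img in f['images']})


if __name__ == '__main__':
    for finding in kill_chains(PROCS):
        print(finding)
```

hh.exe is the Windows HTML Help viewer (the same installer later opens help_english.html in Edge, see PID 208); an installer force-closing it before replacing help files is ordinary behaviour, so this chain is a weak signal on its own. The INFO-level "Compiled with Borland Delphi" and language-support signatures likewise fire on the Inno Setup stub (the EXIF comment reads "This installation was built with Inno Setup", and Inno Setup's bootstrapper is a Delphi program), so they describe the installer framework rather than the payload it carries.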
Total events
16 625
Read events
16 548
Write events
75
Delete events
2

Modification events

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\Zapya
Operation: write
Name: icon
Value: C:\Program Files (x86)\Zapya\ZapyaPC\ZapyaSender.exe

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Zapya\Settings
Operation: write
Name: InstallLanguage
Value: En

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ZapyaAdaptor
Value: C:\Program Files (x86)\Zapya\ZapyaPC\ZapyaAdaptor.exe

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26096B28-1A2B-416E-BC67-B9A0A1CBB10E}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.1.ee2 (u)

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26096B28-1A2B-416E-BC67-B9A0A1CBB10E}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\Zapya\ZapyaPC

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26096B28-1A2B-416E-BC67-B9A0A1CBB10E}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\Zapya\ZapyaPC\

Process: ZapyaPC2802_Lite.tmp (PID 2852)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26096B28-1A2B-416E-BC67-B9A0A1CBB10E}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Zapya PC
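The MALICIOUS signature "Changes the autorun value in the registry" corresponds to the write of ZapyaAdaptor under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run shown above. As an added example (not ANY.RUN's code), the Python below parses modification events in the raw form the report exports them (process, key, operation and name run together on one line, the value on the next) and classifies each write. RAW_EVENTS reproduces six of the page's rows verbatim; the category labels, the RegEvent fields and the function names are my own.

```python
"""Parse and classify the registry 'Modification events' of a sandbox report.

Added example, not ANY.RUN code. RAW_EVENTS reproduces the report's rows in
the raw export form (process, key, operation and name run together on one
line, the value on the following line); the category names are my own.
"""
import re
from dataclasses import dataclass

RAW_EVENTS = r"""
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\Zapya
Operation:writeName:icon
Value:
C:\Program Files (x86)\Zapya\ZapyaPC\ZapyaSender.exe
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Zapya\Settings
Operation:writeName:InstallLanguage
Value:
En
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ZapyaAdaptor
Value:
C:\Program Files (x86)\Zapya\ZapyaPC\ZapyaAdaptor.exe
(PID) Process:(2852) ZapyaPC2802_Lite.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26096B28-1A2B-416E-BC67-B9A0A1CBB10E}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files (x86)\Zapya\ZapyaPC
"""

HEADER_RE = re.compile(r'^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$')
OPNAME_RE = re.compile(r'^Operation:(\w+)Name:(.*)$')


@dataclass
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str


def parse_events(raw: str) -> list[RegEvent]:
    """Split the fused export into RegEvent records; an empty 'Value:' stays ''."""
    events, cur, in_value = [], None, False
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:                       # a new record starts; close any open value
            cur = RegEvent(int(m.group(1)), m.group(2), m.group(3), '', '', '')
            events.append(cur)
            in_value = False
            continue
        if cur is None or not line.strip():
            continue
        m = OPNAME_RE.match(line)
        if m and not in_value:
            cur.operation, cur.name = m.group(1), m.group(2)
            continue
        if line == 'Value:' and not in_value:
            in_value = True
            continue
        if in_value:                # multi-line values are joined with newlines
            cur.value = line if not cur.value else cur.value + '\n' + line
    return events


# Key patterns, checked in order; the first match wins.
RULES = [
    ('autorun',       re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)),
    ('shell-verb',    re.compile(r'\\Classes\\(\*|[^\\]+)\\shell\\', re.I)),
    ('uninstall',     re.compile(r'\\CurrentVersion\\Uninstall\\', re.I)),
    ('wininet-cache', re.compile(r'\\Internet Settings\\', re.I)),
]


def classify(ev: RegEvent) -> str:
    for label, rx in RULES:
        if rx.search(ev.key):
            return label
    return 'app-setting'


def persistence(events):
    """(name, command) pairs written under a Run key: the autorun entries."""
    return [(e.name, e.value) for e in events
            if classify(e) == 'autorun' and e.operation.lower() == 'write']


def summary(events):
    """Count of events per category."""
    counts = {}
    for e in events:
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts


if __name__ == '__main__':
    evs = parse_events(RAW_EVENTS)
    print(summary(evs))
    print(persistence(evs))
```

On a live host the same entry can be checked with reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v ZapyaAdaptor. A 32-bit installer lands in the WOW6432Node view through registry redirection, and entries there are started at logon just like those in the native Run key, so a persistence check that reads only the 64-bit view misses them.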
Executable files
107
Suspicious files
295
Text files
403
Unknown types
0

Dropped files

PID 5960 ZapyaPC2802_Lite.exe | executable
  C:\Users\admin\AppData\Local\Temp\is-LFHTM.tmp\ZapyaPC2802_Lite.tmp
  MD5: 09811313870AE1894A12C40E092EE4CF
  SHA256: C32F1C2DD2A67D6BD4802CF62C721C60217260CCCD3DC61193608E26EB43CEBF
PID 2852 ZapyaPC2802_Lite.tmp | executable
  C:\Users\admin\AppData\Local\Temp\is-GK0AE.tmp\innocallback.dll
  MD5: CA826D6114C596A797FB68DDA30BE56B
  SHA256: A293E1292837F0BE4056F80CC22462F46C663386BD64EF74871DD0D124DE596D
PID 2852 ZapyaPC2802_Lite.tmp | executable
  C:\Users\admin\AppData\Local\Temp\is-GK0AE.tmp\_isetup\_setup64.tmp
  MD5: 4FF75F505FDDCC6A9AE62216446205D9
  SHA256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
PID 2852 ZapyaPC2802_Lite.tmp | executable
  C:\Users\admin\AppData\Local\Temp\is-GK0AE.tmp\botva2.dll
  MD5: 46244FED43F005AFE5B64B2DE134C299
  SHA256: 5F3ECAB52409403CECEB3820B8674932E4579E8A4D1CD7D0E8A40F92950FA618
PID 2852 ZapyaPC2802_Lite.tmp | executable
  C:\Users\admin\AppData\Local\Temp\is-GK0AE.tmp\kzniqgtvyek.dll
  MD5: DA2BCAF24FB9AEA3BCD8B2E58134E968
  SHA256: 0612A44EB772F5570F964381DE75279AB5F8516F7CAFB1F8FAF199677BB0D69D
PID 2852 ZapyaPC2802_Lite.tmp | text
  C:\Users\admin\AppData\Local\Temp\nsd118690640363\css\sdk-ui\browse.css
  MD5: 6009D6E864F60AEA980A9DF94C1F7E1C
  SHA256: 5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
PID 2852 ZapyaPC2802_Lite.tmp | image
  C:\Users\admin\AppData\Local\Temp\nsd118690640363\css\sdk-ui\images\progress-bg.png
  MD5: E9F12F92A9EEB8EBE911080721446687
  SHA256: C1CF449536BC2778E27348E45F0F53D04C284109199FB7A9AF7A61016B91F8BC
PID 2852 ZapyaPC2802_Lite.tmp | text
  C:\Users\admin\AppData\Local\Temp\nsd118690640363\css\sdk-ui\checkbox.css
  MD5: 64773C6B0E3413C81AEBC46CCE8C9318
  SHA256: B09504C1BF0486D3EC46500592B178A3A6C39284672AF8815C3687CC3D29560D
PID 2852 ZapyaPC2802_Lite.tmp | text
  C:\Users\admin\AppData\Local\Temp\nsd118690640363\css\sdk-ui\button.css
  MD5: 37E1FF96E084EC201F0D95FEEF4D5E94
  SHA256: 8E806F5B94FC294E918503C8053EF1284E4F4B1E02C7DA4F4635E33EC33E0534
PID 2852 ZapyaPC2802_Lite.tmp | image
  C:\Users\admin\AppData\Local\Temp\nsd118690640363\css\sdk-ui\images\progress-bg-corner.png
  MD5: 608F1F20CD6CA9936EAA7E8C14F366BE
  SHA256: 86B6E6826BCDE2955D64D4600A4E01693522C1FDDF156CE31C4BA45B3653A7BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
445
TCP/UDP connections
183
DNS requests
194
Threats
9

HTTP requests

Columns: PID Process | Method HTTP code | IP:port | CN | Type, Size | Reputation; the URL follows on the next line. Rows for which the report gives no PID/process are marked as such.

5352 RUXIMICS.exe | GET 200 | 184.30.21.171:80 | CN: unknown | whitelisted
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
5116 ZapyaAdaptor.exe | GET 200 | 104.18.38.233:80 | CN: unknown | whitelisted
  http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
5352 RUXIMICS.exe | GET 200 | 23.48.23.171:80 | CN: unknown | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5116 ZapyaAdaptor.exe | GET 200 | 172.64.149.23:80 | CN: unknown | whitelisted
  http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D
(PID/process not given) | GET 200 | 13.107.42.16:443 | CN: unknown | binary, 839 b | whitelisted
  https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=48&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
(PID/process not given) | GET 200 | 150.171.27.11:443 | CN: unknown | binary, 446 b | whitelisted
  https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
(PID/process not given) | GET 503 | 13.107.6.158:443 | CN: unknown | html, 13.7 Kb | whitelisted
  https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox
5116 ZapyaAdaptor.exe | GET 200 | 104.18.38.233:80 | CN: unknown | whitelisted
  http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQ5suEceKjAJbxseAmHFkQ9FrhTWQQUDuE6qFM6MdWKvsG7rWcaA4WtNA4CEQCRO96KwNLZ44W2zib25m6T
(PID/process not given) | GET 200 | 13.107.246.45:443 | CN: unknown | binary, 16.0 Kb | whitelisted
  https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable
(PID/process not given) | GET 503 | 13.107.6.158:443 | CN: unknown | html, 13.7 Kb | whitelisted
  https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox

Connections

Columns: PID Process | IP:port | Domain | ASN | CN | Reputation. Fields the report leaves empty are omitted or marked as not given.

4 System | 192.168.100.255:137 | whitelisted
5352 RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID/process not given) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:138 | whitelisted
(PID/process not given) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5352 RUXIMICS.exe | 23.48.23.171:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5352 RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5116 ZapyaAdaptor.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | (CN not given) | whitelisted
5116 ZapyaAdaptor.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | whitelisted
7976 msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.48.23.171
  • 23.48.23.175
  • 23.48.23.185
  • 23.48.23.194
  • 23.48.23.134
  • 23.48.23.183
  • 23.48.23.184
  • 23.48.23.176
  • 23.48.23.181
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
whm.catebkuse.com
  • 13.107.246.53
unknown
backup.catebkuse.com
unknown
sip.catebkuse.com
unknown
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
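Every name in the DNS table is whitelisted except the three catebkuse.com hosts, two of which returned no address; the report does not attribute those lookups to a process, so triage has to stay at the name level. As an added example, not ANY.RUN's code, the Python below groups the hosts by registrable domain, keeps only groups with no whitelisted member, and separately lists IPs shared by several names. DNS_RECORDS is constructed from the section above (the crl.microsoft.com answer list is shortened to two addresses); the grouping takes the last two labels as the registrable domain, a deliberate simplification with no public-suffix list that would misgroup names under suffixes such as co.uk.

```python
"""Triage a sandbox DNS table: non-whitelisted names and IPs shared by names.

Added example, not ANY.RUN code. DNS_RECORDS is constructed from the
report's 'DNS requests' section (domain, resolved IPs, reputation); the
function names are my own and registrable() is a deliberate simplification
(last two labels only, no public-suffix list).
"""
from collections import defaultdict

DNS_RECORDS = [
    ('settings-win.data.microsoft.com', ['4.231.128.59', '20.73.194.208'], 'whitelisted'),
    ('google.com', ['142.250.186.78'], 'whitelisted'),
    ('crl.microsoft.com', ['23.48.23.171', '23.48.23.175'], 'whitelisted'),  # shortened
    ('www.microsoft.com', ['184.30.21.171', '95.101.149.131'], 'whitelisted'),
    ('whm.catebkuse.com', ['13.107.246.53'], 'unknown'),
    ('backup.catebkuse.com', [], 'unknown'),      # no address in the report
    ('sip.catebkuse.com', [], 'unknown'),         # no address in the report
    ('ocsp.comodoca.com', ['104.18.38.233', '172.64.149.23'], 'whitelisted'),
    ('ocsp.usertrust.com', ['172.64.149.23', '104.18.38.233'], 'whitelisted'),
    ('ocsp.sectigo.com', ['104.18.38.233', '172.64.149.23'], 'whitelisted'),
]


def registrable(domain: str) -> str:
    """Last two labels of a name (simplified registrable domain)."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def triage(records):
    """Groups of hosts per registrable domain, keeping only groups with no
    whitelisted member; resolved and unresolved hosts are listed separately."""
    groups = defaultdict(lambda: {'hosts': [], 'resolved': {},
                                  'unresolved': [], 'reputations': set()})
    for host, ips, rep in records:
        g = groups[registrable(host)]
        g['hosts'].append(host)
        g['reputations'].add(rep)
        if ips:
            g['resolved'][host] = list(ips)
        else:
            g['unresolved'].append(host)
    return {d: g for d, g in groups.items() if 'whitelisted' not in g['reputations']}


def shared_ips(records):
    """IP -> sorted hostnames, for IPs that several names resolve to.

    Useful when a connections table attributes one IP to a single name."""
    owners = defaultdict(set)
    for host, ips, _ in records:
        for ip in ips:
            owners[ip].add(host)
    return {ip: sorted(h) for ip, h in owners.items() if len(h) > 1}


if __name__ == '__main__':
    for dom, g in triage(DNS_RECORDS).items():
        print(dom, 'resolved:', g['resolved'], 'unresolved:', g['unresolved'])
    print(shared_ips(DNS_RECORDS))
```

shared_ips is the check to apply to the Connections table above: it lists ocsp.comodoca.com at 172.64.149.23 while the HTTP table shows ocsp.usertrust.com on that same IP, and the DNS answers show all three OCSP names resolving to the same pair of Cloudflare addresses, so a per-IP domain attribution in that table should not be read as definitive.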

Threats

Columns: PID Process | Class | Message

7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7976 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7976 msedge.exe | Misc activity | INFO [ANY.RUN] Possible short link service (t .co)
7976 msedge.exe | Misc activity | INFO [ANY.RUN] Possible short link service (t .co)
Process
Message
ZapyaService.exe
2025-06-01 15:04:01.675 | [info] | [file: ] | [func: .ctor] | [line: 0] | [col: 0] | ZapyaService() Start
ZapyaService.exe
2025-06-01 15:04:01.675 | [info] | [file: ] | [func: .ctor] | [line: 0] | [col: 0] | ZapyaService() End
ZapyaService.exe
2025-06-01 15:04:01.660 | [debug] | [file: ] | [func: Main] | [line: 0] | [col: 0] | Main() Start
ZapyaService.exe
2025-06-01 15:04:01.691 | [info] | [file: ] | [func: Start] | [line: 0] | [col: 0] | CmdServer.Start()
ZapyaService.exe
2025-06-01 15:04:01.691 | [info] | [file: ] | [func: Start] | [line: 0] | [col: 0] | C:\Program Files (x86)\Zapya\ZapyaPC
ZapyaService.exe
2025-06-01 15:04:01.691 | [info] | [file: ] | [func: Run] | [line: 0] | [col: 0] | CmdServer.Run() Start
ZapyaService.exe
2025-06-01 15:04:01.707 | [error] | [file: ] | [func: .cctor] | [line: 0] | [col: 0] | The service has not been started
ZapyaService.exe
2025-06-01 15:04:02.097 | [debug] | [file: ] | [func: OpenRegistryKeyForManagerNic] | [line: 0] | [col: 0] | open subkey:SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010
ZapyaService.exe
2025-06-01 15:04:02.097 | [debug] | [file: ] | [func: IsShutdownPowerDisabled] | [line: 0] | [col: 0] | PnPCapabilities key doesnot exsist
ZapyaService.exe
2025-06-01 15:04:02.097 | [error] | [file: ] | [func: Run] | [line: 0] | [col: 0] | Start to bind