File name: zadig-2.8.exe

Full analysis: https://app.any.run/tasks/53a07bb3-415e-45cf-87b1-0493f1a25e6c
Verdict: Malicious activity
Analysis date: March 22, 2024, 19:32:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: F44A1FE63A81D60A0476B98794241FB0
SHA1: 427F088EE99E25872F7B1AE25E091A868A703D2A
SHA256: 20E4CD7B6768718848F603FE928F36E207DC5CA96FC9DB7085D841410D0ABAE4
SSDEEP: 98304:cbAfw3h8305oFigPV4HtWnMNoK7d98rCrMkrlFD/xhGcgux9LEqPyDGKfLt7R15Z:cs4C3zmHtWMHHeC4k7dEcjvEqPWG0vMw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • zadig-2.8.exe (PID: 2408)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • zadig-2.8.exe (PID: 2408)
    • Reads settings of System Certificates

      • zadig-2.8.exe (PID: 2408)
    • Adds/modifies Windows certificates

      • zadig-2.8.exe (PID: 2408)
    • Checks Windows Trust Settings

      • zadig-2.8.exe (PID: 2408)
    • Reads security settings of Internet Explorer

      • zadig-2.8.exe (PID: 2408)
    • Reads the Internet Settings

      • zadig-2.8.exe (PID: 2408)
    • Executable content was dropped or overwritten

      • zadig-2.8.exe (PID: 2408)
  • INFO

    • Reads the computer name

      • zadig-2.8.exe (PID: 2408)
    • Checks proxy server information

      • zadig-2.8.exe (PID: 2408)
    • Checks supported languages

      • zadig-2.8.exe (PID: 2408)
    • Creates files or folders in the user directory

      • zadig-2.8.exe (PID: 2408)
    • Reads the machine GUID from the registry

      • zadig-2.8.exe (PID: 2408)
    • Reads the software policy settings

      • zadig-2.8.exe (PID: 2408)
    • Create files in a temporary directory

      • zadig-2.8.exe (PID: 2408)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:01 17:56:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 5218304
InitializedDataSize: 32768
UninitializedDataSize: 1855488
EntryPoint: 0x6be6e0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.8.782.0
ProductVersionNumber: 2.8.782.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
CompanyName: akeo.ie
FileDescription: Zadig
FileVersion: 2.8.782
InternalName: Zadig
LegalCopyright: © 2010-2023 Pete Batard (GPL v3)
LegalTrademarks: https://www.gnu.org/copyleft/gpl.html
OriginalFileName: zadig.exe
ProductName: Zadig
ProductVersion: 2.8.782
Comments: https://zadig.akeo.ie
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph


Process information

PID: 2120
CMD: "C:\Users\admin\AppData\Local\Temp\zadig-2.8.exe"
Path: C:\Users\admin\AppData\Local\Temp\zadig-2.8.exe
Parent process: explorer.exe
User: admin
Company: akeo.ie
Integrity Level: MEDIUM
Description: Zadig
Exit code: 3221226540
Version: 2.8.782
Modules (Images):
c:\users\admin\appdata\local\temp\zadig-2.8.exe
c:\windows\system32\ntdll.dll

PID: 2408
CMD: "C:\Users\admin\AppData\Local\Temp\zadig-2.8.exe"
Path: C:\Users\admin\AppData\Local\Temp\zadig-2.8.exe
Parent process: explorer.exe
User: admin
Company: akeo.ie
Integrity Level: HIGH
Description: Zadig
Exit code: 0
Version: 2.8.782
Modules (Images):
c:\users\admin\appdata\local\temp\zadig-2.8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 6 456
Read events: 6 403
Write events: 42
Delete events: 11

Modification events

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Akeo Consulting\Zadig
Operation: write
Name: CommCheck
Value: 1583953

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Akeo Consulting\Zadig
Operation: write
Name: UpdateCheckInterval
Value: 86400

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

(PID) Process: (2408) zadig-2.8.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:
Executable files: 3
Suspicious files: 1
Text files: 1
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2408 | zadig-2.8.exe | C:\Users\admin\AppData\Local\Temp\winusbcoinstaller2.dll | executable
MD5: 8E7B9F81E8823FEE2D82F7DE3A44300B
SHA256: EBE3B7708DD974EE87EFED3113028D266AF87CA8DBAE77C47C6F7612824D3D6C
2408 | zadig-2.8.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Zadig_win[1].ver | text
MD5: CB90BCF09EECDA182DC4873C6DC37247
SHA256: B27158FAB465ADAA22FE312AA48046E8BB00190A1F18C848BF4E7EC7E4BFB484
2408 | zadig-2.8.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 822467B728B7A66B081C91795373789A
SHA256: AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
2408 | zadig-2.8.exe | C:\Users\admin\AppData\Local\Temp\libusbK.dll | executable
MD5: BD03C4792F08F0C889441F49DF9DEB98
SHA256: E908FB5501D74F810948CACBE476658479F19F4D2AFF14F9044F18981BE9C6FC
2408 | zadig-2.8.exe | C:\Users\admin\AppData\Local\Temp\libusb0.dll | executable
MD5: 7ADF671E367A345905EFB078985E18AB
SHA256: A706653EDDDB4837B798B1F6F44FCD4CC4E75827A08F0336CBC713E468A4A5A4
2408 | zadig-2.8.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 172E6135F891973DCC02C2AD0F33F620
SHA256: DCBFF5CF7D3C3012264BAAF88498C3B0251169DBAC78C524C5875DAD30FBE1B1
2408 | zadig-2.8.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 3C6A3AA23214CBFB6E22BBF8310FD9EC
SHA256: 47A1956488D33D3EF7E504A591EC26AC161488F3888CA1E5337292974F2ACFE3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 11
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2408 | zadig-2.8.exe | GET | 304 | 173.222.108.243:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?04b2dea8abd60a79 | unknown | - | - | unknown
2408 | zadig-2.8.exe | GET | 200 | 2.19.245.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
1080 | svchost.exe | GET | 200 | 2.19.126.163:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?89bca2e7018c82c0 | unknown | compressed | 67.5 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2408 | zadig-2.8.exe | 185.199.108.153:443 | zadig.akeo.ie | FASTLY | US | shared
2408 | zadig-2.8.exe | 173.222.108.243:80 | ctldl.windowsupdate.com | Akamai International B.V. | CH | unknown
2408 | zadig-2.8.exe | 2.19.245.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
1080 | svchost.exe | 2.19.126.163:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
zadig.akeo.ie
  • 185.199.108.153
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.111.153
unknown
ctldl.windowsupdate.com
  • 173.222.108.243
  • 173.222.108.249
  • 2.19.126.163
  • 2.19.126.137
whitelisted
x1.c.lencr.org
  • 2.19.245.44
whitelisted

Threats

No threats detected
Process | Message
zadig-2.8.exe | Windows 7 SP1 32 bit
zadig-2.8.exe | Zadig 2.8.782
zadig-2.8.exe | default driver set to 'WinUSB'
zadig-2.8.exe | ini file 'zadig.ini' not found in 'C:\Users\admin\AppData\Local\Temp' - default parameters will be used
zadig-2.8.exe | 0 devices found.
zadig-2.8.exe | Checking for Zadig updates...
zadig-2.8.exe | Checking release channel...
zadig-2.8.exe | No new release version found.