File name: zipsoft-2-install (1).exe

Full analysis: https://app.any.run/tasks/c3398e19-d572-4dff-bbe6-ec6a623eafeb
Verdict: Malicious activity
Analysis date: October 26, 2023, 11:52:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: D2D15C056197044A31A7EF4F96B24832
SHA1: AE3887D16A624109FA9D35A5FA7A8780839216F2
SHA256: 5052C5D3B511803F1BDB3A47F268F73BB69595B482C7022EF535AD99BC06E57B
SSDEEP: 98304:BeoyNjE3jYt5Rw+kqS1ZhRFmhKP13RA+nqs5YT33RsnGrXANmQbso7kbIbXvbJA4:T3X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • zipsoft-2-install (1).exe (PID: 3828)
    • Reads security settings of Internet Explorer

      • zipsoft-2-install (1).exe (PID: 3828)
    • Reads settings of System Certificates

      • zipsoft-2-install (1).exe (PID: 3828)
    • Checks Windows Trust Settings

      • zipsoft-2-install (1).exe (PID: 3828)
    • Reads Internet Explorer settings

      • zipsoft-2-install (1).exe (PID: 3828)
    • Reads Microsoft Outlook installation path

      • zipsoft-2-install (1).exe (PID: 3828)
  • INFO

    • Reads the computer name

      • zipsoft-2-install (1).exe (PID: 3828)
    • Checks supported languages

      • zipsoft-2-install (1).exe (PID: 3828)
    • Checks proxy server information

      • zipsoft-2-install (1).exe (PID: 3828)
    • Creates files in a temporary directory

      • zipsoft-2-install (1).exe (PID: 3828)
    • Reads the machine GUID from the registry

      • zipsoft-2-install (1).exe (PID: 3828)
    • Creates files or folders in the user directory

      • zipsoft-2-install (1).exe (PID: 3828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:05 15:17:20+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 1667072
InitializedDataSize: 421888
UninitializedDataSize: 10293248
EntryPoint: 0xb67800
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.3.2.0
ProductVersionNumber: 3.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ROSTPAY LTD.
FileDescription: Install ZipSoft
InternalName: ZipSoftInstaller
LegalCopyright: © ROSTPAY LTD. All rights reserved.
OriginalFileName: ZipSoftInstaller.exe
ProductName: ZipSoft
FileVersion: 3.3.2
ProductVersion: 3.3.2
All screenshots are available in the full report
Total processes: 37
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start zipsoft-2-install (1).exe

Process information

PID: 3828
CMD: "C:\Users\admin\AppData\Local\Temp\zipsoft-2-install (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\zipsoft-2-install (1).exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: ROSTPAY LTD.
Integrity Level: MEDIUM
Description: Install ZipSoft
Exit code: 0
Version: 3.3.2
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\zipsoft-2-install (1).exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\usp10.dll
Total events: 5 914
Read events: 5 891
Write events: 23
Delete events: 0

Modification events

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3828) zipsoft-2-install (1).exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\417C44EB
Operation: write
Name: LanguageList
Value: en-GB
Executable files: 0
Suspicious files: 11
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: CCD76790A39776943D08D62F69BB662B
SHA256: 0F0A74DA0956157F90A06D1933CE7619C7FD08C0EA03F8194E46056B36C8EEA3

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\Local\Temp\TarB768.tmp | binary
MD5: 9441737383D21192400ECA82FDA910EC
SHA256: BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 85567F6EE6D40BE9CA2BDF1237E5AA1B
SHA256: 051FF8FD83682AB5F7A975BB54BEEB9A5C27A21EEEF378F0DE421027ABD499DA

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
MD5: 74CBD7868F0B8710FF82EEF40342F348
SHA256: 44CCFCF5CCB4D789BC2DEE5A84FEBCA2FAAD882403F5023F6595099CEECEDF76

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA8B72E153ECD2AB5A49B87A4DF1FAB2 | binary
MD5: F42379B41352DE6A32F5E101EF388D97
SHA256: 5DF32199DF74BC55A3870D81E6B6DB5B52603C23C36E23CCF8C6B3BFFDCC8DE0

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA8B72E153ECD2AB5A49B87A4DF1FAB2 | binary
MD5: 5C3D5516DD6C595832169E69D1E25D43
SHA256: 43AFB5063A53EC43D019D7FB4D1A964FEA13F512F4BD868B13AA1CC5C0E15518

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\Local\Temp\CabB767.tmp | compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

3828 | zipsoft-2-install (1).exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 60FE01DF86BE2E5331B0CDBE86165686
SHA256: C08CCBC876CD5A7CDFA9670F9637DA57F6A1282198A9BC71FC7D7247A6E5B7A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 8
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3828 | zipsoft-2-install (1).exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9d446fd2e6edf24 | unknown | compressed | 4.66 Kb | unknown
3828 | zipsoft-2-install (1).exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aa2e95dbe42fbdc2 | unknown | compressed | 61.6 Kb | unknown
3828 | zipsoft-2-install (1).exe | GET | 200 | 23.212.210.158:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
3828 | zipsoft-2-install (1).exe | GET | 200 | 184.24.77.71:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNDLu2rk%2BYtiWrcHseTEt2Acw%3D%3D | unknown | binary | 503 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3828 | zipsoft-2-install (1).exe | 188.130.153.33:443 | api.az-partners.net | Rostpay Ltd | RU | unknown
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3828 | zipsoft-2-install (1).exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3828 | zipsoft-2-install (1).exe | 23.212.210.158:80 | x1.c.lencr.org | AKAMAI-AS | AU | unknown
3828 | zipsoft-2-install (1).exe | 184.24.77.71:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
api.az-partners.net | 188.130.153.33, 188.130.153.32 | unknown
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
x1.c.lencr.org | 23.212.210.158 | whitelisted
r3.o.lencr.org | 184.24.77.71, 184.24.77.55 | shared

Threats

No threats detected
No debug info