Malware analysis zsu-1191326.exe Malicious activity | ANY.RUN

Add for printing

File name:	zsu-1191326.exe
Full analysis:	https://app.any.run/tasks/376fdd71-a659-41e4-b503-e757557715ac
Verdict:	Malicious activity
Analysis date:	February 25, 2025, 10:14:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	AE648D07114D0F8207A01ECD20D412AA
SHA1:	D954CFA7EE4C39CE78CC2C46444641648D55FAA9
SHA256:	52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84
SSDEEP:	98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- The process creates files with name similar to system file names
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
- Process drops legitimate windows executable
  - zsu-1191326.exe (PID: 6636)
  - msiexec.exe (PID: 4716)
- Executable content was dropped or overwritten
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - Prn64.bin (PID: 5000)
- Drops 7-zip archiver for unpacking
  - zsu-1-1-9-1326.exe (PID: 936)
- Reads the Windows owner or organization settings
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
- Creates a software uninstall entry
  - zsu-1-1-9-1326.exe (PID: 936)
- Reads security settings of Internet Explorer
  - PrnUtils.exe (PID: 2676)
- Starts application with an unusual extension
  - PrnInst.exe (PID: 5472)
INFO
- Creates files in the program directory
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
- Checks supported languages
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - PrnUtils.exe (PID: 2676)
  - msiexec.exe (PID: 4716)
  - msiexec.exe (PID: 4428)
  - PrnInst.exe (PID: 5472)
  - Prn64.bin (PID: 5000)
- The sample compiled with english language support
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - Prn64.bin (PID: 5000)
- Reads the computer name
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - PrnUtils.exe (PID: 2676)
  - msiexec.exe (PID: 4716)
  - msiexec.exe (PID: 4428)
  - Prn64.bin (PID: 5000)
  - PrnInst.exe (PID: 5472)
- Creates files or folders in the user directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4716)
- Compiled with Borland Delphi (YARA)
  - zsu-1-1-9-1326.exe (PID: 936)
- Creates a software uninstall entry
  - msiexec.exe (PID: 4716)
- Create files in a temporary directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Manual execution by a user
  - chrome.exe (PID: 5032)
- Application launched itself
  - chrome.exe (PID: 5032)
- Process checks computer location settings
  - PrnUtils.exe (PID: 2676)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:29 23:29:47+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	197632
InitializedDataSize:	157184
UninitializedDataSize:	-
EntryPoint:	0x22c58
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.1.9.1326
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	This installation was built with InstallAware: http://www.installaware.com
CompanyName:	Zebra Technologies
FileDescription:	Zebra Setup Utilities Installation
FileVersion:	1.1.9.1326
LegalCopyright:	ZEBRA and the stylized Zebra head are trademarks of Zebra Technologies Corporation, registered in many jurisdictions worldwide. All other trademarks are the property of their respective owners. ©2025 Zebra Technologies Corporation and/or its affiliates. All rights reserved
ProductName:	Zebra Setup Utilities
ProductVersion:	1.1.9.1326

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

20

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

732

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4516 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

936

.\zsu-1-1-9-1326.exe /m="C:\Users\admin\Desktop\ZSU-11~1.EXE" /k=""

C:\ProgramData\mia55A5.tmp\zsu-1-1-9-1326.exe

zsu-1191326.exe

User:

admin

Company:

Zebra Technologies

Integrity Level:

HIGH

Description:

Zebra Setup Utilities Installation

Exit code:

0

Version:

1.1.9.1326

Modules

Images
c:\programdata\mia55a5.tmp\zsu-1-1-9-1326.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1400

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5184 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1856

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2160

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1796 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2408

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1904 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2676

"C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe"

C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

—

zsu-1-1-9-1326.exe

User:

admin

Company:

Zebra Technologies Corporation

Integrity Level:

HIGH

Description:

Zebra Simple Setup Utility

Version:

1.1.9.1324

Modules

Images
c:\program files (x86)\zebra technologies\zebra setup utilities\app\prnutils.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

3640

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4428

C:\Windows\syswow64\MsiExec.exe -Embedding DE07E70C436833F84F9DE65FB48F8A1F

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

0

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4624

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

7 043

Read events

6 128

Write events

906

Delete events

9

Modification events


(PID) Process:	(6636) zsu-1191326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1191326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(936) zsu-1-1-9-1326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1-1-9-1326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 6C120000A57F81256E87DB01
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 979F9859AD5288671737ABDCABE518424384CD0DAEB48C0AF826904AD956D77E
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbs
Value: 31164270
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbsLow
Value: 660056080
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80A349E2224DFB74FA01027FC3FFEEEE
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zebra Setup Utilities\
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D3A6725D802642043A6F21D186CE5268
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: 0171\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

Add for printing

Executable files

2 782

Suspicious files

92

Text files

124

Unknown types

0

Dropped files

PID	Process	Filename		Type
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\prnutils.chm		binary
		MD5:008753AC945918530DBCAD9E483EB394	SHA256:D8FA4F2D116E8F7D7A57B3F86E60AE2FBC6A50C8EC54597DDCAD18660EA14553
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\icon.ico		image
		MD5:7A249B98A44B30FFB030B8CA868A9BFB	SHA256:3E4A789ADBD26DFA0C4921D72710AE7EE304D482F5C389299EB69E0A1D859470
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\6B71268F\Readme.htm		html
		MD5:A6A6C1348F0A9383AB74E309E9951798	SHA256:0232D6EFEA39BCAC122DF1903F785247DCE09F9C370C8C8C5E96CDAF20ECFB05
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\About.bmp		image
		MD5:B68DC6433CE92629987DE971DF350E5B	SHA256:B9B3C707BCAF83BB8FE817E859CB8FA9FC941FC0C89B44D1FE1898718FC7F89B
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\A2C5B76A\Prn64.bin		executable
		MD5:D4EECE652E94EB3B41A0D7C8CE947259	SHA256:170536B689E79445B3201B8E7C045FACF289712C268F7D927D74EB39159E330F
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\ZDesign.chm		binary
		MD5:2F1AC81A8964E6213C591F63CAB97240	SHA256:388D6BEE77BD2CF790A97BB0EDF957268A5263ECCDE689B2014F6646106D3ECF
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\About.bmp		image
		MD5:79E9D314BB3F1040E042F814603EBA55	SHA256:C4D975F8A2A6B50AB5BF34D4A018270F54323C135FFE421BC712F2A1194D40DA
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\6B71268F\notices.html		html
		MD5:CE23A057BB8AC69C6045F9801CE0A997	SHA256:853F45CA0A1781484032D99F827541B7A936DCB193253D61C8A4042865E6D98E
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\setup.ini		text
		MD5:A529FC372211FB80379E6392D4911264	SHA256:DC63434B8BAB37130598E22AAEC6A270C6CC1D54FB22C28098A860D1C2B85332
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\Readme.htm		html
		MD5:622894113833862A501CFF7A1579E5C3	SHA256:7208E69D911D1123269E0BE4913B94E8EDD281574968D058D5763036CC18DC93

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

9

TCP/UDP connections

43

DNS requests

34

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6596	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3560	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5208	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5208	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.19.122.17:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	2.23.246.101 23.219.150.101	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	2.19.122.17 2.19.122.13 2.19.122.20 2.19.122.14 2.19.122.15 2.19.122.26 2.19.122.25 2.19.122.28 2.19.122.21	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
login.live.com	20.190.160.128 20.190.160.131 20.190.160.67 20.190.160.4 40.126.32.74 40.126.32.136 20.190.160.20 20.190.160.3	whitelisted
go.microsoft.com	2.18.97.227	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

zsu-1191326.exe

AE648D07114D0F8207A01ECD20D412AA

D954CFA7EE4C39CE78CC2C46444641648D55FAA9

52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84

98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process creates files with name similar to system file names

Process drops legitimate windows executable

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Reads the Windows owner or organization settings

Creates a software uninstall entry

Reads security settings of Internet Explorer

Starts application with an unusual extension

INFO

Creates files in the program directory

Checks supported languages

The sample compiled with english language support

Reads the computer name

Creates files or folders in the user directory

Executable content was dropped or overwritten

Compiled with Borland Delphi (YARA)

Creates a software uninstall entry

Create files in a temporary directory

Manual execution by a user

Application launched itself

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings