Malware analysis zsu-1191326.exe Malicious activity | ANY.RUN

Add for printing

File name:	zsu-1191326.exe
Full analysis:	https://app.any.run/tasks/376fdd71-a659-41e4-b503-e757557715ac
Verdict:	Malicious activity
Analysis date:	February 25, 2025, 10:14:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	AE648D07114D0F8207A01ECD20D412AA
SHA1:	D954CFA7EE4C39CE78CC2C46444641648D55FAA9
SHA256:	52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84
SSDEEP:	98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - Prn64.bin (PID: 5000)
- Process drops legitimate windows executable
  - zsu-1191326.exe (PID: 6636)
  - msiexec.exe (PID: 4716)
- The process creates files with name similar to system file names
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
- Drops 7-zip archiver for unpacking
  - zsu-1-1-9-1326.exe (PID: 936)
- Reads the Windows owner or organization settings
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
- Reads security settings of Internet Explorer
  - PrnUtils.exe (PID: 2676)
- Starts application with an unusual extension
  - PrnInst.exe (PID: 5472)
- Creates a software uninstall entry
  - zsu-1-1-9-1326.exe (PID: 936)
INFO
- Creates files in the program directory
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
- The sample compiled with english language support
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - Prn64.bin (PID: 5000)
- Reads the computer name
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - PrnUtils.exe (PID: 2676)
  - PrnInst.exe (PID: 5472)
  - msiexec.exe (PID: 4428)
  - Prn64.bin (PID: 5000)
- Checks supported languages
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - msiexec.exe (PID: 4428)
  - PrnUtils.exe (PID: 2676)
  - PrnInst.exe (PID: 5472)
  - Prn64.bin (PID: 5000)
- Creates files or folders in the user directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Create files in a temporary directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Compiled with Borland Delphi (YARA)
  - zsu-1-1-9-1326.exe (PID: 936)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4716)
- Process checks computer location settings
  - PrnUtils.exe (PID: 2676)
- Creates a software uninstall entry
  - msiexec.exe (PID: 4716)
- Application launched itself
  - chrome.exe (PID: 5032)
- Manual execution by a user
  - chrome.exe (PID: 5032)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:29 23:29:47+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	197632
InitializedDataSize:	157184
UninitializedDataSize:	-
EntryPoint:	0x22c58
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.1.9.1326
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	This installation was built with InstallAware: http://www.installaware.com
CompanyName:	Zebra Technologies
FileDescription:	Zebra Setup Utilities Installation
FileVersion:	1.1.9.1326
LegalCopyright:	ZEBRA and the stylized Zebra head are trademarks of Zebra Technologies Corporation, registered in many jurisdictions worldwide. All other trademarks are the property of their respective owners. ©2025 Zebra Technologies Corporation and/or its affiliates. All rights reserved
ProductName:	Zebra Setup Utilities
ProductVersion:	1.1.9.1326

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

20

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

732

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4516 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

936

.\zsu-1-1-9-1326.exe /m="C:\Users\admin\Desktop\ZSU-11~1.EXE" /k=""

C:\ProgramData\mia55A5.tmp\zsu-1-1-9-1326.exe

zsu-1191326.exe

User:

admin

Company:

Zebra Technologies

Integrity Level:

HIGH

Description:

Zebra Setup Utilities Installation

Exit code:

0

Version:

1.1.9.1326

Modules

Images
c:\programdata\mia55a5.tmp\zsu-1-1-9-1326.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1400

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5184 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1856

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2160

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1796 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2408

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1904 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2676

"C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe"

C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

—

zsu-1-1-9-1326.exe

User:

admin

Company:

Zebra Technologies Corporation

Integrity Level:

HIGH

Description:

Zebra Simple Setup Utility

Version:

1.1.9.1324

Modules

Images
c:\program files (x86)\zebra technologies\zebra setup utilities\app\prnutils.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

3640

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4428

C:\Windows\syswow64\MsiExec.exe -Embedding DE07E70C436833F84F9DE65FB48F8A1F

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

0

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4624

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

7 043

Read events

6 128

Write events

906

Delete events

9

Modification events


(PID) Process:	(6636) zsu-1191326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1191326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(936) zsu-1-1-9-1326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1-1-9-1326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 6C120000A57F81256E87DB01
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 979F9859AD5288671737ABDCABE518424384CD0DAEB48C0AF826904AD956D77E
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbs
Value: 31164270
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbsLow
Value: 660056080
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80A349E2224DFB74FA01027FC3FFEEEE
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zebra Setup Utilities\
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D3A6725D802642043A6F21D186CE5268
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: 0171\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

Add for printing

Executable files

2 782

Suspicious files

92

Text files

124

Unknown types

0

Dropped files

PID	Process	Filename		Type
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\Splash.bmp		image
		MD5:9F75D2E1554332AE79F6D7B0651CDF38	SHA256:559856DFCF4C431707E2D90284A2C5F7B11119C2B729D427890223B0B755BC5F
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\About.bmp		image
		MD5:B68DC6433CE92629987DE971DF350E5B	SHA256:B9B3C707BCAF83BB8FE817E859CB8FA9FC941FC0C89B44D1FE1898718FC7F89B
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\ZDesign.chm		binary
		MD5:2F1AC81A8964E6213C591F63CAB97240	SHA256:388D6BEE77BD2CF790A97BB0EDF957268A5263ECCDE689B2014F6646106D3ECF
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\6B71268F\DFP3.vbs		text
		MD5:A1BB6ADB107AAC70D6B51FA7925D9104	SHA256:BF16B8D0B5D3C9DDF486EBB272AA7AC209C3BE4135D3271F559EBCCC79F63E55
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\prnutils.chm		binary
		MD5:008753AC945918530DBCAD9E483EB394	SHA256:D8FA4F2D116E8F7D7A57B3F86E60AE2FBC6A50C8EC54597DDCAD18660EA14553
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\icon.ico		image
		MD5:7A249B98A44B30FFB030B8CA868A9BFB	SHA256:3E4A789ADBD26DFA0C4921D72710AE7EE304D482F5C389299EB69E0A1D859470
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\A2C5B76A\Prn64.bin		executable
		MD5:D4EECE652E94EB3B41A0D7C8CE947259	SHA256:170536B689E79445B3201B8E7C045FACF289712C268F7D927D74EB39159E330F
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\zsu-1-1-9-1326.msi		binary
		MD5:5C5DC988E6A2E6737175CF5A95B8ECCE	SHA256:960B35A932C4397081949A4AB8CCEDBD15482724769CFA9F85FD6A842EF995FD
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\ZebraBarcode.ttf		binary
		MD5:86783BB204BD942A98768CA9DE2AEF5E	SHA256:4A19C33BAFD4A19F433BF047C0A65B03032F30CA9E79CF81162679C995AB7FD3
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\PrnUtils.exe		executable
		MD5:A9B8CB130ED60029ADB4CAFE7ABDB2CD	SHA256:DEA8EC53CF94B11D41898BC90E5472F41FAFB807079605E4D24E2113C8DB5378

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

9

TCP/UDP connections

43

DNS requests

34

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5208	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	314 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	QA	binary	973 b	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
5208	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	QA	binary	973 b	whitelisted
6596	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	DE	binary	471 b	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	CL	binary	419 b	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	CL	binary	408 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3560	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5208	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5208	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.19.122.17:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	2.23.246.101 23.219.150.101	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	2.19.122.17 2.19.122.13 2.19.122.20 2.19.122.14 2.19.122.15 2.19.122.26 2.19.122.25 2.19.122.28 2.19.122.21	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
login.live.com	20.190.160.128 20.190.160.131 20.190.160.67 20.190.160.4 40.126.32.74 40.126.32.136 20.190.160.20 20.190.160.3	whitelisted
go.microsoft.com	2.18.97.227	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

zsu-1191326.exe

AE648D07114D0F8207A01ECD20D412AA

D954CFA7EE4C39CE78CC2C46444641648D55FAA9

52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84

98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process creates files with name similar to system file names

Drops 7-zip archiver for unpacking

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Starts application with an unusual extension

Creates a software uninstall entry

INFO

Creates files in the program directory

The sample compiled with english language support

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

Compiled with Borland Delphi (YARA)

Executable content was dropped or overwritten

Process checks computer location settings

Creates a software uninstall entry

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings