Malware analysis zsu-1191326.exe Malicious activity | ANY.RUN

Add for printing

File name:	zsu-1191326.exe
Full analysis:	https://app.any.run/tasks/376fdd71-a659-41e4-b503-e757557715ac
Verdict:	Malicious activity
Analysis date:	February 25, 2025, 10:14:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	AE648D07114D0F8207A01ECD20D412AA
SHA1:	D954CFA7EE4C39CE78CC2C46444641648D55FAA9
SHA256:	52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84
SSDEEP:	98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - zsu-1191326.exe (PID: 6636)
  - msiexec.exe (PID: 4716)
- Executable content was dropped or overwritten
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - Prn64.bin (PID: 5000)
- The process creates files with name similar to system file names
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
- Drops 7-zip archiver for unpacking
  - zsu-1-1-9-1326.exe (PID: 936)
- Reads the Windows owner or organization settings
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
- Starts application with an unusual extension
  - PrnInst.exe (PID: 5472)
- Creates a software uninstall entry
  - zsu-1-1-9-1326.exe (PID: 936)
- Reads security settings of Internet Explorer
  - PrnUtils.exe (PID: 2676)
INFO
- Reads the computer name
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - msiexec.exe (PID: 4428)
  - PrnInst.exe (PID: 5472)
  - Prn64.bin (PID: 5000)
  - PrnUtils.exe (PID: 2676)
- Checks supported languages
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - msiexec.exe (PID: 4716)
  - msiexec.exe (PID: 4428)
  - PrnInst.exe (PID: 5472)
  - Prn64.bin (PID: 5000)
  - PrnUtils.exe (PID: 2676)
- The sample compiled with english language support
  - zsu-1191326.exe (PID: 6636)
  - zsu-1-1-9-1326.exe (PID: 936)
  - Prn64.bin (PID: 5000)
  - msiexec.exe (PID: 4716)
- Creates files or folders in the user directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Creates files in the program directory
  - zsu-1-1-9-1326.exe (PID: 936)
  - zsu-1191326.exe (PID: 6636)
- Create files in a temporary directory
  - zsu-1-1-9-1326.exe (PID: 936)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4716)
- Process checks computer location settings
  - PrnUtils.exe (PID: 2676)
- Manual execution by a user
  - chrome.exe (PID: 5032)
- Application launched itself
  - chrome.exe (PID: 5032)
- Compiled with Borland Delphi (YARA)
  - zsu-1-1-9-1326.exe (PID: 936)
- Creates a software uninstall entry
  - msiexec.exe (PID: 4716)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:29 23:29:47+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	197632
InitializedDataSize:	157184
UninitializedDataSize:	-
EntryPoint:	0x22c58
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.1.9.1326
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	This installation was built with InstallAware: http://www.installaware.com
CompanyName:	Zebra Technologies
FileDescription:	Zebra Setup Utilities Installation
FileVersion:	1.1.9.1326
LegalCopyright:	ZEBRA and the stylized Zebra head are trademarks of Zebra Technologies Corporation, registered in many jurisdictions worldwide. All other trademarks are the property of their respective owners. ©2025 Zebra Technologies Corporation and/or its affiliates. All rights reserved
ProductName:	Zebra Setup Utilities
ProductVersion:	1.1.9.1326

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

20

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

732

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4516 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

936

.\zsu-1-1-9-1326.exe /m="C:\Users\admin\Desktop\ZSU-11~1.EXE" /k=""

C:\ProgramData\mia55A5.tmp\zsu-1-1-9-1326.exe

zsu-1191326.exe

User:

admin

Company:

Zebra Technologies

Integrity Level:

HIGH

Description:

Zebra Setup Utilities Installation

Exit code:

0

Version:

1.1.9.1326

Modules

Images
c:\programdata\mia55a5.tmp\zsu-1-1-9-1326.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1400

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5184 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

0

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1856

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2160

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1796 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2408

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1904 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2676

"C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe"

C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

—

zsu-1-1-9-1326.exe

User:

admin

Company:

Zebra Technologies Corporation

Integrity Level:

HIGH

Description:

Zebra Simple Setup Utility

Version:

1.1.9.1324

Modules

Images
c:\program files (x86)\zebra technologies\zebra setup utilities\app\prnutils.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

3640

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4428

C:\Windows\syswow64\MsiExec.exe -Embedding DE07E70C436833F84F9DE65FB48F8A1F

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

0

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4624

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=1964,i,11176828561868743014,13475154176736545957,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

7 043

Read events

6 128

Write events

906

Delete events

9

Modification events


(PID) Process:	(6636) zsu-1191326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1191326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(936) zsu-1-1-9-1326.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\zsu-1-1-9-1326.exe
Operation:	write	Name:	IsHostApp
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 6C120000A57F81256E87DB01
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 979F9859AD5288671737ABDCABE518424384CD0DAEB48C0AF826904AD956D77E
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbs
Value: 31164270
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\140158.rbsLow
Value: 660056080
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80A349E2224DFB74FA01027FC3FFEEEE
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zebra Setup Utilities\
(PID) Process:	(4716) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D3A6725D802642043A6F21D186CE5268
Operation:	write	Name:	CE8A7029D2B3A4A4B87F59F71CB93BED
Value: 0171\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Zebra Technologies\Zebra Setup Utilities\App\PrnUtils.exe

Add for printing

Executable files

2 782

Suspicious files

92

Text files

124

Unknown types

0

Dropped files

PID	Process	Filename		Type
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\zsu-1-1-9-1326.msi		binary
		MD5:5C5DC988E6A2E6737175CF5A95B8ECCE	SHA256:960B35A932C4397081949A4AB8CCEDBD15482724769CFA9F85FD6A842EF995FD
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\prnutils.chm		binary
		MD5:008753AC945918530DBCAD9E483EB394	SHA256:D8FA4F2D116E8F7D7A57B3F86E60AE2FBC6A50C8EC54597DDCAD18660EA14553
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\About.bmp		image
		MD5:79E9D314BB3F1040E042F814603EBA55	SHA256:C4D975F8A2A6B50AB5BF34D4A018270F54323C135FFE421BC712F2A1194D40DA
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\ZDesign.chm		binary
		MD5:2F1AC81A8964E6213C591F63CAB97240	SHA256:388D6BEE77BD2CF790A97BB0EDF957268A5263ECCDE689B2014F6646106D3ECF
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\zsu-1-1-9-1326.msi		binary
		MD5:5C5DC988E6A2E6737175CF5A95B8ECCE	SHA256:960B35A932C4397081949A4AB8CCEDBD15482724769CFA9F85FD6A842EF995FD
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\6B71268F\EULA.pdf		pdf
		MD5:EDE201CD561CB5C524EF18B0073ED100	SHA256:5960FB1A21A4AE7824896FBDB8B3E288D01C3979FECD08EFD1134BB5B1F42B08
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\F75D0379\ZebraBarcode.ttf		binary
		MD5:86783BB204BD942A98768CA9DE2AEF5E	SHA256:4A19C33BAFD4A19F433BF047C0A65B03032F30CA9E79CF81162679C995AB7FD3
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\1E7B3AEE\6B71268F\PrnInst.exe		executable
		MD5:6FDC47EA13BD9BA1994B1EAA0A45BD2C	SHA256:95FC7EC697B6230062537905E77568880751F623A073C98E4CA6B8502037FBED
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\PrnUtils.exe		executable
		MD5:A9B8CB130ED60029ADB4CAFE7ABDB2CD	SHA256:DEA8EC53CF94B11D41898BC90E5472F41FAFB807079605E4D24E2113C8DB5378
6636	zsu-1191326.exe	C:\ProgramData\mia55A5.tmp\data\OFFLINE\9DFA037B\1653EC00\About.bmp		image
		MD5:B68DC6433CE92629987DE971DF350E5B	SHA256:B9B3C707BCAF83BB8FE817E859CB8FA9FC941FC0C89B44D1FE1898718FC7F89B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

9

TCP/UDP connections

43

DNS requests

34

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6596	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7052	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3560	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5208	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5208	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.19.122.17:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	2.23.246.101 23.219.150.101	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	2.19.122.17 2.19.122.13 2.19.122.20 2.19.122.14 2.19.122.15 2.19.122.26 2.19.122.25 2.19.122.28 2.19.122.21	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
login.live.com	20.190.160.128 20.190.160.131 20.190.160.67 20.190.160.4 40.126.32.74 40.126.32.136 20.190.160.20 20.190.160.3	whitelisted
go.microsoft.com	2.18.97.227	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

zsu-1191326.exe

AE648D07114D0F8207A01ECD20D412AA

D954CFA7EE4C39CE78CC2C46444641648D55FAA9

52EACEF794F1C25308427DC0820F8AA6286D0B80E83A82F9DF020E021F92FC84

98304:NOejYtZ1Yz1rbGhx9LGrupR4YuURHpFTw8uWeQNdaKlYqoaKtekaajXJ9ojsD/xv:CvTQ6fugeavAfGkOTtry

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Drops 7-zip archiver for unpacking

Reads the Windows owner or organization settings

Starts application with an unusual extension

Creates a software uninstall entry

Reads security settings of Internet Explorer

INFO

Reads the computer name

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Creates files in the program directory

Create files in a temporary directory

Executable content was dropped or overwritten

Process checks computer location settings

Manual execution by a user

Application launched itself

Compiled with Borland Delphi (YARA)

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings