File name: zuma-deluxe-1.0.exe
Full analysis: https://app.any.run/tasks/410081e1-fabb-4d6a-99a6-0a9d12273431
Verdict: Malicious activity
Analysis date: March 10, 2024, 12:04:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5: 8B13A3EF51B432A08470C12896C069E8
SHA1: 15C14F18202D0F309F36F38BDC333C1A57E5DB66
SHA256: 54D7EF25B03F2D04D09F11D8614DF9C3B99BA55BE473DBE7FA1243DBF26855ED
SSDEEP: 98304:n7gjE6xajoOOyY48GHQQ5rq81dspnCT0vUCVI+Med7LnPnLmWAK3/DjPLu7kybIX:repGEj/9m6RITw1pn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
    • Checks Windows Trust Settings

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Executable content was dropped or overwritten

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
    • Reads settings of System Certificates

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Adds/modifies Windows certificates

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Creates a software uninstall entry

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Reads the Internet Settings

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
  • INFO

    • Reads the computer name

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
      • popcapgame1.exe (PID: 3516)
    • Checks supported languages

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
      • popcapgame1.exe (PID: 3516)
    • Reads Environment values

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Creates files in the program directory

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
      • popcapgame1.exe (PID: 3516)
    • Reads the machine GUID from the registry

      • zuma-deluxe-1.0.exe (PID: 1776)
      • Zuma.exe (PID: 2692)
    • Creates files in a temporary directory

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Reads the software policy settings

      • zuma-deluxe-1.0.exe (PID: 1776)
    • Checks proxy server information

      • Zuma.exe (PID: 2692)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:09:22 18:34:03+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 290816
InitializedDataSize: 98304
UninitializedDataSize: -
EntryPoint: 0x31e80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → zuma-deluxe-1.0.exe → zuma.exe → popcapgame1.exe; a second zuma-deluxe-1.0.exe instance (no specs)

Process information

PID: 1776
CMD: "C:\Users\admin\AppData\Local\Temp\zuma-deluxe-1.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\zuma-deluxe-1.0.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\zuma-deluxe-1.0.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll

PID: 2692
CMD: "C:\Program Files\PopCap Games\Zuma Deluxe\Zuma.exe"
Path: C:\Program Files\PopCap Games\Zuma Deluxe\Zuma.exe
Parent process: zuma-deluxe-1.0.exe
User: admin
Integrity Level: HIGH
Description: Zuma
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
  • c:\program files\popcap games\zuma deluxe\zuma.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\wsock32.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\user32.dll

PID: 3516
CMD: "C:\ProgramData\PopCap Games\Zuma\popcapgame1.exe" -changedir="C:\Program Files\PopCap Games\Zuma Deluxe\"
Path: C:\ProgramData\PopCap Games\Zuma\popcapgame1.exe
Parent process: Zuma.exe
User: admin
Integrity Level: HIGH
Description: Zuma
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
  • c:\programdata\popcap games\zuma\popcapgame1.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winmm.dll
PID: 4052
CMD: "C:\Users\admin\AppData\Local\Temp\zuma-deluxe-1.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\zuma-deluxe-1.0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch exited before the elevated instance, PID 1776, ran)
Modules (images):
  • c:\users\admin\appdata\local\temp\zuma-deluxe-1.0.exe
  • c:\windows\system32\ntdll.dll
Total events: 7 622
Read events: 7 526
Write events: 84
Delete events: 12

Modification events

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: ConfigInstallType
Value: 2

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: ConfigApplicationPath
Value: C:\Program Files\PopCap Games\Zuma Deluxe

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: ConfigGDFBinaryPath
Value: C:\Program Files\PopCap Games\Zuma Deluxe\Zuma.exe

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: ApplicationId
Value: {CF92B623-F090-4FDB-8BFB-2505D626CD46}

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: Title
Value: Zuma™ Deluxe

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: RatingsInfo
Value: <Ratings xmlns="urn:schemas-microsoft-com:GameDescription.v1"> <Rating ratingSystemID="{768BD93D-63BE-46A9-8994-0B53C4B5248F}" ratingID="{7A53B0BE-B92D-4e8a-A11F-8E6F9F3C575B}"/> </Ratings>

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: Description
Value: Unearth the ancient secrets of Zuma! Survive the hidden jungle temples... shoot magical balls to clear a deadly chain... avoid dangerous traps... and do it all before the chain reaches the golden skull. Be quick, or you'll be history in this action-packed challenge.

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0ABD0415-76A0-4A15-B846-C18B919BF6D6}
Operation: write
Name: Type
Value: 0

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1776) zuma-deluxe-1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
Executable files: 4
Suspicious files: 101
Text files: 440
Unknown types: 28

Dropped files

PID | Process | Filename | Type

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\files.cab | -
MD5:
SHA256:

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\defines.xml | text
MD5: 33F72C59461C45073AF328AFD70C7A1D
SHA256: 8B0A6448164795E044F47D3D4BBBEF5EE4A4208C160F746FD57BF58079C31F2C

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\logo.bmp | image
MD5: 1843D66328CEDC1CE60CB98F3D593F4A
SHA256: 7F3E2F0EC8926E7911FE024271387657ADF8BDA95581C6235F995BE57FF56EA1

1776 | zuma-deluxe-1.0.exe | C:\Program Files\PopCap Games\Zuma Deluxe\drm\common\fonts\_Arial12Bold.png | image
MD5: 863930D80A382BB4520ACC37C53D82F9
SHA256: 411C9B874945D4EB690A7D1DAB646B4A55CA0A054A78735D46D1B24D29299BD6

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\readme.html | html
MD5: A56B9138DAF1CE3AAB6845A186BE4972
SHA256: C98E8EE14648AAEFD228E25683173FDE79DC928FE6C3EEB56B9D4F843BAE5CD5

1776 | zuma-deluxe-1.0.exe | C:\Program Files\PopCap Games\moregames.ico | image
MD5: E213A8D3DF54E8C1431CC9DEC3016DB1
SHA256: 2DD8378B031F18F67B20FC2354476395D00CEDFA1947CB29A9583C88FB14F589

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\props.xml | xml
MD5: ACF2E02C4FEDBF05762C4ACEEE1C1D4C
SHA256: EF7C8669907E7476C089339490023311D4EA430409AF242D6E50C92409A2B1DF

1776 | zuma-deluxe-1.0.exe | C:\Program Files\PopCap Games\Zuma Deluxe\drm\common\drm.xml | xml
MD5: 946A134DC587A63D6BD2118721221128
SHA256: ECD9B35903EEC8B6C68C4775831023648A2B084C58762DEC715584DC57C7B22B

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\install.xml | text
MD5: 518587C14E2F1BE212D1DB1D017EAD0E
SHA256: E98558F3C178BBDEDD5ACA92E347BE4D8768F0A474081C04B1C9DE4DFDFF91AA

1776 | zuma-deluxe-1.0.exe | C:\Users\admin\AppData\Local\Temp\popcfg2\product.bmp | image
MD5: 2473C200DBCBA64785E26C765D9B0184
SHA256: 02158A1864BDF784BDE817FA8E418E4F20ECF17C0CF4AD4D1EE0578C29CB466D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2692 | Zuma.exe | 49.13.77.253:80 | updates.popcap.com | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
updates.popcap.com | 49.13.77.253 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
Debug output

Process | Message
Zuma.exe | Init Time: 0.040992
popcapgame1.exe | Product: Zuma
popcapgame1.exe | BuildNum: 0
popcapgame1.exe | BuildDate:
popcapgame1.exe | Application requests 640 x 480 [ 4: 3]
popcapgame1.exe | Desktop is 1280 x 720 [16: 9]
popcapgame1.exe | Display is 640 x 480 [ 4: 3]
popcapgame1.exe | Draw buffer is 640 x 480 [ 4: 3]
popcapgame1.exe | Resource Loading Time: 2047
Zuma.exe | Session seconds: 1 Minutes Left: 60