Malware analysis ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe Malicious activity

Add for printing

File name:	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe
Full analysis:	https://app.any.run/tasks/e6558e44-ed8a-4386-864b-f4bd043a6f3b
Verdict:	Malicious activity
Analysis date:	December 21, 2024, 19:48:15
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	6E9187E870238AD2D00866A47264E109
SHA1:	78E7CF585CBC9D02B6FAB6F268D49559E696B17A
SHA256:	7BEFC08954B8847B35E82BB40E6AEC8F69807C5A5C8861C35463C818F4628377
SSDEEP:	49152:NXNxvXaUxiPLFWDsbXOMO1AEaCybsGo8sBV5anzYkvkOjLjXZCNAzwHC1XLJB8sm:NX71xiPhWAbXOMQtaCWZsBynzYkpUNAq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - CleanWebSecure.exe (PID: 6428)
- Changes the autorun value in the registry
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 880)
SUSPICIOUS
- Executable content was dropped or overwritten
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZANG_Install.exe (PID: 6616)
  - eula.exe (PID: 1144)
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 6700)
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC10 Runtimes x86.exe (PID: 6780)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
- The process verifies whether the antivirus software is installed
  - ZoneAlarmUpdate.exe (PID: 6272)
  - ZoneAlarmUpdate.exe (PID: 6860)
  - ZANG_Install.exe (PID: 6616)
  - sc.exe (PID: 6604)
  - conhost.exe (PID: 3564)
  - dltel.exe (PID: 6912)
  - eula.exe (PID: 1144)
  - dltel.exe (PID: 7152)
  - ZA_WSC_ExecVerifier.exe (PID: 6284)
  - conhost.exe (PID: 4952)
  - CleanWebSecure.exe (PID: 6428)
  - sc.exe (PID: 1876)
  - conhost.exe (PID: 3988)
  - sc.exe (PID: 4052)
  - conhost.exe (PID: 5496)
  - conhost.exe (PID: 3640)
  - sc.exe (PID: 836)
  - sc.exe (PID: 5916)
  - sc.exe (PID: 716)
  - conhost.exe (PID: 7108)
  - conhost.exe (PID: 4824)
  - dltel.exe (PID: 1488)
  - ZANG_Prerequisites.exe (PID: 4228)
  - dllhost.exe (PID: 2152)
  - dltel.exe (PID: 4672)
  - sc.exe (PID: 424)
  - conhost.exe (PID: 3812)
  - msiexec.exe (PID: 308)
  - dltel.exe (PID: 6004)
  - dltel.exe (PID: 6580)
  - conhost.exe (PID: 6700)
  - dltel.exe (PID: 3656)
  - sc.exe (PID: 5464)
  - conhost.exe (PID: 6308)
  - sc.exe (PID: 5712)
  - msiexec.exe (PID: 6232)
  - conhost.exe (PID: 6436)
  - sc.exe (PID: 6444)
  - dltel.exe (PID: 6784)
  - zup.exe (PID: 4244)
  - conhost.exe (PID: 3560)
  - msiexec.exe (PID: 5588)
  - dltel.exe (PID: 4228)
  - reg.exe (PID: 6792)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 5112)
  - ZoneAlarmUpdate.exe (PID: 3812)
- Reads security settings of Internet Explorer
  - ZoneAlarmUpdate.exe (PID: 6272)
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 4160)
  - Setup.exe (PID: 628)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 880)
  - msiexec.exe (PID: 5588)
  - zup.exe (PID: 4244)
  - ZoneAlarmUpdate.exe (PID: 6860)
- The process creates files with name similar to system file names
  - ZANG_Install.exe (PID: 6616)
  - eula.exe (PID: 1144)
  - ZANG_Prerequisites.exe (PID: 4228)
  - WerFault.exe (PID: 5032)
- Malware-specific behavior (creating "System.dll" in Temp)
  - ZANG_Install.exe (PID: 6616)
  - eula.exe (PID: 1144)
  - ZANG_Prerequisites.exe (PID: 4228)
- Executes as Windows Service
  - ZoneAlarmUpdate.exe (PID: 6860)
  - VSSVC.exe (PID: 5776)
- Windows service management via SC.EXE
  - sc.exe (PID: 6604)
  - sc.exe (PID: 1876)
  - sc.exe (PID: 4052)
  - sc.exe (PID: 836)
  - sc.exe (PID: 5916)
  - sc.exe (PID: 716)
  - sc.exe (PID: 424)
  - sc.exe (PID: 5464)
  - sc.exe (PID: 5712)
  - sc.exe (PID: 6444)
- Searches for installed software
  - ZANG_Install.exe (PID: 6616)
  - VC11 Runtimes x64.exe (PID: 6700)
  - dllhost.exe (PID: 2152)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
- Checks Windows Trust Settings
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - Setup.exe (PID: 628)
  - VC11 Runtimes x86.exe (PID: 4076)
  - msiexec.exe (PID: 5112)
  - VC12 Runtimes x86.exe (PID: 880)
  - msiexec.exe (PID: 5588)
- Process drops legitimate windows executable
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 6700)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
  - msiexec.exe (PID: 5112)
- Starts a Microsoft application from unusual location
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x64.exe (PID: 6700)
  - VC10 Runtimes x86.exe (PID: 6780)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
- Application launched itself
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 880)
  - ZoneAlarmUpdate.exe (PID: 6860)
- Creates a software uninstall entry
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 880)
  - ZANG_Install.exe (PID: 6616)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 448)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 448)
  - msiexec.exe (PID: 5112)
- Creates file in the systems drive root
  - VC10 Runtimes x86.exe (PID: 6780)
- Creates files in the driver directory
  - msiexec.exe (PID: 2972)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 5112)
- Executes application which crashes
  - msiexec.exe (PID: 3140)
- Adds/modifies Windows certificates
  - msiexec.exe (PID: 5588)
- The process exported the data from the registry
  - zup.exe (PID: 4244)
- Uses REG/REGEDIT.EXE to modify registry
  - zup.exe (PID: 4244)
INFO
- The sample compiled with french language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with english language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZANG_Install.exe (PID: 6616)
  - eula.exe (PID: 1144)
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 6700)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
  - msiexec.exe (PID: 5112)
- The sample compiled with chinese language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- Create files in a temporary directory
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZANG_Install.exe (PID: 6616)
  - eula.exe (PID: 1144)
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 6700)
  - Setup.exe (PID: 628)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - msiexec.exe (PID: 5588)
  - zup.exe (PID: 4244)
  - reg.exe (PID: 6792)
- The sample compiled with swedish language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
- Checks supported languages
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdate.exe (PID: 6272)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZANG_Install.exe (PID: 6616)
  - ZoneAlarmUpdate.exe (PID: 6860)
  - dltel.exe (PID: 6912)
  - ZA_WSC_ExecVerifier.exe (PID: 6284)
  - eula.exe (PID: 1144)
  - CleanWebSecure.exe (PID: 6428)
  - dltel.exe (PID: 7152)
  - ZANG_Prerequisites.exe (PID: 4228)
  - dltel.exe (PID: 1488)
  - dltel.exe (PID: 4244)
  - dltel.exe (PID: 4980)
  - dltel.exe (PID: 5936)
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x64.exe (PID: 6700)
  - msiexec.exe (PID: 448)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 2456)
  - dltel.exe (PID: 6980)
  - VC10 Runtimes x86.exe (PID: 6780)
  - dltel.exe (PID: 6992)
  - Setup.exe (PID: 628)
  - dltel.exe (PID: 7152)
  - dltel.exe (PID: 3436)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC11 Runtimes x86.exe (PID: 5880)
  - msiexec.exe (PID: 5112)
  - dltel.exe (PID: 5036)
  - VC12 Runtimes x86.exe (PID: 880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - dltel.exe (PID: 1620)
  - dltel.exe (PID: 4932)
  - dltel.exe (PID: 6636)
  - dltel.exe (PID: 768)
  - dltel.exe (PID: 6004)
  - msiexec.exe (PID: 2972)
  - msiexec.exe (PID: 6772)
  - dltel.exe (PID: 4672)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 3656)
  - msiexec.exe (PID: 5588)
  - msiexec.exe (PID: 3140)
  - MSI8CB.tmp (PID: 1488)
  - dltel.exe (PID: 6784)
  - zup.exe (PID: 4244)
  - dltel.exe (PID: 4228)
  - ZoneAlarmUpdate.exe (PID: 3812)
- The sample compiled with german language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with czech language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
- The sample compiled with bulgarian language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
- The sample compiled with Italian language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with portuguese language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
- The sample compiled with russian language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with arabic language support
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
- Reads the computer name
  - ZoneAlarmUpdate.exe (PID: 6272)
  - dltel.exe (PID: 6912)
  - eula.exe (PID: 1144)
  - ZANG_Install.exe (PID: 6616)
  - dltel.exe (PID: 7152)
  - ZANG_Prerequisites.exe (PID: 4228)
  - dltel.exe (PID: 1488)
  - dltel.exe (PID: 5936)
  - dltel.exe (PID: 4244)
  - VC11 Runtimes x64.exe (PID: 4160)
  - VC11 Runtimes x64.exe (PID: 6700)
  - dltel.exe (PID: 4980)
  - msiexec.exe (PID: 448)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 2456)
  - dltel.exe (PID: 6992)
  - dltel.exe (PID: 6980)
  - VC10 Runtimes x86.exe (PID: 6780)
  - Setup.exe (PID: 628)
  - dltel.exe (PID: 7152)
  - dltel.exe (PID: 3436)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC11 Runtimes x86.exe (PID: 5880)
  - msiexec.exe (PID: 5112)
  - dltel.exe (PID: 5036)
  - VC12 Runtimes x86.exe (PID: 880)
  - VC12 Runtimes x86.exe (PID: 1020)
  - dltel.exe (PID: 1620)
  - dltel.exe (PID: 768)
  - dltel.exe (PID: 4932)
  - dltel.exe (PID: 6636)
  - dltel.exe (PID: 4672)
  - dltel.exe (PID: 6004)
  - msiexec.exe (PID: 2972)
  - msiexec.exe (PID: 6772)
  - dltel.exe (PID: 3656)
  - dltel.exe (PID: 6580)
  - msiexec.exe (PID: 5588)
  - msiexec.exe (PID: 3140)
  - dltel.exe (PID: 6784)
  - zup.exe (PID: 4244)
  - dltel.exe (PID: 4228)
  - ZoneAlarmUpdate.exe (PID: 3812)
- Process checks computer location settings
  - ZoneAlarmUpdate.exe (PID: 6272)
- Creates files in the program directory
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6860)
  - ZANG_Install.exe (PID: 6616)
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 6700)
  - VC11 Runtimes x64.exe (PID: 4160)
  - Setup.exe (PID: 628)
  - VC11 Runtimes x86.exe (PID: 5880)
  - VC11 Runtimes x86.exe (PID: 4076)
  - VC12 Runtimes x86.exe (PID: 1020)
  - VC12 Runtimes x86.exe (PID: 880)
  - msiexec.exe (PID: 308)
  - msiexec.exe (PID: 6232)
- The sample compiled with Indonesian language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
- The sample compiled with korean language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with polish language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
- The sample compiled with slovak language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
- The sample compiled with japanese language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- The sample compiled with turkish language support
  - ZoneAlarmUpdateSetup.exe (PID: 6456)
  - ZoneAlarmUpdate.exe (PID: 6516)
  - ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe (PID: 556)
- Reads the software policy settings
  - ZoneAlarmUpdate.exe (PID: 6860)
  - dltel.exe (PID: 6912)
  - dltel.exe (PID: 7152)
  - dltel.exe (PID: 1488)
  - ZANG_Prerequisites.exe (PID: 4228)
  - dltel.exe (PID: 4244)
  - dltel.exe (PID: 5936)
  - dltel.exe (PID: 4980)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - dltel.exe (PID: 6992)
  - dltel.exe (PID: 2456)
  - dltel.exe (PID: 6980)
  - dltel.exe (PID: 6580)
  - Setup.exe (PID: 628)
  - dltel.exe (PID: 3436)
  - dltel.exe (PID: 7152)
  - VC11 Runtimes x86.exe (PID: 4076)
  - msiexec.exe (PID: 5112)
  - dltel.exe (PID: 5036)
  - dltel.exe (PID: 1620)
  - VC12 Runtimes x86.exe (PID: 880)
  - dltel.exe (PID: 6636)
  - dltel.exe (PID: 4672)
  - dltel.exe (PID: 768)
  - dltel.exe (PID: 6004)
  - dltel.exe (PID: 4932)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 3656)
  - msiexec.exe (PID: 5588)
  - zup.exe (PID: 4244)
  - dltel.exe (PID: 4228)
  - dltel.exe (PID: 6784)
  - ZoneAlarmUpdate.exe (PID: 3812)
- Sends debugging messages
  - dltel.exe (PID: 6912)
  - dltel.exe (PID: 7152)
  - dltel.exe (PID: 1488)
  - dltel.exe (PID: 4980)
  - dltel.exe (PID: 4244)
  - dltel.exe (PID: 5936)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 6992)
  - dltel.exe (PID: 6980)
  - dltel.exe (PID: 2456)
  - Setup.exe (PID: 628)
  - dltel.exe (PID: 3436)
  - dltel.exe (PID: 7152)
  - dltel.exe (PID: 5036)
  - dltel.exe (PID: 1620)
  - dltel.exe (PID: 4932)
  - dltel.exe (PID: 6636)
  - dltel.exe (PID: 4672)
  - dltel.exe (PID: 768)
  - dltel.exe (PID: 6004)
  - dltel.exe (PID: 3656)
  - dltel.exe (PID: 6580)
  - zup.exe (PID: 4244)
  - dltel.exe (PID: 6784)
  - dltel.exe (PID: 4228)
- Reads the machine GUID from the registry
  - dltel.exe (PID: 6912)
  - dltel.exe (PID: 7152)
  - ZANG_Prerequisites.exe (PID: 4228)
  - dltel.exe (PID: 1488)
  - dltel.exe (PID: 4244)
  - dltel.exe (PID: 4980)
  - dltel.exe (PID: 5936)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - dltel.exe (PID: 2456)
  - dltel.exe (PID: 6580)
  - dltel.exe (PID: 6980)
  - dltel.exe (PID: 6992)
  - VC10 Runtimes x86.exe (PID: 6780)
  - Setup.exe (PID: 628)
  - dltel.exe (PID: 3436)
  - dltel.exe (PID: 7152)
  - msiexec.exe (PID: 5112)
  - dltel.exe (PID: 5036)
  - VC11 Runtimes x86.exe (PID: 4076)
  - dltel.exe (PID: 1620)
  - VC12 Runtimes x86.exe (PID: 880)
  - dltel.exe (PID: 6636)
  - dltel.exe (PID: 4932)
  - dltel.exe (PID: 768)
  - dltel.exe (PID: 6004)
  - dltel.exe (PID: 4672)
  - dltel.exe (PID: 3656)
  - dltel.exe (PID: 6580)
  - msiexec.exe (PID: 5588)
  - dltel.exe (PID: 6784)
  - zup.exe (PID: 4244)
  - dltel.exe (PID: 4228)
- Creates files or folders in the user directory
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 448)
  - msiexec.exe (PID: 5588)
  - WerFault.exe (PID: 5032)
- Checks proxy server information
  - ZANG_Prerequisites.exe (PID: 4228)
  - VC11 Runtimes x64.exe (PID: 4160)
  - msiexec.exe (PID: 5588)
  - zup.exe (PID: 4244)
  - ZoneAlarmUpdate.exe (PID: 3812)
- Manages system restore points
  - SrTasks.exe (PID: 2736)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 448)
  - msiexec.exe (PID: 5112)
- The sample compiled with spanish language support
  - msiexec.exe (PID: 448)
  - VC10 Runtimes x86.exe (PID: 6780)
  - msiexec.exe (PID: 5112)
- Creates a software uninstall entry
  - msiexec.exe (PID: 448)
  - msiexec.exe (PID: 5112)
- Reads CPU info
  - Setup.exe (PID: 628)
- Reads Environment values
  - msiexec.exe (PID: 2972)
  - msiexec.exe (PID: 3140)
- Application launched itself
  - msiexec.exe (PID: 5112)
- Starts application with an unusual extension
  - msiexec.exe (PID: 5112)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:09:30 20:28:31+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	84992
InitializedDataSize:	1028096
UninitializedDataSize:	-
EntryPoint:	0x4fdc
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.3.99.0
ProductVersionNumber:	1.3.99.0
FileFlagsMask:	0x003f
FileFlags:	Private build
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	CheckPoint Software Technologies Ltd.
FileDescription:	CheckPoint Update Setup
FileVersion:	1.3.99.0
InternalName:	CheckPoint Update Setup
LegalCopyright:	Copyright 2007-2010 Google Inc.
OriginalFileName:	ZoneAlarmUpdateSetup.exe
ProductName:	CheckPoint Update
ProductVersion:	1.3.99.0
LanguageId:	en
PrivateBuild:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

216

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\AppData\Local\Temp\nsm3DCF.tmp\EPElamDrv.msi" /qn /norestart /l*v+ "C:\ProgramData\CheckPoint\ZANG\Logs\Install\EPElamDrv.log"

C:\Windows\SysWOW64\msiexec.exe

—

ZANG_Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

424

C:\WINDOWS\system32\sc.exe query WscHelper

C:\Windows\SysWOW64\sc.exe

—

ZANG_Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

448

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

556

"C:\Users\admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

C:\Users\admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

explorer.exe

User:

admin

Company:

CheckPoint Software Technologies Ltd.

Integrity Level:

MEDIUM

Description:

CheckPoint Update Setup

Exit code:

2147748098

Version:

1.3.99.0

Modules

Images
c:\users\admin\appdata\local\temp\zonealarmngsetup_zang_fw_fr_ar8znp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

628

c:\688c76a6cc39f4baf6\Setup.exe /q /norestart /log "C:\ProgramData\CheckPoint\ZANG\Logs\ZANG_Prerequisites\VC10 Runtimes x86.log"

C:\688c76a6cc39f4baf6\Setup.exe

VC10 Runtimes x86.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Setup Installer

Exit code:

Version:

10.0.40219.1 built by: SP1Rel

Modules

Images
c:\688c76a6cc39f4baf6\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

716

C:\WINDOWS\system32\sc.exe query ZANG_DAF

C:\Windows\SysWOW64\sc.exe

—

ZANG_Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

768

"C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\dltel.exe" client_version=4.3.28.19803 unique_client=C931F85DC59AA54C9E5E8510908FCD25 type=211127 meta_data2="{OS_INFO}" int_field1=1 int_field2=1 int_field3=0 int_field5=0 int_field6=2011 int_field8=1 int_field9=0 int_field10=1435 str_field1=InstallPrereqSkip str_field2="ZANG_FW_FR" str_field3=4.3.28.19803 str_field4="AM,AR,FW,WebSecure" str_field5=4.3.283.19962 str_field6="NoInstallDate" str_field7="n/a" str_field8="en" str_field9="NoUMID" str_field10=C931F85DC59AA54C9E5E8510908FCD25

C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\dltel.exe

ZANG_Prerequisites.exe

User:

admin

Company:

Check Point Software Technologies Ltd.

Integrity Level:

HIGH

Description:

ZoneAlarm Datalake telemetry utility

Exit code:

2147500037

Version:

4.3.16.19803

Modules

Images
c:\users\admin\appdata\local\temp\nsp53a8.tmp\dltel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

836

"C:\WINDOWS\system32\sc.exe" query vsdatant

C:\Windows\SysWOW64\sc.exe

—

ZANG_Install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

880

"C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\VC12 Runtimes x86.exe" /quiet /norestart /log "C:\ProgramData\CheckPoint\ZANG\Logs\ZANG_Prerequisites\VC12 Runtimes x86.log"

C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\VC12 Runtimes x86.exe

ZANG_Prerequisites.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501

Exit code:

Version:

12.0.30501.0

Modules

Images
c:\users\admin\appdata\local\temp\nsp53a8.tmp\vc12 runtimes x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1020

"C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\VC12 Runtimes x86.exe" /quiet /norestart /log "C:\ProgramData\CheckPoint\ZANG\Logs\ZANG_Prerequisites\VC12 Runtimes x86.log" -burn.unelevated BurnPipe.{0DCD8BE7-B379-4B77-A011-45EADB34FE21} {49A7B8CB-979B-4048-B643-BACC9B18C809} 880

C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\VC12 Runtimes x86.exe

VC12 Runtimes x86.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501

Exit code:

Version:

12.0.30501.0

Modules

Images
c:\users\admin\appdata\local\temp\nsp53a8.tmp\vc12 runtimes x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

57 796

Read events

50 951

Write events

6 677

Delete events

168

Modification events


(PID) Process:	(556) ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\CheckPoint
Operation:	write	Name:	FileNameRaw
Value: ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe
(PID) Process:	(556) ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\CheckPoint\ZANG
Operation:	write	Name:	Tags
Value: bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1
(PID) Process:	(6456) ZoneAlarmUpdateSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\CheckPoint\ZANG
Operation:	write	Name:	Tags
Value: bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\ClientState\{814E4157-8A6C-461B-A80F-B75931228CA1}\CurrentState
Operation:	write	Name:	StateValue
Value: 3
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\CheckPoint\Update\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\ClientState\{814E4157-8A6C-461B-A80F-B75931228CA1}
Operation:	write	Name:	ping_freshness
Value: {AEADF737-78BF-419D-AE08-DC70FEE057B3}
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\ClientState\{814E4157-8A6C-461B-A80F-B75931228CA1}
Operation:	delete value	Name:	tttoken
Value:
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\ClientState\{814E4157-8A6C-461B-A80F-B75931228CA1}\CurrentState
Operation:	write	Name:	StateValue
Value: 4
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\PersistedPings\{D48C5B8D-46AD-4EF9-B998-2C47965C1A67}
Operation:	write	Name:	PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.99.0" shell_version="1.3.99.0" ismachine="1" sessionid="{0B089CB0-8C26-4BB1-BF5F-62888CA1A825}" userid="{24086617-397C-4EDC-8112-D77100306E57}" installsource="taggedmi" testsource="auto" requestid="{D48C5B8D-46AD-4EF9-B998-2C47965C1A67}" dedup="cr"><hw physmemory="4" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64"/><app appid="{814E4157-8A6C-461B-A80F-B75931228CA1}" version="" nextversion="4.3.283.19962" ap="ZANG_FW_FR" lang="en" brand="" client="" installage="-1" installdate="-1"><event eventtype="9" eventresult="1" errorcode="0" extracode1="0"/></app></request>
(PID) Process:	(6860) ZoneAlarmUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Update\PersistedPings\{D48C5B8D-46AD-4EF9-B998-2C47965C1A67}
Operation:	write	Name:	PersistedPingTime
Value: 133792841047308076

Add for printing

Executable files

393

Suspicious files

117

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\goopdate.dll		executable
		MD5:572B21A1706173306E8D8A3AC8007117	SHA256:F93FF69079392EBE57AB5E23076D2661145434487731C07A961D316C17AD7D34
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\psuser.dll		executable
		MD5:C565FE51CE4E97ED485939FAAC4C6536	SHA256:5AF920D7B0F66EE9347F1C5E21C0A5D6C35051E2D689CA0C8814BE5BDBBF2803
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\ZoneAlarmUpdateWebPlugin.exe		executable
		MD5:AD596D36921547CE92232DE04EA33176	SHA256:1C85060B1B487E1CEB3ECCC586DAC068517A1284EFE05054CA73FED88E9A3FAA
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\psuser_64.dll		executable
		MD5:75FCD97CF578662375C1EE5FEC14DF92	SHA256:BCE3CA9C896870E9DE6413526BEE418FFFDE7E2F9731B598D3889F482D21E61E
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\psmachine_64.dll		executable
		MD5:D4F77E1ADF2C1ACCE9F902714A04AB52	SHA256:9D9B86382931B944928A4DF3DEDA49D215279EEDE8CAAC4735FB068790AD542A
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\ZoneAlarmCrashHandler.exe		executable
		MD5:68351FEDF0579636DBBA97DD5E0EFE80	SHA256:4613295B428618717CD9C11D35694AA13C0708483E4C15A620E75592AB30C5EC
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\ZoneAlarmUpdateComRegisterShell64.exe		executable
		MD5:4C4934B6B9275A2F5EC789A0AE4EC9ED	SHA256:F3455A492F3F6F8319F8A35F49734C972D6CB3C4FB756E1EB2B6D6E37E36FFAC
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\ZoneAlarmUpdateHelper.msi		executable
		MD5:04AE2A984DF761CF7F03E8EBAE605422	SHA256:F633034B2B466FF541BC4AAB77B41C1D7A5490EF0CAD81C70BE07FE2D96B3A18
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\ZoneAlarmUpdateOnDemand.exe		executable
		MD5:E8A6969C0DD0EC68FF1DCF56C5ED5672	SHA256:50221B700233F01A8E76020D6E451410B3BE8A63B823190E739C965CEEB9316F
556	ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe	C:\Users\admin\AppData\Local\Temp\GUM5278.tmp\npZoneAlarmUpdate3.dll		executable
		MD5:8652BA1EC80DA71216607D056BA08209	SHA256:6E9DE753CC919E7667BAB4CE279C7142818B0BD22FE5BC7CDA068D4D302E2738

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6192	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4980	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4228	ZANG_Prerequisites.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
4980	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4160	VC11 Runtimes x64.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
4160	VC11 Runtimes x64.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5064	SearchApp.exe	23.212.110.209:443	www.bing.com	Akamai International B.V.	CZ	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	209.87.209.77:443	zupdate.zonealarm.com	ZONEALARM-COM	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143 2.16.164.120 2.16.164.49 2.16.164.72	whitelisted
www.microsoft.com	2.19.217.218 88.221.169.152	whitelisted
google.com	142.250.186.142	whitelisted
www.bing.com	23.212.110.209 23.212.110.218 23.212.110.217 23.212.110.203 23.212.110.201 23.212.110.186 23.212.110.185 23.212.110.187 23.212.110.208	whitelisted
login.live.com	20.190.159.4 20.190.159.68 40.126.31.67 20.190.159.75 20.190.159.23 20.190.159.0 40.126.31.71 20.190.159.2	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.35.238.131 184.28.89.167	whitelisted
zupdate.zonealarm.com	209.87.209.77	whitelisted
download.zonealarm.com	23.56.202.234 23.212.211.158	whitelisted

Threats

No threats detected

Add for printing

Process	Message
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsm3DCF.tmp\dltel.exe,client_version=4.3.283.19962,unique_client=NoClientID,type=211127,meta_data2={OS_INFO},int_field1=-1,int_field2=-1,int_field3=0,int_field5=0,int_field6=262,int_field8=-1,int_field9=0,int_field10=1392,str_field1=StopCPOSFW,str_field2=ZANG_FW_FR,str_field3=4.3.283.19962,str_field4=NoSKU,str_field5=NoClientVersion,str_field6=NoInstallDate,str_field7=n/a,str_field8=NoLanguage,str_field9=NoUMID,str_field10=NoClientID
dltel.exe	Error: telemetry::datalake::SendMsg: error = -2147467259 (0x80004005), description = Unspecified error
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsm3DCF.tmp\dltel.exe,client_version=4.3.283.19962,unique_client=C931F85DC59AA54C9E5E8510908FCD25,type=211127,meta_data2={OS_INFO},int_field1=1,int_field2=1,int_field3=0,int_field5=0,int_field6=1,int_field8=1,int_field9=0,int_field10=1395,str_field1=InstallBeginZANG_Install,str_field2=ZANG_FW_FR,str_field3=4.3.283.19962,str_field4=AM,AR,FW,WebSecure,str_field5=4.3.283.19962,str_field6=NoInstallDate,str_field7=n/a,str_field8=en,str_field9=NoUMID,str_field10=C931F85DC59AA54C9E5E8510908FCD25
dltel.exe	Error: telemetry::datalake::SendMsg: error = -2147467259 (0x80004005), description = Unspecified error
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsm3DCF.tmp\dltel.exe,client_version=4.3.283.19962,unique_client=C931F85DC59AA54C9E5E8510908FCD25,type=211127,meta_data2={OS_INFO},int_field1=1,int_field2=1,int_field3=0,int_field5=0,int_field6=5,int_field8=1,int_field9=0,int_field10=1397,str_field1=InstallBeginZANG_PrerequisitesInstall,str_field2=ZANG_FW_FR,str_field3=4.3.283.19962,str_field4=AM,AR,FW,WebSecure,str_field5=4.3.283.19962,str_field6=NoInstallDate,str_field7=n/a,str_field8=en,str_field9=NoUMID,str_field10=C931F85DC59AA54C9E5E8510908FCD25
dltel.exe	Error: telemetry::datalake::SendMsg: error = -2147467259 (0x80004005), description = Unspecified error
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\dltel.exe,client_version=4.3.28.19803,unique_client=C931F85DC59AA54C9E5E8510908FCD25,type=211127,meta_data2={OS_INFO},int_field1=1,int_field2=1,int_field3=0,int_field5=0,int_field6=1000,int_field8=1,int_field9=0,int_field10=1406,str_field1=InstallBeginPrerequisites,str_field2=ZANG_FW_FR,str_field3=4.3.28.19803,str_field4=AM,AR,FW,WebSecure,str_field5=4.3.283.19962,str_field6=NoInstallDate,str_field7=n/a,str_field8=en,str_field9=NoUMID,str_field10=C931F85DC59AA54C9E5E8510908FCD25
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\dltel.exe,client_version=4.3.28.19803,unique_client=C931F85DC59AA54C9E5E8510908FCD25,type=211127,meta_data2={OS_INFO},int_field1=1,int_field2=1,int_field3=0,int_field5=0,int_field6=2006,int_field8=1,int_field9=0,int_field10=1406,str_field1=InstallPrereqStart,str_field2=ZANG_FW_FR,str_field3=4.3.28.19803,str_field4=AM,AR,FW,WebSecure,str_field5=4.3.283.19962,str_field6=NoInstallDate,str_field7=n/a,str_field8=en,str_field9=NoUMID,str_field10=C931F85DC59AA54C9E5E8510908FCD25
dltel.exe	Arguments: C:\Users\admin\AppData\Local\Temp\nsp53A8.tmp\dltel.exe,client_version=4.3.28.19803,unique_client=C931F85DC59AA54C9E5E8510908FCD25,type=211127,meta_data2={OS_INFO},int_field1=1,int_field2=1,int_field3=0,int_field5=0,int_field6=2002,int_field8=1,int_field9=0,int_field10=1406,str_field1=InstallPrereqSkip,str_field2=ZANG_FW_FR,str_field3=4.3.28.19803,str_field4=AM,AR,FW,WebSecure,str_field5=4.3.283.19962,str_field6=NoInstallDate,str_field7=n/a,str_field8=en,str_field9=NoUMID,str_field10=C931F85DC59AA54C9E5E8510908FCD25
dltel.exe	Error: telemetry::datalake::SendMsg: error = -2147467259 (0x80004005), description = Unspecified error

General Info

ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

6E9187E870238AD2D00866A47264E109

78E7CF585CBC9D02B6FAB6F268D49559E696B17A

7BEFC08954B8847B35E82BB40E6AEC8F69807C5A5C8861C35463C818F4628377

49152:NXNxvXaUxiPLFWDsbXOMO1AEaCybsGo8sBV5anzYkvkOjLjXZCNAzwHC1XLJB8sm:NX71xiPhWAbXOMQtaCWZsBynzYkpUNAq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

The process verifies whether the antivirus software is installed

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Executes as Windows Service

Windows service management via SC.EXE

Searches for installed software

Checks Windows Trust Settings

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Application launched itself

Creates a software uninstall entry

The process drops C-runtime libraries

Reads the Windows owner or organization settings

Creates file in the systems drive root

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Executes application which crashes

Adds/modifies Windows certificates

The process exported the data from the registry

Uses REG/REGEDIT.EXE to modify registry

INFO

The sample compiled with french language support

The sample compiled with english language support

The sample compiled with chinese language support

Create files in a temporary directory

The sample compiled with swedish language support

Checks supported languages

The sample compiled with german language support

The sample compiled with czech language support

The sample compiled with bulgarian language support

The sample compiled with Italian language support

The sample compiled with portuguese language support

The sample compiled with russian language support

The sample compiled with arabic language support

Reads the computer name

Process checks computer location settings

Creates files in the program directory

The sample compiled with Indonesian language support

The sample compiled with korean language support

The sample compiled with polish language support

The sample compiled with slovak language support

The sample compiled with japanese language support

The sample compiled with turkish language support

Reads the software policy settings

Sends debugging messages

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks proxy server information

Manages system restore points

Executable content was dropped or overwritten

The sample compiled with spanish language support

Creates a software uninstall entry

Reads CPU info

Reads Environment values

Application launched itself

Starts application with an unusual extension

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes