URL: https://softmany.com/zapya-windows/

Full analysis: https://app.any.run/tasks/0fa2318b-7968-4709-9e70-f89aa6185ea3
Verdict: Malicious activity
Analysis date: May 13, 2024, 08:19:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qrcode
Indicators:
MD5: 251F9B532F0B1A33252B3B2F5C9EE6C0
SHA1: 9DEFEEA0D884ADC942981875FABA273B0C0FA048
SHA256: B340D89689D17FF88B07A0C82979BC1C4DBC204F4F8C069434AF06A0DFB05D53
SSDEEP: 3:N8HPoLGKIn1IvN:2v5+N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ZapyaPC2802Lite.exe (PID: 860)
      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Actions looks like stealing of personal data

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Changes the autorun value in the registry

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Creates a writable file in the system directory

      • ZapyaService.exe (PID: 3836)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ZapyaPC2802Lite.exe (PID: 860)
      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Process drops legitimate windows executable

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Reads the Windows owner or organization settings

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Starts CMD.EXE for commands execution

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 1332)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 1996)
      • cmd.exe (PID: 1312)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 916)
      • cmd.exe (PID: 1468)
      • cmd.exe (PID: 2076)
    • Reads the Internet Settings

      • ZapyaPC2802Lite.tmp (PID: 1940)
      • InstallUtil.exe (PID: 3424)
      • Zapya.exe (PID: 1616)
    • Reads Internet Explorer settings

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Reads Microsoft Outlook installation path

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Reads security settings of Internet Explorer

      • InstallUtil.exe (PID: 3424)
      • ZapyaAdaptor.exe (PID: 3480)
      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Executes as Windows Service

      • ZapyaService.exe (PID: 3836)
    • Checks Windows Trust Settings

      • ZapyaAdaptor.exe (PID: 3480)
    • Reads settings of System Certificates

      • ZapyaAdaptor.exe (PID: 3480)
      • Zapya.exe (PID: 1616)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3976)
      • msedge.exe (PID: 616)
      • msedge.exe (PID: 3884)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 328)
      • ZapyaPC2802Lite.exe (PID: 860)
      • ZapyaPC2802Lite.exe (PID: 1640)
      • msedge.exe (PID: 616)
      • Zapya.exe (PID: 1616)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 4036)
      • iexplore.exe (PID: 3976)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3976)
      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 4036)
    • Checks supported languages

      • wmpnscfg.exe (PID: 328)
      • ZapyaPC2802Lite.tmp (PID: 1940)
      • ZapyaPC2802Lite.exe (PID: 860)
      • ZsSetup.exe (PID: 3468)
      • InstallUtil.exe (PID: 3424)
      • ZapyaService.exe (PID: 3836)
      • Zapya.exe (PID: 1616)
      • ZapyaAdaptor.exe (PID: 3480)
    • Reads the computer name

      • wmpnscfg.exe (PID: 328)
      • ZapyaPC2802Lite.tmp (PID: 1940)
      • ZsSetup.exe (PID: 3468)
      • InstallUtil.exe (PID: 3424)
      • ZapyaService.exe (PID: 3836)
      • ZapyaAdaptor.exe (PID: 3480)
      • Zapya.exe (PID: 1616)
    • Create files in a temporary directory

      • ZapyaPC2802Lite.exe (PID: 860)
      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3976)
    • Reads product name

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Checks Windows language

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Reads Environment values

      • ZapyaPC2802Lite.tmp (PID: 1940)
      • Zapya.exe (PID: 1616)
    • Reads the machine GUID from the registry

      • ZapyaPC2802Lite.tmp (PID: 1940)
      • ZsSetup.exe (PID: 3468)
      • InstallUtil.exe (PID: 3424)
      • ZapyaService.exe (PID: 3836)
      • Zapya.exe (PID: 1616)
      • ZapyaAdaptor.exe (PID: 3480)
    • Creates files in the program directory

      • ZapyaPC2802Lite.tmp (PID: 1940)
      • InstallUtil.exe (PID: 3424)
      • ZapyaService.exe (PID: 3836)
    • Creates a software uninstall entry

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Creates files or folders in the user directory

      • ZsSetup.exe (PID: 3468)
      • Zapya.exe (PID: 1616)
      • ZapyaAdaptor.exe (PID: 3480)
    • Checks proxy server information

      • ZapyaPC2802Lite.tmp (PID: 1940)
    • Reads the software policy settings

      • ZapyaAdaptor.exe (PID: 3480)
      • Zapya.exe (PID: 1616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
107
Monitored processes
52
Malicious processes
4
Suspicious processes
1

Behavior graph

start iexplore.exe iexplore.exe wmpnscfg.exe no specs zapyapc2802lite.exe no specs zapyapc2802lite.exe zapyapc2802lite.tmp cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs zssetup.exe installutil.exe no specs zapyaservice.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs zapya.exe zapyaadaptor.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: "cmd.exe" /c taskkill /F /IM hh.exe
Path: C:\Windows\System32\cmd.exe
Parent process: ZapyaPC2802Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 328
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 616
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate "C:\Program Files\Zapya\ZapyaPC\tools\en-us\help_english.html"
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 860
CMD: "C:\Users\admin\Downloads\ZapyaPC2802Lite.exe"
Path: C:\Users\admin\Downloads\ZapyaPC2802Lite.exe
Parent process: explorer.exe
User:
admin
Company:
DewMobile,Inc.
Integrity Level:
HIGH
Description:
Zapya
Exit code:
0
Version:
2.8.0.2
Modules
Images
c:\users\admin\downloads\zapyapc2802lite.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 916
CMD: "cmd.exe" /c taskkill /F /IM ZapyaInternetSharing.exe
Path: C:\Windows\System32\cmd.exe
Parent process: ZapyaPC2802Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1060
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1012 --field-trial-handle=868,i,11573957106394497114,5686996122874492149,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3856 --field-trial-handle=1276,i,16564751475687004626,9871659166097606660,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1312
CMD: "cmd.exe" /c taskkill /F /IM WiFiDirectLegacyAP.exe
Path: C:\Windows\System32\cmd.exe
Parent process: ZapyaPC2802Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1312
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3312 --field-trial-handle=1276,i,16564751475687004626,9871659166097606660,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1332
CMD: "cmd.exe" /c taskkill /F /IM UninstallWin32.exe
Path: C:\Windows\System32\cmd.exe
Parent process: ZapyaPC2802Lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
49 565
Read events
49 184
Write events
303
Delete events
78

Modification events

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31106318

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31106318

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3976) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
108
Suspicious files
150
Text files
494
Unknown types
10

Dropped files

PID
Process
Filename
Type
PID: 4036 | Process: iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5: 3E549B5389BC9C0837D865F0FD5E6F76
SHA256: FFF9D6642902E0E72199831F2EFA86DEF70CC12C3647DC7907A1F10F07F37E01

PID: 4036 | Process: iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5: 8202A1CD02E7D69597995CABBE881A12
SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5

PID: 3976 | Process: iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
MD5: 726E3850700A33F9AA360CEE4E2EDE33
SHA256: DBF1C8110A2E52DE01271F6CAAE2F0C8E9018114497A395E510DB54CF219E2A8

PID: 4036 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5: 173EE8593AF6104923C7F170C0C3B70E
SHA256: 41232C54968C93E56379E6720019899ECF4D753EADC9529E8FB9DBC81A5D8451

PID: 4036 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5: 9A0D4D4BD842F84388E9680CDC4ECBC0
SHA256: C508E4BA0D5304B40E3B75220C9252597FA55DBAEF07ED19805E7C1EAC2CE7F2

PID: 4036 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5: 0B4BDAA9BA0DEA7A3E9394F28E4C3D90
SHA256: 37CABA727AEEC61A5A926C3CCEF56287A2190586658CDEC83D31E3793C51C0AB

PID: 4036 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery.min[1].js
MD5: 826EB77E86B02AB7724FE3D0141FF87C
SHA256: CB6F2D32C49D1C2B25E9FFC9AAAFA3F83075346C01BCD4AE6EB187392A4292CF

PID: 4036 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: 531C893D7F4BA7908EA8997EEC0A5143
SHA256: 0E2FF3A45806695DEE8D36CF3A805B04AEE3D5F0D848526DB864D9CAE6DE3D27

PID: 4036 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\postratings-js[1].js
MD5: 9BFD02B751CBFA3F0B493399A398B7AB
SHA256: 816C9C121E9F737DF79AA48AEE9E1E4FD4AA50A787E152C36A68DEF2B0072FC0

PID: 4036 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\embed-count-scroll.min[1].js
MD5: 9D5B9F0DDC4B807B28BDE14DE26F4C6A
SHA256: DA82D5638ED73ACE79F3F850E1AB80F414BD3FBB18F9554B8BB71A1CCCC1909A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
88
DNS requests
55
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
iexplore.exe
GET
304
23.220.73.6:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?260f79dbb405aab9
unknown
unknown
4036
iexplore.exe
GET
200
142.250.184.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
unknown
4036
iexplore.exe
GET
304
23.220.73.6:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa27c982be707355
unknown
unknown
3976
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
4036
iexplore.exe
GET
200
142.250.184.227:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEAFWoeiRoD5nEA9wbC%2FqWOc%3D
unknown
unknown
4036
iexplore.exe
GET
304
23.220.73.6:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?30bfcba95dc85498
unknown
unknown
4036
iexplore.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
unknown
4036
iexplore.exe
GET
200
142.250.184.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
unknown
3976
iexplore.exe
GET
304
23.220.73.6:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5fc92888093a54f7
unknown
unknown
4036
iexplore.exe
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEBsOdT%2B40yoXDxAvL7SeyBI%3D
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
4036
iexplore.exe
104.25.149.12:443
softmany.com
CLOUDFLARENET
US
shared
4036
iexplore.exe
23.220.73.6:80
ctldl.windowsupdate.com
Akamai International B.V.
US
unknown
4036
iexplore.exe
142.250.184.227:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3976
iexplore.exe
23.222.16.26:443
www.bing.com
Akamai International B.V.
US
unknown
3976
iexplore.exe
23.220.73.6:80
ctldl.windowsupdate.com
Akamai International B.V.
US
unknown
4036
iexplore.exe
142.250.186.40:443
www.googletagmanager.com
GOOGLE
US
unknown
4036
iexplore.exe
142.250.185.226:443
pagead2.googlesyndication.com
GOOGLE
US
unknown

DNS requests

Domain
IP
Reputation
softmany.com
  • 104.25.149.12
  • 104.25.148.12
unknown
ctldl.windowsupdate.com
  • 23.220.73.6
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 23.222.16.26
  • 23.222.16.32
  • 2.19.193.75
  • 2.19.193.73
  • 2.19.193.80
  • 2.19.193.65
  • 2.19.193.81
  • 2.19.193.74
  • 2.19.193.83
  • 2.19.193.67
  • 2.19.193.72
whitelisted
ocsp.pki.goog
  • 142.250.184.227
whitelisted
pagead2.googlesyndication.com
  • 142.250.185.226
whitelisted
www.googletagmanager.com
  • 142.250.186.40
whitelisted
cdnjs.cloudflare.com
  • 104.17.24.14
  • 104.17.25.14
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.youtube.com
  • 142.250.184.206
  • 142.250.185.174
  • 172.217.18.14
  • 142.250.186.174
  • 142.250.185.78
  • 172.217.16.142
  • 216.58.206.78
  • 142.250.185.110
  • 142.250.186.110
  • 142.250.185.142
  • 172.217.16.206
  • 142.250.186.142
  • 172.217.23.110
  • 216.58.206.46
  • 172.217.18.110
  • 216.58.212.142
whitelisted

Threats

No threats detected
Process
Message
ZsSetup.exe
2024-05-13 09:21:51.039 | [info] | [file: ] | [func: App_Startup] | [line: 0] | [col: 0] | C:\Program Files\Zapya\ZapyaPC
ZsSetup.exe
2024-05-13 09:21:51.492 | [info] | [file: ] | [func: App_Startup] | [line: 0] | [col: 0] | ZapyaService installed
ZsSetup.exe
2024-05-13 09:21:51.492 | [info] | [file: ] | [func: RunInstallUtil] | [line: 0] | [col: 0] | Microsoft (R) .NET Framework Installation utility Version 2.0.50727.7905 Copyright (c) Microsoft Corporation. All rights reserved. Running a transacted installation. Beginning the Install phase of the installation. See the contents of the log file for the C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe assembly's progress. The file is located at . Installing assembly 'C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe'. Affected parameters are: logtoconsole = logfile = assemblypath = C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe Installing service ZapyaService... Service ZapyaService has been successfully installed. Creating EventLog source ZapyaService in log Application... The Install phase completed successfully, and the Commit phase is beginning. See the contents of the log file for the C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe assembly's progress. The file is located at . Committing assembly 'C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe'. Affected parameters are: logtoconsole = logfile = assemblypath = C:\Program Files\Zapya\ZapyaPC\ZapyaService.exe The Commit phase completed successfully. The transacted install has completed.
ZapyaService.exe
2024-05-13 09:21:51.617 | [debug] | [file: ] | [func: Main] | [line: 0] | [col: 0] | Main() Start
ZapyaService.exe
2024-05-13 09:21:51.664 | [info] | [file: ] | [func: .ctor] | [line: 0] | [col: 0] | ZapyaService() End
ZapyaService.exe
2024-05-13 09:21:51.664 | [info] | [file: ] | [func: .ctor] | [line: 0] | [col: 0] | ZapyaService() Start
ZapyaService.exe
2024-05-13 09:21:51.695 | [info] | [file: ] | [func: Start] | [line: 0] | [col: 0] | CmdServer.Start()
ZapyaService.exe
2024-05-13 09:21:51.695 | [info] | [file: ] | [func: Start] | [line: 0] | [col: 0] | C:\Program Files\Zapya\ZapyaPC
ZapyaService.exe
2024-05-13 09:21:51.711 | [info] | [file: ] | [func: Run] | [line: 0] | [col: 0] | CmdServer.Run() Start
ZapyaService.exe
2024-05-13 09:21:51.711 | [error] | [file: ] | [func: .cctor] | [line: 0] | [col: 0] | The service has not been started