Pikabot | a06a36de9b35

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\ZPHG.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	1.39 MB
MD5	b3fa794fdfb6b417ecdb135ff28b7899
SHA1	83fe427d99d06744dfb0f3556105d54dd2c2f6cc
SHA256	a06a36de9b35bf54940b70a0ba4c3f836e42613b51c96bc265ee8910c6ae1849
SSDeep	24576:U3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6:XmYqHU7pHYY00VcCDdowG3tMa6
ImpHash	66fd4e61aeff559a6af394a29c49ac49

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x004819A0
Size Of Code	0x000B1200
Size Of Initialized Data	0x000B0A00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2023-11-09 13:59 (UTC)

Version Information (8)

FileVersion	27.0.25.114
ProductVersion	27.0.25.114
CompanyName	Bitdefender
FileDescription	bduserhost
InternalName	bduserhost.exe
LegalCopyright	©1997-2023 Bitdefender
OriginalFilename	bduserhost.exe
ProductName	Bitdefender 2023

Sections (7)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x000B109C	0x000B1200	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.57
.rdata	0x004B3000	0x000240BE	0x00024200	0x000B1600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.03
.data	0x004D8000	0x00006194	0x00004A00	0x000D5800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.91
.detourc	0x004DF000	0x000011A0	0x00001200	0x000DA200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	2.71
.detourd	0x004E1000	0x0000000C	0x00000200	0x000DB400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.07
.rsrc	0x004E2000	0x0007DE38	0x0007E000	0x000DB600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.58
.reloc	0x00560000	0x000089CC	0x00008A00	0x00159600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.63

Imports (11)

CRYPT32.dll (9)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CryptMsgGetParam	-	0x004B305C	0x000D5C00	0x000D4200	0x000000B8
CryptMsgClose	-	0x004B3060	0x000D5C04	0x000D4204	0x000000B1
CertFindCertificateInStore	-	0x004B3064	0x000D5C08	0x000D4208	0x00000035
CertCloseStore	-	0x004B3068	0x000D5C0C	0x000D420C	0x00000012
CertFreeCTLContext	-	0x004B306C	0x000D5C10	0x000D4210	0x0000003C
CertFreeCRLContext	-	0x004B3070	0x000D5C14	0x000D4214	0x0000003B
CertFreeCertificateContext	-	0x004B3074	0x000D5C18	0x000D4218	0x00000040
CryptQueryObject	-	0x004B3078	0x000D5C1C	0x000D421C	0x000000C8
CertGetNameStringW	-	0x004B307C	0x000D5C20	0x000D4220	0x0000004B

KERNEL32.dll (157)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
InitializeCriticalSectionEx	-	0x004B3084	0x000D5C28	0x000D4228	0x00000363
DecodePointer	-	0x004B3088	0x000D5C2C	0x000D422C	0x0000010C
CreateThread	-	0x004B308C	0x000D5C30	0x000D4230	0x000000F6
SetCurrentDirectoryW	-	0x004B3090	0x000D5C34	0x000D4234	0x0000050B
CreateToolhelp32Snapshot	-	0x004B3094	0x000D5C38	0x000D4238	0x000000FF
Process32FirstW	-	0x004B3098	0x000D5C3C	0x000D423C	0x0000042E
Process32NextW	-	0x004B309C	0x000D5C40	0x000D4240	0x00000430
GetCommandLineW	-	0x004B30A0	0x000D5C44	0x000D4244	0x000001DA
SetEvent	-	0x004B30A4	0x000D5C48	0x000D4248	0x00000518
HeapAlloc	-	0x004B30A8	0x000D5C4C	0x000D424C	0x00000348
HeapFree	-	0x004B30AC	0x000D5C50	0x000D4250	0x0000034C
HeapReAlloc	-	0x004B30B0	0x000D5C54	0x000D4254	0x0000034F
HeapSize	-	0x004B30B4	0x000D5C58	0x000D4258	0x00000351
GetProcessHeap	-	0x004B30B8	0x000D5C5C	0x000D425C	0x000002B7
CreateEventW	-	0x004B30BC	0x000D5C60	0x000D4260	0x000000C2
GetModuleHandleA	-	0x004B30C0	0x000D5C64	0x000D4264	0x00000278
OpenProcess	-	0x004B30C4	0x000D5C68	0x000D4268	0x0000040F
OpenEventW	-	0x004B30C8	0x000D5C6C	0x000D426C	0x00000403
GetExitCodeThread	-	0x004B30CC	0x000D5C70	0x000D4270	0x00000240
LocalFree	-	0x004B30D0	0x000D5C74	0x000D4274	0x000003D3
LocalAlloc	-	0x004B30D4	0x000D5C78	0x000D4278	0x000003CE
GetCurrentProcess	-	0x004B30D8	0x000D5C7C	0x000D427C	0x0000021A
LockFile	-	0x004B30DC	0x000D5C80	0x000D4280	0x000003DD
UnlockFile	-	0x004B30E0	0x000D5C84	0x000D4284	0x000005B2
WriteFile	-	0x004B30E4	0x000D5C88	0x000D4288	0x00000616
SetEnvironmentVariableW	-	0x004B30E8	0x000D5C8C	0x000D428C	0x00000516
GetSystemDirectoryW	-	0x004B30EC	0x000D5C90	0x000D4290	0x000002E3
LoadLibraryExW	-	0x004B30F0	0x000D5C94	0x000D4294	0x000003C7
FreeEnvironmentStringsW	-	0x004B30F4	0x000D5C98	0x000D4298	0x000001AD
GetEnvironmentStringsW	-	0x004B30F8	0x000D5C9C	0x000D429C	0x0000023A
GetCommandLineA	-	0x004B30FC	0x000D5CA0	0x000D42A0	0x000001D9
GetOEMCP	-	0x004B3100	0x000D5CA4	0x000D42A4	0x0000029A
WideCharToMultiByte	-	0x004B3104	0x000D5CA8	0x000D42A8	0x00000602
MultiByteToWideChar	-	0x004B3108	0x000D5CAC	0x000D42AC	0x000003F3
GetModuleHandleW	-	0x004B310C	0x000D5CB0	0x000D42B0	0x0000027B
GetCurrentProcessId	-	0x004B3110	0x000D5CB4	0x000D42B4	0x0000021B
ProcessIdToSessionId	-	0x004B3114	0x000D5CB8	0x000D42B8	0x00000431
CreateFileW	-	0x004B3118	0x000D5CBC	0x000D42BC	0x000000CE
GetLastError	-	0x004B311C	0x000D5CC0	0x000D42C0	0x00000264
FormatMessageA	-	0x004B3120	0x000D5CC4	0x000D42C4	0x000001A9
FreeLibrary	-	0x004B3124	0x000D5CC8	0x000D42C8	0x000001AE
GetProcAddress	-	0x004B3128	0x000D5CCC	0x000D42CC	0x000002B1
LoadLibraryW	-	0x004B312C	0x000D5CD0	0x000D42D0	0x000003C8
GetModuleFileNameW	-	0x004B3130	0x000D5CD4	0x000D42D4	0x00000277
GetModuleHandleExW	-	0x004B3134	0x000D5CD8	0x000D42D8	0x0000027A
DeleteCriticalSection	-	0x004B3138	0x000D5CDC	0x000D42DC	0x00000113
CloseHandle	-	0x004B313C	0x000D5CE0	0x000D42E0	0x00000089
Sleep	-	0x004B3140	0x000D5CE4	0x000D42E4	0x00000581
RaiseException	-	0x004B3144	0x000D5CE8	0x000D42E8	0x00000464
SetDllDirectoryW	-	0x004B3148	0x000D5CEC	0x000D42EC	0x00000510
GetACP	-	0x004B314C	0x000D5CF0	0x000D42F0	0x000001B5
IsValidCodePage	-	0x004B3150	0x000D5CF4	0x000D42F4	0x0000038F
GetTimeZoneInformation	-	0x004B3154	0x000D5CF8	0x000D42F8	0x00000311
EnumSystemLocalesW	-	0x004B3158	0x000D5CFC	0x000D42FC	0x00000157
GetUserDefaultLCID	-	0x004B315C	0x000D5D00	0x000D4300	0x00000315
IsValidLocale	-	0x004B3160	0x000D5D04	0x000D4304	0x00000391
GetLocaleInfoW	-	0x004B3164	0x000D5D08	0x000D4308	0x00000268
LCMapStringW	-	0x004B3168	0x000D5D0C	0x000D430C	0x000003B5
CompareStringW	-	0x004B316C	0x000D5D10	0x000D4310	0x0000009E
GetTimeFormatW	-	0x004B3170	0x000D5D14	0x000D4314	0x0000030F
GetDateFormatW	-	0x004B3174	0x000D5D18	0x000D4318	0x00000224
ReadConsoleW	-	0x004B3178	0x000D5D1C	0x000D431C	0x00000472
ReadFile	-	0x004B317C	0x000D5D20	0x000D4320	0x00000475
GetConsoleMode	-	0x004B3180	0x000D5D24	0x000D4324	0x000001FF
GetConsoleOutputCP	-	0x004B3184	0x000D5D28	0x000D4328	0x00000203
FlushFileBuffers	-	0x004B3188	0x000D5D2C	0x000D432C	0x000001A2
GetStdHandle	-	0x004B318C	0x000D5D30	0x000D4330	0x000002D5
ExitProcess	-	0x004B3190	0x000D5D34	0x000D4334	0x00000161
GetFileType	-	0x004B3194	0x000D5D38	0x000D4338	0x00000251
SetStdHandle	-	0x004B3198	0x000D5D3C	0x000D433C	0x0000054E
FreeLibraryAndExitThread	-	0x004B319C	0x000D5D40	0x000D4340	0x000001AF
ExitThread	-	0x004B31A0	0x000D5D44	0x000D4344	0x00000162
SetConsoleCtrlHandler	-	0x004B31A4	0x000D5D48	0x000D4348	0x000004EB
TlsFree	-	0x004B31A8	0x000D5D4C	0x000D434C	0x000005A3
GetStringTypeW	-	0x004B31AC	0x000D5D50	0x000D4350	0x000002DA
CreateDirectoryW	-	0x004B31B0	0x000D5D54	0x000D4354	0x000000BD
FindClose	-	0x004B31B4	0x000D5D58	0x000D4358	0x00000178
FindFirstFileExW	-	0x004B31B8	0x000D5D5C	0x000D435C	0x0000017E
FindNextFileW	-	0x004B31BC	0x000D5D60	0x000D4360	0x0000018F
GetFileAttributesW	-	0x004B31C0	0x000D5D64	0x000D4364	0x00000248
GetFileAttributesExW	-	0x004B31C4	0x000D5D68	0x000D4368	0x00000245
GetFileInformationByHandle	-	0x004B31C8	0x000D5D6C	0x000D436C	0x0000024A
GetFinalPathNameByHandleW	-	0x004B31CC	0x000D5D70	0x000D4370	0x00000253
SetEndOfFile	-	0x004B31D0	0x000D5D74	0x000D4374	0x00000512
SetFileAttributesW	-	0x004B31D4	0x000D5D78	0x000D4378	0x0000051F
SetFilePointerEx	-	0x004B31D8	0x000D5D7C	0x000D437C	0x00000525
AreFileApisANSI	-	0x004B31DC	0x000D5D80	0x000D4380	0x00000023
DeviceIoControl	-	0x004B31E0	0x000D5D84	0x000D4384	0x00000120
GetFileInformationByHandleEx	-	0x004B31E4	0x000D5D88	0x000D4388	0x0000024B
InitializeSRWLock	-	0x004B31E8	0x000D5D8C	0x000D438C	0x00000367
ReleaseSRWLockExclusive	-	0x004B31EC	0x000D5D90	0x000D4390	0x000004B4
AcquireSRWLockExclusive	-	0x004B31F0	0x000D5D94	0x000D4394	0x00000000
EnterCriticalSection	-	0x004B31F4	0x000D5D98	0x000D4398	0x00000134
LeaveCriticalSection	-	0x004B31F8	0x000D5D9C	0x000D439C	0x000003C1
TryEnterCriticalSection	-	0x004B31FC	0x000D5DA0	0x000D43A0	0x000005AB
GetCurrentThreadId	-	0x004B3200	0x000D5DA4	0x000D43A4	0x0000021F
EncodePointer	-	0x004B3204	0x000D5DA8	0x000D43A8	0x00000130
LCMapStringEx	-	0x004B3208	0x000D5DAC	0x000D43AC	0x000003B4
QueryPerformanceCounter	-	0x004B320C	0x000D5DB0	0x000D43B0	0x0000044F
QueryPerformanceFrequency	-	0x004B3210	0x000D5DB4	0x000D43B4	0x00000450
InitializeConditionVariable	-	0x004B3214	0x000D5DB8	0x000D43B8	0x0000035E
WakeConditionVariable	-	0x004B3218	0x000D5DBC	0x000D43BC	0x000005E4
WakeAllConditionVariable	-	0x004B321C	0x000D5DC0	0x000D43C0	0x000005E3
SleepConditionVariableCS	-	0x004B3220	0x000D5DC4	0x000D43C4	0x00000582
SleepConditionVariableSRW	-	0x004B3224	0x000D5DC8	0x000D43C8	0x00000583
GetSystemTimeAsFileTime	-	0x004B3228	0x000D5DCC	0x000D43CC	0x000002EC
GetTickCount64	-	0x004B322C	0x000D5DD0	0x000D43D0	0x0000030B
GetLocaleInfoEx	-	0x004B3230	0x000D5DD4	0x000D43D4	0x00000267
CompareStringEx	-	0x004B3234	0x000D5DD8	0x000D43D8	0x0000009C
GetCPInfo	-	0x004B3238	0x000D5DDC	0x000D43DC	0x000001C4
IsDebuggerPresent	-	0x004B323C	0x000D5DE0	0x000D43E0	0x00000382
OutputDebugStringW	-	0x004B3240	0x000D5DE4	0x000D43E4	0x0000041B
GetEnvironmentVariableW	-	0x004B3244	0x000D5DE8	0x000D43E8	0x0000023C
ExpandEnvironmentStringsW	-	0x004B3248	0x000D5DEC	0x000D43EC	0x00000165
DeleteFileW	-	0x004B324C	0x000D5DF0	0x000D43F0	0x00000118
GetFileSizeEx	-	0x004B3250	0x000D5DF4	0x000D43F4	0x0000024F
SetFilePointer	-	0x004B3254	0x000D5DF8	0x000D43F8	0x00000524
DebugBreak	-	0x004B3258	0x000D5DFC	0x000D43FC	0x00000109
OutputDebugStringA	-	0x004B325C	0x000D5E00	0x000D4400	0x0000041A
SetLastError	-	0x004B3260	0x000D5E04	0x000D4404	0x00000534
WaitForSingleObject	-	0x004B3264	0x000D5E08	0x000D4408	0x000005DB
GetProcessTimes	-	0x004B3268	0x000D5E0C	0x000D440C	0x000002C1
GetCurrentThread	-	0x004B326C	0x000D5E10	0x000D4410	0x0000021E
GetLocalTime	-	0x004B3270	0x000D5E14	0x000D4414	0x00000265
GetWindowsDirectoryW	-	0x004B3274	0x000D5E18	0x000D4418	0x00000329
GetModuleFileNameA	-	0x004B3278	0x000D5E1C	0x000D441C	0x00000276
LoadLibraryExA	-	0x004B327C	0x000D5E20	0x000D4420	0x000003C6
LoadLibraryA	-	0x004B3280	0x000D5E24	0x000D4424	0x000003C5
FormatMessageW	-	0x004B3284	0x000D5E28	0x000D4428	0x000001AA
SetSearchPathMode	-	0x004B3288	0x000D5E2C	0x000D442C	0x0000054D
FileTimeToSystemTime	-	0x004B328C	0x000D5E30	0x000D4430	0x0000016D
K32GetMappedFileNameW	-	0x004B3290	0x000D5E34	0x000D4434	0x000003A3
WriteConsoleW	-	0x004B3294	0x000D5E38	0x000D4438	0x00000615
SuspendThread	-	0x004B3298	0x000D5E3C	0x000D443C	0x00000589
ResumeThread	-	0x004B329C	0x000D5E40	0x000D4440	0x000004CF
GetThreadContext	-	0x004B32A0	0x000D5E44	0x000D4444	0x000002FA
SetThreadContext	-	0x004B32A4	0x000D5E48	0x000D4448	0x00000558
FlushInstructionCache	-	0x004B32A8	0x000D5E4C	0x000D444C	0x000001A3
VirtualAlloc	-	0x004B32AC	0x000D5E50	0x000D4450	0x000005CA
VirtualProtect	-	0x004B32B0	0x000D5E54	0x000D4454	0x000005D0
VirtualFree	-	0x004B32B4	0x000D5E58	0x000D4458	0x000005CD
VirtualQuery	-	0x004B32B8	0x000D5E5C	0x000D445C	0x000005D2
GetLongPathNameW	-	0x004B32BC	0x000D5E60	0x000D4460	0x00000271
QueryDosDeviceW	-	0x004B32C0	0x000D5E64	0x000D4464	0x00000447
InitializeCriticalSectionAndSpinCount	-	0x004B32C4	0x000D5E68	0x000D4468	0x00000362
ResetEvent	-	0x004B32C8	0x000D5E6C	0x000D446C	0x000004C8
WaitForSingleObjectEx	-	0x004B32CC	0x000D5E70	0x000D4470	0x000005DC
UnhandledExceptionFilter	-	0x004B32D0	0x000D5E74	0x000D4474	0x000005B1
SetUnhandledExceptionFilter	-	0x004B32D4	0x000D5E78	0x000D4478	0x00000571
TerminateProcess	-	0x004B32D8	0x000D5E7C	0x000D447C	0x00000590
IsProcessorFeaturePresent	-	0x004B32DC	0x000D5E80	0x000D4480	0x00000389
GetStartupInfoW	-	0x004B32E0	0x000D5E84	0x000D4484	0x000002D3
InitializeSListHead	-	0x004B32E4	0x000D5E88	0x000D4488	0x00000366
RtlUnwind	-	0x004B32E8	0x000D5E8C	0x000D448C	0x000004D5
TlsAlloc	-	0x004B32EC	0x000D5E90	0x000D4490	0x000005A2
TlsGetValue	-	0x004B32F0	0x000D5E94	0x000D4494	0x000005A4
TlsSetValue	-	0x004B32F4	0x000D5E98	0x000D4498	0x000005A5

USER32.dll (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DispatchMessageW	-	0x004B3310	0x000D5EB4	0x000D44B4	0x000000BD
PeekMessageW	-	0x004B3314	0x000D5EB8	0x000D44B8	0x000002A7
TranslateMessage	-	0x004B3318	0x000D5EBC	0x000D44BC	0x000003A5
RegisterClassExW	-	0x004B331C	0x000D5EC0	0x000D44C0	0x000002DA
CreateWindowExW	-	0x004B3320	0x000D5EC4	0x000D44C4	0x00000076
ShowWindow	-	0x004B3324	0x000D5EC8	0x000D44C8	0x00000385
UpdateWindow	-	0x004B3328	0x000D5ECC	0x000D44CC	0x000003BF
BeginPaint	-	0x004B332C	0x000D5ED0	0x000D44D0	0x00000011
EndPaint	-	0x004B3330	0x000D5ED4	0x000D44D4	0x000000F4
PostQuitMessage	-	0x004B3334	0x000D5ED8	0x000D44D8	0x000002AC
DefWindowProcW	-	0x004B3338	0x000D5EDC	0x000D44DC	0x000000A7
MsgWaitForMultipleObjects	-	0x004B333C	0x000D5EE0	0x000D44E0	0x0000028F

ADVAPI32.dll (22)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ConvertSidToStringSidW	-	0x004B3000	0x000D5BA4	0x000D41A4	0x0000007B
LookupAccountSidW	-	0x004B3004	0x000D5BA8	0x000D41A8	0x000001A9
GetAclInformation	-	0x004B3008	0x000D5BAC	0x000D41AC	0x00000138
GetSidSubAuthorityCount	-	0x004B300C	0x000D5BB0	0x000D41B0	0x0000016D
GetSidSubAuthority	-	0x004B3010	0x000D5BB4	0x000D41B4	0x0000016C
GetSidIdentifierAuthority	-	0x004B3014	0x000D5BB8	0x000D41B8	0x0000016A
GetSecurityDescriptorDacl	-	0x004B3018	0x000D5BBC	0x000D41BC	0x0000015D
GetFileSecurityW	-	0x004B301C	0x000D5BC0	0x000D41C0	0x00000145
GetAce	-	0x004B3020	0x000D5BC4	0x000D41C4	0x00000137
SetSecurityDescriptorDacl	-	0x004B3024	0x000D5BC8	0x000D41C8	0x000002E8
InitializeSecurityDescriptor	-	0x004B3028	0x000D5BCC	0x000D41CC	0x0000018F
AdjustTokenPrivileges	-	0x004B302C	0x000D5BD0	0x000D41D0	0x0000001F
LookupPrivilegeValueW	-	0x004B3030	0x000D5BD4	0x000D41D4	0x000001AF
GetNamedSecurityInfoW	-	0x004B3034	0x000D5BD8	0x000D41D8	0x00000157
GetTokenInformation	-	0x004B3038	0x000D5BDC	0x000D41DC	0x00000170
OpenProcessToken	-	0x004B303C	0x000D5BE0	0x000D41E0	0x00000215
FreeSid	-	0x004B3040	0x000D5BE4	0x000D41E4	0x00000134
CheckTokenMembership	-	0x004B3044	0x000D5BE8	0x000D41E8	0x0000005F
AllocateAndInitializeSid	-	0x004B3048	0x000D5BEC	0x000D41EC	0x00000020
RegOpenKeyExW	-	0x004B304C	0x000D5BF0	0x000D41F0	0x0000028C
RegGetValueW	-	0x004B3050	0x000D5BF4	0x000D41F4	0x00000281
RegCloseKey	-	0x004B3054	0x000D5BF8	0x000D41F8	0x0000025B

SHELL32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SHGetKnownFolderPath	-	0x004B32FC	0x000D5EA0	0x000D44A0	0x00000159
CommandLineToArgvW	-	0x004B3300	0x000D5EA4	0x000D44A4	0x00000008

ole32.dll (3)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
StringFromCLSID	-	0x004B3380	0x000D5F24	0x000D4524	0x000001C9
CLSIDFromString	-	0x004B3384	0x000D5F28	0x000D4528	0x0000000C
CoTaskMemFree	-	0x004B3388	0x000D5F2C	0x000D452C	0x00000089

WINMM.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
timeGetTime	-	0x004B3354	0x000D5EF8	0x000D44F8	0x00000094

WINTRUST.dll (6)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CryptCATCatalogInfoFromContext	-	0x004B335C	0x000D5F00	0x000D4500	0x0000001A
CryptCATAdminReleaseContext	-	0x004B3360	0x000D5F04	0x000D4504	0x0000000E
CryptCATAdminAcquireContext	-	0x004B3364	0x000D5F08	0x000D4508	0x00000005
WinVerifyTrust	-	0x004B3368	0x000D5F0C	0x000D450C	0x0000008F
CryptCATAdminCalcHashFromFileHandle	-	0x004B336C	0x000D5F10	0x000D4510	0x00000008
CryptCATAdminEnumCatalogFromHash	-	0x004B3370	0x000D5F14	0x000D4514	0x0000000B

SHLWAPI.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PathIsRelativeW	-	0x004B3308	0x000D5EAC	0x000D44AC	0x00000069

ntdll.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
NtQuerySystemInformation	-	0x004B3378	0x000D5F1C	0x000D451C	0x000001FF

VERSION.dll (3)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetFileVersionInfoA	-	0x004B3344	0x000D5EE8	0x000D44E8	0x00000000
VerQueryValueA	-	0x004B3348	0x000D5EEC	0x000D44EC	0x0000000F
GetFileVersionInfoSizeA	-	0x004B334C	0x000D5EF0	0x000D44F0	0x00000004

Exports (1)

API Name	EAT Address	Ordinal
GetUserProcessHost	0x00038010	0x00000001

Digital Signature Information

Verification Status

Valid

Certificate: 4leaf Holding Corp.

Issued by	4leaf Holding Corp.
Parent Certificate	SSL.com EV Code Signing Intermediate CA RSA R3
Country Name	CA
Valid From	2024-01-26 19:53 (UTC)
Valid Until	2025-01-25 19:53 (UTC)
Algorithm	sha256_rsa
Serial Number	5E 90 65 01 75 69 20 86 F7 3D D0 5E E1 4B 3D A5
Thumbprint	94 BA CD 94 87 65 52 AA 68 3B 8D 9E 47 72 A0 E3 7C 98 5E 30

Certificate: SSL.com EV Code Signing Intermediate CA RSA R3

Issued by	SSL.com EV Code Signing Intermediate CA RSA R3
Parent Certificate	SSL.com EV Root Certification Authority RSA R2
Country Name	US
Valid From	2019-03-26 17:44 (UTC)
Valid Until	2034-03-22 17:44 (UTC)
Algorithm	sha256_rsa
Serial Number	42 4B 6A 53 CE C7 66 14 1C 2A 63 B1 A5 1C 41 04
Thumbprint	D2 95 3D BA 95 08 6F EB 58 05 BE FC 41 28 3C A6 4C 39 7D F5

Certificate: SSL.com EV Root Certification Authority RSA R2

Issued by	SSL.com EV Root Certification Authority RSA R2
Country Name	US
Valid From	2017-05-31 18:14 (UTC)
Valid Until	2042-05-30 18:14 (UTC)
Algorithm	sha256_rsa
Serial Number	56 B6 29 CD 34 BC 78 F6
Thumbprint	74 3A F0 52 9B D0 32 A0 F4 4A 83 CD D4 BA A9 7B 7C 2E C4 9A

Memory Dumps (71)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
zphg.exe	1	0x00400000	0x00568FFF	Relevant Image	32-bit	0x004824F5	... Actions Go to Process Download Dump
buffer	1	0x046D0000	0x04702FFF	First Execution	32-bit	0x046E4474	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DDD80	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E0790	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DBFD8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DE1B8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E3754	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D6538	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E156C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E2E2C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D1079	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D1022	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D9D0C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E17E8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF620	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DBAF4	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E42E8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E0440	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E3A21	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DEF28	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E1B58	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E42E8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E2054	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E3A21	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DEF28	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DB666	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E04F0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DC334	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DEF28	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E39F1	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DEF28	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E04F0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DEF28	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D14E4	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E156C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E41EC	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DDB14	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E2198	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D2000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D9D0C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D3B58	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D4000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D145F	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D500F	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DF620	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D2FA4	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E41EC	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D6000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DBF4C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D7000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E0CFC	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DAF78	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D82C0	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D6EF3	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D9D9E	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DFB8F	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DD8C8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E2FD4	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DAF78	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D7839	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046E0CFC	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D6AF2	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D9E09	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046DD8C8	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D8A5C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x046D0000	0x04702FFF	Content Changed	32-bit	0x046D108D	... Actions Go to Process Go to YARA Match Download Dump

8bb65388a6bc0e6484d15645e6464ef214f4f7f49e14e4b44dcf37c3709cfafe

Downloaded File

Stream

MIME Type	application/octet-stream
File Size	6.14 KB
MD5	ff0e215ff136f8fb9fff46b05591d899
SHA1	7b11f372072e5ac5825730d3f2115f4bc9110b99
SHA256	8bb65388a6bc0e6484d15645e6464ef214f4f7f49e14e4b44dcf37c3709cfafe
SSDeep	96:L2/JS1waG5LuZrvZEQsHiCDnlIRJXA/7Jf4byEiJ7sWqny83WC789isOMGcA:4JgtpZORlEwZsbbGCbLhh
ImpHash	-

5fd55da8747d933410bb637571802aca2eedf3314039722e2b9d6f37afdad97e

Downloaded File

HTML

MIME Type	text/html
File Size	552 Bytes
MD5	eac0a6a53d4a4353aace122055b4b4c8
SHA1	b400d2a40c870dd448eed9b418297c3038b9d023
SHA256	5fd55da8747d933410bb637571802aca2eedf3314039722e2b9d6f37afdad97e
SSDeep	12:TD11VI48lI5r8INGlTF5TF5TF5TF5TF5TFK:bGDTPTPTPTPTPTc
ImpHash	-

da78602eed761e8b98dc361be836680766a5d446ffe24d166c6487283fe01de0

Extracted File

Image

Parent File	C:\Users\RDhJ0CNFevzX\Desktop\ZPHG.exe
MIME Type	image/png
File Size	18.64 KB
MD5	059869d4f86e5c88a0b04f99c812981f
SHA1	6e79c69b131d751214b3dc53c67cdec8849d3f96
SHA256	da78602eed761e8b98dc361be836680766a5d446ffe24d166c6487283fe01de0
SSDeep	384:PjFatodVB+i5fSUFr1cX9Htcdicnsc0uIE6H2Iz:PjFaqD+qFr1cXdtX+0uIEq
ImpHash	-

Remarks (2/2)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information