Malicious
Classifications

Downloader

Threat Names

Pikabot Mal/HTMLGen-A Mal/Generic-S

Remarks (2/2)

(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute, 35 seconds" to "10 seconds" to reveal dormant functionality.

File Name C:\Users\RDhJ0CNFevzX\Desktop\ZPHG.exe
Category Sample File
Type Binary
Verdict Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 1.39 MB
MD5 b3fa794fdfb6b417ecdb135ff28b7899
SHA1 83fe427d99d06744dfb0f3556105d54dd2c2f6cc
SHA256 a06a36de9b35bf54940b70a0ba4c3f836e42613b51c96bc265ee8910c6ae1849
SSDeep 24576:U3dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6:XmYqHU7pHYY00VcCDdowG3tMa6
ImpHash 66fd4e61aeff559a6af394a29c49ac49
File Reputation Information
Verdict Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x004819A0
Size Of Code 0x000B1200
Size Of Initialized Data 0x000B0A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-11-09 13:59 (UTC)
Version Information (8)
FileVersion 27.0.25.114
ProductVersion 27.0.25.114
CompanyName Bitdefender
FileDescription bduserhost
InternalName bduserhost.exe
LegalCopyright ©1997-2023 Bitdefender
OriginalFilename bduserhost.exe
ProductName Bitdefender 2023
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x000B109C 0x000B1200 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.57
.rdata 0x004B3000 0x000240BE 0x00024200 0x000B1600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.03
.data 0x004D8000 0x00006194 0x00004A00 0x000D5800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.91
.detourc 0x004DF000 0x000011A0 0x00001200 0x000DA200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.71
.detourd 0x004E1000 0x0000000C 0x00000200 0x000DB400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.07
.rsrc 0x004E2000 0x0007DE38 0x0007E000 0x000DB600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.58
.reloc 0x00560000 0x000089CC 0x00008A00 0x00159600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.63
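The section table above is internally consistent, and it is worth checking that explicitly before trusting anything else in the header: the raw-data ranges tile the file without gaps, SizeOfCode and SizeOfInitializedData equal the raw sizes of the code and data sections, the entry point 0x004819A0 lies in .text, and no section is both writable and executable. The file data ends at 0x162000, so the remainder of the 1.39 MB file is overlay, which for a signed PE is where the Authenticode blob lives. The script below is an added worked example, not VMRay output or any tool's code: its constants are transcribed from the PE Information and Sections tables, the checks are the editor's, and the RVA-to-offset mapping is validated against the Thunk RVA/Thunk Offset pair of the first CRYPT32 import (0x000D5C00 to 0x000D4200) and the export's EAT address.

```python
"""Consistency checks over the PE header and section table reported above.

Added example (not VMRay output). Constants are transcribed from the report;
the checks are the ones an analyst does by hand before trusting a header.
"""
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x00400000
ENTRY_POINT_VA = 0x004819A0
SIZE_OF_CODE = 0x000B1200
SIZE_OF_INIT_DATA = 0x000B0A00

# Section characteristic bits (winnt.h values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass(frozen=True)
class Section:
    name: str
    va: int        # absolute virtual address, as printed in the report
    vsize: int
    raw_size: int
    raw_off: int
    flags: int

    @property
    def rva(self) -> int:
        return self.va - IMAGE_BASE


# Transcribed from the report's section table; flags reduced to the bits used here.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA
WDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE
SECTIONS: List[Section] = [
    Section(".text",    0x00401000, 0x000B109C, 0x000B1200, 0x00000400, CODE),
    Section(".rdata",   0x004B3000, 0x000240BE, 0x00024200, 0x000B1600, DATA),
    Section(".data",    0x004D8000, 0x00006194, 0x00004A00, 0x000D5800, WDATA),
    Section(".detourc", 0x004DF000, 0x000011A0, 0x00001200, 0x000DA200, DATA),
    Section(".detourd", 0x004E1000, 0x0000000C, 0x00000200, 0x000DB400, WDATA),
    Section(".rsrc",    0x004E2000, 0x0007DE38, 0x0007E000, 0x000DB600, DATA),
    Section(".reloc",   0x00560000, 0x000089CC, 0x00008A00, 0x00159600, DATA),
]


def section_for_va(va: int) -> Optional[Section]:
    """Section whose virtual range covers va; None for addresses outside the image."""
    for s in SECTIONS:
        if s.va <= va < s.va + s.vsize:
            return s
    return None


def rva_to_file_offset(rva: int) -> Optional[int]:
    """Map an RVA to its file offset via the containing section.

    Returns None for unmapped RVAs and for the virtual-only tail of a section
    (VirtualSize > RawDataSize, e.g. .data here), which has no file backing.
    """
    s = section_for_va(IMAGE_BASE + rva)
    if s is None:
        return None
    delta = rva - s.rva
    if delta >= s.raw_size:
        return None
    return s.raw_off + delta


def raw_layout_is_contiguous() -> bool:
    """Each section's raw data must start exactly where the previous one ended."""
    expected = SECTIONS[0].raw_off
    for s in SECTIONS:
        if s.raw_off != expected:
            return False
        expected += s.raw_size
    return True


def end_of_sections() -> int:
    """File offset just past the last section; everything after it is overlay."""
    last = SECTIONS[-1]
    return last.raw_off + last.raw_size


def header_sizes_match() -> bool:
    """SizeOfCode / SizeOfInitializedData should be sums of raw sizes by section class."""
    code = sum(s.raw_size for s in SECTIONS if s.flags & IMAGE_SCN_CNT_CODE)
    init = sum(s.raw_size for s in SECTIONS if s.flags & IMAGE_SCN_CNT_INITIALIZED_DATA)
    return code == SIZE_OF_CODE and init == SIZE_OF_INIT_DATA


def writable_executable_sections() -> List[str]:
    """W+X sections are a packer/self-modifying-code tell; a plain MSVC build has none."""
    return [s.name for s in SECTIONS
            if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE]


if __name__ == "__main__":
    ep = section_for_va(ENTRY_POINT_VA)
    print("entry point in", ep.name if ep else "no section")
    print("raw layout contiguous:", raw_layout_is_contiguous())
    print("header size fields consistent:", header_sizes_match())
    print("section data ends at file offset", hex(end_of_sections()))
    print("W+X sections:", writable_executable_sections() or "none")
```

The same helper also answers a question the memory-dump list raises further down: the executed buffer at 0x046D0000 is outside every section of the image, so it is a private allocation rather than a region of the mapped file.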
Imports (11)
CRYPT32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptMsgGetParam - 0x004B305C 0x000D5C00 0x000D4200 0x000000B8
CryptMsgClose - 0x004B3060 0x000D5C04 0x000D4204 0x000000B1
CertFindCertificateInStore - 0x004B3064 0x000D5C08 0x000D4208 0x00000035
CertCloseStore - 0x004B3068 0x000D5C0C 0x000D420C 0x00000012
CertFreeCTLContext - 0x004B306C 0x000D5C10 0x000D4210 0x0000003C
CertFreeCRLContext - 0x004B3070 0x000D5C14 0x000D4214 0x0000003B
CertFreeCertificateContext - 0x004B3074 0x000D5C18 0x000D4218 0x00000040
CryptQueryObject - 0x004B3078 0x000D5C1C 0x000D421C 0x000000C8
CertGetNameStringW - 0x004B307C 0x000D5C20 0x000D4220 0x0000004B
KERNEL32.dll (157)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InitializeCriticalSectionEx - 0x004B3084 0x000D5C28 0x000D4228 0x00000363
DecodePointer - 0x004B3088 0x000D5C2C 0x000D422C 0x0000010C
CreateThread - 0x004B308C 0x000D5C30 0x000D4230 0x000000F6
SetCurrentDirectoryW - 0x004B3090 0x000D5C34 0x000D4234 0x0000050B
CreateToolhelp32Snapshot - 0x004B3094 0x000D5C38 0x000D4238 0x000000FF
Process32FirstW - 0x004B3098 0x000D5C3C 0x000D423C 0x0000042E
Process32NextW - 0x004B309C 0x000D5C40 0x000D4240 0x00000430
GetCommandLineW - 0x004B30A0 0x000D5C44 0x000D4244 0x000001DA
SetEvent - 0x004B30A4 0x000D5C48 0x000D4248 0x00000518
HeapAlloc - 0x004B30A8 0x000D5C4C 0x000D424C 0x00000348
HeapFree - 0x004B30AC 0x000D5C50 0x000D4250 0x0000034C
HeapReAlloc - 0x004B30B0 0x000D5C54 0x000D4254 0x0000034F
HeapSize - 0x004B30B4 0x000D5C58 0x000D4258 0x00000351
GetProcessHeap - 0x004B30B8 0x000D5C5C 0x000D425C 0x000002B7
CreateEventW - 0x004B30BC 0x000D5C60 0x000D4260 0x000000C2
GetModuleHandleA - 0x004B30C0 0x000D5C64 0x000D4264 0x00000278
OpenProcess - 0x004B30C4 0x000D5C68 0x000D4268 0x0000040F
OpenEventW - 0x004B30C8 0x000D5C6C 0x000D426C 0x00000403
GetExitCodeThread - 0x004B30CC 0x000D5C70 0x000D4270 0x00000240
LocalFree - 0x004B30D0 0x000D5C74 0x000D4274 0x000003D3
LocalAlloc - 0x004B30D4 0x000D5C78 0x000D4278 0x000003CE
GetCurrentProcess - 0x004B30D8 0x000D5C7C 0x000D427C 0x0000021A
LockFile - 0x004B30DC 0x000D5C80 0x000D4280 0x000003DD
UnlockFile - 0x004B30E0 0x000D5C84 0x000D4284 0x000005B2
WriteFile - 0x004B30E4 0x000D5C88 0x000D4288 0x00000616
SetEnvironmentVariableW - 0x004B30E8 0x000D5C8C 0x000D428C 0x00000516
GetSystemDirectoryW - 0x004B30EC 0x000D5C90 0x000D4290 0x000002E3
LoadLibraryExW - 0x004B30F0 0x000D5C94 0x000D4294 0x000003C7
FreeEnvironmentStringsW - 0x004B30F4 0x000D5C98 0x000D4298 0x000001AD
GetEnvironmentStringsW - 0x004B30F8 0x000D5C9C 0x000D429C 0x0000023A
GetCommandLineA - 0x004B30FC 0x000D5CA0 0x000D42A0 0x000001D9
GetOEMCP - 0x004B3100 0x000D5CA4 0x000D42A4 0x0000029A
WideCharToMultiByte - 0x004B3104 0x000D5CA8 0x000D42A8 0x00000602
MultiByteToWideChar - 0x004B3108 0x000D5CAC 0x000D42AC 0x000003F3
GetModuleHandleW - 0x004B310C 0x000D5CB0 0x000D42B0 0x0000027B
GetCurrentProcessId - 0x004B3110 0x000D5CB4 0x000D42B4 0x0000021B
ProcessIdToSessionId - 0x004B3114 0x000D5CB8 0x000D42B8 0x00000431
CreateFileW - 0x004B3118 0x000D5CBC 0x000D42BC 0x000000CE
GetLastError - 0x004B311C 0x000D5CC0 0x000D42C0 0x00000264
FormatMessageA - 0x004B3120 0x000D5CC4 0x000D42C4 0x000001A9
FreeLibrary - 0x004B3124 0x000D5CC8 0x000D42C8 0x000001AE
GetProcAddress - 0x004B3128 0x000D5CCC 0x000D42CC 0x000002B1
LoadLibraryW - 0x004B312C 0x000D5CD0 0x000D42D0 0x000003C8
GetModuleFileNameW - 0x004B3130 0x000D5CD4 0x000D42D4 0x00000277
GetModuleHandleExW - 0x004B3134 0x000D5CD8 0x000D42D8 0x0000027A
DeleteCriticalSection - 0x004B3138 0x000D5CDC 0x000D42DC 0x00000113
CloseHandle - 0x004B313C 0x000D5CE0 0x000D42E0 0x00000089
Sleep - 0x004B3140 0x000D5CE4 0x000D42E4 0x00000581
RaiseException - 0x004B3144 0x000D5CE8 0x000D42E8 0x00000464
SetDllDirectoryW - 0x004B3148 0x000D5CEC 0x000D42EC 0x00000510
GetACP - 0x004B314C 0x000D5CF0 0x000D42F0 0x000001B5
IsValidCodePage - 0x004B3150 0x000D5CF4 0x000D42F4 0x0000038F
GetTimeZoneInformation - 0x004B3154 0x000D5CF8 0x000D42F8 0x00000311
EnumSystemLocalesW - 0x004B3158 0x000D5CFC 0x000D42FC 0x00000157
GetUserDefaultLCID - 0x004B315C 0x000D5D00 0x000D4300 0x00000315
IsValidLocale - 0x004B3160 0x000D5D04 0x000D4304 0x00000391
GetLocaleInfoW - 0x004B3164 0x000D5D08 0x000D4308 0x00000268
LCMapStringW - 0x004B3168 0x000D5D0C 0x000D430C 0x000003B5
CompareStringW - 0x004B316C 0x000D5D10 0x000D4310 0x0000009E
GetTimeFormatW - 0x004B3170 0x000D5D14 0x000D4314 0x0000030F
GetDateFormatW - 0x004B3174 0x000D5D18 0x000D4318 0x00000224
ReadConsoleW - 0x004B3178 0x000D5D1C 0x000D431C 0x00000472
ReadFile - 0x004B317C 0x000D5D20 0x000D4320 0x00000475
GetConsoleMode - 0x004B3180 0x000D5D24 0x000D4324 0x000001FF
GetConsoleOutputCP - 0x004B3184 0x000D5D28 0x000D4328 0x00000203
FlushFileBuffers - 0x004B3188 0x000D5D2C 0x000D432C 0x000001A2
GetStdHandle - 0x004B318C 0x000D5D30 0x000D4330 0x000002D5
ExitProcess - 0x004B3190 0x000D5D34 0x000D4334 0x00000161
GetFileType - 0x004B3194 0x000D5D38 0x000D4338 0x00000251
SetStdHandle - 0x004B3198 0x000D5D3C 0x000D433C 0x0000054E
FreeLibraryAndExitThread - 0x004B319C 0x000D5D40 0x000D4340 0x000001AF
ExitThread - 0x004B31A0 0x000D5D44 0x000D4344 0x00000162
SetConsoleCtrlHandler - 0x004B31A4 0x000D5D48 0x000D4348 0x000004EB
TlsFree - 0x004B31A8 0x000D5D4C 0x000D434C 0x000005A3
GetStringTypeW - 0x004B31AC 0x000D5D50 0x000D4350 0x000002DA
CreateDirectoryW - 0x004B31B0 0x000D5D54 0x000D4354 0x000000BD
FindClose - 0x004B31B4 0x000D5D58 0x000D4358 0x00000178
FindFirstFileExW - 0x004B31B8 0x000D5D5C 0x000D435C 0x0000017E
FindNextFileW - 0x004B31BC 0x000D5D60 0x000D4360 0x0000018F
GetFileAttributesW - 0x004B31C0 0x000D5D64 0x000D4364 0x00000248
GetFileAttributesExW - 0x004B31C4 0x000D5D68 0x000D4368 0x00000245
GetFileInformationByHandle - 0x004B31C8 0x000D5D6C 0x000D436C 0x0000024A
GetFinalPathNameByHandleW - 0x004B31CC 0x000D5D70 0x000D4370 0x00000253
SetEndOfFile - 0x004B31D0 0x000D5D74 0x000D4374 0x00000512
SetFileAttributesW - 0x004B31D4 0x000D5D78 0x000D4378 0x0000051F
SetFilePointerEx - 0x004B31D8 0x000D5D7C 0x000D437C 0x00000525
AreFileApisANSI - 0x004B31DC 0x000D5D80 0x000D4380 0x00000023
DeviceIoControl - 0x004B31E0 0x000D5D84 0x000D4384 0x00000120
GetFileInformationByHandleEx - 0x004B31E4 0x000D5D88 0x000D4388 0x0000024B
InitializeSRWLock - 0x004B31E8 0x000D5D8C 0x000D438C 0x00000367
ReleaseSRWLockExclusive - 0x004B31EC 0x000D5D90 0x000D4390 0x000004B4
AcquireSRWLockExclusive - 0x004B31F0 0x000D5D94 0x000D4394 0x00000000
EnterCriticalSection - 0x004B31F4 0x000D5D98 0x000D4398 0x00000134
LeaveCriticalSection - 0x004B31F8 0x000D5D9C 0x000D439C 0x000003C1
TryEnterCriticalSection - 0x004B31FC 0x000D5DA0 0x000D43A0 0x000005AB
GetCurrentThreadId - 0x004B3200 0x000D5DA4 0x000D43A4 0x0000021F
EncodePointer - 0x004B3204 0x000D5DA8 0x000D43A8 0x00000130
LCMapStringEx - 0x004B3208 0x000D5DAC 0x000D43AC 0x000003B4
QueryPerformanceCounter - 0x004B320C 0x000D5DB0 0x000D43B0 0x0000044F
QueryPerformanceFrequency - 0x004B3210 0x000D5DB4 0x000D43B4 0x00000450
InitializeConditionVariable - 0x004B3214 0x000D5DB8 0x000D43B8 0x0000035E
WakeConditionVariable - 0x004B3218 0x000D5DBC 0x000D43BC 0x000005E4
WakeAllConditionVariable - 0x004B321C 0x000D5DC0 0x000D43C0 0x000005E3
SleepConditionVariableCS - 0x004B3220 0x000D5DC4 0x000D43C4 0x00000582
SleepConditionVariableSRW - 0x004B3224 0x000D5DC8 0x000D43C8 0x00000583
GetSystemTimeAsFileTime - 0x004B3228 0x000D5DCC 0x000D43CC 0x000002EC
GetTickCount64 - 0x004B322C 0x000D5DD0 0x000D43D0 0x0000030B
GetLocaleInfoEx - 0x004B3230 0x000D5DD4 0x000D43D4 0x00000267
CompareStringEx - 0x004B3234 0x000D5DD8 0x000D43D8 0x0000009C
GetCPInfo - 0x004B3238 0x000D5DDC 0x000D43DC 0x000001C4
IsDebuggerPresent - 0x004B323C 0x000D5DE0 0x000D43E0 0x00000382
OutputDebugStringW - 0x004B3240 0x000D5DE4 0x000D43E4 0x0000041B
GetEnvironmentVariableW - 0x004B3244 0x000D5DE8 0x000D43E8 0x0000023C
ExpandEnvironmentStringsW - 0x004B3248 0x000D5DEC 0x000D43EC 0x00000165
DeleteFileW - 0x004B324C 0x000D5DF0 0x000D43F0 0x00000118
GetFileSizeEx - 0x004B3250 0x000D5DF4 0x000D43F4 0x0000024F
SetFilePointer - 0x004B3254 0x000D5DF8 0x000D43F8 0x00000524
DebugBreak - 0x004B3258 0x000D5DFC 0x000D43FC 0x00000109
OutputDebugStringA - 0x004B325C 0x000D5E00 0x000D4400 0x0000041A
SetLastError - 0x004B3260 0x000D5E04 0x000D4404 0x00000534
WaitForSingleObject - 0x004B3264 0x000D5E08 0x000D4408 0x000005DB
GetProcessTimes - 0x004B3268 0x000D5E0C 0x000D440C 0x000002C1
GetCurrentThread - 0x004B326C 0x000D5E10 0x000D4410 0x0000021E
GetLocalTime - 0x004B3270 0x000D5E14 0x000D4414 0x00000265
GetWindowsDirectoryW - 0x004B3274 0x000D5E18 0x000D4418 0x00000329
GetModuleFileNameA - 0x004B3278 0x000D5E1C 0x000D441C 0x00000276
LoadLibraryExA - 0x004B327C 0x000D5E20 0x000D4420 0x000003C6
LoadLibraryA - 0x004B3280 0x000D5E24 0x000D4424 0x000003C5
FormatMessageW - 0x004B3284 0x000D5E28 0x000D4428 0x000001AA
SetSearchPathMode - 0x004B3288 0x000D5E2C 0x000D442C 0x0000054D
FileTimeToSystemTime - 0x004B328C 0x000D5E30 0x000D4430 0x0000016D
K32GetMappedFileNameW - 0x004B3290 0x000D5E34 0x000D4434 0x000003A3
WriteConsoleW - 0x004B3294 0x000D5E38 0x000D4438 0x00000615
SuspendThread - 0x004B3298 0x000D5E3C 0x000D443C 0x00000589
ResumeThread - 0x004B329C 0x000D5E40 0x000D4440 0x000004CF
GetThreadContext - 0x004B32A0 0x000D5E44 0x000D4444 0x000002FA
SetThreadContext - 0x004B32A4 0x000D5E48 0x000D4448 0x00000558
FlushInstructionCache - 0x004B32A8 0x000D5E4C 0x000D444C 0x000001A3
VirtualAlloc - 0x004B32AC 0x000D5E50 0x000D4450 0x000005CA
VirtualProtect - 0x004B32B0 0x000D5E54 0x000D4454 0x000005D0
VirtualFree - 0x004B32B4 0x000D5E58 0x000D4458 0x000005CD
VirtualQuery - 0x004B32B8 0x000D5E5C 0x000D445C 0x000005D2
GetLongPathNameW - 0x004B32BC 0x000D5E60 0x000D4460 0x00000271
QueryDosDeviceW - 0x004B32C0 0x000D5E64 0x000D4464 0x00000447
InitializeCriticalSectionAndSpinCount - 0x004B32C4 0x000D5E68 0x000D4468 0x00000362
ResetEvent - 0x004B32C8 0x000D5E6C 0x000D446C 0x000004C8
WaitForSingleObjectEx - 0x004B32CC 0x000D5E70 0x000D4470 0x000005DC
UnhandledExceptionFilter - 0x004B32D0 0x000D5E74 0x000D4474 0x000005B1
SetUnhandledExceptionFilter - 0x004B32D4 0x000D5E78 0x000D4478 0x00000571
TerminateProcess - 0x004B32D8 0x000D5E7C 0x000D447C 0x00000590
IsProcessorFeaturePresent - 0x004B32DC 0x000D5E80 0x000D4480 0x00000389
GetStartupInfoW - 0x004B32E0 0x000D5E84 0x000D4484 0x000002D3
InitializeSListHead - 0x004B32E4 0x000D5E88 0x000D4488 0x00000366
RtlUnwind - 0x004B32E8 0x000D5E8C 0x000D448C 0x000004D5
TlsAlloc - 0x004B32EC 0x000D5E90 0x000D4490 0x000005A2
TlsGetValue - 0x004B32F0 0x000D5E94 0x000D4494 0x000005A4
TlsSetValue - 0x004B32F4 0x000D5E98 0x000D4498 0x000005A5
USER32.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DispatchMessageW - 0x004B3310 0x000D5EB4 0x000D44B4 0x000000BD
PeekMessageW - 0x004B3314 0x000D5EB8 0x000D44B8 0x000002A7
TranslateMessage - 0x004B3318 0x000D5EBC 0x000D44BC 0x000003A5
RegisterClassExW - 0x004B331C 0x000D5EC0 0x000D44C0 0x000002DA
CreateWindowExW - 0x004B3320 0x000D5EC4 0x000D44C4 0x00000076
ShowWindow - 0x004B3324 0x000D5EC8 0x000D44C8 0x00000385
UpdateWindow - 0x004B3328 0x000D5ECC 0x000D44CC 0x000003BF
BeginPaint - 0x004B332C 0x000D5ED0 0x000D44D0 0x00000011
EndPaint - 0x004B3330 0x000D5ED4 0x000D44D4 0x000000F4
PostQuitMessage - 0x004B3334 0x000D5ED8 0x000D44D8 0x000002AC
DefWindowProcW - 0x004B3338 0x000D5EDC 0x000D44DC 0x000000A7
MsgWaitForMultipleObjects - 0x004B333C 0x000D5EE0 0x000D44E0 0x0000028F
ADVAPI32.dll (22)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ConvertSidToStringSidW - 0x004B3000 0x000D5BA4 0x000D41A4 0x0000007B
LookupAccountSidW - 0x004B3004 0x000D5BA8 0x000D41A8 0x000001A9
GetAclInformation - 0x004B3008 0x000D5BAC 0x000D41AC 0x00000138
GetSidSubAuthorityCount - 0x004B300C 0x000D5BB0 0x000D41B0 0x0000016D
GetSidSubAuthority - 0x004B3010 0x000D5BB4 0x000D41B4 0x0000016C
GetSidIdentifierAuthority - 0x004B3014 0x000D5BB8 0x000D41B8 0x0000016A
GetSecurityDescriptorDacl - 0x004B3018 0x000D5BBC 0x000D41BC 0x0000015D
GetFileSecurityW - 0x004B301C 0x000D5BC0 0x000D41C0 0x00000145
GetAce - 0x004B3020 0x000D5BC4 0x000D41C4 0x00000137
SetSecurityDescriptorDacl - 0x004B3024 0x000D5BC8 0x000D41C8 0x000002E8
InitializeSecurityDescriptor - 0x004B3028 0x000D5BCC 0x000D41CC 0x0000018F
AdjustTokenPrivileges - 0x004B302C 0x000D5BD0 0x000D41D0 0x0000001F
LookupPrivilegeValueW - 0x004B3030 0x000D5BD4 0x000D41D4 0x000001AF
GetNamedSecurityInfoW - 0x004B3034 0x000D5BD8 0x000D41D8 0x00000157
GetTokenInformation - 0x004B3038 0x000D5BDC 0x000D41DC 0x00000170
OpenProcessToken - 0x004B303C 0x000D5BE0 0x000D41E0 0x00000215
FreeSid - 0x004B3040 0x000D5BE4 0x000D41E4 0x00000134
CheckTokenMembership - 0x004B3044 0x000D5BE8 0x000D41E8 0x0000005F
AllocateAndInitializeSid - 0x004B3048 0x000D5BEC 0x000D41EC 0x00000020
RegOpenKeyExW - 0x004B304C 0x000D5BF0 0x000D41F0 0x0000028C
RegGetValueW - 0x004B3050 0x000D5BF4 0x000D41F4 0x00000281
RegCloseKey - 0x004B3054 0x000D5BF8 0x000D41F8 0x0000025B
SHELL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetKnownFolderPath - 0x004B32FC 0x000D5EA0 0x000D44A0 0x00000159
CommandLineToArgvW - 0x004B3300 0x000D5EA4 0x000D44A4 0x00000008
ole32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StringFromCLSID - 0x004B3380 0x000D5F24 0x000D4524 0x000001C9
CLSIDFromString - 0x004B3384 0x000D5F28 0x000D4528 0x0000000C
CoTaskMemFree - 0x004B3388 0x000D5F2C 0x000D452C 0x00000089
WINMM.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
timeGetTime - 0x004B3354 0x000D5EF8 0x000D44F8 0x00000094
WINTRUST.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptCATCatalogInfoFromContext - 0x004B335C 0x000D5F00 0x000D4500 0x0000001A
CryptCATAdminReleaseContext - 0x004B3360 0x000D5F04 0x000D4504 0x0000000E
CryptCATAdminAcquireContext - 0x004B3364 0x000D5F08 0x000D4508 0x00000005
WinVerifyTrust - 0x004B3368 0x000D5F0C 0x000D450C 0x0000008F
CryptCATAdminCalcHashFromFileHandle - 0x004B336C 0x000D5F10 0x000D4510 0x00000008
CryptCATAdminEnumCatalogFromHash - 0x004B3370 0x000D5F14 0x000D4514 0x0000000B
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathIsRelativeW - 0x004B3308 0x000D5EAC 0x000D44AC 0x00000069
ntdll.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NtQuerySystemInformation - 0x004B3378 0x000D5F1C 0x000D451C 0x000001FF
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoA - 0x004B3344 0x000D5EE8 0x000D44E8 0x00000000
VerQueryValueA - 0x004B3348 0x000D5EEC 0x000D44EC 0x0000000F
GetFileVersionInfoSizeA - 0x004B334C 0x000D5EF0 0x000D44F0 0x00000004
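Before any dynamic result, the import table gives a first read of capability: CreateToolhelp32Snapshot/Process32FirstW/Process32NextW/OpenProcess and NtQuerySystemInformation (process enumeration), SuspendThread/GetThreadContext/SetThreadContext/ResumeThread/FlushInstructionCache/VirtualProtect (the sequence a hooking library runs when it patches code in a live process), OpenProcessToken/AdjustTokenPrivileges/LookupPrivilegeValueW (privilege adjustment), and WinVerifyTrust with the CryptCATAdmin* family (catalog and Authenticode verification). The bucketing below is an added worked example, not VMRay output and not a capa rule set: IMPORTS is a hand-transcribed subset of the table above and CAPABILITIES is the editor's own mapping, deliberately small; the two-hit threshold is likewise the editor's choice so a lone Sleep or VirtualAlloc produces no category.

```python
"""Bucket a PE import table into coarse behaviour categories for triage.

Added example (not VMRay output, not capa). IMPORTS is a subset of the report's
import table transcribed by hand; CAPABILITIES is the author's own mapping.
"""
from typing import Dict, List, Set, Tuple

CAPABILITIES: Dict[str, Set[str]] = {
    "process enumeration": {
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "OpenProcess", "NtQuerySystemInformation"},
    "thread context manipulation / inline hooking": {
        "SuspendThread", "ResumeThread", "GetThreadContext", "SetThreadContext",
        "FlushInstructionCache", "VirtualProtect"},
    "executable memory allocation": {"VirtualAlloc", "VirtualProtect"},
    "privilege / token manipulation": {
        "OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
        "GetTokenInformation", "CheckTokenMembership"},
    "code-signing / catalog verification": {
        "WinVerifyTrust", "CryptQueryObject", "CryptCATAdminAcquireContext",
        "CryptCATAdminCalcHashFromFileHandle", "CryptCATAdminEnumCatalogFromHash"},
    "anti-debugging": {"IsDebuggerPresent", "DebugBreak"},
    "dynamic import resolution": {
        "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "registry read": {"RegOpenKeyExW", "RegGetValueW", "RegCloseKey"},
    "GUI window / message loop": {
        "RegisterClassExW", "CreateWindowExW", "PeekMessageW", "DispatchMessageW"},
}

# Constructed subset of the report's import table (DLL -> API names).
IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": [
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess",
        "SuspendThread", "ResumeThread", "GetThreadContext", "SetThreadContext",
        "FlushInstructionCache", "VirtualAlloc", "VirtualProtect", "VirtualFree",
        "IsDebuggerPresent", "DebugBreak", "LoadLibraryW", "GetProcAddress",
        "Sleep", "HeapAlloc", "CreateThread", "ProcessIdToSessionId"],
    "ADVAPI32.dll": [
        "OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
        "GetTokenInformation", "CheckTokenMembership", "RegOpenKeyExW", "RegGetValueW"],
    "WINTRUST.dll": [
        "WinVerifyTrust", "CryptCATAdminAcquireContext",
        "CryptCATAdminCalcHashFromFileHandle", "CryptCATAdminEnumCatalogFromHash"],
    "CRYPT32.dll": ["CryptQueryObject", "CryptMsgGetParam", "CertFindCertificateInStore"],
    "ntdll.dll": ["NtQuerySystemInformation"],
    "USER32.dll": ["RegisterClassExW", "CreateWindowExW", "PeekMessageW", "DispatchMessageW"],
}


def flatten(imports: Dict[str, List[str]]) -> Set[str]:
    """All imported API names regardless of DLL."""
    return {api for apis in imports.values() for api in apis}


def triage(imports: Dict[str, List[str]],
           capabilities: Dict[str, Set[str]] = CAPABILITIES,
           min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Categories with at least min_hits matching imports, most hits first."""
    present = flatten(imports)
    found = []
    for category, apis in capabilities.items():
        hits = sorted(present & apis)
        if len(hits) >= min_hits:
            found.append((category, hits))
    found.sort(key=lambda item: (-len(item[1]), item[0]))
    return found


def uncategorised(imports: Dict[str, List[str]],
                  capabilities: Dict[str, Set[str]] = CAPABILITIES) -> List[str]:
    """Imports no rule covers; useful for spotting gaps in the rule table."""
    known = set().union(*capabilities.values())
    return sorted(flatten(imports) - known)


if __name__ == "__main__":
    for category, hits in triage(IMPORTS):
        print(f"{category:45s} {len(hits):2d}  {', '.join(hits)}")
    print("uncategorised:", ", ".join(uncategorised(IMPORTS)))
```

Static import triage says what the binary can do, not what it did; the memory dumps and the downloaded files further down are what show which of these paths actually ran.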
Exports (1)
API Name EAT Address Ordinal
GetUserProcessHost 0x00038010 0x00000001
Digital Signature Information
Verification Status Valid
Certificate: 4leaf Holding Corp.
Issued to 4leaf Holding Corp.
Parent Certificate SSL.com EV Code Signing Intermediate CA RSA R3
Country Name CA
Valid From 2024-01-26 19:53 (UTC)
Valid Until 2025-01-25 19:53 (UTC)
Algorithm sha256_rsa
Serial Number 5E 90 65 01 75 69 20 86 F7 3D D0 5E E1 4B 3D A5
Thumbprint 94 BA CD 94 87 65 52 AA 68 3B 8D 9E 47 72 A0 E3 7C 98 5E 30
Certificate: SSL.com EV Code Signing Intermediate CA RSA R3
Issued to SSL.com EV Code Signing Intermediate CA RSA R3
Parent Certificate SSL.com EV Root Certification Authority RSA R2
Country Name US
Valid From 2019-03-26 17:44 (UTC)
Valid Until 2034-03-22 17:44 (UTC)
Algorithm sha256_rsa
Serial Number 42 4B 6A 53 CE C7 66 14 1C 2A 63 B1 A5 1C 41 04
Thumbprint D2 95 3D BA 95 08 6F EB 58 05 BE FC 41 28 3C A6 4C 39 7D F5
Certificate: SSL.com EV Root Certification Authority RSA R2
Issued to SSL.com EV Root Certification Authority RSA R2
Country Name US
Valid From 2017-05-31 18:14 (UTC)
Valid Until 2042-05-30 18:14 (UTC)
Algorithm sha256_rsa
Serial Number 56 B6 29 CD 34 BC 78 F6
Thumbprint 74 3A F0 52 9B D0 32 A0 F4 4A 83 CD D4 BA A9 7B 7C 2E C4 9A
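The chain verifies, but the signer and the version resource disagree: the leaf certificate belongs to 4leaf Holding Corp. (an EV code-signing certificate issued 2024-01-26, eleven weeks after the 2023-11-09 compile timestamp), while CompanyName and ProductName claim Bitdefender and OriginalFilename is bduserhost.exe rather than ZPHG.exe. A "Valid" verification status means only that the signature chains to a trusted root; it vouches for the key holder, not for the identity the resource strings assert. The check below is an added worked example, not part of the VMRay report: the records are transcribed from the page (subject and issuer names taken from the certificate names and Parent Certificate lines), the 30-day "fresh certificate" threshold is the editor's choice, and the observation date is a parameter because the page does not state when the analysis ran.

```python
"""Cross-check the Authenticode signer against the PE version resource.

Added example (not VMRay output). A 'Valid' signature status says the signature
chains to a trusted root, not that the signer is who the version resource
names. Records are transcribed from the report; the freshness threshold is the
author's own.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


VERSION_INFO: Dict[str, str] = {
    "CompanyName": "Bitdefender",
    "ProductName": "Bitdefender 2023",
    "FileDescription": "bduserhost",
    "OriginalFilename": "bduserhost.exe",
    "FileVersion": "27.0.25.114",
}
COMPILE_TS = utc(2023, 11, 9, 13, 59)
ON_DISK_NAME = "ZPHG.exe"
VERIFICATION_STATUS = "Valid"

# Leaf first, root last. 'issuer' is the report's Parent Certificate; the root
# has none and is self-issued.
CHAIN: List[Dict] = [
    {"subject": "4leaf Holding Corp.",
     "issuer": "SSL.com EV Code Signing Intermediate CA RSA R3",
     "not_before": utc(2024, 1, 26, 19, 53), "not_after": utc(2025, 1, 25, 19, 53)},
    {"subject": "SSL.com EV Code Signing Intermediate CA RSA R3",
     "issuer": "SSL.com EV Root Certification Authority RSA R2",
     "not_before": utc(2019, 3, 26, 17, 44), "not_after": utc(2034, 3, 22, 17, 44)},
    {"subject": "SSL.com EV Root Certification Authority RSA R2",
     "issuer": "SSL.com EV Root Certification Authority RSA R2",
     "not_before": utc(2017, 5, 31, 18, 14), "not_after": utc(2042, 5, 30, 18, 14)},
]


def _norm(s: str) -> str:
    """Case- and punctuation-insensitive form for loose name comparison."""
    return " ".join(s.lower().replace(",", " ").replace(".", " ").split())


def chain_is_linked(chain: List[Dict]) -> bool:
    """Every certificate names the next as issuer and sits inside its parent's
    validity window; the last certificate must be self-issued."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
        if not (parent["not_before"] <= child["not_before"]
                and child["not_after"] <= parent["not_after"]):
            return False
    root = chain[-1]
    return root["issuer"] == root["subject"]


def assess_identity(version_info: Dict[str, str], leaf: Dict, on_disk_name: str,
                    compile_ts: datetime, verification_status: str = "Valid",
                    observed_at: Optional[datetime] = None,
                    fresh_days: int = 30) -> List[str]:
    """Findings that a valid signature alone would hide."""
    findings: List[str] = []
    if verification_status != "Valid":
        findings.append(f"signature verification status is {verification_status!r}")
    company = version_info.get("CompanyName", "")
    if company and _norm(company) not in _norm(leaf["subject"]):
        findings.append(f"signer {leaf['subject']!r} is not the CompanyName "
                        f"{company!r} claimed in the version resource")
    original = version_info.get("OriginalFilename", "")
    if original and original.lower() != on_disk_name.lower():
        findings.append(f"OriginalFilename {original!r} differs from on-disk name "
                        f"{on_disk_name!r}")
    # Compile timestamps are forgeable, so this is a weak signal, but a build
    # dated after the certificate expired cannot have been signed in its window.
    if compile_ts > leaf["not_after"]:
        findings.append("compile timestamp is after the signing certificate expired")
    if observed_at is not None and observed_at - leaf["not_before"] < timedelta(days=fresh_days):
        findings.append(f"signing certificate issued less than {fresh_days} days "
                        f"before observation")
    return findings


if __name__ == "__main__":
    print("chain linked:", chain_is_linked(CHAIN))
    for f in assess_identity(VERSION_INFO, CHAIN[0], ON_DISK_NAME, COMPILE_TS,
                             VERIFICATION_STATUS):
        print("finding:", f)
```

On a live host the same inputs come from Get-AuthenticodeSignature and the file's VersionInfo property in PowerShell; the comparison logic is unchanged.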
Memory Dumps (71)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
zphg.exe 1 0x00400000 0x00568FFF Relevant Image False 32-bit 0x004824F5 False
buffer 1 0x046D0000 0x04702FFF First Execution False 32-bit 0x046E4474 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DDD80 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E0790 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DBFD8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DE1B8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E3754 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D6538 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E156C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E2E2C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D1079 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D1022 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D9D0C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E17E8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF620 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DBAF4 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E42E8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E0440 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E3A21 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DEF28 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E1B58 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E42E8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E2054 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E3A21 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DEF28 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DB666 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E04F0 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DC334 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DEF28 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E39F1 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DEF28 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E04F0 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DEF28 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D14E4 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E156C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E41EC False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DDB14 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E2198 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D2000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D9D0C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D3B58 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D4000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D145F False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D500F False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DF620 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D2FA4 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E41EC False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D6000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DBF4C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D7000 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E0CFC False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DAF78 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D82C0 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D6EF3 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D9D9E False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DFB8F False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DD8C8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E2FD4 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DAF78 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D7839 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046E0CFC False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D6AF2 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D9E09 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046DD8C8 False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D8A5C False
buffer 1 0x046D0000 0x04702FFF Content Changed False 32-bit 0x046D108D False
File Name 8bb65388a6bc0e6484d15645e6464ef214f4f7f49e14e4b44dcf37c3709cfafe
Category Downloaded File
Type Stream
Verdict Clean
MIME Type application/octet-stream
File Size 6.14 KB
MD5 ff0e215ff136f8fb9fff46b05591d899
SHA1 7b11f372072e5ac5825730d3f2115f4bc9110b99
SHA256 8bb65388a6bc0e6484d15645e6464ef214f4f7f49e14e4b44dcf37c3709cfafe
SSDeep 96:L2/JS1waG5LuZrvZEQsHiCDnlIRJXA/7Jf4byEiJ7sWqny83WC789isOMGcA:4JgtpZORlEwZsbbGCbLhh
ImpHash -
File Name 5fd55da8747d933410bb637571802aca2eedf3314039722e2b9d6f37afdad97e
Category Downloaded File
Type HTML
Verdict Clean
MIME Type text/html
File Size 552 Bytes
MD5 eac0a6a53d4a4353aace122055b4b4c8
SHA1 b400d2a40c870dd448eed9b418297c3038b9d023
SHA256 5fd55da8747d933410bb637571802aca2eedf3314039722e2b9d6f37afdad97e
SSDeep 12:TD11VI48lI5r8INGlTF5TF5TF5TF5TF5TFK:bGDTPTPTPTPTPTc
ImpHash -
File Name da78602eed761e8b98dc361be836680766a5d446ffe24d166c6487283fe01de0
Category Extracted File
Type Image
Verdict Clean
Parent File C:\Users\RDhJ0CNFevzX\Desktop\ZPHG.exe
MIME Type image/png
File Size 18.64 KB
MD5 059869d4f86e5c88a0b04f99c812981f
SHA1 6e79c69b131d751214b3dc53c67cdec8849d3f96
SHA256 da78602eed761e8b98dc361be836680766a5d446ffe24d166c6487283fe01de0
SSDeep 384:PjFatodVB+i5fSUFr1cX9Htcdicnsc0uIE6H2Iz:PjFaqD+qFr1cXdtX+0uIEq
ImpHash -