Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
SophosZap(1).exe

Overview

General Information

Sample name:SophosZap(1).exe
Analysis ID:1671067
MD5:e8ec1b452253493fee6c02ea1bc8773d
SHA1:059fc237a015cbe1dc644662b500d774cf31f70a
SHA256:55e9754b2cb493134277fc14616e50786e02bc76d32e89d62ff1bb57a88348ae
Infos:

Detection

Score:2
Range:0 - 100
Confidence:80%

Signatures

PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w11x64_office
  • SophosZap(1).exe (PID: 3164 cmdline: "C:\Users\user\Desktop\SophosZap(1).exe" MD5: E8EC1B452253493FEE6C02EA1BC8773D)
    • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SophosZap(1).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SophosZap(1).exeStatic PE information: certificate valid
Source: SophosZap(1).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\x64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdbc source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\ARM64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0A
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0C
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0X
Source: SophosZap(1).exeString found in binary or memory: http://www.digicert.com/CPS0
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Aarch64, for MS Windows
Source: SophosZap(1).exe, 00000001.00000000.2859872875.00000000000EB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSophosZapHelper, vs SophosZap(1).exe
Source: SophosZap(1).exe, 00000001.00000000.2859872875.00000000000EB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSophosZap, vs SophosZap(1).exe
Source: SophosZap(1).exeBinary or memory string: OriginalFilenameSophosZapHelper, vs SophosZap(1).exe
Source: SophosZap(1).exeBinary or memory string: OriginalFilenameSophosZap, vs SophosZap(1).exe
Source: SophosZap(1).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: clean2.winEXE@2/1@0/0
Source: SophosZap(1).exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SophosZap(1).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SophosZap(1).exe "C:\Users\user\Desktop\SophosZap(1).exe"
Source: C:\Users\user\Desktop\SophosZap(1).exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SophosZap(1).exeSection loaded: apphelp.dllJump to behavior
Source: SophosZap(1).exeStatic PE information: certificate valid
Source: SophosZap(1).exeStatic file information: File size 3543408 > 1048576
Source: SophosZap(1).exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x315400
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SophosZap(1).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\x64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdbc source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\ARM64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SophosZap(1).exeStatic PE information: section name: .didat
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
DLL Side-Loading		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1671067 Sample: SophosZap(1).exe Startdate: 22/04/2025 Architecture: WINDOWS Score: 2 5 SophosZap(1).exe 1 2->5         started        process3 7 conhost.exe 5->7         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SophosZap(1).exe0%VirustotalBrowse
SophosZap(1).exe0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1671067
Start date and time:2025-04-22 15:32:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SophosZap(1).exe
Detection:CLEAN
Classification:clean2.winEXE@2/1@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 172.202.163.200
  • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv

Download File
Process:C:\Users\user\Desktop\SophosZap(1).exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):264
Entropy (8bit):4.956898676378702
Encrypted:false
SSDEEP:6:nNWYYFwBREB7kJlXz+PXthNTa1rTFAyIB5U7kJl/GoWxI1+jxymaDN:njoW1cZa1f6yE1/GoSx2N
MD5:7C444E2CC5B14205C210EBD963EA82C1
SHA1:47D0D43F3657E2D3202A902A91F204C99D847D45
SHA-256:50828E50CC9CF4CA51E67ACAC5EB0818F88B4F7C797F795704F38E746478F8C4
SHA-512:B373E10756B56909E8B8A320984B495A288C6AEEA673482285B0BF0E6410FDEEDB79D37370C1758D2E388C4E77FDCAE03C310298F0E1883645FEB88FAF653AAD
Malicious:false
Reputation:low
Preview:SophosZap v1.8.60.0 - Uninstall Sophos Endpoint software..Copyright 1989-2024 Sophos Limited. All rights reserved.....Run this tool with the --confirm qualifier to uninstall Sophos Endpoint...Example: C:\>SophosZap(1).exe --confirm....Press ENTER to continue . . .

Static File Info

General

File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.594512185963858
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SophosZap(1).exe
File size:3'543'408 bytes
MD5:e8ec1b452253493fee6c02ea1bc8773d
SHA1:059fc237a015cbe1dc644662b500d774cf31f70a
SHA256:55e9754b2cb493134277fc14616e50786e02bc76d32e89d62ff1bb57a88348ae
SHA512:a779792a7760511814c4ac19e852830b9ff7651864a57df618804ecd3da615e041a634dc610327c29dbabcde6decbae16a2bd3f0f1f84a18a1082ee6dbd10599
SSDEEP:49152:6gK/blXzSyrnuguDiOt84bTDx5OsvXUSnncWZ5GALSeZG0zKk4ioS3P1qyv:6gKTFzSencDiOS+TNESBZG31ioS3F
TLSH:4CF58D21ABDD407AE1F6D2749E758B22A17FBC24077086CF33C4072E8D656D19E76B22
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9;..}Z..}Z..}Z..6"..pZ..6"...Z..6"..kZ...$..lZ...$..jZ..6"..tZ..}Z...Z...$...Z..d%..]Z..d%..|Z..}Zq.|Z..d%..|Z..Rich}Z.........

File Icon

Icon Hash:90969696969696a8

Static PE Info

General

Entrypoint:0x416390
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6661BE28 [Thu Jun 6 13:48:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:8256a3557562955829bd8f0eaf5db47d

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 12/01/2023 01:00:00 12/02/2026 00:59:59
Subject Chain
  • CN=Sophos Ltd, OU=Endpoint Security Group, O=Sophos Ltd, L=Abingdon, C=GB, SERIALNUMBER=02096520, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Version:3
Thumbprint MD5:0D88E09CEEF82C1718C347DEF0940593
Thumbprint SHA-1:5628368784201C9B23D2838F7E4A68D8A101AADB
Thumbprint SHA-256:5FE57E24D3E2FECAC0F62C4B9D484FF13B76FEF362AFE51505ACF9B896C4DE0A
Serial:09CA6A31D555EEE418532F4AE4AC38CB
Instruction
call 00007F2414D3B2FEh
jmp 00007F2414D3A5ADh
int3
int3
int3
int3
int3
int3
call 00007F2414D3A767h
push 00000000h
call 00007F2414D3A9F8h
pop ecx
test al, al
je 00007F2414D3A750h
push 00416450h
call 00007F2414D3AB76h
pop ecx
xor eax, eax
ret
push 00000007h
call 00007F2414D3B386h
int3
push esi
push edi
push 00000FA0h
push 004489B0h
call dword ptr [00435108h]
push 00436970h
call dword ptr [00435018h]
mov esi, eax
test esi, esi
jne 00007F2414D3A753h
push 004366F8h
call dword ptr [00435018h]
mov esi, eax
test esi, esi
je 00007F2414D3A788h
push 004369B4h
push esi
call dword ptr [00435014h]
push 004369D0h
push esi
mov edi, eax
call dword ptr [00435014h]
test edi, edi
je 00007F2414D3A754h
test eax, eax
je 00007F2414D3A750h
mov dword ptr [004489C8h], edi
mov dword ptr [004489CCh], eax
pop edi
pop esi
ret
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [00435050h]
mov dword ptr [004489ACh], eax
test eax, eax
jne 00007F2414D3A729h
push 00000007h
call 00007F2414D3B304h
int3
int3
int3
int3
int3
int3
int3
int3
push 004489B0h
call dword ptr [000000ECh]
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x45cd80x28.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x4b0000x315268.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x35e8000x2970
IMAGE_DIRECTORY_ENTRY_BASERELOC0x3610000x2be4.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x41d500x54.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x41dc00x18.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x369f00x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x350000x1d0.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x45c180x40.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x3323a0x3340080b8ec48e847d0ea44477bbaaa1c0da5False0.5365901295731708data6.618901508353795IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x350000x117600x1180008aa760e24af636be8fa21a7dd25a114False0.5008370535714286data5.452909659481047IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x470000x29b00x16000db8ccbe1316d76a85de7b4ca4931d5aFalse0.19691051136363635DOS executable (block device driver \277DN)3.744744808704506IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat0x4a0000x140x2009cb84a29f1cbb209fe24f716f24b11ddFalse0.044921875data0.21310128450968063IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x4b0000x3152680x315400d8394474a18fc8dc1a79b5d713bad86cunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x3610000x2be40x2c0001c95bca5a50469ae68ca8801293bdcbFalse0.7395241477272727GLS_BINARY_LSB_FIRST6.601333916301838IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_RCDATA0x4b1480xef368PE32 executable (console) Intel 80386, for MS Windows0.44047351747675073
RT_RCDATA0x13a4b00x110368PE32+ executable (console) x86-64, for MS Windows0.4464244842529297
RT_RCDATA0x24a8180x115568PE32+ executable (console) Aarch64, for MS Windows0.4079904556274414
RT_VERSION0x35fd800x360dataEnglishUnited States0.46064814814814814
RT_MANIFEST0x3600e00x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143
DLLImport
KERNEL32.dllFindResourceW, GetExitCodeProcess, MultiByteToWideChar, WideCharToMultiByte, GetNativeSystemInfo, GetProcAddress, GetModuleHandleW, ReadFile, GetStdHandle, TerminateProcess, WaitForSingleObject, OpenProcess, CreateProcessW, FindClose, CloseHandle, LocalFree, FindFirstFileExW, FindNextFileW, FreeEnvironmentStringsW, FreeLibrary, CreateEventW, FormatMessageW, LoadLibraryExW, OutputDebugStringA, GetCurrentProcessId, LoadLibraryExA, SetEnvironmentVariableW, SetSearchPathMode, HeapSetInformation, GetProcessHeap, SetDllDirectoryW, LockResource, GetLastError, DuplicateHandle, GetSystemDirectoryW, LoadResource, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, FormatMessageA, GetLocaleInfoEx, CreateDirectoryW, FindFirstFileW, GetFileAttributesW, GetFileAttributesExW, SetFileInformationByHandle, GetTempPathW, AreFileApisANSI, GetFileInformationByHandleEx, GetStringTypeW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, CreateFileW, GetSystemTimeAsFileTime, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, GetFileType, SetStdHandle, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, HeapSize, WriteConsoleW, ReOpenFile, WriteFile, GetCurrentProcess, QueryPerformanceCounter, SizeofResource
DescriptionData
Commentsb3591af05249338cb9d2211b0aa8a74d43ff3d8c
CompanyNameSophos Limited
FileDescriptionSophosZap
FileVersion1.8.60.0
InternalNameSophosZap
LegalCopyrightCopyright 1989-2024 Sophos Limited. All rights reserved.
OriginalFilenameSophosZap
ProductVersion1.8
ProductNameSophosZap
Translation0x0409 0x04b0

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

050100s020406080100

Click to jump to process

Memory Usage

050100s0.005101520MB

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:1
Start time:09:33:11
Start date:22/04/2025
Path:C:\Users\user\Desktop\SophosZap(1).exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SophosZap(1).exe"
Imagebase:0xa0000
File size:3'543'408 bytes
MD5 hash:E8EC1B452253493FEE6C02EA1BC8773D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:2
Start time:09:33:11
Start date:22/04/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7bdef0000
File size:1'040'384 bytes
MD5 hash:9698384842DA735D80D278A427A229AB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

No disassembly