Edit tour

Windows Analysis Report
SophosZap(1).exe

Overview

General Information

Sample name:SophosZap(1).exe
Analysis ID:1671067
MD5:e8ec1b452253493fee6c02ea1bc8773d
SHA1:059fc237a015cbe1dc644662b500d774cf31f70a
SHA256:55e9754b2cb493134277fc14616e50786e02bc76d32e89d62ff1bb57a88348ae
Infos:

Detection

Score:2
Range:0 - 100
Confidence:80%

Signatures

PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w11x64_office
  • SophosZap(1).exe (PID: 3164 cmdline: "C:\Users\user\Desktop\SophosZap(1).exe" MD5: E8EC1B452253493FEE6C02EA1BC8773D)
    • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SophosZap(1).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SophosZap(1).exeStatic PE information: certificate valid
Source: SophosZap(1).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\x64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdbc source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\ARM64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SophosZap(1).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SophosZap(1).exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0A
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0C
Source: SophosZap(1).exeString found in binary or memory: http://ocsp.digicert.com0X
Source: SophosZap(1).exeString found in binary or memory: http://www.digicert.com/CPS0
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SophosZap(1).exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Aarch64, for MS Windows
Source: SophosZap(1).exe, 00000001.00000000.2859872875.00000000000EB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSophosZapHelper, vs SophosZap(1).exe
Source: SophosZap(1).exe, 00000001.00000000.2859872875.00000000000EB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSophosZap, vs SophosZap(1).exe
Source: SophosZap(1).exeBinary or memory string: OriginalFilenameSophosZapHelper, vs SophosZap(1).exe
Source: SophosZap(1).exeBinary or memory string: OriginalFilenameSophosZap, vs SophosZap(1).exe
Source: SophosZap(1).exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: clean2.winEXE@2/1@0/0
Source: SophosZap(1).exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SophosZap(1).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SophosZap(1).exe "C:\Users\user\Desktop\SophosZap(1).exe"
Source: C:\Users\user\Desktop\SophosZap(1).exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SophosZap(1).exeSection loaded: apphelp.dllJump to behavior
Source: SophosZap(1).exeStatic PE information: certificate valid
Source: SophosZap(1).exeStatic file information: File size 3543408 > 1048576
Source: SophosZap(1).exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x315400
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SophosZap(1).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SophosZap(1).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\x64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Output\SophosZap.pdbc source: SophosZap(1).exe
Source: Binary string: C:\workspace\_bin\ARM64\Release\Output\SophosZapHelper.pdb source: SophosZap(1).exe
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SophosZap(1).exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SophosZap(1).exeStatic PE information: section name: .didat
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
Process Injection
1
Process Injection
OS Credential Dumping1
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
DLL Side-Loading
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1671067 Sample: SophosZap(1).exe Startdate: 22/04/2025 Architecture: WINDOWS Score: 2 5 SophosZap(1).exe 1 2->5         started        process3 7 conhost.exe 5->7         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
SophosZap(1).exe0%VirustotalBrowse
SophosZap(1).exe0%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1671067
Start date and time:2025-04-22 15:32:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SophosZap(1).exe
Detection:CLEAN
Classification:clean2.winEXE@2/1@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 172.202.163.200
  • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
Process:C:\Users\user\Desktop\SophosZap(1).exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):264
Entropy (8bit):4.956898676378702
Encrypted:false
SSDEEP:6:nNWYYFwBREB7kJlXz+PXthNTa1rTFAyIB5U7kJl/GoWxI1+jxymaDN:njoW1cZa1f6yE1/GoSx2N
MD5:7C444E2CC5B14205C210EBD963EA82C1
SHA1:47D0D43F3657E2D3202A902A91F204C99D847D45
SHA-256:50828E50CC9CF4CA51E67ACAC5EB0818F88B4F7C797F795704F38E746478F8C4
SHA-512:B373E10756B56909E8B8A320984B495A288C6AEEA673482285B0BF0E6410FDEEDB79D37370C1758D2E388C4E77FDCAE03C310298F0E1883645FEB88FAF653AAD
Malicious:false
Reputation:low
Preview:SophosZap v1.8.60.0 - Uninstall Sophos Endpoint software..Copyright 1989-2024 Sophos Limited. All rights reserved.....Run this tool with the --confirm qualifier to uninstall Sophos Endpoint...Example: C:\>SophosZap(1).exe --confirm....Press ENTER to continue . . .
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.594512185963858
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SophosZap(1).exe
File size:3'543'408 bytes
MD5:e8ec1b452253493fee6c02ea1bc8773d
SHA1:059fc237a015cbe1dc644662b500d774cf31f70a
SHA256:55e9754b2cb493134277fc14616e50786e02bc76d32e89d62ff1bb57a88348ae
SHA512:a779792a7760511814c4ac19e852830b9ff7651864a57df618804ecd3da615e041a634dc610327c29dbabcde6decbae16a2bd3f0f1f84a18a1082ee6dbd10599
SSDEEP:49152:6gK/blXzSyrnuguDiOt84bTDx5OsvXUSnncWZ5GALSeZG0zKk4ioS3P1qyv:6gKTFzSencDiOS+TNESBZG31ioS3F
TLSH:4CF58D21ABDD407AE1F6D2749E758B22A17FBC24077086CF33C4072E8D656D19E76B22
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9;..}Z..}Z..}Z..6"..pZ..6"...Z..6"..kZ...$..lZ...$..jZ..6"..tZ..}Z...Z...$...Z..d%..]Z..d%..|Z..}Zq.|Z..d%..|Z..Rich}Z.........
Icon Hash:90969696969696a8
Entrypoint:0x416390
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6661BE28 [Thu Jun 6 13:48:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:8256a3557562955829bd8f0eaf5db47d
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 12/01/2023 01:00:00 12/02/2026 00:59:59
Subject Chain
  • CN=Sophos Ltd, OU=Endpoint Security Group, O=Sophos Ltd, L=Abingdon, C=GB, SERIALNUMBER=02096520, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Version:3
Thumbprint MD5:0D88E09CEEF82C1718C347DEF0940593
Thumbprint SHA-1:5628368784201C9B23D2838F7E4A68D8A101AADB
Thumbprint SHA-256:5FE57E24D3E2FECAC0F62C4B9D484FF13B76FEF362AFE51505ACF9B896C4DE0A
Serial:09CA6A31D555EEE418532F4AE4AC38CB
Instruction
call 00007F2414D3B2FEh
jmp 00007F2414D3A5ADh
int3
int3
int3
int3
int3
int3
call 00007F2414D3A767h
push 00000000h
call 00007F2414D3A9F8h
pop ecx
test al, al
je 00007F2414D3A750h
push 00416450h
call 00007F2414D3AB76h
pop ecx
xor eax, eax
ret
push 00000007h
call 00007F2414D3B386h
int3
push esi
push edi
push 00000FA0h
push 004489B0h
call dword ptr [00435108h]
push 00436970h
call dword ptr [00435018h]
mov esi, eax
test esi, esi
jne 00007F2414D3A753h
push 004366F8h
call dword ptr [00435018h]
mov esi, eax
test esi, esi
je 00007F2414D3A788h
push 004369B4h
push esi
call dword ptr [00435014h]
push 004369D0h
push esi
mov edi, eax
call dword ptr [00435014h]
test edi, edi
je 00007F2414D3A754h
test eax, eax
je 00007F2414D3A750h
mov dword ptr [004489C8h], edi
mov dword ptr [004489CCh], eax
pop edi
pop esi
ret
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [00435050h]
mov dword ptr [004489ACh], eax
test eax, eax
jne 00007F2414D3A729h
push 00000007h
call 00007F2414D3B304h
int3
int3
int3
int3
int3
int3
int3
int3
push 004489B0h
call dword ptr [000000ECh]
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x45cd80x28.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x4b0000x315268.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x35e8000x2970
IMAGE_DIRECTORY_ENTRY_BASERELOC0x3610000x2be4.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x41d500x54.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x41dc00x18.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x369f00x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x350000x1d0.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x45c180x40.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x3323a0x3340080b8ec48e847d0ea44477bbaaa1c0da5False0.5365901295731708data6.618901508353795IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x350000x117600x1180008aa760e24af636be8fa21a7dd25a114False0.5008370535714286data5.452909659481047IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x470000x29b00x16000db8ccbe1316d76a85de7b4ca4931d5aFalse0.19691051136363635DOS executable (block device driver \277DN)3.744744808704506IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat0x4a0000x140x2009cb84a29f1cbb209fe24f716f24b11ddFalse0.044921875data0.21310128450968063IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x4b0000x3152680x315400d8394474a18fc8dc1a79b5d713bad86cunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x3610000x2be40x2c0001c95bca5a50469ae68ca8801293bdcbFalse0.7395241477272727GLS_BINARY_LSB_FIRST6.601333916301838IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_RCDATA0x4b1480xef368PE32 executable (console) Intel 80386, for MS Windows0.44047351747675073
RT_RCDATA0x13a4b00x110368PE32+ executable (console) x86-64, for MS Windows0.4464244842529297
RT_RCDATA0x24a8180x115568PE32+ executable (console) Aarch64, for MS Windows0.4079904556274414
RT_VERSION0x35fd800x360dataEnglishUnited States0.46064814814814814
RT_MANIFEST0x3600e00x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143
DLLImport
KERNEL32.dllFindResourceW, GetExitCodeProcess, MultiByteToWideChar, WideCharToMultiByte, GetNativeSystemInfo, GetProcAddress, GetModuleHandleW, ReadFile, GetStdHandle, TerminateProcess, WaitForSingleObject, OpenProcess, CreateProcessW, FindClose, CloseHandle, LocalFree, FindFirstFileExW, FindNextFileW, FreeEnvironmentStringsW, FreeLibrary, CreateEventW, FormatMessageW, LoadLibraryExW, OutputDebugStringA, GetCurrentProcessId, LoadLibraryExA, SetEnvironmentVariableW, SetSearchPathMode, HeapSetInformation, GetProcessHeap, SetDllDirectoryW, LockResource, GetLastError, DuplicateHandle, GetSystemDirectoryW, LoadResource, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, FormatMessageA, GetLocaleInfoEx, CreateDirectoryW, FindFirstFileW, GetFileAttributesW, GetFileAttributesExW, SetFileInformationByHandle, GetTempPathW, AreFileApisANSI, GetFileInformationByHandleEx, GetStringTypeW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, CreateFileW, GetSystemTimeAsFileTime, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, GetFileType, SetStdHandle, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, HeapSize, WriteConsoleW, ReOpenFile, WriteFile, GetCurrentProcess, QueryPerformanceCounter, SizeofResource
DescriptionData
Commentsb3591af05249338cb9d2211b0aa8a74d43ff3d8c
CompanyNameSophos Limited
FileDescriptionSophosZap
FileVersion1.8.60.0
InternalNameSophosZap
LegalCopyrightCopyright 1989-2024 Sophos Limited. All rights reserved.
OriginalFilenameSophosZap
ProductVersion1.8
ProductNameSophosZap
Translation0x0409 0x04b0
Language of compilation systemCountry where language is spokenMap
EnglishUnited States
No network behavior found
050100s020406080100

Click to jump to process

050100s0.005101520MB

Click to jump to process

Click to jump to process

Target ID:1
Start time:09:33:11
Start date:22/04/2025
Path:C:\Users\user\Desktop\SophosZap(1).exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SophosZap(1).exe"
Imagebase:0xa0000
File size:3'543'408 bytes
MD5 hash:E8EC1B452253493FEE6C02EA1BC8773D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:2
Start time:09:33:11
Start date:22/04/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7bdef0000
File size:1'040'384 bytes
MD5 hash:9698384842DA735D80D278A427A229AB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

No disassembly