Manalyze report for b32c80d7fc2f50b327554620912bd7c68b7aeda5e05d1f4706bd96aa79bea3dd

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Jan-23 18:12:50
Detected languages	English - United States
Debug artifacts	CyptInMemory.pdb
LegalCopyright	Â© Zoom Video Communications, Inc. All rights reserved.
CompanyName	Zoom Video Communications, Inc.
FileDescription	Zoom Installer
OriginalFilename	ZoomInstaller.exe
InternalName	ZoomInstaller
ProductVersion	`3.43.282`
ProductName	Zoom Meeting
FileVersion	`3.43.282`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect`
Suspicious	The file contains overlay data.	`181760 bytes of data starting at offset 0x9d3a00.`
Malicious	VirusTotal score: 41/70 (Scanned on 2026-05-03 12:04:15)	`ALYac: Gen:Variant.fragtor.922142` `AVG: Win32:MalwareX-gen [Pws]` `AhnLab-V3: Trojan/Win.Generic.R757478` `Antiy-AVL: Trojan/Win32.GenKryptik` `Arcabit: Trojan.fragtor.DE121E` `Avast: Win32:MalwareX-gen [Pws]` `BitDefender: Gen:Variant.fragtor.922142` `Bkav: W32.AIDetectMalware` `CTX: exe.trojan.fragtor` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Generik.JYSHCJO trojan` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.fragtor.922142 (B)` `GData: Gen:Variant.fragtor.922142` `Google: Detected` `Gridinsoft: Trojan.Win32.Wacatac.cl` `Ikarus: Trojan.Win64.Crypt` `Kaspersky: UDS:DangerousObject.Multi.Generic` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Spyware.Passwordstealer.RST` `MaxSecure: Trojan.Malware.581888162.susgen` `McAfeeD: Trojan:Win/Midie.EAW` `MicroWorld-eScan: Gen:Variant.fragtor.922142` `Microsoft: Trojan:Win32/Egairtigado!rfn` `Paloalto: generic.ml` `Rising: Trojan.Kryptik@AI.100 (RDML:JIO+GM8kL29SuBrZHGrJ6A)` `Sangfor: Trojan.Win32.Fragtor.Vv1f` `Skyhigh: BehavesLike.Win32.Rootkit.vt` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `TrellixENS: Artemis!62B944AFB915` `TrendMicro: TrojanSpy.Win32.SALATSTEALER.YXGAZZ` `TrendMicro-HouseCall: TrojanSpy.Win32.SALATSTEALER.YXGAZZ` `VIPRE: Gen:Variant.fragtor.922142` `Varist: W32/ABTrojan.SSNS-4317` `Webroot: Win.Trojan.Gen` `alibabacloud: Trojan:Win/Wacatac.B9nj`

Hashes

MD5	`62b944afb915965ce38206c4d160c71e`
SHA1	`7e48214f9bc6ab8892d98d44cbc7c48a95c1f3e2`
SHA256	`b32c80d7fc2f50b327554620912bd7c68b7aeda5e05d1f4706bd96aa79bea3dd`
SHA3	`556ac6b3a362a69d40be03bdb75b491bc9cc6a579eee762a8715d844d26f4c14`
SSDeep	`49152:sLGiOciPreU0fz8HEPgRqBfe59hwkokcMN6FOSpHzu+PxgD+L7qjrTeTo2WN2+s:s+e3fz8`
Imports Hash	`652c45169574bb54d0e1b5b4f6fb8a9f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2026-Jan-23 18:12:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x22200`
SizeOfInitializedData	`0x9b1e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000136D4 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x24000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x9d9000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3231efeb3db3724ca89987c21fe7b32c`
SHA1	`bd2ccd98494df8a6048f952ee0626a476152a21c`
SHA256	`f269b202fe13f26f2083019c6461073d373bd1a0151d539084a2c3c49554a56a`
SHA3	`98ffa2e9c727a61337d8b2203378df18d9c9f46f14ac2443d361dada7f40bef5`
VirtualSize	`0x22200`
VirtualAddress	`0x1000`
SizeOfRawData	`0x22200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.63016`

.rdata

MD5	`dd1f299ee5eb27f507af2c3d5336254a`
SHA1	`8885996869bcceb34e586b53a47f8a118ac80ee3`
SHA256	`f78643656f594f6716e0b908907cb2d3dcb4723d95326ab126343dbb07877475`
SHA3	`7505ac3359898feead59ccb3c3f159a5f98197c5c0a2bed015e9ea25c9e829ac`
VirtualSize	`0x9476ec`
VirtualAddress	`0x24000`
SizeOfRawData	`0x947800`
PointerToRawData	`0x22600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.66788`

.data

MD5	`5671db23926b3d25e0df30f8dc094698`
SHA1	`39904cb6633499a001b6a00bf9c8c360389318f7`
SHA256	`a7391ca72f129fb7cf2afa3bd3a389bf046c7c62178ae725744fb8c0a57508a4`
SHA3	`1c5af33e3ab408119982f225a7157b6cff5781736e7bbf5c9c3d2f3a51b0ea45`
VirtualSize	`0x13a0`
VirtualAddress	`0x96c000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x969e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.14615`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x80`
VirtualAddress	`0x96e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x96a800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`14333c336bdcbe3f70e29987dc13b637`
SHA1	`81bf7e8f991e64d9c2f761874fa0e321b45046c0`
SHA256	`cef2cc129509ccc7ec46ca912e813fd0a6c5bcc1ad884336481f025e30981cce`
SHA3	`aa5d85edad557deec0bdd0cfceb0c4c93e988224a48de6474b496892659b4a3a`
VirtualSize	`0x510`
VirtualAddress	`0x96f000`
SizeOfRawData	`0x600`
PointerToRawData	`0x96aa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.46975`

.reloc

MD5	`d20c01028909d03341f393b36686688f`
SHA1	`027aa0139b7fc6a91680f78fac0134d292552056`
SHA256	`8240f6bc99b3f298b85b644c18be6a89a755e8a45d6263ab93c8f1f103070e35`
SHA3	`a8d2cf038511a83fa1ec1cd44973759cfb422d7f419f875dc2783ba8c89d1525`
VirtualSize	`0x68878`
VirtualAddress	`0x970000`
SizeOfRawData	`0x68a00`
PointerToRawData	`0x96b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.95818`

Imports

api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress` `WakeByAddressAll` `WakeByAddressSingle`
KERNEL32.dll	`GetModuleHandleW` `CreateFileW` `GetProcessHeap` `HeapFree` `GlobalMemoryStatusEx` `GetSystemInfo` `HeapReAlloc` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `GetCurrentThread` `GetLastError` `SetLastError` `GetEnvironmentVariableW` `GetStdHandle` `GetConsoleMode` `GetConsoleOutputCP` `WaitForSingleObject` `CloseHandle` `MultiByteToWideChar` `WriteConsoleW` `GetCurrentThreadId` `GetCurrentDirectoryW` `GetCurrentProcess` `RtlCaptureContext` `GetProcAddress` `ReleaseMutex` `WaitForSingleObjectEx` `LoadLibraryA` `lstrlenW` `GetCurrentProcessId` `CreateMutexA` `WideCharToMultiByte` `HeapAlloc` `GetModuleHandleA` `GetNativeSystemInfo` `VirtualAlloc` `VirtualProtect` `VirtualFree` `FreeLibrary` `IsBadReadPtr` `SetFilePointerEx` `FlushFileBuffers` `HeapSize` `LCMapStringW` `CompareStringW` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetStartupInfoW` `IsProcessorFeaturePresent` `DecodePointer` `TerminateProcess` `RtlUnwind` `EncodePointer` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `LoadLibraryExW` `RaiseException` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetFileType` `GetStringTypeW` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `InitializeCriticalSectionEx`
USER32.dll	`GetCursorPos` `SetRect` `GetSystemMetrics`
ntdll.dll	`RtlNtStatusToDosError` `NtWriteFile`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x348`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32379`
MD5	`10b16c28666bc84f93fb6d2af841be63`
SHA1	`99de1e942caf63f971b5034ba8221b2ed62c6616`
SHA256	`ac05f7af1366ddc662776a0f85f4860e3024c324fb4f85b28c9ae4af27191a46`
SHA3	`fb53ab41a05aa9d2a8fd9d5c0c0f9dd017d6cb0930487ac70cf48253b6f61513`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x126`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.73923`
MD5	`640d29f28adf0a357c65252c3e4a9178`
SHA1	`493abdf6a42f821f64b903a4c9a5023184656fc8`
SHA256	`3662a189c5e707c59e52500b05f5814d03ef3c89361f6b0a517c3bea4c3e03e6`
SHA3	`e8873a16257a592fea2df2fa0388db8095c071bb622c9074216d8fd6174e24e7`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
LegalCopyright	Â© Zoom Video Communications, Inc. All rights reserved.
CompanyName	Zoom Video Communications, Inc.
FileDescription	Zoom Installer
OriginalFilename	ZoomInstaller.exe
InternalName	ZoomInstaller
ProductVersion (#2)	3.43.282
ProductName	Zoom Meeting
FileVersion (#2)	3.43.282

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-Jan-23 18:12:50
Version	`0.0`
SizeofData	`41`
AddressOfRawData	`0x969d0c`
PointerToRawData	`0x96830c`
Referenced File	CyptInMemory.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-Jan-23 18:12:50
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x969d38`
PointerToRawData	`0x968338`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Jan-23 18:12:50
Version	`0.0`
SizeofData	`940`
AddressOfRawData	`0x969d4c`
PointerToRawData	`0x96834c`

TLS Callbacks

StartAddressOfRawData	`0xd6a108`
EndAddressOfRawData	`0xd6a120`
AddressOfIndex	`0xd6ca08`
AddressOfCallbacks	`0x4241d4`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0xd6c080`
SEHandlerTable	`0xd69bb4`
SEHandlerCount	`40`

RICH Header

XOR Key	`0x57ab3c89`
Unmarked objects	`0`
ASM objects (33145)	`13`
C++ objects (33145)	`146`
C objects (33145)	`19`
ASM objects (35207)	`21`
C objects (35207)	`17`
C++ objects (35207)	`39`
Imports (33145)	`7`
Total imports	`116`
C objects (35222)	`1`
Unmarked objects (#2)	`4`
Resource objects (35222)	`1`
Linker (35222)	`1`

Errors

Leave a comment

No comments yet.