Windows Analysis Report
SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Analysis ID: 1521528
MD5: b954dc27c4bf7b87dcc365ee9e1c99db
SHA1: 405dd8848ecbc7dce62978bf96571d9c2a8bf8f8
SHA256: 5af43067ad6e35eca23cbfe8de88d89984e9f1996625a8bba845669c5f9fb10b
Tags: exe
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 84.3% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_0007DBB1 4_2_0007DBB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_000843C6 4_2_000843C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00076669 4_2_00076669
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00083774 4_2_00083774
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: String function: 000804C0 appears 36 times
One or more processes crash
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 488
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe, 00000004.00000000.2304213204.000000000011A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBuild.exeD vs SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Binary or memory string: OriginalFilenameBuild.exeD vs SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal64.winEXE@3/9@1/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3872
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\196abeed-8e62-4e78-8ffe-0cd99aa368fe Jump to behavior
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 508
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Section loaded: apphelp.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: More than 200 imports for user32.dll
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: More than 200 imports for kernel32.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_0007B0F2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0007B0F2
PE file contains an invalid checksum
Source: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Static PE information: real checksum: 0xc43c0 should be: 0xc7e5d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00078100 push eax; ret 4_2_00078114
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00078100 push eax; ret 4_2_0007813C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_000804FB push ecx; ret 4_2_0008050B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00078EE9 push ss; ret 4_2_00078F47
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to detect virtual machines (STR)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00075E71 str word ptr [ecx-275CF5FCh] 4_2_00075E71
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe API coverage: 1.3 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00071762 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 4_2_00071762
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_0007B0F2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0007B0F2
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: GetLocaleInfoA, 4_2_0007846D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_0007EEE8 __lock,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 4_2_0007EEE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe Code function: 4_2_00081596 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA, 4_2_00081596
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521528 Sample: SecuriteInfo.com.Trojan.Swi... Startdate: 28/09/2024 Architecture: WINDOWS Score: 64 13 tse1.mm.bing.net 2->13 15 ax-0001.ax-msedge.net 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 Machine Learning detection for sample 2->21 23 AI detected suspicious sample 2->23 7 SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe 2->7         started        signatures3 process4 process5 9 WerFault.exe 22 16 7->9         started        11 WerFault.exe 2 16 7->11         started       
No contacted IP infos

Contacted Domains

Name IP Active
ax-0001.ax-msedge.net 150.171.28.10 true
tse1.mm.bing.net unknown unknown