Windows
Analysis Report
SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe (PID: 3872 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe" MD5: B954DC27C4BF7B87DCC365EE9E1C99DB)
  - WerFault.exe (PID: 5880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 2996 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 508 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Code function: | 4_2_0007DBB1 | |
Source: | Code function: | 4_2_000843C6 | |
Source: | Code function: | 4_2_00076669 | |
Source: | Code function: | 4_2_00083774 |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 4_2_0007B0F2 |
Source: | Static PE information: |
Source: | Code function: | 4_2_00078114 | |
Source: | Code function: | 4_2_0007813C | |
Source: | Code function: | 4_2_0008050B | |
Source: | Code function: | 4_2_00078F47 |
Source: | Process information set: |
Source: | Code function: | 4_2_00075E71 |
Source: | Evasive API call chain: | graph_4-12524 |
Source: | API coverage: |
Source: | Code function: | 4_2_00071762 |
Source: | Binary or memory string: | ||
Source: | API call chain: | graph_4-12529 | ||
Source: | API call chain: | graph_4-12543 |
Source: | Process queried: |
Source: | Code function: | 4_2_0007B0F2 |
Source: | Code function: | 4_2_0007846D |
Source: | Code function: | 4_2_0007EEE8 |
Source: | Code function: | 4_2_00081596 |
Source: | Binary or memory string: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
68% | ReversingLabs | Win32.Trojan.Swizzor | ||
100% | Avira | TR/Dldr.Swizzor.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | unknown | |
tse1.mm.bing.net | unknown | unknown | false | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1521528 |
Start date and time: | 2024-09-28 22:24:13 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
Detection: | MAL |
Classification: | mal64.winEXE@3/9@1/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, mm-mm.bing.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com
- VT rate limit hit for: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Time | Type | Description |
---|---|---|
16:25:29 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ax-0001.ax-msedge.net | | | malicious | HTMLPhisher | | |
| | | malicious | Unknown | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7dd5f59ad4b8c3eff5e6cb56669dac635af4597_e30bf782_3c08e170-e099-426f-ab81-7dafb72511c7\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8313649670480145 |
Encrypted: | false |
SSDEEP: | 96:kYtF03RzfSszlcRfZncQXIDcQjc6qcElcw3D+HbHg/LAeugih88WpENEg92MbC4P:R2RzS909uP8jXIqzuiFMZ24IO8l |
MD5: | 7FBF214B51065C40645A8741A42B1E56 |
SHA1: | A0C0ECEA6CCFFA01D196255DA2D3D89A136731C1 |
SHA-256: | 13F80E0085CE89684DB11F0AFD79AAAD35D3F9E8C3FD64D7AB371B94113F42E9 |
SHA-512: | 48EEBCC3439C1AC4CF2D47BC9F1E59DB05F2EB22626371D3F0E169F3B5959FD0D374E9F41B1DF14DF32DBF21EB495D76E0590A4440FE5B7837415FEED614DE39 |
Malicious: | false |
Reputation: | low |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9f8a51d2e97124c38f6ead774f7a4d26f0c08f_e30bf782_44600bb9-7195-4d8d-b9e1-633f0683a2ec\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8265425130407492 |
Encrypted: | false |
SSDEEP: | 96:gAFNWITzfAszlc1yDfmQXIDcQjc6qcElcw3D+HbHg/LAeugih88WpENEg92MbC4P:9XWITzA809uP8jXIqzuiFMZ24IO8l |
MD5: | 21A80604732596906AAD9DCF30ABD15E |
SHA1: | 7497EE6521C5D4C9D846BBCC9D842338AFF614D3 |
SHA-256: | B4D2A8758B9D96B682D78709050588973F2FFE7358456A4FFCDE788EC0F4B011 |
SHA-512: | EF40CF3119824EB40397E23FE6F424A64ED7719311795428466AA7C4B1FF0E36E38BCDE30F4997B0B2AD36F9AF60E6303D94EA73B9F07754CEBC274003E8201C |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 590468 |
Entropy (8bit): | 0.9240539913405436 |
Encrypted: | false |
SSDEEP: | 3072:5blKVJodpfavdwQQeZ9h6rpq+IvUWcJxCbyCrwyznpEB/RumDwHDvej90nkqR2Qm:lrH |
MD5: | D8A580B67519AA07BD882B7B4AE458C8 |
SHA1: | 361B381D26EE839FC82CA851BD9DBE9A8F372E03 |
SHA-256: | 1AF2FC6234384546853E28BB7A2FB0FFF4B0B7BB9117FEA8FF4062F9B74B13B3 |
SHA-512: | DE2A19F5F11D7894E8D4478F8F69AC555E17CCBA47DC0DCD2AA24061E2BBC104C91E69CEE38BCFE2C425F23D977F3E614640670DFBDC23C52DE658A4AF558AC1 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8524 |
Entropy (8bit): | 3.699619899734924 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJxg6NF6Y2DZSUuEEgmfnan6pr/89b8IsfLUm:R6lXJ26P6YkSUhEgmfnK87fd |
MD5: | F62DE14DAB6AF0D9833358068D964497 |
SHA1: | 6892CDB5132C69387DDCADC7B1E95D532C169820 |
SHA-256: | F936A8FC18E2601FA0EE0B66C0DF3D1D54A7B6CB6F3C73DA454D0FBBB18CE06F |
SHA-512: | 31410B636ADEE71F42CE12201B63E15DB849288C2385B5D7FDCE72098E5D8877629E994DD45E204DD432DA34D779CA01A43BC777333A14442A7DE2D691621D67 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4909 |
Entropy (8bit): | 4.578232891977028 |
Encrypted: | false |
SSDEEP: | 96:uIjf2I7uG7VoJ6PJQ1bqXYBl+VPvumuhRd:uIqYuG7y6PJQ1mXYBl+1vumuhv |
MD5: | 3DE66D160515C3887BEF17604476A9DF |
SHA1: | 2D352162A79671B3CA6FB5EB0E4166CFB17A86A4 |
SHA-256: | 9282C3C080903F73F2BC5AB449C9CB81C04FA444B9856AEB3E24F1DE725D0CD3 |
SHA-512: | 0246C27FBBC479A441065356A2D5CDA29D262C0D198A79E7A41C98BC3E1670FC738A89FB28C27CE71374D7D893AA5777740CFA0FAB94DEDAAB70E04367B60511 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 586736 |
Entropy (8bit): | 0.9189702916923299 |
Encrypted: | false |
SSDEEP: | 3072:3GKVJodpfavdwQQeZ9h6rpq+IvUWcJxCbyCrwyznpEB/RumDwHDvej90nkqR2QWR:erH3 |
MD5: | 8D06F1DB4CCA6064F56FF67B7E569419 |
SHA1: | 45AB75B3C9D0C0DBE7C138466EE0DED5AB3EF45E |
SHA-256: | 77651D3D9E9E73437E5EBF2AD20BDF83455E752BFBC9C64CF259263307EC3D88 |
SHA-512: | B8333AFEE8102B18008A3BA4BE40CC79592A3FD57751891CC0DBFA3EA96E3B52552C2BCDEBF2F0496A3F50310DED39608A56F04F383CC30E2B169872B1CA8725 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8454 |
Entropy (8bit): | 3.6988572533357877 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJxE6qF6Y2DWSUE4TgmfIJ1an6pDB89b7IsfmWIkpm:R6lXJS6A6YrSUTTgmfIJ1M77fhI3 |
MD5: | E96B35C89B618D6BAC9114AB24F2EA99 |
SHA1: | 3408BB4ECD0DD90358416D3132A66D04EE1F8EB2 |
SHA-256: | AAB39CA72C330C01B42D656061A9D0B8B1D46FCD00904935A84DDC7051BE68E3 |
SHA-512: | 368DBAD43635CE3CD0CDE816FA90E9005BC28DECD713084C59C6D0CDC8DF8C956B400EE7A5FB63777794AC67D2E95D0A305D39C9B70BC47A8E23E14B731FA9DB |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4839 |
Entropy (8bit): | 4.544877028261893 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zswtJg77aI903WpW8VYBYm8M4J6PJa2Fk+q8pXHp+VJdvunmuhRd:uIjf2I7uG7VFJ6PJeqXJ+VPvumuhRd |
MD5: | 6AB6BC042CA4A0C198EA68980ECDB557 |
SHA1: | 769394818F9010DABB512AE7B5881128CDBBB1B9 |
SHA-256: | 15066D03D2E83DFC9CFDD9DC79D7DC7C31482A457D15D6D46ACF84084FC73D78 |
SHA-512: | 1D73D721FA1B59BA98C4707FABD565BF870AE7D16790B51BB30E6F153983CD58ECBE63A5C63C6D9F7D9C06DE0CAC47B61B4BAF3C2969F5976581FB22A288557D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.469007815916115 |
Encrypted: | false |
SSDEEP: | 6144:HzZfpi6ceLPx9skLmb0faZWSP3aJG8nAgeiJRMMhA2zX4WABluuNOjDH5S:TZHtaZWOKnMM6bFpkj4 |
MD5: | C988162B2314CE43577FFFF15F2FAEB1 |
SHA1: | 04964741570916A1E3C4EE025AE533C00F514F02 |
SHA-256: | C63C9648258CE9420FBDD672F19812DA671202BA6E32509E78221B619BAF7C43 |
SHA-512: | 6AFCF957D0CF363203B5B12DC08073D3B35233B567E74E9C7492D9C181BCDEA35FCD49B795C1B0A3C80E642E43E782CFE3E317EB80FF94D1B4C54BA46E3D4ABA |
Malicious: | false |
Entropy (8bit): | 7.688944481915534 |
File name: | SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
File size: | 753'664 bytes |
MD5: | b954dc27c4bf7b87dcc365ee9e1c99db |
SHA1: | 405dd8848ecbc7dce62978bf96571d9c2a8bf8f8 |
SHA256: | 5af43067ad6e35eca23cbfe8de88d89984e9f1996625a8bba845669c5f9fb10b |
SHA512: | 93e4422a32f9ead610ac73d6cca7c06f174806ab8df79d0c9fe7a5913dd6063ca8331a93c7080845792d73f6ede54ca44600bfdf1601c0622884763c7eea3150 |
SSDEEP: | 12288:gj+jvIbgM7h8PzDlHkXOUoWwUF3g6jYc8dn9/Xp+2bqwldnBZP4OsRI+hRC:gj+8biPzDlHxUZG6j2dhZ+Y3jBZP4RIA |
TLSH: | BFF40122B3C2D0B5D1C30F7469AA97108B30FDFB53B5550B79A25B8ACD72BA05E43B52 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..KJ..KJ..KJ..+h..IJ..l...HJ...j..JJ...B..JJ...B..JJ..XB..JJ..l...JJ...i..JJ..NF..JJ..NF..JJ...U..JJ..l...JJ..NF..JJ..RichKJ. |
Icon Hash: | 6623594c45050301 |
Entrypoint: | 0x81596 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x70000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4724F87D [Sun Oct 28 21:00:45 2007 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 30d06e7f8bbe31666f40bdb01f63380e |
Instruction |
---|
push 00000060h |
push 000E6F30h |
call 00007F58290841F3h |
mov edi, 00000094h |
mov eax, edi |
call 00007F582907BE27h |
mov dword ptr [ebp-18h], esp |
mov esi, esp |
mov dword ptr [esi], edi |
push esi |
call dword ptr [00087790h] |
mov ecx, dword ptr [esi+10h] |
mov dword ptr [000FE3BCh], ecx |
mov eax, dword ptr [esi+04h] |
mov dword ptr [000FE3C8h], eax |
mov edx, dword ptr [esi+08h] |
mov dword ptr [000FE3CCh], edx |
mov esi, dword ptr [esi+0Ch] |
and esi, 00007FFFh |
mov dword ptr [000FE3C0h], esi |
cmp ecx, 02h |
je 00007F58290852DEh |
or esi, 00008000h |
mov dword ptr [000FE3C0h], esi |
shl eax, 08h |
add eax, edx |
mov dword ptr [000FE3C4h], eax |
xor esi, esi |
push esi |
mov edi, dword ptr [000875F8h] |
call edi |
cmp word ptr [eax], 5A4Dh |
jne 00007F58290852F1h |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
cmp dword ptr [ecx], 00004550h |
jne 00007F58290852E4h |
movzx eax, word ptr [ecx+18h] |
cmp eax, 0000010Bh |
je 00007F58290852F1h |
cmp eax, 0000020Bh |
je 00007F58290852D7h |
mov dword ptr [ebp-1Ch], esi |
jmp 00007F58290852F9h |
cmp dword ptr [ecx+00000084h], 0Eh |
jbe 00007F58290852C4h |
xor eax, eax |
cmp dword ptr [ecx+000000F8h], esi |
jmp 00007F58290852E0h |
cmp dword ptr [ecx+74h], 0Eh |
jbe 00007F58290852B4h |
xor eax, eax |
cmp dword ptr [ecx+000000E8h], esi |
setne al |
mov dword ptr [ebp-1Ch], eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88214 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0xd6fc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17958 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x958 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x15e78 | 0x16000 | 3e777ec457934acbae462db3954e7cdd | False | 0.6765913529829546 | data | 6.682217353526458 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x17000 | 0x745ed | 0x75000 | ff729987c895b9f0cc1b8779b7e59245 | False | 0.9185717982104701 | data | 7.952820554625134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x8c000 | 0x1d058 | 0x1e000 | bd9124e6bdf88aad7f3f486809dc3300 | False | 0.8010579427083333 | data | 7.228953730445401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xaa000 | 0xd6fc | 0xe000 | 10a5d0e4c4165d4f07d19f9897aaf881 | False | 0.34139578683035715 | data | 5.494393495853644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0xaa688 | 0x2e90 | Device independent bitmap graphic, 165 x 24 x 24, image size 0 | English | United States | 0.17181208053691274 |
RT_ICON | 0xad518 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.22073170731707317 |
RT_ICON | 0xadb80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5101351351351351 |
RT_ICON | 0xadca8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5575692963752665 |
RT_ICON | 0xaeb50 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6163294797687862 |
RT_ICON | 0xaf0b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.3403526970954357 |
RT_ICON | 0xb1660 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.47701688555347094 |
RT_ICON | 0xb2708 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 0 | English | United States | 0.4527777777777778 |
RT_ICON | 0xb33b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.45286116322701686 |
RT_MENU | 0xb4458 | 0x3ca | data | English | United States | 0.48556701030927835 |
RT_MENU | 0xb4824 | 0x22e | data | English | United States | 0.514336917562724 |
RT_MENU | 0xb4a54 | 0x3e8 | data | English | United States | 0.462 |
RT_MENU | 0xb4e3c | 0x422 | data | English | United States | 0.46313799621928164 |
RT_MENU | 0xb5260 | 0x398 | Matlab v4 mat-file (little endian) &, numeric, rows 2490384, columns 7602249, imaginary | English | United States | 0.48043478260869565 |
RT_MENU | 0xb55f8 | 0x88 | data | English | United States | 0.7352941176470589 |
RT_DIALOG | 0xb5680 | 0x1f8 | data | English | United States | 0.5674603174603174 |
RT_DIALOG | 0xb5878 | 0x210 | data | English | United States | 0.5397727272727273 |
RT_DIALOG | 0xb5a88 | 0x1b0 | data | English | United States | 0.5555555555555556 |
RT_DIALOG | 0xb5c38 | 0x14c | data | English | United States | 0.608433734939759 |
RT_DIALOG | 0xb5d84 | 0x2c8 | data | English | United States | 0.5154494382022472 |
RT_DIALOG | 0xb604c | 0x2b0 | data | English | United States | 0.5450581395348837 |
RT_DIALOG | 0xb62fc | 0x174 | data | English | United States | 0.5994623655913979 |
RT_DIALOG | 0xb6470 | 0x188 | data | English | United States | 0.576530612244898 |
RT_DIALOG | 0xb65f8 | 0x2e8 | data | English | United States | 0.4986559139784946 |
RT_DIALOG | 0xb68e0 | 0x200 | data | English | United States | 0.517578125 |
RT_DIALOG | 0xb6ae0 | 0xdc | data | English | United States | 0.6818181818181818 |
RT_DIALOG | 0xb6bbc | 0x290 | data | English | United States | 0.5167682926829268 |
RT_MESSAGETABLE | 0xb6e4c | 0x538 | Matlab v4 mat-file (little endian) \226_\001, rows 90000, columns 90001, imaginary | English | United States | 0.469311377245509 |
RT_GROUP_ICON | 0xb7384 | 0x5a | data | English | United States | 0.7 |
RT_GROUP_ICON | 0xb73e0 | 0x22 | data | English | United States | 1.0294117647058822 |
RT_VERSION | 0xb7404 | 0x2f8 | data | English | United States | 0.4986842105263158 |
DLL | Import |
---|---|
comdlg32.dll | PageSetupDlgA, GetSaveFileNameA, PrintDlgA, ChooseColorA, GetOpenFileNameW, GetOpenFileNameA, CommDlgExtendedError, ChooseColorW, GetSaveFileNameW |
advapi32.dll | RegSetValueExA, GetLengthSid, LookupPrivilegeValueA, RegDeleteKeyW, SetSecurityDescriptorOwner, RegEnumValueA, RegCreateKeyW, ControlService, RegisterEventSourceW, DeleteService, RegCreateKeyExA, RegOpenKeyExW, QueryServiceStatus, RegQueryValueW, AdjustTokenPrivileges, DuplicateToken, CreateServiceW, ReportEventA, InitializeSecurityDescriptor, GetAclInformation, GetUserNameA, RegQueryInfoKeyA, RegDeleteKeyA, OpenThreadToken, EqualSid, DeregisterEventSource, RegEnumKeyExW, RegQueryInfoKeyW, RegisterEventSourceA, RegEnumKeyA, CloseServiceHandle, SetSecurityDescriptorDacl, RegCloseKey, SetSecurityDescriptorGroup, RevertToSelf, RegEnumValueW, GetFileSecurityW, GetFileSecurityA, GetSecurityDescriptorDacl, AccessCheck, SetServiceStatus, RegOpenKeyExA, RegDeleteValueA, OpenSCManagerA, MapGenericMask, LookupPrivilegeValueW, InitializeAcl, RegQueryValueExA, GetTokenInformation, RegCreateKeyExW, RegOpenKeyA, RegSetValueExW, FreeSid, RegEnumKeyW, OpenSCManagerW, RegQueryValueExW, RegSetValueA, RegQueryValueA, RegisterServiceCtrlHandlerA, OpenServiceA, RegDeleteValueW, OpenServiceW |
winspool.drv | FindFirstPrinterChangeNotification, DeviceCapabilitiesW, SetJobW, OpenPrinterW, GetPrinterW, EnumJobsW, FindNextPrinterChangeNotification, EnumPortsW, EnumPrintersW, GetJobW, SetPrinterDataW, ClosePrinter, FreePrinterNotifyInfo, DocumentPropertiesW |
user32.dll | HideCaret, DestroyWindow, GetClassLongA, IsZoomed, AppendMenuA, GetSysColorBrush, EnableMenuItem, IsDialogMessageW, TabbedTextOutA, CreatePopupMenu, MonitorFromPoint, SendDlgItemMessageA, WindowFromPoint, GetParent, DefWindowProcA, GetMenuItemRect, ShowScrollBar, GetWindowDC, MapWindowPoints, GetCapture, GetActiveWindow, LoadMenuA, SetDlgItemInt, ModifyMenuA, IsWindowVisible, PostThreadMessageW, GetUpdateRgn, wsprintfA, GetSubMenu, MoveWindow, GetSysColor, TranslateMDISysAccel, GetIconInfo, CreateMenu, IsWindowEnabled, CopyAcceleratorTableA, CharUpperBuffA, GetWindow, SetTimer, UnpackDDElParam, DispatchMessageA, SetActiveWindow, SetCapture, IsRectEmpty, GetMessagePos, GetAsyncKeyState, GetMenuItemCount, RegisterWindowMessageA, GetMessageTime, LoadIconA, DlgDirListA, GetMenuCheckMarkDimensions, RegisterClipboardFormatA, LoadMenuIndirectA, SetScrollInfo, ShowCaret, GetClassNameW, GetWindowRect, GetMenuDefaultItem, GrayStringA, TranslateMessage, CreateWindowExW, DrawIcon, GetNextDlgGroupItem, PostMessageA, SetCursor, GetDesktopWindow, ShowWindow, GetWindowTextW, UpdateWindow, IntersectRect, PostThreadMessageA, SetMenuItemInfoA, IsIconic, AppendMenuW, GetWindowRgn, DispatchMessageW, LoadCursorW, TrackPopupMenu, DrawStateA, SetForegroundWindow, DlgDirSelectExA, CreateDialogIndirectParamW, IsClipboardFormatAvailable, SetWindowLongW, TranslateAcceleratorA, GetWindowTextLengthW, DialogBoxIndirectParamW, CreateDialogParamA, GetDlgItemTextA, GetDC, SetCaretBlinkTime, AdjustWindowRectEx, IsWindowUnicode, GetPropA, SetDlgItemTextW, UnregisterClassW, InvalidateRect, mouse_event, PeekMessageA, BeginPaint, GetDlgItem, GetMenuStringW, DestroyIcon, GetScrollInfo, DdeGetData, ClientToScreen, LoadBitmapA, EnableWindow, RemoveMenu, SetWindowLongA, GetSystemMetrics, GetForegroundWindow, MessageBoxW, GetNextDlgTabItem, ArrangeIconicWindows, CharUpperA, IsDlgButtonChecked, DestroyCaret, RemovePropA, LoadImageA, DeferWindowPos, GetMenuContextHelpId, GetSystemMenu, SetMenu, DdeCreateDataHandle, GetMenuState, CallNextHookEx, KillTimer, SetScrollRange, BringWindowToTop, GetClientRect, ReleaseCapture, ExcludeUpdateRgn, DrawFocusRect, UnhookWindowsHookEx, SetScrollPos, DefFrameProcA, GetDlgCtrlID, CreateWindowExA, IsWindow, GetDlgItemInt, DrawIconEx, EmptyClipboard, SystemParametersInfoA, ToAsciiEx, wvsprintfA, SetClipboardViewer, DeleteMenu, ScreenToClient, PeekMessageW, DrawMenuBar, CopyRect, DrawFrameControl, GetScrollPos, InsertMenuA, GetClassInfoW, GetFocus, ReleaseDC, EndPaint, RedrawWindow, CallWindowProcA, GetTabbedTextExtentA, DdeFreeStringHandle, DdeConnect, GetWindowThreadProcessId, SetRectEmpty, WinHelpA, DrawTextA, GetTopWindow, GetClassInfoA, LoadCursorA, EnumChildWindows, DrawTextW, PostQuitMessage, SendDlgItemMessageW, CharLowerA, GetLastActivePopup, DrawEdge, IsMenu, SetWindowsHookExW, DestroyCursor, SetWindowRgn, RegisterClassExA, RegisterClassA, DefDlgProcA, CharNextA, GetWindowLongA, SetPropA, SetWindowsHookExA, MessageBoxA, GetCursorPos, SetRect, GetDialogBaseUnits, FrameRect, GetMenu, DestroyMenu, SetWindowTextA, SetDlgItemTextA, GetWindowTextLengthA, GetMessageW, EnableScrollBar, SetWindowPos, RegisterClassW, FillRect, SetMenuItemBitmaps, MapDialogRect, SetMenuDefaultItem, GetWindowPlacement, ModifyMenuW, GetClassNameA, DlgDirSelectComboBoxExA, GetCursor, EqualRect, OffsetRect, InflateRect, GetComboBoxInfo, MessageBeep, SendMessageA, EndDialog, SendMessageW, GetWindowTextA, DlgDirListComboBoxA, ValidateRect, CreateIconIndirect, SetWindowContextHelpId, CloseClipboard, GetWindowContextHelpId, CheckDlgButton, DefWindowProcW, GetPropW, PostMessageW, UnregisterClassA, ScrollWindowEx, GetKeyState, GetClipboardData, PtInRect, IsChild, CopyIcon, IsDialogMessageA, DragDetect, CheckMenuItem, SetFocus, GetMessageA |
kernel32.dll | UnhandledExceptionFilter, WriteFile, GetVersion, QueryPerformanceCounter, lstrcpyA, TerminateThread, MapViewOfFile, VirtualFree, ReadFile, GetEnvironmentStringsW, TerminateProcess, EnumResourceLanguagesW, GetPrivateProfileStringA, FreeEnvironmentStringsW, CreateFileMappingW, FatalAppExitA, GetCommandLineA, GlobalHandle, DeleteFileA, GetCurrentThread, HeapAlloc, GetWindowsDirectoryW, GetUserDefaultLCID, FreeLibrary, HeapSize, GetStringTypeW, LocalFree, SetHandleCount, GetFullPathNameW, SetFileAttributesA, GlobalFindAtomA, GetOEMCP, GetCPInfo, GetEnvironmentVariableW, SetUnhandledExceptionFilter, MultiByteToWideChar, CreateDirectoryA, InterlockedDecrement, LCMapStringW, GetModuleFileNameA, lstrcpyW, SetLastError, WideCharToMultiByte, FindResourceA, GetFileAttributesA, GetPrivateProfileIntA, InterlockedIncrement, GetLocalTime, GetModuleHandleA, GetStdHandle, IsBadWritePtr, TlsAlloc, GlobalLock, GetTimeFormatA, TlsGetValue, ExitThread, SetFileTime, InterlockedCompareExchange, GetSystemTimeAsFileTime, MoveFileW, GetACP, GetLogicalDriveStringsA, IsDebuggerPresent, DisconnectNamedPipe, GetFullPathNameA, GetTempPathW, GetTimeZoneInformation, GetShortPathNameW, ExitProcess, GetFileTime, IsValidLocale, OpenMutexA, GetTickCount, GetStartupInfoA, TlsFree, GetFileAttributesW, HeapFree, lstrcatA, CloseHandle, GetFileSize, GetEnvironmentStrings, GetTempFileNameA, CreateMutexA, SetFileAttributesW, GetWindowsDirectoryA, EnumSystemLocalesA, FileTimeToLocalFileTime, GetStartupInfoW, GlobalMemoryStatus, UnlockFile, FlushFileBuffers, GlobalGetAtomNameA, CreateThread, FreeEnvironmentStringsA, GetStringTypeExW, GetLocaleInfoA, LCMapStringA, FindFirstFileA, MulDiv, GlobalFree, GlobalFlags, IsBadReadPtr, SuspendThread, SetStdHandle, VirtualProtect, WaitForSingleObject, GetProfileStringA, GetVersionExW, ResumeThread, GetModuleHandleW, WinExec, LoadLibraryA, SetEnvironmentVariableA, WritePrivateProfileStringW, lstrcmpiA, OpenEventA, VirtualQuery, GetOverlappedResult, GetCurrentProcess, GetExitCodeThread, GetSystemDefaultLangID, GetTempPathA, CopyFileA, UnmapViewOfFile, InterlockedExchange, SetEnvironmentVariableW, SetFilePointer, DeleteCriticalSection, RtlUnwind, VirtualAlloc, GetProcessHeap, IsValidCodePage, ReleaseMutex, EnumResourceLanguagesA, IsBadCodePtr, SetPriorityClass, GlobalFindAtomW, LoadResource, SearchPathA, HeapDestroy, GetThreadLocale, FindNextFileA, FindClose, Sleep, lstrcpynW, PeekNamedPipe, SetEndOfFile, FindNextFileW, GetCurrentProcessId, GetModuleFileNameW, GetVersionExA, ConvertDefaultLocale, InitializeCriticalSection, GlobalAddAtomW, WritePrivateProfileStringA, FindFirstFileW, SetThreadPriority, LoadLibraryW, DeleteFileW, FileTimeToSystemTime, lstrcmpW, GlobalSize, DuplicateHandle, GetCurrentDirectoryA, CreateFileA, CompareStringA, HeapCreate, LockFile, GetVolumeInformationA, RaiseException, GlobalDeleteAtom, FormatMessageW, CompareFileTime, SizeofResource, TlsSetValue, CreateFileMappingA, GetFileType, LeaveCriticalSection, GetSystemTime, SetEvent, lstrlenW, GetSystemInfo, LocalReAlloc, lstrlenA, GetCurrentThreadId, GlobalReAlloc, GetShortPathNameA, GetStringTypeA, ResetEvent, GetDateFormatA, CompareStringW, HeapReAlloc, WriteConsoleA, EnterCriticalSection, GetDiskFreeSpaceExW, GlobalAlloc, SetErrorMode, GetLocaleInfoW, GetConsoleMode, FindResourceW, SleepEx, GetLastError, GetProcAddress |
shlwapi.dll | SHDeleteKeyA, PathIsUNCA, PathAddBackslashA, PathGetDriveNumberA, PathIsUNCServerA, PathUnquoteSpacesA, PathBuildRootA, PathFileExistsA, PathIsURLA, PathCombineA, PathStripToRootA, PathAppendA, PathFindExtensionA, UrlUnescapeA, PathRemoveExtensionA, PathIsDirectoryA, PathIsRootA, PathRemoveFileSpecA, PathFindFileNameA, PathRemoveBackslashA, PathIsUNCServerShareA, PathStripPathA, PathRenameExtensionA |
comctl32.dll | ImageList_Destroy, ImageList_GetIcon, InitializeFlatSB, ImageList_GetBkColor, ImageList_GetImageCount, DestroyPropertySheetPage, ImageList_DragEnter, ImageList_SetDragCursorImage, ImageList_SetImageCount, ImageList_Replace, PropertySheetW, CreateStatusWindowW, ImageList_BeginDrag, InitCommonControlsEx, ImageList_GetImageInfo, ImageList_Remove, ImageList_LoadImageW, ImageList_ReplaceIcon, ImageList_Add, ImageList_EndDrag, ImageList_Draw, ImageList_Create, ImageList_DrawIndirect, ImageList_DragLeave, ImageList_DragMove, CreatePropertySheetPageA, FlatSB_EnableScrollBar, _TrackMouseEvent, ImageList_GetIconSize, ImageList_SetBkColor, ImageList_LoadImageA, ImageList_AddMasked |
oleaut32.dll | LoadTypeLib |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2024 22:25:20.495116949 CEST | 60681 | 53 | 192.168.2.6 | 1.1.1.1 |
Sep 28, 2024 22:26:06.893265963 CEST | 53 | 61583 | 162.159.36.2 | 192.168.2.6 |
Sep 28, 2024 22:26:07.734683037 CEST | 53 | 52312 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 28, 2024 22:25:20.495116949 CEST | 192.168.2.6 | 1.1.1.1 | 0x2a00 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | | mm-mm.bing.net.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | | | 150.171.28.10 | A (IP address) | IN (0x0001) | false |
Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | | | 150.171.27.10 | A (IP address) | IN (0x0001) | false |
Target ID | Start time | Start date | Path | Wow64 process (32bit) | Commandline | Imagebase | File size | MD5 hash | Has elevated privileges | Has administrator privileges | Programmed in | Reputation | Has exited |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4 | 16:25:24 | 28/09/2024 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe | true | | 0x70000 | 753'664 bytes | B954DC27C4BF7B87DCC365EE9E1C99DB | true | true | C, C++ or other language | low | true |
7 | 16:25:25 | 28/09/2024 | C:\Windows\SysWOW64\WerFault.exe | true | | 0x310000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | high | true |
9 | 16:25:29 | 28/09/2024 | C:\Windows\SysWOW64\WerFault.exe | true | | 0x310000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | high | true |
Execution Graph
Execution Coverage: | 0.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 6.4% |
Total number of Nodes: | 612 |
Total number of Limit Nodes: | 1 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0007FE3D | 8.8 | 2 | 3 | 29 | libraryloader, COMMON, LIBRARYCODE |
00075321 | 3.0 | 2 | | 26 | memory, COMMON |
0007B0F2 | 21.1 | 6 | 6 | 90 | libraryloader, COMMON, LIBRARYCODE |
0007EEE8 | 10.7 | 7 | | 212 | time, COMMON |
00071762 | 7.6 | 5 | | 92 | memory, COMMON |
00083774 | 0.1 | | | 77 | COMMON |
000843C6 | 0.1 | | | 56 | COMMON |
00075E71 | 0.0 | | | 22 | COMMON |
0007138E | 21.1 | 6 | 6 | 71 | libraryloader, thread, COMMON |
0008335D | 19.4 | 5 | 6 | 185 | COMMON, LIBRARYCODE |
00071000 | 17.6 | 6 | 4 | 115 | file, COMMON, LIBRARYCODE |
000719C2 | 13.8 | 9 | | 291 | COMMON |
000801C2 | 12.1 | 8 | | 131 | COMMON |
0007159B | 10.5 | 3 | 3 | 13 | libraryloader, COMMON, LIBRARYCODE |
00080667 | 9.2 | 6 | | 168 | COMMON |
00077A47 | 7.7 | 5 | | 184 | COMMON |
0007F313 | 7.7 | 5 | | 172 | COMMON |
0007789A | 7.6 | 5 | | 150 | COMMON |
0007C132 | 7.6 | 5 | | 133 | COMMON |
000797BF | 7.0 | 3 | 1 | 19 | library, COMMON |
0007DDCC | 6.2 | 4 | | 167 | file, COMMON |
00071B6E | 6.1 | 4 | | 93 | COMMON |
0007F8EC | 5.4 | 1 | 2 | 124 | COMMON, LIBRARYCODE |
000764AC | 5.1 | 4 | | 57 | memory, COMMON, LIBRARYCODE |