Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
| Analysis ID: | 1521528 |
| MD5: | b954dc27c4bf7b87dcc365ee9e1c99db |
| SHA1: | 405dd8848ecbc7dce62978bf96571d9c2a8bf8f8 |
| SHA256: | 5af43067ad6e35eca23cbfe8de88d89984e9f1996625a8bba845669c5f9fb10b |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe (PID: 3872 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Swi zzor.based .8485.2727 7.exe" MD5: B954DC27C4BF7B87DCC365EE9E1C99DB) 
WerFault.exe (PID: 5880 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 872 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2996 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 872 -s 508 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 4_2_0007DBB1 | |
| Source: | Code function: | 4_2_000843C6 | |
| Source: | Code function: | 4_2_00076669 | |
| Source: | Code function: | 4_2_00083774 | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_0007B0F2 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_00078114 | |
| Source: | Code function: | 4_2_0007813C | |
| Source: | Code function: | 4_2_0008050B | |
| Source: | Code function: | 4_2_00078F47 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Code function: | 4_2_00075E71 | |
| Source: | Evasive API call chain: | graph_4-12524 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 4_2_00071762 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_4-12529 | ||
| Source: | API call chain: | graph_4-12543 | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 4_2_0007B0F2 | |
| Source: | Code function: | 4_2_0007846D | |
| Source: | Code function: | 4_2_0007EEE8 | |
| Source: | Code function: | 4_2_00081596 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 68% | ReversingLabs | Win32.Trojan.Swizzor | ||
| 100% | Avira | TR/Dldr.Swizzor.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ax-0001.ax-msedge.net | 150.171.28.10 | true | false | unknown | |
| tse1.mm.bing.net | unknown | unknown | false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1521528 |
| Start date and time: | 2024-09-28 22:24:13 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 47s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 16 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
| Detection: | MAL |
| Classification: | mal64.winEXE@3/9@1/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, mm-mm.bing.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com
- VT rate limit hit for: SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
| Time | Type | Description |
|---|---|---|
| 16:25:29 | API Interceptor |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ax-0001.ax-msedge.net | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
⊘No context
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7dd5f59ad4b8c3eff5e6cb56669dac635af4597_e30bf782_3c08e170-e099-426f-ab81-7dafb72511c7\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8313649670480145 |
| Encrypted: | false |
| SSDEEP: | 96:kYtF03RzfSszlcRfZncQXIDcQjc6qcElcw3D+HbHg/LAeugih88WpENEg92MbC4P:R2RzS909uP8jXIqzuiFMZ24IO8l |
| MD5: | 7FBF214B51065C40645A8741A42B1E56 |
| SHA1: | A0C0ECEA6CCFFA01D196255DA2D3D89A136731C1 |
| SHA-256: | 13F80E0085CE89684DB11F0AFD79AAAD35D3F9E8C3FD64D7AB371B94113F42E9 |
| SHA-512: | 48EEBCC3439C1AC4CF2D47BC9F1E59DB05F2EB22626371D3F0E169F3B5959FD0D374E9F41B1DF14DF32DBF21EB495D76E0590A4440FE5B7837415FEED614DE39 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9f8a51d2e97124c38f6ead774f7a4d26f0c08f_e30bf782_44600bb9-7195-4d8d-b9e1-633f0683a2ec\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8265425130407492 |
| Encrypted: | false |
| SSDEEP: | 96:gAFNWITzfAszlc1yDfmQXIDcQjc6qcElcw3D+HbHg/LAeugih88WpENEg92MbC4P:9XWITzA809uP8jXIqzuiFMZ24IO8l |
| MD5: | 21A80604732596906AAD9DCF30ABD15E |
| SHA1: | 7497EE6521C5D4C9D846BBCC9D842338AFF614D3 |
| SHA-256: | B4D2A8758B9D96B682D78709050588973F2FFE7358456A4FFCDE788EC0F4B011 |
| SHA-512: | EF40CF3119824EB40397E23FE6F424A64ED7719311795428466AA7C4B1FF0E36E38BCDE30F4997B0B2AD36F9AF60E6303D94EA73B9F07754CEBC274003E8201C |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 590468 |
| Entropy (8bit): | 0.9240539913405436 |
| Encrypted: | false |
| SSDEEP: | 3072:5blKVJodpfavdwQQeZ9h6rpq+IvUWcJxCbyCrwyznpEB/RumDwHDvej90nkqR2Qm:lrH |
| MD5: | D8A580B67519AA07BD882B7B4AE458C8 |
| SHA1: | 361B381D26EE839FC82CA851BD9DBE9A8F372E03 |
| SHA-256: | 1AF2FC6234384546853E28BB7A2FB0FFF4B0B7BB9117FEA8FF4062F9B74B13B3 |
| SHA-512: | DE2A19F5F11D7894E8D4478F8F69AC555E17CCBA47DC0DCD2AA24061E2BBC104C91E69CEE38BCFE2C425F23D977F3E614640670DFBDC23C52DE658A4AF558AC1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8524 |
| Entropy (8bit): | 3.699619899734924 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJxg6NF6Y2DZSUuEEgmfnan6pr/89b8IsfLUm:R6lXJ26P6YkSUhEgmfnK87fd |
| MD5: | F62DE14DAB6AF0D9833358068D964497 |
| SHA1: | 6892CDB5132C69387DDCADC7B1E95D532C169820 |
| SHA-256: | F936A8FC18E2601FA0EE0B66C0DF3D1D54A7B6CB6F3C73DA454D0FBBB18CE06F |
| SHA-512: | 31410B636ADEE71F42CE12201B63E15DB849288C2385B5D7FDCE72098E5D8877629E994DD45E204DD432DA34D779CA01A43BC777333A14442A7DE2D691621D67 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4909 |
| Entropy (8bit): | 4.578232891977028 |
| Encrypted: | false |
| SSDEEP: | 96:uIjf2I7uG7VoJ6PJQ1bqXYBl+VPvumuhRd:uIqYuG7y6PJQ1mXYBl+1vumuhv |
| MD5: | 3DE66D160515C3887BEF17604476A9DF |
| SHA1: | 2D352162A79671B3CA6FB5EB0E4166CFB17A86A4 |
| SHA-256: | 9282C3C080903F73F2BC5AB449C9CB81C04FA444B9856AEB3E24F1DE725D0CD3 |
| SHA-512: | 0246C27FBBC479A441065356A2D5CDA29D262C0D198A79E7A41C98BC3E1670FC738A89FB28C27CE71374D7D893AA5777740CFA0FAB94DEDAAB70E04367B60511 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 586736 |
| Entropy (8bit): | 0.9189702916923299 |
| Encrypted: | false |
| SSDEEP: | 3072:3GKVJodpfavdwQQeZ9h6rpq+IvUWcJxCbyCrwyznpEB/RumDwHDvej90nkqR2QWR:erH3 |
| MD5: | 8D06F1DB4CCA6064F56FF67B7E569419 |
| SHA1: | 45AB75B3C9D0C0DBE7C138466EE0DED5AB3EF45E |
| SHA-256: | 77651D3D9E9E73437E5EBF2AD20BDF83455E752BFBC9C64CF259263307EC3D88 |
| SHA-512: | B8333AFEE8102B18008A3BA4BE40CC79592A3FD57751891CC0DBFA3EA96E3B52552C2BCDEBF2F0496A3F50310DED39608A56F04F383CC30E2B169872B1CA8725 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8454 |
| Entropy (8bit): | 3.6988572533357877 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJxE6qF6Y2DWSUE4TgmfIJ1an6pDB89b7IsfmWIkpm:R6lXJS6A6YrSUTTgmfIJ1M77fhI3 |
| MD5: | E96B35C89B618D6BAC9114AB24F2EA99 |
| SHA1: | 3408BB4ECD0DD90358416D3132A66D04EE1F8EB2 |
| SHA-256: | AAB39CA72C330C01B42D656061A9D0B8B1D46FCD00904935A84DDC7051BE68E3 |
| SHA-512: | 368DBAD43635CE3CD0CDE816FA90E9005BC28DECD713084C59C6D0CDC8DF8C956B400EE7A5FB63777794AC67D2E95D0A305D39C9B70BC47A8E23E14B731FA9DB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4839 |
| Entropy (8bit): | 4.544877028261893 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zswtJg77aI903WpW8VYBYm8M4J6PJa2Fk+q8pXHp+VJdvunmuhRd:uIjf2I7uG7VFJ6PJeqXJ+VPvumuhRd |
| MD5: | 6AB6BC042CA4A0C198EA68980ECDB557 |
| SHA1: | 769394818F9010DABB512AE7B5881128CDBBB1B9 |
| SHA-256: | 15066D03D2E83DFC9CFDD9DC79D7DC7C31482A457D15D6D46ACF84084FC73D78 |
| SHA-512: | 1D73D721FA1B59BA98C4707FABD565BF870AE7D16790B51BB30E6F153983CD58ECBE63A5C63C6D9F7D9C06DE0CAC47B61B4BAF3C2969F5976581FB22A288557D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.469007815916115 |
| Encrypted: | false |
| SSDEEP: | 6144:HzZfpi6ceLPx9skLmb0faZWSP3aJG8nAgeiJRMMhA2zX4WABluuNOjDH5S:TZHtaZWOKnMM6bFpkj4 |
| MD5: | C988162B2314CE43577FFFF15F2FAEB1 |
| SHA1: | 04964741570916A1E3C4EE025AE533C00F514F02 |
| SHA-256: | C63C9648258CE9420FBDD672F19812DA671202BA6E32509E78221B619BAF7C43 |
| SHA-512: | 6AFCF957D0CF363203B5B12DC08073D3B35233B567E74E9C7492D9C181BCDEA35FCD49B795C1B0A3C80E642E43E782CFE3E317EB80FF94D1B4C54BA46E3D4ABA |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.688944481915534 |
| TrID: |
|
| File name: | SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
| File size: | 753'664 bytes |
| MD5: | b954dc27c4bf7b87dcc365ee9e1c99db |
| SHA1: | 405dd8848ecbc7dce62978bf96571d9c2a8bf8f8 |
| SHA256: | 5af43067ad6e35eca23cbfe8de88d89984e9f1996625a8bba845669c5f9fb10b |
| SHA512: | 93e4422a32f9ead610ac73d6cca7c06f174806ab8df79d0c9fe7a5913dd6063ca8331a93c7080845792d73f6ede54ca44600bfdf1601c0622884763c7eea3150 |
| SSDEEP: | 12288:gj+jvIbgM7h8PzDlHkXOUoWwUF3g6jYc8dn9/Xp+2bqwldnBZP4OsRI+hRC:gj+8biPzDlHxUZG6j2dhZ+Y3jBZP4RIA |
| TLSH: | BFF40122B3C2D0B5D1C30F7469AA97108B30FDFB53B5550B79A25B8ACD72BA05E43B52 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..KJ..KJ..KJ..+h..IJ..l...HJ...j..JJ...B..JJ...B..JJ..XB..JJ..l...JJ...i..JJ..NF..JJ..NF..JJ...U..JJ..l...JJ..NF..JJ..RichKJ. |
 | |
| Icon Hash: | 6623594c45050301 |
| Entrypoint: | 0x81596 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x70000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x4724F87D [Sun Oct 28 21:00:45 2007 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 30d06e7f8bbe31666f40bdb01f63380e |
| Instruction |
|---|
| push 00000060h |
| push 000E6F30h |
| call 00007F58290841F3h |
| mov edi, 00000094h |
| mov eax, edi |
| call 00007F582907BE27h |
| mov dword ptr [ebp-18h], esp |
| mov esi, esp |
| mov dword ptr [esi], edi |
| push esi |
| call dword ptr [00087790h] |
| mov ecx, dword ptr [esi+10h] |
| mov dword ptr [000FE3BCh], ecx |
| mov eax, dword ptr [esi+04h] |
| mov dword ptr [000FE3C8h], eax |
| mov edx, dword ptr [esi+08h] |
| mov dword ptr [000FE3CCh], edx |
| mov esi, dword ptr [esi+0Ch] |
| and esi, 00007FFFh |
| mov dword ptr [000FE3C0h], esi |
| cmp ecx, 02h |
| je 00007F58290852DEh |
| or esi, 00008000h |
| mov dword ptr [000FE3C0h], esi |
| shl eax, 08h |
| add eax, edx |
| mov dword ptr [000FE3C4h], eax |
| xor esi, esi |
| push esi |
| mov edi, dword ptr [000875F8h] |
| call edi |
| cmp word ptr [eax], 5A4Dh |
| jne 00007F58290852F1h |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| cmp dword ptr [ecx], 00004550h |
| jne 00007F58290852E4h |
| movzx eax, word ptr [ecx+18h] |
| cmp eax, 0000010Bh |
| je 00007F58290852F1h |
| cmp eax, 0000020Bh |
| je 00007F58290852D7h |
| mov dword ptr [ebp-1Ch], esi |
| jmp 00007F58290852F9h |
| cmp dword ptr [ecx+00000084h], 0Eh |
| jbe 00007F58290852C4h |
| xor eax, eax |
| cmp dword ptr [ecx+000000F8h], esi |
| jmp 00007F58290852E0h |
| cmp dword ptr [ecx+74h], 0Eh |
| jbe 00007F58290852B4h |
| xor eax, eax |
| cmp dword ptr [ecx+000000E8h], esi |
| setne al |
| mov dword ptr [ebp-1Ch], eax |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88214 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0xd6fc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17958 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x958 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x15e78 | 0x16000 | 3e777ec457934acbae462db3954e7cdd | False | 0.6765913529829546 | data | 6.682217353526458 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x17000 | 0x745ed | 0x75000 | ff729987c895b9f0cc1b8779b7e59245 | False | 0.9185717982104701 | data | 7.952820554625134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x8c000 | 0x1d058 | 0x1e000 | bd9124e6bdf88aad7f3f486809dc3300 | False | 0.8010579427083333 | data | 7.228953730445401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xaa000 | 0xd6fc | 0xe000 | 10a5d0e4c4165d4f07d19f9897aaf881 | False | 0.34139578683035715 | data | 5.494393495853644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0xaa688 | 0x2e90 | Device independent bitmap graphic, 165 x 24 x 24, image size 0 | English | United States | 0.17181208053691274 |
| RT_ICON | 0xad518 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.22073170731707317 |
| RT_ICON | 0xadb80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5101351351351351 |
| RT_ICON | 0xadca8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5575692963752665 |
| RT_ICON | 0xaeb50 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6163294797687862 |
| RT_ICON | 0xaf0b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.3403526970954357 |
| RT_ICON | 0xb1660 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.47701688555347094 |
| RT_ICON | 0xb2708 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 0 | English | United States | 0.4527777777777778 |
| RT_ICON | 0xb33b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.45286116322701686 |
| RT_MENU | 0xb4458 | 0x3ca | data | English | United States | 0.48556701030927835 |
| RT_MENU | 0xb4824 | 0x22e | data | English | United States | 0.514336917562724 |
| RT_MENU | 0xb4a54 | 0x3e8 | data | English | United States | 0.462 |
| RT_MENU | 0xb4e3c | 0x422 | data | English | United States | 0.46313799621928164 |
| RT_MENU | 0xb5260 | 0x398 | Matlab v4 mat-file (little endian) &, numeric, rows 2490384, columns 7602249, imaginary | English | United States | 0.48043478260869565 |
| RT_MENU | 0xb55f8 | 0x88 | data | English | United States | 0.7352941176470589 |
| RT_DIALOG | 0xb5680 | 0x1f8 | data | English | United States | 0.5674603174603174 |
| RT_DIALOG | 0xb5878 | 0x210 | data | English | United States | 0.5397727272727273 |
| RT_DIALOG | 0xb5a88 | 0x1b0 | data | English | United States | 0.5555555555555556 |
| RT_DIALOG | 0xb5c38 | 0x14c | data | English | United States | 0.608433734939759 |
| RT_DIALOG | 0xb5d84 | 0x2c8 | data | English | United States | 0.5154494382022472 |
| RT_DIALOG | 0xb604c | 0x2b0 | data | English | United States | 0.5450581395348837 |
| RT_DIALOG | 0xb62fc | 0x174 | data | English | United States | 0.5994623655913979 |
| RT_DIALOG | 0xb6470 | 0x188 | data | English | United States | 0.576530612244898 |
| RT_DIALOG | 0xb65f8 | 0x2e8 | data | English | United States | 0.4986559139784946 |
| RT_DIALOG | 0xb68e0 | 0x200 | data | English | United States | 0.517578125 |
| RT_DIALOG | 0xb6ae0 | 0xdc | data | English | United States | 0.6818181818181818 |
| RT_DIALOG | 0xb6bbc | 0x290 | data | English | United States | 0.5167682926829268 |
| RT_MESSAGETABLE | 0xb6e4c | 0x538 | Matlab v4 mat-file (little endian) \226_\001, rows 90000, columns 90001, imaginary | English | United States | 0.469311377245509 |
| RT_GROUP_ICON | 0xb7384 | 0x5a | data | English | United States | 0.7 |
| RT_GROUP_ICON | 0xb73e0 | 0x22 | data | English | United States | 1.0294117647058822 |
| RT_VERSION | 0xb7404 | 0x2f8 | data | English | United States | 0.4986842105263158 |
| DLL | Import |
|---|---|
| comdlg32.dll | PageSetupDlgA, GetSaveFileNameA, PrintDlgA, ChooseColorA, GetOpenFileNameW, GetOpenFileNameA, CommDlgExtendedError, ChooseColorW, GetSaveFileNameW |
| advapi32.dll | RegSetValueExA, GetLengthSid, LookupPrivilegeValueA, RegDeleteKeyW, SetSecurityDescriptorOwner, RegEnumValueA, RegCreateKeyW, ControlService, RegisterEventSourceW, DeleteService, RegCreateKeyExA, RegOpenKeyExW, QueryServiceStatus, RegQueryValueW, AdjustTokenPrivileges, DuplicateToken, CreateServiceW, ReportEventA, InitializeSecurityDescriptor, GetAclInformation, GetUserNameA, RegQueryInfoKeyA, RegDeleteKeyA, OpenThreadToken, EqualSid, DeregisterEventSource, RegEnumKeyExW, RegQueryInfoKeyW, RegisterEventSourceA, RegEnumKeyA, CloseServiceHandle, SetSecurityDescriptorDacl, RegCloseKey, SetSecurityDescriptorGroup, RevertToSelf, RegEnumValueW, GetFileSecurityW, GetFileSecurityA, GetSecurityDescriptorDacl, AccessCheck, SetServiceStatus, RegOpenKeyExA, RegDeleteValueA, OpenSCManagerA, MapGenericMask, LookupPrivilegeValueW, InitializeAcl, RegQueryValueExA, GetTokenInformation, RegCreateKeyExW, RegOpenKeyA, RegSetValueExW, FreeSid, RegEnumKeyW, OpenSCManagerW, RegQueryValueExW, RegSetValueA, RegQueryValueA, RegisterServiceCtrlHandlerA, OpenServiceA, RegDeleteValueW, OpenServiceW |
| winspool.drv | FindFirstPrinterChangeNotification, DeviceCapabilitiesW, SetJobW, OpenPrinterW, GetPrinterW, EnumJobsW, FindNextPrinterChangeNotification, EnumPortsW, EnumPrintersW, GetJobW, SetPrinterDataW, ClosePrinter, FreePrinterNotifyInfo, DocumentPropertiesW |
| user32.dll | HideCaret, DestroyWindow, GetClassLongA, IsZoomed, AppendMenuA, GetSysColorBrush, EnableMenuItem, IsDialogMessageW, TabbedTextOutA, CreatePopupMenu, MonitorFromPoint, SendDlgItemMessageA, WindowFromPoint, GetParent, DefWindowProcA, GetMenuItemRect, ShowScrollBar, GetWindowDC, MapWindowPoints, GetCapture, GetActiveWindow, LoadMenuA, SetDlgItemInt, ModifyMenuA, IsWindowVisible, PostThreadMessageW, GetUpdateRgn, wsprintfA, GetSubMenu, MoveWindow, GetSysColor, TranslateMDISysAccel, GetIconInfo, CreateMenu, IsWindowEnabled, CopyAcceleratorTableA, CharUpperBuffA, GetWindow, SetTimer, UnpackDDElParam, DispatchMessageA, SetActiveWindow, SetCapture, IsRectEmpty, GetMessagePos, GetAsyncKeyState, GetMenuItemCount, RegisterWindowMessageA, GetMessageTime, LoadIconA, DlgDirListA, GetMenuCheckMarkDimensions, RegisterClipboardFormatA, LoadMenuIndirectA, SetScrollInfo, ShowCaret, GetClassNameW, GetWindowRect, GetMenuDefaultItem, GrayStringA, TranslateMessage, CreateWindowExW, DrawIcon, GetNextDlgGroupItem, PostMessageA, SetCursor, GetDesktopWindow, ShowWindow, GetWindowTextW, UpdateWindow, IntersectRect, PostThreadMessageA, SetMenuItemInfoA, IsIconic, AppendMenuW, GetWindowRgn, DispatchMessageW, LoadCursorW, TrackPopupMenu, DrawStateA, SetForegroundWindow, DlgDirSelectExA, CreateDialogIndirectParamW, IsClipboardFormatAvailable, SetWindowLongW, TranslateAcceleratorA, GetWindowTextLengthW, DialogBoxIndirectParamW, CreateDialogParamA, GetDlgItemTextA, GetDC, SetCaretBlinkTime, AdjustWindowRectEx, IsWindowUnicode, GetPropA, SetDlgItemTextW, UnregisterClassW, InvalidateRect, mouse_event, PeekMessageA, BeginPaint, GetDlgItem, GetMenuStringW, DestroyIcon, GetScrollInfo, DdeGetData, ClientToScreen, LoadBitmapA, EnableWindow, RemoveMenu, SetWindowLongA, GetSystemMetrics, GetForegroundWindow, MessageBoxW, GetNextDlgTabItem, ArrangeIconicWindows, CharUpperA, IsDlgButtonChecked, DestroyCaret, RemovePropA, LoadImageA, DeferWindowPos, GetMenuContextHelpId, GetSystemMenu, SetMenu, DdeCreateDataHandle, GetMenuState, CallNextHookEx, KillTimer, SetScrollRange, BringWindowToTop, GetClientRect, ReleaseCapture, ExcludeUpdateRgn, DrawFocusRect, UnhookWindowsHookEx, SetScrollPos, DefFrameProcA, GetDlgCtrlID, CreateWindowExA, IsWindow, GetDlgItemInt, DrawIconEx, EmptyClipboard, SystemParametersInfoA, ToAsciiEx, wvsprintfA, SetClipboardViewer, DeleteMenu, ScreenToClient, PeekMessageW, DrawMenuBar, CopyRect, DrawFrameControl, GetScrollPos, InsertMenuA, GetClassInfoW, GetFocus, ReleaseDC, EndPaint, RedrawWindow, CallWindowProcA, GetTabbedTextExtentA, DdeFreeStringHandle, DdeConnect, GetWindowThreadProcessId, SetRectEmpty, WinHelpA, DrawTextA, GetTopWindow, GetClassInfoA, LoadCursorA, EnumChildWindows, DrawTextW, PostQuitMessage, SendDlgItemMessageW, CharLowerA, GetLastActivePopup, DrawEdge, IsMenu, SetWindowsHookExW, DestroyCursor, SetWindowRgn, RegisterClassExA, RegisterClassA, DefDlgProcA, CharNextA, GetWindowLongA, SetPropA, SetWindowsHookExA, MessageBoxA, GetCursorPos, SetRect, GetDialogBaseUnits, FrameRect, GetMenu, DestroyMenu, SetWindowTextA, SetDlgItemTextA, GetWindowTextLengthA, GetMessageW, EnableScrollBar, SetWindowPos, RegisterClassW, FillRect, SetMenuItemBitmaps, MapDialogRect, SetMenuDefaultItem, GetWindowPlacement, ModifyMenuW, GetClassNameA, DlgDirSelectComboBoxExA, GetCursor, EqualRect, OffsetRect, InflateRect, GetComboBoxInfo, MessageBeep, SendMessageA, EndDialog, SendMessageW, GetWindowTextA, DlgDirListComboBoxA, ValidateRect, CreateIconIndirect, SetWindowContextHelpId, CloseClipboard, GetWindowContextHelpId, CheckDlgButton, DefWindowProcW, GetPropW, PostMessageW, UnregisterClassA, ScrollWindowEx, GetKeyState, GetClipboardData, PtInRect, IsChild, CopyIcon, IsDialogMessageA, DragDetect, CheckMenuItem, SetFocus, GetMessageA |
| kernel32.dll | UnhandledExceptionFilter, WriteFile, GetVersion, QueryPerformanceCounter, lstrcpyA, TerminateThread, MapViewOfFile, VirtualFree, ReadFile, GetEnvironmentStringsW, TerminateProcess, EnumResourceLanguagesW, GetPrivateProfileStringA, FreeEnvironmentStringsW, CreateFileMappingW, FatalAppExitA, GetCommandLineA, GlobalHandle, DeleteFileA, GetCurrentThread, HeapAlloc, GetWindowsDirectoryW, GetUserDefaultLCID, FreeLibrary, HeapSize, GetStringTypeW, LocalFree, SetHandleCount, GetFullPathNameW, SetFileAttributesA, GlobalFindAtomA, GetOEMCP, GetCPInfo, GetEnvironmentVariableW, SetUnhandledExceptionFilter, MultiByteToWideChar, CreateDirectoryA, InterlockedDecrement, LCMapStringW, GetModuleFileNameA, lstrcpyW, SetLastError, WideCharToMultiByte, FindResourceA, GetFileAttributesA, GetPrivateProfileIntA, InterlockedIncrement, GetLocalTime, GetModuleHandleA, GetStdHandle, IsBadWritePtr, TlsAlloc, GlobalLock, GetTimeFormatA, TlsGetValue, ExitThread, SetFileTime, InterlockedCompareExchange, GetSystemTimeAsFileTime, MoveFileW, GetACP, GetLogicalDriveStringsA, IsDebuggerPresent, DisconnectNamedPipe, GetFullPathNameA, GetTempPathW, GetTimeZoneInformation, GetShortPathNameW, ExitProcess, GetFileTime, IsValidLocale, OpenMutexA, GetTickCount, GetStartupInfoA, TlsFree, GetFileAttributesW, HeapFree, lstrcatA, CloseHandle, GetFileSize, GetEnvironmentStrings, GetTempFileNameA, CreateMutexA, SetFileAttributesW, GetWindowsDirectoryA, EnumSystemLocalesA, FileTimeToLocalFileTime, GetStartupInfoW, GlobalMemoryStatus, UnlockFile, FlushFileBuffers, GlobalGetAtomNameA, CreateThread, FreeEnvironmentStringsA, GetStringTypeExW, GetLocaleInfoA, LCMapStringA, FindFirstFileA, MulDiv, GlobalFree, GlobalFlags, IsBadReadPtr, SuspendThread, SetStdHandle, VirtualProtect, WaitForSingleObject, GetProfileStringA, GetVersionExW, ResumeThread, GetModuleHandleW, WinExec, LoadLibraryA, SetEnvironmentVariableA, WritePrivateProfileStringW, lstrcmpiA, OpenEventA, VirtualQuery, GetOverlappedResult, GetCurrentProcess, GetExitCodeThread, GetSystemDefaultLangID, GetTempPathA, CopyFileA, UnmapViewOfFile, InterlockedExchange, SetEnvironmentVariableW, SetFilePointer, DeleteCriticalSection, RtlUnwind, VirtualAlloc, GetProcessHeap, IsValidCodePage, ReleaseMutex, EnumResourceLanguagesA, IsBadCodePtr, SetPriorityClass, GlobalFindAtomW, LoadResource, SearchPathA, HeapDestroy, GetThreadLocale, FindNextFileA, FindClose, Sleep, lstrcpynW, PeekNamedPipe, SetEndOfFile, FindNextFileW, GetCurrentProcessId, GetModuleFileNameW, GetVersionExA, ConvertDefaultLocale, InitializeCriticalSection, GlobalAddAtomW, WritePrivateProfileStringA, FindFirstFileW, SetThreadPriority, LoadLibraryW, DeleteFileW, FileTimeToSystemTime, lstrcmpW, GlobalSize, DuplicateHandle, GetCurrentDirectoryA, CreateFileA, CompareStringA, HeapCreate, LockFile, GetVolumeInformationA, RaiseException, GlobalDeleteAtom, FormatMessageW, CompareFileTime, SizeofResource, TlsSetValue, CreateFileMappingA, GetFileType, LeaveCriticalSection, GetSystemTime, SetEvent, lstrlenW, GetSystemInfo, LocalReAlloc, lstrlenA, GetCurrentThreadId, GlobalReAlloc, GetShortPathNameA, GetStringTypeA, ResetEvent, GetDateFormatA, CompareStringW, HeapReAlloc, WriteConsoleA, EnterCriticalSection, GetDiskFreeSpaceExW, GlobalAlloc, SetErrorMode, GetLocaleInfoW, GetConsoleMode, FindResourceW, SleepEx, GetLastError, GetProcAddress |
| shlwapi.dll | SHDeleteKeyA, PathIsUNCA, PathAddBackslashA, PathGetDriveNumberA, PathIsUNCServerA, PathUnquoteSpacesA, PathBuildRootA, PathFileExistsA, PathIsURLA, PathCombineA, PathStripToRootA, PathAppendA, PathFindExtensionA, UrlUnescapeA, PathRemoveExtensionA, PathIsDirectoryA, PathIsRootA, PathRemoveFileSpecA, PathFindFileNameA, PathRemoveBackslashA, PathIsUNCServerShareA, PathStripPathA, PathRenameExtensionA |
| comctl32.dll | ImageList_Destroy, ImageList_GetIcon, InitializeFlatSB, ImageList_GetBkColor, ImageList_GetImageCount, DestroyPropertySheetPage, ImageList_DragEnter, ImageList_SetDragCursorImage, ImageList_SetImageCount, ImageList_Replace, PropertySheetW, CreateStatusWindowW, ImageList_BeginDrag, InitCommonControlsEx, ImageList_GetImageInfo, ImageList_Remove, ImageList_LoadImageW, ImageList_ReplaceIcon, ImageList_Add, ImageList_EndDrag, ImageList_Draw, ImageList_Create, ImageList_DrawIndirect, ImageList_DragLeave, ImageList_DragMove, CreatePropertySheetPageA, FlatSB_EnableScrollBar, _TrackMouseEvent, ImageList_GetIconSize, ImageList_SetBkColor, ImageList_LoadImageA, ImageList_AddMasked |
| oleaut32.dll | LoadTypeLib |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2024 22:25:20.495116949 CEST | 60681 | 53 | 192.168.2.6 | 1.1.1.1 |
| Sep 28, 2024 22:26:06.893265963 CEST | 53 | 61583 | 162.159.36.2 | 192.168.2.6 |
| Sep 28, 2024 22:26:07.734683037 CEST | 53 | 52312 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 28, 2024 22:25:20.495116949 CEST | 192.168.2.6 | 1.1.1.1 | 0x2a00 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | mm-mm.bing.net.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | 150.171.28.10 | A (IP address) | IN (0x0001) | false | ||
| Sep 28, 2024 22:25:20.502981901 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a00 | No error (0) | 150.171.27.10 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 4 |
| Start time: | 16:25:24 |
| Start date: | 28/09/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 753'664 bytes |
| MD5 hash: | B954DC27C4BF7B87DCC365EE9E1C99DB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 16:25:25 |
| Start date: | 28/09/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 16:25:29 |
| Start date: | 28/09/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 6.4% |
| Total number of Nodes: | 612 |
| Total number of Limit Nodes: | 1 |
Graph
Function 0007FE3D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00075321 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007B0F2 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007EEE8 Relevance: 10.7, APIs: 7, Instructions: 212timeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00071762 Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00083774 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000843C6 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00075E71 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007138E Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 71libraryloaderthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0008335D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 185COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00071000 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 115fileCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000719C2 Relevance: 13.8, APIs: 9, Instructions: 291COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000801C2 Relevance: 12.1, APIs: 8, Instructions: 131COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007159B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 13libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00080667 Relevance: 9.2, APIs: 6, Instructions: 168COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00077A47 Relevance: 7.7, APIs: 5, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007F313 Relevance: 7.7, APIs: 5, Instructions: 172COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007789A Relevance: 7.6, APIs: 5, Instructions: 150COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007C132 Relevance: 7.6, APIs: 5, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000797BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007DDCC Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00071B6E Relevance: 6.1, APIs: 4, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0007F8EC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000764AC Relevance: 5.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|