SHA256: 37a49015ddbf52ee9ac95ef08f317d29c562f12d96ef586cbae92df85a4fb39a
File name: a361b835f2cbdaea6e4c2c947f46d4bf
Detection ratio: 11 / 57
Analysis date: 2016-11-21 05:26:54 UTC ( 2 years, 4 months ago )
Antivirus Result Update
AegisLab Heur.Advml.Gen!c 20161121
AVG Generic38.XWQ 20161121
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
DrWeb BackDoor.Siggen.60255 20161121
GData Win32.Trojan-Ransom.Locky.XNZ9II 20161121
Sophos ML ransom.win32.crowti.a 20161018
Kaspersky UDS:DangerousObject.Multi.Generic 20161120
Qihoo-360 HEUR/QVM07.1.4BCA.Malware.Gen 20161121
Rising Malware.Generic!n5cl4nfMoBF@5 (thunder) 20161121
Symantec Trojan Horse 20161121
ViRobot Trojan.Win32.Locky.270336.A[h] 20161121
Ad-Aware 20161121
AhnLab-V3 20161121
Alibaba 20161121
ALYac 20161121
Antiy-AVL 20161121
Arcabit 20161121
Avast 20161121
Avira (no cloud) 20161120
AVware 20161121
Baidu 20161118
BitDefender 20161121
Bkav 20161121
CAT-QuickHeal 20161121
ClamAV 20161121
CMC 20161120
Comodo 20161121
Cyren 20161121
Emsisoft 20161121
ESET-NOD32 20161120
F-Prot 20161121
F-Secure 20161121
Fortinet 20161121
Ikarus 20161120
Jiangmin 20161121
K7AntiVirus 20161120
K7GW 20161121
Kingsoft 20161121
Malwarebytes 20161121
McAfee 20161121
McAfee-GW-Edition 20161121
Microsoft 20161121
eScan 20161121
NANO-Antivirus 20161120
nProtect 20161121
Panda 20161120
Sophos AV 20161121
SUPERAntiSpyware 20161121
Tencent 20161121
TheHacker 20161117
TotalDefense 20161120
TrendMicro 20161121
TrendMicro-HouseCall 20161121
VBA32 20161118
VIPRE 20161121
Yandex 20161121
Zillya 20161118
Zoner 20161121
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright ???? (C) 2008
Product switchForm ????
Original name switchForm.EXE
Internal name switchForm
File version 1, 0, 0, 1
Description switchForm Microsoft ???????
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-16 18:29:01
Entry Point 0x000083AD
Number of sections 6
PE sections
PE imports
GetStartupInfoA
GetModuleHandleA
GetModuleFileNameW
CreateFileW
Ord(1775)
Ord(4080)
Ord(4710)
Ord(5677)
Ord(3597)
Ord(3495)
Ord(3136)
Ord(4963)
Ord(4524)
Ord(554)
Ord(1842)
Ord(5237)
Ord(5577)
Ord(3350)
Ord(5852)
Ord(4533)
Ord(6375)
Ord(4589)
Ord(3798)
Ord(2621)
Ord(3259)
Ord(1665)
Ord(4303)
Ord(2884)
Ord(5301)
Ord(807)
Ord(4163)
Ord(6215)
Ord(6625)
Ord(4953)
Ord(1725)
Ord(815)
Ord(2723)
Ord(366)
Ord(641)
Ord(2494)
Ord(5277)
Ord(2514)
Ord(986)
Ord(4425)
Ord(2554)
Ord(3092)
Ord(4441)
Ord(1134)
Ord(4465)
Ord(4108)
Ord(5300)
Ord(6175)
Ord(338)
Ord(4627)
Ord(1168)
Ord(3738)
Ord(4853)
Ord(2982)
Ord(617)
Ord(3172)
Ord(3454)
Ord(4526)
Ord(4234)
Ord(825)
Ord(3081)
Ord(5199)
Ord(5307)
Ord(796)
Ord(4531)
Ord(1746)
Ord(2542)
Ord(4424)
Ord(5260)
Ord(5076)
Ord(4078)
Ord(3059)
Ord(2091)
Ord(4376)
Ord(6376)
Ord(5282)
Ord(4614)
Ord(2117)
Ord(1727)
Ord(823)
Ord(2725)
Ord(4998)
Ord(5472)
Ord(4436)
Ord(4457)
Ord(3749)
Ord(4899)
Ord(4823)
Ord(4427)
Ord(5484)
Ord(5261)
Ord(4696)
Ord(4079)
Ord(4467)
Ord(3058)
Ord(4623)
Ord(3147)
Ord(2124)
Ord(4615)
Ord(4892)
Ord(2879)
Ord(4242)
Ord(4077)
Ord(6336)
Ord(3262)
Ord(5653)
Ord(674)
Ord(975)
Ord(1576)
Ord(5243)
Ord(4353)
Ord(3748)
Ord(5065)
Ord(4407)
Ord(4426)
Ord(784)
Ord(6117)
Ord(3346)
Ord(2446)
Ord(4241)
Ord(4159)
Ord(3831)
Ord(5100)
Ord(6374)
Ord(5280)
Ord(5214)
Ord(4960)
Ord(3825)
Ord(2976)
Ord(1089)
Ord(3198)
Ord(2985)
Ord(3922)
Ord(5240)
Ord(6080)
Ord(4151)
Ord(2649)
Ord(6052)
Ord(5252)
Ord(2626)
Ord(1776)
Ord(4083)
Ord(4347)
Ord(6000)
Ord(2510)
Ord(324)
Ord(5265)
Ord(4238)
Ord(2396)
Ord(5281)
Ord(3830)
Ord(5103)
Ord(2385)
Ord(4613)
Ord(4720)
Ord(2878)
Ord(3079)
Ord(2512)
Ord(652)
Ord(5949)
Ord(4387)
Ord(4420)
Ord(2055)
Ord(2627)
Ord(4837)
Ord(4340)
Ord(5241)
Ord(520)
Ord(2399)
Ord(5012)
Ord(2648)
Ord(3065)
Ord(5714)
Ord(5289)
Ord(4545)
Ord(4274)
Ord(3403)
Ord(4622)
Ord(561)
Ord(2390)
Ord(4612)
Ord(4543)
Ord(4610)
Ord(364)
Ord(1841)
Ord(4529)
Ord(4486)
Ord(2535)
Ord(529)
Ord(4698)
Ord(4370)
Ord(6054)
Ord(4588)
Ord(5163)
Ord(6055)
Ord(296)
Ord(4858)
Ord(4889)
Ord(4432)
Ord(5740)
Ord(5302)
Ord(1825)
Ord(5731)
_except_handler3
__p__fmode
_acmdln
__CxxFrameHandler
_exit
_adjust_fdiv
__setusermatherr
_setmbcp
__dllonexit
_onexit
_controlfp
exit
_XcptFilter
__getmainargs
_initterm
__p__commode
__set_app_type
EnableWindow
UpdateWindow
FindWindowW
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 2.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.1
UninitializedDataSize 0
LanguageCode Chinese (Simplified)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 225280
EntryPoint 0x83ad
OriginalFileName switchForm.EXE
MIMEType application/octet-stream
LegalCopyright (C) 2008
FileVersion 1, 0, 0, 1
TimeStamp 2016:11:16 19:29:01+01:00
FileType Win32 EXE
PEType PE32
InternalName switchForm
ProductVersion 1, 0, 0, 1
FileDescription switchForm Microsoft
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 40960
ProductName switchForm
ProductVersionNumber 1.0.0.1
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 a361b835f2cbdaea6e4c2c947f46d4bf
SHA1 956f19ca672335d0faef475f0c2629d40c7528f2
SHA256 37a49015ddbf52ee9ac95ef08f317d29c562f12d96ef586cbae92df85a4fb39a
ssdeep 6144:gugZKFhdf9NqD2P/rMp1h+/4/mdzESK3x/LSXT:gugZydf9AmzM9+KmdYSgTSXT
authentihash 484eec24cc502f8976250a0b1a84a39e267833db187c928ecd77ffc913386c0a
imphash 2fe74dc218492780dc129e3a33f66f8b
File size 264.0 KB ( 270336 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe
VirusTotal metadata
First submission 2016-11-20 20:07:17 UTC ( 2 years, 4 months ago )
Last submission 2016-11-22 11:27:21 UTC ( 2 years, 4 months ago )
File names Temp.vir.HSvir
switchForm.EXE
switchForm
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspicious_GEN.F47V1121.
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Written files
Code injections in the following processes
Runtime DLLs
UDP communications