Windows Analysis Report
SecuriteInfo.com.Trojan.Inject.11626.30754

ID:	635338
Product:	CloudBasic
Start time:	19:29:20
Start date:	27.05.2022
Sample:	SecuriteInfo.com.Trojan.Inject.11626.30754
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dd43bd8cdc55dd9c8a168f7d5e67db30
SHA1:	b7b49d8b277b6cb3d3006e912ad78558872119fb
SHA256:	7dc00d4ca525d39db7c57bcbcf2a17720f3e1d2eaecfc714f5e28f0e2a09633b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\CYKELPARKERINGENS.ini	ASCII text, with CRLF line terminators	8B36E2227A5BD0472C64194B43581D90	E391FCABCE78C902A95B2B3A90F46380AA0E6031	7A5D1B27408729909236B8B98CD3D19002750B7297981F32A6E6DD743B16BFB4
C:\Users\user\AppData\Local\Temp\GL-1.0.typelib	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Local\Temp\HERMAPHRODEITY.ini	ASCII text, with CRLF line terminators	176F3A8631F14F0421935D07502B8CD9	70C91B54BDE9BA107AB322ECACF16C60E0D8E57B	F507F6BB14F286DD6835A18FC9ECDB86F73DBA96E9E281D626718447F1C496BB
C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	07B4E869E84B557512EE38A5C283FEF3	85AFD748ACB7DB97C763ABFEA292E8543B084517	C718B6BF9A427A117FFC1AB1C0E02551AFB2675406BAC625534E02179DB12C9D
C:\Users\user\AppData\Local\Temp\Waxiness.Sym	data	B364DBDF5A8A0C58CD4B721BE9432C48	B4159BD48769E110F77AC738B411ABFB73BE5A16	1EE1B8AE17CE30ACC1DCC52DD1B0B569BB336E8D2E67E5DAC944B2D3DE4F0762
C:\Users\user\AppData\Local\Temp\applications-other.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	8C4F73C63672801A4629BA32BFAF9E31	C59877FEA56A2D45E36389366B0CCBC0AC2B720B	DFAFC0CCDCD4A2B74B8F74ECBE0BE82FC9FF3D055A8C9585DD78379DB7F01063
C:\Users\user\AppData\Local\Temp\folder-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A008C1D205C5B08639C0A8D8673C6C72	5190570B97A6F75F1D10D3D1EC6E46AEC8705B0B	54A3EBAD22462339574D87D835CA626E039E9B38A625806BAA051F80A327C428
C:\Users\user\AppData\Local\Temp\nsaA34A.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\rt64win7.inf	Windows setup INFormation, Little-endian UTF-16 Unicode text, with CRLF line terminators	2D947C4C9147622CFC588FC5C17DDDEC	B367B48D1282E39E37B8992615FF9947DEE8CFED	EBB8155AC71DD53258CE3772F189B4771272BA55E15A6DABDE2BEA6896DC2CC3
C:\Users\user\AppData\Local\Temp\user-not-tracked-symbolic.svg	SVG Scalable Vector Graphics image	8F7C767AFA41E6D03BDE59296DFF8175	EEFA541D3A06CAFEB62A535B86D1A95D6AAE1CD6	292770B23ED69AF4EDE9255BB66ADF3D3A0FF62D827D2BA05ED2C44A57228ED6
C:\Users\user\AppData\Local\Temp\video-joined-displays-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	E2FC23D36F5488D1F2888D524F933582	335CA8F69FF42E4418F0C95A9626F7B027F62139	07AEFFEAC02CD1501C54E5D66ED1816B83AF04E51B1676AF3C4A538FDC9E9E4A

AV Detection

Source: 00000000.00000002.790910785.0000000003291000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.222.57.79/SALES/muhasebe@par%20v4_zZlYyWbWEF39.bin1"}

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Virustotal: Detection: 11%

Perma Link

Compliance

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_0040290B FindFirstFileW,		0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,		0_2_0040699E

Networking

Source: Malware configuration extractor

URLs: http://185.222.57.79/SALES/muhasebe@par%20v4_zZlYyWbWEF39.bin1

Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#Notice
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.789161040.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.0.dr	String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

System Summary

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameThrottlePlugin.dllL vs SecuriteInfo.com.Trojan.Inject.11626.exe

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_00406D5F		0_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_734E1BFF		0_2_734E1BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

File created: C:\Users\user\AppData\Local\Temp\nseA0F6.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

File written: C:\Users\user\AppData\Local\Temp\HERMAPHRODEITY.ini

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.Inject.11626.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.Trojan.Inject.11626.exe, 00000000.00000002.790363953.0000000002881000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.0.dr

Data Obfuscation

Source: Yara match

File source: 00000000.00000002.790910785.0000000003291000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_734E30C0 push eax; ret

0_2_734E30EE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_734E1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_734E1BFF

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	File created: C:\Users\user\AppData\Local\Temp\nsaA34A.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	File created: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

RDTSC instruction interceptor: First address: 000000000329264E second address: 000000000329264E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FA27107F8DAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_0040290B FindFirstFileW,		0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,		0_2_0040699E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_734E1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_734E1BFF

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.11626.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640