Click to jump to signature section
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Avira: detected |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.2345.com/?15493 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.2345.com/?15493Software |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.hao123.com/?tn=50097079_1_hao_pg |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.hao123.com/?tn=50097079_1_hao_pgaHR0cDovL3d3dy5oYW8xMjMuY29tLz90bj01MDA5NzA3OV8xX2hhb19wZ |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.itmxc.com |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | String found in binary or memory: http://www.itmxc.com/member.php?mod=register |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: .vmp0 and .vmp1 section names |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Binary or memory string: OriginalFilenameNCList.DLL< vs SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: Section: .vmp2 ZLIB complexity 0.9891912286931818 |
Source: classification engine | Classification label: mal56.winDLL@14/0@0/0 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03 |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll" | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllCanUnloadNow | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllGetClassObject | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllRegisterServer | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllCanUnloadNow | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllGetClassObject | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllRegisterServer | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: atl100.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp100.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: omng.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uilib.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: atl100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msvcp100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: omng.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uilib.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static file information: File size 2216547 > 1048576 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0x113000 |
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp2 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: real checksum: 0x12bb1c should be: 0x2286d4 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: section name: .vmp0 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: section name: .vmp1 |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: section name: .vmp2 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll |
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll | Static PE information: section name: .vmp2 entropy: 7.954667501881547 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 | Jump to behavior |