Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Analysis ID: 1527906
MD5: eaf75c53fccbbb7bb45e96fe3c642cfc
SHA1: 89741ce1b3f522d995ea1e311b758e09384ae4f6
SHA256: 9f12616bd66ff80dfbed9355844515746b0371e075616ccb7b8f776584e02e05
Tags: exe
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Uses bcdedit to modify the Windows boot settings
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Suspicious Copy From or To System Directory
Uses reg.exe to modify the Windows registry

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe ReversingLabs: Detection: 18%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 86.3% probability
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: jC:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb?? source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source: Binary string: C:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe String found in binary or memory: https://www.dearimgui.com/faq/
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe String found in binary or memory: https://www.dearimgui.com/faq/Set
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process Stats: CPU usage > 49%
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f
Source: classification engine Classification label: mal56.winEXE@24/7@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: xinput1_4.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\bcdedit.exe Section loaded: cryptsp.dll Jump to behavior
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: jC:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb?? source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source: Binary string: C:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior
barindex
Uses bcdedit to modify the Windows boot settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Window / User API: threadDelayed 3048 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Window / User API: threadDelayed 509 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Window / User API: foregroundWindowGot 762 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Window / User API: foregroundWindowGot 757 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe TID: 7124 Thread sleep time: -30480s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1527906 Sample: SecuriteInfo.com.Variant.Te... Startdate: 07/10/2024 Architecture: WINDOWS Score: 56 29 Multi AV Scanner detection for submitted file 2->29 31 AI detected suspicious sample 2->31 7 SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe 2 1 2->7         started        process3 signatures4 33 Uses bcdedit to modify the Windows boot settings 7->33 10 cmd.exe 1 7->10         started        13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        17 4 other processes 7->17 process5 signatures6 35 Uses bcdedit to modify the Windows boot settings 10->35 19 bcdedit.exe 1 1 10->19         started        21 reg.exe 1 13->21         started        23 sc.exe 1 15->23         started        25 sc.exe 1 17->25         started        27 sc.exe 1 17->27         started        process7
No contacted IP infos