| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, |
0_2_00007FF73F9830EC |
| Source: Open.EXE |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Source: |
Binary string: wextract.pdb source: Open.EXE |
| Source: |
Binary string: wextract.pdbGCTL source: Open.EXE |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F98204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00007FF73F98204C |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F982C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, |
0_2_00007FF73F982C54 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F981C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, |
0_2_00007FF73F981C0C |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9866C4 |
0_2_00007FF73F9866C4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9840C4 |
0_2_00007FF73F9840C4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F986CA4 |
0_2_00007FF73F986CA4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F982DB4 |
0_2_00007FF73F982DB4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F981D28 |
0_2_00007FF73F981D28 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F985D90 |
0_2_00007FF73F985D90 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F981C0C |
0_2_00007FF73F981C0C |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F983530 |
0_2_00007FF73F983530 |
| Source: Open.EXE |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 165 bytes, 1 file, at 0x2c +A "Open.cmd", ID 756, number 1, 1 datablock, 0x1503 compression |
| Source: Open.EXE |
Binary or memory string: OriginalFilename vs Open.EXE |
| Source: Open.EXE, 00000000.00000000.1654646480.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs Open.EXE |
| Source: Open.EXE, 00000000.00000000.1654646480.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Open.EXE |
| Source: Open.EXE |
Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs Open.EXE |
| Source: Open.EXE |
Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Open.EXE |
| Source: classification engine |
Classification label: sus25.spyw.winEXE@5/1@0/0 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F986CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
0_2_00007FF73F986CA4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F981C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, |
0_2_00007FF73F981C0C |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9866C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA, |
0_2_00007FF73F9866C4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F987AC8 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource, |
0_2_00007FF73F987AC8 |
| Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03 |
| Source: C:\Users\user\Desktop\Open.EXE |
File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP |
Jump to behavior |
| Source: Open.EXE |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Source: C:\Users\user\Desktop\Open.EXE |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
| Source: unknown |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" |
| Source: unknown |
Process created: C:\Users\user\Desktop\Open.EXE "C:\Users\user\Desktop\Open.EXE" |
|
| Source: C:\Users\user\Desktop\Open.EXE |
Process created: C:\Windows\System32\cmd.exe cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd |
|
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
| Source: unknown |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" |
|
| Source: C:\Users\user\Desktop\Open.EXE |
Process created: C:\Windows\System32\cmd.exe cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: cabinet.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: version.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: feclient.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: iertutil.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: uxtheme.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: kernel.appcore.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: textinputframework.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: coreuicomponents.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: coremessaging.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: ntmarta.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: textshaping.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Section loaded: advpack.dll |
Jump to behavior |
| Source: Open.EXE |
Static PE information: Image base 0x140000000 > 0x60000000 |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
| Source: Open.EXE |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Source: Open.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: |
Binary string: wextract.pdb source: Open.EXE |
| Source: |
Binary string: wextract.pdbGCTL source: Open.EXE |
| Source: Open.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
| Source: Open.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
| Source: Open.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
| Source: Open.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
| Source: Open.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
| Source: Open.EXE |
Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC] |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, |
0_2_00007FF73F9830EC |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F981684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
0_2_00007FF73F981684 |
| Source: C:\Users\user\Desktop\Open.EXE |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 |
Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\Open.EXE |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
| Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F98204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00007FF73F98204C |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9864E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, |
0_2_00007FF73F9864E4 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, |
0_2_00007FF73F9830EC |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F988790 SetUnhandledExceptionFilter, |
0_2_00007FF73F988790 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F988494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FF73F988494 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F9811CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, |
0_2_00007FF73F9811CC |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F988964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, |
0_2_00007FF73F988964 |
| Source: C:\Users\user\Desktop\Open.EXE |
Code function: 0_2_00007FF73F982C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, |
0_2_00007FF73F982C54 |
| Source: C:\Windows\System32\cmd.exe |
File opened: \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\ |
Jump to behavior |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet